From bec528e955f630526b67bdd3f835872e751d4a14 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 24 Aug 2016 10:04:23 -0700 Subject: [PATCH 1/6] Updating topic with CSS additions --- .../keep-secure/testing-scenarios-for-wip.md | 87 +++++++++++++++++++ 1 file changed, 87 insertions(+) diff --git a/windows/keep-secure/testing-scenarios-for-wip.md b/windows/keep-secure/testing-scenarios-for-wip.md index e74a83cfad..89c5ad0e9e 100644 --- a/windows/keep-secure/testing-scenarios-for-wip.md +++ b/windows/keep-secure/testing-scenarios-for-wip.md @@ -22,6 +22,93 @@ We've come up with a list of suggested testing scenarios that you can use to tes ## Testing scenarios You can try any of the processes included in these scenarios, but you should focus on the ones that you might encounter in your organization. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +3. +4. Make sure the file is decrypted, by: +o Right-clicking the file again, clicking Advanced from the General tab, and then clicking Details from the Compress or Encrypt attributes area. +The Details button should be unavailable. +For mobile: +1. Open the File Explorer app, browse to a file location, click the elipsis (...), and then click Select to mark at least one file as work-related. +2. Click the elipsis (...) again, click File ownership from the drop down menu, and then click Work. +Make sure the file is encrypted, by locating the Briefcase icon next to the file name. +3. Select the same file, click File ownership from the drop down menu, and then click Personal. +Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name. + + + + + + + + + + + + + + + + + + + |Scenario |Processes | |---------|----------| |Automatically encrypt files from enterprise apps |
  1. Start an unmodified (for example, WIP-unaware) line-of-business app that's on your allowed apps list and then create, edit, write, and save files.
  2. Make sure that all of the files you worked with from the WIP-unaware app are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
  3. Open File Explorer and make sure your modified files are appearing with a **Lock** icon.

    **Note**
    Some file types, like .exe and .dll, along with some file paths, like `%windir%` and `%programfiles%`, are excluded from automatic encryption.

| From 2624af7f0b7eb218d6a9dc93562e7500bbaf667a Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 24 Aug 2016 10:13:39 -0700 Subject: [PATCH 2/6] Updating content from CSS --- windows/keep-secure/testing-scenarios-for-wip.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/testing-scenarios-for-wip.md b/windows/keep-secure/testing-scenarios-for-wip.md index 89c5ad0e9e..e7f6a935bb 100644 --- a/windows/keep-secure/testing-scenarios-for-wip.md +++ b/windows/keep-secure/testing-scenarios-for-wip.md @@ -50,8 +50,8 @@ You can try any of the processes included in these scenarios, but you should foc - - + + + + + + + + + + + + + + + + + + - + - + + + + - - - - - -3. -4. Make sure the file is decrypted, by: -o Right-clicking the file again, clicking Advanced from the General tab, and then clicking Details from the Compress or Encrypt attributes area. -The Details button should be unavailable. -For mobile: -1. Open the File Explorer app, browse to a file location, click the elipsis (...), and then click Select to mark at least one file as work-related. -2. Click the elipsis (...) again, click File ownership from the drop down menu, and then click Work. -Make sure the file is encrypted, by locating the Briefcase icon next to the file name. -3. Select the same file, click File ownership from the drop down menu, and then click Personal. -Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name. - - - - - - - - - - - - - - - - - - - -|Scenario |Processes | -|---------|----------| -|Automatically encrypt files from enterprise apps |
  1. Start an unmodified (for example, WIP-unaware) line-of-business app that's on your allowed apps list and then create, edit, write, and save files.
  2. Make sure that all of the files you worked with from the WIP-unaware app are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
  3. Open File Explorer and make sure your modified files are appearing with a **Lock** icon.

    **Note**
    Some file types, like .exe and .dll, along with some file paths, like `%windir%` and `%programfiles%`, are excluded from automatic encryption.

| -|Block enterprise data from non-enterprise apps |
  1. Start an app that doesn't appear on your allowed apps list, and then try to open an enterprise-encrypted file.

    The app shouldn't be able to access the file.

  2. Try double-clicking or tapping on the enterprise-encrypted file.

    If your default app association is an app not on your allowed apps list, you should get an **Access Denied** error message.

| -|Copy and paste from enterprise apps to non-enterprise apps |
  1. Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.

    You should see a WIP-related warning box, asking you to click either **Got it** or **Cancel**.

  2. Click **Cancel**.

    The content isn't pasted into the non-enterprise app.

  3. Repeat Step 1, but this time click **Got it**, and try to paste the content again.

    The content is pasted into the non-enterprise app.

  4. Try copying and pasting content between apps on your allowed apps list.

    The content should copy and paste between apps without any warning messages.

| -|Drag and drop from enterprise apps to non-enterprise apps |
  1. Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.

    You should see a WIP-related warning box, asking you to click either **Drag Anyway** or **Cancel**.

  2. Click **Cancel**.

    The content isn't dropped into the non-enterprise app.

  3. Repeat Step 1, but this time click **Drag Anyway**, and try to drop the content again.

    The content is dropped into the non-enterprise app.

  4. Try dragging and dropping content between apps on your allowed apps list.

    The content should move between the apps without any warning messages.

| -|Share between enterprise apps and non-enterprise apps |
  1. Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.

    You should see a WIP-related warning box, asking you to click either **Share Anyway** or **Cancel**.

  2. Click **Cancel**.

    The content isn't shared into Facebook.

  3. Repeat Step 1, but this time click **Share Anyway**, and try to share the content again.

    The content is shared into Facebook.

  4. Try sharing content between apps on your allowed apps list.

    The content should share between the apps without any warning messages.

| -|Use the **Encrypt to** functionality |
  1. Open File Explorer on the desktop, right-click a decrypted file, and then click **Encrypt to** from the **Encrypt to** menu.

    WIP should encrypt the file to your Enterprise Identity.

  2. Make sure that the newly encrypted file has a **Lock** icon.
  3. In the **Encrypted to** column of File Explorer on the desktop, look for the enterprise ID value.
  4. Right-click the encrypted file, and then click **Not encrypted** from the **Encrypt to** menu.

    The file should be decrypted and the **Lock** icon should disappear.

| -|Verify that Windows system components can use WIP |
  1. Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
  2. Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
  3. Open File Explorer and make sure your modified files are appearing with a **Lock** icon
  4. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

    **Note**
    Most Windows-signed components like Windows Explorer (when running in the user’s context), should have access to enterprise data.

    A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.

| -|Use WIP on FAT/exFAT systems |
  1. Start an app that uses the FAT or exFAT file system and appears on your allowed apps list.
  2. Create, edit, write, save, and move files.

    Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.

  3. Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.
| -|Use WIP on NTFS systems |
  1. Start an app that uses the NTFS file system and appears on your allowed apps list.
  2. Create, edit, write, save, and move files.

    Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.

  3. Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.
| -|Unenroll client devices from WIP | | -|Verify that app content is protected when a Windows 10 Mobile phone is locked | | \ No newline at end of file + + + + + + + + + + + + + + +
ScenarioProcesses
Encrypt and decrypt files using File Explorer.For desktop:

+

    +
  1. Open File Explorer, right-click a work document, and then click Work from the File Ownership menu.
  2. +
  3. Make sure the file is encrypted by right-clicking the file again, clicking Advanced from the General tab, and then clicking Details from the Compress or Encrypt attributes area.
    The file should show up under the heading, This enterprise domain can remove or revoke access: <your_enterprise_identity>. For example, contoso.com.
  4. +
  5. In File Explorer, right-click the same document, and then click Personal from the File Ownership menu.
  6. +
  7. Make sure the file is decrypted by right-clicking the file again, clicking Advanced from the General tab, and then verifying that the Details button is unavailable.
  8. +
+ For mobile:

+

    +
  1. Open the File Explorer app, browse to a file location, click the elipsis (...), and then click Select to mark at least one file as work-related.
  2. +
  3. Click the elipsis (...) again, click File ownership from the drop down menu, and then click Work.
  4. +
  5. Make sure the file is encrypted, by locating the Briefcase icon next to the file name.
  6. +
  7. Select the same file, click File ownership from the drop down menu, and then click Personal.
  8. +
  9. Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
  10. +
+
Create work documents in enterprise-allowed apps.For desktop:

+

    +
  1. +
  2. +
+ For mobile:

+

    +
  1. +
  2. +
+
Create work documents in enterprise-allowed apps. For desktop:

    -
  1. -
  2. +
  3. Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.
  4. +
  5. Make sure the document is encrypted to your Enterprise Identity.
    This might take a few minutes and require you to close and re-open the file.

    Important
    Certain file types like .exe and .dll, along with certain file paths, such as %windir% and %programfiles% are excluded from automatic encryption.

    For more info about your Enterprise Identity and adding apps to your allowed apps list, see either [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using Microsoft System Center Configuration Manager](create-wip-policy-using-sccm.md), based on your deployment system.

For mobile:

    From cc0cd05f33ad42a2cd7e4265d971c9f5334c3b76 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 24 Aug 2016 10:54:37 -0700 Subject: [PATCH 3/6] Updating content with CSS info --- .../keep-secure/testing-scenarios-for-wip.md | 171 +++++++++++------- 1 file changed, 106 insertions(+), 65 deletions(-) diff --git a/windows/keep-secure/testing-scenarios-for-wip.md b/windows/keep-secure/testing-scenarios-for-wip.md index e7f6a935bb..1fdd1eb655 100644 --- a/windows/keep-secure/testing-scenarios-for-wip.md +++ b/windows/keep-secure/testing-scenarios-for-wip.md @@ -31,94 +31,135 @@ You can try any of the processes included in these scenarios, but you should foc
Encrypt and decrypt files using File Explorer. For desktop:

    -
  1. Open File Explorer, right-click a work document, and then click Work from the File Ownership menu.
  2. -
  3. Make sure the file is encrypted by right-clicking the file again, clicking Advanced from the General tab, and then clicking Details from the Compress or Encrypt attributes area.
    The file should show up under the heading, This enterprise domain can remove or revoke access: <your_enterprise_identity>. For example, contoso.com.
  4. -
  5. In File Explorer, right-click the same document, and then click Personal from the File Ownership menu.
  6. -
  7. Make sure the file is decrypted by right-clicking the file again, clicking Advanced from the General tab, and then verifying that the Details button is unavailable.
  8. +
  9. Open File Explorer, right-click a work document, and then click Work from the File Ownership menu.
    Make sure the file is encrypted by right-clicking the file again, clicking Advanced from the General tab, and then clicking Details from the Compress or Encrypt attributes area. The file should show up under the heading, This enterprise domain can remove or revoke access: <your_enterprise_identity>. For example, contoso.com.
  10. +
  11. In File Explorer, right-click the same document, and then click Personal from the File Ownership menu.
    Make sure the file is decrypted by right-clicking the file again, clicking Advanced from the General tab, and then verifying that the Details button is unavailable.
For mobile:

  1. Open the File Explorer app, browse to a file location, click the elipsis (...), and then click Select to mark at least one file as work-related.
  2. -
  3. Click the elipsis (...) again, click File ownership from the drop down menu, and then click Work.
  4. -
  5. Make sure the file is encrypted, by locating the Briefcase icon next to the file name.
  6. -
  7. Select the same file, click File ownership from the drop down menu, and then click Personal.
  8. -
  9. Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
  10. +
  11. Click the elipsis (...) again, click File ownership from the drop down menu, and then click Work.
    Make sure the file is encrypted, by locating the Briefcase icon next to the file name.
  12. +
  13. Select the same file, click File ownership from the drop down menu, and then click Personal.
    Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
Create work documents in enterprise-allowed apps. For desktop:

-

    -
  1. Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.
  2. -
  3. Make sure the document is encrypted to your Enterprise Identity.
    This might take a few minutes and require you to close and re-open the file.

    Important
    Certain file types like .exe and .dll, along with certain file paths, such as %windir% and %programfiles% are excluded from automatic encryption.

    For more info about your Enterprise Identity and adding apps to your allowed apps list, see either [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using Microsoft System Center Configuration Manager](create-wip-policy-using-sccm.md), based on your deployment system.

  4. -
+
    +
  • Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.
    Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.

    Important
    Certain file types like .exe and .dll, along with certain file paths, such as %windir% and %programfiles% are excluded from automatic encryption.

    For more info about your Enterprise Identity and adding apps to your allowed apps list, see either [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using Microsoft System Center Configuration Manager](create-wip-policy-using-sccm.md), based on your deployment system.

  • +
For mobile:

    -
  1. -
  2. +
  3. Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as Work to a local, work-related location.
    Make sure the document is encrypted, by locating the Briefcase icon next to the file name.
  4. +
  5. Open the same document and attempt to save it to a non-work-related location.
    WIP should stop you from saving the file to this location.
  6. +
  7. Open the same document one last time, make a change to the contents, and then save it again using the Personal option.
    Make sure the file is decrypted and that you're no longer seeing the Briefcase icon next to file name.
Block enterprise data from non-enterprise apps. +
    +
  1. Start an app that doesn't appear on your allowed apps list, and then try to open a work-encrypted file.
    The app shouldn't be able to access the file.
  2. +
  3. Try double-clicking or tapping on the work-encrypted file.
    If your default app association is an app not on your allowed apps list, you should get an Access Denied error message.
  4. +
+
Copy and paste from enterprise apps to non-enterprise apps. +
    +
  1. Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.
    You should see a WIP-related warning box, asking you to click either Change to personal or Keep at work.
  2. +
  3. Click Keep at work.
    The content isn't pasted into the non-enterprise app.
  4. +
  5. Repeat Step 1, but this time click Change to personal, and try to paste the content again.
    The content is pasted into the non-enterprise app.
  6. +
  7. Try copying and pasting content between apps on your allowed apps list.
    The content should copy and paste between apps without any warning messages.
  8. +
+
Drag and drop from enterprise apps to non-enterprise apps. +
    +
  1. Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.
    You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
  2. +
  3. Click Keep at work.
    The content isn't dropped into the non-enterprise app.
  4. +
  5. Repeat Step 1, but this time click Change to personal, and try to drop the content again.
    The content is dropped into the non-enterprise app.
  6. +
  7. Try dragging and dropping content between apps on your allowed apps list.
    The content should move between the apps without any warning messages.
  8. +
+
Share between enterprise apps and non-enterprise apps. +
    +
  1. Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.
    You should see a WIP-related warning box, asking you to click either Keep at work or Change to personal.
  2. +
  3. Click Keep at work.
    The content isn't shared into Facebook.
  4. +
  5. Repeat Step 1, but this time click Change to personal, and try to share the content again.
    The content is shared into Facebook.
  6. +
  7. Try sharing content between apps on your allowed apps list.
    The content should share between the apps without any warning messages.
  8. +
+
Verify that Windows system components can use WIP. +
    +
  1. +
+
+
    +
  1. +
+
+
    +
  1. +
+
+
    +
  1. +
+
+
    +
  1. +
+
+
    +
  1. +
+
+
    +
  1. +
+
+
    +
  1. +
+
\ No newline at end of file From ff805308df4cb3fe26cec8ca0e943190c8df5217 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 24 Aug 2016 12:22:20 -0700 Subject: [PATCH 4/6] Updating with CSS info --- .../keep-secure/testing-scenarios-for-wip.md | 51 ++++++++++--------- 1 file changed, 26 insertions(+), 25 deletions(-) diff --git a/windows/keep-secure/testing-scenarios-for-wip.md b/windows/keep-secure/testing-scenarios-for-wip.md index 1fdd1eb655..09ead9a07b 100644 --- a/windows/keep-secure/testing-scenarios-for-wip.md +++ b/windows/keep-secure/testing-scenarios-for-wip.md @@ -102,64 +102,65 @@ You can try any of the processes included in these scenarios, but you should foc Verify that Windows system components can use WIP.
    -
  1. +
  2. Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
    Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
  3. +
  4. Open File Explorer and make sure your modified files are appearing with a Lock icon.
  5. +
  6. Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.

    Note
    Most Windows-signed components like File Explorer (when running in the user’s context), should have access to enterprise data.

    A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.

- + Use WIP on NTFS, FAT, and exFAT systems.
    -
  1. +
  2. Start an app that uses the FAT or exFAT file system (for example a SD card or USB flash drive), and appears on your allowed apps list.
  3. +
  4. Create, edit, write, save, copy, and move files.
    Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.
- + Verify your shared files can use WIP.
    -
  1. +
  2. Download a file from a protected file share, making sure the file is encrypted by locating the Briefcase icon next to the file name.
  3. +
  4. Open the same file, make a change, save it and then try to upload it back to the file share. Again, this should work without any warnings.
  5. +
  6. Open an app that doesn't appear on your allowed apps list and attempt to access a file on the WIP-enabled file share.
    The app shouldn't be able to access the file share.
- + Verify your cloud resources can use WIP.
    -
  1. +
  2. Add both Internet Explorer 11 and Microsoft Edge to your allowed apps list.
  3. +
  4. Open SharePoint (or another cloud resource that's part of your policy) and access a WIP-enabled resource by using both IE11 and Microsoft Edge.
    Both browsers should respect the enterprise and personal boundary.
  5. +
  6. Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.
    IE11 shouldn't be able to access the sites.

    Note
    Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as Work.

- + Verify your Virtual Private Network (VPN) can be auto-triggered.
    -
  1. +
  2. Set up your VPN network to start based on the WIPModeID setting.
    For specific info about how to do this, see the [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-wip-policy-using-intune.md) topic.
  3. +
  4. Start an app from your allowed apps list.
    The VPN network should automatically start.
  5. +
  6. Disconnect from your network and then start an app that isn't on your allowed apps list.
    The VPN shouldn't start and the app shouldn't be able to access your enterprise network.
- + Unenroll client devices from WIP. -
    -
  1. -
+ - + Verify that app content is protected when a Windows 10 Mobile phone is locked. -
    -
  1. -
- - - - - -
    -
  1. -
+ \ No newline at end of file From df64768ebd1c2710680f9bd16c0bed7a3e229a2d Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 24 Aug 2016 12:39:51 -0700 Subject: [PATCH 5/6] Tweaked description --- windows/keep-secure/testing-scenarios-for-wip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/testing-scenarios-for-wip.md b/windows/keep-secure/testing-scenarios-for-wip.md index 09ead9a07b..45737291cf 100644 --- a/windows/keep-secure/testing-scenarios-for-wip.md +++ b/windows/keep-secure/testing-scenarios-for-wip.md @@ -1,6 +1,6 @@ --- title: Testing scenarios for Windows Information Protection (WIP) (Windows 10) -description: We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company. +description: A list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company. ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2 keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection ms.prod: w10 From fd21842572066436dfd648ef51eba5f17000a45a Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 24 Aug 2016 12:52:16 -0700 Subject: [PATCH 6/6] Updated for marketing and CSS updates --- .../keep-secure/change-history-for-keep-windows-10-secure.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index c8012d34ec..db3058b317 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md 
@@ -13,6 +13,8 @@ author: brianlic-msft This topic lists new and updated topics in the [Keep Windows 10 secure](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). ## August 2016 +- [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |Updated and added additional scenarios for testing. | +- [Protect your enterprise data using Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) |Updated to include info from the original What's New and Overview topics. | - [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |New | ## RELEASE: Windows 10, version 1607
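Review bot: In [PATCH 1/6] (hunk `@@ -22,6 +22,93 @@`), the added lines `3.`, `4. Make sure the file is decrypted, by:` and `o Right-clicking the file again, ...` read as pasted draft fragments. Step 3 has no text, step 4 hangs on a literal `o` bullet, and no steps 1 or 2 are visible ahead of them, so the desktop decrypt check cannot be followed as written. Suggest completing the desktop procedure as a numbered list (mark as Work, verify, mark as Personal, verify) and making the `o` line a proper sub-step before this is merged.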
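Review bot: In [PATCH 2/6], the mobile steps added under "Encrypt and decrypt files using File Explorer" carry over two wording errors from the fragment they replace: `elipsis (...)` should be `ellipsis (...)` (two occurrences) and `drop down menu` should be `drop-down menu`. The verification text `For example, contoso.com.` is also a sentence fragment; folding it into the previous sentence ("..., for example, contoso.com") would read better. The same strings reappear in the later patches of the series, so fixing them here avoids touching them again.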
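Review bot: In [PATCH 3/6], step 2 of "Block enterprise data from non-enterprise apps" defines a result for only one case: `If your default app association is an app not on your allowed apps list, you should get an Access Denied error message.` A tester whose default app is on the allowed list will see the file open and has no stated expectation to compare against, so the step cannot fail. Suggest either telling the tester to set a non-allowed default app first or stating the expected result for both cases. Separately, the warning-box buttons are listed as `Change to personal or Keep at work` in the copy and paste row but as `Keep at work or Change to personal` in the drag and drop and share rows; use one order throughout so it matches what the dialog shows.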
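Review bot: In [PATCH 4/6] (hunk `@@ -102,64 +102,65 @@`), the VPN row links the text "Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune" to `create-wip-policy-using-intune.md`, which is the same target the series already uses for "Create a Windows Information Protection (WIP) policy using Microsoft Intune". Link text and target disagree; point the link at the VPN policy topic's own file. The merged row "Use WIP on NTFS, FAT, and exFAT systems" names NTFS, but its two steps only exercise FAT or exFAT media, and the earlier step `Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.` has no counterpart, so the cross-file-system case is no longer tested (also "a SD card" should be "an SD card"). The rows "Unenroll client devices from WIP" and "Verify that app content is protected when a Windows 10 Mobile phone is locked" still have no steps; add them or drop the rows until they exist. The file also still ends with `\ No newline at end of file`.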
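Review bot: In [PATCH 6/6], the new change-history entry for `protect-enterprise-data-using-wip.md` ("Updated to include info from the original What's New and Overview topics.") describes a change that no patch in this series makes; the other five patches touch only `testing-scenarios-for-wip.md`. Confirm that update lands in the same publish, or hold this entry until it does, so the change history does not point readers at a topic that has not changed.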