After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives. | -
**Note**
For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution.
+|Off |WIP is turned off and doesn't help to protect or audit your data.
After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives.
**Note**
For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. |
## Why use WIP?
WIP gives you a new way to manage data policy enforcement for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
@@ -75,9 +126,13 @@ WIP gives you a new way to manage data policy enforcement for apps and documents
- **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
-- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
**Note**
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
+- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
+ > **Note**
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
+
+## Turn off WIP
+You can turn off all Windows Information Protection and restrictions, reverting to where you were pre-WIP, with no data loss. However, turning off WIP isn't recommended. If you choose to turn it off, you can always turn it back on, but WIP won't retain your decryption and policies info.
## Next steps
After deciding to use WIP in your enterprise, you need to:
-- [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md)
\ No newline at end of file
+- [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md)
diff --git a/windows/keep-secure/testing-scenarios-for-wip.md b/windows/keep-secure/testing-scenarios-for-wip.md
index e74a83cfad..45737291cf 100644
--- a/windows/keep-secure/testing-scenarios-for-wip.md
+++ b/windows/keep-secure/testing-scenarios-for-wip.md
@@ -1,6 +1,6 @@
---
title: Testing scenarios for Windows Information Protection (WIP) (Windows 10)
-description: We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
+description: A list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
ms.prod: w10
@@ -22,16 +22,145 @@ We've come up with a list of suggested testing scenarios that you can use to tes
## Testing scenarios
You can try any of the processes included in these scenarios, but you should focus on the ones that you might encounter in your organization.
-|Scenario |Processes |
-|---------|----------|
-|Automatically encrypt files from enterprise apps |
**Note**
Some file types, like .exe and .dll, along with some file paths, like `%windir%` and `%programfiles%`, are excluded from automatic encryption.
The app shouldn't be able to access the file.
If your default app association is an app not on your allowed apps list, you should get an **Access Denied** error message.
You should see a WIP-related warning box, asking you to click either **Got it** or **Cancel**.
The content isn't pasted into the non-enterprise app.
The content is pasted into the non-enterprise app.
The content should copy and paste between apps without any warning messages.
You should see a WIP-related warning box, asking you to click either **Drag Anyway** or **Cancel**.
The content isn't dropped into the non-enterprise app.
The content is dropped into the non-enterprise app.
The content should move between the apps without any warning messages.
You should see a WIP-related warning box, asking you to click either **Share Anyway** or **Cancel**.
The content isn't shared into Facebook.
The content is shared into Facebook.
The content should share between the apps without any warning messages.
WIP should encrypt the file to your Enterprise Identity.
The file should be decrypted and the **Lock** icon should disappear.
**Note**
Most Windows-signed components like Windows Explorer (when running in the user’s context), should have access to enterprise data.
A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.
Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.
The device should be removed and all of the enterprise content for that managed account should be gone.
**Important**
Unenrolling a device revokes and erases all of the enterprise data for the managed account.
Scenario | +Processes | +
---|---|
Encrypt and decrypt files using File Explorer. | +For desktop: +
+
|
+
Create work documents in enterprise-allowed apps. | +For desktop: +
+
|
+
Block enterprise data from non-enterprise apps. | +
+
|
+
Copy and paste from enterprise apps to non-enterprise apps. | +
+
|
+
Drag and drop from enterprise apps to non-enterprise apps. | +
+
|
+
Share between enterprise apps and non-enterprise apps. | +
+
|
+
Verify that Windows system components can use WIP. | +
+
|
+
Use WIP on NTFS, FAT, and exFAT systems. | +
+
|
+
Verify your shared files can use WIP. | +
+
|
+
Verify your cloud resources can use WIP. | +
+
|
+
Verify your Virtual Private Network (VPN) can be auto-triggered. | +
+
|
+
Unenroll client devices from WIP. | +
+
|
+
Verify that app content is protected when a Windows 10 Mobile phone is locked. | +
+
|
+