From 1e7c9a3ddc01731249a17f1079f3e8b13a613e7a Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 07:06:31 -0700 Subject: [PATCH 01/12] Added text back in --- ...ate-and-verify-an-efs-dra-certificate.1.md | 90 +++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md new file mode 100644 index 0000000000..03d72f1d40 --- /dev/null +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md @@ -0,0 +1,90 @@ + +--- +title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10) +description: Follow these steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +--- + +# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate +**Applies to:** + +- Windows 10 Insider Preview +- Windows 10 Mobile Preview + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. + +The recovery process included in this topic only works for desktop devices. EDP deletes the data on Windows 10 Mobile devices. + +>**Important**
+If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. + +**To manually create an EFS DRA certificate** + +1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. + +2. Run this command: + + `cipher /r:` + + Where *<EFSRA>* is the name of the .cer and .pfx files that you want to create. + +3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. + + The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. + + >**Important**
+ Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. + +4. Add your EFS DRA certificate to your EDP policy by using either Microsoft Intune or System Center Configuration Manager. + + >**Note**
+ To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic. + +**To verify your data recovery certificate is correctly set up on an EDP client computer** + +1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. + +2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: + + `cipher /c ` + + Where *<filename>* is the name of the file you created in Step 1. + +3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. + +**To recover your data using the EFS DRA certificate in a test environment** + +1. Copy your EDP-encrypted file to a location where you have admin access. + +2. Install the EFSDRA.pfx file, using your password. + +3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: + + `cipher /d ` + + Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. + +**To recover your EDP-protected desktop data after unenrollment** + +1. Have your employee sign in to the unenrolled device, open a command prompt, and type: + + `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW` + + Where *<”new_location”>* is a different location from where you store your recovery data. This location can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that you can reach while logged in as a data recovery agent. + +2. 
Sign in to a different device with administrator credentials that have access to your organization's Data Recovery Agent (DRA) certificate, and perform the file decryption and recovery by typing: + + `cipher.exe /D <“new_location”>` + +3. Sign in to the unenrolled device as the employee, and type: + + `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”` + +4. Ask the employee to log back in to the device or to lock and unlock the device. + + The Windows Credential service automatically recovers the protected data from the `Recovery\Input` location. From 472827a8dd58583098ee0355bbe611e3daefc57c Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 07:10:34 -0700 Subject: [PATCH 02/12] Fixing topic issue --- ...ate-and-verify-an-efs-dra-certificate.1.md | 90 ------------------- 1 file changed, 90 deletions(-) delete mode 100644 windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md deleted file mode 100644 index 03d72f1d40..0000000000 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.1.md +++ /dev/null 
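Review bot: this commit and the next cancel each other out: the file is created here under the odd name `create-and-verify-an-efs-dra-certificate.1.md` and deleted again in PATCH 02, so the pair should be squashed out of the series. If the content is kept anywhere, the first added line of the hunk is an empty line before `---`, which pushes the YAML front matter off line 1 and stops `title`/`description`/`ms.*` from being parsed as metadata. Also note `cipher /r:` is shown with no argument while the explanation refers to *<EFSRA>*, and that placeholder disagrees with the EFSDRA file name used everywhere else in the topic.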
@@ -1,90 +0,0 @@ - ---- -title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10) -description: Follow these steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. -ms.prod: w10 -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security ---- - -# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate -**Applies to:** - -- Windows 10 Insider Preview -- Windows 10 Mobile Preview - -[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] - -If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. - -The recovery process included in this topic only works for desktop devices. EDP deletes the data on Windows 10 Mobile devices. - ->**Important**
-If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. - -**To manually create an EFS DRA certificate** - -1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. - -2. Run this command: - - `cipher /r:` - - Where *<EFSRA>* is the name of the .cer and .pfx files that you want to create. - -3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. - - The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. - - >**Important**
- Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. - -4. Add your EFS DRA certificate to your EDP policy by using either Microsoft Intune or System Center Configuration Manager. - - >**Note**
- To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic. - -**To verify your data recovery certificate is correctly set up on an EDP client computer** - -1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. - -2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: - - `cipher /c ` - - Where *<filename>* is the name of the file you created in Step 1. - -3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. - -**To recover your data using the EFS DRA certificate in a test environment** - -1. Copy your EDP-encrypted file to a location where you have admin access. - -2. Install the EFSDRA.pfx file, using your password. - -3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: - - `cipher /d ` - - Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. - -**To recover your EDP-protected desktop data after unenrollment** - -1. Have your employee sign in to the unenrolled device, open a command prompt, and type: - - `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW` - - Where *<”new_location”>* is a different location from where you store your recovery data. This location can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that you can reach while logged in as a data recovery agent. - -2. 
Sign in to a different device with administrator credentials that have access to your organization's Data Recovery Agent (DRA) certificate, and perform the file decryption and recovery by typing: - - `cipher.exe /D <“new_location”>` - -3. Sign in to the unenrolled device as the employee, and type: - - `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”` - -4. Ask the employee to log back in to the device or to lock and unlock the device. - - The Windows Credential service automatically recovers the protected data from the `Recovery\Input` location. From 1c25b6c8ab4bce0b9a4222d0722be7d35e82a3e4 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 07:13:08 -0700 Subject: [PATCH 03/12] Fixing broken topics --- ...ange-history-for-keep-windows-10-secure.md | 1 + ...reate-and-verify-an-efs-dra-certificate.md | 89 +++++++++++++++++++ 2 files changed, 90 insertions(+) create mode 100644 windows/keep-secure/create-and-verify-an-efs-dra-certificate.md diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 4b25f1edc5..1fe970c712 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic | Description | |----------------------|-------------| +|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |New | |[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |New | |[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New | 
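Review bot: the new change-history row is malformed: it ends with `)]`, leaving a literal `]` after the link, and it has no second cell, whereas every other row in the table carries a `|New |` description. Suggest `|[Create and verify ... certificate](create-and-verify-an-efs-dra-certificate.md) |New |`.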
diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md new file mode 100644 index 0000000000..84de2b4519 --- /dev/null +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -0,0 +1,89 @@ +--- +title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10) +description: Follow these steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +--- + +# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate +**Applies to:** + +- Windows 10 Insider Preview +- Windows 10 Mobile Preview + +[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] + +If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. + +The recovery process included in this topic only works for desktop devices. EDP deletes the data on Windows 10 Mobile devices. + +>**Important**
+If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. + +**To manually create an EFS DRA certificate** + +1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate. + +2. Run this command: + + `cipher /r:` + + Where *<EFSRA>* is the name of the .cer and .pfx files that you want to create. + +3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. + + The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. + + >**Important**
+ Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. + +4. Add your EFS DRA certificate to your EDP policy by using either Microsoft Intune or System Center Configuration Manager. + + >**Note**
+ To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic. + +**To verify your data recovery certificate is correctly set up on an EDP client computer** + +1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. + +2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: + + `cipher /c ` + + Where *<filename>* is the name of the file you created in Step 1. + +3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. + +**To recover your data using the EFS DRA certificate in a test environment** + +1. Copy your EDP-encrypted file to a location where you have admin access. + +2. Install the EFSDRA.pfx file, using your password. + +3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: + + `cipher /d ` + + Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. + +**To recover your EDP-protected desktop data after unenrollment** + +1. Have your employee sign in to the unenrolled device, open a command prompt, and type: + + `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW` + + Where *<”new_location”>* is a different location from where you store your recovery data. This location can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that you can reach while logged in as a data recovery agent. + +2. 
Sign in to a different device with administrator credentials that have access to your organization's Data Recovery Agent (DRA) certificate, and perform the file decryption and recovery by typing: + + `cipher.exe /D <“new_location”>` + +3. Sign in to the unenrolled device as the employee, and type: + + `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”` + +4. Ask the employee to log back in to the device or to lock and unlock the device. + + The Windows Credential service automatically recovers the protected data from the `Recovery\Input` location. From 7df7f72ddd510af164c35612f20beb5d8e8eb400 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 07:22:50 -0700 Subject: [PATCH 04/12] Added DRA topic to TOC --- windows/keep-secure/TOC.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index e2590ac099..027a9f1fa0 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -30,6 +30,7 @@ ##### [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) #### [Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) ### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) +#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] #### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) #### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) #### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) From 401cb6a038cd9ef26bd009665be9ebe35d38657c Mon Sep 17 00:00:00 2001 
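Review bot: the Important note in step 3 gets the security point backwards: it recommends "storing them as a public key (PKI) on a smart card", but the artifact that can decrypt every protected file is the private key inside EFSDRA.pfx; the .cer holds only the public key and is what goes into the policy, so the note should say to keep the .pfx offline under physical and password protection and treat the .cer as distributable. Two command issues remain from the earlier copy: `cipher /r:`, `cipher /c ` and `cipher /d ` are shown without their arguments while the text below each refers to a placeholder, and the placeholder name *<EFSRA>* does not match EFSDRA. The Robocopy lines use typographic quotes (“ ”) and the form `<“new_location”>`; cmd.exe does not treat curly quotes as delimiters and reads `<` as input redirection, so use straight quotes and a plain placeholder. The description still reads "a Encrypting File System", and the TOC entry added in PATCH 04 carries the same trailing `]` as the change-history row.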
From: LizRoss Date: Mon, 18 Jul 2016 07:32:56 -0700 Subject: [PATCH 05/12] Moved topic in TOC --- windows/keep-secure/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 027a9f1fa0..59d9b683d8 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -29,8 +29,8 @@ ##### [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) ##### [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) #### [Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) -### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) #### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] +### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) #### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) #### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) #### [Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) From 4fe90bda85afbb122143c490c251614cb2f8568e Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 07:36:20 -0700 Subject: [PATCH 06/12] Updated to include DRA topic --- windows/keep-secure/overview-create-edp-policy.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/keep-secure/overview-create-edp-policy.md b/windows/keep-secure/overview-create-edp-policy.md index 02e9e28ec7..abd098560f 100644 --- a/windows/keep-secure/overview-create-edp-policy.md +++ b/windows/keep-secure/overview-create-edp-policy.md 
@@ -24,6 +24,7 @@ Microsoft Intune and System Center Configuration Manager Technical Preview versi |------|------------| |[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Intune helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. | |[Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. | +|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |     From 6bc10261524a6452cd066afe5b69d4915154665a Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 18 Jul 2016 08:13:40 -0700 Subject: [PATCH 07/12] changed description slightly --- windows/keep-secure/create-and-verify-an-efs-dra-certificate.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 84de2b4519..1d26215059 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md 
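Review bot: the new overview table row repeats the `)]` typo after the link and "a Encrypting File System" in its description; since PATCH 09 later corrects only TOC.md, this row and the change-history row need the same one-character fix here.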
@@ -1,6 +1,6 @@ --- title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10) -description: Follow these steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. +description: Follow these steps to create, verify, and perform a quick recovery by using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library From 295373c1b741337d166c56e4a302f989a036f40e Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 20 Jul 2016 14:12:17 -0700 Subject: [PATCH 08/12] Updated topic based on tech review --- ...reate-and-verify-an-efs-dra-certificate.md | 60 ++++++++++++------- 1 file changed, 40 insertions(+), 20 deletions(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 1d26215059..eb3965f6f1 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -1,6 +1,7 @@ --- title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10) description: Follow these steps to create, verify, and perform a quick recovery by using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. +keywords: Windows Information Protection, WIP, WIP, Enterprise Data Protection ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library 
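Review bot: the `keywords:` line lists WIP twice (`WIP, WIP`); drop one. The description rewritten in PATCH 07 still says "by using a Encrypting File System", which should be "an Encrypting File System".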
@@ -15,12 +16,12 @@ ms.pagetype: security [Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.] -If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. +If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. -The recovery process included in this topic only works for desktop devices. EDP deletes the data on Windows 10 Mobile devices. +The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices. >**Important**
-If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. +If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx). **To manually create an EFS DRA certificate** @@ -37,30 +38,32 @@ If you already have an EFS DRA certificate for your organization, you can skip c The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. >**Important**
- Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location. + Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. -4. Add your EFS DRA certificate to your EDP policy by using either Microsoft Intune or System Center Configuration Manager. +4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager. >**Note**
- To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic. + To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic. -**To verify your data recovery certificate is correctly set up on an EDP client computer** +**To verify your data recovery certificate is correctly set up on an WIP client computer** -1. Open an app on your protected app list, and then create and save a file so that it’s encrypted by EDP. +1. Find or create a file that's encrypted using Windows Information Protection. For example, you could open an app on your allowed app list, and then create and save a file so it’s encrypted by WIP. -2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: +2. Open an app on your protected app list, and then create and save a file so that it’s encrypted by WIP. + +3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: `cipher /c ` Where *<filename>* is the name of the file you created in Step 1. -3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. +4. 
Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. **To recover your data using the EFS DRA certificate in a test environment** -1. Copy your EDP-encrypted file to a location where you have admin access. +1. Copy your WIP-encrypted file to a location where you have admin access. -2. Install the EFSDRA.pfx file, using your password. +2. Install the EFSDRA.pfx file, using its password. 3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: @@ -68,22 +71,39 @@ If you already have an EFS DRA certificate for your organization, you can skip c Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. -**To recover your EDP-protected desktop data after unenrollment** +**To quickly recover WIP-protected desktop data after unenrollment** +It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps. + +>**Important**
To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device. 1. Have your employee sign in to the unenrolled device, open a command prompt, and type: - `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW` + `Robocopy “%localappdata%\Microsoft\WIP\Recovery” <“new_location”> /EFSRAW` - Where *<”new_location”>* is a different location from where you store your recovery data. This location can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that you can reach while logged in as a data recovery agent. + Where *<”new_location”>* is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent. -2. Sign in to a different device with administrator credentials that have access to your organization's Data Recovery Agent (DRA) certificate, and perform the file decryption and recovery by typing: +2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing: `cipher.exe /D <“new_location”>` -3. Sign in to the unenrolled device as the employee, and type: +3. Have your employee sign in to the unenrolled device, and type: + + `Robocopy <”new_location”> “%localappdata%\Microsoft\WIP\Recovery\Input”` + +4. Ask the employee to lock and unlock the device. + + The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. 
+ +## Related topics +- [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx) + +- [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx) + +- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) + +- [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) + +- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/en-us/library/cc875821.aspx#EJAA) - `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”` -4. Ask the employee to log back in to the device or to lock and unlock the device. - The Windows Credential service automatically recovers the protected data from the `Recovery\Input` location. From 56f2bb27c97968abedd87bc6543f40a3629bf770 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 20 Jul 2016 14:22:07 -0700 Subject: [PATCH 09/12] Fixed typo --- windows/keep-secure/TOC.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 59d9b683d8..86c984bbe8 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
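Review bot: in the verification procedure, steps 1 and 2 now describe the same action (find or create a WIP-encrypted file, then open an app and create a file), and step 3 still points at "the file you created in Step 1"; drop step 2 and renumber. The heading also reads "on an WIP client computer" (should be "a WIP client computer").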
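Review bot: in the recovery-after-unenrollment procedure, the new Important note says to run the process only after the employee has re-enrolled the device, yet steps 1 and 3 still say "sign in to the unenrolled device"; the steps should say "re-enrolled device" so the reader does not run the procedure in the state the note forbids. The Robocopy and `cipher.exe /D` lines keep the typographic quotes and `<“new_location”>` form, which cmd.exe will not parse as intended. The recovery path changes from `%localappdata%\Microsoft\EDP\Recovery` to `...\WIP\Recovery` while every linked topic keeps its `edp` file name; please confirm the folder name against the build this topic targets.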
@@ -29,7 +29,7 @@ ##### [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) ##### [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md) #### [Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) -#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] +#### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) ### [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md) #### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) #### [Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) From e6ca478c43c5b69593cdee2c0b43bc5af4b756cc Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 20 Jul 2016 14:26:51 -0700 Subject: [PATCH 10/12] Added spacing --- windows/keep-secure/create-and-verify-an-efs-dra-certificate.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index eb3965f6f1..a2e26f0b66 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -71,7 +71,7 @@ If you already have an EFS DRA certificate for your organization, you can skip c Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. -**To quickly recover WIP-protected desktop data after unenrollment** +**To quickly recover WIP-protected desktop data after unenrollment**
It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps. >**Important**
To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device. From c0e1575f37b597d4c3b0349170049c15b022db37 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 06:59:22 -0700 Subject: [PATCH 11/12] Updated with note about expired DRA certs --- windows/keep-secure/create-and-verify-an-efs-dra-certificate.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index a2e26f0b66..5f9b52ebf2 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -21,7 +21,7 @@ If you don’t already have an EFS DRA certificate, you’ll need to create and The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices. >**Important**
-If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx). +If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx).

If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy. **To manually create an EFS DRA certificate** From 6c16831ff5860de735e0f9bae5de1806dbe72d87 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 21 Jul 2016 07:30:54 -0700 Subject: [PATCH 12/12] Updated --- ...change-history-for-keep-windows-10-secure.md | 2 +- windows/manage/manage-cortana-in-enterprise.md | 17 +++++++++-------- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 1fe970c712..1292a8cbbc 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,7 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic | Description | |----------------------|-------------| -|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] +|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |New | |[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |New | |[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |New | |[Create an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |New | diff --git a/windows/manage/manage-cortana-in-enterprise.md b/windows/manage/manage-cortana-in-enterprise.md index b44e4c4920..98ed3188ee 100644 --- a/windows/manage/manage-cortana-in-enterprise.md +++ b/windows/manage/manage-cortana-in-enterprise.md 
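Review bot: the added sentence "you won't be able to encrypt your files with it" is imprecise and leaves out the recovery consequence. Users never encrypt with the DRA certificate; EFS wraps each file's key for the DRA named in the recovery policy, and an expired certificate in that policy is what stops new files from being encrypted. The sentence should also tell the reader to keep the expired certificate's .pfx, because its private key still decrypts files that were protected while it was the DRA; as written, an admin who creates the replacement and discards the old one loses the only key that can recover the older data. Suggested wording: "If your DRA certificate has expired, users can no longer encrypt new files while it's the DRA in your policy. Create a new certificate using the steps in this topic, deploy it through policy, and keep the expired certificate's .pfx so you can still recover files encrypted while it was in effect."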
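Review bot: the stray `]` after `create-and-verify-an-efs-dra-certificate.md)` that patch 09 removed from TOC.md is still present on the `+` row of the change-history table here (`...dra-certificate.md)] |New |`); it renders as a literal bracket after the link. Drop it in this hunk so the two files agree.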
@@ -50,14 +50,15 @@ Set up and manage Cortana by using the following Group Policy and mobile device |Group policy |MDM policy |Description | |-------------|-----------|------------| -|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana.

**Note**
Employees can still perform searches even with Cortana turned off. | -|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization |Privacy/AllowInput Personalization |Specifies whether to turn on automatic learning, which allows the collection of speech and handwriting patterns, typing history, contacts, and recent calendar information. It is required for the use of Cortana.

**Important**
Cortana won’t work if this setting is turned off (disabled). | -|None |System/AllowLocation |Specifies whether to allow app access to the Location service. | -|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |None |Specifies whether search can perform queries on the web and if the web results are displayed in search.

**Important**
Cortana won’t work if this setting is turned off (disabled). | -|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUse Location |Specifies whether search and Cortana can provide location aware search and Cortana results.

**Important**
Cortana won’t work if this setting is turned off (disabled). | -|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearch Permissions |Specifies what level of safe search (filtering adult content) is required.

**Note**
This setting only applies to Windows 10 Mobile. | -|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box |None |Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference.

**Important**
Cortana won’t work if this setting is turned off (disabled). | -|User Configuration\Administrative Templates\Start Menu and Taskbar\Do not search communications |None |Specifies whether the Start menu search box searches communications.

**Important**
Cortana won’t work if this setting is turned off (disabled). | +|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock |AboveLock/AllowCortanaAboveLock |Specifies whether an employee can interact with Cortana using voice commands when the system is locked.

**Note**
This setting only applies to Windows 10 for desktop devices. | +|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow input personalization |Privacy/AllowInputPersonalization |Specifies whether an employee can use voice commands with Cortana in the enterprise.

**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).

**In Windows 10, version 1607 and later**
Cortana still works if this setting is turned off (disabled). | +|None |System/AllowLocation |Specifies whether to allow app access to the Location service.

**In Windows 10, version 1511**
Cortana won’t work if this setting is turned off (disabled).

**In Windows 10, version 1607 and later**
Cortana still works if this setting is turned off (disabled). | +|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.

Use this setting if you only want to support Azure AD in your organization. | +|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUseLocation |Specifies whether Cortana can use your current location during searches and for location reminders. | +|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearchPermissions |Specifies what level of safe search (filtering adult content) is required.

**Note**
This setting only applies to Windows 10 Mobile. | +|User Configuration\Administrative Templates\Windows Components\File Explorer\Turn off display of recent search entries in the File Explorer search box |None |Specifies whether the search box can suggest recent queries and prevent entries from being stored in the registry for future reference. | +|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |None |Specifies whether search can perform queries on the web and if the web results are displayed in search.

**In Windows 10 Pro edition**
This setting can’t be managed.

**In Windows 10 Enterprise edition**
Cortana won't work if this setting is turned off (disabled). | +|Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana |Experience/AllowCortana |Specifies whether employees can use Cortana.

**Important**
Cortana won’t work if this setting is turned off (disabled). However, employees can still perform local searches even with Cortana turned off. | **More info:** - For specific info about how to set, manage, and use each of these MDM policies to configure Cortana in your enterprise, see the [Policy CSP](http://go.microsoft.com/fwlink/p/?LinkId=717380) topic, located in the configuration service provider reference topics. For specific info about how to set, manage, and use each of these Group Policies to configure Cortana in your enterprise, see the [Group Policy TechCenter](http://go.microsoft.com/fwlink/p/?LinkId=717381).
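Review bot: the new AllowCortanaAboveLock row lists the CSP-style name (`Windows Components\Search\AllowCortanaAboveLock`) in the Group Policy column, while every other row in that column uses the policy's display name as shown in the Group Policy editor (`Allow Cortana`, `Allow search and Cortana to use location`); use the display name here too, or an admin searching the editor for the string in the table will not find it. The rewritten Allow input personalization row also lost the one security-relevant fact the old row carried: what the setting collects (speech and handwriting patterns, typing history, contacts, recent calendar information). Since the 1607 note now says Cortana works without it, that collection description is the only reason left for an admin to care about the setting, so keep it. Finally, the above-lock row's description is the place to say plainly that enabling it allows voice commands on a locked device, which is the decision the policy exists for. The MDM column fix-ups in this hunk (`AllowInputPersonalization`, `AllowSearchToUseLocation`, `SafeSearchPermissions` without the stray spaces) look right.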