See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:
+See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:
diff --git a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
index 1bf6c06da4..60a66db5c9 100644
--- a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
+++ b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
@@ -40,7 +40,7 @@ You can add apps to your Windows Information Protection (WIP) protected app list
5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
>[!Note]
- >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
+ >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.
If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules.
@@ -67,8 +67,9 @@ You can add apps to your Windows Information Protection (WIP) protected app list
```
-15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.
-After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic.
+15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.
+
+ After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic.
## Add Desktop apps
1. Open the Local Security Policy snap-in (SecPol.msc).
@@ -91,7 +92,7 @@ After saving the policy, you’ll need to deploy it to your employee’s devices
>You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
>[!Note]
- >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.
If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
+ >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.
If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules.
diff --git a/windows/keep-secure/bitlocker-group-policy-settings.md b/windows/keep-secure/bitlocker-group-policy-settings.md
index 8f5aa0a1af..252b46ba59 100644
--- a/windows/keep-secure/bitlocker-group-policy-settings.md
+++ b/windows/keep-secure/bitlocker-group-policy-settings.md
@@ -37,6 +37,7 @@ The following policy settings can be used to determine how a BitLocker-protected
- [Require additional authentication at startup](#bkmk-unlockpol1)
- [Allow enhanced PINs for startup](#bkmk-unlockpol2)
- [Configure minimum PIN length for startup](#bkmk-unlockpol3)
+- [Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked)
- [Disallow standard users from changing the PIN or password](#bkmk-dpinchange)
- [Configure use of passwords for operating system drives](#bkmk-ospw)
- [Require additional authentication at startup (Windows Server 2008 and Windows Vista)](#bkmk-unlockpol4)
@@ -355,6 +356,24 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
+### Disable new DMA devices when this computer is locked
+
+This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI ports until a user signs in to Windows.
+
+| | |
+|--------------------|----------------------|
+| Policy description | This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys. |
+| Introduced | Windows 10, version 1703 |
+| Drive type | Operating system drives |
+| Policy path | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
+| Conflicts | None |
+| When enabled | Every time the user locks the screen, DMA will be blocked on hot pluggable PCI ports until the user signs in again. |
+| When disabled or not configured | DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.|
+
+**Reference**
+
+This policy setting is only enforced when BitLocker or device encyption is enabled.
+
### Disallow standard users from changing the PIN or password
This policy setting allows you to configure whether standard users are allowed to change the PIN or password that is used to protect the operating system drive.
diff --git a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
index 8ef29a6be5..399486b886 100644
--- a/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/configure-proxy-internet-windows-defender-advanced-threat-protection.md
@@ -45,7 +45,7 @@ Configure a registry-based static proxy to allow only Windows Defender ATP senso
The static proxy is configurable through Group Policy (GP). The group policy can be found under: **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**.
-The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DisableEnterpriseAuthProxy`.
+The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DisableEnterpriseAuthProxy\DataCollection`.
The registry value `TelemetryProxyServer` takes the following string format:
diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
index 6fd0497318..ab2695ebf7 100644
--- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
@@ -21,7 +21,7 @@ If you don’t already have an EFS DRA certificate, you’ll need to create and
The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices.
>[!IMPORTANT]
->If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).
If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
+>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).
If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
**To manually create an EFS DRA certificate**
@@ -71,7 +71,8 @@ The recovery process included in this topic only works for desktop devices. WIP
Where *encryptedfile.extension* is the name of your encrypted file. For example, corporatedata.docx.
-**To quickly recover WIP-protected desktop data after unenrollment**
+**To quickly recover WIP-protected desktop data after unenrollment**
+
It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps.
>[!IMPORTANT]
@@ -95,7 +96,8 @@ It's possible that you might revoke data from an unenrolled device only to later
The Windows Credential service automatically recovers the employee’s previously revoked keys from the Recovery\Input location.
-**To quickly recover WIP-protected desktop data in a cloud-based environment**
+**To quickly recover WIP-protected desktop data in a cloud-based environment**
+
If you use a cloud environment in your organization, you may still want to restore an employee's data after revocation. While much of the process is the same as when you're not in a cloud environment, there are a couple of differences.
>[!IMPORTANT]
@@ -135,5 +137,7 @@ If you use a cloud environment in your organization, you may still want to resto
- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA)
-
**Note**
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
+
+>[!Note]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md
index 5a51f50d60..91b8f3df68 100644
--- a/windows/keep-secure/create-wip-policy-using-sccm.md
+++ b/windows/keep-secure/create-wip-policy-using-sccm.md
@@ -387,7 +387,7 @@ There are no default locations included with WIP, you must add each of your netw
| Enterprise Cloud Resources |
With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.comWithout proxy: contoso.sharepoint.com|contoso.visualstudio.com |
- Specify the cloud resources to be treated as corporate and protected by WIP. For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>. If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the /*AppCompat*/ string to this setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ |
+ Specify the cloud resources to be treated as corporate and protected by WIP. For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>. Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/. |
| Enterprise Network Domain Names (Required) |
@@ -493,10 +493,10 @@ After you’ve created your WIP policy, you'll need to deploy it to your organiz
- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708225)
- [How to Deploy Configuration Baselines in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708226)
->[!NOTE]
->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
-
## Related topics
- [System Center Configuration Manager and Endpoint Protection (Version 1606)](https://go.microsoft.com/fwlink/p/?LinkId=717372)
- [TechNet documentation for Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=691623)
-- [Manage mobile devices with Configuration Manager and Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=691624)
\ No newline at end of file
+- [Manage mobile devices with Configuration Manager and Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=691624)
+
+>[!NOTE]
+>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/keep-secure/deploy-wip-policy-using-intune.md b/windows/keep-secure/deploy-wip-policy-using-intune.md
index c9977fec21..76abd68b76 100644
--- a/windows/keep-secure/deploy-wip-policy-using-intune.md
+++ b/windows/keep-secure/deploy-wip-policy-using-intune.md
@@ -25,13 +25,15 @@ After you’ve created your Windows Information Protection (WIP) policy, you'll
-2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.
-The added people move to the **Selected Groups** list on the right-hand pane.
+2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.
+
+ The added people move to the **Selected Groups** list on the right-hand pane.
-3. After you've picked all of the employees and groups that should get the policy, click **OK**.
-The policy is deployed to the selected users' devices.
+3. After you've picked all of the employees and groups that should get the policy, click **OK**.
+
+ The policy is deployed to the selected users' devices.
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md
index edb6564532..27d6a611ae 100644
--- a/windows/keep-secure/limitations-with-wip.md
+++ b/windows/keep-secure/limitations-with-wip.md
@@ -27,18 +27,18 @@ This table provides info about the most common problems you might encounter whil
| Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration. |
- If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703. If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. |
- Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited. We strongly recommend educating employees about how to limit or eliminate the need for this decryption. |
+ If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.
If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. |
+ Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.
We strongly recommend educating employees about how to limit or eliminate the need for this decryption. |
| Direct Access is incompatible with WIP. |
Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource. |
- We recommend that you use VPN for client access to your intranet resources. Note
VPN is optional and isn’t required by WIP. |
+ We recommend that you use VPN for client access to your intranet resources.
Note
VPN is optional and isn’t required by WIP. |
- | NetworkIsolation Group Policy setting is incompatible with WIP. |
- The NetworkIsolation Group Policy setting has incompatible network settings that can conflict and cause problems with WIP. |
- We recommend that you don’t use the NetworkIsolation Group Policy setting. |
+ NetworkIsolation Group Policy setting takes precedence over MDM Policy settings. |
+ The NetworkIsolation Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured. |
+ If you use both Group Policy and MDM to configure your NetworkIsolation settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM. |
| Cortana can potentially allow data leakage if it’s on the allowed apps list. |
@@ -55,8 +55,8 @@ This table provides info about the most common problems you might encounter whil
An app might fail to properly install because it can’t read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action. |
To fix this, you can:
- - Start the installer directly from the file share.
-OR-
- - Decrypt the locally copied files needed by the installer.
-OR-
+ - Start the installer directly from the file share.
-OR-
+ - Decrypt the locally copied files needed by the installer.
-OR-
- Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as Authoritative and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list.
|
@@ -68,7 +68,7 @@ This table provides info about the most common problems you might encounter whil
| Redirected folders with Client Side Caching are not compatible with WIP. |
Apps might encounter access errors while attempting to read a cached, offline file. |
- Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business. Note
For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/kb/3187045). |
+ Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.
Note
For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/kb/3187045). |
| You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer. |
@@ -78,7 +78,7 @@ This table provides info about the most common problems you might encounter whil
| ActiveX controls should be used with caution. |
Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP. |
- We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology. For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking). |
+ We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.
For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking). |
| WIP isn’t turned on if any of the following folders have the MakeFolderAvailableOfflineDisabled option set to False:
@@ -99,7 +99,7 @@ This table provides info about the most common problems you might encounter whil
|
WIP isn’t turned on for employees in your organization. |
- Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders. If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection). |
+ Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.
If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection). |
diff --git a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
index 9a231875f8..b632c08944 100644
--- a/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/keep-secure/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -117,4 +117,4 @@ If you're running Windows Defender as the primary antimalware product on your en
If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information, see [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy).
->Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-abovefoldlink1)
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-minreq-belowfoldlink1)
diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md
index 0a8a8d62ea..265ffe048d 100644
--- a/windows/keep-secure/protect-enterprise-data-using-wip.md
+++ b/windows/keep-secure/protect-enterprise-data-using-wip.md
@@ -28,7 +28,7 @@ You’ll need this software to run WIP in your enterprise:
|Operating system | Management solution |
|-----------------|---------------------|
-|Windows 10, version 1607 or later | Microsoft IntuneAfter you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.
| Create work documents in enterprise-allowed apps. |
- For desktop:
+ | For desktop:
- - Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.
Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.Important
Certain file types like .exe and .dll, along with certain file paths, such as %windir% and %programfiles% are excluded from automatic encryption. For more info about your Enterprise Identity and adding apps to your allowed apps list, see either [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using Microsoft System Center Configuration Manager](create-wip-policy-using-sccm.md), based on your deployment system.
+ - Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.
Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.
Important
Certain file types like .exe and .dll, along with certain file paths, such as %windir% and %programfiles% are excluded from automatic encryption.
For more info about your Enterprise Identity and adding apps to your allowed apps list, see either [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using Microsoft System Center Configuration Manager](create-wip-policy-using-sccm.md), based on your deployment system.
- For mobile:
+ For mobile:
- Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as Work to a local, work-related location.
Make sure the document is encrypted, by locating the Briefcase icon next to the file name.
- Open the same document and attempt to save it to a non-work-related location.
WIP should stop you from saving the file to this location.
@@ -104,7 +104,7 @@ You can try any of the processes included in these scenarios, but you should foc
- Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.
Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.
- Open File Explorer and make sure your modified files are appearing with a Lock icon.
- - Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.
Note
Most Windows-signed components like File Explorer (when running in the user’s context), should have access to enterprise data. A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
+ - Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.
Note
Most Windows-signed components like File Explorer (when running in the user’s context), should have access to enterprise data.
A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.
|
@@ -133,7 +133,7 @@ You can try any of the processes included in these scenarios, but you should foc