Merge remote-tracking branch 'refs/remotes/origin/master' into live

This commit is contained in:
LizRoss 2017-04-13 10:02:49 -07:00
commit 8e4dd841e4
14 changed files with 85 additions and 52 deletions

View File

@ -216,7 +216,7 @@ Before any change to the disk is made, MBR2GPT validates the layout and geometry
- There are at most 3 primary partitions in the MBR partition table - There are at most 3 primary partitions in the MBR partition table
- One of the partitions is set as active and is the system partition - One of the partitions is set as active and is the system partition
- The BCD store on the system partition contains a default OS entry pointing to an OS partition - The BCD store on the system partition contains a default OS entry pointing to an OS partition
- The volume IDs can retrieved for each volume which has a drive letter assigned - The volume IDs can be retrieved for each volume which has a drive letter assigned
- All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option - All partitions on the disk are of MBR types recognized by Windows or has a mapping specified using the /map command-line option
If any of these checks fails, the conversion will not proceed and an error will be returned. If any of these checks fails, the conversion will not proceed and an error will be returned.

View File

@ -2,7 +2,7 @@
title: Resolve Windows 10 upgrade errors - Windows IT Pro title: Resolve Windows 10 upgrade errors - Windows IT Pro
description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors. description: Resolve Windows 10 upgrade errors for ITPros. Technical information for IT professionals to help diagnose Windows setup errors.
ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502 ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502
keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback keywords: deploy, error, troubleshoot, windows, 10, upgrade, code, rollback, ITPro
ms.prod: w10 ms.prod: w10
ms.mktglfcycl: deploy ms.mktglfcycl: deploy
ms.sitesec: library ms.sitesec: library
@ -560,11 +560,13 @@ For more information, see [How to perform a clean boot in Windows](https://suppo
</TABLE> </TABLE>
### 0x800xxxxx ### 0x800xxxxx
Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly. Result codes starting with the digits 0x800 are also important to understand. These error codes indicate general operating system errors, and are not unique to the Windows upgrade process. Examples include timeouts, devices not functioning, and a process stopping unexpectedly.
<P>See the following general troubleshooting procedures associated with a result code of 0x800xxxxx: See the following general troubleshooting procedures associated with a result code of 0x800xxxxx:
<TABLE border=1 cellspacing=0 cellpadding=0> <TABLE border=1 cellspacing=0 cellpadding=0>

View File

@ -40,7 +40,7 @@ You can add apps to your Windows Information Protection (WIP) protected app list
5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules. 5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
>[!Note] >[!Note]
>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule. >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<br><br>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
6. In the **Review Rules** screen, look over your rules to make sure theyre right, and then click **Create** to add them to your collection of rules. 6. In the **Review Rules** screen, look over your rules to make sure theyre right, and then click **Create** to add them to your collection of rules.
@ -67,8 +67,9 @@ You can add apps to your Windows Information Protection (WIP) protected app list
<RuleCollection Type="Appx" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection> <RuleCollection Type="Appx" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection>
``` ```
15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.<p> 15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic.
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic.
## Add Desktop apps ## Add Desktop apps
1. Open the Local Security Policy snap-in (SecPol.msc). 1. Open the Local Security Policy snap-in (SecPol.msc).
@ -91,7 +92,7 @@ After saving the policy, youll need to deploy it to your employees devices
>You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future. >You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
>[!Note] >[!Note]
>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.<p>Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed. >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<br><br>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.<br><br>Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
6. In the **Review Rules** screen, look over your rules to make sure theyre right, and then click **Create** to add them to your collection of rules. 6. In the **Review Rules** screen, look over your rules to make sure theyre right, and then click **Create** to add them to your collection of rules.

View File

@ -37,6 +37,7 @@ The following policy settings can be used to determine how a BitLocker-protected
- [Require additional authentication at startup](#bkmk-unlockpol1) - [Require additional authentication at startup](#bkmk-unlockpol1)
- [Allow enhanced PINs for startup](#bkmk-unlockpol2) - [Allow enhanced PINs for startup](#bkmk-unlockpol2)
- [Configure minimum PIN length for startup](#bkmk-unlockpol3) - [Configure minimum PIN length for startup](#bkmk-unlockpol3)
- [Disable new DMA devices when this computer is locked](#disable-new-dma-devices-when-this-computer-is-locked)
- [Disallow standard users from changing the PIN or password](#bkmk-dpinchange) - [Disallow standard users from changing the PIN or password](#bkmk-dpinchange)
- [Configure use of passwords for operating system drives](#bkmk-ospw) - [Configure use of passwords for operating system drives](#bkmk-ospw)
- [Require additional authentication at startup (Windows Server 2008 and Windows Vista)](#bkmk-unlockpol4) - [Require additional authentication at startup (Windows Server 2008 and Windows Vista)](#bkmk-unlockpol4)
@ -355,6 +356,24 @@ This policy setting is used to set a minimum PIN length when you use an unlock m
This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits. This policy setting is applied when you turn on BitLocker. The startup PIN must have a minimum length of 4 digits and can have a maximum length of 20 digits.
### Disable new DMA devices when this computer is locked
This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI ports until a user signs in to Windows.
| | |
|--------------------|----------------------|
| Policy description | This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys. |
| Introduced | Windows 10, version 1703 |
| Drive type | Operating system drives |
| Policy path | Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
| Conflicts | None |
| When enabled | Every time the user locks the screen, DMA will be blocked on hot pluggable PCI ports until the user signs in again. |
| When disabled or not configured | DMA is available on hot pluggable PCI devices if the device is turned on, regardless of whether a user is signed in.|
**Reference**
This policy setting is only enforced when BitLocker or device encyption is enabled.
### <a href="" id="bkmk-dpinchange"></a>Disallow standard users from changing the PIN or password ### <a href="" id="bkmk-dpinchange"></a>Disallow standard users from changing the PIN or password
This policy setting allows you to configure whether standard users are allowed to change the PIN or password that is used to protect the operating system drive. This policy setting allows you to configure whether standard users are allowed to change the PIN or password that is used to protect the operating system drive.

View File

@ -45,7 +45,7 @@ Configure a registry-based static proxy to allow only Windows Defender ATP senso
The static proxy is configurable through Group Policy (GP). The group policy can be found under: **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**. The static proxy is configurable through Group Policy (GP). The group policy can be found under: **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**.
The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DisableEnterpriseAuthProxy`. The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DisableEnterpriseAuthProxy\DataCollection`.
The registry value `TelemetryProxyServer` takes the following string format: The registry value `TelemetryProxyServer` takes the following string format:

View File

@ -21,7 +21,7 @@ If you dont already have an EFS DRA certificate, youll need to create and
The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices. The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices.
>[!IMPORTANT] >[!IMPORTANT]
>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).<p>If your DRA certificate has expired, you wont be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy. >If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).<br><br>If your DRA certificate has expired, you wont be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
**To manually create an EFS DRA certificate** **To manually create an EFS DRA certificate**
@ -71,7 +71,8 @@ The recovery process included in this topic only works for desktop devices. WIP
Where *encryptedfile.extension* is the name of your encrypted file. For example, corporatedata.docx. Where *encryptedfile.extension* is the name of your encrypted file. For example, corporatedata.docx.
**To quickly recover WIP-protected desktop data after unenrollment**<br> **To quickly recover WIP-protected desktop data after unenrollment**
It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps. It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps.
>[!IMPORTANT] >[!IMPORTANT]
@ -95,7 +96,8 @@ It's possible that you might revoke data from an unenrolled device only to later
The Windows Credential service automatically recovers the employees previously revoked keys from the <code>Recovery\Input</code> location. The Windows Credential service automatically recovers the employees previously revoked keys from the <code>Recovery\Input</code> location.
**To quickly recover WIP-protected desktop data in a cloud-based environment**<br> **To quickly recover WIP-protected desktop data in a cloud-based environment**
If you use a cloud environment in your organization, you may still want to restore an employee's data after revocation. While much of the process is the same as when you're not in a cloud environment, there are a couple of differences. If you use a cloud environment in your organization, you may still want to restore an employee's data after revocation. While much of the process is the same as when you're not in a cloud environment, there are a couple of differences.
>[!IMPORTANT] >[!IMPORTANT]
@ -135,5 +137,7 @@ If you use a cloud environment in your organization, you may still want to resto
- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA) - [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA)
<p>**Note**<br>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
>[!Note]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

View File

@ -387,7 +387,7 @@ There are no default locations included with WIP, you must add each of your netw
<tr> <tr>
<td>Enterprise Cloud Resources</td> <td>Enterprise Cloud Resources</td>
<td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td> <td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the <code>/*AppCompat*/</code> string to this setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/*AppCompat*/</code></td> <td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows cant tell whether its attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.</td>
</tr> </tr>
<tr> <tr>
<td>Enterprise Network Domain Names (Required)</td> <td>Enterprise Network Domain Names (Required)</td>
@ -493,10 +493,10 @@ After youve created your WIP policy, you'll need to deploy it to your organiz
- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708225) - [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708225)
- [How to Deploy Configuration Baselines in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708226) - [How to Deploy Configuration Baselines in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708226)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
## Related topics ## Related topics
- [System Center Configuration Manager and Endpoint Protection (Version 1606)](https://go.microsoft.com/fwlink/p/?LinkId=717372) - [System Center Configuration Manager and Endpoint Protection (Version 1606)](https://go.microsoft.com/fwlink/p/?LinkId=717372)
- [TechNet documentation for Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=691623) - [TechNet documentation for Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=691623)
- [Manage mobile devices with Configuration Manager and Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=691624) - [Manage mobile devices with Configuration Manager and Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=691624)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

View File

@ -25,13 +25,15 @@ After youve created your Windows Information Protection (WIP) policy, you'll
![Microsoft Intune: Click the Manage Deployment link from the Configuration Policies screen](images/intune-managedeployment.png) ![Microsoft Intune: Click the Manage Deployment link from the Configuration Policies screen](images/intune-managedeployment.png)
2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.<p> 2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.
The added people move to the **Selected Groups** list on the right-hand pane.
The added people move to the **Selected Groups** list on the right-hand pane.
![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-groupselection.png) ![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-groupselection.png)
3. After you've picked all of the employees and groups that should get the policy, click **OK**.<p> 3. After you've picked all of the employees and groups that should get the policy, click **OK**.
The policy is deployed to the selected users' devices.
The policy is deployed to the selected users' devices.
>[!NOTE] >[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

View File

@ -27,18 +27,18 @@ This table provides info about the most common problems you might encounter whil
</tr> </tr>
<tr> <tr>
<td>Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.</td> <td>Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.</td>
<td><strong>If youre using Azure RMS:</strong> Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.<p><strong>If youre not using Azure RMS:</strong> Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.</td> <td><strong>If youre using Azure RMS:</strong> Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.<br><br><strong>If youre not using Azure RMS:</strong> Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.</td>
<td>Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.<p>We strongly recommend educating employees about how to limit or eliminate the need for this decryption.</td> <td>Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.<br><br>We strongly recommend educating employees about how to limit or eliminate the need for this decryption.</td>
</tr> </tr>
<tr> <tr>
<td>Direct Access is incompatible with WIP.</td> <td>Direct Access is incompatible with WIP.</td>
<td>Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isnt a corporate network resource.</td> <td>Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isnt a corporate network resource.</td>
<td>We recommend that you use VPN for client access to your intranet resources.<p><strong>Note</strong><br>VPN is optional and isnt required by WIP.</td> <td>We recommend that you use VPN for client access to your intranet resources.<br><br><strong>Note</strong><br>VPN is optional and isnt required by WIP.</td>
</tr> </tr>
<tr> <tr>
<td><strong>NetworkIsolation</strong> Group Policy setting is incompatible with WIP.</td> <td><strong>NetworkIsolation</strong> Group Policy setting takes precedence over MDM Policy settings.</td>
<td>The <strong>NetworkIsolation</strong> Group Policy setting has incompatible network settings that can conflict and cause problems with WIP.</td> <td>The <strong>NetworkIsolation</strong> Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured.</td>
<td>We recommend that you dont use the NetworkIsolation Group Policy setting.</td> <td>If you use both Group Policy and MDM to configure your <strong>NetworkIsolation</strong> settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM.</td>
</tr> </tr>
<tr> <tr>
<td>Cortana can potentially allow data leakage if its on the allowed apps list.</td> <td>Cortana can potentially allow data leakage if its on the allowed apps list.</td>
@ -55,8 +55,8 @@ This table provides info about the most common problems you might encounter whil
<td>An app might fail to properly install because it cant read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action.</td> <td>An app might fail to properly install because it cant read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action.</td>
<td>To fix this, you can: <td>To fix this, you can:
<ul> <ul>
<li>Start the installer directly from the file share.<p>-OR-</li> <li>Start the installer directly from the file share.<br><br>-OR-<br><br></li>
<li>Decrypt the locally copied files needed by the installer.<p>-OR-</li> <li>Decrypt the locally copied files needed by the installer.<br><br>-OR-<br><br></li>
<li>Mark the file share with the installation media as “personal”. To do this, youll need to set the Enterprise IP ranges as <strong>Authoritative</strong> and then exclude the IP address of the file server, or youll need to put the file server on the Enterprise Proxy Server list.</li> <li>Mark the file share with the installation media as “personal”. To do this, youll need to set the Enterprise IP ranges as <strong>Authoritative</strong> and then exclude the IP address of the file server, or youll need to put the file server on the Enterprise Proxy Server list.</li>
</ul></td> </ul></td>
</tr> </tr>
@ -68,7 +68,7 @@ This table provides info about the most common problems you might encounter whil
<tr> <tr>
<td>Redirected folders with Client Side Caching are not compatible with WIP.</td> <td>Redirected folders with Client Side Caching are not compatible with WIP.</td>
<td>Apps might encounter access errors while attempting to read a cached, offline file.</td> <td>Apps might encounter access errors while attempting to read a cached, offline file.</td>
<td>Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.<p><strong>Note</strong><br>For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/kb/3187045).</td> <td>Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.<br><br><strong>Note</strong><br>For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/kb/3187045).</td>
</tr> </tr>
<tr> <tr>
<td>You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.</td> <td>You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.</td>
@ -78,7 +78,7 @@ This table provides info about the most common problems you might encounter whil
<tr> <tr>
<td>ActiveX controls should be used with caution.</td> <td>ActiveX controls should be used with caution.</td>
<td>Webpages that use ActiveX controls can potentially communicate with other outside processes that arent protected by using WIP.</td> <td>Webpages that use ActiveX controls can potentially communicate with other outside processes that arent protected by using WIP.</td>
<td>We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.<p>For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).</td> <td>We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.<br><br>For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).</td>
</tr> </tr>
<tr> <tr>
<td>WIP isnt turned on if any of the following folders have the <strong>MakeFolderAvailableOfflineDisabled</strong> option set to <strong>False</strong>: <td>WIP isnt turned on if any of the following folders have the <strong>MakeFolderAvailableOfflineDisabled</strong> option set to <strong>False</strong>:
@ -99,7 +99,7 @@ This table provides info about the most common problems you might encounter whil
</ul> </ul>
</td> </td>
<td>WIP isnt turned on for employees in your organization.</td> <td>WIP isnt turned on for employees in your organization.</td>
<td>Dont set the <strong>MakeFolderAvailableOfflineDisabled</strong> option to <strong>False</strong> for any of the specified folders.<p>If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection).</td> <td>Dont set the <strong>MakeFolderAvailableOfflineDisabled</strong> option to <strong>False</strong> for any of the specified folders.<br><br>If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection).</td>
</tr> </tr>
</table> </table>

View File

@ -117,4 +117,4 @@ If you're running Windows Defender as the primary antimalware product on your en
If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information, see [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy). If you're running a third-party antimalware client and use Mobile Device Management solutions or System Center Configuration Manager (current branch) version 1606, you'll need to ensure that the Windows Defender ELAM driver is enabled. For more information, see [Ensure that Windows Defender is not disabled by policy](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md#ensure-that-windows-defender-is-not-disabled-by-a-policy).
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-abovefoldlink1) >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=technet-wd-atp-minreq-belowfoldlink1)

View File

@ -28,7 +28,7 @@ Youll need this software to run WIP in your enterprise:
|Operating system | Management solution | |Operating system | Management solution |
|-----------------|---------------------| |-----------------|---------------------|
|Windows 10, version 1607 or later | Microsoft Intune<br>-OR-<br>System Center Configuration Manager<br>-OR-<br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.| |Windows 10, version 1607 or later | Microsoft Intune<br><br>-OR-<br><br>System Center Configuration Manager<br><br>-OR-<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.|
## What is enterprise data control? ## What is enterprise data control?
Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people cant share anything and its all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure. Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people cant share anything and its all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure.
@ -94,7 +94,8 @@ WIP gives you a new way to manage data policy enforcement for apps and documents
- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable. - **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
>**Note**<br>For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.<br>System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. >[!Note]
>For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.<br>System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
## How WIP works ## How WIP works
WIP helps address your everyday challenges in the enterprise. Including: WIP helps address your everyday challenges in the enterprise. Including:
@ -129,7 +130,7 @@ You can set your WIP policy to use 1 of 4 protection and management modes:
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organizations network.| |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organizations network.|
|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). | |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](https://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that wouldve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that wouldve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
|Off |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isnt automatically reapplied if you turn WIP protection back on.<p>**Note**<br>For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. | |Off |WIP is turned off and doesn't help to protect or audit your data.<br><br>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isnt automatically reapplied if you turn WIP protection back on.<br><br>**Note**<br>For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. |
## Turn off WIP ## Turn off WIP
You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isnt recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info wont be automatically reapplied. You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isnt recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info wont be automatically reapplied.

View File

@ -29,12 +29,12 @@ You can try any of the processes included in these scenarios, but you should foc
</tr> </tr>
<tr> <tr>
<td>Encrypt and decrypt files using File Explorer.</td> <td>Encrypt and decrypt files using File Explorer.</td>
<td><strong>For desktop:</strong><p> <td><strong>For desktop:</strong><br><br>
<ol> <ol>
<li>Open File Explorer, right-click a work document, and then click <strong>Work</strong> from the <strong>File Ownership</strong> menu.<br>Make sure the file is encrypted by right-clicking the file again, clicking <strong>Advanced</strong> from the <strong>General</strong> tab, and then clicking <strong>Details</strong> from the <strong>Compress or Encrypt attributes</strong> area. The file should show up under the heading, <strong>This enterprise domain can remove or revoke access:</strong> <em>&lt;your_enterprise_identity&gt;</em>. For example, contoso.com.</li> <li>Open File Explorer, right-click a work document, and then click <strong>Work</strong> from the <strong>File Ownership</strong> menu.<br>Make sure the file is encrypted by right-clicking the file again, clicking <strong>Advanced</strong> from the <strong>General</strong> tab, and then clicking <strong>Details</strong> from the <strong>Compress or Encrypt attributes</strong> area. The file should show up under the heading, <strong>This enterprise domain can remove or revoke access:</strong> <em>&lt;your_enterprise_identity&gt;</em>. For example, contoso.com.</li>
<li>In File Explorer, right-click the same document, and then click <strong>Personal</strong> from the <strong>File Ownership</strong> menu.<br>Make sure the file is decrypted by right-clicking the file again, clicking <strong>Advanced</strong> from the <strong>General</strong> tab, and then verifying that the <strong>Details</strong> button is unavailable.</li> <li>In File Explorer, right-click the same document, and then click <strong>Personal</strong> from the <strong>File Ownership</strong> menu.<br>Make sure the file is decrypted by right-clicking the file again, clicking <strong>Advanced</strong> from the <strong>General</strong> tab, and then verifying that the <strong>Details</strong> button is unavailable.</li>
</ol> </ol>
<strong>For mobile:</strong><p> <strong>For mobile:</strong><br><br>
<ol> <ol>
<li>Open the File Explorer app, browse to a file location, click the elipsis (...), and then click <strong>Select</strong> to mark at least one file as work-related.</li> <li>Open the File Explorer app, browse to a file location, click the elipsis (...), and then click <strong>Select</strong> to mark at least one file as work-related.</li>
<li>Click the elipsis (...) again, click <strong>File ownership</strong> from the drop down menu, and then click <strong>Work</strong>.<br>Make sure the file is encrypted, by locating the <strong>Briefcase</strong> icon next to the file name.</li> <li>Click the elipsis (...) again, click <strong>File ownership</strong> from the drop down menu, and then click <strong>Work</strong>.<br>Make sure the file is encrypted, by locating the <strong>Briefcase</strong> icon next to the file name.</li>
@ -44,11 +44,11 @@ You can try any of the processes included in these scenarios, but you should foc
</tr> </tr>
<tr> <tr>
<td>Create work documents in enterprise-allowed apps.</td> <td>Create work documents in enterprise-allowed apps.</td>
<td><strong>For desktop:</strong><p> <td><strong>For desktop:</strong><br><br>
<ul> <ul>
<li>Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.<br>Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.<p><strong>Important</strong><br>Certain file types like <code>.exe</code> and <code>.dll</code>, along with certain file paths, such as <code>%windir%</code> and <code>%programfiles%</code> are excluded from automatic encryption.<p>For more info about your Enterprise Identity and adding apps to your allowed apps list, see either [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using Microsoft System Center Configuration Manager](create-wip-policy-using-sccm.md), based on your deployment system.</li> <li>Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.<br>Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.<br><br><strong>Important</strong><br>Certain file types like <code>.exe</code> and <code>.dll</code>, along with certain file paths, such as <code>%windir%</code> and <code>%programfiles%</code> are excluded from automatic encryption.<br><br>For more info about your Enterprise Identity and adding apps to your allowed apps list, see either [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using Microsoft System Center Configuration Manager](create-wip-policy-using-sccm.md), based on your deployment system.</li>
</ul> </ul>
<strong>For mobile:</strong><p> <strong>For mobile:</strong><br><br>
<ol> <ol>
<li>Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as <strong>Work</strong> to a local, work-related location.<br>Make sure the document is encrypted, by locating the <strong>Briefcase</strong> icon next to the file name.</li> <li>Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as <strong>Work</strong> to a local, work-related location.<br>Make sure the document is encrypted, by locating the <strong>Briefcase</strong> icon next to the file name.</li>
<li>Open the same document and attempt to save it to a non-work-related location.<br>WIP should stop you from saving the file to this location.</li> <li>Open the same document and attempt to save it to a non-work-related location.<br>WIP should stop you from saving the file to this location.</li>
@ -104,7 +104,7 @@ You can try any of the processes included in these scenarios, but you should foc
<ol> <ol>
<li>Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.<br>Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.</li> <li>Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.<br>Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.</li>
<li>Open File Explorer and make sure your modified files are appearing with a <strong>Lock</strong> icon.</li> <li>Open File Explorer and make sure your modified files are appearing with a <strong>Lock</strong> icon.</li>
<li>Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.<p><strong>Note</strong><br>Most Windows-signed components like File Explorer (when running in the users context), should have access to enterprise data.<p>A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.</li> <li>Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.<br><br><strong>Note</strong><br>Most Windows-signed components like File Explorer (when running in the users context), should have access to enterprise data.<br><br>A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.</li>
</ol> </ol>
</td> </td>
</tr> </tr>
@ -133,7 +133,7 @@ You can try any of the processes included in these scenarios, but you should foc
<ol> <ol>
<li>Add both Internet Explorer 11 and Microsoft Edge to your allowed apps list.</li> <li>Add both Internet Explorer 11 and Microsoft Edge to your allowed apps list.</li>
<li>Open SharePoint (or another cloud resource that's part of your policy) and access a WIP-enabled resource by using both IE11 and Microsoft Edge.<br>Both browsers should respect the enterprise and personal boundary.</li> <li>Open SharePoint (or another cloud resource that's part of your policy) and access a WIP-enabled resource by using both IE11 and Microsoft Edge.<br>Both browsers should respect the enterprise and personal boundary.</li>
<li>Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.<br>IE11 shouldn't be able to access the sites.<p><strong>Note</strong><br>Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as <strong>Work</strong>.</li> <li>Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.<br>IE11 shouldn't be able to access the sites.<br><br><strong>Note</strong><br>Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as <strong>Work</strong>.</li>
</ol> </ol>
</td> </td>
</tr> </tr>
@ -141,7 +141,7 @@ You can try any of the processes included in these scenarios, but you should foc
<td>Verify your Virtual Private Network (VPN) can be auto-triggered.</td> <td>Verify your Virtual Private Network (VPN) can be auto-triggered.</td>
<td> <td>
<ol> <ol>
<li>Set up your VPN network to start based on the <strong>WIPModeID</strong> setting.<br>For specific info about how to do this, see the [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-wip-policy-using-intune.md) topic.</li> <li>Set up your VPN network to start based on the <strong>WIPModeID</strong> setting.<br>For specific info about how to do this, see the [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) topic.</li>
<li>Start an app from your allowed apps list.<br>The VPN network should automatically start.</li> <li>Start an app from your allowed apps list.<br>The VPN network should automatically start.</li>
<li>Disconnect from your network and then start an app that isn't on your allowed apps list.<br>The VPN shouldn't start and the app shouldn't be able to access your enterprise network.</li> <li>Disconnect from your network and then start an app that isn't on your allowed apps list.<br>The VPN shouldn't start and the app shouldn't be able to access your enterprise network.</li>
</ol> </ol>
@ -151,7 +151,7 @@ You can try any of the processes included in these scenarios, but you should foc
<td>Unenroll client devices from WIP.</td> <td>Unenroll client devices from WIP.</td>
<td> <td>
<ul> <ul>
<li>Unenroll a device from WIP by going to <strong>Settings</strong>, click <strong>Accounts</strong>, click <strong>Work</strong>, click the name of the device you want to unenroll, and then click <strong>Remove</strong>.<br>The device should be removed and all of the enterprise content for that managed account should be gone.<p><strong>Important</strong><br>On desktop devices, the data isn't removed and can be recovered, so you must make sure they content is marked as <strong>Revoked</strong> and that access is denied for the employee. On mobile devices, the data is removed.</li> <li>Unenroll a device from WIP by going to <strong>Settings</strong>, click <strong>Accounts</strong>, click <strong>Work</strong>, click the name of the device you want to unenroll, and then click <strong>Remove</strong>.<br>The device should be removed and all of the enterprise content for that managed account should be gone.<br><br><strong>Important</strong><br>On desktop devices, the data isn't removed and can be recovered, so you must make sure they content is marked as <strong>Revoked</strong> and that access is denied for the employee. On mobile devices, the data is removed.</li>
</ul> </ul>
</td> </td>
</tr> </tr>

View File

@ -27,6 +27,8 @@ localizationpriority: high
Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks. Windows Defender Advanced Threat Protection (Windows Defender ATP) is a security service that enables enterprise customers to detect, investigate, and respond to advanced threats on their networks.
Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see (Windows Defender ATP for Windows 10 Creators Update)[https://technet.microsoft.com/en-au/windows/mt782787].
Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service: Windows Defender ATP uses the following combination of technology built into Windows 10 and Microsoft's robust cloud service:
- **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors - **Endpoint behavioral sensors**: Embedded in Windows 10, these sensors

View File

@ -121,6 +121,8 @@ New features in Windows Defender Advanced Threat Protection (ATP) for Windows 10
You can read more about ransomware mitigations and detection capability in Windows Defender Advanced Threat Protection in the blog: [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/). You can read more about ransomware mitigations and detection capability in Windows Defender Advanced Threat Protection in the blog: [Averting ransomware epidemics in corporate networks with Windows Defender ATP](https://blogs.technet.microsoft.com/mmpc/2017/01/30/averting-ransomware-epidemics-in-corporate-networks-with-windows-defender-atp/).
Get a quick, but in-depth overview of Windows Defender ATP for Windows 10 and the new capabilities in Windows 10, version 1703 see (Windows Defender ATP for Windows 10 Creators Update)[https://technet.microsoft.com/en-au/windows/mt782787].
### Windows Defender Antivirus ### Windows Defender Antivirus
Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](../keep-secure/windows-defender-antivirus-in-windows-10.md). Windows Defender is now called Windows Defender Antivirus, and we've [increased the breadth of the documentation library for enterprise security admins](../keep-secure/windows-defender-antivirus-in-windows-10.md).