From 8e751df01ab4c5a8439d2a3616c0e0d68a7f4db3 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Fri, 5 Apr 2019 10:42:01 -0700 Subject: [PATCH] added row for Windir --- .../limitations-with-wip.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 1e633ed77d..a3f036e9f4 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -12,7 +12,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 03/06/2019 +ms.date: 04/05/2019 ms.localizationpriority: medium --- 
@@ -124,7 +124,24 @@ This table provides info about the most common problems you might encounter whil If all apps need to be managed, enroll the device for MDM. + + By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encypted by one user, other users can't access it. + + Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner. + + If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it. + + >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). + + +Anywhere under c:windows\* is a design. We don’t want you to shoot yourself in the foot. We don’t want that encrypted to a specific user because it’s used y all windows users. If you are logged in as one admin user and another user signs in as a diff admin user, they have no way to elevate to get the encrypted data. + +If it’s in windir, they will not encrypt if it was already there. If there is a file in the dir and you try to encrypt it, it will fail. But if you drag and drop to there, it will retain encryption. That honors the intent of the owner. So if you redirect OneDrive to C:windows\temp, the files will not get encrypted. They won’t change it. + +Put in the limitations section, add a section that says this is by design + +Workaround,
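Review bot: The added lines after the `[!NOTE]` block at the end of the second hunk, from "Anywhere under c:windows\* is a design." through the trailing "Workaround,", read as unedited working notes and should be dropped from the patch, leaving only the new table row. They include the authoring instruction "Put in the limitations section, add a section that says this is by design" and an unfinished last line, and they would be published below the contribution note as-is. In the new row itself, "encypted" should be "encrypted", and "C:/Windows" would read better as "C:\Windows" to match Windows path notation. The first cell gives "other users can't access it" as the reason for the restriction, while the workaround cell recommends copying an encrypted file into the directory; consider saying in the workaround that a file copied this way stays encrypted to its owner, so the reader does not expect other users to be able to open it.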