diff --git a/windows/keep-secure/block-untrusted-fonts-in-enterprise.md b/windows/keep-secure/block-untrusted-fonts-in-enterprise.md index b174fc875f..032ef98517 100644 --- a/windows/keep-secure/block-untrusted-fonts-in-enterprise.md +++ b/windows/keep-secure/block-untrusted-fonts-in-enterprise.md @@ -20,8 +20,7 @@ There are 3 ways to use this feature: - **On.** Helps stop any font processed using GDI from loading outside of the `%windir%/Fonts` directory. It also turns on event logging. -- **Audit.** Turns on event logging, but doesn’t block fonts from loading, regardless of location. The name of the apps that use untrusted fonts appear in your event log.
-**Note**
If you aren’t quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues.
+- **Audit.** Turns on event logging, but doesn’t block fonts from loading, regardless of location. The name of the apps that use untrusted fonts appear in your event log.
**Note** The **Add or Edit Enterprise Network Locations box** closes.
3. In the **Use a data recovery certificate in case of data loss** box, click **Browse** to add a data recovery certificate for your policy. Adding a data recovery certificate helps you to access locally-protected files on the device. For example, if an employee leaves the company and the IT department has to access EDP-protected data from a Windows 10 company computer. This can also help recover data in case an employee's device is accidentally revoked. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.
- 
+ 
## Choose your optional EDP-related settings
After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional EDP settings.
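Review bot: in the re-added **Audit.** bullet of block-untrusted-fonts-in-enterprise.md, "The name of the apps that use untrusted fonts appear in your event log" pairs a singular subject with a plural verb. Since the line is being rewritten anyway, suggest "The names of the apps that use untrusted fonts appear in your event log." The hunk also removes the standalone `**Note**` line; please confirm the label still appears ahead of the Audit-mode guidance in the rendered page.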
@@ -320,7 +320,7 @@ After you've decided where your protected apps can access enterprise data on you
- **Protect app content when the device is in a locked state for the apps configured above.** Clicking **Yes** lets EDP help to secure protected app content when a mobile device is locked. We recommend turning this option on to help prevent data leaks from things such as email text that appears on the **Lock** screen of a Windows 10 Mobile phone.
- 
+ 
2. Click **Save Policy**.
diff --git a/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md b/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md
index 8fffdbba98..42c19efa73 100644
--- a/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md
+++ b/windows/keep-secure/create-vpn-and-edp-policy-using-intune.md
@@ -1,38 +1,38 @@
---
title: Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune (Windows 10)
description: After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy.
-ms.assetid: D0EABA4F-6D7D-4AE4-8044-64680A40CF6B
+ms.assetid: d0eaba4f-6d7d-4ae4-8044-64680a40cf6b
keywords: ["EDP", "Enterprise Data Protection"]
ms.prod: W10
ms.mktglfcycl: explore
ms.sitesec: library
-author: brianlic-msft
+author: eross-msft
---
# Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune
-
-
**Applies to:**
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
-\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\]
+[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.]
After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy.
## Create your VPN policy using Microsoft Intune
-
-
Follow these steps to create the VPN policy you want to use with EDP.
**To create your VPN policy**
1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
-2. Go to **Windows**, click the **VPN Profile (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
+2. Go to **Windows**, click the **VPN Profile (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
-3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
+ 
+
+3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
+
+ 
4. In the **VPN Settings** area, type the following info:
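Review bot: the front matter changes `ms.assetid` to a lower-cased GUID and `author` from brianlic-msft to eross-msft in the same hunk as whitespace cleanup, and nothing in the visible diff explains either. Suggest calling both out in the commit description, and confirming that whatever consumes `ms.assetid` compares it case-insensitively so the page keeps its identity. The pre-release disclaimer also loses its `\[` and `\]` escapes; that renders the same only as long as no reference-link definition matches the bracketed text.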
@@ -44,47 +44,44 @@ Follow these steps to create the VPN policy you want to use with EDP.
- **Server IP address or FQDN.** The server's IP address or fully-qualified domain name (FQDN).
- 
+ 
-5. In the **Authentication** area, choose the authentication method that matches your VPN infrastructure, either **Username and Password** or **Certificates**.
+5. In the **Authentication** area, choose the authentication method that matches your VPN infrastructure, either **Username and Password** or **Certificates**.
+It's your choice whether you check the box to **Remember the user credentials at each logon**.
- It's your choice whether you check the box to **Remember the user credentials at each logon**.
-
- 
+ 
6. You can leave the rest of the default or blank settings, and then click **Save Policy**.
## Deploy your VPN policy using Microsoft Intune
-
-
After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your enterprise data protection (EDP) policy.
**To deploy your VPN policy**
1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
-2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.
+2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.
+The added people move to the **Selected Groups** list on the right-hand pane.
- The added people move to the **Selected Groups** list on the right-hand pane.
+ 
- 
-
-3. After you've picked all of the employees and groups that should get the policy, click **OK**.
-
- The policy is deployed to the selected users' devices.
+3. After you've picked all of the employees and groups that should get the policy, click **OK**.
+The policy is deployed to the selected users' devices.
## Link your EDP and VPN policies and deploy the custom configuration policy
-
-
The final step to making your VPN configuration work with EDP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **EdpModeID** setting, and then deploying the policy to the same group you deployed your EDP and VPN policies
**To link your VPN policy**
1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
-2. Go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
+2. Go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
-3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
+ 
+
+3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
+
+ 
4. In the **OMA-URI Settings** area, click **Add** to add your **EdpModeID** info.
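Review bot: the continuation lines under step 5 of the create procedure and steps 2 and 3 of the deploy procedure ("It's your choice whether...", "The added people move to...", "The policy is deployed to...") lose their indentation. Written flush-left directly under the numbered item, they stay inside the step only as lazy continuation, and they run into the step's own sentence unless that line ends in a hard break; keeping them indented under the item is more robust. While step 5 is being touched, "It's your choice whether you check the box to **Remember the user credentials at each logon**" gives an admin nothing to decide with; a sentence on what remembering credentials means for a shared or lost device would help.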
@@ -94,11 +91,11 @@ The final step to making your VPN configuration work with EDP, is to link your t
- **Data type.** Pick the **String** data type.
- - **OMA-URI.** Type ./Vendor/MSFT/VPNv2/*<your\_edp\_policy\_name>*/EdpModeId, replacing *<your\_edp\_policy\_name>* with the name you gave to your EDP policy. For example, ./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/EdpModeId.
+ - **OMA-URI.** Type `./Vendor/MSFT/VPNv2/
+The added people move to the **Selected Groups** list on the right-hand pane.
- The added people move to the **Selected Groups** list on the right-hand pane.
+ 
- 
-
-3. After you've picked all of the employees and groups that should get the policy, click **OK**.
-
- The policy is deployed to the selected users' devices.
+3. After you've picked all of the employees and groups that should get the policy, click **OK**.
+The policy is deployed to the selected users' devices.
## Related topics
-
-
-[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md)
-
-[General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md)
+- [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md)
+-[Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)
+- [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md)
+- [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md)
If you aren’t quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues.
- **Exclude apps to load untrusted fonts.** You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see [Fix apps having problems because of blocked fonts](#fix-apps-having-problems-because-of-blocked-fonts).
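Review bot: in the new **Related topics** list of create-vpn-and-edp-policy-using-intune.md, `-[Add multiple apps to your enterprise data protection (EDP) Protected Apps list]` has no space after the hyphen, so it will not render as a list item like its neighbours; make it `- [Add multiple apps ...`. The list also adds a link to create-vpn-and-edp-policy-using-intune.md, which is the file being edited, so the page would link to itself; suggest dropping that entry.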
@@ -94,9 +93,9 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa
**To fix your apps by excluding processes**
-1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\ Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\