mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-15 18:33:43 +00:00
Updating after conversion
@ -20,8 +20,7 @@ There are 3 ways to use this feature:
|
||||
|
||||
- **On.** Helps stop any font processed using GDI from loading outside of the `%windir%/Fonts` directory. It also turns on event logging.
|
||||
|
||||
- **Audit.** Turns on event logging, but doesn’t block fonts from loading, regardless of location. The name of the apps that use untrusted fonts appear in your event log.<p>
|
||||
**Note**<br>If you aren’t quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues.
|
||||
- **Audit.** Turns on event logging, but doesn’t block fonts from loading, regardless of location. The name of the apps that use untrusted fonts appear in your event log.<p>**Note**<br>If you aren’t quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues.
|
||||
|
||||
- **Exclude apps to load untrusted fonts.** You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see [Fix apps having problems because of blocked fonts](#fix-apps-having-problems-because-of-blocked-fonts).
|
||||
|
||||
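Review bot: In the merged **Audit.** bullet, the `<p>` is never closed and the note is attached with raw `<p>**Note**<br>`, so the layout depends on the renderer tolerating inline HTML inside a list item. An indented continuation paragraph under the bullet gives the same result in plain Markdown. While the line is being touched, "The name of the apps that use untrusted fonts appear" should read "The names of the apps that use untrusted fonts appear".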
@ -94,9 +93,9 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa
|
||||
|
||||
**To fix your apps by excluding processes**
|
||||
|
||||
1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\ Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<process_image_name>`. Like, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\ Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`.
|
||||
1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<process_image_name>`. Like, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`.
|
||||
|
||||
2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using steps 2 and 3 in [Turn on and use the Blocking Untrusted Fonts feature.](#turn-on-and-use-the-blocking-untrusted-fonts-feature)
|
||||
2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using steps 2 and 3 in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature).
|
||||
|
||||
|
||||
|
||||
|
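Review bot: Step 1 keeps the colloquial "Like, if you want to exclude Microsoft Word processes, you'd use" in the rewritten line. "For example, to exclude Microsoft Word processes, use" matches the register of the rest of the topic. Because the exclusion key is named only by `<process_image_name>`, step 2 ("Add any additional processes that need to be excluded here") would also benefit from a sentence telling admins to limit the list to the apps identified as having problems with blocked fonts, since every entry is a process where the feature no longer applies.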
@ -43,11 +43,11 @@ After you’ve installed and set up Intune for your organization, you must creat
|
||||
|
||||
3. Go to **Windows**, click the **Enterprise Data Protection (Windows 10 and Mobile and later) policy**, pick the EDP template, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
|
||||
|
||||

|
||||

|
||||
|
||||
4. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
|
||||
|
||||

|
||||

|
||||
|
||||
## Add individual apps to your Protected App list
|
||||
During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
|
||||
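Review bot: The new image targets in this hunk, for example `(..\images\intune-createnewpolicy.png)`, use a backslash as the path separator. In Markdown the backslash is an escape character and it is not a URL path separator, so these links resolve only on renderers that normalise Windows paths. Use `../images/intune-createnewpolicy.png` instead. The same applies to every other `..\images\` link introduced by this commit.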
@ -89,7 +89,7 @@ The steps to add your apps are based on the type of app it is; either a Universa
|
||||
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
|
||||
}
|
||||
```
|
||||

|
||||

|
||||
|
||||
**To find the Publisher and Product name values for apps installed on Windows 10 Mobile phones**
|
||||
|
||||
@ -157,7 +157,7 @@ The steps to add your apps are based on the type of app it is; either a Universa
|
||||
</tr>
|
||||
</table>
|
||||
|
||||

|
||||

|
||||
|
||||
If you’re unsure about what to include for the publisher, you can run this PowerShell command:
|
||||
|
||||
@ -237,7 +237,7 @@ We recommend that you start with **Silent** or **Override** while verifying with
|
||||
</tr>
|
||||
</table>
|
||||
|
||||

|
||||

|
||||
|
||||
## Define your enterprise-managed identity domains
|
||||
Specify your company’s enterprise identity, expressed as your primary internet domain. For example, if your company is Contoso, its enterprise identity might be contoso.com. The first listed domain (in this example, contoso.com) is the primary enterprise identity string used to tag files protected by any app on the **Protected App** list.
|
||||
@ -246,7 +246,7 @@ You can also specify all the domains owned by your enterprise that are used for
|
||||
|
||||
This list of managed identity domains, along with the primary domain, make up the identity of your managing enterprise. User identities (user@domain) that end in any of the domains on this list, are considered managed.
|
||||
|
||||

|
||||

|
||||
|
||||
**To add your primary domain**
|
||||
|
||||
@ -301,13 +301,13 @@ After you've added a protection mode to your apps, you'll need to decide where t
|
||||
</tr>
|
||||
</table>
|
||||
|
||||

|
||||

|
||||
|
||||
2. Add as many locations as you need, and then click **OK**.<p>The **Add or Edit Enterprise Network Locations box** closes.
|
||||
|
||||
3. In the **Use a data recovery certificate in case of data loss** box, click **Browse** to add a data recovery certificate for your policy.<p>Adding a data recovery certificate helps you to access locally-protected files on the device. For example, if an employee leaves the company and the IT department has to access EDP-protected data from a Windows 10 company computer. This can also help recover data in case an employee's device is accidentally revoked. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.<p>
|
||||
|
||||

|
||||

|
||||
|
||||
## Choose your optional EDP-related settings
|
||||
After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional EDP settings.
|
||||
@ -320,7 +320,7 @@ After you've decided where your protected apps can access enterprise data on you
|
||||
|
||||
- **Protect app content when the device is in a locked state for the apps configured above.** Clicking **Yes** lets EDP help to secure protected app content when a mobile device is locked. We recommend turning this option on to help prevent data leaks from things such as email text that appears on the **Lock** screen of a Windows 10 Mobile phone.
|
||||
|
||||

|
||||

|
||||
|
||||
2. Click **Save Policy**.
|
||||
|
||||
|
@ -1,38 +1,38 @@
|
||||
---
|
||||
title: Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune (Windows 10)
|
||||
description: After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy.
|
||||
ms.assetid: D0EABA4F-6D7D-4AE4-8044-64680A40CF6B
|
||||
ms.assetid: d0eaba4f-6d7d-4ae4-8044-64680a40cf6b
|
||||
keywords: ["EDP", "Enterprise Data Protection"]
|
||||
ms.prod: W10
|
||||
ms.mktglfcycl: explore
|
||||
ms.sitesec: library
|
||||
author: brianlic-msft
|
||||
author: eross-msft
|
||||
---
|
||||
|
||||
# Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10 Insider Preview
|
||||
- Windows 10 Mobile Preview
|
||||
|
||||
\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\]
|
||||
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.]</span>
|
||||
|
||||
After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy.
|
||||
|
||||
## Create your VPN policy using Microsoft Intune
|
||||
|
||||
|
||||
Follow these steps to create the VPN policy you want to use with EDP.
|
||||
|
||||
**To create your VPN policy**
|
||||
|
||||
1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
|
||||
|
||||
2. Go to **Windows**, click the **VPN Profile (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
|
||||
2. Go to **Windows**, click the **VPN Profile (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
|
||||
|
||||
3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
|
||||

|
||||
|
||||
3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
|
||||
|
||||

|
||||
|
||||
4. In the **VPN Settings** area, type the following info:
|
||||
|
||||
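Review bot: The pre-release disclaimer is now wrapped in `<span style="color:#ED1C24;">`, which hard-codes a colour in the content and drops the escaping on the surrounding brackets (`\[ ... \]` became `[ ... ]`). Inline styles are commonly stripped by sanitising renderers, and an unescaped `[...]` can be picked up as a link reference if a matching label ever exists. Keeping the escaped brackets and expressing the emphasis through the doc set's note convention would avoid both. The lowercased `ms.assetid` and the `author` change look fine as metadata-only edits.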
@ -44,47 +44,44 @@ Follow these steps to create the VPN policy you want to use with EDP.
|
||||
|
||||
- **Server IP address or FQDN.** The server's IP address or fully-qualified domain name (FQDN).
|
||||
|
||||

|
||||

|
||||
|
||||
5. In the **Authentication** area, choose the authentication method that matches your VPN infrastructure, either **Username and Password** or **Certificates**.
|
||||
5. In the **Authentication** area, choose the authentication method that matches your VPN infrastructure, either **Username and Password** or **Certificates**.<p>
|
||||
It's your choice whether you check the box to **Remember the user credentials at each logon**.
|
||||
|
||||
It's your choice whether you check the box to **Remember the user credentials at each logon**.
|
||||
|
||||

|
||||

|
||||
|
||||
6. You can leave the rest of the default or blank settings, and then click **Save Policy**.
|
||||
|
||||
## Deploy your VPN policy using Microsoft Intune
|
||||
|
||||
|
||||
After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your enterprise data protection (EDP) policy.
|
||||
|
||||
**To deploy your VPN policy**
|
||||
|
||||
1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
|
||||
|
||||
2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.
|
||||
2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.<p>
|
||||
The added people move to the **Selected Groups** list on the right-hand pane.
|
||||
|
||||
The added people move to the **Selected Groups** list on the right-hand pane.
|
||||

|
||||
|
||||

|
||||
|
||||
3. After you've picked all of the employees and groups that should get the policy, click **OK**.
|
||||
|
||||
The policy is deployed to the selected users' devices.
|
||||
3. After you've picked all of the employees and groups that should get the policy, click **OK**.<p>
|
||||
The policy is deployed to the selected users' devices.
|
||||
|
||||
## Link your EDP and VPN policies and deploy the custom configuration policy
|
||||
|
||||
|
||||
The final step to making your VPN configuration work with EDP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **EdpModeID** setting, and then deploying the policy to the same group you deployed your EDP and VPN policies
|
||||
|
||||
**To link your VPN policy**
|
||||
|
||||
1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
|
||||
|
||||
2. Go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
|
||||
2. Go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
|
||||
|
||||
3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
|
||||

|
||||
|
||||
3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
|
||||
|
||||

|
||||
|
||||
4. In the **OMA-URI Settings** area, click **Add** to add your **EdpModeID** info.
|
||||
|
||||
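Review bot: Steps 5, 2 and 3 in this hunk now end with a bare `<p>` ("...or **Certificates**.<p>", "...click **Add**.<p>", "...click **OK**.<p>") to force the follow-on sentence into the list item, and the tag is never closed. An indented continuation paragraph under each numbered step is the Markdown-native way to do this and does not depend on HTML passthrough. Two smaller points on the surrounding text: "It's your choice whether you check the box to **Remember the user credentials at each logon**" gives the admin no basis for the decision, so a sentence on when caching VPN credentials is appropriate would help, and the intro paragraph of the linking section ends "...deployed your EDP and VPN policies" without a period.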
@ -94,11 +91,11 @@ The final step to making your VPN configuration work with EDP, is to link your t
|
||||
|
||||
- **Data type.** Pick the **String** data type.
|
||||
|
||||
- **OMA-URI.** Type ./Vendor/MSFT/VPNv2/*<your\_edp\_policy\_name>*/EdpModeId, replacing *<your\_edp\_policy\_name>* with the name you gave to your EDP policy. For example, ./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/EdpModeId.
|
||||
- **OMA-URI.** Type `./Vendor/MSFT/VPNv2/<your_edp_policy_name>/EdpModeId`, replacing *<your\_edp\_policy\_name>* with the name you gave to your EDP policy. For example, `./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/EdpModeId`.
|
||||
|
||||
- **Value.** Your fully-qualified domain that should be used by the OMA-URI setting.
|
||||
|
||||

|
||||

|
||||
|
||||
6. Click **OK** to save your new OMA-URI setting, and then click **Save Policy.**
|
||||
|
||||
|
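Review bot: In the rewritten **OMA-URI** bullet the placeholder is described as "the name you gave to your EDP policy", but the example that follows, `./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/EdpModeId`, has a VPN profile name in that position. Please confirm which name belongs under `./Vendor/MSFT/VPNv2/` and make the placeholder and the example agree, because a wrong segment here means the setting is written to a node that does not match the deployed profile and the link between the two policies silently fails. The prose also still refers to the placeholder as `*<your\_edp\_policy\_name>*` (escaped italics) while the URI itself is now a code span; use the same code-span form in both places.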
@ -1,23 +1,21 @@
|
||||
---
|
||||
title: Deploy your enterprise data protection (EDP) policy using Microsoft Intune (Windows 10)
|
||||
description: After you’ve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices.
|
||||
ms.assetid: 9C4A01E7-0B1C-4F15-95D0-0389F0686211
|
||||
ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211
|
||||
keywords: ["EDP", "Enterprise Data Protection"]
|
||||
ms.prod: W10
|
||||
ms.mktglfcycl: explore
|
||||
ms.sitesec: library
|
||||
author: brianlic-msft
|
||||
author: eross-msft
|
||||
---
|
||||
|
||||
# Deploy your enterprise data protection (EDP) policy using Microsoft Intune
|
||||
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10 Insider Preview
|
||||
- Windows 10 Mobile Preview
|
||||
|
||||
\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\]
|
||||
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.]</span>
|
||||
|
||||
After you’ve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
|
||||
|
||||
@ -25,24 +23,21 @@ After you’ve created your enterprise data protection (EDP) policy, you'll need
|
||||
|
||||
1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
|
||||
|
||||

|
||||

|
||||
|
||||
2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.
|
||||
2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.<p>
|
||||
The added people move to the **Selected Groups** list on the right-hand pane.
|
||||
|
||||
The added people move to the **Selected Groups** list on the right-hand pane.
|
||||

|
||||
|
||||

|
||||
|
||||
3. After you've picked all of the employees and groups that should get the policy, click **OK**.
|
||||
|
||||
The policy is deployed to the selected users' devices.
|
||||
3. After you've picked all of the employees and groups that should get the policy, click **OK**.<p>
|
||||
The policy is deployed to the selected users' devices.
|
||||
|
||||
## Related topics
|
||||
|
||||
|
||||
[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md)
|
||||
|
||||
[General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md)
|
||||
- [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md)
|
||||
-[Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)
|
||||
- [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md)
|
||||
- [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md)
|
||||
|
||||
|
||||
|
||||
|
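Review bot: In the new **Related topics** list, the second entry is written `-[Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)` with no space after the hyphen, so it will not be parsed as a list item and will render as a literal "-" attached to the link. Add the space so it matches the other three entries. The trailing `<p>` added to steps 2 and 3 above is also never closed; an indented continuation paragraph would be more robust.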