Merge remote-tracking branch 'refs/remotes/origin/master' into jdvpn

2025-06-20 12:53:38 +00:00 · 2016-09-26 11:11:47 -07:00
parent 567e6d1e58 b702b3f061
commit 994b357c57
30 changed files with 321 additions and 347 deletions
--- a/windows/keep-secure/TOC.md
+++ b/windows/keep-secure/TOC.md
@ -35,6 +35,7 @@
 #### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
 #### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md)
 #### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
+#### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)
 ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md)
 ## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md)
 ## [VPN technical guide](vpn-guide.md)
--- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md
+++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md
@ -16,6 +16,9 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md

 | New or changed topic | Description |
 | --- | --- |
+|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) | New |
+|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the networking table to clarify details around Enterprise Cloud Resources and Enterprise Proxy Servers. |
+|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |Updated the networking table to clarify details around Enterprise Cloud Resources and Enterprise Proxy Servers. |
 | [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) | Clarified how convenience PIN works in Windows 10, version 1607, on domain-joined PCs |
 | [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | Corrected certreq ezxample and added a new Windows PowerShell example for creating a self-signed certficate |

--- a/windows/keep-secure/create-wip-policy-using-intune.md
+++ b/windows/keep-secure/create-wip-policy-using-intune.md
@ -138,8 +138,8 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the
 1.	From the **App Rules** area, click **Add**.

    The **Add App Rule** box appears.
-
-        ![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png)
+    
+    ![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png)

 2.	Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*.

@ -278,8 +278,8 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules*
 1.	From the **App Rules** area, click **Add**.
    
    The **Add App Rule** box appears.
-
-        ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png)
+    
+    ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png)

 2.	Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*.

@ -370,8 +370,8 @@ There are no default locations included with WIP, you must add each of your netw
            </tr>
            <tr>
                <td>Enterprise Cloud Resources</td>
-                <td>**With proxy:** contoso.sharepoint.com,proxy.contoso.com|<br>contoso.visualstudio.com,proxy.contoso.com<p>**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com</td>
-                <td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/`</td>
+                <td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
+                <td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the <code>/*AppCompat*/</code> string to this setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/*AppCompat*/</code></td>
            </tr>
            <tr>
                <td>Enterprise Network Domain Names (Required)</td>
@ -380,8 +380,8 @@ There are no default locations included with WIP, you must add each of your netw
            </tr>
            <tr>
                <td>Enterprise Proxy Servers</td>
-                <td>proxy.contoso.com:80;proxy2.contoso.com:137</td>
-                <td>Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.<p>This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic.<p>This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
+                <td>proxy.contoso.com:80;proxy2.contoso.com:443</td>
+                <td>Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.<p>This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.<p>This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
            </tr>
            <tr>
                <td>Enterprise Internal Proxy Servers</td>
--- a/windows/keep-secure/create-wip-policy-using-sccm.md
+++ b/windows/keep-secure/create-wip-policy-using-sccm.md
@ -391,18 +391,23 @@ There are no default locations included with WIP, you must add each of your netw
        </tr>
        <tr>
            <td>Enterprise Cloud Resources</td>
-            <td>**With proxy:** contoso.sharepoint.com,proxy.contoso.com|<br>contoso.visualstudio.com,proxy.contoso.com<p>**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com</td>
-            <td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/`</td>
+            <td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
+            <td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the <code>/*AppCompat*/</code> string to this setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/*AppCompat*/</code></td>
        </tr>
        <tr>
            <td>Enterprise Network Domain Names (Required)</td>
            <td>corp.contoso.com,region.contoso.com</td>
-            <td>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<p>This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.<p>If you have multiple resources, you must separate them using the "," delimiter.</td>                
+            <td>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<p>This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.<p>If you have multiple resources, you must separate them using the "," delimiter.</td>
        </tr>
        <tr>
            <td>Enterprise Proxy Servers</td>
+<<<<<<< HEAD
            <td>proxy.contoso.com:80;proxy2.contoso.com:137</td>
+            <td>Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.<p>This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.<p>TThis setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
+=======
+            <td>proxy.contoso.com:80;proxy2.contoso.com:443</td>
            <td>Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.<p>This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic.<p>This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
+>>>>>>> refs/remotes/origin/master
        </tr>
        <tr>
            <td>Enterprise Internal Proxy Servers</td>
--- a/windows/keep-secure/credential-guard.md
+++ b/windows/keep-secure/credential-guard.md
@ -30,7 +30,9 @@ Credential Guard isolates secrets that previous versions of Windows stored in th

 For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.

-Credential Guard also does not allow unconstrained Kerberos delegation, NTLMv1, MS-CHAPv2, Digest, CredSSP, and Kerberos DES encryption.
+Credential Guard prevents NTLMv1, MS-CHAPv2, Digest, and CredSSP from using sign-on credentials. Thus, single sign-on does not work with these protocols. However, Credential guard allows these protocols to be used with prompted credentials or those saved in Credential Manager. It is strongly recommended that valuable credentials, such as the sign-on credentials, not be used with any of these protocols. If these protocols must be used by domain users, secondary credentials should be provisioned for these use cases.
+
+Credential Guard does not allow unconstrained Kerberos delegation or Kerberos DES encryption at all. Neither sign-on nor prompted/saved credentials may be used.

 Here's a high-level overview on how the LSA is isolated by using virtualization-based security:

--- a/windows/keep-secure/guidance-and-best-practices-wip.md
+++ b/windows/keep-secure/guidance-and-best-practices-wip.md
@ -25,4 +25,5 @@ This section includes info about the enlightened Microsoft apps, including how t
 |[Windows Information Protection (WIP) overview](wip-enterprise-overview.md) |High-level overview info about why to use WIP, the enterprise scenarios, and how to turn it off. |
 |[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. |
 |[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. |
-|[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. |
+|[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. |
+|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |The most common problems you might encounter while using Windows Information Protection (WIP). |
--- a/windows/keep-secure/limitations-with-wip.md
+++ b/windows/keep-secure/limitations-with-wip.md
@ -0,0 +1,77 @@
+---
+title: Limitations while using Windows Information Protection (WIP) (Windows 10)
+description: This section includes info about the common problems you might encounter while using Windows Information Protection (WIP).
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+localizationpriority: high
+---
+
+# Limitations while using Windows Information Protection (WIP)
+**Applies to:**
+
+-   Windows 10, version 1607
+-   Windows 10 Mobile
+
+This table provides info about the most common problems you might encounter while running WIP in your organization.
+
+<table>
+    <tr>
+        <th>Limitation</th>
+        <th>How it appears</th>
+        <th>Workaround</th>
+    </tr>
+    <tr>
+        <td>Enterprise data on USB drives is tied to the device it was protected on.</td>
+        <td>Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.</td>
+        <td>Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.<p>We strongly recommend educating employees about how to limit or eliminate the need for this decryption.</td>
+    </tr>
+    <tr>
+        <td>Direct Access is incompatible with WIP.</td>
+        <td>Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource.</td>
+        <td>We recommend that you use VPN for client access to your intranet resources.<p><strong>Note</strong><br>VPN is optional and isn’t required by WIP.</td>
+    </tr>
+    <tr>
+        <td><strong>NetworkIsolation</strong> Group Policy setting is incompatible with WIP.</td>
+        <td>The <strong>NetworkIsolation</strong> Group Policy setting has incompatible network settings that can conflict and cause problems with WIP.</td>
+        <td>We recommend that you don’t use the NetworkIsolation Group Policy setting.</td>
+    </tr>
+    <tr>
+        <td>Cortana can potentially allow data leakage if it’s on the allowed apps list.</td>
+        <td>If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft.</td>
+        <td>We don’t recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app.</td>
+    </tr>
+    <tr>
+        <td>WIP is designed for use by a single user per device.</td>
+        <td>A secondary user on a device might experience app compat issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process.</td>
+        <td>We recommend only having one user per managed device.</td>
+    </tr>
+    <tr>
+        <td>Installers copied from an enterprise network file share might not work properly.</td>
+        <td>An app might fail to properly install because it can’t read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action.</td>
+        <td>To fix this, you can:
+            <ul>
+                <li>Start the installer directly from the file share.<p>-OR-</li>
+                <li>Decrypt the locally copied files needed by the installer.<p>-OR-</li>
+                <li>Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as <strong>Authoritative</strong> and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list.</li>
+            </ul></td>
+    </tr>
+    <tr>
+        <td>Changing your primary Corporate Identity isn’t supported.</td>
+        <td>You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access.</td>
+        <td>Turn off WIP for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying.</td>
+    </tr>
+    <tr>
+        <td>Redirected folders with Client Side Caching are not compatible with WIP.</td>
+        <td>Apps might encounter access errors while attempting to read a cached, offline file.</td>
+        <td>Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.</td>
+    </tr>
+    <tr>
+        <td>You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.</td>
+        <td>A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**.</td>
+        <td>Open File Explorer and change the file ownership to **Personal** before you upload.</td>
+    </tr>
+</table>