deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-14 06:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/op-cleanup-eross-msft'

Browse Source
This commit is contained in:
LizRoss 2016-04-04 16:38:07 -07:00
commit 99ba1a0272
7 changed files with 209 additions and 652 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
View File

@ -24,7 +24,7 @@ Add multiple apps to your enterprise data protection (EDP) **Protected Apps** li
**Important**  
Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy.
If you only want to add one app at a time, you can follow the instructions in the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md)) topic.
If you only want to add one app at a time, you can follow the instructions in the [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic.
 
@ -150,7 +150,7 @@ If you only want to add one app at a time, you can follow the instructions in th
15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md)) topic.
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic.
 

111
windows/keep-secure/block-untrusted-fonts-in-enterprise.md
View File

@ -1,42 +1,31 @@
---
title: Block untrusted fonts in an enterprise (Windows 10)
description: To help protect your company from attacks which may originate from untrusted or attacker controlled font files, weve created the Blocking Untrusted Fonts feature.
ms.assetid: A3354C8E-4208-4BE6-BC19-56A572C361B4
ms.assetid: a3354c8e-4208-4be6-bc19-56a572c361b4
keywords: ["font blocking", "untrusted font blocking", "block fonts", "untrusted fonts"]
ms.prod: W10
ms.mktglfcycl: deploy
ms.sitesec: library
author: brianlic-msft
author: eross-msft
---
# Block untrusted fonts in an enterprise
To help protect your company from attacks which may originate from untrusted or attacker controlled font files, weve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process.
To help protect your company from attacks which may originate from untrusted or attacker controlled font files, weve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the `%windir%/Fonts` directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process.
## What does this mean for me?
Blocking untrusted fonts helps improve your network and employee protection against font-processing-related attacks. By default, this feature is not turned on.
## How does this feature work?
There are 3 ways to use this feature:
- **On.** Helps stop any font processed using GDI from loading outside of the %windir%/Fonts directory. It also turns on event logging.
- **On.** Helps stop any font processed using GDI from loading outside of the `%windir%/Fonts` directory. It also turns on event logging.
- **Audit.** Turns on event logging, but doesnt block fonts from loading, regardless of location. The name of the apps that use untrusted fonts appear in your event log.
**Note**  If you arent quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues.
 
- **Audit.** Turns on event logging, but doesnt block fonts from loading, regardless of location. The name of the apps that use untrusted fonts appear in your event log.<p>
**Note**<br>If you arent quite ready to deploy this feature into your organization, you can run it in Audit mode to see if not loading untrusted fonts causes any usability or compatibility issues.
- **Exclude apps to load untrusted fonts.** You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see [Fix apps having problems because of blocked fonts](#fix-apps-having-problems-because-of-blocked-fonts).
## Potential reductions in functionality
After you turn this feature on, your employees might experience reduced functionality when:
- Sending a print job to a remote printer server that uses this feature and where the spooler process hasnt been specifically excluded. In this situation, any fonts that arent already available in the servers %windir%/Fonts folder wont be used.
@ -50,11 +39,9 @@ After you turn this feature on, your employees might experience reduced function
- Using desktop Office to look at documents with embedded fonts. In this situation, content shows up using a default font picked by Office.
## Turn on and use the Blocking Untrusted Fonts feature
To turn this feature on, off, or to use audit mode:
1. Open the registry editor (regedit.exe) and go to **HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Kernel\\**.
1. Open the registry editor (regedit.exe) and go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\`.
2. If the **MitigationOptions** key isn't there, right-click and add a new **QWORD (64-bit) Value**, renaming it to **MitigationOptions**.
@ -62,82 +49,52 @@ To turn this feature on, off, or to use audit mode:
- **To turn this feature on.** Type **1000000000000**.
- **To turn this feature off.** Type **2000000000000**.
- **To audit with this feature.** Type **3000000000000**.
**Important**  Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*.
 
- **To audit with this feature.** Type **3000000000000**.<p>**Important**<br>Your existing **MitigationOptions** values should be saved during your update. For example, if the current value is *1000*, your updated value should be *1000000001000*. 
4. Restart your computer.
## <a href="" id="view-the-event-logs"></a>View the event log
## View the event log
After you turn this feature on, or start using Audit mode, you can look at your event logs for details.
**To look at your event log**
Open the event viewer (eventvwr.exe) and go to **Application and Service Logs/Microsoft/Windows/Win32k/Operational**.
1. Open the event viewer (eventvwr.exe) and go to **Application and Service Logs/Microsoft/Windows/Win32k/Operational**.
Scroll down to **EventID: 260** and review the relevant events.
**Event example 1 - MS Word**
WINWORD.EXE attempted loading a font that is restricted by font loading policy.
FontType: Memory
FontPath:
Blocked: true
**Note**  Because the **FontType** is *Memory*, theres no associated **FontPath.**
 
**Event example 2 - Winlogon**
Winlogon.exe attempted loading a font that is restricted by font loading policy.
FontType: File
FontPath: \\??\\C:\\PROGRAM FILES (X86)\\COMMON FILES\\MICROSOFT SHARED\\EQUATION\\MTEXTRA.TTF
Blocked: true
**Note**  Because the **FontType** is *File*, theres also an associated **FontPath.**
 
**Event example 3 - Internet Explorer running in Audit mode**
Iexplore.exe attempted loading a font that is restricted by font loading policy.
FontType: Memory
FontPath:
Blocked: false
**Note**  In Audit mode, the problem is recorded, but the font isnt blocked.
 
2. Scroll down to **EventID: 260** and review the relevant events.
<p>
**Event Example 1 - MS Word**<br>
WINWORD.EXE attempted loading a font that is restricted by font loading policy.<br>
FontType: Memory<br>
FontPath:<br>
Blocked: true<p>
**Note**<br>Because the **FontType** is *Memory*, theres no associated **FontPath.**
<p>
**Event Example 2 - Winlogon**<br>
Winlogon.exe attempted loading a font that is restricted by font loading policy.<br>
FontType: File<br>
FontPath: `\??\C:\PROGRAM FILES (X86)\COMMON FILES\MICROSOFT SHARED\EQUATION\MTEXTRA.TTF`<br>
Blocked: true<p>
**Note**<br>Because the **FontType** is *File*, theres also an associated **FontPath.**
<p>
**Event Example 3 - Internet Explorer running in Audit mode**<br>
Iexplore.exe attempted loading a font that is restricted by font loading policy.<br>
FontType: Memory<br>
FontPath:<br>
Blocked: false<p>
**Note**<br>In Audit mode, the problem is recorded, but the font isnt blocked.
## Fix apps having problems because of blocked fonts
Your company may still need apps that are having problems because of blocked fonts, so we suggest that you first run this feature in Audit mode to determine which fonts are causing the problems.
After you figure out the problematic fonts, you can try to fix your apps in 2 ways: by directly installing the fonts into the %windir%/Fonts directory or by excluding the underlying processes and letting the fonts load. As the default solution, we highly recommend that you install the problematic font. Installing fonts is safer than excluding apps because excluded apps can load any font, trusted or untrusted.
**To fix your apps by installing the problematic fonts (recommended)**
- On each computer with the app installed, right-click on the font name and click **Install**.
The font should automatically install into your %windir%/Fonts directory. If it doesnt, youll need to manually copy the font files into the **Fonts** directory and run the installation from there.
- On each computer with the app installed, right-click on the font name and click **Install**.<p>The font should automatically install into your `%windir%/Fonts` directory. If it doesnt, youll need to manually copy the font files into the **Fonts** directory and run the installation from there.
**To fix your apps by excluding processes**
1. On each computer with the app installed, open regedit.exe and go to **HKEY\_LOCAL\_MACHINE\\ Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\*&lt;Process\_Image\_Name&gt;***. Like, if you want to exclude Microsoft Word processes, youd use **HKEY\_LOCAL\_MACHINE\\ Software\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\Winword.exe**.
1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\ Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<process_image_name>`. Like, if you want to exclude Microsoft Word processes, youd use `HKEY_LOCAL_MACHINE\ Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`.
2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using steps 2 and 3 in [Turn on and use the Blocking Untrusted Fonts feature.](#turn-on-and-use-the-blocking-untrusted-fonts-feature)

384
windows/keep-secure/create-edp-policy-using-intune.md
View File

@ -1,76 +1,63 @@
---
title: Create an enterprise data protection (EDP) policy using Microsoft Intune (Windows 10)
description: Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
ms.assetid: 4B307C99-3016-4D6A-9AE7-3BBEBD26E721
ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721
ms.prod: W10
ms.mktglfcycl: explore
ms.sitesec: library
author: brianlic-msft
author: eross-msft
---
# Create an enterprise data protection (EDP) policy using Microsoft Intune
**Applies to:**
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\]
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.]</span>
Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
## In this topic:
- [Add an EDP policy](#add-an-edp-policy)
- [Add individual apps to your Protected App list](#add-individual-apps-to-your-protected-app-list)
- [Add an EDP policy](#add-edp-policy)
- [Exempt apps from EDP restrictions](#exempt-apps-from-EDP-restrictions)
- [Choose which apps can access your enterprise data](#choose-apps)
- [Manage the EDP protection level for your enterprise data](#manage-the-edp-protection-level-for-your-enterprise-data)
- [Exempt apps from EDP restrictions](#exempt-apps)
- [Define your enterprise-managed identity domains](#define-your-enterprise-managed-identity-domains)
- [Manage the EDP protection level for your enterprise data](#protect-level)
- [Define your enterprise-managed identity domains](#define-enterprise-managed-identity-domains)
- [Choose where apps can access enterprise data](#choose-where-apps)
- [Choose your optional EDP-related settings](#optional-settings)
## <a href="" id="add-edp-policy"></a>Add an EDP policy
- [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data)
- [Choose your optional EDP-related settings](#choose-your-optional-EDP-related-settings)
## Add an EDP policy
After youve installed and set up Intune for your organization, you must create an EDP-specific policy.
**To add an EDP policy**
1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
2. Click **Add Policy** from the **Tasks** area.
3. Go to **Windows**, click the **Enterprise Data Protection (Windows 10 and Mobile and later) policy**, pick the EDP template, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.![microsoft intune: new policy creation screen](images/intune-createnewpolicy.png)
3. Go to **Windows**, click the **Enterprise Data Protection (Windows 10 and Mobile and later) policy**, pick the EDP template, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
![microsoft intune: new policy creation screen](images/intune-createnewpolicy.png)
4. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
![microsoft intune: required name and optional description fields](images/intune-namedescription.png)
## <a href="" id="choose-apps"></a>Add individual apps to your Protected App list
## Add individual apps to your Protected App list
During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
The steps to add your apps are based on the type of app it is; either a Universal Windows Platform (UWP) app, or a signed Desktop app, also known as a Classic Windows application.
**Important**  
EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary and will encrypt all files they create or modify, meaning that they could encrypt personal data and cause data loss during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **Protected App** list.
**Important**<br>EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary and will encrypt all files they create or modify, meaning that they could encrypt personal data and cause data loss during the revocation process. Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **Protected App** list.
<p>
**Note**<br>If you want to use **File hash** or **Path** rules, instead of Publisher rules, you must follow the steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)) topic.
 
**Note**  If you want to use **File hash** or **Path** rules, instead of Publisher rules, you must follow the steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)) topic.
 
<a href="" id="add-uwp"></a>
**To add a UWP app**
1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.**
@ -79,166 +66,100 @@ EDP-aware apps are expected to prevent enterprise data from going to unprotected
**To find the Publisher and Product name values for Microsoft Store apps without installing them**
1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
**Note**  
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the **Protected App** list. For info about how to do this, see the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)) topic.
 
1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.<p>
**Note**<br>If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the **Protected App** list. For info about how to do this, see the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/*9wzdncrfhvjl*/applockerdata, where *9wzdncrfhvjl* is replaced with your ID value.
<p>
The API runs and opens a text editor with the app details.
``` syntax
``` json
{
"packageIdentityName": "Microsoft.Office.OneNote",
"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
}
```
4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune.
**Important**  
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
For example:
 
``` syntax
<p>**Important**<br>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
<p>For example:<br>
``` json
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
```
![microsoft intune: add a universal windows app to the protected apps list](images/intune-addapps.png)
**To find the Publisher and Product name values for apps installed on Windows 10 Mobile phones**
1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the Windows Device Portal feature.
<p>**Note**<br>Your PC and phone must be on the same wireless network.
2. **Note**  
Your PC and phone must be on the same wireless network.
2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
 
3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
3. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
4. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
5. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
6. On the **Apps** tab of the website, click the drop-down box to choose the app you want to know more about.
<p>The **Publisher** and **Product Name** values appear.
6. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
7. On the **Apps** tab of the website, click the drop-down box to choose the app you want to know more about.
The **Publisher** and **Product Name** values appear.
8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
**Important**  
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
For example:
 
``` syntax
7. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
<p>**Important**<br>The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
<p>For example:<br>
``` json
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
```
<a href="" id="add-classic"></a>
**To add a Classic Windows application**
1. From the **Configure the following apps to be protected by EDP** table in the **Protected Apps** area, click **Add.**
A dialog box appears, letting you pick whether the app is a **Universal App** or a **Desktop App**.
<p>A dialog box appears, letting you pick whether the app is a **Universal App** or a **Desktop App**.
2. Click **Desktop App**, pick the options you want (see table), and then click **OK**.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Option</th>
<th align="left">Manages</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>All fields left as “*”</p></td>
<td align="left"><p>All files signed by any publisher. (Not recommended.)</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Publisher</strong> selected</p></td>
<td align="left"><p>All files signed by the named publisher.</p>
<p>This might be useful if your company is the publisher and signer of internal line-of-business apps.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Publisher</strong> and <strong>Product Name</strong> selected</p></td>
<td align="left"><p>All files for the specified product, signed by the named publisher.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Publisher</strong>, <strong>Product Name</strong>, and <strong>File Name</strong> selected</p></td>
<td align="left"><p>Any version of the named file or package for the specified product, signed by the named publisher.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, Exactly</strong>, selected</p></td>
<td align="left"><p>Specified version of the named file or package for the specified product, signed by the named publisher.</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, And above</strong> selected</p></td>
<td align="left"><p>Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.</p>
<p>This option is recommended for enlightened apps that weren't previously enlightened.</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>File Name</strong>, and <strong>File Version, And below</strong> selected</p></td>
<td align="left"><p>Specified version or older releases of the named file or package for the specified product, signed by the named publisher.</p></td>
</tr>
</tbody>
</table>
 
![microsoft intune: add a classic windows app to the protected apps list](images/intune-add-desktop-app.png)
If youre unsure about what to include for the publisher, you can run this PowerShell command:
``` syntax
Get-AppLockerFileInformation -Path "<path of the exe>"
```
Where `"<path of the exe>"` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`.
In this example, you'd get the following info:
``` syntax
Path Publisher
---- ---------
%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR...
```
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
## <a href="" id="exempt-apps"></a>Exempt apps from EDP restrictions
|Option |Manages |
|-------|--------|
|All fields left as “*”| All files signed by any publisher. (Not recommended.) |
|**Publisher** selected | All files signed by the named publisher.<p>This might be useful if your company is the publisher and signer of internal line-of-business apps. |
|**Publisher** and **Product Name** selected |All files for the specified product, signed by the named publisher. |
|**Publisher**, **Product Name** and **File Name** selected |Any version of the named file or package for the specified product, signed by the named publisher.|
|**Publisher**, **Product Name**, **File Name**, and **File Version, Exactly** selected |Specified version of the named file or package for the specified product, signed by the named publisher. |
|**Publisher**, **Product Name**, **File Name**, and **File Version, And above** selected |Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<p>This option is recommended for enlightened apps that weren't previously enlightened. |
|**Publisher**, **Product Name**, **File Name**, and **File Version, And below** selected |Specified version or older releases of the named file or package for the specified product, signed by the named publisher. |
![microsoft intune: add a classic windows app to the protected apps list](images/intune-add-desktop-app.png)
If youre unsure about what to include for the publisher, you can run this PowerShell command:
``` syntax
Get-AppLockerFileInformation -Path "<path of the exe>"
```
Where `"<path_of_the_exe>"` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`.
In this example, you'd get the following info:
``` syntax
Path Publisher
---- ---------
%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR...
```
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
## Exempt apps from EDP restrictions
If you're running into compatibility issues where your app is incompatible with EDP, but still needs to be used with enterprise data, you can exempt the app from the EDP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
**To exempt an UWP app**
1. Follow the **Add a UWP app** steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)) topic, through to Step \#11.
2. In the **OMA-URI** box at Step 12, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/<your_enterprise_name>edpexempt/StoreApp EXE`.
1. Follow the **Add a UWP app** steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic, through to Step 11.
Where **edpexempt** is added as a substring, making the app exempt.
2. In the **OMA-URI** box at Step 12, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/<your_enterprise_name>edpexempt/StoreApp EXE`.<p>Where **edpexempt** is added as a substring, making the app exempt.
3. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad.
@ -248,16 +169,13 @@ If you're running into compatibility issues where your app is incompatible with
<RuleCollection Type="Appx" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection>
```
5. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md)) topic.
5. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.<p>After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic.
**To exempt a Classic Windows application**
1. Follow the **Add a Classic Windows application app** steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)) topic, through to Step \#11.
2. In the **OMA-URI** box at Step 12, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/<your_enterprise_name>edpexempt/EXE`.
1. Follow the **Add a Classic Windows application app** steps in the [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md) topic, through to Step 11.
Where **edpexempt** is added as a substring, making the app exempt.
2. In the **OMA-URI** box at Step 12, type `./Vendor/MSFT/AppLocker/EnterpriseDataProtection/<your_enterprise_name>edpexempt/EXE`.<p>Where **edpexempt** is added as a substring, making the app exempt.
3. Open File Explorer, go to the location where you saved your new XML file, and open it using an XML editor, such as Notepad.
@ -267,160 +185,65 @@ If you're running into compatibility issues where your app is incompatible with
<RuleCollection Type="Exe" EnforcementMode="Enabled"><your_xml_rules_here></RuleCollection>
```
5. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md)) topic.
## <a href="" id="protect-level"></a>Manage the EDP protection level for your enterprise data
5. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.<p>After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic.
## Manage the EDP protection level for your enterprise data
After you've added the apps you want to protect with EDP, you'll need to apply a management and protection mode.
We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your **Protected Apps** list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Mode</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><strong>Block</strong></td>
<td align="left"><p>EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.</p></td>
</tr>
<tr class="even">
<td align="left"><strong>Override</strong></td>
<td align="left"><p>EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459).</p></td>
</tr>
<tr class="odd">
<td align="left"><strong>Silent</strong></td>
<td align="left"><p>EDP runs silently, logging inappropriate data sharing, without blocking anything.</p></td>
</tr>
<tr class="even">
<td align="left"><strong>Off</strong>
<p>(Not recommended)</p></td>
<td align="left"><p>EDP is turned off and doesn't help to protect or audit your data</p></td>
</tr>
</tbody>
</table>
 
|Mode |Description |
|-----|------------|
|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise. |
|Override |EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything. |
|Off |EDP is turned off and doesn't help to protect or audit your data.|
<p>
![microsoft intune: add protection level for protected apps list](images/intune-encryption-level.png)
## <a href="" id="define-enterprise-managed-identity-domains"></a>Define your enterprise-managed identity domains
## Define your enterprise-managed identity domains
Specify your companys enterprise identity, expressed as your primary internet domain. For example, if your company is Contoso, its enterprise identity might be contoso.com. The first listed domain (in this example, contoso.com) is the primary enterprise identity string used to tag files protected by any app on the **Protected App** list.
You can also specify all the domains owned by your enterprise that are used for user accounts, separating them with the "|" character. For example, if Contoso also has some employees with email addresses or user accounts on the fabrikam.com domain, you would use contoso.com|fabrikam.com.
This list of managed identity domains, along with the primary domain, make up the identity of your managing enterprise. User identities (user@domain) that end in any of the domains on this list, are considered managed.
<p>
![microsoft intune: add primary internet domain for your enterprise identity](images/intune-primary-domain.png)
**To add your primary domain**
- Type the name of your primary domain into the **Primary domain** field. For example, *contoso.com*.
- Type the name of your primary domain into the **Primary domain** field. For example, *contoso.com*.<p>
If you have multiple domains, you must separate them with the "|" character. For example, contoso.com|fabrikam.com.
If you have multiple domains, you must separate them with the "|" character. For example, contoso.com|fabrikam.com.
## <a href="" id="choose-where-apps"></a>Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. There are 6 options, including your network domain, cloud domain, proxy server, internal proxy server, IPv4 range, and IPv6 range.
**Important**  
## Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. There are 6 options, including your network domain, cloud domain, proxy server, internal proxy server, IPv4 range, and IPv6 range.<p>
**Important**<br>
- Every EDP policy should include policy that defines your enterprise network locations.
- Classless Inter-Domain Routing (CIDR) notation isnt supported for EDP configurations.
 
**To specify where your protected apps can find and send enterprise data on the network**
1. Add additional network locations your apps can access by clicking **Add**, typing a description into the **Description** box, and then choosing your location type, including:
1. Add additional network locations your apps can access by clicking **Add**, typing a description into the **Description** box, and then choosing your location type, including:<p>
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Network location type</th>
<th align="left">Format</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Enterprise Cloud Domain</p></td>
<td align="left"><p>contoso.sharepoint.com,proxy1.contoso.com|office.com|proxy2.contoso.com</p></td>
<td align="left"><p>Specify the cloud resources traffic to restrict to your protected apps.</p>
<p>For each cloud resource, you may also specify an internal proxy server that routes your traffic from your <strong>Enterprise Internal Proxy Server</strong> policy. If you have multiple resources, you must use the &quot;|&quot; delimiter. Include the &quot;,&quot; delimiter just before the &quot;|&quot; if you dont use proxies. For example: <code>[URL,Proxy]|[URL,Proxy]</code>.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Enterprise Network Domain</p></td>
<td align="left"><p>domain1.contoso.com,domain2.contoso.com</p></td>
<td align="left"><p>Specify the DNS suffix used in your environment. All traffic to the fully-qualified domains using this DNS suffix will be protected. If you have multiple resources, you must use the &quot;,&quot; delimiter.</p>
<p>This setting works with the IP Ranges settings to detect whether a network endpoint is enterprise or personal on private networks.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Enterprise Proxy Server</p></td>
<td align="left"><p>domain1.contoso.com:80;domain2.contoso.com:137</p></td>
<td align="left"><p>Specify the proxy server and the port traffic is routed through. If you have multiple resources, you must use the &quot;;&quot; delimiter.</p>
<p>This setting is required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when using certain Wi-Fi hotspots at hotels and restaurants.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Enterprise Internal Proxy Server</p></td>
<td align="left"><p>proxy1.contoso.com;proxy2.contoso.com</p></td>
<td align="left"><p>Specify the proxy servers your cloud resources will go through. If you have multiple resources, you must use the &quot;;&quot; delimiter.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Enterprise IPv4 Range</p></td>
<td align="left"><p><strong>Starting IPv4 Address:</strong> 3.4.0.1</p>
<p><strong>Ending IPv4 Address:</strong> 3.4.255.254</p>
<p><strong>Custom URI:</strong> 3.4.0.1-3.4.255.254,10.0.0.1-10.255.255.254</p></td>
<td align="left"><p>Specify the addresses for a valid IPv4 value range within your intranet.</p>
<p>If you are adding a single range, you can enter the starting and ending addresses into your management systems UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the &quot;-&quot; delimiter between start and end of a range, and the &quot;,&quot; delimiter to separate ranges.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Enterprise IPv6 Range</p></td>
<td align="left"><p><strong>Starting IPv6 Address:</strong></p>
<p>2a01:110::</p>
<p><strong>Ending IPv6 Address:</strong> 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff</p>
<p><strong>Custom URI:</strong> 2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</p></td>
<td align="left"><p>Specify the addresses for a valid IPv6 value range within your intranet.</p>
<p>If you are adding a single range, you can enter the starting and ending addresses into your management systems UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the &quot;-&quot; delimiter between start and end of a range, and the &quot;,&quot; delimiter to separate ranges.</p></td>
</tr>
</tbody>
</table>
|Network location type |Format |Description |
|----------------------|----------------|----------------------|
|Enterprise Cloud Domain |contoso.sharepoint.com,proxy1.contoso.com&#x7C;office.com&#x7C;proxy2.contoso.com|Specify the cloud resources traffic to restrict to your protected apps.<p>For each cloud resource, you may also specify an internal proxy server that routes your traffic from your **Enterprise Internal Proxy Server** policy. If you have multiple resources, you must use the &#x7C; delimiter. Include the &#x7C; delimiter just before the &#x7C; if you dont use proxies. For example: [URL,Proxy]&#x7C;[URL,Proxy]. |
|Enterprise Network Domain |domain1.contoso.com,domain2.contoso.com |Specify the DNS suffix used in your environment. All traffic to the fully-qualified domains using this DNS suffix will be protected. If you have multiple resources, you must use the `,` delimiter.<p>This setting works with the IP Ranges settings to detect whether a network endpoint is enterprise or personal on private networks. |
|Enterprise Proxy Server |domain1.contoso.com:80;domain2.contoso.com:137 |Specify the proxy server and the port traffic is routed through. If you have multiple resources, you must use the `;` delimiter.<p>This setting is required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when using certain Wi-Fi hotspots at hotels and restaurants. |
|Enterprise Internal Proxy Server |proxy1.contoso.com;proxy2.contoso.com |Specify the proxy servers your cloud resources will go through. If you have multiple resources, you must use the `;` delimiter. |
|Enterprise IPv4 Range |**Starting IPv4 Address:** 3.4.0.1<br>**Ending IPv4 Address:** 3.4.255.254<br>**Custom URI:** 3.4.0.1-3.4.255.254,10.0.0.1-10.255.255.254 | Specify the addresses for a valid IPv4 value range within your intranet.<p>If you are adding a single range, you can enter the starting and ending addresses into your management systems UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the `-` delimiter between start and end of a range, and the `,` delimiter to separate ranges. |
|Enterprise IPv6 Range |**Starting IPv6 Address:** 2a01:110::<br>**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br>**Custom URI:** 2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |Specify the addresses for a valid IPv6 value range within your intranet.<p>If you are adding a single range, you can enter the starting and ending addresses into your management systems UI. If you want to add multiple addresses, we suggest creating a Custom URI, using the `-` delimiter between start and end of a range, and the `,` delimiter to separate ranges.
 
![microsoft intune: choose the primary domain and the other network locations for protected apps](images/intune-networklocation.png)
![microsoft intune: choose the primary domain and the other network locations for protected apps](images/intune-networklocation.png)
2. Add as many locations as you need, and then click **OK**.<p>The **Add or Edit Enterprise Network Locations box** closes.
2. Add as many locations as you need, and then click **OK**.
The **Add or Edit Enterprise Network Locations box** closes.
3. In the **Use a data recovery certificate in case of data loss** box, click **Browse** to add a data recovery certificate for your policy.
Adding a data recovery certificate helps you to access locally-protected files on the device. For example, if an employee leaves the company and the IT department has to access EDP-protected data from a Windows 10 company computer. This can also help recover data in case an employee's device is accidentally revoked. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.
![microsoft intune: specify your data recovery certificate for your policy](images/intune-data-recovery.png)
## <a href="" id="optional-settings"></a>Choose your optional EDP-related settings
3. In the **Use a data recovery certificate in case of data loss** box, click **Browse** to add a data recovery certificate for your policy.<p>Adding a data recovery certificate helps you to access locally-protected files on the device. For example, if an employee leaves the company and the IT department has to access EDP-protected data from a Windows 10 company computer. This can also help recover data in case an employee's device is accidentally revoked. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.<p>
![microsoft intune: specify your data recovery certificate for your policy](images/intune-data-recovery.png)
## Choose your optional EDP-related settings
After you've decided where your protected apps can access enterprise data on your network, youll be asked to decide if you want to add any optional EDP settings.
**To add your optional settings**
@ -436,11 +259,8 @@ After you've decided where your protected apps can access enterprise data on you
2. Click **Save Policy**.
## Related topics
[Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md))
[General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md))
- [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md)
- [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md)
 

141
windows/keep-secure/enlightened-microsoft-apps-and-edp.md
View File

@ -6,41 +6,32 @@ keywords: ["EDP", "Enterprise Data Protection"]
ms.prod: W10
ms.mktglfcycl: explore
ms.sitesec: library
author: brianlic-msft
author: eross-msft
---
# List of enlightened Microsoft apps for use with enterprise data protection (EDP)
**Applies to:**
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\]
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.]</span>
Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your **Protected Apps** list.
## Enlightened versus unenlightened apps
Apps can be enlightened (policy-aware) or unenlightened (policy unaware).
- **Enlightened apps** can differentiate between corporate and personal data, correctly determining which to protect, based on your policies.
-
**Unenlightened apps** consider all data corporate and encrypt everything. Typically, you can tell an unenlightened app because:
- **Unenlightened apps** consider all data corporate and encrypt everything. Typically, you can tell an unenlightened app because:
- Windows Desktop shows it as always running in enterprise mode.
- Windows **Save As** experiences only allow you to save your files as enterprise.
it won't use common controls for saving files or text boxes, and will work on personal and enterprise data simultaneously (for example, a browser that displays personal and enterprise web pages on tabs within a single instance).
## List of enlightened Microsoft apps
Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
- Microsoft Edge
@ -66,116 +57,26 @@ Microsoft has made a concerted effort to enlighten several of our more popular a
- Microsoft Messaging
## Adding enlightened Microsoft apps to the Protected Apps list
You can add any or all of the enlightened Microsoft apps to your Protected Apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and System Center Configuration Manager.
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Product name</th>
<th align="left">App info</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Microsoft Edge</p></td>
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
<p><strong>Product Name:</strong> Microsoft.MicrosoftEdge</p>
<p><strong>App Type:</strong> Universal App</p></td>
</tr>
<tr class="even">
<td align="left"><p>IE11</p></td>
<td align="left"><p><strong>Publisher:</strong> <code>O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
<p><strong>File Name:</strong> iexplore.exe</p>
<p><strong>App Type:</strong> Desktop App</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Microsoft People</p></td>
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
<p><strong>Product Name:</strong> Microsoft.People</p>
<p><strong>App Type:</strong> Universal App</p></td>
</tr>
<tr class="even">
<td align="left"><p>Word Mobile</p></td>
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
<p><strong>Product Name:</strong> Microsoft.Office.Word</p>
<p><strong>App Type:</strong> Universal App</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Excel Mobile</p></td>
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
<p><strong>Product Name:</strong> Microsoft.Office.Excel</p>
<p><strong>App Type:</strong> Universal App</p></td>
</tr>
<tr class="even">
<td align="left"><p>PowerPoint Mobile</p></td>
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
<p><strong>Product Name:</strong> Microsoft.Office.PowerPoint</p>
<p><strong>App Type:</strong> Universal App</p></td>
</tr>
<tr class="odd">
<td align="left"><p>OneNote</p></td>
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
<p><strong>Product Name:</strong> Microsoft.Office.OneNote</p>
<p><strong>App Type:</strong> Universal App</p></td>
</tr>
<tr class="even">
<td align="left"><p>Outlook Mail and Calendar</p></td>
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
<p><strong>Product Name:</strong> microsoft.windowscommunicationsapps</p>
<p><strong>App Type:</strong> Universal App</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Microsoft Photos</p></td>
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
<p><strong>Product Name:</strong> Microsoft.Windows.Photos</p>
<p><strong>App Type:</strong> Universal AppMicrosoft.Windows.Photos</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft OneDrive</p></td>
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
<p><strong>Product Name:</strong> microsoft.microsoftskydrive</p>
<p><strong>App Type:</strong> Universal App</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Groove Music</p></td>
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
<p><strong>Product Name:</strong> Microsoft.ZuneMusic</p>
<p><strong>App Type:</strong> Universal App</p></td>
</tr>
<tr class="even">
<td align="left"><p>Notepad</p></td>
<td align="left"><p><strong>Publisher:</strong> <code>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</code></p>
<p><strong>File Name:</strong> notepad.exe</p>
<p><strong>App Type:</strong> Desktop App</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Microsoft Paint</p></td>
<td align="left"><p><strong>Publisher:</strong> <code>O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US</code></p>
<p><strong>File Name:</strong> mspaint.exe</p>
<p><strong>App Type:</strong> Desktop App</p></td>
</tr>
<tr class="even">
<td align="left"><p>Microsoft Movies &amp; TV</p></td>
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
<p><strong>Product Name:</strong> Microsoft.ZuneVideo</p>
<p><strong>App Type:</strong> Universal App</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Microsoft Messaging</p></td>
<td align="left"><p><strong>Publisher:</strong> <code>CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US</code></p>
<p><strong>Product Name:</strong> Microsoft.Messaging</p>
<p><strong>App Type:</strong> Universal App</p></td>
</tr>
</tbody>
</table>
 
|Product name |App info |
|-------------|---------|
|Microsoft Edge |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.MicrosoftEdge<br>**App Type:** Universal app |
|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** iexplore.exe<br>**App Type:** Desktop app |
|Microsoft People |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.People<br>**App Type:** Universal app |
|Word Mobile |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.Word<br>**App Type:** Universal app |
|Excel Mobile |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.Excel<br>**App Type:** Universal app |
|PowerPoint Mobile |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.PowerPoint<br>**App Type:** Universal app |
|OneNote |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.OneNote<br>**App Type:** Universal app |
|Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** microsoft.windowscommunicationsapps<br>**App Type:** Universal app |
|Microsoft Photos |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Windows.Photos<br>**App Type:** Universal app |
|Microsoft OneDrive |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** microsoft.microsoftskydrive<br>**App Type:** Universal app |
|Groove Music |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneMusic<br>**App Type:** Universal app |
|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** notepad.exe<br>**App Type:** Desktop app |
|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** mspaint.exe<br>**App Type:** Desktop app |
|Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneVideo<br>**App Type:** Universal app |
|Microsoft Messaging |**Publisher:** `CN=Microsoft Corporation O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Messaging<br>**App Type:** Universal app |
 

6
windows/keep-secure/index.md
View File

@ -33,7 +33,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.
<td align="left"><p>This topic lists new and updated topics in the Keep Windows 10 secure documentation for [Windows 10 and Windows 10 Mobile](../index.md).</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md))</p></td>
<td align="left"><p>[Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)</p></td>
<td align="left"><p>To help protect your company from attacks which may originate from untrusted or attacker controlled font files, weve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the %windir%/Fonts directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process.</p></td>
</tr>
<tr class="odd">
@ -45,7 +45,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.
<td align="left"><p>In Windows 10, Microsoft Passport replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and a Windows Hello (biometric) or PIN.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md))</p></td>
<td align="left"><p>[Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md)</p></td>
<td align="left"><p>Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.</p></td>
</tr>
<tr class="even">
@ -61,7 +61,7 @@ Learn about keeping Windows 10 and Windows 10 Mobile secure.
<td align="left"><p>Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes and Kerberos Ticket Granting Tickets.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md))</p></td>
<td align="left"><p>[Protect your enterprise data using enterprise data protection (EDP)](protect-enterprise-data-using-edp.md)</p></td>
<td align="left"><p>With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info to a public Yammer group or tweet, or saves an in-progress sales report to their public cloud storage.</p></td>
</tr>
<tr class="even">

147
windows/keep-secure/protect-enterprise-data-using-edp.md
View File

@ -1,61 +1,34 @@
---
title: Protect your enterprise data using enterprise data protection (EDP) (Windows 10)
description: With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control.
ms.assetid: 6CCA0119-5954-4757-B2BC-E0EA4D2C7032
ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032
keywords: ["EDP", "Enterprise Data Protection"]
ms.prod: W10
ms.mktglfcycl: explore
ms.sitesec: library
author: brianlic-msft
author: eross-msft
---
# Protect your enterprise data using enterprise data protection (EDP)
**Applies to:**
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
\[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.\]
<span style="color:#ED1C24;">[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. An app that calls an API introduced in Windows 10 Anniversary SDK Preview Build 14295 cannot be ingested into the Windows Store during the Preview period.]</span>
With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info to a public Yammer group or tweet, or saves an in-progress sales report to their public cloud storage.
Enterprise data protection (EDP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside EDP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client.
## <a href="" id="prereqs"></a>Prerequisites
## Prerequisites
Youll need this software to run EDP in your enterprise:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Operating System</th>
<th align="left">Management solution</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Windows 10 Insider Preview</p></td>
<td align="left"><p>Microsoft Intune</p>
<p>-OR-</p>
<p>System Center Configuration Manager (version 1511 or later)</p>
<p>-OR-</p>
<p>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [Custom URI - Policy CSP](http://go.microsoft.com/fwlink/?LinkID=733963) documentation.</p></td>
</tr>
</tbody>
</table>
 
|Operating system | Management solution |
|-----------------|---------------------|
|Windows 10 Insider Preview | Microsoft Intune<br>-OR-<br>System Center Configuration Manager (version 1511 or later)<br>-OR-<br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [Custom URI - Policy CSP](http://go.microsoft.com/fwlink/?LinkID=733963) documentation.|
## How EDP works
EDP helps address your everyday challenges in the enterprise. Including:
- Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down.
@ -67,51 +40,17 @@ EDP helps address your everyday challenges in the enterprise. Including:
- Managing apps that arent enterprise aware, especially on mobile devices.
### EDP-protection modes
You can set EDP to 1 of 4 protection and management modes:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">Mode</th>
<th align="left">Description</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Block</p></td>
<td align="left"><p>EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Override</p></td>
<td align="left"><p>EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459).</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Silent</p></td>
<td align="left"><p>EDP runs silently, logging inappropriate data sharing, without blocking anything.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Off</p></td>
<td align="left"><p>EDP is turned off and doesn't help to protect or audit your data.</p>
<p>After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives.</p></td>
</tr>
</tbody>
</table>
 
**Note**  
For more info about setting your EDP-protection modes, see either [Create an enterprise data protection (EDP) policy using Intune](create-edp-policy-using-intune.md)) or [Create and deploy an enterprise data protection (EDP) policy using Configuration Manager](create-edp-policy-using-sccm.md)), depending on your management solution.
 
|Mode|Description|
|----|-----------|
|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Override |EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything.|
|Off |EDP is turned off and doesn't help to protect or audit your data.<p>After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives. |
<p>**Note**<br>For more info about setting your EDP-protection modes, see either [Create an enterprise data protection (EDP) policy using Intune](create-edp-policy-using-intune.md) or [Create and deploy an enterprise data protection (EDP) policy using Configuration Manager](create-edp-policy-using-sccm.md), depending on your management solution.
## Why use EDP?
EDP gives you a new way to manage data security for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
- **Change the way you think about data security.** As an enterprise admin, you need to maintain the security and confidentiality of your enterprise data. EDP helps make sure that your enterprise data is protected on employee-owned devices, even when the employee isnt using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
@ -122,75 +61,35 @@ EDP gives you a new way to manage data security for apps and documents, along wi
- **Using protected apps.** Managed apps (apps that you've included on the **Protected Apps** list in your EDP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if EDP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Managed apps and restrictions.** With EDP you can control which apps can access and use your enterprise data. After adding an app to your **Protected App** list, the app is trusted with enterprise data. All apps not on this list are potentially blocked from accessing your enterprise data, depending on your EDP management-mode.
- **Managed apps and restrictions.** With EDP you can control which apps can access and use your enterprise data. After adding an app to your **Protected App** list, the app is trusted with enterprise data. All apps not on this list are potentially blocked from accessing your enterprise data, depending on your EDP management-mode.<p>
You dont have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in the **Protected App** list.
- **Deciding your level of data access.** EDP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping it; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your **Protected App** list.
- **Continuous data encryption.** EDP helps protect enterprise data when it leaves a device. For example, when an employee saves to public cloud storage, or synchronizes with another device.
- **Continuous data encryption.** EDP helps protect enterprise data when it leaves a device. For example, when an employee saves to public cloud storage, or synchronizes with another device.<p>
Apps such as Microsoft Word work with EDP to continue your data encryption across locations and services. These apps are being referred to as, *enterprise aware*. For example, if an employee opens EDP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies EDP to the new document, maintaining the encryption.
- **Helping prevent accidental data disclosure to public spaces.** EDP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, file syncing apps not on your **Protected App** list, such as Dropbox™, wont be able to sync encrypted files to the employees personal cloud storage. Instead, if an employee stores content in their Microsoft OneDrive for Business folder, which is automatically synced with OneDrive for Business (an app on your **Protected App** list), then the document maintains its encryption and can sync freely.
- **Helping prevent accidental data disclosure to other devices.** EDP helps prevent enterprise data from leaking when it's copied or transferred to other devices. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesnt.
- **Remove access to enterprise data from enterprise-protected devices.** EDP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
**Note**  System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
 
- **Remove access to enterprise data from enterprise-protected devices.** EDP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.<p>**Note**<br>System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
## Current limitations with EDP
EDP is still in development and is not yet integrated with Azure Rights Management. This means that while you can deploy an EDP-configured policy to a protected device, that protection is restricted to a single user on the device. Additionally, the EDP-protected data must be stored on NTFS, FAT, or ExFAT file systems.
Use the following table to identify the scenarios that require Azure Rights Management, the behavior when Azure Rights Management is not used with EDP, and the recommended workarounds.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
<col width="33%" />
</colgroup>
<thead>
<tr class="header">
<th align="left">EDP scenario</th>
<th align="left">Without Azure Rights Management</th>
<th align="left">Workaround</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td align="left"><p>Saving enterprise data to USB drives</p></td>
<td align="left"><p>Data in the new location remains encrypted, but becomes inaccessible on other devices or for other users. For example, the file won't open or the file opens, but doesn't contain readable text.</p></td>
<td align="left"><p>Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.</p>
<p>We strongly recommend educating employees about how to limit or eliminate the need for this decryption.</p></td>
</tr>
<tr class="even">
<td align="left"><p>Sharing enterprise data through email attachments</p></td>
<td align="left"><p>The attachment is sent unprotected.</p></td>
<td align="left"><p>Store documents on enterprise cloud or network sites, and share links.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>Synchronizing data to other services or public cloud storage</p></td>
<td align="left"><p>Synchronized files aren't protected on additional services or as part of public cloud storage.</p></td>
<td align="left"><p>Stop the app from synchronizing or don't add the app to your <strong>Protected App</strong> list.</p>
<p>For more info about adding apps to the <strong>Protected Apps</strong> list, see either the [Create an enterprise data protection (EDP) policy using Intune](create-edp-policy-using-intune.md)) or the [Create and deploy an enterprise data protection (EDP) policy using Configuration Manager](create-edp-policy-using-sccm.md)) topic, depending on your management solution.</p></td>
</tr>
</tbody>
</table>
 
|EDP scenario |Without Azure Rights Management |Workaround |
|-------------|--------------------------------|-----------|
|Saving enterprise data to USB drives |Data in the new location remains encrypted, but becomes inaccessible on other devices or for other users. For example, the file won't open or the file opens, but doesn't contain readable text. |Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.<p>We strongly recommend educating employees about how to limit or eliminate the need for this decryption. |
|Sharing enterprise data through email attachments |The attachment is sent unprotected. |Store documents on enterprise cloud or network sites, and share links. |
|Synchronizing data to other services or public cloud storage |Synchronized files aren't protected on additional services or as part of public cloud storage. |Stop the app from synchronizing or don't add the app to your **Protected App** list.<p>For more info about adding apps to the **Protected App** list, see either the [Create an enterprise data protection (EDP) policy using Intune](create-edp-policy-using-intune.md) or the [Create and deploy an enterprise data protection (EDP) policy using Configuration Manager](create-edp-policy-using-sccm.md) topic, depending on your management solution.
## Next steps
After deciding to use EDP in your enterprise, you need to:
- [Create an enterprise data protection (EDP) policy](overview-create-edp-policy.md))
- [Create an enterprise data protection (EDP) policy](overview-create-edp-policy.md)
 

54
windows/keep-secure/windows-hello-in-enterprise.md
View File

@ -1,17 +1,15 @@
---
title: Windows Hello biometrics in the enterprise (Windows 10)
description: Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.
ms.assetid: D3F27D94-2226-4547-86C0-65C84D6DF8BC
ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc
keywords: ["Windows Hello", "enterprise biometrics"]
ms.prod: W10
ms.mktglfcycl: explore
ms.sitesec: library
author: brianlic-msft
author: eross-msft
---
# Windows Hello biometrics in the enterprise
**Applies to:**
- Windows 10
@ -20,47 +18,36 @@ Windows Hello is the biometric authentication feature that helps strengthen auth
Because we realize your employees are going to want to use this new technology in your enterprise, weve been actively working with the device manufacturers to create strict design and performance recommendations that help to ensure that you can more confidently introduce Windows Hello biometrics into your organization.
## <a href="" id="how-hello-works"></a> How does Windows Hello work?
##How does Windows Hello work?
Windows Hello lets your employees use fingerprint or facial recognition as an alternative method to unlocking a device. With Windows Hello, authentication happens when the employee provides his or her unique biometric identifier while accessing the device-specific Microsoft Passport credentials.
The Windows Hello authenticator works with Microsoft Passport to authenticate and allow employees onto your enterprise network. Authentication doesnt roam among devices, isnt shared with a server, and cant easily be extracted from a device. If multiple employees share a device, each employee will use his or her own biometric data on the device.
## <a href="" id="why-use-hello"></a>Why should I let my employees use Windows Hello?
## Why should I let my employees use Windows Hello?
Windows Hello provides many benefits, including:
- Combined with Microsoft Passport, it helps to strengthen your protections against credential theft. Because an attacker must have both the device and the biometric info or PIN, its much more difficult to gain access without the employees knowledge.
- Employees get a simple authentication method (backed up with a PIN) thats always with them, so theres nothing to lose. No more forgetting passwords!
- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.
For more info about the available Group Policies and MDM CSPs, see the [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) topic.
## <a href="" id="where-hello-data-stored"></a>Where is Microsoft Hello data stored?
- Support for Windows Hello is built into the operating system so you can add additional biometric devices and polices as part of a coordinated rollout or to individual employees or groups using Group Policy or Mobile Device Management (MDM) configurations service provider (CSP) policies.<br>For more info about the available Group Policies and MDM CSPs, see the [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md) topic.
## Where is Microsoft Hello data stored?
The biometric data used to support Windows Hello is stored on the local device only. It doesnt roam and is never sent to external devices or servers. This separation helps to stop potential attackers by providing no single collection point that an attacker could potentially compromise to steal biometric data. Additionally, even if an attacker was actually able to get the biometric data, it still cant be easily converted to a form that could be recognized by the biometric sensor.
## <a href="" id="hello-device-reqs"></a> Has Microsoft set any device requirements for Windows Hello?
## Has Microsoft set any device requirements for Windows Hello?
Weve been working with the device manufacturers to help ensure a high-level of performance and protection is met by each sensor and device, based on these requirements:
- **False Accept Rate (FAR).** Represents the instance a biometric identification solution verifies an unauthorized person. This is normally represented as a ratio of number of instances in a given population size, for example 1 in 100 000. This can also be represented as a percentage of occurrence, for example, 0.001%. This measurement is heavily considered the most important with regards to the security of the biometric algorithm.
- **False Reject Rate (FRR).** Represents the instances a biometric identification solution fails to verify an authorized person correctly. Usually represented as a percentage, the sum of the True Accept Rate and False Reject Rate is 1. Can be with or without anti-spoofing or liveness detection.
### <a href="" id="fingerprint-sensor-reqs"></a>Fingerprint sensor requirements
### Fingerprint sensor requirements
To allow fingerprint matching, you must have devices with fingerprint sensors and software. Fingerprint sensors, or sensors that use an employees unique fingerprint as an alternative log on option, can be touch sensors (large area or small area) or swipe sensors. Each type of sensor has its own set of detailed requirements that must be implemented by the manufacturer, but all of the sensors must include anti-spoofing measures (required) and a way to configure them (optional).
**Acceptable performance range for small to large size touch sensors**
- False Accept Rate (FAR): &lt; 0.001 0.002%
- False Accept Rate (FAR): &lt;0.001 0.002%
- False Reject Rate (FRR) without Anti-spoofing or liveness detection: &lt;5%
@ -68,34 +55,27 @@ To allow fingerprint matching, you must have devices with fingerprint sensors an
**Acceptable performance range for swipe sensors**
- False Accept Rate (FAR): &lt; 0.002%
- False Accept Rate (FAR): &lt;0.002%
- False Reject Rate (FRR) without Anti-spoofing or liveness detection: &lt;5%
- Effective, real world FRR with Anti-spoofing or liveness detection: &lt;10%
### <a href="" id="facial-sensor-reqs"></a>Facial recognition sensors
### Facial recognition sensors
To allow facial recognition, you must have devices with integrated special infrared (IR) sensors and software. Facial recognition sensors use special cameras that see in IR light, letting them tell the difference between a photo and a living person while scanning an employees facial features. These sensors, like the fingerprint sensors, must also include anti-spoofing measures (required) and a way to configure them (optional).
- False Accept Rate (FAR): &lt; 0.001
- False Accept Rate (FAR): &lt;0.001
- False Reject Rate (FRR) without Anti-spoofing or liveness detection: &lt;5%
- Effective, real world FRR with Anti-spoofing or liveness detection: &lt;10%
## Related topics
[Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
[Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
[Microsoft Passport guide](microsoft-passport-guide.md)
[Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
[PassportforWork CSP](http://go.microsoft.com/fwlink/p/?LinkId=708219)
- [Manage identity verification using Microsoft Passport](manage-identity-verification-using-microsoft-passport.md)
- [Implement Microsoft Passport in your organization](implement-microsoft-passport-in-your-organization.md)
- [Microsoft Passport guide](microsoft-passport-guide.md)
- [Prepare people to use Microsoft Passport](prepare-people-to-use-microsoft-passport.md)
- [PassportforWork CSP](http://go.microsoft.com/fwlink/p/?LinkId=708219)