From a24763ffc2e3f2c3885ddc968983243d0077752f Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 20 Mar 2017 13:01:05 -0700 Subject: [PATCH 01/32] Updated applies to about Azure RMS --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index f0c94d6dba..fc6d4fbfea 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -14,7 +14,7 @@ localizationpriority: high **Applies to:** - Windows 10, version 1607 -- Windows 10 Mobile +- Windows 10 Mobile (except Microsoft Azure Rights Management (Azure RMS), which is only available on the desktop) Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. From 54b10176b832d8dbcb5f8381935f1c22e22fb8e3 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 20 Mar 2017 13:21:26 -0700 Subject: [PATCH 02/32] Added content --- windows/keep-secure/create-wip-policy-using-intune.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index fc6d4fbfea..6560a80e36 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -11,6 +11,7 @@ localizationpriority: high --- # Create a Windows Information Protection (WIP) policy using Microsoft Intune + **Applies to:** - Windows 10, version 1607 @@ -18,12 +19,12 @@ localizationpriority: high Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. -## Important note about the June service update for Insider Preview + ## Add a WIP policy After you’ve set up Intune for your organization, you must create a WIP-specific policy. From baafc02843c361a2071f9f3e1c00382735c2dafc Mon Sep 17 00:00:00 2001 From: LizRoss Date: Mon, 20 Mar 2017 14:25:04 -0700 Subject: [PATCH 03/32] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 6560a80e36..2ae0e7e014 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -378,7 +378,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the /*AppCompat*/ string to this setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

We recommend that you use the /*AppCompat*/ string to help Windows determine whether an app should be allowed to connect to a network resource, without automatically blocking the connection. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ Enterprise Network Domain Names (Required) From b4437638e9ea92ad1b1e1e465717a4fe8b031af2 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 08:36:19 -0700 Subject: [PATCH 04/32] check in --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 2ae0e7e014..cc0b417bfc 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -378,7 +378,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

We recommend that you use the /*AppCompat*/ string to help Windows determine whether an app should be allowed to connect to a network resource, without automatically blocking the connection. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/ + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/. When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-policy-connected-applications/), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. Enterprise Network Domain Names (Required) From 572a75904fe5db3838f9fc8d682a3f57ba1e8393 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 09:14:22 -0700 Subject: [PATCH 05/32] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index cc0b417bfc..f7db61c525 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -378,7 +378,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/. When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://azure.microsoft.com/en-us/documentation/articles/active-directory-conditional-access-policy-connected-applications/), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. Enterprise Network Domain Names (Required) From 9f1fd09d560a606000580011f4090bae77b93714 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 10:43:32 -0700 Subject: [PATCH 06/32] Fixing broken code --- windows/keep-secure/create-wip-policy-using-intune.md | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index f7db61c525..5a748154ff 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -19,13 +19,6 @@ localizationpriority: high Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. - - ## Add a WIP policy After you’ve set up Intune for your organization, you must create a WIP-specific policy. @@ -378,7 +371,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. Enterprise Network Domain Names (Required) From 51a28ae8968c78887ae3af359af6970312b0b712 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 10:50:54 -0700 Subject: [PATCH 07/32] Fixing broken code --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 5a748154ff..d32508207a 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -371,7 +371,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. Enterprise Network Domain Names (Required) From dc06f2f49c8ac551826e5bbbdcbf616dbfea1d82 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 12:01:54 -0700 Subject: [PATCH 08/32] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index d32508207a..22b83114e4 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -425,6 +425,9 @@ There are no default locations included with WIP, you must add each of your netw For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). +### Choose to set up Azure Rights Management with WIP + + ### Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. From 3c749ca9491e215d42e2f87c2b0b8714b592de70 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 12:17:26 -0700 Subject: [PATCH 09/32] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 22b83114e4..90a69c59bf 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -15,7 +15,7 @@ localizationpriority: high **Applies to:** - Windows 10, version 1607 -- Windows 10 Mobile (except Microsoft Azure Rights Management (Azure RMS), which is only available on the desktop) +- Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop) Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. From 1d58cd4012ec4fe42eed86648dc334877373051f Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 12:48:52 -0700 Subject: [PATCH 10/32] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 90a69c59bf..62bba049af 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -426,7 +426,13 @@ There are no default locations included with WIP, you must add each of your netw For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). ### Choose to set up Azure Rights Management with WIP +WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. +To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to start encrypting files copied to removeable drives that use Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. + +Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting as the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. + +For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. ### Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. @@ -475,4 +481,6 @@ After you've decided where your protected apps can access enterprise data on you - [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) - [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) - [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) -- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) \ No newline at end of file +- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) +- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/) +- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms) \ No newline at end of file From 037e6125ad0da2c8fc150859065a48379fdbf156 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 12:59:04 -0700 Subject: [PATCH 11/32] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 62bba049af..3b1d08495b 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -432,7 +432,8 @@ To configure WIP to use Azure Rights Management, you must set the **AllowAzureRM Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting as the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. -For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. +>[!NOTE] +>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. ### Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. From af97f15f3ea771af18102caa256da1cde16af630 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 13:16:12 -0700 Subject: [PATCH 12/32] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 3b1d08495b..ead8eddf33 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -428,7 +428,7 @@ There are no default locations included with WIP, you must add each of your netw ### Choose to set up Azure Rights Management with WIP WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. -To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to start encrypting files copied to removeable drives that use Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. +To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to start encrypting files copied to removable drives that use Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting as the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. From 8a133bd824f2a7a317959eb39c99c4bff675a245 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 14:09:57 -0700 Subject: [PATCH 13/32] Adding content --- .../create-wip-policy-using-intune.md | 384 +++++++++--------- 1 file changed, 188 insertions(+), 196 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index ead8eddf33..b1ce416071 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -14,8 +14,8 @@ localizationpriority: high **Applies to:** -- Windows 10, version 1607 -- Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop) +- Windows 10, version 1607 +- Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop) Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. @@ -23,15 +23,15 @@ Microsoft Intune helps you create and deploy your Windows Information Protection After you’ve set up Intune for your organization, you must create a WIP-specific policy. **To add a WIP policy** -1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area. +1.Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area. -2. Go to **Windows**, click the **Windows Information Protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. +2.Go to **Windows**, click the **Windows Information Protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. - ![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png) +![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png) -3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. +3.Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. - ![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-generalinfo.png) +![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-generalinfo.png) ### Add app rules to your policy During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. @@ -50,19 +50,19 @@ For this example, we’re going to add Microsoft OneNote, a store app, to the ** **To add a store app** 1. From the **App Rules** area, click **Add**. - The **Add App Rule** box appears. +The **Add App Rule** box appears. - ![Microsoft Intune, Add a store app to your policy](images/intune-add-uwp-apps.png) +![Microsoft Intune, Add a store app to your policy](images/intune-add-uwp-apps.png) 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. - Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. +Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. 4. Pick **Store App** from the **Rule template** drop-down list. - The box changes to show the store app rule options. +The box changes to show the store app rule options. 5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. @@ -71,40 +71,35 @@ If you don't know the publisher or product name, you can find them for both desk **To find the Publisher and Product Name values for Store apps without installing them** 1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*. - >[!NOTE] - >If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. +>**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. 3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value. - The API runs and opens a text editor with the app details. +The API runs and opens a text editor with the app details. - ```json - { - "packageIdentityName": "Microsoft.Office.OneNote", - "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" - } - ``` +```json +{ +"packageIdentityName": "Microsoft.Office.OneNote", +"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" +} +``` 4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune. - >[!IMPORTANT] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`. - - For example: - - ```json - { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } - ``` +>**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example: + +```json +{ +"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", +} +``` **To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. - >[!NOTE] - >Your PC and phone must be on the same wireless network. +>**Note**
Your PC and phone must be on the same wireless network. 2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. @@ -120,16 +115,13 @@ If you don't know the publisher or product name, you can find them for both desk 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. - >[!IMPORTANT] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`. - - For example: - - ``` json - { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } - ``` +>**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example: + +``` json +{ + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } +``` #### Add a desktop app rule to your policy For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. @@ -137,70 +129,70 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the **To add a desktop app** 1. From the **App Rules** area, click **Add**. - The **Add App Rule** box appears. - - ![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png) +The **Add App Rule** box appears. + +![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png) 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. - Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. +Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. 4. Pick **Desktop App** from the **Rule template** drop-down list. - The box changes to show the store app rule options. +The box changes to show the store app rule options. 5. Pick the options you want to include for the app rule (see table), and then click **OK**. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionManages
All fields left as “*”All files signed by any publisher. (Not recommended)
Publisher selectedAll files signed by the named publisher.

This might be useful if your company is the publisher and signer of internal line-of-business apps.

Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
Publisher, Product Name, and Binary name selectedAny version of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, and above, selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

This option is recommended for enlightened apps that weren't previously enlightened.

Publisher, Product Name, Binary name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
OptionManages
All fields left as “*”All files signed by any publisher. (Not recommended)
Publisher selectedAll files signed by the named publisher.

This might be useful if your company is the publisher and signer of internal line-of-business apps.

Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
Publisher, Product Name, and Binary name selectedAny version of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, and above, selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

This option is recommended for enlightened apps that weren't previously enlightened.

Publisher, Product Name, Binary name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
If you’re unsure about what to include for the publisher, you can run this PowerShell command: ```ps1 - Get-AppLockerFileInformation -Path "" +Get-AppLockerFileInformation -Path "" ``` Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`. In this example, you'd get the following info: ``` json - Path Publisher - ---- --------- - %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... +Path Publisher +---- --------- +%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... ``` Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. @@ -209,113 +201,113 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* **To create an app rule and xml file using the AppLocker tool** 1. Open the Local Security Policy snap-in (SecPol.msc). - + 2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. - ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) +![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) 3. Right-click in the right-hand pane, and then click **Create New Rule**. - The **Create Packaged app Rules** wizard appears. +The **Create Packaged app Rules** wizard appears. 4. On the **Before You Begin** page, click **Next**. - ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png) +![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png) 5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. - ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) +![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) 6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. - ![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) +![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) 7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos. - ![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) +![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) 8. On the updated **Publisher** page, click **Create**. - ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) +![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) 9. Review the Local Security Policy snap-in to make sure your rule is correct. - ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) +![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) 10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. - The **Export policy** box opens, letting you export and save your new policy as XML. +The **Export policy** box opens, letting you export and save your new policy as XML. - ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) +![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. - The policy is saved and you’ll see a message that says 1 rule was exported from the policy. +The policy is saved and you’ll see a message that says 1 rule was exported from the policy. - **Example XML file**
- This is the XML file that AppLocker creates for Microsoft Photos. +**Example XML file**
+This is the XML file that AppLocker creates for Microsoft Photos. - ```xml - - - - - - - - - - - - - - +```xml + + + + + + + + + + + + + + - ``` +``` 12. After you’ve created your XML file, you need to import it by using Microsoft Intune. **To import your Applocker policy file app rule using Microsoft Intune** 1. From the **App Rules** area, click **Add**. - - The **Add App Rule** box appears. - - ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png) + +The **Add App Rule** box appears. + +![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png) 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. - Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. +Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. 4. Pick **AppLocker policy file** from the **Rule template** drop-down list. - The box changes to let you import your AppLocker XML policy file. +The box changes to let you import your AppLocker XML policy file. 5. Click **Import**, browse to your AppLocker XML file, click **Open**, and then click **OK** to close the **Add App Rule** box. - The file is imported and the apps are added to your **App Rules** list. +The file is imported and the apps are added to your **App Rules** list. #### Exempt apps from WIP restrictions If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. **To exempt a store app, a desktop app, or an AppLocker policy file app rule** 1. From the **App Rules** area, click **Add**. - - The **Add App Rule** box appears. + +The **Add App Rule** box appears. 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. 3. Click **Exempt** from the **Windows Information Protection mode** drop-down list. - Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. +Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. 4. Fill out the rest of the app rule info, based on the type of rule you’re adding: - - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. +- **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. - - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. +- **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. - - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. +- **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. 5. Click **OK**. @@ -341,7 +333,7 @@ You can specify multiple domains owned by your enterprise by separating them wit **To add your corporate identity** - Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. - ![Microsoft Intune, Set your primary Internet domains](images/intune-corporate-identity.png) +![Microsoft Intune, Set your primary Internet domains](images/intune-corporate-identity.png) ### Choose where apps can access enterprise data After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. @@ -356,74 +348,74 @@ There are no default locations included with WIP, you must add each of your netw 1. Add additional network locations your apps can access by clicking **Add**. - The **Add or edit corporate network definition** box appears. +The **Add or edit corporate network definition** box appears. 2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. - ![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png) +![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Network location typeFormatDescription
Enterprise Cloud ResourcesWith proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.

Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter.

Enterprise Proxy Serversproxy.contoso.com:80;proxy2.contoso.com:443Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.

This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise Internal Proxy Serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise IPv4 Range (Required, if not using IPv6)**Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254		Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Enterprise IPv6 Range (Required, if not using IPv4)**Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff		Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Network location typeFormatDescription
Enterprise Cloud ResourcesWith proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.

Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter.

Enterprise Proxy Serversproxy.contoso.com:80;proxy2.contoso.com:443Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.

This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise Internal Proxy Serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise IPv4 Range (Required, if not using IPv6)**Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254		Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Enterprise IPv6 Range (Required, if not using IPv4)**Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff		Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter.

3. Add as many locations as you need, and then click **OK**. - The **Add corporate network definition** box closes. +The **Add corporate network definition** box closes. 4. Decide if you want to Windows to look for additional network settings: - ![Microsoft Intune, Choose if you want Windows to search for additinal proxy servers or IP ranges in your enterprise](images/intune-network-detection-boxes.png) +![Microsoft Intune, Choose if you want Windows to search for additinal proxy servers or IP ranges in your enterprise](images/intune-network-detection-boxes.png) - - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. +- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. 5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. - ![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png) + ![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png) - After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. +After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. - For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). +For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). ### Choose to set up Azure Rights Management with WIP WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. @@ -443,35 +435,35 @@ After you've decided where your protected apps can access enterprise data on you **To set your optional settings** 1. Choose to set any or all of the optional settings: - - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: - - - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. +- **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: + +- **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. - - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. +- **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. - - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: +- **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: - - **Yes (recommended).** Turns on the feature and provides the additional protection. +- **Yes (recommended).** Turns on the feature and provides the additional protection. - - **No, or not configured.** Doesn't enable this feature. +- **No, or not configured.**Doesn't enable this feature. - - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: +- **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. - - - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. +- **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. - - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are: +- **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. - - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. +- **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are: - - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. + - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. - - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: + - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. - - **Yes.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. +- **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: - - **No, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option. + - **Yes.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. + +- **No, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option. 2. Click **Save Policy**. From 024cd88e44c7c649bd1e6a934872f75a5a634b68 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 21 Mar 2017 14:24:31 -0700 Subject: [PATCH 14/32] Fixing formatting and adding content --- ...ange-history-for-keep-windows-10-secure.md | 1 + .../create-wip-policy-using-intune.md | 374 +++++++++--------- 2 files changed, 187 insertions(+), 188 deletions(-) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 858577af50..1ac38ed7d2 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md ## March 2017 |New or changed topic |Description | |---------------------|------------| +|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added new content about Azure Rights Management. | |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| |[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index b1ce416071..9af07a2e91 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -14,8 +14,8 @@ localizationpriority: high **Applies to:** -- Windows 10, version 1607 -- Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop) +- Windows 10, version 1607 +- Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop) Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. @@ -23,15 +23,15 @@ Microsoft Intune helps you create and deploy your Windows Information Protection After you’ve set up Intune for your organization, you must create a WIP-specific policy. **To add a WIP policy** -1.Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area. +1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area. -2.Go to **Windows**, click the **Windows Information Protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. +2. Go to **Windows**, click the **Windows Information Protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. -![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png) + ![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png) -3.Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. +3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. -![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-generalinfo.png) + ![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-generalinfo.png) ### Add app rules to your policy During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps. @@ -50,19 +50,19 @@ For this example, we’re going to add Microsoft OneNote, a store app, to the ** **To add a store app** 1. From the **App Rules** area, click **Add**. -The **Add App Rule** box appears. + The **Add App Rule** box appears. -![Microsoft Intune, Add a store app to your policy](images/intune-add-uwp-apps.png) + ![Microsoft Intune, Add a store app to your policy](images/intune-add-uwp-apps.png) 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. -Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. 4. Pick **Store App** from the **Rule template** drop-down list. -The box changes to show the store app rule options. + The box changes to show the store app rule options. 5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. @@ -71,35 +71,34 @@ If you don't know the publisher or product name, you can find them for both desk **To find the Publisher and Product Name values for Store apps without installing them** 1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*. ->**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. + >**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. 3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value. -The API runs and opens a text editor with the app details. + The API runs and opens a text editor with the app details. -```json -{ -"packageIdentityName": "Microsoft.Office.OneNote", -"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" -} -``` + ```json + { + "packageIdentityName": "Microsoft.Office.OneNote", + "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" + } + ``` 4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune. ->**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example: - -```json -{ -"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", -} -``` + >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
+ ```json + { + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } + ``` **To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. ->**Note**
Your PC and phone must be on the same wireless network. + >**Note**
Your PC and phone must be on the same wireless network. 2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. @@ -115,13 +114,12 @@ The API runs and opens a text editor with the app details. 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. ->**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example: - -``` json -{ - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } -``` + >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
+ ``` json + { + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } + ``` #### Add a desktop app rule to your policy For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. @@ -129,70 +127,70 @@ For this example, we’re going to add Internet Explorer, a desktop app, to the **To add a desktop app** 1. From the **App Rules** area, click **Add**. -The **Add App Rule** box appears. - -![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png) + The **Add App Rule** box appears. + + ![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png) 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. -Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. 4. Pick **Desktop App** from the **Rule template** drop-down list. -The box changes to show the store app rule options. + The box changes to show the store app rule options. 5. Pick the options you want to include for the app rule (see table), and then click **OK**. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
OptionManages
All fields left as “*”All files signed by any publisher. (Not recommended)
Publisher selectedAll files signed by the named publisher.

This might be useful if your company is the publisher and signer of internal line-of-business apps.

Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
Publisher, Product Name, and Binary name selectedAny version of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, and above, selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

This option is recommended for enlightened apps that weren't previously enlightened.

Publisher, Product Name, Binary name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
OptionManages
All fields left as “*”All files signed by any publisher. (Not recommended)
Publisher selectedAll files signed by the named publisher.

This might be useful if your company is the publisher and signer of internal line-of-business apps.

Publisher and Product Name selectedAll files for the specified product, signed by the named publisher.
Publisher, Product Name, and Binary name selectedAny version of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, and above, selectedSpecified version or newer releases of the named file or package for the specified product, signed by the named publisher.

This option is recommended for enlightened apps that weren't previously enlightened.

Publisher, Product Name, Binary name, and File Version, And below selectedSpecified version or older releases of the named file or package for the specified product, signed by the named publisher.
Publisher, Product Name, Binary name, and File Version, Exactly selectedSpecified version of the named file or package for the specified product, signed by the named publisher.
If you’re unsure about what to include for the publisher, you can run this PowerShell command: ```ps1 -Get-AppLockerFileInformation -Path "" + Get-AppLockerFileInformation -Path "" ``` Where `""` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`. In this example, you'd get the following info: ``` json -Path Publisher ----- --------- -%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... + Path Publisher + ---- --------- + %PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR... ``` Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box. @@ -201,113 +199,113 @@ For this example, we’re going to add an AppLocker XML file to the **App Rules* **To create an app rule and xml file using the AppLocker tool** 1. Open the Local Security Policy snap-in (SecPol.msc). - + 2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. -![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) + ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png) 3. Right-click in the right-hand pane, and then click **Create New Rule**. -The **Create Packaged app Rules** wizard appears. + The **Create Packaged app Rules** wizard appears. 4. On the **Before You Begin** page, click **Next**. -![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png) + ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png) 5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. -![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) + ![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png) 6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. -![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) + ![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png) 7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Photos. -![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) + ![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png) 8. On the updated **Publisher** page, click **Create**. -![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) + ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png) 9. Review the Local Security Policy snap-in to make sure your rule is correct. -![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) + ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png) 10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. -The **Export policy** box opens, letting you export and save your new policy as XML. + The **Export policy** box opens, letting you export and save your new policy as XML. -![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) + ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png) 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. -The policy is saved and you’ll see a message that says 1 rule was exported from the policy. + The policy is saved and you’ll see a message that says 1 rule was exported from the policy. -**Example XML file**
-This is the XML file that AppLocker creates for Microsoft Photos. + **Example XML file**
+ This is the XML file that AppLocker creates for Microsoft Photos. -```xml - - - - - - - - - - - - - - + ```xml + + + + + + + + + + + + + + -``` + ``` 12. After you’ve created your XML file, you need to import it by using Microsoft Intune. **To import your Applocker policy file app rule using Microsoft Intune** 1. From the **App Rules** area, click **Add**. - -The **Add App Rule** box appears. - -![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png) + + The **Add App Rule** box appears. + + ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png) 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Allowed app list*. 3. Click **Allow** from the **Windows Information Protection mode** drop-down list. -Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. + Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic. 4. Pick **AppLocker policy file** from the **Rule template** drop-down list. -The box changes to let you import your AppLocker XML policy file. + The box changes to let you import your AppLocker XML policy file. 5. Click **Import**, browse to your AppLocker XML file, click **Open**, and then click **OK** to close the **Add App Rule** box. -The file is imported and the apps are added to your **App Rules** list. + The file is imported and the apps are added to your **App Rules** list. #### Exempt apps from WIP restrictions If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak. **To exempt a store app, a desktop app, or an AppLocker policy file app rule** 1. From the **App Rules** area, click **Add**. - -The **Add App Rule** box appears. + + The **Add App Rule** box appears. 2. Add a friendly name for your app into the **Title** box. In this example, it’s *Exempt apps list*. 3. Click **Exempt** from the **Windows Information Protection mode** drop-down list. -Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. + Be aware that when you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic. 4. Fill out the rest of the app rule info, based on the type of rule you’re adding: -- **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. + - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. -- **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. + - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. -- **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. + - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. 5. Click **OK**. @@ -333,7 +331,7 @@ You can specify multiple domains owned by your enterprise by separating them wit **To add your corporate identity** - Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. -![Microsoft Intune, Set your primary Internet domains](images/intune-corporate-identity.png) + ![Microsoft Intune, Set your primary Internet domains](images/intune-corporate-identity.png) ### Choose where apps can access enterprise data After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. @@ -348,74 +346,74 @@ There are no default locations included with WIP, you must add each of your netw 1. Add additional network locations your apps can access by clicking **Add**. -The **Add or edit corporate network definition** box appears. + The **Add or edit corporate network definition** box appears. 2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. -![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png) + ![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Network location typeFormatDescription
Enterprise Cloud ResourcesWith proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.

Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter.

Enterprise Proxy Serversproxy.contoso.com:80;proxy2.contoso.com:443Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.

This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise Internal Proxy Serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise IPv4 Range (Required, if not using IPv6)**Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254		Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Enterprise IPv6 Range (Required, if not using IPv4)**Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff		Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter.

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Network location typeFormatDescription
Enterprise Cloud ResourcesWith proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.

Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter.

Enterprise Proxy Serversproxy.contoso.com:80;proxy2.contoso.com:443Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.

This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise Internal Proxy Serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise IPv4 Range (Required, if not using IPv6)**Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254		Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Enterprise IPv6 Range (Required, if not using IPv4)**Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff		Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter.

3. Add as many locations as you need, and then click **OK**. -The **Add corporate network definition** box closes. + The **Add corporate network definition** box closes. 4. Decide if you want to Windows to look for additional network settings: -![Microsoft Intune, Choose if you want Windows to search for additinal proxy servers or IP ranges in your enterprise](images/intune-network-detection-boxes.png) + ![Microsoft Intune, Choose if you want Windows to search for additinal proxy servers or IP ranges in your enterprise](images/intune-network-detection-boxes.png) -- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. + - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. 5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. - ![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png) + ![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png) -After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. + After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. -For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). + For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). ### Choose to set up Azure Rights Management with WIP WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. @@ -435,35 +433,35 @@ After you've decided where your protected apps can access enterprise data on you **To set your optional settings** 1. Choose to set any or all of the optional settings: -- **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: - -- **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. + - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are: + + - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box. -- **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. + - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult. -- **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: + - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are: -- **Yes (recommended).** Turns on the feature and provides the additional protection. + - **Yes (recommended).** Turns on the feature and provides the additional protection. -- **No, or not configured.**Doesn't enable this feature. + - **No, or not configured.** Doesn't enable this feature. -- **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: + - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: -- **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. + - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. + + - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. -- **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. + - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are: -- **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are: + - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. - - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps. + - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. - - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps. + - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: -- **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: + - **Yes.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. - - **Yes.** Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. - -- **No, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option. + - **No, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but allowed apps. Not configured is the default option. 2. Click **Save Policy**. From b28c22277bb40c535fed8320b0fb9c4ad1447cb2 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 07:30:38 -0700 Subject: [PATCH 15/32] Updating content from tech review --- windows/keep-secure/create-wip-policy-using-intune.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 9af07a2e91..b3ec476d6b 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -418,9 +418,9 @@ There are no default locations included with WIP, you must add each of your netw ### Choose to set up Azure Rights Management with WIP WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. -To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to start encrypting files copied to removable drives that use Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. +To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. -Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting as the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. +Optionally, if you don’t want everyone in your organization to be able to share your enterprise data, you can set the **RMSTemplateIDForEDP** MDM setting to the **TemplateID** of the Azure Rights Management template used to encrypt the data. You must make sure to mark the template with the **EditRightsData** option. >[!NOTE] >For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. From 86532a8e914f88c5d274ebe87227e62ebee01922 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 07:35:30 -0700 Subject: [PATCH 16/32] Added content --- windows/keep-secure/change-history-for-keep-windows-10-secure.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 1ac38ed7d2..a3fedca01f 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -17,6 +17,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |New or changed topic |Description | |---------------------|------------| |[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added new content about Azure Rights Management. | +|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703. | |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| |[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| From c9d828821706dc75d0c3e25546b9d86a71cf8df8 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 07:38:08 -0700 Subject: [PATCH 17/32] Fixing formatting --- windows/keep-secure/create-wip-policy-using-intune.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index b3ec476d6b..44605fccd9 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -71,6 +71,9 @@ If you don't know the publisher or product name, you can find them for both desk **To find the Publisher and Product Name values for Store apps without installing them** 1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*. + > [!NOTE] + > If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. + >**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. From 86a65acca2bfdcf80ba1eda8cad6c4b8aeb75800 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 08:00:13 -0700 Subject: [PATCH 18/32] Adding content --- ...reate-and-verify-an-efs-dra-certificate.md | 28 +++++++++++++++++++ .../create-wip-policy-using-intune.md | 9 ++---- 2 files changed, 30 insertions(+), 7 deletions(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 4bd92ff06f..b05c43ed2b 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -94,6 +94,34 @@ It's possible that you might revoke data from an unenrolled device only to later The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. +**To quickly recover WIP-protected desktop data after unenrollment in a cloud-based environment**
+If you use a cloud environment in your organization, you may still want to restore an employee's data after revocation. While much of the process is the same as when you're not in a cloud environment, there are a couple of differences. + +>[!IMPORTANT] +>To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device. + +1. Have your employee sign in to the unenrolled device, open the Run command (Windows logo key + R), and type: + + `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> * /EFSRAW` + + -or- + + `Robocopy “{X:\}System Volume Information\EDP\Recovery\ ” <“new_location”> * /EFSRAW` + + Where the keys are stored either within the employee's profile or, if the employee performed a clean installation over the operating system, in the System Volume folder. Also, where *<”new_location”>* is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent. + +2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing: + + `cipher.exe /D <“new_location”>` + +3. Have your employee sign in to the unenrolled device, open the Run command, and type: + + `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”` + +4. Ask the employee to lock and unlock the device. + + The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. + >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 44605fccd9..0067c51efa 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -38,11 +38,9 @@ During the policy-creation process in Intune, you can choose the apps you want t The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. ->[!IMPORTANT] ->WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. + >**Important**
WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. ->[!NOTE] ->If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. +>**Note**
If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. #### Add a store app rule to your policy For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. @@ -71,9 +69,6 @@ If you don't know the publisher or product name, you can find them for both desk **To find the Publisher and Product Name values for Store apps without installing them** 1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*. - > [!NOTE] - > If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. - >**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. From 4a4c6efe5b9961fe1a6a6078d7468427a1ad9579 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 08:25:37 -0700 Subject: [PATCH 19/32] Adding content --- .../keep-secure/create-and-verify-an-efs-dra-certificate.md | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index b05c43ed2b..5bfc60d3cc 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -41,8 +41,7 @@ The recovery process included in this topic only works for desktop devices. WIP 4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager. - >[!NOTE] - >To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic. + **Note**
To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic. **To verify your data recovery certificate is correctly set up on a WIP client computer** @@ -122,8 +121,7 @@ If you use a cloud environment in your organization, you may still want to resto The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). +

**Note**
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). ## Related topics - [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) From 3727fd8bef3d24a2e7bd0bf981b2544fdcc4ecd5 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 08:41:06 -0700 Subject: [PATCH 20/32] Fixing formatting --- ...add-apps-to-protected-list-using-custom-uri.md | 14 +++++--------- .../keep-secure/create-wip-policy-using-sccm.md | 15 ++++----------- 2 files changed, 9 insertions(+), 20 deletions(-) diff --git a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md index 9176b41ff8..b0396cdfd0 100644 --- a/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md +++ b/windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md @@ -39,15 +39,14 @@ You can add apps to your Windows Information Protection (WIP) protected app list 5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules. - >[!NOTE] + >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule. 6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules. 7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules. - >[!IMPORTANT] - >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. + >**Important**
Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. 8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. @@ -87,18 +86,15 @@ After saving the policy, you’ll need to deploy it to your employee’s devices 5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules. - >[!IMPORTANT] - >You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future. + >**Important**
You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future. - >[!NOTE] - >We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.

Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed. + >**Note**
We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.

If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.

Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed. 6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules. 7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules. - >[!IMPORTANT] - >Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. + >**Important**
Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy. 8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**. diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md index 49801ae337..5a51f50d60 100644 --- a/windows/keep-secure/create-wip-policy-using-sccm.md +++ b/windows/keep-secure/create-wip-policy-using-sccm.md @@ -94,8 +94,7 @@ If you don't know the publisher or product name, you can find them for both desk 1. Go to the [Windows Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote. - >[!NOTE] - >If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section. + >**Note**
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section. 2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`. @@ -112,10 +111,7 @@ If you don't know the publisher or product name, you can find them for both desk 4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune. - >[!IMPORTANT] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. - >For example:

- + >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.

For example:

```json { "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", @@ -125,8 +121,7 @@ If you don't know the publisher or product name, you can find them for both desk **To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones** 1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature. - >[!NOTE] - >Your PC and phone must be on the same wireless network. + >**Note**
Your PC and phone must be on the same wireless network. 2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**. @@ -142,10 +137,8 @@ If you don't know the publisher or product name, you can find them for both desk 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. - >[!IMPORTANT] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. + >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`. >For example:

- ```json { "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", From 5ceb091f25f0a22b11bfbcd023eb9f80a1fb374f Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 08:42:45 -0700 Subject: [PATCH 21/32] Fixing formatting --- windows/keep-secure/protect-enterprise-data-using-wip.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md index a37553eb2c..7f5e04babd 100644 --- a/windows/keep-secure/protect-enterprise-data-using-wip.md +++ b/windows/keep-secure/protect-enterprise-data-using-wip.md @@ -93,8 +93,8 @@ WIP gives you a new way to manage data policy enforcement for apps and documents - **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t. - **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable. - >[!NOTE] - >For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. + + >**Note**
For management of Surface devices it is recommended that you use the Current Branch of System Center Configuration Manager.
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device. ## How WIP works WIP helps address your everyday challenges in the enterprise. Including: From 99106b6a79c9f9a212726400a5e95d94c908bbd8 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 08:47:04 -0700 Subject: [PATCH 22/32] Fixing formatting --- .../keep-secure/create-and-verify-an-efs-dra-certificate.md | 3 +-- windows/keep-secure/wip-app-enterprise-context.md | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 5bfc60d3cc..58a3228aef 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -36,8 +36,7 @@ The recovery process included in this topic only works for desktop devices. WIP The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. - >[!IMPORTANT] - >Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. + >**Important**
Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. 4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager. diff --git a/windows/keep-secure/wip-app-enterprise-context.md b/windows/keep-secure/wip-app-enterprise-context.md index b4ebd4ced4..c6fa730a12 100644 --- a/windows/keep-secure/wip-app-enterprise-context.md +++ b/windows/keep-secure/wip-app-enterprise-context.md @@ -45,8 +45,7 @@ The **Enterprise Context** column shows you what each app can do with your enter - **Exempt.** Shows the text, *Exempt*. WIP policies don't apply to these apps (such as, system components). - >[!IMPORTANT] - >Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials. + >**Important**
Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials. From 3399404dd892b2008e434e56644ebc383b2dcd4b Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 09:13:55 -0700 Subject: [PATCH 23/32] Adding content --- windows/keep-secure/change-history-for-keep-windows-10-secure.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index a3fedca01f..1cdc7573bd 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -18,6 +18,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |---------------------|------------| |[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added new content about Azure Rights Management. | |[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703. | +|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate)|Added content about recovering data from a cloud environment.| |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| |[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| From 661616568cb3250e73e1358c7c9e95ea221d1a05 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 09:24:24 -0700 Subject: [PATCH 24/32] Fixing link --- .../keep-secure/change-history-for-keep-windows-10-secure.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 1cdc7573bd..1cf0bcdc14 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -18,7 +18,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |---------------------|------------| |[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added new content about Azure Rights Management. | |[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703. | -|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate)|Added content about recovering data from a cloud environment.| +|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)|Added content about recovering data from a cloud environment.| |[Protect derived domain credentials with Credential Guard](credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| |[Requirements and deployment planning guidelines for Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| From 3662fd52c24d4f140632924e4d27b1fc6fb10d45 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 09:31:49 -0700 Subject: [PATCH 25/32] Adding content --- windows/keep-secure/create-wip-policy-using-intune.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 0067c51efa..4a5f3873fb 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -40,7 +40,7 @@ The steps to add your app rules are based on the type of rule template being app >**Important**
WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. ->**Note**
If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. + >**Note**
If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. #### Add a store app rule to your policy For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. @@ -113,7 +113,7 @@ If you don't know the publisher or product name, you can find them for both desk 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
- ``` json + ```json { "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", } From 63c502615dccdfb498758980f417b6d5289da9ba Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 13:07:15 -0700 Subject: [PATCH 26/32] Updated content --- windows/keep-secure/limitations-with-wip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index 39aaeb8dc5..70b4062521 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md @@ -26,7 +26,7 @@ This table provides info about the most common problems you might encounter whil Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration. - If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running the latest build from the Windows Insider Program.

If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. + If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.

If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.

We strongly recommend educating employees about how to limit or eliminate the need for this decryption. From c6d1289421374540d9be2bd6cc53b3c5c3a2b679 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 22 Mar 2017 14:34:39 -0700 Subject: [PATCH 27/32] Updated content --- windows/keep-secure/create-wip-policy-using-intune.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index 4a5f3873fb..f36171596d 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -14,7 +14,7 @@ localizationpriority: high **Applies to:** -- Windows 10, version 1607 +- Windows 10, version 1703 - Windows 10 Mobile (except Microsoft Azure Rights Management, which is only available on the desktop) Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network. From e0f58566e150bab98bc21cb61a6dd36db683cd88 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 28 Mar 2017 10:31:10 -0700 Subject: [PATCH 28/32] Fixing formatting --- ...reate-and-verify-an-efs-dra-certificate.md | 28 +++++++++---------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 58a3228aef..e0d89f176c 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -92,35 +92,35 @@ It's possible that you might revoke data from an unenrolled device only to later The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. -**To quickly recover WIP-protected desktop data after unenrollment in a cloud-based environment**
+**To quickly recover WIP-protected desktop data in a cloud-based environment**
If you use a cloud environment in your organization, you may still want to restore an employee's data after revocation. While much of the process is the same as when you're not in a cloud environment, there are a couple of differences. >[!IMPORTANT] >To maintain control over your enterprise data, and to be able to revoke again in the future, you must only perform this process after the employee has re-enrolled the device. -1. Have your employee sign in to the unenrolled device, open the Run command (Windows logo key + R), and type: - - `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> * /EFSRAW` +1. Have your employee sign in to the device that has revoked data for you to restore, open the **Run** command (Windows logo key + R), and type one of the following commands: + + - If the keys are still stored within the employee's profile, type: `Robocopy “%localappdata%\Microsoft\EDP\Recovery” “*new_location*” * /EFSRAW` -or- - `Robocopy “{X:\}System Volume Information\EDP\Recovery\ ” <“new_location”> * /EFSRAW` + - If the employee performed a clean installation over the operating system and you need to recover the keys from the System Volume folder, type: `Robocopy “drive_letter:\System Volume Information\EDP\Recovery\” “*new_location*” * /EFSRAW` - Where the keys are stored either within the employee's profile or, if the employee performed a clean installation over the operating system, in the System Volume folder. Also, where *<”new_location”>* is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent. + >[!Important] + >The “*new_location*” must be in a different directory, either on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share, which can be accessed while you're logged in as a data recovery agent. -2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing: - `cipher.exe /D <“new_location”>` +2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate private key, and perform the file decryption and recovery by typing: -3. Have your employee sign in to the unenrolled device, open the Run command, and type: + `cipher.exe /D “new_location”` - `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”` +3. Have your employee sign in to the device again, open the **Run** command, and type: + + `Robocopy `*“new_location”*` “%localappdata%\Microsoft\EDP\Recovery\Input”` 4. Ask the employee to lock and unlock the device. - The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. - -

**Note**
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). + The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. All your company’s previously revoked files should be accessible to the employee again. ## Related topics - [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) @@ -133,5 +133,5 @@ If you use a cloud environment in your organization, you may still want to resto - [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA) - +

**Note**
Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). From 31c62d89b892b3eca3c3d877bb002fa978f17ded Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 28 Mar 2017 11:01:08 -0700 Subject: [PATCH 29/32] Fixing formatting --- .../create-and-verify-an-efs-dra-certificate.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index e0d89f176c..75e3394ad7 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -100,11 +100,11 @@ If you use a cloud environment in your organization, you may still want to resto 1. Have your employee sign in to the device that has revoked data for you to restore, open the **Run** command (Windows logo key + R), and type one of the following commands: - - If the keys are still stored within the employee's profile, type: `Robocopy “%localappdata%\Microsoft\EDP\Recovery” “*new_location*” * /EFSRAW` + - If the keys are still stored within the employee's profile, type: Robocopy “%localappdata%\Microsoft\EDP\Recovery” “new_location” * /EFSRAW -or- - - If the employee performed a clean installation over the operating system and you need to recover the keys from the System Volume folder, type: `Robocopy “drive_letter:\System Volume Information\EDP\Recovery\” “*new_location*” * /EFSRAW` + - If the employee performed a clean installation over the operating system and you need to recover the keys from the System Volume folder, type: Robocopy “drive_letter:\System Volume Information\EDP\Recovery\” "new_location” * /EFSRAW> >[!Important] >The “*new_location*” must be in a different directory, either on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share, which can be accessed while you're logged in as a data recovery agent. @@ -112,15 +112,15 @@ If you use a cloud environment in your organization, you may still want to resto 2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate private key, and perform the file decryption and recovery by typing: - `cipher.exe /D “new_location”` + cipher.exe /D “new_location 3. Have your employee sign in to the device again, open the **Run** command, and type: - `Robocopy `*“new_location”*` “%localappdata%\Microsoft\EDP\Recovery\Input”` + Robocopy “new_location” “%localappdata%\Microsoft\EDP\Recovery\Input” 4. Ask the employee to lock and unlock the device. - The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. All your company’s previously revoked files should be accessible to the employee again. + The Windows Credential service automatically recovers the employee’s previously revoked keys from the Recovery\Input location. All your company’s previously revoked files should be accessible to the employee again. ## Related topics - [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) From cf5bafb51a849a2280d2dfc55050efb155bcca1f Mon Sep 17 00:00:00 2001 From: LizRoss Date: Tue, 28 Mar 2017 11:16:26 -0700 Subject: [PATCH 30/32] Fixing formatting --- ...reate-and-verify-an-efs-dra-certificate.md | 31 ++++++++++--------- 1 file changed, 16 insertions(+), 15 deletions(-) diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index 75e3394ad7..bfd0d8535f 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -28,19 +28,21 @@ The recovery process included in this topic only works for desktop devices. WIP 2. Run this command: - `cipher /r:` + cipher /r:EFSRA - Where *<EFSRA>* is the name of the .cer and .pfx files that you want to create. + Where *EFSRA* is the name of the .cer and .pfx files that you want to create. 3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file. The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1. - >**Important**
Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. + >[!Important] + >Because the private keys in your DRA .pfx files can be used to decrypt any WIP file, you must protect them accordingly. We highly recommend storing these files offline, keeping copies on a smart card with strong protection for normal use and master copies in a secured physical location. -4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager. +4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager. - **Note**
To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic. + >[!Note] + >To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic. **To verify your data recovery certificate is correctly set up on a WIP client computer** @@ -50,9 +52,9 @@ The recovery process included in this topic only works for desktop devices. WIP 3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command: - `cipher /c ` + cipher /c file_name - Where *<filename>* is the name of the file you created in Step 1. + Where *file_name* is the name of the file you created in Step 1. 4. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list. @@ -64,9 +66,9 @@ The recovery process included in this topic only works for desktop devices. WIP 3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command: - `cipher /d ` + cipher /d encryptedfile.extension> - Where *<encryptedfile.extension>* is the name of your encrypted file. For example, corporatedata.docx. + Where *encryptedfile.extension* is the name of your encrypted file. For example, corporatedata.docx. **To quickly recover WIP-protected desktop data after unenrollment**
It's possible that you might revoke data from an unenrolled device only to later want to restore it all. This can happen in the case of a missing device being returned or if an unenrolled employee enrolls again. If the employee enrolls again using the original user profile, and the revoked key store is still on the device, all of the revoked data can be restored at once, by following these steps. @@ -76,21 +78,21 @@ It's possible that you might revoke data from an unenrolled device only to later 1. Have your employee sign in to the unenrolled device, open a command prompt, and type: - `Robocopy “%localappdata%\Microsoft\EDP\Recovery” <“new_location”> /EFSRAW` + Robocopy “%localappdata%\Microsoft\EDP\Recovery” “new_location” /EFSRAW - Where *<”new_location”>* is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent. + Where ”*new_location*" is in a different directory. This can be on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share that can be accessed while you're logged in as a data recovery agent. 2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate, and perform the file decryption and recovery by typing: - `cipher.exe /D <“new_location”>` + cipher.exe /D "new_location" 3. Have your employee sign in to the unenrolled device, and type: - `Robocopy <”new_location”> “%localappdata%\Microsoft\EDP\Recovery\Input”` + Robocopy "new_location" “%localappdata%\Microsoft\EDP\Recovery\Input” 4. Ask the employee to lock and unlock the device. - The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location. + The Windows Credential service automatically recovers the employee’s previously revoked keys from the Recovery\Input location. **To quickly recover WIP-protected desktop data in a cloud-based environment**
If you use a cloud environment in your organization, you may still want to restore an employee's data after revocation. While much of the process is the same as when you're not in a cloud environment, there are a couple of differences. @@ -109,7 +111,6 @@ If you use a cloud environment in your organization, you may still want to resto >[!Important] >The “*new_location*” must be in a different directory, either on the employee’s device or on a Windows 8 or Windows Server 2012 or newer server file share, which can be accessed while you're logged in as a data recovery agent. - 2. Sign in to a different device with administrator credentials that have access to your organization's DRA certificate private key, and perform the file decryption and recovery by typing: cipher.exe /D “new_location From 5587f731050dac9adf1e4a4cf9bf7a5cb35654aa Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 29 Mar 2017 08:09:07 -0700 Subject: [PATCH 31/32] Fixing formatting --- .../create-wip-policy-using-intune.md | 109 +++++++++--------- 1 file changed, 57 insertions(+), 52 deletions(-) diff --git a/windows/keep-secure/create-wip-policy-using-intune.md b/windows/keep-secure/create-wip-policy-using-intune.md index f36171596d..76ded492c6 100644 --- a/windows/keep-secure/create-wip-policy-using-intune.md +++ b/windows/keep-secure/create-wip-policy-using-intune.md @@ -38,9 +38,12 @@ During the policy-creation process in Intune, you can choose the apps you want t The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file. - >**Important**
WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. +>[!Important] +>WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.

Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. - >**Note**
If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. + +>[!Note] +>If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic. #### Add a store app rule to your policy For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list. @@ -86,7 +89,8 @@ If you don't know the publisher or product name, you can find them for both desk 4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune. - >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
+ >[!Important] + >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
```json { "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", @@ -112,11 +116,12 @@ If you don't know the publisher or product name, you can find them for both desk 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. - >**Important**
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
+ >[!Important] + >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.

For example:
```json { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } + "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", + } ``` #### Add a desktop app rule to your policy @@ -349,49 +354,49 @@ There are no default locations included with WIP, you must add each of your netw 2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. ![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png) -

+

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Network location typeFormatDescription
Enterprise Cloud ResourcesWith proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com

Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.

Enterprise Network Domain Names (Required)corp.contoso.com,region.contoso.comSpecify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter.

Enterprise Proxy Serversproxy.contoso.com:80;proxy2.contoso.com:443Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.

This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise Internal Proxy Serverscontoso.internalproxy1.com;contoso.internalproxy2.comSpecify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter.

Enterprise IPv4 Range (Required, if not using IPv6)**Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254		Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Enterprise IPv6 Range (Required, if not using IPv4)**Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff		Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter.

Neutral Resourcessts.contoso.com,sts.contoso2.comSpecify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter.

+ + Network location type + Format + Description + + + Enterprise Cloud Resources + With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. + + + Enterprise Network Domain Names (Required) + corp.contoso.com,region.contoso.com + Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.

This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.

If you have multiple resources, you must separate them using the "," delimiter. + + + Enterprise Proxy Servers + proxy.contoso.com:80;proxy2.contoso.com:443 + Specify your externally-facing proxy server addresses, along with the port through which traffic accesses the Internet.

This list must not include any servers listed in the Enterprise Internal Proxy Servers list, because they’re used for WIP-protected traffic.

This setting is also required if there’s a chance you could end up behind a proxy server on another network. In this situation, if you don't have a proxy server pre-defined, you might find that enterprise resources are unavailable to your client device, such as when you’re visiting another company and not on the guest network. To make sure this doesn’t happen, the client device also needs to be able to reach the pre-defined proxy server through the VPN network.

If you have multiple resources, you must separate them using the ";" delimiter. + + + Enterprise Internal Proxy Servers + contoso.internalproxy1.com;contoso.internalproxy2.com + Specify the proxy servers your devices will go through to reach your cloud resources.

Using this server type indicates that the cloud resources you’re connecting to are enterprise resources.

This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.

If you have multiple resources, you must separate them using the ";" delimiter. + + + Enterprise IPv4 Range (Required, if not using IPv6) + **Starting IPv4 Address:** 3.4.0.1
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254 + Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter. + + + Enterprise IPv6 Range (Required, if not using IPv4) + **Starting IPv6 Address:** 2a01:110::
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff + Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.

If you have multiple ranges, you must separate them using the "," delimiter. + + + Neutral Resources + sts.contoso.com,sts.contoso2.com + Specify your authentication redirection endpoints for your company.

These locations are considered enterprise or personal, based on the context of the connection before the redirection.

If you have multiple resources, you must separate them using the "," delimiter. + + 3. Add as many locations as you need, and then click **OK**. @@ -463,13 +468,13 @@ After you've decided where your protected apps can access enterprise data on you 2. Click **Save Policy**. ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). - ## Related topics - [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) - [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) - [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) - [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) - [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/) -- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms) \ No newline at end of file +- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms) + +>[!NOTE] +>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file From bed4d7c02bca53dd51f1bcedf512ffd764080a13 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 29 Mar 2017 08:59:07 -0700 Subject: [PATCH 32/32] Updated content --- .../keep-secure/change-history-for-keep-windows-10-secure.md | 1 + windows/keep-secure/create-and-verify-an-efs-dra-certificate.md | 2 +- windows/keep-secure/limitations-with-wip.md | 2 +- windows/keep-secure/mandatory-settings-for-wip.md | 2 +- 4 files changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 1cf0bcdc14..10f723df74 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md ## March 2017 |New or changed topic |Description | |---------------------|------------| +|[Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |Updated based on Windows 10, version 1703. | |[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Added new content about Azure Rights Management. | |[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Added additional limitations for Windows 10, version 1703. | |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)|Added content about recovering data from a cloud environment.| diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md index bfd0d8535f..a872b455ba 100644 --- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md +++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md @@ -12,7 +12,7 @@ localizationpriority: high # Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate **Applies to:** -- Windows 10, version 1607 +- Windows 10, version 1703 - Windows 10 Mobile If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index 70b4062521..9d6d1d1907 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md @@ -13,7 +13,7 @@ localizationpriority: high # Limitations while using Windows Information Protection (WIP) **Applies to:** -- Windows 10, version 1607 +- Windows 10, version 1703 - Windows 10 Mobile This table provides info about the most common problems you might encounter while running WIP in your organization. diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md index 1c7ea0a9ff..8582716a30 100644 --- a/windows/keep-secure/mandatory-settings-for-wip.md +++ b/windows/keep-secure/mandatory-settings-for-wip.md @@ -12,7 +12,7 @@ localizationpriority: high # Mandatory tasks and settings required to turn on Windows Information Protection (WIP) **Applies to:** -- Windows 10, version 1607 +- Windows 10, version 1703 - Windows 10 Mobile This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise.