deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-17 19:33:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge pull request #3592 from MicrosoftDocs/dansimp-strongbad

Browse Source 
<strong> tags causing loc issues. replacing w <b>
This commit is contained in:
Tina Burden
2020-08-21 10:55:13 -07:00
committed by GitHub
parent e95816c762 cca1fe501d
commit acedee690f
44 changed files with 1587 additions and 1587 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
windows/security/information-protection/bitlocker/bitlocker-basic-deployment.md
View File

@ -252,11 +252,11 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><strong>Name</strong></p></td>
<td align="left"><p><strong>Parameters</strong></p></td>
<td align="left"><p><b>Name</b></p></td>
<td align="left"><p><b>Parameters</b></p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Add-BitLockerKeyProtector</strong></p></td>
<td align="left"><p><b>Add-BitLockerKeyProtector</b></p></td>
<td align="left"><p>-ADAccountOrGroup</p>
<p>-ADAccountOrGroupProtector</p>
<p>-Confirm</p>
@ -278,26 +278,26 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
<p>-WhatIf</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Backup-BitLockerKeyProtector</strong></p></td>
<td align="left"><p><b>Backup-BitLockerKeyProtector</b></p></td>
<td align="left"><p>-Confirm</p>
<p>-KeyProtectorId</p>
<p>-MountPoint</p>
<p>-WhatIf</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Disable-BitLocker</strong></p></td>
<td align="left"><p><b>Disable-BitLocker</b></p></td>
<td align="left"><p>-Confirm</p>
<p>-MountPoint</p>
<p>-WhatIf</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Disable-BitLockerAutoUnlock</strong></p></td>
<td align="left"><p><b>Disable-BitLockerAutoUnlock</b></p></td>
<td align="left"><p>-Confirm</p>
<p>-MountPoint</p>
<p>-WhatIf</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Enable-BitLocker</strong></p></td>
<td align="left"><p><b>Enable-BitLocker</b></p></td>
<td align="left"><p>-AdAccountOrGroup</p>
<p>-AdAccountOrGroupProtector</p>
<p>-Confirm</p>
@ -322,44 +322,44 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
<p>-WhatIf</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Enable-BitLockerAutoUnlock</strong></p></td>
<td align="left"><p><b>Enable-BitLockerAutoUnlock</b></p></td>
<td align="left"><p>-Confirm</p>
<p>-MountPoint</p>
<p>-WhatIf</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Get-BitLockerVolume</strong></p></td>
<td align="left"><p><b>Get-BitLockerVolume</b></p></td>
<td align="left"><p>-MountPoint</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Lock-BitLocker</strong></p></td>
<td align="left"><p><b>Lock-BitLocker</b></p></td>
<td align="left"><p>-Confirm</p>
<p>-ForceDismount</p>
<p>-MountPoint</p>
<p>-WhatIf</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Remove-BitLockerKeyProtector</strong></p></td>
<td align="left"><p><b>Remove-BitLockerKeyProtector</b></p></td>
<td align="left"><p>-Confirm</p>
<p>-KeyProtectorId</p>
<p>-MountPoint</p>
<p>-WhatIf</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Resume-BitLocker</strong></p></td>
<td align="left"><p><b>Resume-BitLocker</b></p></td>
<td align="left"><p>-Confirm</p>
<p>-MountPoint</p>
<p>-WhatIf</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Suspend-BitLocker</strong></p></td>
<td align="left"><p><b>Suspend-BitLocker</b></p></td>
<td align="left"><p>-Confirm</p>
<p>-MountPoint</p>
<p>-RebootCount</p>
<p>-WhatIf</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Unlock-BitLocker</strong></p></td>
<td align="left"><p><b>Unlock-BitLocker</b></p></td>
<td align="left"><p>-AdAccountOrGroup</p>
<p>-Confirm</p>
<p>-MountPoint</p>
@ -374,7 +374,7 @@ Windows PowerShell cmdlets provide an alternative way to work with BitLocker. Us
Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets.
A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the <code>Get-BitLocker</code> volume cmdlet. The output from this cmdlet displays information on the volume type, protectors, protection status, and other useful information.
Occasionally, all protectors may not be shown when using <strong>Get-BitLockerVolume</strong> due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors.
Occasionally, all protectors may not be shown when using <b>Get-BitLockerVolume</b> due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a listing of the protectors.
> **Note:**  In the event that there are more than four protectors for a volume, the pipe command may run out of display space. For volumes with more than four protectors, use the method described in the section below to generate a listing of all protectors with protector ID.

734
windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
View File

File diff suppressed because it is too large Load Diff

28
windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
View File

@ -126,11 +126,11 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><strong>Name</strong></p></td>
<td align="left"><p><strong>Parameters</strong></p></td>
<td align="left"><p><b>Name</b></p></td>
<td align="left"><p><b>Parameters</b></p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Add-BitLockerKeyProtector</strong></p></td>
<td align="left"><p><b>Add-BitLockerKeyProtector</b></p></td>
<td align="left"><p>-ADAccountOrGroup</p>
<p>-ADAccountOrGroupProtector</p>
<p>-Confirm</p>
@ -152,26 +152,26 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
<p>-WhatIf</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Backup-BitLockerKeyProtector</strong></p></td>
<td align="left"><p><b>Backup-BitLockerKeyProtector</b></p></td>
<td align="left"><p>-Confirm</p>
<p>-KeyProtectorId</p>
<p>-MountPoint</p>
<p>-WhatIf</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Disable-BitLocker</strong></p></td>
<td align="left"><p><b>Disable-BitLocker</b></p></td>
<td align="left"><p>-Confirm</p>
<p>-MountPoint</p>
<p>-WhatIf</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Disable-BitLockerAutoUnlock</strong></p></td>
<td align="left"><p><b>Disable-BitLockerAutoUnlock</b></p></td>
<td align="left"><p>-Confirm</p>
<p>-MountPoint</p>
<p>-WhatIf</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Enable-BitLocker</strong></p></td>
<td align="left"><p><b>Enable-BitLocker</b></p></td>
<td align="left"><p>-AdAccountOrGroup</p>
<p>-AdAccountOrGroupProtector</p>
<p>-Confirm</p>
@ -196,44 +196,44 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
<p>-WhatIf</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Enable-BitLockerAutoUnlock</strong></p></td>
<td align="left"><p><b>Enable-BitLockerAutoUnlock</b></p></td>
<td align="left"><p>-Confirm</p>
<p>-MountPoint</p>
<p>-WhatIf</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Get-BitLockerVolume</strong></p></td>
<td align="left"><p><b>Get-BitLockerVolume</b></p></td>
<td align="left"><p>-MountPoint</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Lock-BitLocker</strong></p></td>
<td align="left"><p><b>Lock-BitLocker</b></p></td>
<td align="left"><p>-Confirm</p>
<p>-ForceDismount</p>
<p>-MountPoint</p>
<p>-WhatIf</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Remove-BitLockerKeyProtector</strong></p></td>
<td align="left"><p><b>Remove-BitLockerKeyProtector</b></p></td>
<td align="left"><p>-Confirm</p>
<p>-KeyProtectorId</p>
<p>-MountPoint</p>
<p>-WhatIf</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Resume-BitLocker</strong></p></td>
<td align="left"><p><b>Resume-BitLocker</b></p></td>
<td align="left"><p>-Confirm</p>
<p>-MountPoint</p>
<p>-WhatIf</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Suspend-BitLocker</strong></p></td>
<td align="left"><p><b>Suspend-BitLocker</b></p></td>
<td align="left"><p>-Confirm</p>
<p>-MountPoint</p>
<p>-RebootCount</p>
<p>-WhatIf</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Unlock-BitLocker</strong></p></td>
<td align="left"><p><b>Unlock-BitLocker</b></p></td>
<td align="left"><p>-AdAccountOrGroup</p>
<p>-Confirm</p>
<p>-MountPoint</p>

38
windows/security/information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
View File

@ -168,91 +168,91 @@ The following table contains information about both Physical Disk Resources (i.e
</colgroup>
<tbody>
<tr class="odd">
<td align="left"><p><strong>Action</strong></p></td>
<td align="left"><p><strong>On owner node of failover volume</strong></p></td>
<td align="left"><p><strong>On Metadata Server (MDS) of CSV</strong></p></td>
<td align="left"><p><strong>On (Data Server) DS of CSV</strong></p></td>
<td align="left"><p><strong>Maintenance Mode</strong></p></td>
<td align="left"><p><b>Action</b></p></td>
<td align="left"><p><b>On owner node of failover volume</b></p></td>
<td align="left"><p><b>On Metadata Server (MDS) of CSV</b></p></td>
<td align="left"><p><b>On (Data Server) DS of CSV</b></p></td>
<td align="left"><p><b>Maintenance Mode</b></p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Manage-bde on</strong></p></td>
<td align="left"><p><b>Manage-bde on</b></p></td>
<td align="left"><p>Blocked</p></td>
<td align="left"><p>Blocked</p></td>
<td align="left"><p>Blocked</p></td>
<td align="left"><p>Allowed</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Manage-bde off</strong></p></td>
<td align="left"><p><b>Manage-bde off</b></p></td>
<td align="left"><p>Blocked</p></td>
<td align="left"><p>Blocked</p></td>
<td align="left"><p>Blocked</p></td>
<td align="left"><p>Allowed</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Manage-bde Pause/Resume</strong></p></td>
<td align="left"><p><b>Manage-bde Pause/Resume</b></p></td>
<td align="left"><p>Blocked</p></td>
<td align="left"><p>Blocked<strong></p></td>
<td align="left"><p>Blocked<b></p></td>
<td align="left"><p>Blocked</p></td>
<td align="left"><p>Allowed</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Manage-bde lock</strong></p></td>
<td align="left"><p><b>Manage-bde lock</b></p></td>
<td align="left"><p>Blocked</p></td>
<td align="left"><p>Blocked</p></td>
<td align="left"><p>Blocked</p></td>
<td align="left"><p>Allowed</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>manage-bde wipe</strong></p></td>
<td align="left"><p><b>manage-bde wipe</b></p></td>
<td align="left"><p>Blocked</p></td>
<td align="left"><p>Blocked</p></td>
<td align="left"><p>Blocked</p></td>
<td align="left"><p>Allowed</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Unlock</strong></p></td>
<td align="left"><p><b>Unlock</b></p></td>
<td align="left"><p>Automatic via cluster service</p></td>
<td align="left"><p>Automatic via cluster service</p></td>
<td align="left"><p>Automatic via cluster service</p></td>
<td align="left"><p>Allowed</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>manage-bde protector add</strong></p></td>
<td align="left"><p><b>manage-bde protector add</b></p></td>
<td align="left"><p>Allowed</p></td>
<td align="left"><p>Allowed</p></td>
<td align="left"><p>Blocked</p></td>
<td align="left"><p>Allowed</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>manage-bde -protector -delete</strong></p></td>
<td align="left"><p><b>manage-bde -protector -delete</b></p></td>
<td align="left"><p>Allowed</p></td>
<td align="left"><p>Allowed</p></td>
<td align="left"><p>Blocked</p></td>
<td align="left"><p>Allowed</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>manage-bde autounlock</strong></p></td>
<td align="left"><p><b>manage-bde autounlock</b></p></td>
<td align="left"><p>Allowed (not recommended)</p></td>
<td align="left"><p>Allowed (not recommended)</p></td>
<td align="left"><p>Blocked</p></td>
<td align="left"><p>Allowed (not recommended)</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Manage-bde -upgrade</strong></p></td>
<td align="left"><p><b>Manage-bde -upgrade</b></p></td>
<td align="left"><p>Allowed</p></td>
<td align="left"><p>Allowed</p></td>
<td align="left"><p>Blocked</p></td>
<td align="left"><p>Allowed</p></td>
</tr>
<tr class="even">
<td align="left"><p><strong>Shrink</strong></p></td>
<td align="left"><p><b>Shrink</b></p></td>
<td align="left"><p>Allowed</p></td>
<td align="left"><p>Allowed</p></td>
<td align="left"><p>Blocked</p></td>
<td align="left"><p>Allowed</p></td>
</tr>
<tr class="odd">
<td align="left"><p><strong>Extend</strong></p></td>
<td align="left"><p><b>Extend</b></p></td>
<td align="left"><p>Allowed</p></td>
<td align="left"><p>Allowed</p></td>
<td align="left"><p>Blocked</p></td>
@ -261,7 +261,7 @@ The following table contains information about both Physical Disk Resources (i.e
</tbody>
</table>
&gt;</strong>Note:** Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node
&gt;</b>Note:** Although the manage-bde -pause command is Blocked in clusters, the cluster service will automatically resume a paused encryption or decryption from the MDS node
In the case where a physical disk resource experiences a failover event during conversion, the new owning node will detect the conversion is not complete and will complete the conversion process.

14
windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
View File

@ -53,7 +53,7 @@ This table includes info about how unenlightened apps might behave, based on you
<th align="center">Name-based policies, using the /&#42;AppCompat&#42;/ string or proxy-based policies</th>
</tr>
<tr align="left">
<td><strong>Not required.</strong> App connects to enterprise cloud resources directly, using an IP address.</td>
<td><b>Not required.</b> App connects to enterprise cloud resources directly, using an IP address.</td>
<td>
<ul>
<li>App is entirely blocked from both personal and enterprise cloud resources.</li>
@ -70,7 +70,7 @@ This table includes info about how unenlightened apps might behave, based on you
</td>
</tr>
<tr align="left">
<td><strong>Not required.</strong> App connects to enterprise cloud resources, using a hostname.</td>
<td><b>Not required.</b> App connects to enterprise cloud resources, using a hostname.</td>
<td colspan="2">
<ul>
<li>App is blocked from accessing enterprise cloud resources, but can access other network resources.</li>
@ -80,7 +80,7 @@ This table includes info about how unenlightened apps might behave, based on you
</td>
</tr>
<tr align="left">
<td><strong>Allow.</strong> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
<td><b>Allow.</b> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
<td colspan="2">
<ul>
<li>App can access both personal and enterprise cloud resources.</li>
@ -90,7 +90,7 @@ This table includes info about how unenlightened apps might behave, based on you
</td>
</tr>
<tr align="left" colspan="2">
<td><strong>Exempt.</strong> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
<td><b>Exempt.</b> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
<td colspan="2">
<ul>
<li>App can access both personal and enterprise cloud resources.</li>
@ -110,7 +110,7 @@ This table includes info about how enlightened apps might behave, based on your
<th>Networking policy configuration for name-based policies, possibly using the /&#42;AppCompat&#42;/ string, or proxy-based policies</th>
</tr>
<tr>
<td><strong>Not required.</strong> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
<td><b>Not required.</b> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
<td>
<ul>
<li>App is blocked from accessing enterprise cloud resources, but can access other network resources.</li>
@ -120,7 +120,7 @@ This table includes info about how enlightened apps might behave, based on your
</td>
</tr>
<tr>
<td><strong>Allow.</strong> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
<td><b>Allow.</b> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
<td>
<ul>
<li>App can access both personal and enterprise cloud resources.</li>
@ -130,7 +130,7 @@ This table includes info about how enlightened apps might behave, based on your
</td>
</tr>
<tr>
<td><strong>Exempt.</strong> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
<td><b>Exempt.</b> App connects to enterprise cloud resources, using an IP address or a hostname.</td>
<td>
<ul>
<li>App can access both personal and enterprise cloud resources.</li>

20
windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
View File

@ -190,27 +190,27 @@ For this example, we're going to add Internet Explorer, a desktop app, to the **
<td>All files signed by any publisher. (Not recommended.)</td>
</tr>
<tr>
<td><strong>Publisher</strong> selected</td>
<td><b>Publisher</b> selected</td>
<td>All files signed by the named publisher.<p>This might be useful if your company is the publisher and signer of internal line-of-business apps.</td>
</tr>
<tr>
<td><strong>Publisher</strong> and <strong>Product Name</strong> selected</td>
<td><b>Publisher</b> and <b>Product Name</b> selected</td>
<td>All files for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, and <strong>Binary name</strong> selected</td>
<td><b>Publisher</b>, <b>Product Name</b>, and <b>Binary name</b> selected</td>
<td>Any version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, and above</strong>, selected</td>
<td><b>Publisher</b>, <b>Product Name</b>, <b>Binary name</b>, and <b>File Version, and above</b>, selected</td>
<td>Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<p>This option is recommended for enlightened apps that weren't previously enlightened.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, And below</strong> selected</td>
<td><b>Publisher</b>, <b>Product Name</b>, <b>Binary name</b>, and <b>File Version, And below</b> selected</td>
<td>Specified version or older releases of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, Exactly</strong> selected</td>
<td><b>Publisher</b>, <b>Product Name</b>, <b>Binary name</b>, and <b>File Version, Exactly</b> selected</td>
<td>Specified version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
</table>
@ -403,8 +403,8 @@ There are no default locations included with WIP, you must add each of your netw
</tr>
<tr>
<td>Enterprise Cloud Resources</td>
<td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<p>If you have multiple resources, you must separate them using the &quot;|&quot; delimiter. If you don't use proxy servers, you must also include the &quot;,&quot; delimiter just before the &quot;|&quot;. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.</td>
<td><b>With proxy:</b> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><b>Without proxy:</b> contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<p>If you have multiple resources, you must separate them using the &quot;|&quot; delimiter. If you don't use proxy servers, you must also include the &quot;,&quot; delimiter just before the &quot;|&quot;. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p><b>Important</b><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.</td>
</tr>
<tr>
<td>Enterprise Network Domain Names (Required)</td>
@ -422,12 +422,12 @@ There are no default locations included with WIP, you must add each of your netw
<td>Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.<br><br>This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.<br><br>If you have multiple resources, you must separate them using the &quot;;&quot; delimiter.</td><br/> </tr>
<tr>
<td>Enterprise IPv4 Range (Required)</td>
<td><strong>Starting IPv4 Address:</strong> 3.4.0.1<br><strong>Ending IPv4 Address:</strong> 3.4.255.254<br><strong>Custom URI:</strong> 3.4.0.1-3.4.255.254,<br>10.0.0.1-10.255.255.254</td>
<td><b>Starting IPv4 Address:</b> 3.4.0.1<br><b>Ending IPv4 Address:</b> 3.4.255.254<br><b>Custom URI:</b> 3.4.0.1-3.4.255.254,<br>10.0.0.1-10.255.255.254</td>
<td>Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the &quot;,&quot; delimiter.</td>
</tr>
<tr>
<td>Enterprise IPv6 Range</td>
<td><strong>Starting IPv6 Address:</strong> 2a01:110::<br><strong>Ending IPv6 Address:</strong> 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br><strong>Custom URI:</strong> 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td>
<td><b>Starting IPv6 Address:</b> 2a01:110::<br><b>Ending IPv6 Address:</b> 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br><b>Custom URI:</b> 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td>
<td>Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the &quot;,&quot; delimiter.</td>
</tr>
<tr>

2
windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
View File

@ -108,7 +108,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
| Microsoft Messaging | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Messaging<br>**App Type:** Universal app |
| IE11 | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** iexplore.exe<br>**App Type:** Desktop app |
| OneDrive Sync Client | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** onedrive.exe<br>**App Type:** Desktop app |
| OneDrive app | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Microsoftskydrive<br><strong>Product Version:</strong>Product version: 17.21.0.0 (and later)<br>**App Type:** Universal app |
| OneDrive app | **Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Microsoftskydrive<br><b>Product Version:</b>Product version: 17.21.0.0 (and later)<br>**App Type:** Universal app |
| Notepad | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** notepad.exe<br>**App Type:** Desktop app |
| Microsoft Paint | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** mspaint.exe<br>**App Type:** Desktop app |
| Microsoft Remote Desktop | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** mstsc.exe<br>**App Type:** Desktop app |

26
windows/security/information-protection/windows-information-protection/limitations-with-wip.md
View File

@ -33,18 +33,18 @@ This table provides info about the most common problems you might encounter whil
</tr>
<tr>
<td>Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.</td>
<td><strong>If youre using Azure RMS:</strong> Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.<br><br><strong>If youre not using Azure RMS:</strong> Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won&#39;t open or the file opens, but doesn&#39;t contain readable text.</td>
<td><b>If youre using Azure RMS:</b> Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.<br><br><b>If youre not using Azure RMS:</b> Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won&#39;t open or the file opens, but doesn&#39;t contain readable text.</td>
<td>Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.<br><br>We strongly recommend educating employees about how to limit or eliminate the need for this decryption.</td>
</tr>
<tr>
<td>Direct Access is incompatible with WIP.</td>
<td>Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isnt a corporate network resource.</td>
<td>We recommend that you use VPN for client access to your intranet resources.<br><br><strong>Note</strong><br>VPN is optional and isnt required by WIP.</td>
<td>We recommend that you use VPN for client access to your intranet resources.<br><br><b>Note</b><br>VPN is optional and isnt required by WIP.</td>
</tr>
<tr>
<td><strong>NetworkIsolation</strong> Group Policy setting takes precedence over MDM Policy settings.</td>
<td>The <strong>NetworkIsolation</strong> Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured.</td>
<td>If you use both Group Policy and MDM to configure your <strong>NetworkIsolation</strong> settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM.</td>
<td><b>NetworkIsolation</b> Group Policy setting takes precedence over MDM Policy settings.</td>
<td>The <b>NetworkIsolation</b> Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured.</td>
<td>If you use both Group Policy and MDM to configure your <b>NetworkIsolation</b> settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM.</td>
</tr>
<tr>
<td>Cortana can potentially allow data leakage if its on the allowed apps list.</td>
@ -63,7 +63,7 @@ This table provides info about the most common problems you might encounter whil
<ul>
<li>Start the installer directly from the file share.<br><br>-OR-<br><br></li>
<li>Decrypt the locally copied files needed by the installer.<br><br>-OR-<br><br></li>
<li>Mark the file share with the installation media as “personal”. To do this, youll need to set the Enterprise IP ranges as <strong>Authoritative</strong> and then exclude the IP address of the file server, or youll need to put the file server on the Enterprise Proxy Server list.</li>
<li>Mark the file share with the installation media as “personal”. To do this, youll need to set the Enterprise IP ranges as <b>Authoritative</b> and then exclude the IP address of the file server, or youll need to put the file server on the Enterprise Proxy Server list.</li>
</ul></td>
</tr>
<tr>
@ -74,17 +74,17 @@ This table provides info about the most common problems you might encounter whil
<tr>
<td>Redirected folders with Client Side Caching are not compatible with WIP.</td>
<td>Apps might encounter access errors while attempting to read a cached, offline file.</td>
<td>Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.<br><br><strong>Note</strong><br>For more info about Work Folders and Offline Files, see the blog, <a href="https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/" data-raw-source="[Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/)">Work Folders and Offline Files support for Windows Information Protection</a>. If you&#39;re having trouble opening files offline while using Offline Files and WIP, see the support article, <a href="https://support.microsoft.com/kb/3187045" data-raw-source="[Can&#39;t open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/kb/3187045)">Can&#39;t open files offline when you use Offline Files and Windows Information Protection</a>.</td>
<td>Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.<br><br><b>Note</b><br>For more info about Work Folders and Offline Files, see the blog, <a href="https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/" data-raw-source="[Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/)">Work Folders and Offline Files support for Windows Information Protection</a>. If you&#39;re having trouble opening files offline while using Offline Files and WIP, see the support article, <a href="https://support.microsoft.com/kb/3187045" data-raw-source="[Can&#39;t open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/kb/3187045)">Can&#39;t open files offline when you use Offline Files and Windows Information Protection</a>.</td>
</tr>
<tr>
<td>An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device.</td>
<td><p>Data copied from the WIP-managed device is marked as <strong>Work</strong>.<p>Data copied to the WIP-managed device is not marked as <strong>Work</strong>.<p>Local <strong>Work</strong> data copied to the WIP-managed device remains <strong>Work</strong> data.<p><strong>Work</strong> data that is copied between two apps in the same session remains </strong> data.</td>
<td><p>Data copied from the WIP-managed device is marked as <b>Work</b>.<p>Data copied to the WIP-managed device is not marked as <b>Work</b>.<p>Local <b>Work</b> data copied to the WIP-managed device remains <b>Work</b> data.<p><b>Work</b> data that is copied between two apps in the same session remains </b> data.</td>
<td>Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default.</td>
</tr>
<tr>
<td>You can&#39;t upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.</td>
<td>A message appears stating that the content is marked as <strong>Work</strong> and the user isn&#39;t given an option to override to <strong>Personal</strong>.</td>
<td>Open File Explorer and change the file ownership to <strong>Personal</strong> before you upload.</td>
<td>A message appears stating that the content is marked as <b>Work</b> and the user isn&#39;t given an option to override to <b>Personal</b>.</td>
<td>Open File Explorer and change the file ownership to <b>Personal</b> before you upload.</td>
</tr>
<tr>
<td>ActiveX controls should be used with caution.</td>
@ -97,7 +97,7 @@ This table provides info about the most common problems you might encounter whil
<td>Format drive for NTFS, or use a different drive.</td>
</tr>
<tr>
<td>WIP isnt turned on if any of the following folders have the <strong>MakeFolderAvailableOfflineDisabled</strong> option set to <strong>False</strong>:
<td>WIP isnt turned on if any of the following folders have the <b>MakeFolderAvailableOfflineDisabled</b> option set to <b>False</b>:
<ul>
<li>AppDataRoaming</li>
<li>Desktop</li>
@ -115,7 +115,7 @@ This table provides info about the most common problems you might encounter whil
</ul>
</td>
<td>WIP isnt turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager.</td>
<td>Dont set the <strong>MakeFolderAvailableOfflineDisabled</strong> option to <strong>False</strong> for any of the specified folders. You can configure this parameter, as described <a href="https://docs.microsoft.com/windows-server/storage/folder-redirection/disable-offline-files-on-folders" data-raw-source="[here](https://docs.microsoft.com/windows-server/storage/folder-redirection/disable-offline-files-on-folders)">here</a>.<br><br>If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see <a href="https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection" data-raw-source="[Can&#39;t open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection)">Can&#39;t open files offline when you use Offline Files and Windows Information Protection</a>.
<td>Dont set the <b>MakeFolderAvailableOfflineDisabled</b> option to <b>False</b> for any of the specified folders. You can configure this parameter, as described <a href="https://docs.microsoft.com/windows-server/storage/folder-redirection/disable-offline-files-on-folders" data-raw-source="[here](https://docs.microsoft.com/windows-server/storage/folder-redirection/disable-offline-files-on-folders)">here</a>.<br><br>If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see <a href="https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection" data-raw-source="[Can&#39;t open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection)">Can&#39;t open files offline when you use Offline Files and Windows Information Protection</a>.
</td>
</tr>
<tr>
@ -143,7 +143,7 @@ This table provides info about the most common problems you might encounter whil
Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the “Open in app” button.</td>
</tr>
<tr>
<td>Microsoft Office Outlook offline data files (PST and OST files) are not marked as <strong>Work</strong> files, and are therefore not protected.
<td>Microsoft Office Outlook offline data files (PST and OST files) are not marked as <b>Work</b> files, and are therefore not protected.
</td>
<td>If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected.
</td>

56
windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md
View File

@ -39,30 +39,30 @@ You can try any of the processes included in these scenarios, but you should foc
</tr>
<tr>
<td>Encrypt and decrypt files using File Explorer.</td>
<td><strong>For desktop:</strong><br><br>
<td><b>For desktop:</b><br><br>
<ol>
<li>Open File Explorer, right-click a work document, and then click <strong>Work</strong> from the <strong>File Ownership</strong> menu.<br>Make sure the file is encrypted by right-clicking the file again, clicking <strong>Advanced</strong> from the <strong>General</strong> tab, and then clicking <strong>Details</strong> from the <strong>Compress or Encrypt attributes</strong> area. The file should show up under the heading, <strong>This enterprise domain can remove or revoke access:</strong> <em>&lt;your_enterprise_identity&gt;</em>. For example, contoso.com.</li>
<li>In File Explorer, right-click the same document, and then click <strong>Personal</strong> from the <strong>File Ownership</strong> menu.<br>Make sure the file is decrypted by right-clicking the file again, clicking <strong>Advanced</strong> from the <strong>General</strong> tab, and then verifying that the <strong>Details</strong> button is unavailable.</li>
<li>Open File Explorer, right-click a work document, and then click <b>Work</b> from the <b>File Ownership</b> menu.<br>Make sure the file is encrypted by right-clicking the file again, clicking <b>Advanced</b> from the <b>General</b> tab, and then clicking <b>Details</b> from the <b>Compress or Encrypt attributes</b> area. The file should show up under the heading, <b>This enterprise domain can remove or revoke access:</b> <em>&lt;your_enterprise_identity&gt;</em>. For example, contoso.com.</li>
<li>In File Explorer, right-click the same document, and then click <b>Personal</b> from the <b>File Ownership</b> menu.<br>Make sure the file is decrypted by right-clicking the file again, clicking <b>Advanced</b> from the <b>General</b> tab, and then verifying that the <b>Details</b> button is unavailable.</li>
</ol>
<strong>For mobile:</strong><br><br>
<b>For mobile:</b><br><br>
<ol>
<li>Open the File Explorer app, browse to a file location, click the elipsis (...), and then click <strong>Select</strong> to mark at least one file as work-related.</li>
<li>Click the elipsis (...) again, click <strong>File ownership</strong> from the drop down menu, and then click <strong>Work</strong>.<br>Make sure the file is encrypted, by locating the <strong>Briefcase</strong> icon next to the file name.</li>
<li>Select the same file, click <strong>File ownership</strong> from the drop down menu, and then click <strong>Personal</strong>.<br>Make sure the file is decrypted and that you&#39;re no longer seeing the <strong>Briefcase</strong> icon next to file name.</li>
<li>Open the File Explorer app, browse to a file location, click the elipsis (...), and then click <b>Select</b> to mark at least one file as work-related.</li>
<li>Click the elipsis (...) again, click <b>File ownership</b> from the drop down menu, and then click <b>Work</b>.<br>Make sure the file is encrypted, by locating the <b>Briefcase</b> icon next to the file name.</li>
<li>Select the same file, click <b>File ownership</b> from the drop down menu, and then click <b>Personal</b>.<br>Make sure the file is decrypted and that you&#39;re no longer seeing the <b>Briefcase</b> icon next to file name.</li>
</ol>
</td>
</tr>
<tr>
<td>Create work documents in enterprise-allowed apps.</td>
<td><strong>For desktop:</strong><br><br>
<td><b>For desktop:</b><br><br>
<ul>
<li>Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.<br>Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.<br><br><strong>Important</strong><br>Certain file types like <code>.exe</code> and <code>.dll</code>, along with certain file paths, such as <code>%windir%</code> and <code>%programfiles%</code> are excluded from automatic encryption.<br><br>For more info about your Enterprise Identity and adding apps to your allowed apps list, see either <a href="create-wip-policy-using-intune-azure.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)">Create a Windows Information Protection (WIP) policy using Microsoft Intune</a> or <a href="create-wip-policy-using-configmgr.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md)">Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager</a>, based on your deployment system.</li>
<li>Start an unenlightened but allowed app, such as a line-of-business app, and then create a new document, saving your changes.<br>Make sure the document is encrypted to your Enterprise Identity. This might take a few minutes and require you to close and re-open the file.<br><br><b>Important</b><br>Certain file types like <code>.exe</code> and <code>.dll</code>, along with certain file paths, such as <code>%windir%</code> and <code>%programfiles%</code> are excluded from automatic encryption.<br><br>For more info about your Enterprise Identity and adding apps to your allowed apps list, see either <a href="create-wip-policy-using-intune-azure.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune-azure.md)">Create a Windows Information Protection (WIP) policy using Microsoft Intune</a> or <a href="create-wip-policy-using-configmgr.md" data-raw-source="[Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md)">Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager</a>, based on your deployment system.</li>
</ul>
<strong>For mobile:</strong><br><br>
<b>For mobile:</b><br><br>
<ol>
<li>Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as <strong>Work</strong> to a local, work-related location.<br>Make sure the document is encrypted, by locating the <strong>Briefcase</strong> icon next to the file name.</li>
<li>Start an allowed mobile app, such as Word Mobile, create a new document, and then save your changes as <b>Work</b> to a local, work-related location.<br>Make sure the document is encrypted, by locating the <b>Briefcase</b> icon next to the file name.</li>
<li>Open the same document and attempt to save it to a non-work-related location.<br>WIP should stop you from saving the file to this location.</li>
<li>Open the same document one last time, make a change to the contents, and then save it again using the <strong>Personal</strong> option.<br>Make sure the file is decrypted and that you&#39;re no longer seeing the <strong>Briefcase</strong> icon next to file name.</li>
<li>Open the same document one last time, make a change to the contents, and then save it again using the <b>Personal</b> option.<br>Make sure the file is decrypted and that you&#39;re no longer seeing the <b>Briefcase</b> icon next to file name.</li>
</ol>
</td><br/> </tr>
<tr>
@ -70,7 +70,7 @@ You can try any of the processes included in these scenarios, but you should foc
<td>
<ol>
<li>Start an app that doesn&#39;t appear on your allowed apps list, and then try to open a work-encrypted file.<br>The app shouldn&#39;t be able to access the file.</li>
<li>Try double-clicking or tapping on the work-encrypted file.<br>If your default app association is an app not on your allowed apps list, you should get an <strong>Access Denied</strong> error message.</li>
<li>Try double-clicking or tapping on the work-encrypted file.<br>If your default app association is an app not on your allowed apps list, you should get an <b>Access Denied</b> error message.</li>
</ol>
</td>
</tr>
@ -78,9 +78,9 @@ You can try any of the processes included in these scenarios, but you should foc
<td>Copy and paste from enterprise apps to non-enterprise apps.</td>
<td>
<ol>
<li>Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn&#39;t appear on your allowed apps list.<br>You should see a WIP-related warning box, asking you to click either <strong>Change to personal</strong> or <strong>Keep at work</strong>.</li>
<li>Click <strong>Keep at work</strong>.<br>The content isn&#39;t pasted into the non-enterprise app.</li>
<li>Repeat Step 1, but this time click <strong>Change to personal</strong>, and try to paste the content again.<br>The content is pasted into the non-enterprise app.</li>
<li>Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn&#39;t appear on your allowed apps list.<br>You should see a WIP-related warning box, asking you to click either <b>Change to personal</b> or <b>Keep at work</b>.</li>
<li>Click <b>Keep at work</b>.<br>The content isn&#39;t pasted into the non-enterprise app.</li>
<li>Repeat Step 1, but this time click <b>Change to personal</b>, and try to paste the content again.<br>The content is pasted into the non-enterprise app.</li>
<li>Try copying and pasting content between apps on your allowed apps list.<br>The content should copy and paste between apps without any warning messages.</li>
</ol>
</td>
@ -89,9 +89,9 @@ You can try any of the processes included in these scenarios, but you should foc
<td>Drag and drop from enterprise apps to non-enterprise apps.</td>
<td>
<ol>
<li>Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn&#39;t appear on your allowed apps list.<br>You should see a WIP-related warning box, asking you to click either <strong>Keep at work</strong> or <strong>Change to personal</strong>.</li>
<li>Click <strong>Keep at work</strong>.<br>The content isn&#39;t dropped into the non-enterprise app.</li>
<li>Repeat Step 1, but this time click <strong>Change to personal</strong>, and try to drop the content again.<br>The content is dropped into the non-enterprise app.</li>
<li>Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn&#39;t appear on your allowed apps list.<br>You should see a WIP-related warning box, asking you to click either <b>Keep at work</b> or <b>Change to personal</b>.</li>
<li>Click <b>Keep at work</b>.<br>The content isn&#39;t dropped into the non-enterprise app.</li>
<li>Repeat Step 1, but this time click <b>Change to personal</b>, and try to drop the content again.<br>The content is dropped into the non-enterprise app.</li>
<li>Try dragging and dropping content between apps on your allowed apps list.<br>The content should move between the apps without any warning messages.</li>
</ol>
</td>
@ -100,9 +100,9 @@ You can try any of the processes included in these scenarios, but you should foc
<td>Share between enterprise apps and non-enterprise apps.</td>
<td>
<ol>
<li>Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn&#39;t appear on your allowed apps list, like Facebook.<br>You should see a WIP-related warning box, asking you to click either <strong>Keep at work</strong> or <strong>Change to personal</strong>.</li>
<li>Click <strong>Keep at work</strong>.<br>The content isn&#39;t shared into Facebook.</li>
<li>Repeat Step 1, but this time click <strong>Change to personal</strong>, and try to share the content again.<br>The content is shared into Facebook.</li>
<li>Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn&#39;t appear on your allowed apps list, like Facebook.<br>You should see a WIP-related warning box, asking you to click either <b>Keep at work</b> or <b>Change to personal</b>.</li>
<li>Click <b>Keep at work</b>.<br>The content isn&#39;t shared into Facebook.</li>
<li>Repeat Step 1, but this time click <b>Change to personal</b>, and try to share the content again.<br>The content is shared into Facebook.</li>
<li>Try sharing content between apps on your allowed apps list.<br>The content should share between the apps without any warning messages.</li>
</ol>
</td>
@ -112,8 +112,8 @@ You can try any of the processes included in these scenarios, but you should foc
<td>
<ol>
<li>Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.<br>Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.</li>
<li>Open File Explorer and make sure your modified files are appearing with a <strong>Lock</strong> icon.</li>
<li>Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.<br><br><strong>Note</strong><br>Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.<br><br>A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don&#39;t have access by default, but can be added to your allowed apps list.</li>
<li>Open File Explorer and make sure your modified files are appearing with a <b>Lock</b> icon.</li>
<li>Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.<br><br><b>Note</b><br>Most Windows-signed components like File Explorer (when running in the user's context), should have access to enterprise data.<br><br>A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don&#39;t have access by default, but can be added to your allowed apps list.</li>
</ol>
</td>
</tr>
@ -130,7 +130,7 @@ You can try any of the processes included in these scenarios, but you should foc
<td>Verify your shared files can use WIP.</td>
<td>
<ol>
<li>Download a file from a protected file share, making sure the file is encrypted by locating the <strong>Briefcase</strong> icon next to the file name.</li>
<li>Download a file from a protected file share, making sure the file is encrypted by locating the <b>Briefcase</b> icon next to the file name.</li>
<li>Open the same file, make a change, save it and then try to upload it back to the file share. Again, this should work without any warnings.</li>
<li>Open an app that doesn&#39;t appear on your allowed apps list and attempt to access a file on the WIP-enabled file share.<br>The app shouldn&#39;t be able to access the file share.</li>
</ol>
@ -142,7 +142,7 @@ You can try any of the processes included in these scenarios, but you should foc
<ol>
<li>Add both Internet Explorer 11 and Microsoft Edge to your allowed apps list.</li>
<li>Open SharePoint (or another cloud resource that&#39;s part of your policy) and access a WIP-enabled resource by using both IE11 and Microsoft Edge.<br>Both browsers should respect the enterprise and personal boundary.</li>
<li>Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.<br>IE11 shouldn&#39;t be able to access the sites.<br><br><strong>Note</strong><br>Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as <strong>Work</strong>.</li>
<li>Remove Internet Explorer 11 from your allowed app list and then try to access an intranet site or enterprise-related cloud resource.<br>IE11 shouldn&#39;t be able to access the sites.<br><br><b>Note</b><br>Any file downloaded from your work SharePoint site, or any other WIP-enabled cloud resource, is automatically marked as <b>Work</b>.</li>
</ol>
</td>
</tr>
@ -150,7 +150,7 @@ You can try any of the processes included in these scenarios, but you should foc
<td>Verify your Virtual Private Network (VPN) can be auto-triggered.</td>
<td>
<ol>
<li>Set up your VPN network to start based on the <strong>WIPModeID</strong> setting.<br>For specific info about how to do this, see the <a href="create-vpn-and-wip-policy-using-intune-azure.md" data-raw-source="[Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune-azure.md)">Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune</a> topic.</li>
<li>Set up your VPN network to start based on the <b>WIPModeID</b> setting.<br>For specific info about how to do this, see the <a href="create-vpn-and-wip-policy-using-intune-azure.md" data-raw-source="[Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune-azure.md)">Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune</a> topic.</li>
<li>Start an app from your allowed apps list.<br>The VPN network should automatically start.</li>
<li>Disconnect from your network and then start an app that isn&#39;t on your allowed apps list.<br>The VPN shouldn&#39;t start and the app shouldn&#39;t be able to access your enterprise network.</li>
</ol>
@ -160,7 +160,7 @@ You can try any of the processes included in these scenarios, but you should foc
<td>Unenroll client devices from WIP.</td>
<td>
<ul>
<li>Unenroll a device from WIP by going to <strong>Settings</strong>, click <strong>Accounts</strong>, click <strong>Work</strong>, click the name of the device you want to unenroll, and then click <strong>Remove</strong>.<br>The device should be removed and all of the enterprise content for that managed account should be gone.<br><br><strong>Important</strong><br>On desktop devices, the data isn&#39;t removed and can be recovered, so you must make sure the content is marked as <strong>Revoked</strong> and that access is denied for the employee. On mobile devices, the data is removed.</li>
<li>Unenroll a device from WIP by going to <b>Settings</b>, click <b>Accounts</b>, click <b>Work</b>, click the name of the device you want to unenroll, and then click <b>Remove</b>.<br>The device should be removed and all of the enterprise content for that managed account should be gone.<br><br><b>Important</b><br>On desktop devices, the data isn&#39;t removed and can be recovered, so you must make sure the content is marked as <b>Revoked</b> and that access is denied for the employee. On mobile devices, the data is removed.</li>
</ul>
</td>
</tr>