diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 331505d70d..7dc0ffb4eb 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -508,7 +508,7 @@ If this setting is true, the device account will be used for proxy authenticatio **Properties/ProxyServers** -Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This FQDN is a semi-colon separated list of server names, without any extra prefixes (for example, https://). +Added in KB4499162 for Windows 10, version 1703. Specifies hostnames of proxy servers to automatically provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names (FQDN), without any extra prefixes (for example, https://). - The data type is string. - Supported operation is Get and Replace. @@ -551,4 +551,4 @@ Primary key for authenticating with the workspace. ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file +[Configuration service provider reference](configuration-service-provider-reference.md) diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml index cbeb91ed35..35e59bd128 100644 --- a/windows/deployment/TOC.yml +++ b/windows/deployment/TOC.yml @@ -65,11 +65,11 @@ href: planning/features-lifecycle.md - name: Features we're no longer developing items: - - name: Windows 10 deprecated features + - name: Windows deprecated features href: planning/windows-10-deprecated-features.md - name: Features we removed items: - - name: Windows 10 features removed + - name: Windows features removed href: planning/windows-10-removed-features.md - name: Prepare 
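Review bot: the rewritten description in the -508 hunk of surfacehub-csp.md still does not say how the list is matched, and that is the security-relevant part of this setting: it says the device account's credentials are handed to the listed proxy servers automatically, before any user interaction, but not whether an entry must equal the proxy's FQDN exactly or also covers subdomains, i.e. which hosts can obtain the device account's credentials. Add one sentence after "without any extra prefixes (for example, https://)." that states the match rule and cautions to list only proxies the organization operates, since any host that matches an entry receives the credentials. In the TOC.yml hunk below it, the entries are renamed to "Windows deprecated features" and "Windows features removed" while the hrefs keep the windows-10-* file names; that is fine for link stability, but worth a comment so nobody "fixes" the file names later and breaks inbound links.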
diff --git a/windows/deployment/do/mcc-enterprise.md b/windows/deployment/do/mcc-enterprise.md index c64c10c317..6b83267846 100644 --- a/windows/deployment/do/mcc-enterprise.md +++ b/windows/deployment/do/mcc-enterprise.md 
@@ -24,7 +24,7 @@ ms.topic: article Microsoft Connected Cache (MCC) preview is a software-only caching solution that delivers Microsoft content within Enterprise networks. MCC can be deployed to as many physical servers or VMs as needed, and is managed from a cloud portal. Cache nodes are created in the cloud portal and are configured by applying a client policy using your management tool, such as [Intune](/mem/intune/). -MCC is a hybrid (a mix of on-prem and cloud resources) SaaS solution built as an Azure IoT Edge module; it's a Docker compatible Linux container that is deployed to your Windows devices. IoT Edge for Linux on Windows (EFLOW) was chosen because it's a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. +MCC is a hybrid (a mix of on-premises and cloud resources) SaaS solution built as an Azure IoT Edge module; it's a Docker compatible Linux container that is deployed to your Windows devices. IoT Edge for Linux on Windows (EFLOW) was chosen because it's a secure, reliable container management infrastructure. EFLOW is a Linux virtual machine, based on Microsoft's first party CBL-Mariner operating system. It’s built with the IoT Edge runtime and validated as a tier 1 supported environment for IoT Edge workloads. MCC will be a Linux IoT Edge module running on the Windows Host OS. Even though your MCC scenario isn't related to IoT, Azure IoT Edge is used as a more generic Linux container, deployment, and management infrastructure. The Azure IoT Edge runtime sits on your designated MCC device and performs management and communication operations. The runtime performs the following important functions to manage MCC on your edge device: 
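Review bot: the replacement line in the -24 hunk of mcc-enterprise.md still says the MCC container "is deployed to your Windows devices", while the following sentences in the same hunk explain that EFLOW is a Linux virtual machine on the Windows host and that MCC is a Linux IoT Edge module running inside it; say "deployed into the EFLOW VM on your Windows devices" so the trust boundary (container inside a Linux VM, not on the host OS directly) is clear to whoever has to threat-model it. "Secure, reliable container management infrastructure" is an unsupported marketing clause; either drop it or point at what makes it so.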
@@ -111,7 +111,7 @@ For questions regarding these instructions contact [msconnectedcache@microsoft.c As part of the MCC preview onboarding process an Azure subscription ID must be provided to Microsoft. > [!IMPORTANT] -> [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allow list for this preview. You will not be able to proceed if you skip this step. +> [Take this survey](https://aka.ms/MSConnectedCacheSignup) and provide your Azure subscription ID and contact information to be added to the allowlist for this preview. You will not be able to proceed if you skip this step. For information about creating or locating your subscription ID, see [Steps to obtain an Azure Subscription ID](#steps-to-obtain-an-azure-subscription-id). @@ -119,9 +119,9 @@ For information about creating or locating your subscription ID, see [Steps to o The MCC Azure management portal is used to create and manage MCC nodes. An Azure Subscription ID is used to grant access to the preview and to create the MCC resource in Azure and Cache nodes. -Once you take the survey above and the MCC team adds your subscription id to the allow list, you will be given a link to the Azure portal where you can create the resource described below. +Once you take the survey above and the MCC team adds your subscription ID to the allowlist, you will be given a link to the Azure portal where you can create the resource described below. -1. On the Azure Portal home page, choose **Create a resource**: +1. On the Azure portal home page, choose **Create a resource**: ![eMCC img02](images/emcc02.png) 2. Type **Microsoft Connected Cache** into the search box, and hit **Enter** to show search results. 
@@ -164,7 +164,7 @@ Once you take the survey above and the MCC team adds your subscription id to the ### Create an MCC node in Azure -Creating a MCC node is a multi-step process and the first step is to access the MCC private preview management portal. +Creating an MCC node is a multi-step process and the first step is to access the MCC private preview management portal. 1. After the successful resource creation click on the **Go to resource**. 2. Under **Cache Node Management** section on the leftmost panel, click on **Cache Nodes**. @@ -291,7 +291,7 @@ Files contained in the mccinstaller.zip file: 6. Choose where you would like to download, install, and store the virtual hard disk for EFLOW. You'll also be asked how much memory, storage, and cores you would like to allocate for the VM. In this example, we chose the default values for all prompts. -7. Follow the Azure Device Login link and sign into the Azure Portal. +7. Follow the Azure Device Login link and sign into the Azure portal. ![eMCC img17](images/emcc17.png) @@ -329,10 +329,10 @@ You should see MCC, edgeAgent, and edgeHub running. If you see edgeAgent or edge #### Verify server side -For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace \ with the IP address of the cache server. +For a validation of properly functioning MCC, execute the following command in the EFLOW VM or any device in the network. Replace with the IP address of the cache server. ```powershell -wget [http://\/mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com]() +wget [http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com] ``` A successful test result will look like this: 
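Review bot: the + lines of the -329 hunk lose the placeholder altogether: the sentence now reads "Replace with the IP address of the cache server." and the fenced command is `wget [http:///mscomtest/wuidt.gif?cacheHostOrigin=au.download.windowsupdate.com]`, so a reader has nothing to substitute. If the placeholder was written as a bare `<IP address>`, markdown treats it as an HTML tag and drops it; keep the escaped form the - line used (`\<IP address\>`) in the prose and use the same placeholder in the URL. Also drop the square brackets, which are left over from the removed `[...]()` link syntax; inside a code fence they would be passed to the command as part of the URI. The fence is tagged powershell, where `wget` is an alias for Invoke-WebRequest, but the text says to run the command "in the EFLOW VM or any device in the network", and the EFLOW VM is Linux; either tag the fence bash or show both forms.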
@@ -351,7 +351,7 @@ If the test fails, see the common issues section for more information. ### Intune (or other management software) configuration for MCC -Example of setting the cache host policy to the MCC’s IP address / FQDN: +For an Intune deployment, create a Configuration Profile and include the Cache Host eFlow IP Address or FQDN: ![eMCC img23](images/emcc23.png) @@ -382,7 +382,7 @@ sudo iotedge list​ ![eMCC img24](images/emcc24.png) -If edgeAgent and edgeHub containers are listed, but not “MCC”, you may view the status of the IoTEdge security manager using the command: +If edgeAgent and edgeHub containers are listed, but not “MCC”, you may view the status of the IoT Edge security manager using the command: ```bash sudo journalctl -u iotedge -f @@ -503,13 +503,13 @@ There are multiple methods that can be used to apply a policy to PCs that should You can either set your MCC IP address or FQDN using: 1. Registry Key in 1709 and higher - - [HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization]
+ [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization]
"DOCacheHost"=" " From an elevated command prompt: ``` - reg add "HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f + reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeliveryOptimization" /v DOCacheHost /t REG_SZ /d "10.137.187.38" /f ``` 2. MDM Path in 1809 or higher: @@ -541,4 +541,4 @@ To verify that the Delivery Optimization client can download content using MCC, ## Also see [Microsoft Connected Cache for ISPs](mcc-isp.md)
-[Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898) \ No newline at end of file +[Introducing Microsoft Connected Cache](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/introducing-microsoft-connected-cache-microsoft-s-cloud-managed/ba-p/963898) diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md index 051bc90e0d..e5b7464f6e 100644 --- a/windows/deployment/planning/windows-10-deprecated-features.md +++ b/windows/deployment/planning/windows-10-deprecated-features.md @@ -1,6 +1,7 @@ --- -title: Windows 10 features we're no longer developing -description: Review the list of features that are no longer being developed in Windows 10. +title: Deprecated features in Windows client +description: Review the list of features that Microsoft is no longer developing in Windows 10 and Windows 11. +ms.date: 07/21/2022 ms.prod: w10 ms.technology: windows ms.localizationpriority: medium 
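Review bot: in the -351 hunk of mcc-enterprise.md the new line writes "eFlow" where the rest of the page writes "EFLOW", and "Cache Host" would be clearer as the policy's real name, DOCacheHost, which the -503 hunk of the same file shows as the registry value and which is what the Intune profile has to populate. In the -503 hunk, the fragment `"DOCacheHost"=" "` as it appears here carries a single space as the value; pasted into a .reg file that sets a whitespace cache host, so make it an obvious, markdown-escaped placeholder such as `"DOCacheHost"="\<IP address or FQDN\>"`, and state that 10.137.187.38 in the `reg add` line is an example address. Un-doubling the backslashes inside the fence is correct (the fence would otherwise render them doubled); while touching it, tag the bare fence, e.g. `cmd`, to match the bash and powershell fences elsewhere on the page.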
@@ -12,27 +13,30 @@ ms.topic: article ms.collection: highpri --- -# Windows 10 features we're no longer developing +# Deprecated features for Windows client _Applies to:_ - Windows 10 +- Windows 11 -Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that are no longer being developed in Windows 10. For information about features that have been removed, see [Features we removed](windows-10-removed-features.md). +Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionalities that are no longer being developed in Windows client. For more information about features that have been removed, see [Windows features removed](windows-10-removed-features.md). -For information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3). +For more information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3). -The features described below are no longer being actively developed, and might be removed in a future update. Some features have been replaced with other features or functionality and some are now available from other sources. +To understand the distinction between _deprecation_ and _removal_, see [Windows client features lifecycle](features-lifecycle.md). + +The features in this article are no longer being actively developed, and might be removed in a future update. Some features have been replaced with other features or functionality and some are now available from other sources. 
**The following list is subject to change and might not include every affected feature or functionality.** > [!NOTE] > If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). -|Feature | Details and mitigation | Announced in version | +|Feature | Details and mitigation | Deprecation announced | | ----------- | --------------------- | ---- | -| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.**
Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows 10/11.
The following items might not be available in a future release of Windows client:
- ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**
- Command line parameter: [`manage-bde -DiscoveryVolumeType`](/windows-server/administration/windows-commands/manage-bde-on) (-dv)
- Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**
- BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 | -| Internet Explorer (IE) 11 | The IE11 desktop application will end support for certain operating systems starting June 15, 2022. For more information, see [Internet Explorer 11](/lifecycle/products/internet-explorer-11). | 21H1 | +| Windows Information Protection | [Windows Information Protection](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) will no longer be developed in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection (WIP)](https://go.microsoft.com/fwlink/?linkid=2202124).

For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). | July 2022 | +| BitLocker To Go Reader | **Note: BitLocker to Go as a feature is still supported.**
Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows client.
The following items might not be available in a future release of Windows client:
- ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**
- Command line parameter: [`manage-bde -DiscoveryVolumeType`](/windows-server/administration/windows-commands/manage-bde-on) (-dv)
- Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**
- BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 | | Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 | | Windows Management Instrumentation Command line (WMIC) tool. | The WMIC tool is deprecated in Windows 10, version 21H1 and the 21H1 General Availability Channel release of Windows Server. This tool is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation only applies to the [command-line management tool](/windows/win32/wmisdk/wmic). WMI itself isn't affected. | 21H1 | | Timeline | Starting in July 2021, if you have your activity history synced across your devices through your Microsoft account (MSA), you can't upload new activity in Timeline. For more information, see [Get help with timeline](https://support.microsoft.com/windows/get-help-with-timeline-febc28db-034c-d2b0-3bbe-79aa0c501039).| 20H2 | diff --git a/windows/deployment/planning/windows-10-removed-features.md b/windows/deployment/planning/windows-10-removed-features.md index baa2e8882e..4510e72618 100644 --- a/windows/deployment/planning/windows-10-removed-features.md +++ b/windows/deployment/planning/windows-10-removed-features.md @@ -1,6 +1,6 @@ --- -title: Windows 10 - Features that have been removed -description: In this article, learn about the features and functionality that has been removed or replaced in Windows 10. +title: Features and functionality removed in Windows client +description: In this article, learn about the features and functionality that have been removed or replaced in Windows client. ms.prod: w10 ms.localizationpriority: medium author: aczechowski 
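Review bot: the -12 hunk of windows-10-deprecated-features.md renames the last column to "Deprecation announced" and then adds a Windows Information Protection row whose value is "July 2022", while every other row (BitLocker To Go Reader, Personalization roaming, WMIC at 21H1, Timeline at 20H2) carries a Windows version, so the column now mixes calendar dates and release numbers. Either give the WIP row the version in which the deprecation takes effect alongside the date, or say in the header or a note that the column holds the date or version of the announcement. Removing the IE11 row here is consistent with the row moving to the removed-features table in the same patch. Minor: the WIP announcement link is an opaque fwlink (linkid=2202124) where the neighbouring rows link to the destination page directly.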
@@ -11,36 +11,44 @@ ms.custom: seo-marvel-apr2020 ms.collection: highpri --- -# Features and functionality removed in Windows 10 +# Features and functionality removed in Windows client -> Applies to: Windows 10 +_Applies to:_ -Each version of Windows 10 adds new features and functionality; occasionally we also remove features and functionality, often because we've added a better option. Below are the details about the features and functionalities that we removed in Windows 10. **The list below is subject to change and might not include every affected feature or functionality.** +- Windows 10 +- Windows 11 -For information about features that might be removed in a future release, see [Windows 10 features we’re no longer developing](windows-10-deprecated-features.md). +Each version of Windows client adds new features and functionality. Occasionally, new versions also remove features and functionality, often because they've added a newer option. This article provides details about the features and functionality that have been removed in Windows client. + +For more information about features that might be removed in a future release, see [Deprecated features for Windows client](windows-10-deprecated-features.md). > [!NOTE] -> Join the [Windows Insider program](https://insider.windows.com) to get early access to new Windows 10 builds and test these changes yourself. +> To get early access to new Windows builds and test these changes yourself, join the [Windows Insider program](https://insider.windows.com). -For information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3). +For more information about features in Windows 11, see [Feature deprecations and removals](https://www.microsoft.com/windows/windows-11-specifications#table3). -The following features and functionalities have been removed from the installed product image for Windows 10. 
Applications or code that depend on these features won't function in the release when it was removed, or in later releases. +To understand the distinction between _deprecation_ and _removal_, see [Windows client features lifecycle](features-lifecycle.md). -|Feature | Details and mitigation | Removed in version | +The following features and functionalities have been removed from the installed product image for Windows client. Applications or code that depend on these features won't function in the release when it was removed, or in later releases. + +**The following list is subject to change and might not include every affected feature or functionality.** + +|Feature | Details and mitigation | Support removed | | ----------- | --------------------- | ------ | +| Internet Explorer 11 | The Internet Explorer 11 desktop application is [retired and out of support](https://aka.ms/IEJune15Blog) as of June 15, 2022 for certain versions of Windows 10. You can still access older, legacy sites that require Internet Explorer with Internet Explorer mode in Microsoft Edge. [Learn how](https://aka.ms/IEmodewebsite). The Internet Explorer 11 desktop application will progressively redirect to the faster, more secure Microsoft Edge browser, and will ultimately be disabled via Windows Update. [Disable IE today](/deployedge/edge-ie-disable-ie11). | June 15, 2022 | | XDDM-based remote display driver | Support for Windows 2000 Display Driver Model (XDDM) based remote display drivers is removed in this release. Independent Software Vendors that use an XDDM-based remote display driver should plan a migration to the WDDM driver model. For more information on implementing remote display indirect display driver, see [Updates for IddCx versions 1.4 and later](/windows-hardware/drivers/display/iddcx1.4-updates). | 21H1 | |Microsoft Edge|The legacy version of Microsoft Edge is no longer supported after March 9, 2021. 
For more information, see [End of support reminder for Microsoft Edge Legacy](/lifecycle/announcements/edge-legacy-eos-details). | 21H1 | |MBAE service metadata|The MBAE app experience is replaced by an MO UWP app. Metadata for the MBAE service is removed. | 20H2 | -| Connect app | The **Connect** app for wireless projection using Miracast is no longer installed by default, but is available as an optional feature. To install the app, click on **Settings** > **Apps** > **Optional features** > **Add a feature** and then install the **Wireless Display** app. | 2004 | +| Connect app | The **Connect** app for wireless projection using Miracast is no longer installed by default, but is available as an optional feature. To install the app, select **Settings** > **Apps** > **Optional features** > **Add a feature**, and then install the **Wireless Display** app. | 2004 | | Rinna and Japanese Address suggestion | The Rinna and Japanese Address suggestion service for Microsoft Japanese Input Method Editor (IME) ended on August 13, 2020. For more information, see [Rinna and Japanese Address suggestion will no longer be offered](https://support.microsoft.com/help/4576767/windows-10-rinna-and-japanese-address-suggestion) | 2004 | | Cortana | Cortana has been updated and enhanced in the Windows 10 May 2020 Update. With [these changes](/windows/whats-new/whats-new-windows-10-version-2004#cortana), some previously available consumer skills such as music, connected home, and other non-Microsoft skills are no longer available. | 2004 | | Windows To Go | Windows To Go was announced as deprecated in Windows 10, version 1903 and is removed in this release. | 2004 | | Mobile Plans and Messaging apps | Both apps are still supported, but are now distributed in a different way. OEMs can now include these apps in Windows images for cellular enabled devices. 
The apps are removed for non-cellular devices.| 2004 | -| PNRP APIs| ​The Peer Name Resolution Protocol (PNRP) cloud service was removed in Windows 10, version 1809. We are planning to complete the removal process by removing the corresponding APIs. | 1909 | +| PNRP APIs| ​The Peer Name Resolution Protocol (PNRP) cloud service was removed in Windows 10, version 1809. We're planning to complete the removal process by removing the corresponding APIs. | 1909 | | Taskbar settings roaming | Roaming of taskbar settings is removed in this release. This feature was announced as no longer being developed in Windows 10, version 1903. | 1909 | -| Desktop messaging app doesn't offer messages sync | The messaging app on Desktop has a sync feature that can be used to sync SMS text messages received from Windows Mobile and keep a copy of them on the Desktop. The sync feature has been removed from all devices. Due to this change, you will only be able to access messages from the device that received the message. | 1903 | +| Desktop messaging app doesn't offer messages sync | The messaging app on Desktop has a sync feature that can be used to sync SMS text messages received from Windows Mobile and keep a copy of them on the Desktop. The sync feature has been removed from all devices. Due to this change, you'll only be able to access messages from the device that received the message. | 1903 | |Business Scanning, also called Distributed Scan Management (DSM)|We're removing this secure scanning and scanner management capability - there are no devices that support this feature.| 1809 | -|[FontSmoothing setting](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-visualeffects-fontsmoothing) in unattend.xml|The FontSmoothing setting let you specify the font antialiasing strategy to use across the system. We've changed Windows 10 to use [ClearType](/typography/cleartype/) by default, so we're removing this setting as it is no longer necessary. 
If you include this setting in the unattend.xml file, it'll be ignored.| 1809 | +|[FontSmoothing setting](/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-visualeffects-fontsmoothing) in unattend.xml|The FontSmoothing setting lets you specify the font antialiasing strategy to use across the system. We've changed Windows 10 to use [ClearType](/typography/cleartype/) by default, so we're removing this setting as it is no longer necessary. If you include this setting in the unattend.xml file, it will be ignored.| 1809 | |Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or HoloLens with the Mixed Reality Viewer.| 1809 | |limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.| 1809 | |Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. It includes all the Phone Companion features.| 1809 | 
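Review bot: the Internet Explorer 11 row added in the -11 hunk of windows-10-removed-features.md contradicts the table preamble that the same hunk keeps: "removed from the installed product image ... Applications or code that depend on these features won't function in the release when it was removed". The row itself says the desktop application is retired "for certain versions of Windows 10", "will progressively redirect" to Microsoft Edge and "will ultimately be disabled via Windows Update", and that IE mode in Edge still works, i.e. the feature is disabled on serviced installs rather than absent from the image, and its "Support removed" value is a date (June 15, 2022) where every other row has a version. Either qualify the preamble (e.g. "removed from the installed product image or disabled by a servicing update") and name the affected Windows 10 versions, or leave IE11 in the deprecated table until it is actually removed. Also confirm the two aka.ms links resolve to the retirement blog and IE-mode pages the row describes.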
@@ -48,7 +56,7 @@ The following features and functionalities have been removed from the installed |Groove Music Pass|[We ended the Groove streaming music service and music track sales through the Microsoft Store in 2017](https://support.microsoft.com/help/4046109/groove-music-and-spotify-faq). The Groove app is being updated to reflect this change. You can still use Groove Music to play the music on your PC. You can use Spotify or other music services to stream music on Windows 10, or to buy music to own.| 1803 | |People - Suggestions will no longer include unsaved contacts for non-Microsoft accounts|Manually save the contact details for people you send mail to or get mail from.| 1803 | |Language control in the Control Panel| Use the Settings app to change your language settings.| 1803 | -|HomeGroup|We are removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.

When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.

Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | 1803 | +|HomeGroup|We're removing [HomeGroup](https://support.microsoft.com/help/17145) but not your ability to share printers, files, and folders.

When you update to Windows 10, version 1803, you won't see HomeGroup in File Explorer, the Control Panel, or Troubleshoot (**Settings > Update & Security > Troubleshoot**). Any printers, files, and folders that you shared using HomeGroup **will continue to be shared**.

Instead of using HomeGroup, you can now share printers, files and folders by using features that are built into Windows 10:
- [Share your network printer](https://www.bing.com/search?q=share+printer+windows+10)
- [Share files in File Explorer](https://support.microsoft.com/help/4027674/windows-10-share-files-in-file-explorer) | 1803 | |**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).| 1803 | |XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.

However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](/windows/application-management/add-apps-and-features) or through [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| 1803 | |3D Builder app | No longer installed by default. Consider using Print 3D and Paint 3D in its place. However, 3D Builder is still available for download from the Windows Store.| 1709 | 
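Review bot: the HomeGroup row rewritten in the -48 hunk (only "We are" becomes "We're") still links "Share your network printer" to a Bing search query (https://www.bing.com/search?q=share+printer+windows+10) rather than to a support article, unlike the sibling "Share files in File Explorer" link in the same cell; since the row is being touched anyway, point it at the support.microsoft.com article on printer sharing so the link does not depend on search results.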
@@ -62,9 +70,9 @@ The following features and functionalities have been removed from the installed |TCP Offload Engine | Removing this legacy code. This functionality was previously transitioned to the Stack TCP Engine. For more information, see [Why Are We Deprecating Network Performance Features?](https://blogs.technet.microsoft.com/askpfeplat/2017/06/13/why-are-we-deprecating-network-performance-features-kb4014193)| 1709 | |Tile Data Layer |To be replaced by the Tile Store.| 1709 | |Resilient File System (ReFS) (added: August 17, 2017)| Creation ability will be available in the following editions only: Windows 10 Enterprise and Windows 10 Pro for Workstations. Creation ability will be removed from all other editions. All other editions will have Read and Write ability. | 1709 | -|By default, Flash autorun in Edge is turned off. | Use the Click-to-Run (C2R) option instead. (This setting can be changed by the user.) | 1703 | +|By default, Flash autorun in Microsoft Edge is turned off. | Use the Click-to-Run (C2R) option instead. (This setting can be changed by the user.) | 1703 | |Interactive Service Detection Service| See [Interactive Services](/windows/win32/services/interactive-services) for guidance on how to keep software up to date. | 1703 | -|Microsoft Paint | This application will not be available for languages that are not on the [full localization list](https://www.microsoft.com/windows/windows-10-specifications#Windows-10-localization). | 1703 | +|Microsoft Paint | This application won't be available for languages that aren't on the [full localization list](https://www.microsoft.com/windows/windows-10-specifications#Windows-10-localization). | 1703 | |NPN support in TLS | This feature is superseded by Application-Layer Protocol Negotiation (ALPN). | 1703 | |Windows Information Protection "AllowUserDecryption" policy | Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported. 
| 1703 | |WSUS for Windows Mobile | Updates are being transitioned to the new Unified Update Platform (UUP) | 1703 | diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 2871ffa4fd..3c1cbaf40d 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml 
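Review bot: in the -62 hunk of windows-10-removed-features.md, expanding "Flash autorun in Edge" to "Flash autorun in Microsoft Edge" in a row dated 1703 makes it read as the current browser, yet this table's own "Microsoft Edge" row (21H1) is about the legacy version being retired after March 9, 2021; write "Microsoft Edge Legacy" (the name the lifecycle link in that row uses) so the two rows are not read as the same product. Separately, the unchanged "Windows Information Protection "AllowUserDecryption" policy" row and the new WIP deprecation row in the deprecated-features file should cross-link so a reader who lands on one finds the other.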
@@ -219,25 +219,25 @@ - name: Create a WIP policy using Microsoft Intune href: information-protection/windows-information-protection/overview-create-wip-policy.md items: - - name: Create a WIP policy with MDM using the Azure portal for Microsoft Intune + - name: Create a WIP policy in Microsoft Intune href: information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md items: - - name: Deploy your WIP policy using the Azure portal for Microsoft Intune + - name: Deploy your WIP policy in Microsoft Intune href: information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md - - name: Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune + - name: Associate and deploy a VPN policy for WIP in Microsoft Intune href: information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md - name: Create and verify an EFS Data Recovery Agent (DRA) certificate href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md - - name: Determine the Enterprise Context of an app running in WIP + - name: Determine the enterprise context of an app running in WIP href: information-protection/windows-information-protection/wip-app-enterprise-context.md - name: Create a WIP policy using Microsoft Endpoint Configuration Manager href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md items: - - name: Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager + - name: Create and deploy a WIP policy in Configuration Manager href: information-protection/windows-information-protection/create-wip-policy-using-configmgr.md - name: Create and verify an EFS Data Recovery Agent (DRA) certificate href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md - - name: Determine the Enterprise Context of an app running in WIP + - 
name: Determine the enterprise context of an app running in WIP href: information-protection/windows-information-protection/wip-app-enterprise-context.md - name: Mandatory tasks and settings required to turn on WIP href: information-protection/windows-information-protection/mandatory-settings-for-wip.md @@ -260,6 +260,8 @@ href: information-protection/windows-information-protection/using-owa-with-wip.md - name: Fine-tune WIP Learning href: information-protection/windows-information-protection/wip-learning.md + - name: Disable WIP + href: information-protection/windows-information-protection/how-to-disable-wip.md - name: Application security items: - name: Overview diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md index c38b18d8a2..deba83abae 100644 --- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md +++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md @@ -75,7 +75,7 @@ The following table lists the MDM policy settings that you can configure for Win |UsePassportForWork|Device or user|True|

True: Windows Hello for Business will be provisioned for all users on the device.

False: Users will not be able to provision Windows Hello for Business.

**Note:** If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but will not be able to set up Windows Hello for Business on other devices
| |RequireSecurityDevice|Device or user|False|

True: Windows Hello for Business will only be provisioned using TPM.

False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.| |ExcludeSecurityDevice

TPM12|Device|False|Added in Windows 10, version 1703

True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business.

False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.| -|EnablePinRecovery|Device or use|False|

Added in Windows 10, version 1703

True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.

False: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).| +|EnablePinRecovery|Device or use|False|

Added in Windows 10, version 1703

True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset.

False: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service. For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).| ### Biometrics @@ -93,7 +93,7 @@ The following table lists the MDM policy settings that you can configure for Win |Special characters|Device or user|2|
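Review bot: the `+|EnablePinRecovery|Device or use|False|` line in the hello-manage-in-organization.md @@ -75 hunk keeps the typo "Device or use" from the `-` line while only inserting a space before "For more information"; every other row in the table reads "Device or user", so fix the scope cell in the same line rather than leaving it for a later pass.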

0: Special characters are allowed.

1: At least one special character is required.

2: Special characters are not allowed.| |Uppercase letters|Device or user|2|

0: Uppercase letters are allowed.

1: At least one uppercase letter is required.

2: Uppercase letters are not allowed.| |Maximum PIN length |Device or user|127 |

Maximum length that can be set is 127. Maximum length cannot be less than minimum setting.| -|Minimum PIN length|Device or user|4|

Minimum length that can be set is 4. Minimum length cannot be greater than maximum setting.| +|Minimum PIN length|Device or user|6|

Minimum length that can be set is 6. Minimum length cannot be greater than maximum setting.| |Expiration |Device or user|0|

Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.| |History|Device or user|0|

Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.| @@ -114,7 +114,7 @@ Policies for Windows Hello for Business are enforced using the following hierarc Feature enablement policy and certificate trust policy are grouped together and enforced from the same source (either GP or MDM), based on the rule above. The Use Passport for Work policy is used to determine the winning policy source. -All PIN complexity policies, are grouped separately from feature enablement and are enforced from a single policy source. Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies are enforced on a per policy basis. +All PIN complexity policies are grouped separately from feature enablement and are enforced from a single policy source. Use a hardware security device and RequireSecurityDevice enforcement are also grouped together with PIN complexity policy. Conflict resolution for other Windows Hello for Business policies are enforced on a per policy basis. >[!NOTE] > Windows Hello for Business policy conflict resolution logic does not respect the ControlPolicyConflict/MDMWinsOverGP policy in the Policy CSP. diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md index 2efb2617f3..34d9f772e4 100644 --- a/windows/security/identity-protection/vpn/vpn-security-features.md +++ b/windows/security/identity-protection/vpn/vpn-security-features.md 
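Review bot: the @@ -93 hunk in hello-manage-in-organization.md moves the Minimum PIN length default from 4 to 6 and also rewrites the description to "Minimum length that can be set is 6", so the floor and the default change together in one edit. If only the default moved, the description should still state the lowest settable value; either way, the corresponding PIN complexity entries in the CSP reference and the Group Policy page in this repo should be updated in the same PR so the pages agree. The Maximum PIN length row ("Maximum length cannot be less than minimum setting") still reads correctly with either value.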
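Review bot: the @@ -114 hunk only removes a stray comma in "All PIN complexity policies, are grouped"; the last sentence of the same `+` line, "Conflict resolution for other Windows Hello for Business policies are enforced on a per policy basis", still has a subject/verb mismatch and should read "is enforced on a per-policy basis" while the line is being touched.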
@@ -1,10 +1,10 @@ --- -title: VPN security features (Windows 10 and Windows 11) +title: VPN security features description: Learn about security features for VPN, including LockDown VPN, Windows Information Protection integration with VPN, and traffic filters. ms.prod: m365-security author: dansimp ms.localizationpriority: medium -ms.date: 09/03/2021 +ms.date: 07/21/2022 ms.reviewer: manager: dansimp ms.author: dansimp @@ -17,6 +17,12 @@ ms.author: dansimp - Windows 11 +## Hyper-V based containers and VPN + +Windows supports different kinds of Hyper-V based containers. This support includes, but isn't limited to, Microsoft Defender Application Guard and Windows Sandbox. When you use 3rd party VPN solutions, these Hyper-V based containers may not be able to seamlessly connect to the internet. Additional configurational changes might be needed to resolve connectivity issues. + +For example, for more information on a workaround for Cisco AnyConnect VPN, see [Cisco AnyConnect Secure Mobility Client Administrator Guide: Connectivity issues with VM-based subsystems](https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/troubleshoot-anyconnect.html#Cisco_Task_in_List_GUI.dita_3a9a8101-f034-4e9b-b24a-486ee47b5e9f). + ## Windows Information Protection (WIP) integration with VPN Windows Information Protection provides capabilities allowing the separation and protection of enterprise data against disclosure across both company and personally owned devices, without requiring additional changes to the environments or the apps themselves. Additionally, when used with Rights Management Services (RMS), WIP can help to protect enterprise data locally. 
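Review bot: in the new "Hyper-V based containers and VPN" section of vpn-security-features.md, "3rd party VPN solutions" should be "third-party VPN solutions" and "Additional configurational changes" should be "Additional configuration changes". The section says these containers "may not be able to seamlessly connect to the internet" without saying why; one clause naming the cause would let readers recognise the symptom before they follow the vendor workaround. The Cisco link ends in a generated DITA task fragment in the URL, which is likely to break when that guide is republished; consider linking to the "Connectivity issues with VM-based subsystems" section by a stable page URL or dropping the fragment.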
@@ -85,4 +91,4 @@ Deploy this feature with caution, as the resultant connection will not be able t - [VPN and conditional access](vpn-conditional-access.md) - [VPN name resolution](vpn-name-resolution.md) - [VPN auto-triggered profile options](vpn-auto-trigger-profile.md) -- [VPN profile options](vpn-profile-options.md) \ No newline at end of file +- [VPN profile options](vpn-profile-options.md) diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md index 3f1a5747a9..d382f10da0 100644 --- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md +++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md 
@@ -1,22 +1,26 @@ --- -title: Make & verify an EFS Data Recovery Agent certificate (Windows 10) -description: Follow these steps to create, verify, and perform a quick recovery by using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. +title: Create an EFS Data Recovery Agent certificate +description: Follow these steps to create, verify, and perform a quick recovery by using an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp +author: aczechowski +ms.author: aaroncz +manager: dougeby +ms.reviewer: rafals ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 03/05/2019 -ms.reviewer: +ms.topic: how-to +ms.date: 07/15/2022 --- # Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate -**Applies to:** +[!INCLUDE [Deprecate Windows Information Protection](includes/wip-deprecation.md)] + -- Windows 10, version 1607 and later +_Applies to:_ + +- Windows 10 +- Windows 11 If you don't already have an EFS DRA certificate, you'll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we'll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you. 
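Review bot: the _Applies to:_ change in create-and-verify-an-efs-dra-certificate.md drops the "Windows 10, version 1607 and later" floor in favour of bare "Windows 10" and "Windows 11", yet the body still says "Starting with Windows 10, version 1709, WIP includes a data recovery feature" (context of the @@ -123 hunk), so version-specific behaviour remains on the page. Keep the minimum version in the list, or state it next to the deprecation include. The include `[!INCLUDE [Deprecate Windows Information Protection](includes/wip-deprecation.md)]` is not part of this diff; confirm the file lands in the same PR or the page will fail to build. The metadata title "Create an EFS Data Recovery Agent certificate" also drops "verify" while the H1 and description still cover verification.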
@@ -123,7 +127,7 @@ Starting with Windows 10, version 1709, WIP includes a data recovery feature tha To help make sure employees can always access files, WIP creates an auto-recovery key that's backed up to their Azure Active Directory (Azure AD) identity. -The employee experience is based on sign in with an Azure AD work account. The employee can either: +The employee experience is based on signing in with an Azure AD work account. The employee can either: - Add a work account through the **Windows Settings > Accounts > Access work or school > Connect** menu. @@ -159,7 +163,3 @@ After signing in, the necessary WIP key info is automatically downloaded and emp - [Create a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](create-wip-policy-using-configmgr.md) - [Creating a Domain-Based Recovery Agent](/previous-versions/tn-archive/cc875821(v=technet.10)#EJAA) - - ->[!Note] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to this article](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md index 0c4214d344..87e2aed9c2 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md 
@@ -1,24 +1,28 @@ --- -title: Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Manager (Windows 10) -description: Use Configuration Manager to make & deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data. -ms.reviewer: +title: Create and deploy a WIP policy in Configuration Manager +description: Use Microsoft Endpoint Configuration Manager to create and deploy a Windows Information Protection (WIP) policy. Choose protected apps, WIP-protection level, and find enterprise data. ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp +author: aczechowski +ms.author: aaroncz +manager: dougeby +ms.reviewer: rafals ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 01/09/2020 +ms.topic: how-to +ms.date: 07/15/2022 --- -# Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager -**Applies to:** +# Create and deploy a Windows Information Protection policy in Configuration Manager -- Windows 10, version 1607 and later -- Microsoft Endpoint Configuration Manager +[!INCLUDE [Deprecate Windows Information Protection](includes/wip-deprecation.md)] + -Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. +_Applies to:_ + +- Windows 10 +- Windows 11 + +Microsoft Endpoint Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy. You can choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network. ## Add a WIP policy After you've installed and set up Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy. 
@@ -28,18 +32,18 @@ After you've installed and set up Configuration Manager for your organization, y **To create a configuration item for WIP** -1. Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. +1. Open the Configuration Manager console, select the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. ![Configuration Manager, Configuration Items screen.](images/wip-configmgr-addpolicy.png) -2. Click the **Create Configuration Item** button.

+2. Select the **Create Configuration Item** button.

The **Create Configuration Item Wizard** starts. ![Create Configuration Item wizard, define the configuration item and choose the configuration type.](images/wip-configmgr-generalscreen.png) 3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. -4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then click **Next**. +4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use Configuration Manager for device management, and then select **Next**. - **Settings for devices managed with the Configuration Manager client:** Windows 10 @@ -47,11 +51,11 @@ The **Create Configuration Item Wizard** starts. - **Settings for devices managed without the Configuration Manager client:** Windows 8.1 and Windows 10 -5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**. +5. On the **Supported Platforms** screen, select the **Windows 10** box, and then select **Next**. ![Create Configuration Item wizard, choose the supported platforms for the policy.](images/wip-configmgr-supportedplat.png) -6. On the **Device Settings** screen, click **Windows Information Protection**, and then click **Next**. +6. On the **Device Settings** screen, select **Windows Information Protection**, and then select **Next**. ![Create Configuration Item wizard, choose the Windows Information Protection settings.](images/wip-configmgr-devicesettings.png) @@ -71,7 +75,7 @@ For this example, we're going to add Microsoft OneNote, a store app, to the **Ap **To add a store app** -1. From the **App rules** area, click **Add**. +1. From the **App rules** area, select **Add**. The **Add app rule** box appears. 
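Review bot: create-wip-policy-using-configmgr.md now lists Windows 11 under _Applies to:_ (@@ -1 hunk), but step 4 still offers only "Settings for devices managed with the Configuration Manager client: Windows 10" and step 5 in the @@ -47 hunk still says "On the Supported Platforms screen, select the Windows 10 box". Either note that the Windows 10 platform choice is what covers Windows 11 clients, if that is how the wizard behaves, or update the steps; as written the prerequisites and the procedure disagree.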
@@ -79,7 +83,7 @@ For this example, we're going to add Microsoft OneNote, a store app, to the **Ap 2. Add a friendly name for your app into the **Title** box. In this example, it's *Microsoft OneNote*. -3. Click **Allow** from the **Windows Information Protection mode** drop-down list. +3. Select **Allow** from the **Windows Information Protection mode** drop-down list. Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section. @@ -87,7 +91,7 @@ For this example, we're going to add Microsoft OneNote, a store app, to the **Ap The box changes to show the store app rule options. -5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. +5. Type the name of the app and the name of its publisher, and then select **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`. If you don't know the publisher or product name, you can find them for both desktop devices by following these steps. @@ -131,7 +135,7 @@ For this example, we're going to add Internet Explorer, a desktop app, to the ** **To add a desktop app to your policy** -1. From the **App rules** area, click **Add**. +1. From the **App rules** area, select **Add**. The **Add app rule** box appears. 
@@ -139,7 +143,7 @@ For this example, we're going to add Internet Explorer, a desktop app, to the ** 2. Add a friendly name for your app into the **Title** box. In this example, it's *Internet Explorer*. -3. Click **Allow** from the **Windows Information Protection mode** drop-down list. +3. Select **Allow** from the **Windows Information Protection mode** drop-down list. Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section. 
@@ -147,15 +151,15 @@ For this example, we're going to add Internet Explorer, a desktop app, to the ** The box changes to show the desktop app rule options. -5. Pick the options you want to include for the app rule (see table), and then click **OK**. +5. Pick the options you want to include for the app rule (see table), and then select **OK**. |Option|Manages| |--- |--- | |All fields left as "*"|All files signed by any publisher. (Not recommended.)| - |**Publisher** selected|All files signed by the named publisher.This might be useful if your company is the publisher and signer of internal line-of-business apps.| + |**Publisher** selected|All files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps.| |**Publisher** and **Product Name** selected|All files for the specified product, signed by the named publisher.| |**Publisher**, **Product Name**, and **Binary name** selected|Any version of the named file or package for the specified product, signed by the named publisher.| - |**Publisher**, **Product Name**, **Binary name**, and **File Version, and above**, selected|Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.This option is recommended for enlightened apps that weren't previously enlightened.| + |**Publisher**, **Product Name**, **Binary name**, and **File Version, and above**, selected|Specified version or newer releases of the named file or package for the specified product, signed by the named publisher. 
This option is recommended for enlightened apps that weren't previously enlightened.| |**Publisher**, **Product Name**, **Binary name**, and **File Version, And below** selected|Specified version or older releases of the named file or package for the specified product, signed by the named publisher.| |**Publisher**, **Product Name**, **Binary name**, and **File Version, Exactly** selected|Specified version of the named file or package for the specified product, signed by the named publisher.| 
@@ -185,31 +189,31 @@ For this example, we're going to add an AppLocker XML file to the **App Rules** 1. Open the Local Security Policy snap-in (SecPol.msc). -2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**. +2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then select **Packaged App Rules**. ![Local security snap-in, showing the Packaged app Rules.](images/intune-local-security-snapin.png) -3. Right-click in the right-hand pane, and then click **Create New Rule**. +3. Right-click in the right-hand pane, and then select **Create New Rule**. The **Create Packaged app Rules** wizard appears. -4. On the **Before You Begin** page, click **Next**. +4. On the **Before You Begin** page, select **Next**. ![Create a Packaged app Rules wizard and showing the Before You Begin page.](images/intune-applocker-before-begin.png) -5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**. +5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then select **Next**. ![Create Packaged app Rules wizard, set action to Allow.](images/intune-applocker-permissions.png) -6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area. +6. On the **Publisher** page, select **Select** from the **Use an installed packaged app as a reference** area. ![Create Packaged app Rules wizard, select use an installed packaged app.](images/intune-applocker-publisher.png) -7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we're using Microsoft Photos. +7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then select **OK**. 
For this example, we're using Microsoft Photos. ![Create Packaged app Rules wizard, select application and click ok.](images/intune-applocker-select-apps.png) -8. On the updated **Publisher** page, click **Create**. +8. On the updated **Publisher** page, select **Create**. ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page.](images/intune-applocker-publisher-with-app.png) @@ -217,15 +221,15 @@ For this example, we're going to add an AppLocker XML file to the **App Rules** ![Local security snap-in, showing the new rule.](images/intune-local-security-snapin-updated.png) -10. In the left pane, right-click on **AppLocker**, and then click **Export policy**. +10. In the left pane, right-click on **AppLocker**, and then select **Export policy**. The **Export policy** box opens, letting you export and save your new policy as XML. ![Local security snap-in, showing the Export Policy option.](images/intune-local-security-export.png) -11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**. +11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then select **Save**. - The policy is saved and you'll see a message that says 1 rule was exported from the policy. + The policy is saved and you'll see a message that says one rule was exported from the policy. **Example XML file**
This is the XML file that AppLocker creates for Microsoft Photos. @@ -251,7 +255,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules** **To import your Applocker policy file app rule using Configuration Manager** -1. From the **App rules** area, click **Add**. +1. From the **App rules** area, select **Add**. The **Add app rule** box appears. @@ -259,7 +263,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules** 2. Add a friendly name for your app into the **Title** box. In this example, it's *Allowed app list*. -3. Click **Allow** from the **Windows Information Protection mode** drop-down list. +3. Select **Allow** from the **Windows Information Protection mode** drop-down list. Allow turns on WIP, helping to protect that app's corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section. @@ -267,7 +271,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules** The box changes to let you import your AppLocker XML policy file. -5. Click the ellipsis (...) to browse for your AppLocker XML file, click **Open**, and then click **OK** to close the **Add app rule** box. +5. Select the ellipsis (...) to browse for your AppLocker XML file, select **Open**, and then select **OK** to close the **Add app rule** box. The file is imported and the apps are added to your **App Rules** list. 
@@ -276,25 +280,25 @@ If you're running into compatibility issues where your app is incompatible with **To exempt a store app, a desktop app, or an AppLocker policy file app rule** -1. From the **App rules** area, click **Add**. +1. From the **App rules** area, select **Add**. The **Add app rule** box appears. 2. Add a friendly name for your app into the **Title** box. In this example, it's *Exempt apps list*. -3. Click **Exempt** from the **Windows Information Protection mode** drop-down list. +3. Select **Exempt** from the **Windows Information Protection mode** drop-down list. - Be aware that when you exempt apps, they're allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see [Add app rules to your policy](#add-app-rules-to-your-policy) in this article. + When you exempt apps, they're allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see [Add app rules to your policy](#add-app-rules-to-your-policy) in this article. 4. Fill out the rest of the app rule info, based on the type of rule you're adding: - - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic. + - **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this article. - - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic. + - **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this article. 
- - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps. + - **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this article, using a list of exempted apps. -5. Click **OK**. +5. Select **OK**. ## Manage the WIP-protection level for your enterprise data After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode. @@ -308,15 +312,15 @@ We recommend that you start with **Silent** or **Override** while verifying with |-----|------------| |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| |Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. | -|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would've been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| -|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on.| +|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would have been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.| +|Off |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on. For more information, see [How to disable Windows Information Protection](how-to-disable-wip.md).| :::image type="content" alt-text="Create Configuration Item wizard, choose your WIP-protection level" source="images/wip-configmgr-appmgmt.png"::: ## Define your enterprise-managed identity domains Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you've marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. -You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list. +You can specify multiple domains owned by your enterprise by separating them with the `|` character. For example, `contoso.com|newcontoso.com`. With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list. **To add your corporate identity** @@ -333,7 +337,7 @@ There are no default locations included with WIP, you must add each of your netw >Every WIP policy should include policy that defines your enterprise network locations.
>Classless Inter-Domain Routing (CIDR) notation isn't supported for WIP configurations. -**To define where your protected apps can find and send enterprise data on you network** +**To define where your protected apps can find and send enterprise data on your network** 1. Add additional network locations your apps can access by clicking **Add**. @@ -345,7 +349,7 @@ There are no default locations included with WIP, you must add each of your netw - **Enterprise Cloud Resources**: Specify the cloud resources to be treated as corporate and protected by WIP. - For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise. + For each cloud resource, you may also optionally specify a proxy server from your internal proxy servers list to route traffic for this cloud resource. All traffic routed through your internal proxy servers is considered enterprise. If you have multiple resources, you must separate them using the `|` delimiter. If you don't use proxy servers, you must also include the `,` delimiter just before the `|`. For example: URL `<,proxy>|URL <,proxy>`. 
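Review bot: in the @@ -276 hunk of create-wip-policy-using-configmgr.md, replacing "Be aware that when you exempt apps, they're allowed to bypass the WIP restrictions and access your corporate data" with a plain "When you exempt apps, they're allowed to bypass the WIP restrictions" turns the one security caveat in the exemption procedure into a neutral statement. An exempt app reads enterprise data with no WIP enforcement, so keep the warning visible: the page already uses `>[!Important]` callouts in the network locations section, and the same callout fits here.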
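Review bot: in the @@ -345 hunk the format example for Enterprise Cloud Resources is rendered as "URL `<,proxy>|URL <,proxy>`", with the opening backtick after the first "URL", so the first resource falls outside the code span and the `<,proxy>` angle brackets in the unformatted part can be read as markup. Wrap the whole pattern `URL <,proxy>|URL <,proxy>` in one code span, and match it in the @@ -358 Important note, which carries the same example with no code formatting at all.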
@@ -358,7 +362,7 @@ There are no default locations included with WIP, you must add each of your netw >[!Important] > In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/. - - **Enterprise Network Domain Names (Required)**: Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. + - **Enterprise Network Domain Names (Required)**: Specify the DNS suffixes used in your environment. All traffic to the fully qualified domains appearing in this list will be protected. This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks. @@ -408,7 +412,7 @@ There are no default locations included with WIP, you must add each of your netw **Format examples**: `sts.contoso.com,sts.contoso2.com` -3. Add as many locations as you need, and then click **OK**. +3. Add as many locations as you need, and then select **OK**. The **Add or edit corporate network definition** box closes. 
@@ -416,13 +420,13 @@ There are no default locations included with WIP, you must add each of your netw :::image type="content" alt-text="Create Configuration Item wizard, Add whether to search for additional network settings" source="images/wip-configmgr-optsettings.png"::: - - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option. + - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Select this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network. Not configured is the default option. - - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option. + - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Select this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network. Not configured is the default option. 
- - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option. + - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware on corporate files in the File Explorer.** Select this box if you want the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but allowed apps, the icon overlay also appears on the app tile and with *Managed* text on the app name in the **Start** menu. Not configured is the default option. -5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy. +5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, select **Browse** to add a data recovery certificate for your policy. ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate.](images/wip-configmgr-dra.png) 
@@ -452,27 +456,26 @@ After you've decided where your protected apps can access enterprise data on you - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Create a WIP policy using Intune](create-wip-policy-using-intune-azure.md). To confirm what templates your tenant has, run [Get-AadrmTemplate](/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](/azure/information-protection/administer-powershell). If you don't specify a template, WIP uses a key from a default RMS template that everyone in the tenant will have access to. -2. After you pick all of the settings you want to include, click **Summary**. +2. After you pick all of the settings you want to include, select **Summary**. ## Review your configuration choices in the Summary screen After you've finished configuring your policy, you can review all of your info on the **Summary** screen. **To view the Summary screen** -- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy. +- Select the **Summary** button to review your policy choices, and then select **Next** to finish and to save your policy. ![Create Configuration Item wizard, Summary screen for all of your policy choices.](images/wip-configmgr-summaryscreen.png) - A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page. + A progress bar appears, showing you progress for your policy. After it's done, select **Close** to return to the **Configuration Items** page. ## Deploy the WIP policy -After you've created your WIP policy, you'll need to deploy it to your organization's devices. 
For info about your deployment options, see these topics: -- [Operations and Maintenance for Compliance Settings in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg699357(v=technet.10)) +After you've created your WIP policy, you'll need to deploy it to your organization's devices. For more information about your deployment options, see the following articles: -- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/gg712268(v=technet.10)) +- [Create configuration baselines in Configuration Manager](/mem/configmgr/compliance/deploy-use/create-configuration-baselines) -- [How to Deploy Configuration Baselines in Configuration Manager](/previous-versions/system-center/system-center-2012-R2/hh219289(v=technet.10)) +- [How to deploy configuration baselines in Configuration Manager](/mem/configmgr/compliance/deploy-use/deploy-configuration-baselines) -## Related topics +## Related articles - [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 39ff0696bb..06970b38c5 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md 
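Review bot: In the `@@ -452,27 +456,26 @@` hunk's **Deploy the WIP policy** section, the rewritten list drops the *Operations and Maintenance for Compliance Settings in Configuration Manager* link without a replacement, while the other two `previous-versions` links are migrated to their `/mem/configmgr/compliance/deploy-use/` equivalents. If no current article covers that topic the removal is fine, but otherwise add the current equivalent so the deployment references stay complete. The `## Related topics` to `## Related articles` rename matches the rest of the PR.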
@@ -1,21 +1,25 @@ --- -title: Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune (Windows 10) -description: Learn how to use the Azure portal for Microsoft Intune to create and deploy your Windows Information Protection (WIP) policy to protect data on your network. +title: Create a WIP policy in Intune +description: Learn how to use the Microsoft Endpoint Manager admin center to create and deploy your Windows Information Protection (WIP) policy to protect data on your network. ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: aczechowski +ms.author: aaroncz +manager: dougeby +ms.reviewer: rafals ms.collection: M365-security-compliance -ms.topic: conceptual -ms.date: 05/13/2019 -ms.reviewer: +ms.topic: how-to +ms.date: 07/15/2022 --- -# Create a Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune +# Create a Windows Information Protection policy in Microsoft Intune -**Applies to:** +[!INCLUDE [Deprecate Windows Information Protection](includes/wip-deprecation.md)] + -- Windows 10, version 1607 and later +_Applies to:_ + +- Windows 10 +- Windows 11 Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune manages only the apps on a user's personal device. 
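Review bot: In the front-matter hunk (`@@ -1,21 +1,25 @@`), replacing `- Windows 10, version 1607 and later` with the bare `- Windows 10` and `- Windows 11` entries loses the minimum supported version, and the unchanged body still keys behaviour off versions (for example `Starting with Windows 10, version 1703, Intune automatically determines your corporate identity`). Consider keeping a minimum version in the Applies-to list or stating it in the deprecation include. Also, the added empty `+` line right after `[!INCLUDE [Deprecate Windows Information Protection](includes/wip-deprecation.md)]` together with the existing blank context line leaves two blank lines before `_Applies to:_`; one is enough.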
@@ -118,7 +122,7 @@ If you don't know the Store app publisher or product name, you can find them by 4. Copy the `publisherCertificateName` value into the **Publisher** box and copy the `packageIdentityName` value into the **Name** box of Intune. >[!Important] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`. + >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`. > > For example: > @@ -147,7 +151,7 @@ If you don't know the Store app publisher or product name, you can find them by 8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune. >[!Important] - >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`. + >The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that's using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`. > > For example: 
> @@ -164,19 +168,19 @@ To add **Desktop apps**, complete the following fields, based on what results yo |Field|Manages| |--- |--- | -|All fields marked as “*”|All files signed by any publisher. (Not recommended and may not work)| -|Publisher only|If you only fill out this field, you’ll get all files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps.| -|Publisher and Name only|If you only fill out these fields, you’ll get all files for the specified product, signed by the named publisher.| -|Publisher, Name, and File only|If you only fill out these fields, you’ll get any version of the named file or package for the specified product, signed by the named publisher.| -|Publisher, Name, File, and Min version only|If you only fill out these fields, you’ll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened.| -|Publisher, Name, File, and Max version only|If you only fill out these fields, you’ll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.| -|All fields completed|If you fill out all fields, you’ll get the specified version of the named file or package for the specified product, signed by the named publisher.| +|All fields marked as `*`|All files signed by any publisher. (Not recommended and may not work)| +|Publisher only|If you only fill out this field, you'll get all files signed by the named publisher. 
This might be useful if your company is the publisher and signer of internal line-of-business apps.| +|Publisher and Name only|If you only fill out these fields, you'll get all files for the specified product, signed by the named publisher.| +|Publisher, Name, and File only|If you only fill out these fields, you'll get any version of the named file or package for the specified product, signed by the named publisher.| +|Publisher, Name, File, and Min version only|If you only fill out these fields, you'll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened.| +|Publisher, Name, File, and Max version only|If you only fill out these fields, you'll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher.| +|All fields completed|If you fill out all fields, you'll get the specified version of the named file or package for the specified product, signed by the named publisher.| -To add another Desktop app, select the ellipsis **…**. After you’ve entered the info into the fields, select **OK**. +To add another Desktop app, select the ellipsis `…`. After you've entered the info into the fields, select **OK**. ![Microsoft Intune management console: Adding Desktop app info.](images/wip-azure-add-desktop-apps.png) -If you’re unsure about what to include for the publisher, you can run this PowerShell command: +If you're unsure about what to include for the publisher, you can run this PowerShell command: ```powershell Get-AppLockerFileInformation -Path "" 
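Review bot: In the `@@ -164,19 +168,19 @@` hunk, the new `select the ellipsis `…`` wraps a UI control name in backticks, which renders it as inline code; elsewhere on this page UI elements are bold (`select **OK**` on the same line), so `**…**` would be consistent with the page's convention.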
@@ -202,7 +206,7 @@ Regarding to how to get the Product Name for the Apps you wish to Add, contact t ### Import a list of apps -This section covers two examples of using an AppLocker XML file to the **Protected apps** list. You’ll use this option if you want to add multiple apps at the same time. +This section covers two examples of using an AppLocker XML file to the **Protected apps** list. You'll use this option if you want to add multiple apps at the same time. - [Create a Packaged App rule for Store apps](#create-a-packaged-app-rule-for-store-apps) - [Create an Executable rule for unsigned apps](#create-an-executable-rule-for-unsigned-apps) @@ -233,7 +237,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo ![Screenshot of the "Use an installed package app as a reference" radio button selected and the Select button highlighted](images/wip-applocker-secpol-wizard-3.png) -7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then select **OK**. For this example, we’re using Microsoft Dynamics 365. +7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then select **OK**. For this example, we're using Microsoft Dynamics 365. ![Screenshot of the Select applications list.](images/wip-applocker-secpol-wizard-4.png) @@ -257,7 +261,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then select **Save**. - The policy is saved and you’ll see a message that says one rule was exported from the policy. + The policy is saved and you'll see a message that says one rule was exported from the policy. **Example XML file**
This is the XML file that AppLocker creates for Microsoft Dynamics 365. @@ -281,7 +285,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo ``` -12. After you’ve created your XML file, you need to import it by using Microsoft Intune. +12. After you've created your XML file, you need to import it by using Microsoft Intune. ## Create an Executable rule for unsigned apps @@ -303,7 +307,7 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps. ![Screenshot with Path conditions selected in the Create Executable Rules wizard.](images/path-condition.png) -7. Select **Browse Folders...** and select the path for the unsigned apps. For this example, we’re using "C:\Program Files". +7. Select **Browse Folders...** and select the path for the unsigned apps. For this example, we're using "C:\Program Files". ![Screenshot of the Path field of the Create Executable Rules wizard.](images/select-path.png) @@ -315,9 +319,9 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps. 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then select **Save**. - The policy is saved and you’ll see a message that says one rule was exported from the policy. + The policy is saved and you'll see a message that says one rule was exported from the policy. -12. After you’ve created your XML file, you need to import it by using Microsoft Intune. +12. After you've created your XML file, you need to import it by using Microsoft Intune. **To import a list of protected apps using Microsoft Intune** 
@@ -343,9 +347,9 @@ If your app is incompatible with WIP, but still needs to be used with enterprise 2. In **Exempt apps**, select **Add apps**. - When you exempt apps, they’re allowed to bypass the WIP restrictions and access your corporate data. + When you exempt apps, they're allowed to bypass the WIP restrictions and access your corporate data. -3. Fill out the rest of the app info, based on the type of app you’re adding: +3. Fill out the rest of the app info, based on the type of app you're adding: - [Add Recommended apps](#add-recommended-apps) @@ -371,12 +375,12 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi |Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.| |Allow Overrides |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).| |Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would have been prompted for employee interaction while in Allow Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| - |Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.| + |Off |WIP is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on. For more information, see [How to disable Windows Information Protection](how-to-disable-wip.md).| 2. Select **Save**. ## Define your enterprise-managed corporate identity -Corporate identity, typically expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. +Corporate identity, typically expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you've marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies. Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the **Corporate identity** field. @@ -384,7 +388,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor 1. From **App policy**, select the name of your policy, and then select **Required settings**. -2. If the auto-defined identity isn’t correct, you can change the info in the **Corporate identity** field. +2. If the auto-defined identity isn't correct, you can change the info in the **Corporate identity** field. ![Microsoft Intune, Set your corporate identity for your organization.](images/wip-azure-required-settings-corp-identity.png) 
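Review bot: In the protection-mode table of the `@@ -371,12 +375,12 @@` hunk, the row label changes from `|Off (not recommended) |` to `|Off |`, which removes the only caution the table gave for the mode that disables both protection and auditing. If the label is being shortened to match the portal, keep the recommendation in the description cell (for example before the new link to how-to-disable-wip.md), since the other rows still describe their security effect and an admin scanning the table should see that Off is the unprotected state.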
@@ -395,7 +399,7 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor ## Choose where apps can access enterprise data After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include your enterprise network locations. -There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). +There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise's range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT). To define the network boundaries, select **App policy** > the name of your policy > **Advanced settings** > **Add network boundary**. 
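Review bot: In the `@@ -395,7 +399,7 @@` hunk, the `+` line keeps the comma splice `There are no default locations included with WIP, you must add each of your network locations`; since the line is already being edited for the apostrophe, split it into two sentences or use a semicolon.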
@@ -420,7 +424,7 @@ Personal applications can access a cloud resource that has a blank space or an i To add a subdomain for a cloud resource, use a period (.) instead of an asterisk (*). For example, to add all subdomains within Office.com, use ".office.com" (without the quotation marks). -In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. +In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the `/*AppCompat*/` string to the setting. For example: @@ -466,9 +470,9 @@ corp.contoso.com,region.contoso.com ### Proxy servers Specify the proxy servers your devices will go through to reach your cloud resources. -Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. +Using this server type indicates that the cloud resources you're connecting to are enterprise resources. -This list shouldn’t include any servers listed in your Internal proxy servers list. +This list shouldn't include any servers listed in your Internal proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic. Separate multiple resources with the ";" delimiter. 
@@ -478,9 +482,9 @@ proxy.contoso.com:80;proxy2.contoso.com:443 ### Internal proxy servers -Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. +Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources. -This list shouldn’t include any servers listed in your Proxy servers list. +This list shouldn't include any servers listed in your Proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic. Separate multiple resources with the ";" delimiter. @@ -492,7 +496,7 @@ contoso.internalproxy1.com;contoso.internalproxy2.com Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. -Classless Inter-Domain Routing (CIDR) notation isn’t supported. +Classless Inter-Domain Routing (CIDR) notation isn't supported. Separate multiple ranges with the "," delimiter. @@ -507,13 +511,13 @@ Starting with Windows 10, version 1703, this field is optional. Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your network domain names, define your corporate network boundaries. -Classless Inter-Domain Routing (CIDR) notation isn’t supported. +Classless Inter-Domain Routing (CIDR) notation isn't supported. Separate multiple ranges with the "," delimiter. -**Starting IPv6 Address:** 2a01:110::
-**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
-**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff +**Starting IPv6 Address:** `2a01:110::`
+**Ending IPv6 Address:** `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff`
+**Custom URI:** `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,'
'fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff` ### Neutral resources 
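Review bot: In the IPv6 range hunk (`@@ -507,13 +511,13 @@`), the new **Custom URI** value contains stray single quotes: the `+` lines read `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,'` and `'fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`. Those quotes are not part of the range syntax, and the text just above says multiple ranges are separated with the `,` delimiter, so a reader copying this value into the Custom URI field would paste an invalid range. The value should be one code span, `2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff`, matching the correctly backticked Starting and Ending address lines; if a line break is wanted for display, keep it outside the code span.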
@@ -534,10 +538,10 @@ Decide if you want Windows to look for more network settings: ![Microsoft Intune, Choose if you want Windows to search for more proxy servers or IP ranges in your enterprise.](images/wip-azure-advanced-settings-network-autodetect.png) ## Upload your Data Recovery Agent (DRA) certificate -After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data. +After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data. >[!Important] ->Using a DRA certificate isn’t mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see [Data Recovery and Encrypting File System (EFS)](/previous-versions/tn-archive/cc512680(v=technet.10)). For more info about creating and verifying your EFS DRA certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate). +>Using a DRA certificate isn't mandatory. However, we strongly recommend it. 
For more info about how to find and export your data recovery certificate, see [Data Recovery and Encrypting File System (EFS)](/previous-versions/tn-archive/cc512680(v=technet.10)). For more info about creating and verifying your EFS DRA certificate, see [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate). **To upload your DRA certificate** 1. From **App policy**, select the name of your policy, and then select **Advanced settings** from the menu that appears. 
@@ -553,11 +557,11 @@ After you've decided where your protected apps can access enterprise data on you ![Advanced optional settings.](images/wip-azure-advanced-settings-optional.png) -**Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: +**Revoke encryption keys on unenroll.** Determines whether to revoke a user's local encryption keys from a device when it's unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: - **On, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment. -- **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. +- **Off.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you're migrating between Mobile Device Management (MDM) solutions. **Show the enterprise data protection icon.** Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are: 
@@ -565,11 +569,11 @@ After you've decided where your protected apps can access enterprise data on you - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. -**Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](/azure/information-protection/what-is-azure-rms) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared with employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they're copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template’s license. Only users with permission to that template can read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp). +**Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](/azure/information-protection/what-is-azure-rms) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared with employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they're copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template's license. Only users with permission to that template can read it from the removable drive. 
WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp). -- **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. +- **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn't actually apply Azure Information Protection to the files. - If you don’t specify an [RMS template](/information-protection/deploy-use/configure-custom-templates), it’s a regular EFS file using a default RMS template that all users can access. + If you don't specify an [RMS template](/information-protection/deploy-use/configure-custom-templates), it's a regular EFS file using a default RMS template that all users can access. - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive. 
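Review bot: the **On** bullet's fallback sentence ("If you don't specify an RMS template, it's a regular EFS file using a default RMS template that all users can access") buries the security consequence: without a TemplateID, the copy on the removable drive is readable by every user who holds the default template, so the RMS layer restricts nobody and the only protection left is EFS. Since this hunk already rewrites that paragraph, state that plainly and recommend entering a TemplateID GUID scoped to the group that should open removable-media copies, and say whether that GUID is the same value an MDM would put in **RMSTemplateIDForEDP**, so readers configuring through the EnterpriseDataProtection CSP know which setting carries it. The rest of the hunk is straight-quote cleanup and reads fine.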
@@ -601,6 +605,3 @@ You can restrict which files are protected by WIP when they're downloaded from a - [Intune MAM Without Enrollment](/archive/blogs/configmgrdogs/intune-mam-without-enrollment) - [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/) - -> [!NOTE] -> Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md b/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md new file mode 100644 index 0000000000..1d285e189d --- /dev/null +++ b/windows/security/information-protection/windows-information-protection/how-to-disable-wip.md 
@@ -0,0 +1,126 @@ +--- +title: How to disable Windows Information Protection (WIP) +description: How to disable Windows Information Protection (WIP) in Microsoft Intune or Microsoft Endpoint Configuration Manager. +ms.date: 07/21/2022 +ms.prod: m365-security +ms.topic: how-to +ms.localizationpriority: medium +author: lizgt2000 +ms.author: lizlong +ms.reviewer: aaroncz +manager: dougeby +--- + +# How to disable Windows Information Protection (WIP) + +[!INCLUDE [wip-deprecation](includes/wip-deprecation.md)] + + +_Applies to:_ + +- Windows 10 +- Windows 11 + +## Use Intune to disable WIP + +To disable Windows Information Protection (WIP) using Intune, you have the following options: + +### Option 1 - Unassign the WIP policy (preferred) + +When you unassign an existing policy, it removes the intent to deploy WIP from those devices. When that intent is removed, the device removes protection for files and the configuration for WIP. For more information, see [Assign user and device profiles in Microsoft Intune](/mem/intune/configuration/device-profile-assign). + +### Option 2 - Change current WIP policy to off + +If you're currently deploying a WIP policy for enrolled or unenrolled devices, you switch the WIP policy to Off. When devices check in after this change, the devices will proceed to unprotect files previously protected by WIP. + +1. Sign in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com). +1. Open Microsoft Intune and select **Apps** > **App protection policies**. +1. Select the existing policy to turn off, and then select the **Properties**. +1. Edit **Required settings**. + :::image type="content" alt-text="Intune App Protection policy properties, required settings, with WIP mode Off." source="images/intune-edit-app-protection-policy-mode-off.png"::: +1. Set **Windows Information Protection mode** to off. +1. After making this change, select **Review and Save**. +1. Select **Save**. 
+ +> [!NOTE] +> **Another option is to create a disable policy that sets WIP to Off.** +> +> You can create a separate disable policy for WIP (both enrolled and unenrolled) and deploy that to a new group. You then can stage the transition to this disabled state. Move devices from the existing group to the new group. This process slowly migrates devices instead of all at once. + +### Revoke local encryption keys during the unenrollment process + +Determine whether to revoke a user's local encryption keys from a device when it's unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are: + +- Yes, or not configured. Revokes local encryption keys from a device during unenrollment. +- No (recommended). Stop local encryption keys from being revoked from a device during unenrollment. + +## Use Configuration Manager to disable WIP + +To disable Windows Information Protection (WIP) using Configuration Manager, create a new configuration item that turns off WIP. Configure that new object for your environment to match the existing policy, except for disabling WIP. Then deploy the new policy, and move devices into the new collection. + +> [!WARNING] +> Don't just delete your existing WIP policy. If you delete the old policy, Configuration Manager stops sending further WIP policy updates, but also leaves WIP enforced on the devices. To remove WIP from your managed devices, follow the steps in this section to create a new policy to turn off WIP. + +### Create a WIP policy + +To disable WIP for your organization, first create a configuration item. + +1. Open the Configuration Manager console, select the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node. + +2. Select the **Create Configuration Item** button. + The **Create Configuration Item Wizard** starts. 
+ + ![Create Configuration Item wizard, define the configuration item and choose the configuration type.](images/wip-configmgr-generalscreen-off.png) + +3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes. + +4. In the **Specify the type of configuration item you want to create** area, select **Windows 10 or later** for devices managed with the Configuration Manager client, and then select **Next**. + +5. On the **Supported Platforms** screen, select the **Windows 10** box, and then select **Next**. + +6. On the **Device Settings** screen, select **Windows Information Protection**, and then select **Next**. + +The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization. The following sections provide details on the required settings on this page. + +> [!TIP] +> For more information on filling out the required fields, see [Create and deploy a Windows Information Protection (WIP) policy using Microsoft Endpoint Configuration Manager](/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr). + +#### Turn off WIP + +Of the four options to specify the restriction mode, select **Off** to turn off Windows Information Protection. + +:::image type="content" alt-text="Create Configuration Item wizard, choose your WIP-protection level." source="images/wip-configmgr-disable-wip.png"::: + +#### Specify the corporate identity + +Paste the value of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`. + +![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity.](images/wip-configmgr-corp-identity.png) + +> [!IMPORTANT] +> This corporate identity value must match the string in the original policy. 
Copy and paste the string from your original policy that enables WIP. + +#### Specify the corporate network definition + +For the **Corporate network definition**, select **Add** to specify the necessary network locations. The **Add or edit corporate network definition** box appears. Add the required fields. + +> [!IMPORTANT] +> These corporate network definitions must match the original policy. Copy and paste the strings from your original policy that enables WIP. + +#### Specify the data recovery agent certificate + +In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, select **Browse** to add a data recovery certificate for your policy. This certificate should be the same as the original policy that enables WIP. + +![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate.](images/wip-configmgr-dra.png) + +### Deploy the WIP policy + +After you've created the new policy to turn off WIP, deploy it to your organization's devices. For more information about deployment options, see the following articles: + +- [Create a configuration baseline that includes the new configuration item](/mem/configmgr/compliance/deploy-use/create-configuration-baselines). + +- [Create a new collection](/mem/configmgr/core/clients/manage/collections/create-collections). + +- [Deploy the baseline to the collection](/mem/configmgr/compliance/deploy-use/deploy-configuration-baselines). + +- Move devices from the old collection to new collection. diff --git a/windows/security/information-protection/windows-information-protection/images/intune-edit-app-protection-policy-mode-off.png b/windows/security/information-protection/windows-information-protection/images/intune-edit-app-protection-policy-mode-off.png new file mode 100644 index 0000000000..e5cb84a44e Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/intune-edit-app-protection-policy-mode-off.png differ 
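Review bot: the "Revoke local encryption keys during the unenrollment process" section recommends **No**, the opposite of the create page changed earlier in this diff ("On, or not configured (recommended)"), and gives no reason and no link to Options 1 and 2 above it. Say why: while the Off policy is rolling out, devices still hold WIP-protected files, and if keys are revoked during unenrollment before the unprotect pass has run, the page's own words apply ("a user no longer has access to encrypted corporate data"). Also state whether unassigning the policy (Option 1) counts as unenrollment and so triggers the revoke, because with the default "Yes, or not configured" a reader following Option 1 could lose data; and match the option labels to the ones used on the create page ("On"/"Off" there, "Yes"/"No" here). Smaller points: in Option 2, step 1 and step 2 overlap ("Sign in to the Microsoft Endpoint Manager admin center" then "Open Microsoft Intune"), "you switch the WIP policy to Off" should read "switch the WIP policy to Off", and Configuration Manager step 5 says "select the **Windows 10** box" while step 4 offers "Windows 10 or later" and the Applies-to lists Windows 11. Finally, neither section tells the reader how to confirm the result; add a check after devices report in, for example File Explorer's File ownership column showing Personal, or `cipher /c <file>` no longer reporting the file as encrypted, and say to keep the DRA certificate's private key available until that check passes, since the DRA is uploaded precisely "to allow recovery of encrypted data".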
diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-disable-wip.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-disable-wip.png new file mode 100644 index 0000000000..f1cf7c107d Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-disable-wip.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen-off.png b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen-off.png new file mode 100644 index 0000000000..ab05d9607a Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/wip-configmgr-generalscreen-off.png differ diff --git a/windows/security/information-protection/windows-information-protection/includes/wip-deprecation.md b/windows/security/information-protection/windows-information-protection/includes/wip-deprecation.md new file mode 100644 index 0000000000..398ac1dfdc --- /dev/null +++ b/windows/security/information-protection/windows-information-protection/includes/wip-deprecation.md 
@@ -0,0 +1,12 @@ +--- +author: aczechowski +ms.author: aaroncz +ms.prod: windows +ms.topic: include +ms.date: 07/20/2022 +--- + +> [!NOTE] +> Starting in July 2022, Microsoft is deprecating Windows Information Protection (WIP). Microsoft will continue to support WIP on supported versions of Windows. New versions of Windows won't include new capabilities for WIP, and it won't be supported in future versions of Windows. For more information, see [Announcing sunset of Windows Information Protection](https://go.microsoft.com/fwlink/?linkid=2202124). +> +> For your data protection needs, Microsoft recommends that you use [Microsoft Purview Information Protection](/microsoft-365/compliance/information-protection) and [Microsoft Purview Data Loss Prevention](/microsoft-365/compliance/dlp-learn-about-dlp). Purview simplifies the configuration set-up and provides an advanced set of capabilities. diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index d984b38ce8..73f91f204f 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md 
@@ -1,54 +1,59 @@ --- -title: Limitations while using Windows Information Protection (WIP) (Windows 10) +title: Limitations while using Windows Information Protection (WIP) description: This section includes info about the common problems you might encounter while using Windows Information Protection (WIP). ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp +author: aczechowski +ms.author: aaroncz +manager: dougeby +ms.reviewer: rafals ms.collection: M365-security-compliance ms.topic: conceptual ms.date: 04/05/2019 -ms.reviewer: ms.localizationpriority: medium --- # Limitations while using Windows Information Protection (WIP) -**Applies to:** -- Windows 10, version 1607 and later +_Applies to:_ + +- Windows 10 +- Windows 11 This following list provides info about the most common problems you might encounter while running Windows Information Protection in your organization. - **Limitation**: Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration. - **How it appears**: - - If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703. - - If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. + - If you're using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703. + - If you're not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. - **Workaround**: Share files with fellow employees through enterprise file servers or enterprise cloud locations. 
If data must be shared via USB, employees can decrypt protected files, but it will be audited. We strongly recommend educating employees about how to limit or eliminate the need for this decryption. - **Limitation**: Direct Access is incompatible with Windows Information Protection. - - **How it appears**: Direct Access might experience problems with how Windows Information Protection enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource. + - **How it appears**: Direct Access might experience problems with how Windows Information Protection enforces app behavior and data movement because of how WIP determines what is and isn't a corporate network resource. - **Workaround**: We recommend that you use VPN for client access to your intranet resources. > [!NOTE] - > VPN is optional and isn’t required by Windows Information Protection. + > VPN is optional and isn't required by Windows Information Protection. - **Limitation**: **NetworkIsolation** Group Policy setting takes precedence over MDM Policy settings. - **How it appears**: The **NetworkIsolation** Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured. - **Workaround**: If you use both Group Policy and MDM to configure your **NetworkIsolation** settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM. -- **Limitation**: Cortana can potentially allow data leakage if it’s on the allowed apps list. +- **Limitation**: Cortana can potentially allow data leakage if it's on the allowed apps list. - **How it appears**: If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. 
Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft. - - **Workaround**: We don’t recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app. + - **Workaround**: We don't recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app. + + - **Limitation**: Windows Information Protection is designed for use by a single user per device. - - **How it appears**: A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process. - - **Workaround**: We recommend only having one user per managed device. + - **How it appears**: A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user's content can be revoked during the unenrollment process. + - **Workaround**: Have only one user per managed device. + - If this scenario occurs, it may be possible to mitigate. Once protection is disabled, a second user can remove protection by changing the file ownership. Although the protection is in place, the file remains accessible to the user. - **Limitation**: Installers copied from an enterprise network file share might not work properly. - - **How it appears**: An app might fail to properly install because it can’t read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action. 
+ - **How it appears**: An app might fail to properly install because it can't read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action. - **Workaround**: To fix this, you can: - Start the installer directly from the file share. @@ -58,9 +63,9 @@ This following list provides info about the most common problems you might encou OR - - Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as **Authoritative** and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list. + - Mark the file share with the installation media as "personal". To do this, you'll need to set the Enterprise IP ranges as **Authoritative** and then exclude the IP address of the file server, or you'll need to put the file server on the Enterprise Proxy Server list. -- **Limitation**: Changing your primary Corporate Identity isn’t supported. +- **Limitation**: Changing your primary Corporate Identity isn't supported. - **How it appears**: You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access. - **Workaround**: Turn off Windows Information Protection for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying. 
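Review bot: the new nested bullet under the single-user limitation ("If this scenario occurs, it may be possible to mitigate. Once protection is disabled, a second user can remove protection by changing the file ownership. Although the protection is in place, the file remains accessible to the user.") is ambiguous on the point that matters: which user changes ownership, whether that works only after WIP is turned off, and whose access the last sentence describes. Given the preceding line ("only the initial, enrolled user's content can be revoked during the unenrollment process"), the useful statement is that a second user's protected files are not revoked at unenrollment and stay readable to that user, and that once protection is disabled that user can clear the Work ownership in File Explorer; rewrite to that. Two empty `+` lines were also introduced, one before the single-user limitation and one before the new nested bullet. Separately, this file's title and Applies-to were changed the same way as protect-enterprise-data-using-wip.md, but it does not receive the `wip-deprecation` include and `ms.date` stays at 04/05/2019; add the include and bump the date for consistency.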
@@ -85,7 +90,7 @@ This following list provides info about the most common problems you might encou - **Workaround**: Open File Explorer and change the file ownership to **Personal** before you upload. - **Limitation**: ActiveX controls should be used with caution. - - **How it appears**: Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using Windows Information Protection. + - **How it appears**: Webpages that use ActiveX controls can potentially communicate with other outside processes that aren't protected by using Windows Information Protection. - **Workaround**: We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology. For more info, see [Out-of-date ActiveX control blocking](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking). @@ -94,7 +99,7 @@ This following list provides info about the most common problems you might encou - **How it appears**:Trying to save or transfer Windows Information Protection files to ReFS will fail. - **Workaround**: Format drive for NTFS, or use a different drive. -- **Limitation**: Windows Information Protection isn’t turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**: +- **Limitation**: Windows Information Protection isn't turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**: - AppDataRoaming - Desktop - StartMenu @@ -111,8 +116,8 @@ This following list provides info about the most common problems you might encou
- - **How it appears**: Windows Information Protection isn’t turned on for employees in your organization. Error code 0x807c0008 will result if Windows Information Protection is deployed by using Microsoft Endpoint Configuration Manager. - - **Workaround**: Don’t set the **MakeFolderAvailableOfflineDisabled** option to **False** for any of the specified folders. You can configure this parameter, as described [Disable Offline Files on individual redirected folders](/windows-server/storage/folder-redirection/disable-offline-files-on-folders). + - **How it appears**: Windows Information Protection isn't turned on for employees in your organization. Error code 0x807c0008 will result if Windows Information Protection is deployed by using Microsoft Endpoint Configuration Manager. + - **Workaround**: Don't set the **MakeFolderAvailableOfflineDisabled** option to **False** for any of the specified folders. You can configure this parameter, as described [Disable Offline Files on individual redirected folders](/windows-server/storage/folder-redirection/disable-offline-files-on-folders). If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports Windows Information Protection, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after Windows Information Protection is already in place, you might be unable to open your files offline. 
@@ -137,7 +142,7 @@ This following list provides info about the most common problems you might encou 2. Move the notebook folder via File Explorer out of the OneDrive for Business folder to another location, such as the Desktop. 3. Copy the notebook folder and Paste it back into the OneDrive for Business folder. - Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the “Open in app” button. + Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the "Open in app" button. - **Limitation**: Microsoft Office Outlook offline data files (PST and OST files) are not marked as **Work** files, and are therefore not protected. - **How it appears**: If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected. diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md index f5e201aa75..82bb52d344 100644 --- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md 
@@ -1,26 +1,29 @@ --- -title: Protect your enterprise data using Windows Information Protection (WIP) (Windows 10) +title: Protect your enterprise data using Windows Information Protection description: Learn how to prevent accidental enterprise data leaks through apps and services, such as email, social media, and the public cloud. ms.prod: m365-security ms.localizationpriority: medium -author: dansimp -ms.author: dansimp -manager: dansimp +author: aczechowski +ms.author: aaroncz +manager: dougeby +ms.reviewer: rafals ms.collection: - M365-security-compliance - - highpri -ms.topic: conceptual -ms.date: 03/05/2019 +ms.topic: overview +ms.date: 07/15/2022 --- # Protect your enterprise data using Windows Information Protection (WIP) -**Applies to:** -- Windows 10, version 1607 and later +[!INCLUDE [Deprecate Windows Information Protection](includes/wip-deprecation.md)] + ->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). +_Applies to:_ -With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. +- Windows 10 +- Windows 11 + +With the increase of employee-owned devices in the enterprise, there's also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise's control. 
For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. Windows Information Protection (WIP), previously known as enterprise data protection (EDP), helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client. @@ -32,18 +35,18 @@ Windows Information Protection (WIP), previously known as enterprise data protec > [!Video https://www.microsoft.com/videoplayer/embed/RE2IGhh] ## Prerequisites -You’ll need this software to run Windows Information Protection in your enterprise: +You'll need this software to run Windows Information Protection in your enterprise: |Operating system | Management solution | |-----------------|---------------------| -|Windows 10, version 1607 or later | Microsoft Intune

-OR-

Microsoft Endpoint Configuration Manager

-OR-

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp) documentation.| +|Windows 10, version 1607 or later | Microsoft Intune

-OR-

Microsoft Endpoint Configuration Manager

-OR-

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](/windows/client-management/mdm/enterprisedataprotection-csp) documentation.| ## What is enterprise data control? -Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people can’t share anything and it’s all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure. +Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people can't share anything and it's all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure. -As an admin, you can address the question of who gets access to your data by using access controls, such as employee credentials. However, just because someone has the right to access your data doesn’t guarantee that the data will remain within the secured locations of the enterprise. This means that while access controls are a great start, they’re not enough. +As an admin, you can address the question of who gets access to your data by using access controls, such as employee credentials. However, just because someone has the right to access your data doesn't guarantee that the data will remain within the secured locations of the enterprise. 
This means that while access controls are a great start, they're not enough. -In the end, all of these security measures have one thing in common: employees will tolerate only so much inconvenience before looking for ways around the security restrictions. For example, if you don’t allow employees to share files through a protected system, employees will turn to an outside app that more than likely lacks security controls. +In the end, all of these security measures have one thing in common: employees will tolerate only so much inconvenience before looking for ways around the security restrictions. For example, if you don't allow employees to share files through a protected system, employees will turn to an outside app that more than likely lacks security controls. ### Using data loss prevention systems To help address this security insufficiency, companies developed data loss prevention (also known as DLP) systems. Data loss prevention systems require: 
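Review bot: the Applies-to block now says "Windows 10" and "Windows 11" with no version floor, but the Prerequisites table in the same file still requires "Windows 10, version 1607 or later", and the dropped "Compare Windows 10 Editions" sentence was the only pointer to which editions include WIP; either keep a version and edition line in Applies-to or add it to the table row. In the Prerequisites hunk the removed and added rows read identically here, so if the change is a `<br>`-to-newline or whitespace edit, confirm the single-row table still renders as one cell rather than breaking the management-solution column across lines.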
@@ -53,15 +56,15 @@ To help address this security insufficiency, companies developed data loss preve - **The ability to specify what happens when data matches a rule, including whether employees can bypass enforcement.** For example, in Microsoft SharePoint and SharePoint Online, the Microsoft Purview data loss prevention system lets you warn your employees that shared data includes sensitive info, and to share it anyway (with an optional audit log entry). -Unfortunately, data loss prevention systems have their own problems. For example, the less detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss prevention systems is that it provides a jarring experience that interrupts the employees’ natural workflow by stopping some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesn’t see and can’t understand. +Unfortunately, data loss prevention systems have their own problems. For example, the less detailed the rule set, the more false positives are created, leading employees to believe that the rules slow down their work and need to be bypassed in order to remain productive, potentially leading to data being incorrectly blocked or improperly released. Another major problem is that data loss prevention systems must be widely implemented to be effective. 
For example, if your company uses a data loss prevention system for email, but not for file shares or document storage, you might find that your data leaks through the unprotected channels. But perhaps the biggest problem with data loss prevention systems is that it provides a jarring experience that interrupts the employees' natural workflow by stopping some operations (such as sending a message with an attachment that the system tags as sensitive) while allowing others, often according to subtle rules that the employee doesn't see and can't understand. ### Using information rights management systems To help address the potential data loss prevention system problems, companies developed information rights management (also known as IRM) systems. Information rights management systems embed protection directly into documents, so that when an employee creates a document, he or she determines what kind of protection to apply. For example, an employee can choose to stop the document from being forwarded, printed, shared outside of the organization, and so on. -After the type of protection is set, the creating app encrypts the document so that only authorized people can open it, and even then, only in compatible apps. After an employee opens the document, the app becomes responsible for enforcing the specified protections. Because protection travels with the document, if an authorized person sends it to an unauthorized person, the unauthorized person won’t be able to read or change it. However, for this to work effectively information rights management systems require you to deploy and set up both a server and client environment. And, because only compatible clients can work with protected documents, an employees’ work might be unexpectedly interrupted if he or she attempts to use a non-compatible app. +After the type of protection is set, the creating app encrypts the document so that only authorized people can open it, and even then, only in compatible apps. 
After an employee opens the document, the app becomes responsible for enforcing the specified protections. Because protection travels with the document, if an authorized person sends it to an unauthorized person, the unauthorized person won't be able to read or change it. However, for this to work effectively information rights management systems require you to deploy and set up both a server and client environment. And, because only compatible clients can work with protected documents, an employees' work might be unexpectedly interrupted if he or she attempts to use a non-compatible app. ### And what about when an employee leaves the company or unenrolls a device? -Finally, there’s the risk of data leaking from your company when an employee leaves or unenrolls a device. Previously, you would simply erase all of the corporate data from the device, along with any other personal data on the device. +Finally, there's the risk of data leaking from your company when an employee leaves or unenrolls a device. Previously, you would simply erase all of the corporate data from the device, along with any other personal data on the device. ## Benefits of WIP Windows Information Protection provides: 
@@ -78,17 +81,17 @@ Windows Information Protection provides: ## Why use WIP? Windows Information Protection is the mobile application management (MAM) mechanism on Windows 10. WIP gives you a new way to manage data policy enforcement for apps and documents on Windows 10 desktop operating systems, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune). -- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. Windows Information Protection helps protect enterprise on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data. +- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. Windows Information Protection helps protect enterprise on both corporate and employee-owned devices, even when the employee isn't using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally maintained as enterprise data. - **Manage your enterprise documents, apps, and encryption modes.** - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using a WIP-protected device, WIP encrypts the data on the device. 
- - **Using protected apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but makes a mistake and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. + - **Using protected apps.** Managed apps (apps that you've included on the **Protected apps** list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but makes a mistake and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn't paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem. - **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your protected apps list, the app is trusted with enterprise data. All apps not on this list are stopped from accessing your enterprise data, depending on your WIP management-mode. 
- You don’t have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in the protected apps list. + You don't have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in the protected apps list. - **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Hiding overrides stops the action immediately. Allowing overrides lets the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without stopping anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your protected apps list. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). 
@@ -97,9 +100,9 @@ Windows Information Protection is the mobile application management (MAM) mechan Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies Windows Information Protection to the new document. - - **Helping prevent accidental data disclosure to public spaces.** Windows Information Protection helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your protected apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally. + - **Helping prevent accidental data disclosure to public spaces.** Windows Information Protection helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn't on your protected apps list, employees won't be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your protected apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally. - - **Helping prevent accidental data disclosure to removable media.** Windows Information Protection helps prevent enterprise data from leaking when it's copied or transferred to removable media. 
For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t. + - **Helping prevent accidental data disclosure to removable media.** Windows Information Protection helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn't. - **Remove access to enterprise data from enterprise-protected devices.** Windows Information Protection gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable. @@ -115,7 +118,7 @@ Windows Information Protection helps address your everyday challenges in the ent - Helping to maintain the ownership and control of your enterprise data. -- Helping control the network and data access and data sharing for apps that aren’t enterprise aware +- Helping control the network and data access and data sharing for apps that aren't enterprise aware ### Enterprise scenarios Windows Information Protection currently addresses these enterprise scenarios: 
@@ -125,12 +128,12 @@ Windows Information Protection currently addresses these enterprise scenarios: - You can protect specific apps that can access enterprise data that are clearly recognizable to employees. You can also stop non-protected apps from accessing enterprise data. -- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn’t required. +- Your employees won't have their work otherwise interrupted while switching between personal and enterprise apps while the enterprise policies are in place. Switching environments or signing in multiple times isn't required. ### WIP-protection modes -Enterprise data is automatically encrypted after it’s loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, Windows Information Protection uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. +Enterprise data is automatically encrypted after it's loaded on a device from an enterprise source or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, Windows Information Protection uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. -Your Windows Information Protection policy includes a list of trusted apps that are protected to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. 
Apps included on this list don’t have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it’s personally owned. +Your Windows Information Protection policy includes a list of trusted apps that are protected to access and process corporate data. This list of apps is implemented through the [AppLocker](/windows/device-security/applocker/applocker-overview) functionality, controlling what apps are allowed to run and letting the Windows operating system know that the apps can edit corporate data. Apps included on this list don't have to be modified to open corporate data because their presence on the list allows Windows to determine whether to grant them access. However, new for Windows 10, app developers can use a new set of application programming interfaces (APIs) to create *enlightened* apps that can use and edit both enterprise and personal data. A huge benefit to working with enlightened apps is that dual-use apps, like Microsoft Word, can be used with less concern about encrypting personal data by mistake because the APIs allow the app to determine whether data is owned by the enterprise or if it's personally owned. >[!NOTE] >For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md). 
@@ -139,19 +142,14 @@ You can set your Windows Information Protection policy to use 1 of 4 protection |Mode|Description| |----|-----------| -|Block |Windows Information Protection looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.| +|Block |Windows Information Protection looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization's network.| |Allow overrides |Windows Information Protection looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log.| -|Silent |Windows Information Protection runs silently, logging inappropriate data sharing, without stopping anything that would’ve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| -|Off |Windows Information Protection is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn Windows Information Protection back on. | +|Silent |Windows Information Protection runs silently, logging inappropriate data sharing, without stopping anything that would've been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.| +|Off |Windows Information Protection is turned off and doesn't help to protect or audit your data.

After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn't automatically reapplied if you turn Windows Information Protection back on. | ## Turn off WIP -You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn’t recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won’t be automatically reapplied. +You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isn't recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info won't be automatically reapplied. ## Next steps -After deciding to use WIP in your enterprise, you need to: -- [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md) - - ->[!NOTE] ->Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file +After you decide to use WIP in your environment, [create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md).
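Review bot: The `+` line in the `@@ -78,17 +81,17 @@` hunk still drops a word: "Windows Information Protection helps protect enterprise on both corporate and employee-owned devices" should read "helps protect enterprise data on both corporate and employee-owned devices". Since this line is already being rewritten for the apostrophe change, fold the missing noun into the same edit rather than leaving the sentence incomplete.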
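Review bot: In the `@@ -125,12 +128,12 @@` hunk the rewritten `+` line keeps "a list of trusted apps that are protected to access and process corporate data"; "protected to access" is not what the sentence means, and the rest of the section uses "allowed". Suggest "a list of trusted apps that are allowed to access and process corporate data" so the wording matches the protected-apps-list description in the "Managed apps and restrictions" bullet above.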
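Review bot: In the `@@ -139,19 +142,14 @@` hunk the `+` line for the `|Off |` row still carries the hard line break before "After you turn off WIP, an attempt is made to decrypt any WIP-tagged files..."; a Markdown pipe table cannot hold a multi-line cell, so the row is cut off at "audit your data." and the remainder renders as stray text under the table. Join the cell onto one line or use `<br>` inside the cell. The same hunk also leaves an inconsistency worth fixing while here: the table says only that "an attempt is made to decrypt any WIP-tagged files on the locally attached drives", while the "Turn off WIP" paragraph promises "decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss". Files on media that are not attached when the policy is removed are not covered by the first statement, so the second should be qualified to match it (for example, "decrypting WIP-tagged files on locally attached drives") rather than asserting an unconditional no-data-loss outcome.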