diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index cbae7321c4..be51cbc165 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -588,9 +588,11 @@ After you've decided where your protected apps can access enterprise data on you - **Off, or not configured (recommended).** Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option. - - **Use Azure RMS for WIP.** Determines whether WIP encrypts [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) Files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. You must already have Azure Rights Management set up. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. + - **Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. You must already have Azure Rights Management set up. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. In other words, WIP uses AIP "machinery" to apply EFS encryption to files when they are copied to removable media. - - **On.** Protects files that are copied to a removable drive. You can also add a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. Curly braces -- {} -- are required around the RMS Template ID, but they are omitted when you view the saved settings. The EFS file uses the key from the RMS template’s license to protect the EFS file encryption key. Only users with permission to that template will be able to read it from the USB. If you don’t specify a template, it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. + - **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. Curly braces {} are required around the RMS Template ID, but they are removed after you save the policy. + + The EFS file uses the key from the RMS template’s license to protect the EFS file encryption key. Only users with permission to that template will be able to read it from the USB. If you don’t specify a template, it’s a regular EFS file using a default RMS template that everyone in the tenant will have access to. - **Off, or not configured.** Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive.