Merge branch 'master' into v-benzyd-5358673

Benzy Dharmanayagam
2021-09-01 11:41:16 +05:30
committed by GitHub
571 changed files with 6183 additions and 5427 deletions

View File

@ -92,7 +92,7 @@ On computers with a compatible TPM, operating system drives that are BitLocker-p
In the following Group Policy example, TPM + PIN is required to unlock an operating system drive:
![Pre-boot authentication setting in Group Policy](images/pre-boot-authentication-group-policy.png)
![Pre-boot authentication setting in Group Policy.](images/pre-boot-authentication-group-policy.png)
Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup.
Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured.
@ -113,7 +113,7 @@ This Kernel DMA Protection is available only for new systems beginning with Wind
You can use the System Information desktop app (MSINFO32) to check if a device has kernel DMA protection enabled:
![Kernel DMA protection](images/kernel-dma-protection.png)
![Kernel DMA protection.](images/kernel-dma-protection.png)
If kernel DMA protection *not* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
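Review bot: The trailing context line `If kernel DMA protection *not* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:` is missing its verb; since this hunk already touches the region, suggest `If kernel DMA protection is *not* enabled, ...`. The feature is also capitalized two ways within the same hunk (`Kernel DMA Protection` in the header line, `kernel DMA protection` in the alt text and the sentence); pick one form.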

View File

@ -36,31 +36,31 @@ This article depicts the BitLocker deployment comparison chart.
|Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined |
|Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access |
|Cloud or on premises | Cloud | On premises | On premises |
|Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Server components required? | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Additional agent required? | No (device enrollment only) | Configuration Manager client | MBAM client |
|Administrative plane | Microsoft Endpoint Manager admin center | Configuration Manager console | Group Policy Management Console and MBAM sites |
|Administrative portal installation required | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Compliance reporting capabilities | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Force encryption | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Encryption for storage cards (mobile) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |
|Allow recovery password | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Manage startup authentication | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Administrative portal installation required | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Compliance reporting capabilities | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Force encryption | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Encryption for storage cards (mobile) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | |
|Allow recovery password | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Manage startup authentication | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Select cipher strength and algorithms for fixed drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Select cipher strength and algorithms for removable drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Select cipher strength and algorithms for operating environment drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Standard recovery password storage location | Azure AD or Active Directory | Configuration Manager site database | MBAM database |
|Store recovery password for operating system and fixed drives to Azure AD or Active Directory | Yes (Active Directory and Azure AD) | Yes (Active Directory only) | Yes (Active Directory only) |
|Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Deny Write permission to unprotected drives | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Can be administered outside company network | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | |
|Support for organization unique IDs | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later or Windows 11) | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | | |
|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Allow or deny Data Recovery Agent | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Prevent memory overwrite on restart | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Manage auto-unlock functionality | | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: | :::image type="content" source="images/yes-icon.png" alt-text="supported"::: |
|Customize preboot message and recovery link | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Allow/deny key file creation | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Deny Write permission to unprotected drives | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Can be administered outside company network | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | |
|Support for organization unique IDs | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later or Windows 11) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | |
|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Allow or deny Data Recovery Agent | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Unlock a volume using certificate with custom object identifier | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Prevent memory overwrite on restart | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Configure custom Trusted Platform Module Platform Configuration Register profiles | | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Manage auto-unlock functionality | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
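Review bot: The empty cells in this comparison table (for example the Intune column of `Server components required?` and `Administrative portal installation required`) convey "no" or "not supported" only by absence, which a screen reader announces as an empty cell; the `Additional agent required?` row already spells out `No (device enrollment only)` as text, so the empty cells should carry an explicit `No` or a not-supported icon with its own alt text. The alt-text change itself (`supported` to `supported.`) is applied consistently to every icon in the hunk.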

View File

@ -300,18 +300,18 @@ This policy can be configured using GPO under **Computer Configuration** > **Adm
It can also be configured using Intune mobile device management (MDM) in the BitLocker CSP:
*\<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage\</LocURI>*
![Custom URL](./images/bl-intune-custom-url.png)
![Custom URL.](./images/bl-intune-custom-url.png)
Example of customized recovery screen:
![Customized BitLocker Recovery Screen](./images/bl-password-hint1.png)
![Customized BitLocker Recovery Screen.](./images/bl-password-hint1.png)
### BitLocker recovery key hints
BitLocker metadata has been enhanced in Windows 10, version 1903 or Windows 11 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen.
![Customized BitLocker recovery screen](./images/bl-password-hint2.png)
![Customized BitLocker recovery screen.](./images/bl-password-hint2.png)
> [!IMPORTANT]
> We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft Account.
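Review bot: The OMA-URI line `*\<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage\</LocURI>*` is set in italics with backslash-escaped angle brackets, which is fragile in Markdown and renders a literal path as prose; inline code (`<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage</LocURI>`) would remove the escaping and the italics and present the URI verbatim.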
@ -341,7 +341,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** The hint for the Microsoft Account and the custom URL are displayed.
![Example 1 of Customized BitLocker recovery screen](./images/rp-example1.png)
![Example 1 of Customized BitLocker recovery screen.](./images/rp-example1.png)
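Review bot: The new alt text `Example 1 of Customized BitLocker recovery screen.` capitalizes `Customized`, while the Example 2 through 5 alt texts in the later hunks of this file use lower-case `customized`; since this line is being edited anyway, suggest `Example 1 of customized BitLocker recovery screen.` for consistency.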
#### Example 2 (single recovery key with single backup)
@ -356,7 +356,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** Only the custom URL is displayed.
![Example 2 of customized BitLocker recovery screen](./images/rp-example2.png)
![Example 2 of customized BitLocker recovery screen.](./images/rp-example2.png)
#### Example 3 (single recovery key with multiple backups)
@ -371,7 +371,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** Only the Microsoft Account hint is displayed.
![Example 3 of customized BitLocker recovery screen](./images/rp-example3.png)
![Example 3 of customized BitLocker recovery screen.](./images/rp-example3.png)
#### Example 4 (multiple recovery passwords)
@ -401,7 +401,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** Only the hint for a successfully backed up key is displayed, even if it isn't the most recent key.
![Example 4 of customized BitLocker recovery screen](./images/rp-example4.png)
![Example 4 of customized BitLocker recovery screen.](./images/rp-example4.png)
#### Example 5 (multiple recovery passwords)
@ -431,7 +431,7 @@ There are rules governing which hint is shown during the recovery (in order of p
**Result:** The hint for the most recent key is displayed.
![Example 5 of customized BitLocker recovery screen](./images/rp-example5.png)
![Example 5 of customized BitLocker recovery screen.](./images/rp-example5.png)
## <a href="" id="bkmk-usingaddrecovery"></a>Using additional recovery information

View File

@ -55,7 +55,7 @@ manage-bde -status
```
This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume:
![Using manage-bde to check encryption status](images/manage-bde-status.png)
![Using manage-bde to check encryption status.](images/manage-bde-status.png)
The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process.
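Review bot: The context line `the BitLocker will need to access the USB flash drive` has a stray article before the product name; suggest `BitLocker will need to access the USB flash drive to obtain the encryption key`.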

View File

@ -58,7 +58,7 @@ You can use Get-WinEvent in an elevated PowerShell window to display filtered in
The output of such a command resembles the following.
![Display of events that is produced by using Get-WinEvent and a BitLocker filter](./images/psget-winevent-1.png)
![Display of events that is produced by using Get-WinEvent and a BitLocker filter.](./images/psget-winevent-1.png)
- To export BitLocker-related information:
```ps
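Review bot: The code fence tag `ps` on the last line of this hunk is not a standard language identifier and will not get PowerShell highlighting on most renderers; suggest tagging the fence `powershell`, matching the `Get-WinEvent` cmdlet the surrounding text describes.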
@ -77,7 +77,7 @@ You can use Get-WinEvent in an elevated PowerShell window to display filtered in
The output of such a command resembles the following.
![Display of events that is produced by using Get-WinEvent and a TPM filter](./images/psget-winevent-2.png)
![Display of events that is produced by using Get-WinEvent and a TPM filter.](./images/psget-winevent-2.png)
> [!NOTE]
> If you intend to contact Microsoft Support, we recommend that you export the logs listed in this section.

View File

@ -82,11 +82,11 @@ To verify that this issue has occurred, follow these steps:
1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring) command in the PowerShell window, as follows.
![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\INTERACTIVE](./images/ts-bitlocker-usb-sddl.png)
![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\INTERACTIVE.](./images/ts-bitlocker-usb-sddl.png)
If you see NT AUTHORITY\INTERACTIVE (as highlighted), in the output of this command, this is the cause of the issue. Under typical conditions, the output should resemble the following:
![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\Authenticated Users](./images/ts-bitlocker-usb-default-sddl.png)
![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\Authenticated Users.](./images/ts-bitlocker-usb-default-sddl.png)
> [!NOTE]
> GPOs that change the security descriptors of services have been known to cause this issue.
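Review bot: The comma in `If you see NT AUTHORITY\INTERACTIVE (as highlighted), in the output of this command, this is the cause of the issue` separates the condition from its prepositional phrase; suggest `If you see NT AUTHORITY\INTERACTIVE (as highlighted) in the output of this command, this is the cause of the issue.` The new alt texts correctly name the principal each screenshot shows, which is what the sentence relies on.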

View File

@ -45,11 +45,11 @@ To install the tool, follow these steps:
1. Accept the default installation path.
![Specify Location page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-1.png)
![Specify Location page of the Windows Hardware Lab Kit installation wizard.](./images/ts-tpm-1.png)
1. Under **Select the features you want to install**, select **Windows Hardware Lab Kit&mdash;Controller + Studio**.
![Select features page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-2.png)
![Select features page of the Windows Hardware Lab Kit installation wizard.](./images/ts-tpm-2.png)
1. Finish the installation.
@ -60,7 +60,7 @@ To use TBSLogGenerator, follow these steps:
This folder contains the TBSLogGenerator.exe file.
![Properties and location of the TBSLogGenerator.exe file](./images/ts-tpm-3.png)
![Properties and location of the TBSLogGenerator.exe file.](./images/ts-tpm-3.png)
1. Run the following command:
```cmd
@ -78,19 +78,19 @@ To use TBSLogGenerator, follow these steps:
TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt
```
![Command Prompt window that shows an example of how to use TBSLogGenerator](./images/ts-tpm-4.png)
![Command Prompt window that shows an example of how to use TBSLogGenerator.](./images/ts-tpm-4.png)
The command produces a text file that uses the specified name. In the case of the example, the file is **0000000005-0000000000.txt**. The file is located in the same folder as the original .log file.
![Windows Explorer window that shows the text file that TBSLogGenerator produces](./images/ts-tpm-5.png)
![Windows Explorer window that shows the text file that TBSLogGenerator produces.](./images/ts-tpm-5.png)
The content of this text file resembles the following.
![Contents of the text file, as shown in NotePad](./images/ts-tpm-6.png)
![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png)
To find the PCR information, go to the end of the file.
![View of NotePad that shows the PCR information at the end of the text file](./images/ts-tpm-7.png)
![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png)
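Review bot: The edited alt texts `Contents of the text file, as shown in NotePad.` and `View of NotePad that shows the PCR information at the end of the text file.` spell the product as `NotePad`; the Windows app is `Notepad`. Since both lines are touched here, fix the casing in the same change.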
## Use PCPTool to decode Measured Boot logs
@ -114,4 +114,4 @@ where the variables represent the following values:
The content of the XML file resembles the following.
![Command Prompt window that shows an example of how to use PCPTool](./images/pcptool-output.jpg)
![Command Prompt window that shows an example of how to use PCPTool.](./images/pcptool-output.jpg)

View File

@ -20,7 +20,7 @@ ms.custom: bitlocker
This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices.
![The BitLocker status indictors on the Intune portal](./images/4509189-en-1.png)
![The BitLocker status indictors on the Intune portal.](./images/4509189-en-1.png)
To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages:
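Review bot: The edited alt text `The BitLocker status indictors on the Intune portal.` carries the typo `indictors` into the new line; suggest `The BitLocker status indicators on the Intune portal.` while the line is being changed.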
@ -43,7 +43,7 @@ For information about how to verify that Intune policies are enforcing BitLocker
Event ID 853 can carry different error messages, depending on the context. In this case, the Event ID 853 error message indicates that the device does not appear to have a TPM. The event information resembles the following:
![Details of event ID 853 (TPM is not available, cannot find TPM)](./images/4509190-en-1.png)
![Details of event ID 853 (TPM is not available, cannot find TPM).](./images/4509190-en-1.png)
### Cause
@ -64,7 +64,7 @@ For more information, see [Troubleshoot the TPM](../tpm/initialize-and-configure
In this case, you see event ID 853, and the error message in the event indicates that bootable media is available to the device. The event information resembles the following.
![Details of event ID 853 (TPM is not available, bootable media found)](./images/4509191-en-1.png)
![Details of event ID 853 (TPM is not available, bootable media found).](./images/4509191-en-1.png)
### Cause
@ -100,7 +100,7 @@ You can resolve this issue by verifying the configuration of the disk partitions
The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 11 and Windows 10 automatically create a recovery partition that contains the Winre.wim file. The partition configuration resembles the following.
![Default disk partitions, including the recovery partition](./images/4509194-en-1.png)
![Default disk partitions, including the recovery partition.](./images/4509194-en-1.png)
To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands:
@ -108,11 +108,11 @@ To verify the configuration of the disk partitions, open an elevated Command Pro
diskpart
list volume
```
![Output of the list volume command in the Diskpart app](./images/4509195-en-1.png)
![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png)
If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager).
![Windows image configuration in Microsoft Endpoint Configuration Manager](./images/configmgr-imageconfig.jpg)
![Windows image configuration in Microsoft Endpoint Configuration Manager.](./images/configmgr-imageconfig.jpg)
#### Step 2: Verify the status of WinRE
@ -123,7 +123,7 @@ reagentc /info
```
The output of this command resembles the following.
![Output of the reagentc /info command](./images/4509193-en-1.png)
![Output of the reagentc /info command.](./images/4509193-en-1.png)
If the **Windows RE status** is not **Enabled**, run the following command to enable it:
@ -141,7 +141,7 @@ bcdedit /enum all
The output of this command resembles the following.
![Output of the bcdedit /enum all command](./images/4509196-en-1.png)
![Output of the bcdedit /enum all command.](./images/4509196-en-1.png)
In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros.
@ -163,7 +163,7 @@ To verify the BIOS mode, use the System Information app. To do this, follow thes
1. Select **Start**, and enter **msinfo32** in the **Search** box.
1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**.
![System Information app, showing the BIOS Mode setting](./images/4509198-en-1.png)
![System Information app, showing the BIOS Mode setting.](./images/4509198-en-1.png)
1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device.
> [!NOTE]
> If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device.
@ -192,11 +192,11 @@ Manage-bde -protectors -get %systemdrive%
In the TPM section of the output of this command, verify that the **PCR Validation Profile** setting includes **7**, as follows.
![Output of the manage-bde command](./images/4509199-en-1.png)
![Output of the manage-bde command.](./images/4509199-en-1.png)
If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then Secure Boot is not turned on.
![Output of the manage-bde command when PCR 7 is not present](./images/4509200-en-1.png)
![Output of the manage-bde command when PCR 7 is not present.](./images/4509200-en-1.png)
#### 2. Verify the Secure Boot state
@ -204,9 +204,9 @@ To verify the Secure Boot state, use the System Information app. To do this, fol
1. Select **Start**, and enter **msinfo32** in the **Search** box.
1. Verify that the **Secure Boot State** setting is **On**, as follows:
![System Information app, showing a supported Secure Boot State](./images/4509201-en-1.png)
![System Information app, showing a supported Secure Boot State.](./images/4509201-en-1.png)
1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device.
![System Information app, showing a unsupported Secure Boot State](./images/4509202-en-1.png)
![System Information app, showing a unsupported Secure Boot State.](./images/4509202-en-1.png)
> [!NOTE]
> You can also use the [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command:
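Review bot: The edited alt text `System Information app, showing a unsupported Secure Boot State.` needs `an`; suggest `System Information app, showing an unsupported Secure Boot State.` since the line is already being rewritten.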
@ -290,7 +290,7 @@ If your device runs Windows 10 version 1703 or later, or Windows 11, supports M
If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker Drive Encryption. The settings for this policy should resemble the following:
![Intune policy settings](./images/4509186-en-1.png)
![Intune policy settings.](./images/4509186-en-1.png)
The OMA-URI references for these settings are as follows:
@ -316,7 +316,7 @@ The Intune 1901 release provides settings that you can use to configure automati
- Support Modern Standby
- Use Windows 10 version 1803 or later, or Windows 11
![Intune policy setting](./images/4509188-en-1.png)
![Intune policy setting.](./images/4509188-en-1.png)
The OMA-URI references for these settings are as follows:
@ -331,17 +331,17 @@ The OMA-URI references for these settings are as follows:
During regular operations, BitLocker Drive Encryption generates events such as Event ID 796 and Event ID 845.
![Event ID 796, as shown in Event Viewer](./images/4509203-en-1.png)
![Event ID 796, as shown in Event Viewer.](./images/4509203-en-1.png)
![Event ID 845, as shown in Event Viewer](./images/4509204-en-1.png)
![Event ID 845, as shown in Event Viewer.](./images/4509204-en-1.png)
You can also determine whether the BitLocker recovery password has been uploaded to Azure AD by checking the device details in the Azure AD Devices section.
![BitLocker recovery information as viewed in Azure AD](./images/4509205-en-1.png)
![BitLocker recovery information as viewed in Azure AD.](./images/4509205-en-1.png)
On the device, check the Registry Editor to verify the policy settings on the device. Verify the entries under the following subkeys:
- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\BitLocker**
- **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device**
![Registry subkeys that relate to Intune policy](./images/4509206-en-1.png)
![Registry subkeys that relate to Intune policy.](./images/4509206-en-1.png)

View File

@ -53,7 +53,7 @@ By default, peripherals with DMA Remapping incompatible drivers will be blocked
## User experience
![Kernel DMA protection user experience](images/kernel-dma-protection-user-experience.png)
![Kernel DMA protection user experience.](images/kernel-dma-protection-user-experience.png)
By default, peripherals with DMA remapping compatible device drivers will be automatically enumerated and started. Peripherals with DMA Remapping incompatible drivers will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged.
The peripheral will continue to function normally if the user locks the screen or logs out of the system.
@ -77,7 +77,7 @@ Systems running Windows 10 version 1803 that do support Kernel DMA Protection do
Beginning with Windows 10 version 1809, you can use Security Center to check if Kernel DMA Protection is enabled. Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation details** > **Memory access protection**.
![Kernel DMA protection in Security Center](bitlocker/images/kernel-dma-protection-security-center.png)
![Kernel DMA protection in Security Center.](bitlocker/images/kernel-dma-protection-security-center.png)
### Using System information
@ -85,7 +85,7 @@ Beginning with Windows 10 version 1809, you can use Security Center to check if
2. Check the value of **Kernel DMA Protection**.
![Kernel DMA protection in System Information](bitlocker/images/kernel-dma-protection.png)
![Kernel DMA protection in System Information.](bitlocker/images/kernel-dma-protection.png)
3. If the current state of **Kernel DMA Protection** is OFF and **Hyper-V - Virtualization Enabled in Firmware** is NO:
@ -113,11 +113,11 @@ No, Kernel DMA Protection only protects against drive-by DMA attacks after the O
DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (i.e. the device driver does not support DMA-remapping).
Please check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external).
![Kernel DMA protection user experience](images/device_details_tab_1903.png)
![Kernel DMA protection user experience.](images/device_details_tab_1903.png)
*For Windows 10 versions 1803 and 1809, the property field in Device Manager uses a GUID, as highlighted in the following image.
![Kernel DMA protection user experience](images/device-details-tab.png)
![Kernel DMA protection user experience.](images/device-details-tab.png)
### What should I do if the drivers for my PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping?
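Review bot: Both screenshots in this hunk reuse the alt text "Kernel DMA protection user experience." although they show the Details tab of a device in Device Manager with the DMA Remapping Policy property (and, for 1803/1809, that property displayed as a GUID), so the alt text does not describe the image and gives a screen-reader user no way to tell the two apart; suggest descriptive text such as `![Device Manager Details tab showing the DMA Remapping Policy property.](images/device_details_tab_1903.png)` and `![Device Manager Details tab showing the DMA Remapping Policy property as a GUID on Windows 10 versions 1803 and 1809.](images/device-details-tab.png)`, keeping the trailing period this change adds.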

View File

@ -55,7 +55,7 @@ Windows 10 supports four features to help prevent rootkits and bootkits from lo
Figure 1 shows the Windows 10 startup process.
![Windows 10 startup process](./images/dn168167.boot_process(en-us,MSDN.10).png)
![Windows 10 startup process.](./images/dn168167.boot_process(en-us,MSDN.10).png)
**Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage**
@ -115,7 +115,7 @@ Depending on the implementation and configuration, the server can now determine
Figure 2 illustrates the Measured Boot and remote attestation process.
![Measured Boot and remote attestation process](./images/dn168167.measure_boot(en-us,MSDN.10).png)
![Measured Boot and remote attestation process.](./images/dn168167.measure_boot(en-us,MSDN.10).png)
**Figure 2. Measured Boot proves the PCs health to a remote server**

View File

@ -84,7 +84,7 @@ Identity providers have flexibility in how they provision credentials on client
**Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios.
![TPM Capabilities](images/tpm-capabilities.png)
![TPM Capabilities.](images/tpm-capabilities.png)
*Figure 1: TPM Cryptographic Key Management*
@ -126,7 +126,7 @@ The TPM provides the following way for scenarios to use the measurements recorde
When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state.
![Process to Create Evidence of Boot Software and Configuration Using TPM](images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png)
![Process to Create Evidence of Boot Software and Configuration Using TPM.](images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png)
*Figure 2: Process used to create evidence of boot software and configuration using a TPM*

View File

@ -91,7 +91,7 @@ It's possible that you might revoke data from an unenrolled device only to later
To start Robocopy in S mode, open Task Manager. Click **File** > **Run new task**, type the command, and click **Create this task with administrative privileges**.
![Robocopy in S mode](images/robocopy-s-mode.png)
![Robocopy in S mode.](images/robocopy-s-mode.png)
If the employee performed a clean installation and there is no user profile, you need to recover the keys from the System Volume folder in each drive. Type:

View File

@ -34,11 +34,11 @@ Follow these steps to associate your WIP policy with your organization's existin
2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**.
![Microsoft Intune, Create a new policy using the portal](images/wip-azure-vpn-device-policy.png)
![Microsoft Intune, Create a new policy using the portal.](images/wip-azure-vpn-device-policy.png)
3. In the **Create Profile** blade, type a name for your profile, such as *Contoso_VPN_Win10*, into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**.
![Microsoft Intune, Create a new policy using the Create Profile blade](images/wip-azure-vpn-configure-policy.png)
![Microsoft Intune, Create a new policy using the Create Profile blade.](images/wip-azure-vpn-configure-policy.png)
4. In the **Custom OMA-URI Settings** blade, click **Add**.
@ -54,7 +54,7 @@ Follow these steps to associate your WIP policy with your organization's existin
- **Value.** Type your fully-qualified domain that should be used by the OMA-URI setting. For example, _corp.contoso.com_.
![Microsoft Intune, Add your OMA-URI settings](images/wip-azure-vpn-custom-omauri.png)
![Microsoft Intune, Add your OMA-URI settings.](images/wip-azure-vpn-custom-omauri.png)
6. Click **OK** to save your setting info in the **Add Row** blade, and then click **OK** in the **Custom OMA-URI Settings** blade to save the setting with your policy.
@ -73,7 +73,7 @@ After youve created your VPN policy, you'll need to deploy it to the same gro
The policy is deployed to the selected users' devices.
![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png)
![Microsoft Intune: Pick your user groups that should get the policy when it's deployed.](images/wip-azure-add-user-groups.png)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

View File

@ -36,12 +36,12 @@ After you've installed and set up Configuration Manager for your organization, y
1. Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
![Configuration Manager, Configuration Items screen](images/wip-configmgr-addpolicy.png)
![Configuration Manager, Configuration Items screen.](images/wip-configmgr-addpolicy.png)
2. Click the **Create Configuration Item** button.<p>
The **Create Configuration Item Wizard** starts.
![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/wip-configmgr-generalscreen.png)
![Create Configuration Item wizard, define the configuration item and choose the configuration type.](images/wip-configmgr-generalscreen.png)
3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
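Review bot: The context line `2. Click the **Create Configuration Item** button.<p>` leaves a raw `<p>` tag unclosed inside a Markdown list item; if it is meant to separate the step from "The **Create Configuration Item Wizard** starts.", replace it with a blank line (or a trailing `<br>`), otherwise the rendered HTML is malformed around the screenshot this hunk edits.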
@ -55,11 +55,11 @@ The **Create Configuration Item Wizard** starts.
5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**.
![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-configmgr-supportedplat.png)
![Create Configuration Item wizard, choose the supported platforms for the policy.](images/wip-configmgr-supportedplat.png)
6. On the **Device Settings** screen, click **Windows Information Protection**, and then click **Next**.
![Create Configuration Item wizard, choose the Windows Information Protection settings](images/wip-configmgr-devicesettings.png)
![Create Configuration Item wizard, choose the Windows Information Protection settings.](images/wip-configmgr-devicesettings.png)
The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization.
@ -81,7 +81,7 @@ For this example, we're going to add Microsoft OneNote, a store app, to the **Ap
The **Add app rule** box appears.
![Create Configuration Item wizard, add a universal store app](images/wip-configmgr-adduniversalapp.png)
![Create Configuration Item wizard, add a universal store app.](images/wip-configmgr-adduniversalapp.png)
2. Add a friendly name for your app into the **Title** box. In this example, it's *Microsoft OneNote*.
@ -141,7 +141,7 @@ For this example, we're going to add Internet Explorer, a desktop app, to the **
The **Add app rule** box appears.
![Create Configuration Item wizard, add a classic desktop app](images/wip-configmgr-adddesktopapp.png)
![Create Configuration Item wizard, add a classic desktop app.](images/wip-configmgr-adddesktopapp.png)
2. Add a friendly name for your app into the **Title** box. In this example, it's *Internet Explorer*.
@ -218,7 +218,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png)
![Local security snap-in, showing the Packaged app Rules.](images/intune-local-security-snapin.png)
3. Right-click in the right-hand pane, and then click **Create New Rule**.
@ -226,33 +226,33 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
4. On the **Before You Begin** page, click **Next**.
![Create a Packaged app Rules wizard and showing the Before You Begin page](images/intune-applocker-before-begin.png)
![Create a Packaged app Rules wizard and showing the Before You Begin page.](images/intune-applocker-before-begin.png)
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
![Create Packaged app Rules wizard, set action to Allow](images/intune-applocker-permissions.png)
![Create Packaged app Rules wizard, set action to Allow.](images/intune-applocker-permissions.png)
6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area.
![Create Packaged app Rules wizard, select use an installed packaged app](images/intune-applocker-publisher.png)
![Create Packaged app Rules wizard, select use an installed packaged app.](images/intune-applocker-publisher.png)
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we're using Microsoft Photos.
![Create Packaged app Rules wizard, select application and click ok](images/intune-applocker-select-apps.png)
![Create Packaged app Rules wizard, select application and click ok.](images/intune-applocker-select-apps.png)
8. On the updated **Publisher** page, click **Create**.
![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png)
![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page.](images/intune-applocker-publisher-with-app.png)
9. Review the Local Security Policy snap-in to make sure your rule is correct.
![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png)
![Local security snap-in, showing the new rule.](images/intune-local-security-snapin-updated.png)
10. In the left pane, right-click on **AppLocker**, and then click **Export policy**.
The **Export policy** box opens, letting you export and save your new policy as XML.
![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png)
![Local security snap-in, showing the Export Policy option.](images/intune-local-security-export.png)
11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
@ -286,7 +286,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
The **Add app rule** box appears.
![Create Configuration Item wizard, add an AppLocker policy](images/wip-configmgr-addapplockerfile.png)
![Create Configuration Item wizard, add an AppLocker policy.](images/wip-configmgr-addapplockerfile.png)
2. Add a friendly name for your app into the **Title** box. In this example, it's *Allowed app list*.
@ -353,7 +353,7 @@ You can specify multiple domains owned by your enterprise by separating them wit
- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/wip-configmgr-corp-identity.png)
![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity.](images/wip-configmgr-corp-identity.png)
## Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
@ -372,7 +372,7 @@ There are no default locations included with WIP, you must add each of your netw
2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
![Add or edit corporate network definition box, Add your enterprise network locations](images/wip-configmgr-add-network-domain.png)
![Add or edit corporate network definition box, Add your enterprise network locations.](images/wip-configmgr-add-network-domain.png)
<table>
<tr>
@ -431,7 +431,7 @@ There are no default locations included with WIP, you must add each of your netw
5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/wip-configmgr-dra.png)
![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate.](images/wip-configmgr-dra.png)
After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
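Review bot: In the last context line, "the private key that can unencrypt the data" should read "decrypt the data"; since this paragraph is where the reader learns that the DRA private key is the only recovery path once local keys are lost or revoked, it is also worth one sentence saying that this private key must be stored and backed up securely, as its loss makes the same data unrecoverable.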
@ -440,7 +440,7 @@ There are no default locations included with WIP, you must add each of your netw
## Choose your optional WIP-related settings
After you've decided where your protected apps can access enterprise data on your network, you'll be asked to decide if you want to add any optional WIP settings.
![Create Configuration Item wizard, Choose any additional, optional settings](images/wip-configmgr-additionalsettings.png)
![Create Configuration Item wizard, Choose any additional, optional settings.](images/wip-configmgr-additionalsettings.png)
**To set your optional settings**
1. Choose to set any or all of the optional settings:
@ -467,7 +467,7 @@ After you've finished configuring your policy, you can review all of your info o
**To view the Summary screen**
- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.
![Create Configuration Item wizard, Summary screen for all of your policy choices](images/wip-configmgr-summaryscreen.png)
![Create Configuration Item wizard, Summary screen for all of your policy choices.](images/wip-configmgr-summaryscreen.png)
A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.

View File

@ -50,7 +50,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
3. Click **Restore Default URLs** or enter the settings for MDM or MAM user scope and click **Save**:
![Configure MDM or MAM provider](images/mobility-provider.png)
![Configure MDM or MAM provider.](images/mobility-provider.png)
## Create a WIP policy
@ -58,7 +58,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
2. Open Microsoft Intune and click **Apps** > **App protection policies** > **Create policy**.
![Open Client apps](images/create-app-protection-policy.png)
![Open Client apps.](images/create-app-protection-policy.png)
3. In the **App policy** screen, click **Add a policy**, and then fill out the fields:
@ -70,11 +70,11 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
- **Enrollment state.** Choose **Without enrollment** for MAM or **With enrollment** for MDM.
![Add a mobile app policy](images/add-a-mobile-app-policy.png)
![Add a mobile app policy.](images/add-a-mobile-app-policy.png)
4. Click **Protected apps** and then click **Add apps**.
![Add protected apps](images/add-protected-apps.png)
![Add protected apps.](images/add-protected-apps.png)
You can add these types of apps:
@ -89,7 +89,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
Select **Recommended apps** and select each app you want to access your enterprise data or select them all, and click **OK**.
![Microsoft Intune management console: Recommended apps](images/recommended-apps.png)
![Microsoft Intune management console: Recommended apps.](images/recommended-apps.png)
### Add Store apps
@ -99,7 +99,7 @@ Select **Store apps**, type the app product name and publisher, and click **OK**
- **Publisher**: `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
- **Product Name**: `Microsoft.MicrosoftPowerBIForWindows`
![Add Store app](images/add-a-protected-store-app.png)
![Add Store app.](images/add-a-protected-store-app.png)
To add multiple Store apps, click the ellipsis **…**.
@ -201,7 +201,7 @@ To add **Desktop apps**, complete the following fields, based on what results yo
To add another Desktop app, click the ellipsis **…**. After youve entered the info into the fields, click **OK**.
![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png)
![Microsoft Intune management console: Adding Desktop app info.](images/wip-azure-add-desktop-apps.png)
If youre unsure about what to include for the publisher, you can run this PowerShell command:
@ -242,7 +242,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo
2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
![Local security snap-in, showing the Packaged app Rules](images/wip-applocker-secpol-1.png)
![Local security snap-in, showing the Packaged app Rules.](images/wip-applocker-secpol-1.png)
3. Right-click in the right-hand blade, and then click **Create New Rule**.
@ -250,7 +250,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo
4. On the **Before You Begin** page, click **Next**.
![Screenshot of the Before You Begin tab](images/wip-applocker-secpol-wizard-1.png)
![Screenshot of the Before You Begin tab.](images/wip-applocker-secpol-wizard-1.png)
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
@ -262,25 +262,25 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, were using Microsoft Dynamics 365.
![Screenshot of the Select applications list](images/wip-applocker-secpol-wizard-4.png)
![Screenshot of the Select applications list.](images/wip-applocker-secpol-wizard-4.png)
8. On the updated **Publisher** page, click **Create**.
![Screenshot of the Publisher tab](images/wip-applocker-secpol-wizard-5.png)
![Screenshot of the Publisher tab.](images/wip-applocker-secpol-wizard-5.png)
9. Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy.
![Screenshot of AppLocker warning](images/wip-applocker-default-rule-warning.png)
![Screenshot of AppLocker warning.](images/wip-applocker-default-rule-warning.png)
9. Review the Local Security Policy snap-in to make sure your rule is correct.
![Local security snap-in, showing the new rule](images/wip-applocker-secpol-create.png)
![Local security snap-in, showing the new rule.](images/wip-applocker-secpol-create.png)
10. In the left blade, right-click on **AppLocker**, and then click **Export policy**.
The **Export policy** box opens, letting you export and save your new policy as XML.
![Local security snap-in, showing the Export Policy option](images/wip-applocker-secpol-export.png)
![Local security snap-in, showing the Export Policy option.](images/wip-applocker-secpol-export.png)
11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
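Review bot: The step numbering in this hunk is broken: "9. Click **No** in the dialog box..." and "9. Review the Local Security Policy snap-in..." both carry the number 9, followed by 10 and 11, so the procedure has two step 9s; renumber the review step to 10 and shift the export and save steps to 11 and 12 (and update any cross-references to these step numbers elsewhere in the article).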
@ -320,7 +320,7 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps.
3. Right-click **Executable Rules** > **Create New Rule**.
![Local security snap-in, showing the Executable Rules](images/create-new-path-rule.png)
![Local security snap-in, showing the Executable Rules.](images/create-new-path-rule.png)
4. On the **Before You Begin** page, click **Next**.
@ -328,11 +328,11 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps.
6. On the **Conditions** page, click **Path** and then click **Next**.
![Screenshot with Path conditions selected in the Create Executable Rules wizard](images/path-condition.png)
![Screenshot with Path conditions selected in the Create Executable Rules wizard.](images/path-condition.png)
7. Click **Browse Folders...** and select the path for the unsigned apps. For this example, were using "C:\Program Files".
![Screenshot of the Path field of the Create Executable Rules wizard](images/select-path.png)
![Screenshot of the Path field of the Create Executable Rules wizard.](images/select-path.png)
8. On the **Exceptions** page, add any exceptions and then click **Next**.
@ -351,11 +351,11 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps.
1. In **Protected apps**, click **Import apps**.
![Import protected apps](images/import-protected-apps.png)
![Import protected apps.](images/import-protected-apps.png)
Then import your file.
![Microsoft Intune, Importing your AppLocker policy file using Intune](images/wip-azure-import-apps.png)
![Microsoft Intune, Importing your AppLocker policy file using Intune.](images/wip-azure-import-apps.png)
2. Browse to your exported AppLocker policy file, and then click **Open**.
@ -366,7 +366,7 @@ If your app is incompatible with WIP, but still needs to be used with enterprise
1. In **Client apps - App protection policies**, click **Exempt apps**.
![Exempt apps](images/exempt-apps.png)
![Exempt apps.](images/exempt-apps.png)
2. In **Exempt apps**, click **Add apps**.
@ -391,7 +391,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
1. From the **App protection policy** blade, click the name of your policy, and then click **Required settings**.
![Microsoft Intune, Required settings blade showing Windows Information Protection mode](images/wip-azure-required-settings-protection-mode.png)
![Microsoft Intune, Required settings blade showing Windows Information Protection mode.](images/wip-azure-required-settings-protection-mode.png)
|Mode |Description |
|-----|------------|
@ -413,11 +413,11 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor
2. If the auto-defined identity isnt correct, you can change the info in the **Corporate identity** field.
![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png)
![Microsoft Intune, Set your corporate identity for your organization.](images/wip-azure-required-settings-corp-identity.png)
3. To add domains, such your email domain names, click **Configure Advanced settings** > **Add network boundary** and select **Protected domains**.
![Add protected domains](images/add-protected-domains.png)
![Add protected domains.](images/add-protected-domains.png)
## Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include your enterprise network locations.
@ -426,7 +426,7 @@ There are no default locations included with WIP, you must add each of your netw
To define the network boundaries, click **App policy** > the name of your policy > **Advanced settings** > **Add network boundary**.
![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png)
![Microsoft Intune, Set where your apps can access enterprise data on your network.](images/wip-azure-advanced-settings-network.png)
Select the type of network boundary to add from the **Boundary type** box. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the options covered in the following subsections, and then click **OK**.
@ -558,7 +558,7 @@ Decide if you want Windows to look for additional network settings:
- **Enterprise IP Ranges list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you turn this off, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise](images/wip-azure-advanced-settings-network-autodetect.png)
![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise.](images/wip-azure-advanced-settings-network-autodetect.png)
## Upload your Data Recovery Agent (DRA) certificate
After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees local device drive. If somehow the employees local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data.
@ -573,12 +573,12 @@ After you create and deploy your WIP policy to your employees, Windows begins to
2. In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png)
![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate.](images/wip-azure-advanced-settings-efsdra.png)
## Choose your optional WIP-related settings
After you've decided where your protected apps can access enterprise data on your network, you can choose optional settings.
![Advanced optional settings](images/wip-azure-advanced-settings-optional.png)
![Advanced optional settings.](images/wip-azure-advanced-settings-optional.png)
**Revoke encryption keys on unenroll.** Determines whether to revoke a users local encryption keys from a device when its unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
@ -613,7 +613,7 @@ After you've decided where your protected apps can access enterprise data on you
You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied.
![WIP encrypted file extensions](images/wip-encrypted-file-extensions.png)
![WIP encrypted file extensions.](images/wip-encrypted-file-extensions.png)
## Related topics

View File

@ -34,7 +34,7 @@ After youve created your Windows Information Protection (WIP) policy, you'll
The policy is deployed to the selected users' devices.
![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png)
![Microsoft Intune: Pick your user groups that should get the policy when it's deployed.](images/wip-azure-add-user-groups.png)
>[!NOTE]

View File

@ -36,13 +36,13 @@ You need to add the Enterprise Context column to the **Details** tab of the Task
The **Select columns** box appears.
![Task Manager, Select column box with Enterprise Context option selected](images/wip-select-column.png)
![Task Manager, Select column box with Enterprise Context option selected.](images/wip-select-column.png)
3. Scroll down and check the **Enterprise Context** option, and then click **OK** to close the box.
The **Enterprise Context** column should now be available in Task Manager.
![Task Manager, Enterprise Context column highlighted](images/wip-taskmgr.png)
![Task Manager, Enterprise Context column highlighted.](images/wip-taskmgr.png)
## Review the Enterprise Context
The **Enterprise Context** column shows you what each app can do with your enterprise data:


@ -38,11 +38,11 @@ In the **Website learning report**, you can view a summary of the devices that h
1. Click **Intune** > **Client apps** > **App protection status** > **Reports**.
![Image showing the UI path to the WIP report](images/access-wip-learning-report.png)
![Image showing the UI path to the WIP report.](images/access-wip-learning-report.png)
1. Select either **App learning report for Windows Information Protection** or **Website learning report for Windows Information Protection**.
![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png)
![Image showing the UI with for app and website learning reports.](images/wip-learning-select-report.png)
Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies.
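Review bot: the new alt text "Image showing the UI with for app and website learning reports." keeps the stray "with" from the original line and only appends a period; drop the extra word so the alt text reads "Image showing the UI for app and website learning reports." while this line is being touched.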
@ -75,7 +75,7 @@ The information needed for the following steps can be found using Device Health,
4. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app).
![View of drop down menu for Store or desktop apps](images/wip-learning-choose-store-or-desktop-app.png)
![View of drop down menu for Store or desktop apps.](images/wip-learning-choose-store-or-desktop-app.png)
5. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 1 above.
@ -87,7 +87,7 @@ The information needed for the following steps can be found using Device Health,
`O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US`
![View of Add Apps app info entry boxes](images/wip-learning-app-info.png)
![View of Add Apps app info entry boxes.](images/wip-learning-app-info.png)
6. Type the name of the product in **PRODUCT NAME** (required) (this will probably be the same as what you typed for **NAME**).