From 91f02e441e61af5ef2c39fec855172fadfd51e28 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Wed, 21 Sep 2016 12:51:04 -0700 Subject: [PATCH 01/12] Added new limitations topic --- windows/keep-secure/TOC.md | 1 + .../guidance-and-best-practices-wip.md | 3 +- windows/keep-secure/limitations-with-wip.md | 72 +++++++++++++++++++ 3 files changed, 75 insertions(+), 1 deletion(-) create mode 100644 windows/keep-secure/limitations-with-wip.md diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index 57a7d44fcf..c43b7b759f 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -35,6 +35,7 @@ #### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) #### [Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) #### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) +#### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) ## [Use Windows Event Forwarding to help with intrusion detection](use-windows-event-forwarding-to-assist-in-instrusion-detection.md) ## [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) ## [VPN profile options](vpn-profile-options.md) diff --git a/windows/keep-secure/guidance-and-best-practices-wip.md b/windows/keep-secure/guidance-and-best-practices-wip.md index b64a82a6e0..b91386f0c0 100644 --- a/windows/keep-secure/guidance-and-best-practices-wip.md +++ b/windows/keep-secure/guidance-and-best-practices-wip.md 
@@ -25,4 +25,5 @@ This section includes info about the enlightened Microsoft apps, including how t |[Windows Information Protection (WIP) overview](wip-enterprise-overview.md) |High-level overview info about why to use WIP, the enterprise scenarios, and how to turn it off. | |[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. | |[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. | -|[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. | \ No newline at end of file +|[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. | +|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |The most common problems you might encounter while using Windows Information Protection (WIP). | \ No newline at end of file diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md new file mode 100644 index 0000000000..07244d94d6 --- /dev/null +++ b/windows/keep-secure/limitations-with-wip.md 
@@ -0,0 +1,72 @@ +--- +title: Limitations while using Windows Information Protection (WIP) (Windows 10) +description: This section includes info about the common problems you might encounter while using Windows Information Protection (WIP). +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +author: eross-msft +localizationpriority: high +--- + +# Limitations while using Windows Information Protection (WIP) +**Applies to:** + +- Windows 10, version 1607 +- Windows 10 Mobile + +This table provides info about the most common problems you might encounter while running WIP in your organization. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
LimitationHow it appearsWorkaround
Enterprise data on USB drives is tied to the device it was protected on.Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.

We strongly recommend educating employees about how to limit or eliminate the need for this decryption.

Direct Access is incompatible with WIP.Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource.We recommend that you use VPN for client access to your intranet resources.

Note
VPN is optional and isn’t required by WIP.

NetworkIsolation Group Policy setting is incompatible with WIP.The NetworkIsolation Group Policy setting has incompatible network settings that can conflict and cause problems with WIP.We recommend that you don’t use the NetworkIsolation Group Policy setting.
Cortana can potentially allow data leakage if it’s on the allowed apps list.Don’t add Cortana to your allowed apps list.
WIP is designed for use by a single user per device.A secondary user on a device might experience app compat issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process.We recommend only having one user per managed device.
Installers copied from an enterprise network file share might not work properly.An app might fail to properly install because it can’t read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action.To fix this, you can: +
    +
  1. Start the installer directly from the file share.

    -OR-

  2. +
  3. Decrypt the locally copied files needed by the installer.

    -OR-

  4. +
  5. Mark the file share with the installation media as “personal”. To do this, you’ll need to set the Enterprise IP ranges as Authoritative and then exclude the IP address of the file server, or you’ll need to put the file server on the Enterprise Proxy Server list.
  6. +
Changing your primary Corporate Identity isn’t supported.You may experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access.Turn off WIP for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying.
Redirected folders with Client Side Caching are not compatible with WIP.Apps might encounter access errors while attempting to read a cached, offline file.Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.
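Review bot: In the guidance-and-best-practices-wip.md hunk, the new last row still ends with "\ No newline at end of file", which is why the unchanged Testing scenarios row has to appear as a -/+ pair here. End the file with a newline so the next row appended to this table shows up as a one-line addition.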
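Review bot: In the new limitations-with-wip.md table, the Cortana row has a limitation and a workaround but nothing under "How it appears", so the reader is told not to add Cortana to the allowed apps list without learning what the leakage looks like. Fill that cell in before publishing. In the USB row, "employees can decrypt protected files, but it will be audited" would also be more useful if it said where that audit record can be reviewed.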
From ffcfed9c30ebdf6a6cb60484f9d15260a6e50ce8 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 22 Sep 2016 08:59:23 -0700 Subject: [PATCH 02/12] Changed may to might --- windows/keep-secure/limitations-with-wip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index 07244d94d6..d30082e0f4 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md @@ -61,7 +61,7 @@ This table provides info about the most common problems you might encounter whil Changing your primary Corporate Identity isn’t supported. - You may experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access. + You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access. Turn off WIP for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying. From f384c159dd41e0b8872ec22fb8a0a7e71b21a5c3 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 22 Sep 2016 10:02:33 -0700 Subject: [PATCH 03/12] Added info about Cortana --- windows/keep-secure/limitations-with-wip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index d30082e0f4..9863a66944 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md @@ -41,7 +41,7 @@ This table provides info about the most common problems you might encounter whil Cortana can potentially allow data leakage if it’s on the allowed apps list. - + Some files might become unexpectedly encrypted after searches. Cortana can search and provide results on enterprise documents and locations. Don’t add Cortana to your allowed apps list. 
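Review bot: In [PATCH 02/12], the reworded line still ends with "and potentially granting incorrect access", which does not parallel "network and file access failures" and buries the one security-relevant outcome at the end of a list of instabilities. Consider giving it its own sentence, for example "Access might also be granted incorrectly", so an admin does not read it as just another stability issue.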
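Review bot: In [PATCH 03/12], the new "How it appears" cell never says how data leaks, although the limitation column for this row is "Cortana can potentially allow data leakage if it's on the allowed apps list". The added text only mentions unexpected encryption and that Cortana can search enterprise documents and locations; add a sentence that states where the data can end up, so the symptom matches the stated risk.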
From daf00e41cc2e12f40c2364aea51790430870a917 Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 22 Sep 2016 11:36:36 -0700 Subject: [PATCH 04/12] Added one last limitation --- windows/keep-secure/limitations-with-wip.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index 9863a66944..cb394d0ba4 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md @@ -69,4 +69,8 @@ This table provides info about the most common problems you might encounter whil Apps might encounter access errors while attempting to read a cached, offline file. Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business. + + You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer. + A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**. + Open File Explorer and change the file ownership to **Personal** before you upload. From d5ef1fd4256bf8c6c06e21d7a279b928b8df283b Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 22 Sep 2016 11:59:05 -0700 Subject: [PATCH 05/12] Updated Cortana text, waiting for approval --- windows/keep-secure/limitations-with-wip.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index cb394d0ba4..baeed3415a 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md 
@@ -41,8 +41,8 @@ This table provides info about the most common problems you might encounter whil Cortana can potentially allow data leakage if it’s on the allowed apps list. - Some files might become unexpectedly encrypted after searches. Cortana can search and provide results on enterprise documents and locations. - Don’t add Cortana to your allowed apps list. + Some files might become unexpectedly encrypted after an employee performs a search using Cortana while it's on the allowed apps list. Regardless whether Cortana is on the allowed list, your employees will still be able to use Cortana to search and provide results on enterprise documents and locations. + We don’t recommend adding Cortana to your allowed apps list. WIP is designed for use by a single user per device. From d0eb64e4864b999143881146804ad73d2f6a672e Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 22 Sep 2016 13:36:22 -0700 Subject: [PATCH 06/12] Fixed HTML --- windows/keep-secure/limitations-with-wip.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index baeed3415a..c7cc2666e0 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md @@ -73,4 +73,5 @@ This table provides info about the most common problems you might encounter whil You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer. A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**. Open File Explorer and change the file ownership to **Personal** before you upload. + From d8d19bdda95c977b96603c2ed7db1a4ace988cde Mon Sep 17 00:00:00 2001 From: LizRoss Date: Thu, 22 Sep 2016 13:44:01 -0700 Subject: [PATCH 07/12] Updated to reflect changes to networking and limitations --- .../keep-secure/change-history-for-keep-windows-10-secure.md | 3 +++ 1 file changed, 3 insertions(+) 
diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 5de6b76a7a..6dc8ea8b8c 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md @@ -16,6 +16,9 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md | New or changed topic | Description | | --- | --- | +|[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) | New | +|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Updated the networking table to clarify details around Enterprise Cloud Resources and Enterprise Proxy Servers. | +|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |Updated the networking table to clarify details around Enterprise Cloud Resources and Enterprise Proxy Servers. | | [Implement Windows Hello for Business in your organization](implement-microsoft-passport-in-your-organization.md) | Clarified how convenience PIN works in Windows 10, version 1607, on domain-joined PCs | | [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md) | Corrected certreq ezxample and added a new Windows PowerShell example for creating a self-signed certficate | From cfb9c194b9a5f854de770e01f9fac51ac1673f64 Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 23 Sep 2016 12:56:16 -0700 Subject: [PATCH 08/12] adding localizationpriority YAML metadata --- browsers/internet-explorer/ie11-deploy-guide/index.md | 1 + browsers/internet-explorer/ie11-ieak/index.md | 1 + devices/surface/index.md | 1 + 3 files changed, 3 insertions(+) diff --git a/browsers/internet-explorer/ie11-deploy-guide/index.md b/browsers/internet-explorer/ie11-deploy-guide/index.md index b1b9d3ce0b..f26bdcd631 100644 
--- a/browsers/internet-explorer/ie11-deploy-guide/index.md +++ b/browsers/internet-explorer/ie11-deploy-guide/index.md @@ -6,6 +6,7 @@ ms.prod: ie11 ms.assetid: bddc2d97-c38d-45c5-9588-1f5bbff2e9c3 title: Internet Explorer 11 (IE11) - Deployment Guide for IT Pros (Internet Explorer 11 for IT Pros) ms.sitesec: library +localizationpriority: low --- diff --git a/browsers/internet-explorer/ie11-ieak/index.md b/browsers/internet-explorer/ie11-ieak/index.md index b0c1e0c9fe..00b9d78815 100644 --- a/browsers/internet-explorer/ie11-ieak/index.md +++ b/browsers/internet-explorer/ie11-ieak/index.md @@ -6,6 +6,7 @@ ms.prod: ie11 ms.assetid: 847bd7b4-d5dd-4e10-87b5-4d7d3a99bbac title: Internet Explorer Administration Kit 11 (IEAK 11) - Administrator's Guide (Internet Explorer Administration Kit 11 for IT Pros) ms.sitesec: library +localizationpriority: low --- diff --git a/devices/surface/index.md b/devices/surface/index.md index 39305ac4af..1b70df3e57 100644 --- a/devices/surface/index.md +++ b/devices/surface/index.md @@ -2,6 +2,7 @@ title: Surface (Surface) description: ms.assetid: 2a6aec85-b8e2-4784-8dc1-194ed5126a04 +localizationpriority: high ms.prod: w10 ms.mktglfcycl: manage ms.pagetype: surface, devices From 065d4745ccc70e57d67f3589bb7cfac8019ca9cc Mon Sep 17 00:00:00 2001 From: Brian Lich Date: Fri, 23 Sep 2016 14:35:54 -0700 Subject: [PATCH 09/12] removing duplicate localizationpriority YAML metadata --- ...tion-to-deploy-with-windows-10-using-configuration-manager.md | 1 - .../deploy-windows-10-with-the-microsoft-deployment-toolkit.md | 1 - ...ouch-installation-of-windows-10-with-configuration-manager.md | 1 - .../replace-a-windows-7-computer-with-a-windows-10-computer.md | 1 - 4 files changed, 4 deletions(-) diff --git a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index 4e7b504b13..30ed33ca81 100644 
--- a/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deploy/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -6,7 +6,6 @@ keywords: deployment, task sequence, custom, customize ms.prod: w10 localizationpriority: high ms.mktglfcycl: deploy -localizationpriority: high ms.sitesec: library author: mtniehaus --- diff --git a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md index 4963952ab4..b5bd6bcf7a 100644 --- a/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md +++ b/windows/deploy/deploy-windows-10-with-the-microsoft-deployment-toolkit.md @@ -7,7 +7,6 @@ ms.prod: w10 ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library -localizationpriority: high author: mtniehaus ms.pagetype: mdt --- diff --git a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index 499573e6a0..4f25bc9987 100644 --- a/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deploy/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md @@ -6,7 +6,6 @@ keywords: install, configure, deploy, deployment ms.prod: w10 localizationpriority: high ms.mktglfcycl: deploy -localizationpriority: high ms.sitesec: library author: mtniehaus --- diff --git a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md index 9a3311910e..c4d80c812b 100644 --- a/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md +++ b/windows/deploy/replace-a-windows-7-computer-with-a-windows-10-computer.md 
@@ -7,7 +7,6 @@ ms.prod: w10 ms.mktglfcycl: deploy localizationpriority: high ms.sitesec: library -localizationpriority: high ms.pagetype: mdt author: mtniehaus --- From 883f13d19720d55137f4e7848fc1817aa2742ef4 Mon Sep 17 00:00:00 2001 From: JanKeller1 Date: Fri, 23 Sep 2016 16:07:28 -0700 Subject: [PATCH 10/12] Tweaked the intro text --- .../manage/appv-deploying-microsoft-office-2013-with-appv.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md b/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md index 90cdcd48d7..c492e3a97e 100644 --- a/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md +++ b/windows/manage/appv-deploying-microsoft-office-2013-with-appv.md @@ -14,7 +14,7 @@ ms.prod: w10 **Applies to** - Windows 10, version 1607 -Use the information in this article to use Microsoft Application Virtualization (App-V), or later versions, to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md). To successfully deploy Office 2013 with App-V, you need to be familiar with Office 2013 and App-V. +Use the information in this article to use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application to computers in your organization. For information about using App-V to deliver Office 2010, see [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md). To successfully deploy Office 2013 with App-V, you need to be familiar with Office 2013 and App-V. This topic contains the following sections: From 23d06d225da66b96d39538698b3a38b7e367b483 Mon Sep 17 00:00:00 2001 
From: JanKeller1 Date: Fri, 23 Sep 2016 17:40:03 -0700 Subject: [PATCH 11/12] Tweaked links --- windows/manage/appv-deploying-appv.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/windows/manage/appv-deploying-appv.md b/windows/manage/appv-deploying-appv.md index 53ad22d7a7..d9b76d330e 100644 --- a/windows/manage/appv-deploying-appv.md +++ b/windows/manage/appv-deploying-appv.md @@ -30,6 +30,11 @@ App-V supports a number of different deployment options. Review this topic for i This section provides a deployment checklist that can be used to assist with installing App-V. +- [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md)
+[Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md) + + These sections describe how to use App-V to deliver Microsoft Office as a virtualized application to computers in your organization. + ## Other Resources for Deploying App-V From 9cb85d75d589167a9c48750c8691c958f2c71e3b Mon Sep 17 00:00:00 2001 From: LizRoss Date: Fri, 23 Sep 2016 18:29:03 -0700 Subject: [PATCH 12/12] Updated cortana text from final PM review --- windows/keep-secure/limitations-with-wip.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/limitations-with-wip.md b/windows/keep-secure/limitations-with-wip.md index c7cc2666e0..ad98fc7971 100644 --- a/windows/keep-secure/limitations-with-wip.md +++ b/windows/keep-secure/limitations-with-wip.md @@ -41,8 +41,8 @@ This table provides info about the most common problems you might encounter whil Cortana can potentially allow data leakage if it’s on the allowed apps list. - Some files might become unexpectedly encrypted after an employee performs a search using Cortana while it's on the allowed apps list. Regardless whether Cortana is on the allowed list, your employees will still be able to use Cortana to search and provide results on enterprise documents and locations. - We don’t recommend adding Cortana to your allowed apps list. + If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft. + We don’t recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app. WIP is designed for use by a single user per device.
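Review bot: In [PATCH 04/12], the workaround "change the file ownership to **Personal** before you upload" takes the Work marking off an enterprise file, yet the row does not say whether that change is audited, unlike the USB row, which notes that decryption "will be audited". State the auditing behaviour here too, and consider repeating the advice about educating employees to limit the need for it.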
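Review bot: In [PATCH 05/12], "Regardless whether Cortana is on the allowed list" should read "Regardless of whether", and "allowed list" should match the "allowed apps list" wording used elsewhere in the same row. The subject line says the text is still "waiting for approval", so consider holding this commit until the wording is final instead of landing an interim version.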
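Review bot: In [PATCH 07/12], the three new change-history rows start with `|[` while the existing rows below them use `| [`; match the existing spacing so the table source stays consistent. While this table is being edited, the BitLocker row in the context lines also has two typos worth fixing: "ezxample" and "certficate".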
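Review bot: In [PATCH 10/12], the rewritten intro opens with "Use the information in this article to use Application Virtualization (App-V) to deliver", which repeats "use" within a few words. Something like "This article describes how to use Application Virtualization (App-V) to deliver Microsoft Office 2013 as a virtualized application" reads more cleanly and keeps the same meaning.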
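Review bot: In [PATCH 11/12], the Office 2010 link is added on its own line without a "- " list marker, unlike the Office 2013 link above it, so the two may not render as separate list items. Give it its own marker. The subject "Tweaked links" also undersells a hunk that adds two new links and a descriptive sentence.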
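Review bot: In [PATCH 12/12], the new workaround ends with "you can make Cortana an Exempt app" but does not say what exempting an app means for WIP enforcement or where that setting is configured. Since the same row now warns that "results might be sent to Microsoft", add a sentence or a link explaining the effect of the Exempt status so admins can weigh it. "If Cortana is on the allowed list" in the first added line should also say "allowed apps list" to match the limitation column.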