diff --git a/.gitignore b/.gitignore index b674ff367c..60755bf9e7 100644 --- a/.gitignore +++ b/.gitignore @@ -13,4 +13,5 @@ packages.config windows/keep-secure/index.md # User-specific files -.vs/ \ No newline at end of file +.vs/ +*.png \ No newline at end of file diff --git a/atp-mdm-onboarding-package.png b/atp-mdm-onboarding-package.png new file mode 100644 index 0000000000..23b9c49490 Binary files /dev/null and b/atp-mdm-onboarding-package.png differ diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md index 30385b6f81..9debfeb7b8 100644 --- a/devices/hololens/hololens-provisioning.md +++ b/devices/hololens/hololens-provisioning.md @@ -101,7 +101,7 @@ When you run ADKsetup.exe for Windows 10, version 1607, select **Configuration D Provisioning packages make use of configuration service providers (CSPs). If you're not familiar with CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](https://technet.microsoft.com/itpro/windows/manage/how-it-pros-can-use-configuration-service-providers). -In Windows ICD, when you create a provisioning package for Windows Holographic, the settings in **Available customizations** are based on [CSPs that are supported in Windows Holographic](https://msdn.microsoft.co/library/windows/hardware/dn920025.aspx#HoloLens). The following table describes settings that you might want to configure for HoloLens. +In Windows ICD, when you create a provisioning package for Windows Holographic, the settings in **Available customizations** are based on [CSPs that are supported in Windows Holographic](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/configuration-service-provider-reference#hololens). The following table describes settings that you might want to configure for HoloLens. ![Common runtime settings for HoloLens](images/icd-settings.png) 
diff --git a/windows/deploy/images/upgrade-analytics-unsubscribe.png b/windows/deploy/images/upgrade-analytics-unsubscribe.png new file mode 100644 index 0000000000..402db94d6f Binary files /dev/null and b/windows/deploy/images/upgrade-analytics-unsubscribe.png differ diff --git a/windows/deploy/troubleshoot-upgrade-analytics.md b/windows/deploy/troubleshoot-upgrade-analytics.md index 7b2d58bc05..468de1e275 100644 --- a/windows/deploy/troubleshoot-upgrade-analytics.md +++ b/windows/deploy/troubleshoot-upgrade-analytics.md @@ -27,6 +27,8 @@ If you want to stop using Upgrade Analytics and stop sending telemetry data to M 1. Unsubscribe from the Upgrade Analytics solution in the OMS portal. In the OMS portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option. + ![Upgrade Analytics unsubscribe](images/upgrade-analytics-unsubscribe.png) + 2. Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the telemetry level to **Security**: **Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection* diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index d86fd9fc3e..0e4013b491 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md 
@@ -32,6 +32,7 @@ ##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md) #### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) #### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) +#### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) ### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md) ### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) ### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index f144437a78..2e7879cd8b 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md 
@@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md ## January 2017 |New or changed topic |Description | |---------------------|------------| +|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |New | |[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Updated to include info about USB drives and Azure RMS (Windows Insider Program only) and to add more info about Work Folders and Offline files. | |[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |New | |[Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md) |New | diff --git a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index b5b16faf54..c842ea1668 100644 --- a/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md 
@@ -37,14 +37,14 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre b. Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file. - ![Endpoint onboarding](images/atp-onboard-mdm.png) + ![Endpoint onboarding](images/atp-mdm-onboarding-package.png) 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*. 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). a. Select **Policy** > **Configuration Policies** > **Add**. - ![Microsoft Intune Configuration Policies](images/atp-intune-add-policy.png) + ![Microsoft Intune Configuration Policies](images/atp-add-intune-policy.png) b. Under **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)** > **Create and Deploy a Custom Policy** > **Create Policy**. ![Microsoft Intune Configuration Policies](images/atp-intune-new-policy.png) @@ -56,7 +56,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre ![Microsoft Intune add OMC-URI](images/atp-intune-add-oma.png) e. Type the following values then select **OK**: - + ![Microsoft Intune save policy](images/atp-intune-oma-uri-setting.png) - **Setting name**: Type a name for the setting. diff --git a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md index d790933a66..a47a3fcb64 100644 --- a/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md 
+++ b/windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md @@ -26,13 +26,14 @@ The credentials are put in Credential Manager as a "`*Session`" credential. A "`*Session`" credential implies that it is valid for the current user session. The credentials are also cleaned up when the WiFi or VPN connection is disconnected. -When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so WinInit.exe can release the credentials that it gets from the Credential Manager to the SSP that is requesting it. +When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](https://msdn.microsoft.com/library/windows/desktop/aa385483.aspx) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it. For more information about the Enterprise Authentication capability, see [App capability declarations](https://msdn.microsoft.com/windows/uwp/packaging/app-capability-declarations). -WinInit.exe will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability. +WinInet will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability. If the app is not UWP, it does not matter. But if it is a UWP app, it will look at the device capability for Enterprise Authentication. -If it does have that capability and if the resource that you are trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released. +If it does have that capability and if the resource that you are trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released. +This behavior helps prevent credentials from being misused by untrusted third parties. ## Intranet zone 
diff --git a/windows/keep-secure/images/atp-add-intune-policy.png b/windows/keep-secure/images/atp-add-intune-policy.png new file mode 100644 index 0000000000..61a47e9f37 Binary files /dev/null and b/windows/keep-secure/images/atp-add-intune-policy.png differ diff --git a/windows/keep-secure/images/atp-intune-add-policy.png b/windows/keep-secure/images/atp-intune-add-policy.png deleted file mode 100644 index 570ab0a688..0000000000 Binary files a/windows/keep-secure/images/atp-intune-add-policy.png and /dev/null differ diff --git a/windows/keep-secure/images/atp-mdm-onboarding-package.png b/windows/keep-secure/images/atp-mdm-onboarding-package.png new file mode 100644 index 0000000000..23b9c49490 Binary files /dev/null and b/windows/keep-secure/images/atp-mdm-onboarding-package.png differ diff --git a/windows/keep-secure/images/wip-select-column.png b/windows/keep-secure/images/wip-select-column.png new file mode 100644 index 0000000000..d4e8a9e7a0 Binary files /dev/null and b/windows/keep-secure/images/wip-select-column.png differ diff --git a/windows/keep-secure/images/wip-taskmgr.png b/windows/keep-secure/images/wip-taskmgr.png new file mode 100644 index 0000000000..d69e829d65 Binary files /dev/null and b/windows/keep-secure/images/wip-taskmgr.png differ diff --git a/windows/keep-secure/overview-create-wip-policy.md b/windows/keep-secure/overview-create-wip-policy.md index 1cb74baed7..c3ad6bf5a3 100644 --- a/windows/keep-secure/overview-create-wip-policy.md +++ b/windows/keep-secure/overview-create-wip-policy.md 
@@ -24,6 +24,7 @@ Microsoft Intune and System Center Configuration Manager helps you create and de |[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Intune helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | |[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. | |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. | +|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). | >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/keep-secure/wip-app-enterprise-context.md b/windows/keep-secure/wip-app-enterprise-context.md new file mode 100644 index 0000000000..b4ebd4ced4 --- /dev/null +++ b/windows/keep-secure/wip-app-enterprise-context.md 
@@ -0,0 +1,55 @@ +--- +title: Determine the Enterprise Context of an app running in Windows Information Protection (WIP) (Windows 10) +description: Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). +keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Task Manager, app context, enterprise context +ms.prod: w10 +ms.mktglfcycl: explore +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +--- + +# Determine the Enterprise Context of an app running in Windows Information Protection (WIP) +**Applies to:** + +- Windows 10, version 1607 +- Windows 10 Mobile + +>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). + +Use Task Manager to check the context of your apps while running in Windows Information Protection (WIP) to make sure that your organization's policies are applied and running correctly. + +## Viewing the Enterprise Context column in Task Manager +You need to add the Enterprise Context column to the **Details** tab of the Task Manager. + +1. Make sure that you have an active WIP policy deployed and turned on in your organization. + +2. Open the Task Manager (taskmgr.exe), click the **Details** tab, right-click in the column heading area, and click **Select columns**. + + The **Select columns** box appears. + + ![Task Manager, Select column box with Enterprise Context option selected](images/wip-select-column.png) + +3. Scroll down and check the **Enterprise Context** option, and then click **OK** to close the box. + + The **Enterprise Context** column should now be available in Task Manager. 
+ + ![Task Manager, Enterprise Context column highlighted](images/wip-taskmgr.png) + +## Review the Enterprise Context +The **Enterprise Context** column shows you what each app can do with your enterprise data: + +- **Domain.** Shows the employee's work domain (such as, corp.contoso.com). This app is considered work-related and can freely touch and open work data and resources. + +- **Personal.** Shows the text, *Personal*. This app is considered non-work-related and can't touch any work data or resources. + +- **Exempt.** Shows the text, *Exempt*. WIP policies don't apply to these apps (such as, system components). + + >[!IMPORTANT] + >Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials. + + + + + +
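
Review bot: In the `.gitignore` hunk, the new `*.png` pattern ignores every PNG in the repository, while this same patch adds new PNG files under `windows/keep-secure/images/` and `windows/deploy/images/`. Images that are already tracked stay tracked, but any screenshot added later will be skipped by `git add` unless it is forced, so topics can end up referencing images that were never committed. Suggest dropping `*.png`, or scoping the pattern to the specific directory that should not hold images. The file also still ends without a trailing newline.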
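
Review bot: The new root-level file `atp-mdm-onboarding-package.png` has the same blob index (`23b9c49490`) as `windows/keep-secure/images/atp-mdm-onboarding-package.png` added later in the patch, and none of the changed topics references the root copy. It looks like an accidental duplicate. Suggest removing it from the commit and keeping only the copy under `windows/keep-secure/images/`.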
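
Review bot: In the first hunk of `configure-endpoints-mdm-windows-defender-advanced-threat-protection.md`, the onboarding screenshot reference changes from `images/atp-onboard-mdm.png` to `images/atp-mdm-onboarding-package.png`, but the patch does not delete `atp-onboard-mdm.png`, whereas the other replaced image, `atp-intune-add-policy.png`, is deleted. Suggest either deleting the old file in this change or confirming that another topic still uses it. The second hunk in this file changes only whitespace on the `atp-intune-oma-uri-setting.png` line; drop it if the change is not intentional.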
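
Review bot: In the `how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md` hunk, the added closing sentence "This behavior helps prevent credentials from being misused by untrusted third parties." does not say which behavior it refers to, and the unchanged line just above it says that the capability check does not matter when the app is not UWP. Suggest naming the two conditions that gate the release (the Enterprise Authentication capability for a UWP app, and the resource being in the Intranet zone) and scoping the claim to the case where both are checked, so readers do not assume the protection covers every app. The line ending in "then the credential will be released." is removed and re-added with no visible text change; if the trailing whitespace is meant to force a line break, a blank line would be clearer.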
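
Review bot: In the new `wip-app-enterprise-context.md`, the IMPORTANT note at the end says Word 2016 "changes to **Work**", but the list directly above it defines the column values as **Domain** (shown as the employee's work domain, such as corp.contoso.com), **Personal**, and **Exempt**. There is no "Work" value, so a reader checking Task Manager will not find it. Suggest wording the note in terms of what the column actually displays, for example that the value changes from **Personal** to the work domain. Smaller points in the same hunk: the two section headings mix forms ("Viewing the Enterprise Context column in Task Manager" and "Review the Enterprise Context"), and the file ends with several blank added lines that can be trimmed.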