Merge remote-tracking branch 'refs/remotes/origin/master' into jdhello

windows/deploy/troubleshoot-upgrade-analytics.md

@@ -27,6 +27,8 @@ If you want to stop using Upgrade Analytics and stop sending telemetry data to M
 
 1.  Unsubscribe from the Upgrade Analytics solution in the OMS portal. In the OMS portal, go to **Settings** > **Connected Sources** > **Windows Telemetry** and choose the **Unsubscribe** option.
 
+  ![Upgrade Analytics unsubscribe](images/upgrade-analytics-unsubscribe.png)
+
 2.  Disable the Commercial Data Opt-in Key on computers running Windows 7 SP1 or 8.1. On computers running Windows 10, set the telemetry level to **Security**:
 
   **Windows 7 and Windows 8.1**: Delete CommercialDataOptIn registry property from *HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\DataCollection*

windows/keep-secure/TOC.md

@@ -32,6 +32,7 @@
 ##### [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
 #### [Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md)
 #### [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)
+#### [Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md)
 ### [Mandatory tasks and settings required to turn on Windows Information Protection (WIP)](mandatory-settings-for-wip.md)
 ### [Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md)
 ### [Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md)

windows/keep-secure/change-history-for-keep-windows-10-secure.md

@@ -16,6 +16,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md
 ## January 2017
 |New or changed topic |Description |
 |---------------------|------------|
+|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |New |
 |[Limitations while using Windows Information Protection (WIP)](limitations-with-wip.md) |Updated to include info about USB drives and Azure RMS (Windows Insider Program only) and to add more info about Work Folders and Offline files. |
 |[Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)](recommended-network-definitions-for-wip.md) |New |
 |[Using Outlook Web Access with Windows Information Protection (WIP)](using-owa-with-wip.md) |New |

windows/keep-secure/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md

@@ -37,14 +37,14 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
 
     b.  Select **Mobile Device Management/Microsoft Intune** > **Download package** and save the .zip file.
 
-      ![Endpoint onboarding](images/atp-onboard-mdm.png)
+      ![Endpoint onboarding](images/atp-mdm-onboarding-package.png)
 
 2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named  *WindowsDefenderATP.onboarding*.
 
 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune).
 
   a. Select **Policy** > **Configuration Policies** > **Add**.
-  ![Microsoft Intune Configuration Policies](images/atp-intune-add-policy.png)
+  ![Microsoft Intune Configuration Policies](images/atp-add-intune-policy.png)
 
   b. Under **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)** > **Create and Deploy a Custom Policy** > **Create Policy**.
   ![Microsoft Intune Configuration Policies](images/atp-intune-new-policy.png)
@@ -56,7 +56,7 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre
   ![Microsoft Intune add OMC-URI](images/atp-intune-add-oma.png)
 
   e. Type the following values then select **OK**:
-  
+
   ![Microsoft Intune save policy](images/atp-intune-oma-uri-setting.png)
 
   - **Setting name**: Type a name for the setting.

windows/keep-secure/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md

@@ -26,13 +26,14 @@ The credentials are put in Credential Manager as a "`*Session`" credential.
 A "`*Session`" credential implies that it is valid for the current user session. 
 The credentials are also cleaned up when the WiFi or VPN connection is disconnected. 
 
-When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so WinInit.exe can release the credentials that it gets from the Credential Manager to the SSP that is requesting it. 
+When the user tries to access a domain resource, using Edge for example, Edge has the right Enterprise Authentication capability so [WinInet](https://msdn.microsoft.com/library/windows/desktop/aa385483.aspx) can release the credentials that it gets from the Credential Manager to the SSP that is requesting it. 
 For more information about the Enterprise Authentication capability, see [App capability declarations](https://msdn.microsoft.com/windows/uwp/packaging/app-capability-declarations). 
 
-WinInit.exe will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability. 
+WinInet will look at the device application, such as a Universal Windows Platform (UWP) application, to see if it has the right capability. 
 If the app is not UWP, it does not matter. 
 But if it is a UWP app, it will look at the device capability for Enterprise Authentication. 
-If it does have that capability and if the resource that you are trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released. 
+If it does have that capability and if the resource that you are trying to access is in the Intranet zone in the Internet Options (ZoneMap), then the credential will be released.
+This behavior helps prevent credentials from being misused by untrusted third parties.  
 
 ## Intranet zone
 

windows/keep-secure/overview-create-wip-policy.md

@@ -24,6 +24,7 @@ Microsoft Intune and System Center Configuration Manager helps you create and de
 |[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Intune helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
 |[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
 |[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md) |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
+|[Determine the Enterprise Context of an app running in Windows Information Protection (WIP)](wip-app-enterprise-context.md) |Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP). |
 
 >[!NOTE]
 >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

windows/keep-secure/wip-app-enterprise-context.md

@@ -0,0 +1,55 @@
+---
+title: Determine the Enterprise Context of an app running in Windows Information Protection (WIP) (Windows 10)
+description: Use the Task Manager to determine whether an app is considered work, personal or exempt by Windows Information Protection (WIP).
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, WIP and Task Manager, app context, enterprise context
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+---
+
+# Determine the Enterprise Context of an app running in Windows Information Protection (WIP)
+**Applies to:**
+
+-   Windows 10, version 1607
+-   Windows 10 Mobile
+
+>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
+
+Use Task Manager to check the context of your apps while running in Windows Information Protection (WIP) to make sure that your organization's policies are applied and running correctly.
+
+## Viewing the Enterprise Context column in Task Manager
+You need to add the Enterprise Context column to the **Details** tab of the Task Manager.
+
+1. Make sure that you have an active WIP policy deployed and turned on in your organization.
+
+2. Open the Task Manager (taskmgr.exe), click the **Details** tab, right-click in the column heading area, and click **Select columns**.
+
+    The **Select columns** box appears.
+
+    ![Task Manager, Select column box with Enterprise Context option selected](images/wip-select-column.png)
+
+3. Scroll down and check the **Enterprise Context** option, and then click **OK** to close the box.
+
+    The **Enterprise Context** column should now be available in Task Manager.
+
+    ![Task Manager, Enterprise Context column highlighted](images/wip-taskmgr.png)
+
+## Review the Enterprise Context
+The **Enterprise Context** column shows you what each app can do with your enterprise data:
+
+- **Domain.** Shows the employee's work domain (such as, corp.contoso.com). This app is considered work-related and can freely touch and open work data and resources.
+
+- **Personal.** Shows the text, *Personal*. This app is considered non-work-related and can't touch any work data or resources.
+
+- **Exempt.** Shows the text, *Exempt*. WIP policies don't apply to these apps (such as, system components).
+
+    >[!IMPORTANT]
+    >Enlightened apps can change between Work and Personal, depending on the data being touched. For example, Microsoft Word 2016 shows as **Personal** when an employee opens a personal letter, but changes to **Work** when that same employee opens the company financials.
+
+
+
+
+
+