deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-18 11:53:37 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into vs-intunechanges

Browse Source
This commit is contained in:
LizRoss
2017-04-03 14:01:57 -07:00
parent 706715aa00 2b9ea88bd4
commit dadaefc983
13 changed files with 4288 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
windows/keep-secure/add-apps-to-protected-list-using-custom-uri.md
View File

@ -39,14 +39,15 @@ You can add apps to your Windows Information Protection (WIP) protected app list
5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
>[!Note]
>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
6. In the **Review Rules** screen, look over your rules to make sure theyre right, and then click **Create** to add them to your collection of rules.
7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.
>**Important**<br>Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
>[!Important]
>Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
@ -86,15 +87,18 @@ After saving the policy, youll need to deploy it to your employees devices
5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
>**Important**<br>You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
>[!Important]
>You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
>**Note**<br>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.<p>Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
>[!Note]
>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.<p>Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
6. In the **Review Rules** screen, look over your rules to make sure theyre right, and then click **Create** to add them to your collection of rules.
7. In the left pane, right-click **AppLocker**, click **Export Policies**, go to where you want to save the XML file and type a file name, click **Save**, and then clear your AppLocker rules.
>**Important**<br>Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
>[!Important]
>Be aware that what you're saving are the actual AppLocker rules using your local policy. You don't want to apply these rules to your employee devices, you just want to use them to create and export the XML content. You must delete the AppLocker rules before you apply your policy.
8. Open the Intune administration console, and go to the **Policy** node, click **Add Policy** from the **Tasks** area, go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)** policy, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.

6
windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
View File

@ -53,9 +53,9 @@ The recovery process included in this topic only works for desktop devices. WIP
3. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
<code>cipher /c <i>file_name</i></code>
<code>cipher /c <i>filename</i></code>
Where *file_name* is the name of the file you created in Step 1.
Where *filename* is the name of the file you created in Step 1.
4. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list.
@ -67,7 +67,7 @@ The recovery process included in this topic only works for desktop devices. WIP
3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command:
<code>cipher /d <i>encryptedfile.extension</i>></code>
<code>cipher /d <i>encryptedfile.extension</i></code>
Where *encryptedfile.extension* is the name of your encrypted file. For example, corporatedata.docx.