This commit is contained in:
Joey Caparas 2016-07-29 15:19:46 +10:00
commit eab21fc40c
58 changed files with 1508 additions and 1586 deletions

.gitignore vendored
View File

@ -10,3 +10,6 @@ Tools/NuGet/
.openpublishing.buildcore.ps1
packages.config
windows/keep-secure/index.md
windows/keep-secure/index.md
windows/keep-secure/TOC.md
windows/keep-secure/index.md
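Review bot: the three added lines include `windows/keep-secure/index.md` twice, and that same path is already the last of the unchanged context lines above them, so the file ends up listing it three times; keep one `windows/keep-secure/index.md` entry plus `windows/keep-secure/TOC.md`. Ignoring an index.md and a TOC.md inside a docs source tree also deserves a one-line comment in .gitignore saying they are generated, because anyone who edits those files by hand will not see them in `git status` and will lose the edit.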

View File

@ -12,8 +12,9 @@ title: Available policies for Microsoft Edge (Microsoft Edge for IT Pros)
**Applies to:**
- Windows 10 Insider Preview
- Windows 10 Mobile
- Windows 10
- Windows 10 Mobile
- Windows Server 2016
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
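Review bot: the Applies-to list now reads Windows 10 / Windows 10 Mobile / Windows Server 2016 with no Insider Preview bullet, yet the red "Some information relates to pre-released product" banner on the line after it is kept. Either the page still documents Insider-only policies, in which case the Insider Preview bullet should stay, or it does not, in which case the banner should go with it; as changed, the two statements contradict each other.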

View File

@ -9,7 +9,12 @@ ms.sitesec: library
# Change history for Microsoft Edge
This topic lists new and updated topics in the Microsoft Edge documentation for both Windows 10 and Windows 10 Mobile.
For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/en-us/microsoft-edge/platform/changelog/).
For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/microsoft-edge/platform/changelog/).
## July 2016
|New or changed topic | Description |
|----------------------|-------------|
|[Microsoft Edge - Deployment Guide for IT Pros](index.md)| Updated to include support for Windows Server 2016 and a note about the Long Term Servicing Branch (LTSB) |
## July 2016
|New or changed topic | Description |
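Review bot: this hunk inserts a new `## July 2016` heading and table directly above the existing `## July 2016` heading and table, so the rendered page will show two July 2016 sections back to back. Add the `[Microsoft Edge - Deployment Guide for IT Pros](index.md)` row to the existing July 2016 table instead of opening a second section.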

View File

@ -13,7 +13,9 @@ title: Use Enterprise Mode to improve compatibility (Microsoft Edge for IT Pros)
**Applies to:**
- Windows 10
- Windows 10
- Windows 10 Mobile
- Windows Server 2016
If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11.
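Review bot: Windows 10 Mobile is added to the Applies-to list, but the paragraph under it describes Enterprise Mode as opening listed sites in Internet Explorer 11, which is a desktop fallback; if Enterprise Mode is not available on Windows 10 Mobile, drop that bullet, and if it is, say what happens to listed sites there. The Windows Server 2016 bullet has the same problem as the requirements page in this commit, whose new LTSB note says Server 2016 does not include Microsoft Edge at all.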

View File

@ -13,12 +13,15 @@ title: Microsoft Edge requirements and language support (Microsoft Edge for IT P
**Applies to:**
- Windows 10
- Windows 10 Mobile
- Windows 10
- Windows 10 Mobile
- Windows Server 2016
Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list.
>**Note**<br>The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality, and can't be supported on systems running the LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11.
## Minimum system requirements
Some of the components in this table might also need additional system resources. Check the component's documentation for more information.
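Review bot: the new note says "The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don't include Microsoft Edge", but the same hunk adds "Windows Server 2016" to the Applies-to list three lines above it. A page cannot both apply to Server 2016 and state that Server 2016 has no Edge; either remove the bullet or reword it to point at the note (for example "Windows Server 2016 (see note)"). The "pre-installed on all Windows 10-capable devices" sentence should also carry the LTSB exception it now sits next to.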
@ -26,7 +29,7 @@ Some of the components in this table might also need additional system resources
| Item | Minimum requirements |
| ------------------ | -------------------------------------------- |
| Computer/processor | 1 gigahertz (GHz) or faster (32-bit (x86) or 64-bit (x64)) |
| Operating system | <ul><li>Windows 10 (32-bit or 64-bit)</li><li>Windows 10 Mobile</li></ul><p>**Note**<br> For specific Windows 10 Mobile requirements, see the [Minimum hardware requirements for Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkID=699266) topic. |
| Operating system | <ul><li>Windows 10 (32-bit or 64-bit)</li><li>Windows 10 Mobile</li><li>Windows Server 2016</li></ul><p>**Note**<br> For specific Windows 10 Mobile requirements, see the [Minimum hardware requirements for Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkID=699266) topic. |
| Memory | <ul><li>Windows 10 (32-bit) - 1 GB</li><li>Windows 10 (64-bit) - 2 GB</li></ul> |
| Hard drive space | <ul><li>Windows 10 (32-bit) - 16 GB</li><li>Windows 10 (64-bit) - 20 GB</li></ul> |
| DVD drive | DVD-ROM drive (if installing from a DVD-ROM) |
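Review bot: adding `<li>Windows Server 2016</li>` to the Operating system cell contradicts the note just above the table, which says Windows Server 2016 does not include Microsoft Edge and recommends IE11 there; a minimum-requirements table should not list an OS on which the product is not available. If the entry stays, the Memory and Hard drive space rows need matching Server 2016 values, since they only give figures for 32-bit and 64-bit Windows 10.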

View File

@ -8,6 +8,13 @@ title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros)
---
# Security enhancements for Microsoft Edge
**Applies to:**
- Windows 10
- Windows 10 Mobile
- Windows Server 2016
Microsoft Edge is designed with significant security improvements, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows.
## Help to protect against web-based security threats
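Review bot: the Applies-to block added here lists Windows Server 2016, while the requirements page changed in the same commit states that Server 2016 (LTSB) does not ship Microsoft Edge. Keep the Applies-to lists consistent across the Edge topics: either every page carries the Server 2016 bullet with a pointer to the LTSB note, or none does.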
@ -43,15 +50,15 @@ Microsoft Edge has a new rendering engine, Microsoft EdgeHTML, which is focused
The Microsoft EdgeHTML engine also helps to defend against hacking through these new security standards features:
- Support for the W3C standard for [Content Security Policy (CSP)](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/security/content-Security-Policy), which can help web developers defend their sites against cross-site scripting attacks.
- Support for the W3C standard for [Content Security Policy (CSP)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/content-Security-Policy), which can help web developers defend their sites against cross-site scripting attacks.
- Support for the [HTTP Strict Transport Security (HSTS)](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/security/HSTS/) security feature (IETF-standard compliant). This helps ensure that connections to important sites, such as to your bank, are always secured.
- Support for the [HTTP Strict Transport Security (HSTS)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/HSTS/) security feature (IETF-standard compliant). This helps ensure that connections to important sites, such as to your bank, are always secured.
**Note**<br>
Both Microsoft Edge and Internet Explorer 11 support HSTS.
#### All web content runs in an app container sandbox
Internet Explorer 7 on Windows Vista was the first web browser to provide a browsing sandbox, called [Protected Mode](http://windows.microsoft.com/en-US/windows-vista/What-does-Internet-Explorer-protected-mode-do). Protected Mode forced the part of the browser that rendered web content to run with less privilege than the browser controls or the user, providing a level of isolation and protection should a malicious website attempt to exploit a bug in the browser or one of its plug-ins.
Internet Explorer 7 on Windows Vista was the first web browser to provide a browsing sandbox, called [Protected Mode](http://windows.microsoft.com/windows-vista/What-does-Internet-Explorer-protected-mode-do). Protected Mode forced the part of the browser that rendered web content to run with less privilege than the browser controls or the user, providing a level of isolation and protection should a malicious website attempt to exploit a bug in the browser or one of its plug-ins.
Internet Explorer 10 introduced Enhanced Protected Mode (EPM), based on the Windows 8 app container technology, providing a stronger sandbox by adding deny-by-default and no-read-up semantics. EPM was turned on by default in the Windows 8 and Windows 8.1 immersive browser, but was optional on the Internet Explorer 10 and Internet Explorer 11 desktop versions.
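Review bot: stripping the locale segment from the developer.microsoft.com and windows.microsoft.com links is fine as long as those hosts redirect by locale, but the rewritten Protected Mode link is left on plain `http://`. Since this is the security-enhancements page, the links it cites should use https where the target supports it; the developer.microsoft.com links in this hunk already do.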
@ -68,10 +75,10 @@ The value of running 64-bit all the time is that it strengthens Windows Address
#### New extension model and HTML5 support
Back in 1996, we introduced ActiveX for web browser extensions in an attempt to let 3rd parties experiment with various forms of alternate content on the web. However, we quickly learned that browser extensions can come at a cost of security and reliability. For example, binary extensions can bring code and data into the browsers processes without any protection, meaning that if anything goes wrong, the entire browser itself can be compromised or go down.
Based on that learning, weve stopped supporting binary extensions in Microsoft Edge and instead encourage everyone to use our new, scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/en-us/microsoft-edge/extensions/).
Based on that learning, weve stopped supporting binary extensions in Microsoft Edge and instead encourage everyone to use our new, scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/microsoft-edge/extensions/).
#### Reduced attack surfaces
In addition to removing support for VBScript, Jscript, VML, Browser Helper Objects, Toolbars, and ActiveX controls, Microsoft Edge also removed support for legacy Internet Explorer [document modes](https://msdn.microsoft.com/en-us/library/jj676915.aspx). Because many IE browser vulnerabilities are only present in legacy document modes, removing support for document modes significantly reduces attack surface, making the browser much more secure than before. However, it also means that its not as backward compatible.
In addition to removing support for VBScript, Jscript, VML, Browser Helper Objects, Toolbars, and ActiveX controls, Microsoft Edge also removed support for legacy Internet Explorer [document modes](https://msdn.microsoft.com/library/jj676915.aspx). Because many IE browser vulnerabilities are only present in legacy document modes, removing support for document modes significantly reduces attack surface, making the browser much more secure than before. However, it also means that its not as backward compatible.
Because of the reduced backward compatibility, weve given Microsoft Edge the ability to automatically fall back to Internet Explorer 11, using the Enterprise Mode Site List, for any apps that need backward compatibility.
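Review bot: "Jscript" in the Reduced attack surfaces paragraph should be "JScript", the product name; the line is already being rewritten in this hunk for the document-modes link, so fix the spelling in the same change.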

View File

@ -21,7 +21,7 @@ title: System requirements and language support for Internet Explorer 11 (IE11)
Internet Explorer 11 is available for a number of systems and languages. This topic provides info about the minimum system requirements and language support.
## Minimum system requirements for IE11
IE11 is pre-installed on Windows 8.1 and Windows Server 2012 R2 and is listed here for reference. It's also supported on Windows 10, but isn't pre-installed. For more info about IE11 on Windows 10, see [Browser: Microsoft Edge and Internet Explorer 11](https://technet.microsoft.com/en-us/library/mt156988.aspx).
IE11 is pre-installed on Windows 8.1 and Windows Server 2012 R2 and is listed here for reference. It's also supported on Windows 10, but isn't pre-installed. For more info about IE11 on Windows 10, see [Browser: Microsoft Edge and Internet Explorer 11](https://technet.microsoft.com/library/mt156988.aspx).
**Important**<br> 
IE11 isn't supported on Windows 8 or Windows Server 2012.

View File

@ -30,7 +30,7 @@ Existing devices running Windows 10 Pro, currently activated with the original O
Customers with Academic Volume Licensing agreements with rights for Windows can get Windows 10 Pro Education through the [Volume Licensing Service Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx), available at a later date.
Customers that deploy Windows 10 Pro are able to configure the product to have similar feature settings to Windows 10 Pro Education using policies. More detailed information on these policies and the configuration steps required is available in [MManage Windows 10 and Windows Store tips, tricks and suggestions](http://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Pro read the [document](http://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment.
Customers that deploy Windows 10 Pro are able to configure the product to have similar feature settings to Windows 10 Pro Education using policies. More detailed information on these policies and the configuration steps required is available in [Manage Windows 10 and Windows Store tips, tricks and suggestions](http://go.microsoft.com/fwlink/?LinkId=822627). We recommend that K-12 customers using commercial Windows 10 Pro read the [document](http://go.microsoft.com/fwlink/?LinkId=822627) and apply desired settings for your environment.
## Windows 10 Education

Binary file not shown (image added, 20 KiB).

View File

@ -17,17 +17,22 @@ author: greg-lindsay
With Windows 10, you can quickly upgrade from one edition of Windows 10 to another, provided the upgrade path is supported. For information on what edition of Windows 10 is right for you, see [Compare Windows 10 Editions](http://go.microsoft.com/fwlink/p/?LinkID=690882). For a comprehensive list of all possible upgrade paths to Windows 10, see [Windows 10 upgrade paths](windows-10-upgrade-paths.md).
The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer.
The following table shows the methods and paths available to change the edition of Windows 10 that is running on your computer. **Note**: The reboot requirement for upgrading from Pro to Enterprise was removed in version 1607.
X = unsupported <BR>
✔ (green) = supported; reboot required<BR>
✔ (blue) = supported; no reboot required.
|Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile > Mobile Enterprise |
|-------|-----------|-----------------|----------------|-----------------|----------------|--------|
| Using mobile device management (MDM) |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |
| Using a provisioning package |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |
| Using a command-line tool |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) |
| Entering a product key manually |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) |
| Using mobile device management (MDM) |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_blu.png) |![supported](images/check_grn.png) |![supported](images/check_blu.png) |
| Using a provisioning package |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_blu.png) |
| Using a command-line tool |![unsupported](images/x_blk.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_blu.png) |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) |
| Entering a product key manually |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_grn.png) |![supported](images/check_blu.png) |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) |
| Purchasing a license from the Windows Store |![supported](images/check_grn.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) |![unsupported](images/x_blk.png) |
**Note**<br>Each desktop edition in the table also has an N and KN edition. These editions have had media-related functionality removed. Devices with N or KN editions installed can be upgraded to corresponding N or KN editions using the same methods.
>**Note**: Each desktop edition in the table also has an N and KN edition. These editions have had media-related functionality removed. Devices with N or KN editions installed can be upgraded to corresponding N or KN editions using the same methods.
## Upgrade using mobile device management (MDM)
- To upgrade desktop editions of Windows 10 using MDM, you'll need to enter the product key for the upgraded edition in the **UpgradeEditionWithProductKey** policy setting of the **WindowsLicensing** CSP. For more info, see [WindowsLicensing CSP](http://go.microsoft.com/fwlink/p/?LinkID=690907).
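Review bot: the new note says the reboot requirement for Pro > Enterprise was removed in version 1607, and the MDM, command-line and product-key rows switch that column to the blue (no reboot) check, but the provisioning-package row still shows the green (reboot required) check for Pro > Enterprise; either the note is too broad or that cell was missed. The Mobile > Mobile Enterprise column is also switched to blue for MDM and provisioning packages with no mention in the note, so the note should cover it. Separately, both check images carry the alt text `supported`, so the green/blue distinction the legend depends on is invisible to screen readers and to anyone reading the Markdown source; use alt text such as `supported, reboot required` and `supported, no reboot required`.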

View File

@ -1,8 +1,8 @@
---
title: Add apps to your enterprise data protection (EDP) policy by using Microsoft Intune and custom URI functionality (Windows 10)
description: Add apps to your enterprise data protection (EDP) allowed app list, by using the Microsoft Intune custom URI functionality and AppLocker.
title: Add apps to your Windows Information Protection (WIP) policy by using Microsoft Intune and custom URI functionality (Windows 10)
description: Add apps to your Windows Information Protection (WIP) allowed app list, by using the Microsoft Intune custom URI functionality and AppLocker.
ms.assetid: b50db35d-a2a9-4b78-a95d-a1b066e66880
keywords: EDP, Enterprise Data Protection, protected apps, protected app list
keywords: WIP, Enterprise Data Protection, protected apps, protected app list
ms.prod: w10
ms.mktglfcycl: explore
ms.pagetype: security
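Review bot: the keywords line drops `EDP` while renaming the rest (`keywords: WIP, Enterprise Data Protection, protected apps, protected app list`), so readers searching for the old abbreviation will miss this page. The EFS DRA topic in the same commit keeps both (`Windows Information Protection, WIP, EDP, Enterprise Data Protection`); do the same here.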
@ -10,17 +10,15 @@ ms.sitesec: library
author: eross-msft
---
# Add apps to your enterprise data protection (EDP) policy by using the Microsoft Intune custom URI functionality
# Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality
**Applies to:**
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
- Windows 10, version 1607
- Windows 10 Mobile
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
You can add apps to your Windows Information Protection (WIP) protected app list using the Microsoft Intune custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=691330).
You can add apps to your enterprise data protection (EDP) protected app list using the Microsoft Intune custom URI functionality and AppLocker. For more info about how to create a custom URI using Intune, [Windows 10 custom policy settings in Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkID=691330).
>**Important**  
>**Important**<br>
Results can be unpredictable if you configure your policy using both the UI and the Custom URI method together. We recommend using a single method for each policy.
## Add Store apps
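Review bot: the rewritten opening paragraph introduces "Windows Information Protection (WIP)" without saying that it was formerly called enterprise data protection (EDP), while the EFS DRA topic in this commit does ("formerly known as enterprise data protection (EDP)"). Add the same phrase on first mention here so readers who know the old name are not lost.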
@ -28,15 +26,15 @@ Results can be unpredictable if you configure your policy using both the UI and
2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, right-click **Packaged app Rules**, and then click **Automatically Generate Rules**.
The **Automatically Generate Packaged app Rules** wizard opens, letting you create EDP-protected app polices for all of the installed apps on the device or for packaged apps within a specific folder.
The **Automatically Generate Packaged app Rules** wizard opens, letting you create WIP-protected app polices for all of the installed apps on the device or for packaged apps within a specific folder.
3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.
You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users.
You want to keep this value because your WIP policy needs to apply to the device being managed, not a single user or group of users.
4. Type the name youll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.
This name should be easily recognizable, such as *EDP_StoreApps_Rules*.
This name should be easily recognizable, such as *WIP_StoreApps_Rules*.
5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
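Review bot: `polices` in "letting you create WIP-protected app polices" is a typo for `policies`; the line is rewritten in this hunk anyway, so correct it here (the same typo recurs in the Add Desktop apps section below).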
@ -67,29 +65,29 @@ Results can be unpredictable if you configure your policy using both the UI and
```
15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.<p>
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic.
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic.
## Add Desktop apps
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, right-click **Executable Rules**, and then click **Automatically Generate Rules**.
The **Automatically Generate Executable Rules** wizard opens, letting you create EDP-protected app polices by analyzing the files within a specific folder.
The **Automatically Generate Executable Rules** wizard opens, letting you create WIP-protected app polices by analyzing the files within a specific folder.
3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.
You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users.
You want to keep this value because your WIP policy needs to apply to the device being managed, not a single user or group of users.
4. Type the name youll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.
This name should be easily recognizable, such as *EDP_DesktopApps_Rules*.
This name should be easily recognizable, such as *WIP_DesktopApps_Rules*.
5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
>**Important**<br>You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
<p>
>**Note**<br>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.<p>Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass enterprise data protection (EDP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
>**Note**<br>We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.<p>If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.<p>Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
6. In the **Review Rules** screen, look over your rules to make sure theyre right, and then click **Create** to add them to your collection of rules.
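Review bot: the Important callout ("You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value") steers readers toward Path rules, while the Note directly below it explains that Path rules let a renamed DisallowedApp.exe bypass WIP. The callout should not present Path rules as a neutral alternative; say that they trade hash maintenance for that bypass, or fold the callout into the Note's ranked guidance (Publisher, then File hash, then Path). In the example, `%PROGRAMFILES%/NOTEPAD.EXE` uses a forward slash; AppLocker path conditions are written with backslashes (`%PROGRAMFILES%\NOTEPAD.EXE`). `polices` on the wizard line is again `policies`.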
@ -117,12 +115,12 @@ After saving the policy, youll need to deploy it to your employees devices
15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic.
After saving the policy, youll need to deploy it to your employees devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic.
##Related topics
- [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md)
- [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md)
- [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md)
- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
 
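Review bot: `##Related topics` has no space after the hashes; with CommonMark-style parsing that renders as literal text rather than a heading, and every other heading on this page uses `## `. The trailing line that contains only a non-breaking space should be dropped as well.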

View File

@ -1,7 +1,7 @@
---
title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10)
description: Follow these steps to create, verify, and perform a quick recovery by using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate.
keywords: Windows Information Protection, WIP, WIP, Enterprise Data Protection
keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@ -11,17 +11,15 @@ ms.pagetype: security
# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate
**Applies to:**
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
- Windows 10, version 1607
- Windows 10 Mobile
If you dont already have an EFS DRA certificate, youll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, well use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices.
>**Important**<br>
If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx).<p>If your DRA certificate has expired, you wont be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).<p>If your DRA certificate has expired, you wont be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
**To manually create an EFS DRA certificate**
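Review bot: the rewritten Important callout says that with an expired DRA certificate you should "create a new certificate, using the steps in this topic, and then deploy it through policy", but nothing tells the reader to keep the expired certificate's private key. Files encrypted while the old DRA was in the policy can only be recovered with that old key, so the callout should say to archive the old key alongside the new one rather than replace it. Also, the new Applies-to list adds Windows 10 Mobile, while the paragraph below states that the recovery process only works on desktop devices and that WIP deletes the data on Windows 10 Mobile; a "desktop only" qualifier on that bullet would prevent the mismatch.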
@ -43,7 +41,7 @@ If you already have an EFS DRA certificate for your organization, you can skip c
4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager.
>**Note**<br>
To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic.
To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic.
**To verify your data recovery certificate is correctly set up on an WIP client computer**
@ -95,15 +93,15 @@ It's possible that you might revoke data from an unenrolled device only to later
The Windows Credential service automatically recovers the employees previously revoked keys from the `Recovery\Input` location.
## Related topics
- [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx)
- [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx)
- [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx)
- [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx)
- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md)
- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
- [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md)
- [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md)
- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/en-us/library/cc875821.aspx#EJAA)
- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA)
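Review bot: the two relative links in this hunk are retargeted from `create-edp-policy-using-intune.md` and `create-edp-policy-using-sccm.md` to the `create-wip-policy-using-*.md` names; confirm both renamed files are present in this commit, because the old Intune topic is reduced to a 5-line file in the `@ -1,513 +1,5 @@` hunk that follows and a dangling relative link would break the topic build. The other three edits only drop the `en-us/` locale segment from the TechNet and MSDN URLs (`https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx`, `https://msdn.microsoft.com/library/cc875821.aspx` and its `#EJAA` anchor); those depend on the sites redirecting locale-free paths to the reader's locale, so a quick check that each still resolves is worth doing before merge.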

View File

@ -1,513 +1,5 @@
---
title: Create an enterprise data protection (EDP) policy using Microsoft Intune (Windows 10)
description: Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
---
# Create an enterprise data protection (EDP) policy using Microsoft Intune
**Applies to:**
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
## Important note about the June service update
We've received some great feedback from you, our Windows 10 Insider Preview customers, about our enterprise data protection experiences and processes. Because of that feedback, we're delighted to deliver an enhanced apps policy experience with the June service update. This means that when you open an existing enterprise data protection policy after we release the June service update in your test environment, your existing Windows 10 enterprise data protection app rules (formerly in the **Protected Apps** area) will be removed.<p>To prepare for this change, we recommend that you make an immediate backup of your current app rules as they are today, so you can use them to help reconfigure your app rules with the enhanced experience. When you open an existing enterprise data protection policy after we release the June service update, you'll get a dialog box telling you about this change. Click the **OK** button to close the box and to begin reconfiguring your app rules.
![Microsoft Intune: Reconfigure app rules list dialog box](images/edp-intune-app-reconfig-warning.png)
Note that if you exit the **Policy** page before you've saved your new policy, your existing deployments won't be affected. However, if you save the policy without reconfiguring your apps, an updated policy will be deployed to your employees with an empty app rules list.
## Add an EDP policy
After youve set up Intune for your organization, you must create an EDP-specific policy.
**To add an EDP policy**
1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area.
2. Go to **Windows**, click the **Enterprise data protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png)
3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-generalinfo.png)
### Add app rules to your policy
During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed desktop app (also known as a Classic Windows app), or an AppLocker policy file.
>**Important**<br>
EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary, and EDP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<p>Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your App Rules list. If you dont get this statement, its possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
<p>
>**Note**<br>
If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps using Microsoft Intune and custom URI](add-apps-to-protected-list-using-custom-uri.md) topic.
#### Add a store app rule to your policy
For this example, were going to add Microsoft OneNote, a store app, to the **App Rules** list.
**To add a store app**
1. From the **App Rules** area, click **Add**.
The **Add App Rule** box appears.
![Microsoft Intune, Add a store app to your policy](images/intune-add-uwp-apps.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Microsoft OneNote*.
3. Click **Allow** from the **Enterprise data protection mode** drop-down list.
Allow turns on EDP, helping to protect that apps corporate data through the enforcement of EDP restrictions. Instructions for exempting an app are included in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp-restrictions) section of this topic.
4. Pick **Store App** from the **Rule template** drop-down list.
The box changes to show the store app rule options.
5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is`CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
**To find the Publisher and Product Name values for Store apps without installing them**
1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*.
>**Note**<br>
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps using Microsoft Intune and custom URI](add-apps-to-protected-list-using-custom-uri.md) topic.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value.
The API runs and opens a text editor with the app details.
``` json
{
"packageIdentityName": "Microsoft.Office.OneNote",
"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
}
```
4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune.
>**Important**<br>
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.<p>For example:<br>
``` json
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
```
**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
>**Note**<br>
Your PC and phone must be on the same wireless network.
2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
7. Start the app for which you're looking for the publisher and product name values.
8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
>**Important**<br>
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.<p>For example:<br>
``` json
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
```
#### Add a desktop app rule to your policy
For this example, were going to add Internet Explorer, a desktop app, to the **App Rules** list.
**To add a desktop app**
1. From the **App Rules** area, click **Add**.
The **Add App Rule** box appears.
![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Internet Explorer*.
3. Click **Allow** from the **Enterprise data protection mode** drop-down list.
Allow turns on EDP, helping to protect that apps corporate data through the enforcement of EDP restrictions. Instructions for exempting an app are included in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp-restrictions) section of this topic.
4. Pick **Desktop App** from the **Rule template** drop-down list.
The box changes to show the store app rule options.
5. Pick the options you want to include for the app rule (see table), and then click **OK**.
<table>
<tr>
<th>Option</th>
<th>Manages</th>
</tr>
<tr>
<td>All fields left as “*”</td>
<td>All files signed by any publisher. (Not recommended.)</td>
</tr>
<tr>
<td><strong>Publisher</strong> selected</td>
<td>All files signed by the named publisher.<p>This might be useful if your company is the publisher and signer of internal line-of-business apps.</td>
</tr>
<tr>
<td><strong>Publisher</strong> and <strong>Product Name</strong> selected</td>
<td>All files for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, and <strong>Binary name</strong> selected</td>
<td>Any version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, and above</strong>, selected</td>
<td>Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<p>This option is recommended for enlightened apps that weren't previously enlightened.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, And below</strong> selected</td>
<td>Specified version or older releases of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, Exactly</strong> selected</td>
<td>Specified version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
</table>
If youre unsure about what to include for the publisher, you can run this PowerShell command:
```ps1
Get-AppLockerFileInformation -Path "<path of the exe>"
```
Where `"<path of the exe>"` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`.
In this example, you'd get the following info:
``` json
Path Publisher
---- ---------
%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR...
```
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
#### Add an AppLocker policy file
For this example, were going to add an AppLocker XML file to the **App Rules** list. Youll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/applocker-overview) content.
**To create an app rule and xml file using the AppLocker tool**
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png)
3. Right-click in the right-hand pane, and then click **Create New Rule**.
The **Create Packaged app Rules** wizard appears.
4. On the **Before You Begin** page, click **Next**.
![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png)
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png)
6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area.
![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png)
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, were using Microsoft Photos.
![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png)
8. On the updated **Publisher** page, click **Create**.
![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png)
9. Review the Local Security Policy snap-in to make sure your rule is correct.
![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png)
10. In the left pane, right-click on **AppLocker**, and then click **Export policy**.
The **Export policy** box opens, letting you export and save your new policy as XML.
![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png)
11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
The policy is saved and youll see a message that says 1 rule was exported from the policy.
**Example XML file**<br>
This is the XML file that AppLocker creates for Microsoft Photos.
```xml
<AppLockerPolicy Version="1">
<RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Msi" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Script" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Dll" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Appx" EnforcementMode="NotConfigured">
<FilePublisherRule Id="5e0c752b-5921-4f72-8146-80ad5f582110" Name="Microsoft.Windows.Photos, version 16.526.0.0 and above, from Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.Photos" BinaryName="*">
<BinaryVersionRange LowSection="16.526.0.0" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
</AppLockerPolicy>
```
12. After youve created your XML file, you need to import it by using Microsoft Intune.
**To import your Applocker policy file app rule using Microsoft Intune**
1. From the **App Rules** area, click **Add**.
The **Add App Rule** box appears.
![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Allowed app list*.
3. Click **Allow** from the **Enterprise data protection mode** drop-down list.
Allow turns on EDP, helping to protect that apps corporate data through the enforcement of EDP restrictions. Instructions for exempting an app are included in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp-restrictions) section of this topic.
4. Pick **AppLocker policy file** from the **Rule template** drop-down list.
The box changes to let you import your AppLocker XML policy file.
5. Click **Import**, browse to your AppLocker XML file, click **Open**, and then click **OK** to close the **Add App Rule** box.
The file is imported and the apps are added to your **App Rules** list.
#### Exempt apps from EDP restrictions
If you're running into compatibility issues where your app is incompatible with EDP, but still needs to be used with enterprise data, you can exempt the app from the EDP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
**To exempt a store app, a desktop app, or an AppLocker policy file app rule**
1. From the **App Rules** area, click **Add**.
The **Add App Rule** box appears.
2. Add a friendly name for your app into the **Title** box. In this example, its *Exempt apps list*.
3. Click **Exempt** from the **Enterprise data protection mode** drop-down list.
Be aware that when you exempt apps, theyre allowed to bypass the EDP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic.
4. Fill out the rest of the app rule info, based on the type of rule youre adding:
- **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic.
- **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic.
- **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps.
5. Click **OK**.
### Manage the EDP protection mode for your enterprise data
After you've added the apps you want to protect with EDP, you'll need to apply a management and protection mode.
We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
|Mode |Description |
|-----|------------|
|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Override |EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything that wouldve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or EDP-protected data, are still blocked.|
|Off (not recommended) |EDP is turned off and doesn't help to protect or audit your data.<p>After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives.|
![Microsoft Intune, Set the protection mode for your data](images/intune-protection-mode.png)
### Define your enterprise-managed corporate identity
Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps youve marked as protected by EDP. For example, emails using contoso.com are identified as being corporate and are restricted by your enterprise data protection policies.
You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
**To add your corporate identity**
- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
![Microsoft Intune, Set your primary Internet domains](images/intune-corporate-identity.png)
### Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
There are no default locations included with EDP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprises range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
>**Important**<br>
- Every EDP policy should include policy that defines your enterprise network locations.<p>
- Classless Inter-Domain Routing (CIDR) notation isnt supported for EDP configurations.
**To define where your protected apps can find and send enterprise data on you network**
1. Add additional network locations your apps can access by clicking **Add**.
The **Add or edit corporate network definition** box appears.
2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png)
<p>
<table>
<tr>
<th>Network location type</th>
<th>Format</th>
<th>Description</th>
</tr>
<tr>
<td>Enterprise Cloud Resources</td>
<td>**With proxy:** contoso.sharepoint.com,proxy.contoso.com|<br>contoso.visualstudio.com,proxy.contoso.com<p>**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by EDP.<p>For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/`</td>
</tr>
<tr>
<td>Enterprise Network Domain Names (Required)</td>
<td>corp.contoso.com,region.contoso.com</td>
<td>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<p>This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.<p>If you have multiple resources, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Enterprise Proxy Servers</td>
<td>proxy.contoso.com:80;proxy2.contoso.com:137</td>
<td>Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with EDP.<p>This list shouldnt include any servers listed in the Enterprise Internal Proxy Servers list, which are used for EDP-protected traffic.<p>This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when youre visiting another company and not on that companys guest network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
</tr>
<tr>
<td>Enterprise Internal Proxy Servers</td>
<td>contoso.internalproxy1.com;contoso.internalproxy2.com</td>
<td>Specify the proxy servers your devices will go through to reach your cloud resources.<p>Using this server type indicates that the cloud resources youre connecting to are enterprise resources.<p>This list shouldnt include any servers listed in the Enterprise Proxy Servers list, which are used for non-EDP-protected traffic.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
</tr>
<tr>
<td>Enterprise IPv4 Range (Required, if not using IPv6)</td>
<td>**Starting IPv4 Address:** 3.4.0.1<br>**Ending IPv4 Address:** 3.4.255.254<br>**Custom URI:** 3.4.0.1-3.4.255.254,<br>10.0.0.1-10.255.255.254</td>
<td>Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Enterprise IPv6 Range (Required, if not using IPv4)</td>
<td>**Starting IPv6 Address:** 2a01:110::<br>**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br>**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td>
<td>Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Neutral Resources</td>
<td>sts.contoso.com,sts.contoso2.com</td>
<td>Specify your authentication redirection endpoints for your company.<p>These locations are considered enterprise or personal, based on the context of the connection before the redirection.<p>If you have multiple resources, you must separate them using the "," delimiter.</td>
</tr>
</table>
3. Add as many locations as you need, and then click **OK**.
The **Add corporate network definition** box closes.
4. Decide if you want to Windows to look for additional network settings:
- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.
- **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
- **Show the enterprise data protection icon overlay on your allowed apps that are EDP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the enterprise data protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps.
5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png)
After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees local device drive. If somehow the employees local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.
#### Create and verify an Encrypting File System (EFS) DRA certificate for EDP
If you dont already have an EFS DRA certificate, youll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, well use the file name *EFSDRA*; however, this name can be replaced with anything that makes sense to you.
>**Important**<br>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy.
**To manually create an EFS DRA certificate**
1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate.
2. Run this command:
`cipher /r:<EFSDRA>`<br>Where `<EFSDRA>` is the name of the .cer and .pfx files that you want to create.
3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file.
The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1.
>**Important**<br>Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location.
4. Add your EFS DRA certificate to your EDP policy by using Step 3 of the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic.
**To verify your data recovery certificate is correctly set up on an EDP client computer**
1. Open an app on your protected app list, and then create and save a file so that its encrypted by EDP.
2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
`cipher /c <filename>`<br>Where `<filename>` is the name of the file you created in Step 1.
3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list.
**To recover your data using the EFS DRA certificate in a test environment**
1. Copy your EDP-encrypted file to a location where you have admin access.
2. Install the EFSDRA.pfx file, using your password.
3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command:
`cipher /d <encryptedfile.extension>`<br>Where `<encryptedfile.extension>` is the name of your encrypted file. For example, corporatedata.docx.
### Choose your optional EDP-related settings
After you've decided where your protected apps can access enterprise data on your network, youll be asked to decide if you want to add any optional EDP settings.
![Microsoft Intune, Choose any additional, optional settings](images/intune-optional-settings.png)
**To set your optional settings**
1. Choose to set any or all of the optional settings:
- **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are:
- **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box.
- **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult.
- **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether apps can show corporate data on a Windows 10 Mobile device **Lock** screen. The options are:
- **Yes (recommended).** Stop apps from reading corporate data on Windows 10 Mobile device when the screen is locked.
- **No, or not configured.** Allows apps to read corporate data on Windows 10 Mobile device when the screen is locked.
- **Revoke encryption keys on unenroll.** Determines whether to revoke a users local encryption keys from a device when its unenrolled from enterprise data protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
- **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
- **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if youre migrating between Mobile Device Management (MDM) solutions.
- **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are:
- **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps.
- **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
- **Show the enterprise data protection icon overlay.** Determines whether the enterprise data protection icon overlay appears on corporate files or in the **Start** menu, on top of the tiles for your unenlightened protected apps. The options are:
- **Yes (recommended).** Allows the enterprise data protection icon overlay to appear for files or on top of the tiles for your unenlightened protected apps in the **Start** menu.
- **No, or not configured.** Stops the enterprise data protection icon overlay from appearing for files or on top of the tiles for your unenlightened protected apps in the **Start** menu.
2. Click **Save Policy**.
## Related topics
- [Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)
- [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md)
- [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md)
- [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md)
redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/create-wip-policy-using-intune
---
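Review bot: Replacing this topic body with the single `redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/create-wip-policy-using-intune` line drops security guidance that needs a home in the target topic, in particular the EFS DRA procedure (create with `cipher /r:<EFSDRA>`, verify with `cipher /c <filename>`, recover with `cipher /d <encryptedfile.extension>`) and the "Important" note that the EFSDRA.cer/.pfx pair can decrypt any EDP file and should be kept on a smart card in a secured location; confirm the WIP topic carries equivalent text before merging. The closing `---` on the last line of the hunk also needs a matching opening `---` above `redirect_url:` for the front matter to parse, and that opening delimiter is not visible here. Finally, the removed "Related topics" links (add-apps-to-protected-list-using-custom-uri.md, deploy-edp-policy-using-intune.md, create-vpn-and-edp-policy-using-intune.md, guidance-and-best-practices-edp.md) should each get their own redirect so inbound links to the old EDP file names do not dead-end.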

View File

@ -1,541 +1,5 @@
---
title: Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager (Windows 10)
description: Configuration Manager (version 1606 or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529
keywords: EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
---
# Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager
**Applies to:**
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
- System Center Configuration Manager (version 1605 Tech Preview or later)
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
System Center Configuration Manager (version 1605 Tech Preview or later) helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection mode, and how to find enterprise data on the network.
>**Important**<br>
If you previously created an EDP policy using System Center Configuration Manager version 1511 or 1602, youll need to recreate it using version 1605 Tech Preview or later. Editing an EDP policy created in version 1511 or 1602 is not supported in version 1605 Tech Preview. There is no migration path between EDP policies across these versions.
## Add an EDP policy
After youve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for EDP, which in turn becomes your EDP policy.
**To create a configuration item for EDP**
1. Open the System Center Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
![System Center Configuration Manager, Configuration Items screen](images/edp-sccm-addpolicy.png)
2. Click the **Create Configuration Item** button.<p>
The **Create Configuration Item Wizard** starts.
![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/edp-sccm-generalscreen.png)
3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use System Center Configuration Manager for device management, and then click **Next**.
- **Settings for devices managed with the Configuration Manager client:** Windows 10
-OR-
- **Settings for devices managed without the Configuration Manager client:** Windows 8.1 and Windows 10
5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**.
![Create Configuration Item wizard, choose the supported platforms for the policy](images/edp-sccm-supportedplat.png)
6. On the **Device Settings** screen, click **Enterprise data protection**, and then click **Next**.
![Create Configuration Item wizard, choose the enterprise data protection settings](images/edp-sccm-devicesettings.png)
The **Configure enterprise data protection settings** page appears, where you'll configure your policy for your organization.
### Add app rules to your policy
During the policy-creation process in System Center Configuration Manager, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed desktop app (also known as a Classic Windows app), or an AppLocker policy file.
>**Important**<br>
EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary, and EDP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process. <p>Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **App rules** list. If you dont get this statement, its possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
#### Add a store app rule to your policy
For this example, were going to add Microsoft OneNote, a store app, to the **App Rules** list.
**To add a store app**
1. From the **App rules** area, click **Add**.
The **Add app rule** box appears.
![Create Configuration Item wizard, add a universal store app](images/edp-sccm-adduniversalapp.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Microsoft OneNote*.
3. Click **Allow** from the **Enterprise data protection mode** drop-down list.
Allow turns on EDP, helping to protect that apps corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section.
4. Pick **Store App** from the **Rule template** drop-down list.
The box changes to show the store app rule options.
5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
**To find the Publisher and Product Name values for Store apps without installing them**
1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
>**Note**<br>
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value.
The API runs and opens a text editor with the app details.
``` json
{
"packageIdentityName": "Microsoft.Office.OneNote",
"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
}
```
4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
>**Important**<br>
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.<p>For example:
```json
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
```
**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
>**Note**<br>
Your PC and phone must be on the same wireless network.
2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
3. On the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
7. Start the app for which you're looking for the publisher and product name values.
8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
>**Important**<br>
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.<p>For example:
```json
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
```
#### Add a desktop app rule to your policy
For this example, were going to add Internet Explorer, a desktop app, to the **App Rules** list.
**To add a desktop app to your policy**
1. From the **App rules** area, click **Add**.
The **Add app rule** box appears.
![Create Configuration Item wizard, add a classic desktop app](images/edp-sccm-adddesktopapp.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Internet Explorer*.
3. Click **Allow** from the **Enterprise data protection mode** drop-down list.
Allow turns on EDP, helping to protect that apps corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section.
4. Pick **Desktop App** from the **Rule template** drop-down list.
The box changes to show the desktop app rule options.
5. Pick the options you want to include for the app rule (see table), and then click **OK**.
<table>
<tr>
<th>Option</th>
<th>Manages</th>
</tr>
<tr>
<td>All fields left as “*”</td>
<td>All files signed by any publisher. (Not recommended.)</td>
</tr>
<tr>
<td><strong>Publisher</strong> selected</td>
<td>All files signed by the named publisher.<p>This might be useful if your company is the publisher and signer of internal line-of-business apps.</td>
</tr>
<tr>
<td><strong>Publisher</strong> and <strong>Product Name</strong> selected</td>
<td>All files for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, and <strong>Binary name</strong> selected</td>
<td>Any version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, and above</strong>, selected</td>
<td>Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<p>This option is recommended for enlightened apps that weren't previously enlightened.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, And below</strong> selected</td>
<td>Specified version or older releases of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, Exactly</strong> selected</td>
<td>Specified version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
</table>
If youre unsure about what to include for the publisher, you can run this PowerShell command:
```ps1
Get-AppLockerFileInformation -Path "<path of the exe>"
```
Where `"<path of the exe>"` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`.
In this example, you'd get the following info:
``` json
Path Publisher
---- ---------
%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR...
```
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
#### Add an AppLocker policy file
For this example, were going to add an AppLocker XML file to the **App Rules** list. Youll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/applocker-overview) content.
**To create an app rule and xml file using the AppLocker tool**
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png)
3. Right-click in the right-hand pane, and then click **Create New Rule**.
The **Create Packaged app Rules** wizard appears.
4. On the **Before You Begin** page, click **Next**.
![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png)
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png)
6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area.
![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png)
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, were using Microsoft Photos.
![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png)
8. On the updated **Publisher** page, click **Create**.
![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png)
9. Review the Local Security Policy snap-in to make sure your rule is correct.
![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png)
10. In the left pane, right-click on **AppLocker**, and then click **Export policy**.
The **Export policy** box opens, letting you export and save your new policy as XML.
![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png)
11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
The policy is saved and youll see a message that says 1 rule was exported from the policy.
**Example XML file**<br>
This is the XML file that AppLocker creates for Microsoft Photos.
```xml
<AppLockerPolicy Version="1">
<RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Msi" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Script" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Dll" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Appx" EnforcementMode="NotConfigured">
<FilePublisherRule Id="5e0c752b-5921-4f72-8146-80ad5f582110" Name="Microsoft.Windows.Photos, version 16.526.0.0 and above, from Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.Photos" BinaryName="*">
<BinaryVersionRange LowSection="16.526.0.0" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
</AppLockerPolicy>
```
12. After youve created your XML file, you need to import it by using System Center Configuration Manager.
**To import your Applocker policy file app rule using 1System Center Configuration Manager**
1. From the **App rules** area, click **Add**.
The **Add app rule** box appears.
![Create Configuration Item wizard, add an AppLocker policy](images/edp-sccm-addapplockerfile.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Allowed app list*.
3. Click **Allow** from the **Enterprise data protection mode** drop-down list.
Allow turns on EDP, helping to protect that apps corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section.
4. Pick the **AppLocker policy file** from the **Rule template** drop-down list.
The box changes to let you import your AppLocker XML policy file.
5. Click the ellipsis (...) to browse for your AppLocker XML file, click **Open**, and then click **OK** to close the **Add app rule** box.
The file is imported and the apps are added to your **App Rules** list.
#### Exempt apps from EDP restrictions
If you're running into compatibility issues where your app is incompatible with EDP, but still needs to be used with enterprise data, you can exempt the app from the EDP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
**To exempt a store app, a desktop app, or an AppLocker policy file app rule**
1. From the **App rules** area, click **Add**.
The **Add app rule** box appears.
2. Add a friendly name for your app into the **Title** box. In this example, its *Exempt apps list*.
3. Click **Exempt** from the **Enterprise data protection mode** drop-down list.
Be aware that when you exempt apps, theyre allowed to bypass the EDP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic.
4. Fill out the rest of the app rule info, based on the type of rule youre adding:
- **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic.
- **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic.
- **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps.
5. Click **OK**.
### Manage the EDP-protection level for your enterprise data
After you've added the apps you want to protect with EDP, you'll need to apply a management and protection mode.
We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
|Mode |Description |
|-----|------------|
|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Override |EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything that wouldve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or EDP-protected data, are still blocked.|
|Off (not recommended) |EDP is turned off and doesn't help to protect or audit your data.<p>After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives.|
![Create Configuration Item wizard, choose your EDP-protection level](images/edp-sccm-appmgmt.png)
### Define your enterprise-managed identity domains
Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps youve marked as protected by EDP. For example, emails using contoso.com are identified as being corporate and are restricted by your enterprise data protection policies.
You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
**To add your corporate identity**
- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/edp-sccm-corp-identity.png)
### Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
There are no default locations included with EDP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprises range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
>**Important**<br>
- Every EDP policy should include policy that defines your enterprise network locations.
- Classless Inter-Domain Routing (CIDR) notation isnt supported for EDP configurations.
**To define where your protected apps can find and send enterprise data on you network**
1. Add additional network locations your apps can access by clicking **Add**.
The **Add or edit corporate network definition** box appears.
2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
![Add or edit corporate network definition box, Add your enterprise network locations](images/edp-sccm-add-network-domain.png)
<table>
<tr>
<th>Network location type</th>
<th>Format</th>
<th>Description</th>
</tr>
<tr>
<td>Enterprise Cloud Resources</td>
<td>**With proxy:** contoso.sharepoint.com,proxy.contoso.com|<br>contoso.visualstudio.com,proxy.contoso.com<p>**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by EDP.<p>For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/`</td>
</tr>
<tr>
<td>Enterprise Network Domain Names (Required)</td>
<td>corp.contoso.com,region.contoso.com</td>
<td>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<p>This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.<p>If you have multiple resources, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Enterprise Proxy Servers</td>
<td>proxy.contoso.com:80;proxy2.contoso.com:137</td>
<td>Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with EDP.<p>This list shouldnt include any servers listed in the Enterprise Internal Proxy Servers list, which are used for EDP-protected traffic.<p>This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when youre visiting another company and not on that companys guest network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
</tr>
<tr>
<td>Enterprise Internal Proxy Servers</td>
<td>contoso.internalproxy1.com;contoso.internalproxy2.com</td>
<td>Specify the proxy servers your devices will go through to reach your cloud resources.<p>Using this server type indicates that the cloud resources youre connecting to are enterprise resources.<p>This list shouldnt include any servers listed in the Enterprise Proxy Servers list, which are used for non-EDP-protected traffic.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
</tr>
<tr>
<td>Enterprise IPv4 Range (Required)</td>
<td>**Starting IPv4 Address:** 3.4.0.1<br>**Ending IPv4 Address:** 3.4.255.254<br>**Custom URI:** 3.4.0.1-3.4.255.254,<br>10.0.0.1-10.255.255.254</td>
<td>Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Enterprise IPv6 Range</td>
<td>**Starting IPv6 Address:** 2a01:110::<br>**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br>**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td>
<td>Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Neutral Resources</td>
<td>sts.contoso.com,sts.contoso2.com</td>
<td>Specify your authentication redirection endpoints for your company.<p>These locations are considered enterprise or personal, based on the context of the connection before the redirection.<p>If you have multiple resources, you must separate them using the "," delimiter.</td>
</tr>
</table>
3. Add as many locations as you need, and then click **OK**.
The **Add or edit corporate network definition** box closes.
4. Decide if you want to Windows to look for additional network settings.
![Create Configuration Item wizard, Add whether to search for additional network settings](images/edp-sccm-optsettings.png)
- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.
- **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
- **Show the enterprise data protection icon overlay on your allowed apps that are EDP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the enterprise data protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps.
5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/edp-sccm-dra.png)
After you create and deploy your EDP policy to your employees, Windows will begin to encrypt your corporate data on the employees local device drive. If somehow the employees local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic.
#### Create and verify an Encrypting File System (EFS) DRA certificate for EDP
If you dont already have an EFS DRA certificate, youll need to create and extract one from your system before you can use EDP in your organization. For the purposes of this section, well use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
>**Important**<br>If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy.
**To manually create an EFS DRA certificate**
1. On a computer without an EFS DRA certificate installed, open a command prompt with elevated rights, and then navigate to where you want to store the certificate.
2. Run this command:
`cipher /r:<EFSDRA>`<br>Where `<EFSDRA>` is the name of the .cer and .pfx files that you want to create.
3. When prompted, type and confirm a password to help protect your new Personal Information Exchange (.pfx) file.
The EFSDRA.cer and EFSDRA.pfx files are created in the location you specified in Step 1.
>**Important**<br>Because these files can be used to decrypt any EDP file, you must protect them accordingly. We highly recommend storing them as a public key (PKI) on a smart card with strong protection, stored in a secured physical location.
4. Add your EFS DRA certificate to your EDP policy by using Step 3 of the [Choose where apps can access enterprise data](#choose-where-apps-can-access-enterprise-data) section of this topic.
**To verify your data recovery certificate is correctly set up on an EDP client computer**
1. Open an app on your protected app list, and then create and save a file so that its encrypted by EDP.
2. Open a command prompt with elevated rights, navigate to where you stored the file you just created, and then run this command:
`cipher /c <filename>`<br>Where `<filename>` is the name of the file you created in Step 1.
3. Make sure that your data recovery certificate is listed in the **Recovery Certificates** list.
**To recover your data using the EFS DRA certificate in a test environment**
1. Copy your EDP-encrypted file to a location where you have admin access.
2. Install the EFSDRA.pfx file, using your password.
3. Open a command prompt with elevated rights, navigate to the encrypted file, and then run this command:
`cipher /d <encryptedfile.extension>`<br>Where `<encryptedfile.extension>` is the name of your encrypted file. For example, corporatedata.docx.
### Choose your optional EDP-related settings
After you've decided where your protected apps can access enterprise data on your network, youll be asked to decide if you want to add any optional EDP settings.
![Create Configuration Item wizard, Choose any additional, optional settings](images/edp-sccm-additionalsettings.png)
**To set your optional settings**
1. Choose to set any or all of the optional settings:
- **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are:
- **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box.
- **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult.
- **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether apps can show corporate data on a Windows 10 Mobile device **Lock** screen. The options are:
- **Yes (recommended).** Stop apps from reading corporate data on Windows 10 Mobile device when the screen is locked.
- **No, or not configured.** Allows apps to read corporate data on Windows 10 Mobile device when the screen is locked.
- **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are:
- **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps.
- **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
- **Revoke local encryption keys during the unerollment process.** Determines whether to revoke a users local encryption keys from a device when its unenrolled from enterprise data protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
- **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
- **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if youre migrating between Mobile Device Management (MDM) solutions.
2. After you pick all of the settings you want to include, click **Summary**.
### Review your configuration choices in the Summary screen
After you've finished configuring your policy, you can review all of your info on the **Summary** screen.
**To view the Summary screen**
- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.
![Create Configuration Item wizard, Summary screen for all of your policy choices](images/edp-sccm-summaryscreen.png)
A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
## Deploy the EDP policy
After youve created your EDP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
- [Operations and Maintenance for Compliance Settings in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=708224)
- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708225)
- [How to Deploy Configuration Baselines in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708226)
## Related topics
- [System Center Configuration Manager and Endpoint Protection (Version 1606)](http://go.microsoft.com/fwlink/p/?LinkId=717372)
- [TechNet documentation for Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=691623)
- [Manage mobile devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=691624)
redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/create-wip-policy-using-sccm
---
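Review bot: The SCCM EDP topic is replaced here by a stub whose only visible content is `redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/create-wip-policy-using-sccm` followed by a closing `---`; confirm the stub's front matter also has its opening `---` and that the target `create-wip-policy-using-sccm` topic actually exists, since the files visible in this commit range only add the Intune WIP topics. The removed text also carried the EFS DRA recovery procedure (`cipher /r:<EFSDRA>`, `cipher /c <filename>`, `cipher /d <encryptedfile.extension>`) and the warning that the DRA .pfx can decrypt any EDP-protected file and should live on a smart card in a secured location; make sure the WIP target topic keeps that key-recovery guidance and caveat rather than dropping them with the redirect.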

View File

@ -1,119 +1,5 @@
---
title: Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune (Windows 10)
description: After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy.
ms.assetid: d0eaba4f-6d7d-4ae4-8044-64680a40cf6b
keywords: EDP, Enterprise Data Protection
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
---
# Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune
**Applies to:**
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
After you've created and deployed your enterprise data protection (EDP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your EDP policy.
## Create your VPN policy using Microsoft Intune
Follow these steps to create the VPN policy you want to use with EDP.
**To create your VPN policy**
1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
2. Go to **Windows**, click the **VPN Profile (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
![Microsoft Intune: Create a new policy using the New Policy screen](images/intune-vpn-createpolicy.png)
3. Type *EdpModeID* into the **Name** box, along with an optional description for your policy into the **Description** box.
![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-titledescription.png)
4. In the **VPN Settings** area, type the following info:
- **VPN connection name.** This name is also what appears to your employees, so it's important that it be clear and understandable.
- **Connection type.** Pick the connection type that matches your infrastructure. The options are **Pulse Secure**, **F5 Edge Client**, **Dell SonicWALL Mobile Connect**, or **Check Point Capsule VPN**.
- **VPN server description.** A descriptive name for this connection. Only you will see it, but it should be unique and readable.
- **Server IP address or FQDN.** The server's IP address or fully-qualified domain name (FQDN).
![Microsoft Intune: Fill in the VPN Settings area](images/intune-vpn-vpnsettings.png)
5. In the **Authentication** area, choose the authentication method that matches your VPN infrastructure, either **Username and Password** or **Certificates**.<p>
It's your choice whether you check the box to **Remember the user credentials at each logon**.
![Microsoft Intune: Choose the Authentication Method for your VPN system](images/intune-vpn-authentication.png)
6. You can leave the rest of the default or blank settings, and then click **Save Policy**.
## Deploy your VPN policy using Microsoft Intune
After youve created your VPN policy, you'll need to deploy it to the same group you deployed your enterprise data protection (EDP) policy.
**To deploy your VPN policy**
1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.<p>
The added people move to the **Selected Groups** list on the right-hand pane.
![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-deploy-vpn.png)
3. After you've picked all of the employees and groups that should get the policy, click **OK**.<p>
The policy is deployed to the selected users' devices.
## Link your EDP and VPN policies and deploy the custom configuration policy
The final step to making your VPN configuration work with EDP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **EdpModeID** setting, and then deploying the policy to the same group you deployed your EDP and VPN policies
**To link your VPN policy**
1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
2. Go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
![Microsoft Intune: Create a new policy from the New Policy screen](images/intune-vpn-customconfig.png)
3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-edpmodeid.png)
4. In the **OMA-URI Settings** area, click **Add** to add your **EdpModeID** info.
5. In the **OMA-URI Settings** area, type the following info:
- **Setting name.** Type **EdpModeID** as the name.
- **Data type.** Pick the **String** data type.
- **OMA-URI.** Type `./Vendor/MSFT/VPNv2/<your_edp_policy_name>/EdpModeId`, replacing *&lt;your\_edp\_policy\_name&gt;* with the name you gave to your EDP policy. For example, `./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/EdpModeId`.
- **Value.** Your fully-qualified domain that should be used by the OMA-URI setting.
![Microsoft Intune: Fill in the OMA-URI Settings for the EdpModeID setting](images/intune-vpn-omaurisettings.png)
6. Click **OK** to save your new OMA-URI setting, and then click **Save Policy.**
**To deploy your linked policy**
1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**. The added people move to the **Selected Groups** list on the right-hand pane.
3. After you've picked all of the employees and groups that should get the policy, click **OK**. The policy is deployed to the selected users' devices.
 
 
redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/create-vpn-and-wip-policy-using-intune
---
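Review bot: Only the closing `---` is visible after `redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/create-vpn-and-wip-policy-using-intune` at the end of this hunk, with two blank lines before it; check that the 5-line stub this hunk leaves behind has a well-formed front-matter block (opening `---`, `redirect_url:`, closing `---`) and no stray blank lines, otherwise the redirect will not be picked up. The deleted topic's `ms.assetid: d0eaba4f-6d7d-4ae4-8044-64680a40cf6b` is reused verbatim by the new WIP VPN topic in the following hunk, so the stub must not retain that assetid or the two files will collide on it.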

View File

@ -0,0 +1,113 @@
---
title: Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune (Windows 10)
description: After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
ms.assetid: d0eaba4f-6d7d-4ae4-8044-64680a40cf6b
keywords: WIP, Enterprise Data Protection
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
---
# Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune
**Applies to:**
- Windows 10, version 1607
- Windows 10 Mobile
After you've created and deployed your Windows Information Protection (WIP) policy, you can use Microsoft Intune to create and deploy your Virtual Private Network (VPN) policy, linking it to your WIP policy.
## Create your VPN policy using Microsoft Intune
Follow these steps to create the VPN policy you want to use with WIP.
**To create your VPN policy**
1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
2. Go to **Windows**, click the **VPN Profile (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
![Microsoft Intune: Create a new policy using the New Policy screen](images/intune-vpn-createpolicy.png)
3. Type *WIPModeID* into the **Name** box, along with an optional description for your policy into the **Description** box.
![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-titledescription.png)
4. In the **VPN Settings** area, type the following info:
- **VPN connection name.** This name is also what appears to your employees, so it's important that it be clear and understandable.
- **Connection type.** Pick the connection type that matches your infrastructure. The options are **Pulse Secure**, **F5 Edge Client**, **Dell SonicWALL Mobile Connect**, or **Check Point Capsule VPN**.
- **VPN server description.** A descriptive name for this connection. Only you will see it, but it should be unique and readable.
- **Server IP address or FQDN.** The server's IP address or fully-qualified domain name (FQDN).
![Microsoft Intune: Fill in the VPN Settings area](images/intune-vpn-vpnsettings.png)
5. In the **Authentication** area, choose the authentication method that matches your VPN infrastructure, either **Username and Password** or **Certificates**.<p>
It's your choice whether you check the box to **Remember the user credentials at each logon**.
![Microsoft Intune: Choose the Authentication Method for your VPN system](images/intune-vpn-authentication.png)
6. You can leave the rest of the default or blank settings, and then click **Save Policy**.
## Deploy your VPN policy using Microsoft Intune
After youve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy.
**To deploy your VPN policy**
1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.<p>
The added people move to the **Selected Groups** list on the right-hand pane.
![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-deploy-vpn.png)
3. After you've picked all of the employees and groups that should get the policy, click **OK**.<p>
The policy is deployed to the selected users' devices.
## Link your WIP and VPN policies and deploy the custom configuration policy
The final step to making your VPN configuration work with WIP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **WIPModeID** setting, and then deploying the policy to the same group you deployed your WIP and VPN policies
**To link your VPN policy**
1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
2. Go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
![Microsoft Intune: Create a new policy from the New Policy screen](images/intune-vpn-customconfig.png)
3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
![Microsoft Intune: Fill in the required Name and optional Description for your policy](images/intune-vpn-wipmodeid.png)
4. In the **OMA-URI Settings** area, click **Add** to add your **WIPModeID** info.
5. In the **OMA-URI Settings** area, type the following info:
- **Setting name.** Type **WIPModeID** as the name.
- **Data type.** Pick the **String** data type.
- **OMA-URI.** Type `./Vendor/MSFT/VPNv2/<your_wip_policy_name>/WIPModeId`, replacing *&lt;your\_wip\_policy\_name&gt;* with the name you gave to your WIP policy. For example, `./Vendor/MSFT/VPNv2/W10-Checkpoint-VPN1/WIPModeId`.
- **Value.** Your fully-qualified domain that should be used by the OMA-URI setting.
![Microsoft Intune: Fill in the OMA-URI Settings for the WIPModeID setting](images/intune-vpn-omaurisettings.png)
6. Click **OK** to save your new OMA-URI setting, and then click **Save Policy.**
**To deploy your linked policy**
1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**. The added people move to the **Selected Groups** list on the right-hand pane.
3. After you've picked all of the employees and groups that should get the policy, click **OK**. The policy is deployed to the selected users' devices.
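Review bot: The OMA-URI in step 5 of "To link your VPN policy" was renamed from `./Vendor/MSFT/VPNv2/<your_edp_policy_name>/EdpModeId` in the deleted topic to `./Vendor/MSFT/VPNv2/<your_wip_policy_name>/WIPModeId` here; the leaf in that path is a VPNv2 CSP node name, not display text, and a product rename in the docs does not rename the CSP node, so unless the CSP itself now exposes `WIPModeId` this setting will silently fail to apply. Keep `EdpModeId` as the node and change only the surrounding prose and the setting's display name. In the same step, the placeholder is described as "the name you gave to your WIP policy" while the example value `W10-Checkpoint-VPN1` reads as a VPN profile name; say explicitly which name belongs in the path. The **Value** bullet ("Your fully-qualified domain that should be used by the OMA-URI setting") should state which domain is meant, that is, the corporate identity domain configured in the WIP policy, since any other FQDN will not link the VPN to the WIP policy. Minor: the sentence ending "deployed your WIP and VPN policies" in the "Link your WIP and VPN policies" intro is missing its final period.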

View File

@ -0,0 +1,471 @@
---
title: Create a Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
description: Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
---
# Create a Windows Information Protection (WIP) policy using Microsoft Intune
**Applies to:**
- Windows 10, version 1607
- Windows 10 Mobile
Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your allowed apps, your WIP-protection level, and how to find enterprise data on the network.
## Important note about the June service update for Insider Preview
We've received some great feedback from you, our Windows 10 Insider Preview customers, about our Windows Information Protection experiences and processes. Because of that feedback, we're delighted to deliver an enhanced apps policy experience with the June service update. This means that when you open an existing Windows Information Protection policy after we release the June service update in your test environment, your existing Windows 10 Windows Information Protection app rules (formerly in the **Protected Apps** area) will be removed.<p>To prepare for this change, we recommend that you make an immediate backup of your current app rules as they are today, so you can use them to help reconfigure your app rules with the enhanced experience. When you open an existing Windows Information Protection policy after we release the June service update, you'll get a dialog box telling you about this change. Click the **OK** button to close the box and to begin reconfiguring your app rules.
![Microsoft Intune: Reconfigure app rules list dialog box](images/wip-intune-app-reconfig-warning.png)
Note that if you exit the **Policy** page before you've saved your new policy, your existing deployments won't be affected. However, if you save the policy without reconfiguring your apps, an updated policy will be deployed to your employees with an empty app rules list.
## Add an WIP policy
After youve set up Intune for your organization, you must create an WIP-specific policy.
**To add an WIP policy**
1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area.
2. Go to **Windows**, click the **Windows Information Protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
![Microsoft Intune: Create your new policy from the New Policy screen](images/intune-createnewpolicy.png)
3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
![Microsoft Intune: Fill out the required Name and optional Description fields](images/intune-generalinfo.png)
### Add app rules to your policy
During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
>**Important**<br>WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.<p>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you dont get this statement, its possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
>**Note**<br>
If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
#### Add a store app rule to your policy
For this example, were going to add Microsoft OneNote, a store app, to the **App Rules** list.
**To add a store app**
1. From the **App Rules** area, click **Add**.
The **Add App Rule** box appears.
![Microsoft Intune, Add a store app to your policy](images/intune-add-uwp-apps.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Microsoft OneNote*.
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic.
4. Pick **Store App** from the **Rule template** drop-down list.
The box changes to show the store app rule options.
5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
**To find the Publisher and Product Name values for Store apps without installing them**
1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*.
>**Note**<br>
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value.
The API runs and opens a text editor with the app details.
```json
{
"packageIdentityName": "Microsoft.Office.OneNote",
"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
}
```
4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune.
>**Important**<br>
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.<p>For example:
```json
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
```
**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
>**Note**<br>Your PC and phone must be on the same wireless network.
2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
7. Start the app for which you're looking for the publisher and product name values.
8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
>**Important**<br>
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.<p>For example:<br>
``` json
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
```
#### Add a desktop app rule to your policy
For this example, were going to add Internet Explorer, a desktop app, to the **App Rules** list.
**To add a desktop app**
1. From the **App Rules** area, click **Add**.
The **Add App Rule** box appears.
![Microsoft Intune, Add a desktop app to your policy](images/intune-add-classic-apps.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Internet Explorer*.
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic.
4. Pick **Desktop App** from the **Rule template** drop-down list.
The box changes to show the store app rule options.
5. Pick the options you want to include for the app rule (see table), and then click **OK**.
<table>
<tr>
<th>Option</th>
<th>Manages</th>
</tr>
<tr>
<td>All fields left as “*”</td>
<td>All files signed by any publisher. (Not recommended.)</td>
</tr>
<tr>
<td><strong>Publisher</strong> selected</td>
<td>All files signed by the named publisher.<p>This might be useful if your company is the publisher and signer of internal line-of-business apps.</td>
</tr>
<tr>
<td><strong>Publisher</strong> and <strong>Product Name</strong> selected</td>
<td>All files for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, and <strong>Binary name</strong> selected</td>
<td>Any version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, and above</strong>, selected</td>
<td>Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<p>This option is recommended for enlightened apps that weren't previously enlightened.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, And below</strong> selected</td>
<td>Specified version or older releases of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, Exactly</strong> selected</td>
<td>Specified version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
</table>
If youre unsure about what to include for the publisher, you can run this PowerShell command:
```ps1
Get-AppLockerFileInformation -Path "<path of the exe>"
```
Where `"<path of the exe>"` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`.
In this example, you'd get the following info:
``` json
Path Publisher
---- ---------
%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR...
```
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
#### Add an AppLocker policy file
For this example, were going to add an AppLocker XML file to the **App Rules** list. Youll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
**To create an app rule and xml file using the AppLocker tool**
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png)
3. Right-click in the right-hand pane, and then click **Create New Rule**.
The **Create Packaged app Rules** wizard appears.
4. On the **Before You Begin** page, click **Next**.
![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png)
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png)
6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area.
![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png)
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, were using Microsoft Photos.
![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png)
8. On the updated **Publisher** page, click **Create**.
![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png)
9. Review the Local Security Policy snap-in to make sure your rule is correct.
![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png)
10. In the left pane, right-click on **AppLocker**, and then click **Export policy**.
The **Export policy** box opens, letting you export and save your new policy as XML.
![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png)
11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
The policy is saved and youll see a message that says 1 rule was exported from the policy.
**Example XML file**<br>
This is the XML file that AppLocker creates for Microsoft Photos.
```xml
<AppLockerPolicy Version="1">
<RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Msi" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Script" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Dll" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Appx" EnforcementMode="NotConfigured">
<FilePublisherRule Id="5e0c752b-5921-4f72-8146-80ad5f582110" Name="Microsoft.Windows.Photos, version 16.526.0.0 and above, from Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.Photos" BinaryName="*">
<BinaryVersionRange LowSection="16.526.0.0" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
</AppLockerPolicy>
```
12. After youve created your XML file, you need to import it by using Microsoft Intune.
**To import your Applocker policy file app rule using Microsoft Intune**
1. From the **App Rules** area, click **Add**.
The **Add App Rule** box appears.
![Microsoft Intune, Importing your AppLocker policy file using Intune](images/intune-add-applocker-xml-file.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Allowed app list*.
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic.
4. Pick **AppLocker policy file** from the **Rule template** drop-down list.
The box changes to let you import your AppLocker XML policy file.
5. Click **Import**, browse to your AppLocker XML file, click **Open**, and then click **OK** to close the **Add App Rule** box.
The file is imported and the apps are added to your **App Rules** list.
#### Exempt apps from WIP restrictions
If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
**To exempt a store app, a desktop app, or an AppLocker policy file app rule**
1. From the **App Rules** area, click **Add**.
The **Add App Rule** box appears.
2. Add a friendly name for your app into the **Title** box. In this example, its *Exempt apps list*.
3. Click **Exempt** from the **Windows Information Protection mode** drop-down list.
Be aware that when you exempt apps, theyre allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic.
4. Fill out the rest of the app rule info, based on the type of rule youre adding:
- **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic.
- **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic.
- **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps.
5. Click **OK**.
### Manage the WIP protection mode for your enterprise data
After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
|Mode |Description |
|-----|------------|
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that wouldve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives.|
![Microsoft Intune, Set the protection mode for your data](images/intune-protection-mode.png)
### Define your enterprise-managed corporate identity
Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps youve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
**To add your corporate identity**
- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
![Microsoft Intune, Set your primary Internet domains](images/intune-corporate-identity.png)
### Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprises range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
>**Important**
- Every WIP policy should include policy that defines your enterprise network locations.
- Classless Inter-Domain Routing (CIDR) notation isnt supported for WIP configurations.
**To define where your protected apps can find and send enterprise data on you network**
1. Add additional network locations your apps can access by clicking **Add**.
The **Add or edit corporate network definition** box appears.
2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
![Microsoft Intune, Add your corporate network definitions](images/intune-networklocation.png)
<p>
<table>
<tr>
<th>Network location type</th>
<th>Format</th>
<th>Description</th>
</tr>
<tr>
<td>Enterprise Cloud Resources</td>
<td>**With proxy:** contoso.sharepoint.com,proxy.contoso.com|<br>contoso.visualstudio.com,proxy.contoso.com<p>**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/`</td>
</tr>
<tr>
<td>Enterprise Network Domain Names (Required)</td>
<td>corp.contoso.com,region.contoso.com</td>
<td>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<p>This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.<p>If you have multiple resources, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Enterprise Proxy Servers</td>
<td>proxy.contoso.com:80;proxy2.contoso.com:137</td>
<td>Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.<p>This list shouldnt include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic.<p>This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when youre visiting another company and not on that companys guest network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
</tr>
<tr>
<td>Enterprise Internal Proxy Servers</td>
<td>contoso.internalproxy1.com;contoso.internalproxy2.com</td>
<td>Specify the proxy servers your devices will go through to reach your cloud resources.<p>Using this server type indicates that the cloud resources youre connecting to are enterprise resources.<p>This list shouldnt include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
</tr>
<tr>
<td>Enterprise IPv4 Range (Required, if not using IPv6)</td>
<td>**Starting IPv4 Address:** 3.4.0.1<br>**Ending IPv4 Address:** 3.4.255.254<br>**Custom URI:** 3.4.0.1-3.4.255.254,<br>10.0.0.1-10.255.255.254</td>
<td>Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Enterprise IPv6 Range (Required, if not using IPv4)</td>
<td>**Starting IPv6 Address:** 2a01:110::<br>**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br>**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td>
<td>Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Neutral Resources</td>
<td>sts.contoso.com,sts.contoso2.com</td>
<td>Specify your authentication redirection endpoints for your company.<p>These locations are considered enterprise or personal, based on the context of the connection before the redirection.<p>If you have multiple resources, you must separate them using the "," delimiter.</td>
</tr>
</table>
3. Add as many locations as you need, and then click **OK**.
The **Add corporate network definition** box closes.
4. Decide if you want to Windows to look for additional network settings:
- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.
- **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
- **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps.
5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
![Microsoft Intune, Add your Data Recovery Agent (DRA) certificate](images/intune-data-recovery.png)
After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees local device drive. If somehow the employees local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md).
### Choose your optional WIP-related settings
After you've decided where your protected apps can access enterprise data on your network, youll be asked to decide if you want to add any optional WIP settings.
![Microsoft Intune, Choose any additional, optional settings](images/intune-optional-settings.png)
**To set your optional settings**
1. Choose to set any or all of the optional settings:
- **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are:
- **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box.
- **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult.
- **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
- **Yes (recommended).** Turns on the feature and provides the additional protection.
- **No, or not configured.** Doesn't enable this feature.
- **Revoke encryption keys on unenroll.** Determines whether to revoke a users local encryption keys from a device when its unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
- **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
- **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if youre migrating between Mobile Device Management (MDM) solutions.
- **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are:
- **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps.
- **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
- **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files or in the **Start** menu, on top of the tiles for your unenlightened protected apps. The options are:
- **Yes (recommended).** Allows the Windows Information Protection icon overlay to appear for files or on top of the tiles for your unenlightened protected apps in the **Start** menu.
- **No, or not configured.** Stops the Windows Information Protection icon overlay from appearing for files or on top of the tiles for your unenlightened protected apps in the **Start** menu.
2. Click **Save Policy**.
## Related topics
- [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md)
- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
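Review bot: the JSON sample under the Important note in the Windows Device Portal steps (`"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",` followed by `}`) has a trailing comma, so it is not valid JSON and will be rejected by anyone who pastes it into a validator; drop the comma. That same block opens its fence as ``` json with a space before the language, unlike the ```xml and ```ps1 fences elsewhere in the file, and the Get-AppLockerFileInformation output a few lines later is fenced as json although it is PowerShell console output, so it should be fenced as plain text. Smaller fixes in this file: "on you network" in the "To define where your protected apps can find and send enterprise data" heading should be "on your network"; "Decide if you want to Windows to look for additional network settings" should drop the first "to"; "on top the tiles" in the icon-overlay bullet should be "on top of the tiles", matching the wording in the optional-settings section; "Applocker" in the "To import your Applocker policy file app rule" heading should be "AppLocker"; and the Permissions screenshot's alt text still says "showing the Before You Begin page", copied from the previous step. Also, the `**With proxy:**` / `**Starting IPv4 Address:**` markers inside the network-location `<td>` cells may render literally, since Markdown inline syntax is generally not processed inside raw HTML blocks; use `<strong>` as the Option table above it already does.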


@ -0,0 +1,504 @@
---
title: Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager (Windows 10)
description: Configuration Manager (version 1606 or later) helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
---
# Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
**Applies to:**
- Windows 10, version 1607
- Windows 10 Mobile
- System Center Configuration Manager
System Center Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
>**Important**<br>
If you previously created an WIP policy using System Center Configuration Manager version 1511 or 1602, youll need to recreate it using version 1606 or later. Editing a WIP policy created in version 1511 or 1602 is not supported in later versions and there is no migration path between older and newer WIP policies.
## Add an WIP policy
After youve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
**To create a configuration item for WIP**
1. Open the System Center Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
![System Center Configuration Manager, Configuration Items screen](images/wip-sccm-addpolicy.png)
2. Click the **Create Configuration Item** button.<p>
The **Create Configuration Item Wizard** starts.
![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/wip-sccm-generalscreen.png)
3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use System Center Configuration Manager for device management, and then click **Next**.
- **Settings for devices managed with the Configuration Manager client:** Windows 10
-OR-
- **Settings for devices managed without the Configuration Manager client:** Windows 8.1 and Windows 10
5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**.
![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-sccm-supportedplat.png)
6. On the **Device Settings** screen, click **Windows Information Protection**, and then click **Next**.
![Create Configuration Item wizard, choose the Windows Information Protection settings](images/wip-sccm-devicesettings.png)
The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization.
### Add app rules to your policy
During the policy-creation process in System Center Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
>**Important**<br>
WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process. <p>Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you dont get this statement, its possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
#### Add a store app rule to your policy
For this example, were going to add Microsoft OneNote, a store app, to the **App Rules** list.
**To add a store app**
1. From the **App rules** area, click **Add**.
The **Add app rule** box appears.
![Create Configuration Item wizard, add a universal store app](images/wip-sccm-adduniversalapp.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Microsoft OneNote*.
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
4. Pick **Store App** from the **Rule template** drop-down list.
The box changes to show the store app rule options.
5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
**To find the Publisher and Product Name values for Store apps without installing them**
1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
>**Note**<br>
If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section.
2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value.
The API runs and opens a text editor with the app details.
``` json
{
"packageIdentityName": "Microsoft.Office.OneNote",
"publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
}
```
4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
>**Important**<br>
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.<p>For example:<p>
```json
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
```
**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
>**Note**<br>
Your PC and phone must be on the same wireless network.
2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
3. On the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
7. Start the app for which you're looking for the publisher and product name values.
8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
>**Important**<br>
The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app thats using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.<p>For example:<p>
```json
{
"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
}
```
#### Add a desktop app rule to your policy
For this example, were going to add Internet Explorer, a desktop app, to the **App Rules** list.
**To add a desktop app to your policy**
1. From the **App rules** area, click **Add**.
The **Add app rule** box appears.
![Create Configuration Item wizard, add a classic desktop app](images/wip-sccm-adddesktopapp.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Internet Explorer*.
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
4. Pick **Desktop App** from the **Rule template** drop-down list.
The box changes to show the desktop app rule options.
5. Pick the options you want to include for the app rule (see table), and then click **OK**.
<table>
<tr>
<th>Option</th>
<th>Manages</th>
</tr>
<tr>
<td>All fields left as “*”</td>
<td>All files signed by any publisher. (Not recommended.)</td>
</tr>
<tr>
<td><strong>Publisher</strong> selected</td>
<td>All files signed by the named publisher.<p>This might be useful if your company is the publisher and signer of internal line-of-business apps.</td>
</tr>
<tr>
<td><strong>Publisher</strong> and <strong>Product Name</strong> selected</td>
<td>All files for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, and <strong>Binary name</strong> selected</td>
<td>Any version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, and above</strong>, selected</td>
<td>Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.<p>This option is recommended for enlightened apps that weren't previously enlightened.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, And below</strong> selected</td>
<td>Specified version or older releases of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
<tr>
<td><strong>Publisher</strong>, <strong>Product Name</strong>, <strong>Binary name</strong>, and <strong>File Version, Exactly</strong> selected</td>
<td>Specified version of the named file or package for the specified product, signed by the named publisher.</td>
</tr>
</table>
If youre unsure about what to include for the publisher, you can run this PowerShell command:
```ps1
Get-AppLockerFileInformation -Path "<path of the exe>"
```
Where `"<path of the exe>"` goes to the location of the app on the device. For example, `Get-AppLockerFileInformation -Path "C:\Program Files\Internet Explorer\iexplore.exe"`.
In this example, you'd get the following info:
``` json
Path Publisher
---- ---------
%PROGRAMFILES%\INTERNET EXPLORER\IEXPLORE.EXE O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US\INTERNET EXPLOR...
```
Where the text, `O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US` is the publisher name to enter in the **Publisher Name** box.
#### Add an AppLocker policy file
For this example, were going to add an AppLocker XML file to the **App Rules** list. Youll use this option if you want to add multiple apps at the same time. For more info about AppLocker, see the [AppLocker](https://technet.microsoft.com/itpro/windows/keep-secure/applocker-overview) content.
**To create an app rule and xml file using the AppLocker tool**
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png)
3. Right-click in the right-hand pane, and then click **Create New Rule**.
The **Create Packaged app Rules** wizard appears.
4. On the **Before You Begin** page, click **Next**.
![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-before-begin.png)
5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
![Create Packaged app Rules wizard, showing the Before You Begin page](images/intune-applocker-permissions.png)
6. On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area.
![Create Packaged app Rules wizard, showing the Publisher](images/intune-applocker-publisher.png)
7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, were using Microsoft Photos.
![Create Packaged app Rules wizard, showing the Select applications page](images/intune-applocker-select-apps.png)
8. On the updated **Publisher** page, click **Create**.
![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png)
9. Review the Local Security Policy snap-in to make sure your rule is correct.
![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png)
10. In the left pane, right-click on **AppLocker**, and then click **Export policy**.
The **Export policy** box opens, letting you export and save your new policy as XML.
![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png)
11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
The policy is saved and youll see a message that says 1 rule was exported from the policy.
**Example XML file**<br>
This is the XML file that AppLocker creates for Microsoft Photos.
```xml
<AppLockerPolicy Version="1">
<RuleCollection Type="Exe" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Msi" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Script" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Dll" EnforcementMode="NotConfigured" />
<RuleCollection Type ="Appx" EnforcementMode="NotConfigured">
<FilePublisherRule Id="5e0c752b-5921-4f72-8146-80ad5f582110" Name="Microsoft.Windows.Photos, version 16.526.0.0 and above, from Microsoft Corporation" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
<Conditions>
<FilePublisherCondition PublisherName="CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US" ProductName="Microsoft.Windows.Photos" BinaryName="*">
<BinaryVersionRange LowSection="16.526.0.0" HighSection="*" />
</FilePublisherCondition>
</Conditions>
</FilePublisherRule>
</RuleCollection>
</AppLockerPolicy>
```
12. After youve created your XML file, you need to import it by using System Center Configuration Manager.
**To import your Applocker policy file app rule using System Center Configuration Manager**
1. From the **App rules** area, click **Add**.
The **Add app rule** box appears.
![Create Configuration Item wizard, add an AppLocker policy](images/wip-sccm-addapplockerfile.png)
2. Add a friendly name for your app into the **Title** box. In this example, its *Allowed app list*.
3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
Allow turns on WIP, helping to protect that apps corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
4. Pick the **AppLocker policy file** from the **Rule template** drop-down list.
The box changes to let you import your AppLocker XML policy file.
5. Click the ellipsis (...) to browse for your AppLocker XML file, click **Open**, and then click **OK** to close the **Add app rule** box.
The file is imported and the apps are added to your **App Rules** list.
#### Exempt apps from WIP restrictions
If you're running into compatibility issues where your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
**To exempt a store app, a desktop app, or an AppLocker policy file app rule**
1. From the **App rules** area, click **Add**.
The **Add app rule** box appears.
2. Add a friendly name for your app into the **Title** box. In this example, its *Exempt apps list*.
3. Click **Exempt** from the **Windows Information Protection mode** drop-down list.
Be aware that when you exempt apps, theyre allowed to bypass the WIP restrictions and access your corporate data. To allow apps, see the [Add app rules to your policy](#add-app-rules-to-your-policy) section of this topic.
4. Fill out the rest of the app rule info, based on the type of rule youre adding:
- **Store app.** Follow the **Publisher** and **Product name** instructions in the [Add a store app rule to your policy](#add-a-store-app-rule-to-your-policy) section of this topic.
- **Desktop app.** Follow the **Publisher**, **Product name**, **Binary name**, and **Version** instructions in the [Add a desktop app rule to your policy](#add-a-desktop-app-rule-to-your-policy) section of this topic.
- **AppLocker policy file.** Follow the **Import** instructions in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section of this topic, using a list of exempted apps.
5. Click **OK**.
### Manage the WIP-protection level for your enterprise data
After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
|Mode |Description |
|-----|------------|
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that wouldve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives.|
![Create Configuration Item wizard, choose your WIP-protection level](images/wip-sccm-appmgmt.png)
### Define your enterprise-managed identity domains
Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps youve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
**To add your corporate identity**
- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/wip-sccm-corp-identity.png)
### Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprises range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
>**Important**<br>
- Every WIP policy should include policy that defines your enterprise network locations.
- Classless Inter-Domain Routing (CIDR) notation isnt supported for WIP configurations.
**To define where your protected apps can find and send enterprise data on you network**
1. Add additional network locations your apps can access by clicking **Add**.
The **Add or edit corporate network definition** box appears.
2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
![Add or edit corporate network definition box, Add your enterprise network locations](images/wip-sccm-add-network-domain.png)
<table>
<tr>
<th>Network location type</th>
<th>Format</th>
<th>Description</th>
</tr>
<tr>
<td>Enterprise Cloud Resources</td>
<td>**With proxy:** contoso.sharepoint.com,proxy.contoso.com|<br>contoso.visualstudio.com,proxy.contoso.com<p>**Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`.<p>If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/`</td>
</tr>
<tr>
<td>Enterprise Network Domain Names (Required)</td>
<td>corp.contoso.com,region.contoso.com</td>
<td>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.<p>This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.<p>If you have multiple resources, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Enterprise Proxy Servers</td>
<td>proxy.contoso.com:80;proxy2.contoso.com:137</td>
<td>Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.<p>This list shouldnt include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic.<p>This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when youre visiting another company and not on that companys guest network.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
</tr>
<tr>
<td>Enterprise Internal Proxy Servers</td>
<td>contoso.internalproxy1.com;contoso.internalproxy2.com</td>
<td>Specify the proxy servers your devices will go through to reach your cloud resources.<p>Using this server type indicates that the cloud resources youre connecting to are enterprise resources.<p>This list shouldnt include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic.<p>If you have multiple resources, you must separate them using the ";" delimiter.</td>
</tr>
<tr>
<td>Enterprise IPv4 Range (Required)</td>
<td>**Starting IPv4 Address:** 3.4.0.1<br>**Ending IPv4 Address:** 3.4.255.254<br>**Custom URI:** 3.4.0.1-3.4.255.254,<br>10.0.0.1-10.255.255.254</td>
<td>Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Enterprise IPv6 Range</td>
<td>**Starting IPv6 Address:** 2a01:110::<br>**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff<br>**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,<br>fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff</td>
<td>Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.<p>If you have multiple ranges, you must separate them using the "," delimiter.</td>
</tr>
<tr>
<td>Neutral Resources</td>
<td>sts.contoso.com,sts.contoso2.com</td>
<td>Specify your authentication redirection endpoints for your company.<p>These locations are considered enterprise or personal, based on the context of the connection before the redirection.<p>If you have multiple resources, you must separate them using the "," delimiter.</td>
</tr>
</table>
3. Add as many locations as you need, and then click **OK**.
The **Add or edit corporate network definition** box closes.
4. Decide if you want to Windows to look for additional network settings.
![Create Configuration Item wizard, Add whether to search for additional network settings](images/wip-sccm-optsettings.png)
- **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.
- **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
- **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps.
5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/wip-sccm-dra.png)
After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees local device drive. If somehow the employees local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md).
### Choose your optional WIP-related settings
After you've decided where your protected apps can access enterprise data on your network, youll be asked to decide if you want to add any optional WIP settings.
![Create Configuration Item wizard, Choose any additional, optional settings](images/wip-sccm-additionalsettings.png)
**To set your optional settings**
1. Choose to set any or all of the optional settings:
- **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are:
- **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box.
- **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult.
- **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
- **Yes (recommended).** Turns on the feature and provides the additional protection.
- **No, or not configured.** Doesn't enable this feature.
- **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are:
- **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps.
- **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
- **Revoke local encryption keys during the unerollment process.** Determines whether to revoke a users local encryption keys from a device when its unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
- **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
- **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if youre migrating between Mobile Device Management (MDM) solutions.
2. After you pick all of the settings you want to include, click **Summary**.
### Review your configuration choices in the Summary screen
After you've finished configuring your policy, you can review all of your info on the **Summary** screen.
**To view the Summary screen**
- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.
![Create Configuration Item wizard, Summary screen for all of your policy choices](images/wip-sccm-summaryscreen.png)
A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
## Deploy the WIP policy
After youve created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
- [Operations and Maintenance for Compliance Settings in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=708224)
- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708225)
- [How to Deploy Configuration Baselines in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708226)
## Related topics
- [System Center Configuration Manager and Endpoint Protection (Version 1606)](http://go.microsoft.com/fwlink/p/?LinkId=717372)
- [TechNet documentation for Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=691623)
- [Manage mobile devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=691624)
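Review bot: the two `windowsPhoneLegacyId` samples (in the Important callouts after step 4 of the store-app procedure and after step 8 of the Windows Device Portal procedure) are not valid JSON because of the trailing comma after the value; drop it so the sample reads `{ "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d" }`, otherwise readers who paste it into a validator or script get a parse error. In the desktop-app rule section, the `Get-AppLockerFileInformation` output block is fenced as `json` although it is PowerShell console output; an untagged fence (or `ps1`, as used for the command itself) avoids misleading highlighting. In the same output the `Publisher` column is truncated to `...INTERNET EXPLOR...`, so it may be worth saying that the full value is `publisher\product\binary,version` and that only the `O=...` prefix goes into the Publisher Name box, since the later IE11 table entry expects exactly that. Smaller wording issues: "paste them into the **Publisher Name** box" should read "paste it"; "on you network" in the network-locations heading should be "on your network"; "Decide if you want to Windows to look" has a stray "to"; "on top the tiles" should be "on top of the tiles"; "unerollment" in the optional settings should be "unenrollment"; and "your exempted apps might leak" should say what leaks (corporate data). The Enterprise IPv4 Range example `3.4.0.1-3.4.255.254` is not an RFC 1918 private range, so a reader copying the sample into a real policy would declare public address space as enterprise; the `10.0.0.1-10.255.255.254` example already in the same cell is the safer one to lead with. Lastly, the two Configuration Manager links under "Deploy the WIP policy" have a space after `](` (`]( http://go.microsoft.com/fwlink/p/?LinkId=708225`), which some Markdown renderers do not treat as a link.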

View File

@ -1,50 +1,5 @@
---
title: Deploy your enterprise data protection (EDP) policy using Microsoft Intune (Windows 10)
description: After youve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices.
ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211
keywords: EDP, Enterprise Data Protection, Intune
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
---
# Deploy your enterprise data protection (EDP) policy using Microsoft Intune
**Applies to:**
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
After youve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
**To deploy your EDP policy**
1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
![Microsoft Intune: Click the Manage Deployment link from the Configuration Policies screen](images/intune-managedeployment.png)
2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.<p>
The added people move to the **Selected Groups** list on the right-hand pane.
![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-groupselection.png)
3. After you've picked all of the employees and groups that should get the policy, click **OK**.<p>
The policy is deployed to the selected users' devices.
## Related topics
- [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md)
-[Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)
- [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md)
- [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md)
 
 
redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/deploy-wip-policy-using-intune
---
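Review bot: a `redirect_url` stub only redirects the published page URL; any in-repo relative links that still point at the removed EDP deploy topic (the Related topics lists in sibling pages use relative `.md` links, as the deleted list here did) are not covered by it and will break at build time, so verify those were updated to `deploy-wip-policy-using-intune.md` in the same change. Also note that the deleted front matter's `ms.assetid` (`9c4a01e7-0b1c-4f15-95d0-0389f0686211`) reappears unchanged in the new WIP deploy topic in the next file; that is the intended way to carry the asset id across a rename, but it is worth confirming no other page still declares the same id.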

View File

@ -0,0 +1,39 @@
---
title: Deploy your Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
description: After youve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, Intune
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
---
# Deploy your Windows Information Protection (WIP) policy using Microsoft Intune
**Applies to:**
- Windows 10, version 1607
- Windows 10 Mobile
After youve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
**To deploy your WIP policy**
1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
![Microsoft Intune: Click the Manage Deployment link from the Configuration Policies screen](images/intune-managedeployment.png)
2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.<p>
The added people move to the **Selected Groups** list on the right-hand pane.
![Microsoft Intune: Pick the group of employees that should get the policy](images/intune-groupselection.png)
3. After you've picked all of the employees and groups that should get the policy, click **OK**.<p>
The policy is deployed to the selected users' devices.
## Related topics
- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
- [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md)
- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
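Review bot: steps 2 and 3 end with a bare `<p>` that is never closed (`...and then click **Add**.<p>` and `...should get the policy, click **OK**.<p>`), which leaves the following explanatory sentence inside an unterminated paragraph; the rest of the WIP docs use `<br>` for this kind of line break (for example `>**Important**<br>`), so use that here for consistency. Minor: "newly-created" in step 1 does not need the hyphen, and the `description` front matter value contains "youve", which looks like a lost apostrophe ("you've").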

View File

@ -1,89 +1,5 @@
---
title: List of enlightened Microsoft apps for use with enterprise data protection (EDP) (Windows 10)
description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list.
ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f
keywords: EDP, Enterprise Data Protection
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
---
# List of enlightened Microsoft apps for use with enterprise data protection (EDP)
**Applies to:**
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your **Protected Apps** list.
## Enlightened versus unenlightened apps
Apps can be enlightened (policy-aware) or unenlightened (policy unaware).
- **Enlightened apps** can differentiate between corporate and personal data, correctly determining which to protect, based on your policies.
- **Unenlightened apps** consider all data corporate and encrypt everything. Typically, you can tell an unenlightened app because:
- Windows Desktop shows it as always running in enterprise mode.
- Windows **Save As** experiences only allow you to save your files as enterprise.
## List of enlightened Microsoft apps
Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
- Microsoft Edge
- Internet Explorer 11
- Microsoft People
- Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
- Microsoft Photos
- Microsoft OneDrive
- Groove Music
- Notepad
- Microsoft Paint
- Microsoft Movies & TV
- Microsoft Messaging
## Adding enlightened Microsoft apps to the Protected Apps list
You can add any or all of the enlightened Microsoft apps to your Protected Apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and System Center Configuration Manager.
|Product name |App info |
|-------------|---------|
|Microsoft Edge |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.MicrosoftEdge<br>**App Type:** Universal app |
|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** iexplore.exe<br>**App Type:** Desktop app |
|Microsoft People |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.People<br>**App Type:** Universal app |
|Word Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.Word<br>**App Type:** Universal app |
|Excel Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.Excel<br>**App Type:** Universal app |
|PowerPoint Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.PowerPoint<br>**App Type:** Universal app |
|OneNote |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.OneNote<br>**App Type:** Universal app |
|Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** microsoft.windowscommunicationsapps<br>**App Type:** Universal app |
|Microsoft Photos |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Windows.Photos<br>**App Type:** Universal app |
|Microsoft OneDrive |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** microsoft.microsoftskydrive<br>**App Type:** Universal app |
|Groove Music |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneMusic<br>**App Type:** Universal app |
|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** notepad.exe<br>**App Type:** Desktop app |
|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** mspaint.exe<br>**App Type:** Desktop app |
|Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneVideo<br>**App Type:** Universal app |
|Microsoft Messaging |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Messaging<br>**App Type:** Universal app |
 
 
redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip
---
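Review bot: the redirect stub hard-codes an absolute target, `redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip`, while every other link touched in this commit is a relative `.md` path; if the site host or the `/itpro/windows/keep-secure/` path moves, this stub breaks silently and nothing in the repo catches it. Prefer a relative redirect if the publishing build supports one, or at least note in the commit that the absolute form is required. The two whitespace-only lines kept between the opening `---` and `redirect_url:` are harmless but can go. The same pattern applies to the other redirect stubs in this commit.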

View File

@ -0,0 +1,77 @@
---
title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP) (Windows 10)
description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list.
ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
---
# List of enlightened Microsoft apps for use with Windows Information Protection(WIP)
**Applies to:**
- Windows 10, version 6017
- Windows 10 Mobile
Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.
## Enlightened versus unenlightened apps
Apps can be enlightened (policy-aware) or unenlightened (policy-unaware).
- **Enlightened apps** can differentiate between corporate and personal data, correctly determining which to protect, based on your policies.
- **Unenlightened apps** consider all data corporate and encrypt everything. Typically, you can tell an unenlightened app because:
- Windows Desktop shows it as always running in enterprise mode.
- Windows **Save As** experiences only allow you to save your files as enterprise.
## List of enlightened Microsoft apps
Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
- Microsoft Edge
- Internet Explorer 11
- Microsoft People
- Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
- Microsoft Photos
- Microsoft OneDrive
- Groove Music
- Notepad
- Microsoft Paint
- Microsoft Movies & TV
- Microsoft Messaging
## Adding enlightened Microsoft apps to the allowed apps list
You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and System Center Configuration Manager.
|Product name |App info |
|-------------|---------|
|Microsoft Edge |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.MicrosoftEdge<br>**App Type:** Universal app |
|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** iexplore.exe<br>**App Type:** Desktop app |
|Microsoft People |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.People<br>**App Type:** Universal app |
|Word Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.Word<br>**App Type:** Universal app |
|Excel Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.Excel<br>**App Type:** Universal app |
|PowerPoint Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.PowerPoint<br>**App Type:** Universal app |
|OneNote |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Office.OneNote<br>**App Type:** Universal app |
|Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** microsoft.windowscommunicationsapps<br>**App Type:** Universal app |
|Microsoft Photos |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Windows.Photos<br>**App Type:** Universal app |
|Microsoft OneDrive |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** microsoft.microsoftskydrive<br>**App Type:** Universal app |
|Groove Music |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneMusic<br>**App Type:** Universal app |
|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** notepad.exe<br>**App Type:** Desktop app |
|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** mspaint.exe<br>**App Type:** Desktop app |
|Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.ZuneVideo<br>**App Type:** Universal app |
|Microsoft Messaging |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Product Name:** Microsoft.Messaging<br>**App Type:** Universal app |
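Review bot: `- Windows 10, version 6017` is a typo for `version 1607`; the sibling topics in this commit all say `Windows 10, version 1607`. The H1 `# List of enlightened Microsoft apps for use with Windows Information Protection(WIP)` is missing the space before `(WIP)`. The `description:` front matter still says "add them to your Protected Apps list" while the body was changed to "allowed apps list", so the search snippet will not match the page; align the two. Since the Publisher and Product Name strings in the table are what the WIP app rules match on, a one-line pointer on how to confirm them on a device (for example `Get-AppxPackage` for the Universal app Name and Publisher values) would help admins catch a mistyped rule before it silently fails to protect an app.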

View File

@ -1,39 +1,5 @@
---
title: General guidance and best practices for enterprise data protection (EDP) (Windows 10)
description: This section includes info about the enlightened Microsoft apps, including how to add them to your Protected Apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP).
ms.assetid: aa94e733-53be-49a7-938d-1660deaf52b0
keywords: EDP, Enterprise Data Protection
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
---
# General guidance and best practices for enterprise data protection (EDP)
**Applies to:**
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
This section includes info about the enlightened Microsoft apps, including how to add them to your **Protected Apps** list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP).
## In this section
|Topic |Description |
|------|------------|
|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. |
|[Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your **Protected Apps** list. |
|[Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) |We've come up with a list of suggested testing scenarios that you can use to test EDP in your company. |
 
 
 
redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip
---

View File

@ -0,0 +1,26 @@
---
title: General guidance and best practices for Windows Information Protection (WIP) (Windows 10)
description: This section includes info about the enlightened Microsoft apps, including how to add them to your Protected Apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP).
ms.assetid: aa94e733-53be-49a7-938d-1660deaf52b0
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
---
# General guidance and best practices for Windows Information Protection (WIP)
**Applies to:**
- Windows 10, version 1607
- Windows 10 Mobile
This section includes info about the enlightened Microsoft apps, including how to add them to your allowed apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP).
## In this section
|Topic |Description |
|------|------------|
|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as Windows Information Protection (WIP), in your enterprise. |
|[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. |
|[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. |
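Review bot: the Mandatory settings row now reads "Windows Information Protection (WIP), formerly known as Windows Information Protection (WIP)"; the EDP-to-WIP search-and-replace hit the "formerly known as" clause. Restore "formerly known as enterprise data protection (EDP)", which the mandatory-settings-for-wip.md hunk in this same commit still uses. The `description:` front matter also still says "Protected Apps list" while the intro paragraph was changed to "allowed apps list".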

View File

@ -11,22 +11,20 @@ ms.pagetype: security
# Mandatory tasks and settings required to turn on Windows Information Protection (WIP)
**Applies to:**
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
- Windows 10, version 1607
- Windows 10 Mobile
This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise.
>**Important**<br>
All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md), based on the tool you're using in your enterprise.
All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your enterprise.
|Task |Description |
|------------------------------------|--------------------------|
|Add at least one app rule in the **App Rules** area in your WIP policy. |You must have at least one app rule specified in the **App Rules** area of your WIP policy. For more info about where this area is and how to add an app rule, see the **Add individual apps to your Protected App list** section of the policy creation topics.|
|Pick your WIP protection level. |You must choose the level of protection level you want to apply to your WIP-protected content, including Override, Silent, or Block. For more info about where this area is and how to decide on your protection level, see the **Manage the EDP protection level for your enterprise data** section of the policy creation topics.|
|Pick your WIP protection level. |You must choose the level of protection level you want to apply to your WIP-protected content, including Override, Silent, or Block. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection level for your enterprise data** section of the policy creation topics.|
|Specify your corporate identity. |You must specify your corporate identity, usually expressed as your primary Internet domain (for example, contoso.com). For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. |
|Specify your Enterprise Network Domain Names. |You must specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics. |
|Specify your Enterprise IPv4 or IPv6 Ranges. |Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics. |
|Include your Data Recovery Agent (DRA) certificate. |This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the **Create and verify an Encrypting File System (EFS) DRA certificate for EDP** section of the policy creation topics. |
|Include your Data Recovery Agent (DRA) certificate. |This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the **Create and verify an Encrypting File System (EFS) DRA certificate** section of the policy creation topics. |
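Review bot: the rewritten row `|Pick your WIP protection level. |You must choose the level of protection level you want to apply` keeps the duplicated "level of protection level" wording from the line it replaces; trim to "the level of protection you want". The Enterprise IPv4/IPv6 row sends readers to the **Define your enterprise-managed corporate identity** section for the network-boundary table, while the Enterprise Network Domain Names row directly above locates what reads like the same table under **Choose where apps can access enterprise data**; one of the two is wrong, confirm against the policy-creation topics. The first row still says **Add individual apps to your Protected App list** although the new topics in this commit call it the allowed apps list; check that the section heading it refers to was renamed too.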

View File

@ -1,37 +1,5 @@
---
title: Create an enterprise data protection (EDP) policy (Windows 10)
description: Microsoft Intune and System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
---
# Create an enterprise data protection (EDP) policy
**Applies to:**
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
Microsoft Intune and System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
## In this section
|Topic |Description |
|------|------------|
|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Intune helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
|[Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
 
 
 
redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy
---

View File

@ -0,0 +1,25 @@
---
title: Create a Windows Information Protection (WIP) policy (Windows 10)
description: Microsoft Intune and System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
---
# Create a Windows Information Protection (WIP) policy
**Applies to:**
- Windows 10, version 1607
- Windows 10 Mobile
Microsoft Intune and System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
## In this section
|Topic |Description |
|------|------------|
|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Intune helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
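Review bot: "your enterprise data protection (WIP) policy" appears in both the `description:` front matter and the intro paragraph; the acronym was renamed but the expansion was not, so it should read "Windows Information Protection (WIP) policy". "Microsoft Intune and System Center Configuration Manager helps you" needs "help" (plural subject). The DRA row carries over a stray `]` after `(create-and-verify-an-efs-dra-certificate.md)` from the old file, which renders as a literal bracket after the link, and "using a Encrypting File System" should be "an".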

View File

@ -1,92 +1,5 @@
---
title: Protect your enterprise data using enterprise data protection (EDP) (Windows 10)
description: With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control.
ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032
keywords: EDP, Enterprise Data Protection
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
---
# Protect your enterprise data using enterprise data protection (EDP)
**Applies to:**
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
Enterprise data protection (EDP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
## Prerequisites
Youll need this software to run EDP in your enterprise:
|Operating system | Management solution |
|-----------------|---------------------|
|Windows 10 Insider Preview | Microsoft Intune<br>-OR-<br>System Center Configuration Manager Technical Preview version 1605 or later<br>-OR-<br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.|
## How EDP works
EDP helps address your everyday challenges in the enterprise. Including:
- Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down.
- Reducing employee frustrations because of restrictive data management policies on enterprise-owned devices.
- Helping to maintain the ownership and control of your enterprise data.
- Helping control the network and data access and data sharing for apps that arent enterprise aware.
### EDP-protection modes
You can set EDP to 1 of 4 protection and management modes:
|Mode|Description|
|----|-----------|
|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organizations network.|
|Override |EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything that wouldve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or EDP-protected data, are still blocked.|
|Off |EDP is turned off and doesn't help to protect or audit your data.<p>After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives. |
<p>**Note**<br>For more info about setting your EDP-protection modes, see either [Create an enterprise data protection (EDP) policy using Intune](create-edp-policy-using-intune.md) or [Create and deploy an enterprise data protection (EDP) policy using Configuration Manager](create-edp-policy-using-sccm.md), depending on your management solution.
## Why use EDP?
EDP gives you a new way to manage data policy enforcement for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. EDP helps make sure that your enterprise data is protected on both corporate and employee-owned devices, even when the employee isnt using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
- **Manage your enterprise documents, apps, and encryption modes.**
- **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an EDP-protected device, EDP encrypts the data on the device.
- **Using allowed apps.** Managed apps (apps that you've included on the protected apps list in your EDP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if EDP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Managed apps and restrictions.** With EDP you can control which apps can access and use your enterprise data. After adding an app to your **Protected App** list, the app is trusted with enterprise data. All apps that arent on this list are blocked from accessing your enterprise network resources and your EDP-protected data.<p>
You dont have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in the **Protected App** list.
- **Deciding your level of data access.** EDP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your **Protected App** list.
- **Continuous data encryption.** EDP helps protect enterprise data on local files and on removable media.<p>
Apps such as Microsoft Word work with EDP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens EDP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies EDP to the new document.
- **Helping prevent accidental data disclosure to public spaces.** EDP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isnt on your **Protected App** list, employees wont be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your **Protected Apps** list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the cloud, while maintaining the encryption.
- **Helping prevent accidental data disclosure to removable media.** EDP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesnt.
- **Remove access to enterprise data from enterprise-protected devices.** EDP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.<p>**Note**<br>System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
## Current limitations with EDP
EDP is still in development and is not yet integrated with Azure Rights Management. This means that while you can deploy an EDP-configured policy to a protected device, that protection is restricted to a single user on the device. Additionally, the EDP-protected data must be stored on NTFS, FAT, or ExFAT file systems.
Use the following table to identify the scenarios that require Azure Rights Management, the behavior when Azure Rights Management is not used with EDP, and the recommended workarounds.
|EDP scenario |Without Azure Rights Management |Workaround |
|-------------|--------------------------------|-----------|
|Saving enterprise data to USB drives |Data in the new location remains encrypted, but becomes inaccessible on other devices or for other users. For example, the file won't open or the file opens, but doesn't contain readable text. |Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.<p>We strongly recommend educating employees about how to limit or eliminate the need for this decryption. |
|Synchronizing data to other services or public cloud storage |Synchronized files aren't protected on additional services or as part of public cloud storage. |Stop the app from synchronizing or don't add the app to your **Protected App** list.<p>For more info about adding apps to the **Protected App** list, see either the [Create an enterprise data protection (EDP) policy using Intune](create-edp-policy-using-intune.md) or the [Create and deploy an enterprise data protection (EDP) policy using Configuration Manager](create-edp-policy-using-sccm.md) topic, depending on your management solution.
## Next steps
After deciding to use EDP in your enterprise, you need to:
- [Create an enterprise data protection (EDP) policy](overview-create-edp-policy.md)
redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip
---
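Review bot: the stub that replaces this topic shows only `redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip` followed by a closing `---`; confirm that the opening `---` front-matter delimiter survives above it, otherwise the redirect key is rendered as body text instead of being honoured by the publishing pipeline. The removed body also linked to create-edp-policy-using-intune.md and create-edp-policy-using-sccm.md, while the new WIP topic links to create-wip-policy-using-intune.md and create-wip-policy-using-sccm.md, so the EDP-named files need the same redirect treatment for existing inbound links to keep resolving.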

@ -0,0 +1,82 @@
---
title: Protect your enterprise data using Windows Information Protection (WIP) (Windows 10)
description: With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control.
ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
---
# Protect your enterprise data using Windows Information Protection (WIP)
**Applies to:**
- Windows 10, version 1607
- Windows 10 Mobile
With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client.
## Prerequisites
Youll need this software to run WIP in your enterprise:
|Operating system | Management solution |
|-----------------|---------------------|
|Windows 10, version 1607 | Microsoft Intune<br>-OR-<br>System Center Configuration Manager<br>-OR-<br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.|
## How WIP works
WIP helps address your everyday challenges in the enterprise. Including:
- Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down.
- Reducing employee frustrations because of restrictive data management policies on enterprise-owned devices.
- Helping to maintain the ownership and control of your enterprise data.
- Helping control the network and data access and data sharing for apps that arent enterprise aware
### WIP-protection modes
You can set WIP to 1 of 4 protection and management modes:
|Mode|Description|
|----|-----------|
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organizations network.|
|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). |
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that wouldve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
|Off |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives. |
<p>**Note**<br>For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution.
## Why use WIP?
WIP gives you a new way to manage data policy enforcement for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. WIP helps make sure that your enterprise data is protected on both corporate and employee-owned devices, even when the employee isnt using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
- **Manage your enterprise documents, apps, and encryption modes.**
- **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an WIP-protected device, WIP encrypts the data on the device.
- **Using allowed apps.** Managed apps (apps that you've included on the Allowed Apps list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldnt paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
- **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are blocked from accessing your enterprise data, depending on your WIP management-mode.
You dont have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list.
- **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list.
- **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media.
Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies WIP to the new document.
- **Helping prevent accidental data disclosure to public spaces.** WIP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isnt on your allowed apps list, employees wont be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your allowed apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
- **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesnt.
- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.<p>**Note**<br>System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
## Next steps
After deciding to use WIP in your enterprise, you need to:
- [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md)
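Review bot: the Prerequisites table lists only "Windows 10, version 1607" as an operating system, while the Applies to list directly above it also names Windows 10 Mobile; either add a row for Mobile or say that the same version 1607 requirement covers it, so readers of the table do not conclude Mobile is unsupported. The Off row states that turning WIP off "an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives"; because that strips protection from data already on disk rather than merely stopping enforcement, it deserves its own callout next to the note on setting protection modes. Minor wording: "while using an WIP-protected device" should read "a WIP-protected device", and "Azure Rights Management also works alongside WIP" needs a comma after the product name.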

@ -1,49 +1,5 @@
---
title: Testing scenarios for enterprise data protection (EDP) (Windows 10)
description: We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company.
ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2
keywords: EDP, Enterprise Data Protection
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
---
# Testing scenarios for enterprise data protection (EDP)
**Applies to:**
- Windows 10 Insider Preview
- Windows 10 Mobile Preview
<span style="color:#ED1C24;">[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]</span>
We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company.
## Testing scenarios
You can try any of the processes included in these scenarios, but you should focus on the ones that you might encounter in your organization.
|Scenario |Processes |
|---------|----------|
|Automatically encrypt files from enterprise apps |<ol><li>Start an unmodified (for example, EDP-unaware) line-of-business app that's on your **Protected Apps** list and then create, edit, write, and save files.</li><li>Make sure that all of the files you worked with from the EDP-unaware app are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.</li><li>Open File Explorer and make sure your modified files are appearing with a **Lock** icon.<p>**Note**<br>Some file types, like .exe and .dll, along with some file paths, like `%windir%` and `%programfiles%`, are excluded from automatic encryption.</li></ol> |
|Block enterprise data from non-enterprise apps |<ol><li>Start an app that doesn't appear on your **Protected Apps** list, and then try to open an enterprise-encrypted file.<p>The app shouldn't be able to access the file.</li><li>Try double-clicking or tapping on the enterprise-encrypted file.<p>If your default app association is an app not on your **Protected Apps** list, you should get an **Access Denied** error message.</li></ol> |
|Copy and paste from enterprise apps to non-enterprise apps |<ol><li>Copy (CTRL+C) content from an app on your **Protected Apps** list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your **Protected Apps** list.<p>You should see an EDP-related warning box, asking you to click either **Got it** or **Cancel**.</li><li>Click **Cancel**.<p>The content isn't pasted into the non-enterprise app.</li><li>Repeat Step 1, but this time click **Got it**, and try to paste the content again.<p>The content is pasted into the non-enterprise app.</li><li>Try copying and pasting content between apps on your **Protected Apps** list.<p>The content should copy and paste between apps without any warning messages.</li></ol> |
|Drag and drop from enterprise apps to non-enterprise apps |<ol><li>Drag content from an app on your **Protected Apps** list, and then try to drop the content into an app that doesn't appear on your **Protected Apps** list.<p>You should see an EDP-related warning box, asking you to click either **Drag Anyway** or **Cancel**.</li><li>Click **Cancel**.<p>The content isn't dropped into the non-enterprise app.</li><li>Repeat Step 1, but this time click **Drag Anyway**, and try to drop the content again.<p>The content is dropped into the non-enterprise app.</li><li>Try dragging and dropping content between apps on your **Protected Apps** list.<p>The content should move between the apps without any warning messages.</li></ol> |
|Share between enterprise apps and non-enterprise apps |<ol><li>Open an app on your **Protected Apps** list, like Microsoft Photos, and try to share content with an app that doesn't appear on your **Protected Apps** list, like Facebook.<p>You should see an EDP-related warning box, asking you to click either **Share Anyway** or **Cancel**.</li><li>Click **Cancel**.<p>The content isn't shared into Facebook.</li><li>Repeat Step 1, but this time click **Share Anyway**, and try to share the content again.<p>The content is shared into Facebook.</li><li>Try sharing content between apps on your **Protected Apps** list.<p>The content should share between the apps without any warning messages.</li></ol> |
|Use the **Encrypt to** functionality |<ol><li>Open File Explorer on the desktop, right-click a decrypted file, and then click **Encrypt to** from the **Encrypt to** menu.<p>EDP should encrypt the file to your Enterprise Identity.</li><li>Make sure that the newly encrypted file has a **Lock** icon.</li><li>In the **Encrypted to** column of File Explorer on the desktop, look for the enterprise ID value.</li><li>Right-click the encrypted file, and then click **Not encrypted** from the **Encrypt to** menu.<p>The file should be decrypted and the **Lock** icon should disappear.</li></ol> |
|Verify that Windows system components can use EDP |<ol><li>Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.</li><li>Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.</li><li>Open File Explorer and make sure your modified files are appearing with a **Lock** icon</li><li>Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the **Protected Apps** list.<p>**Note**<br>Most Windows-signed components like Windows Explorer (when running in the users context), should have access to enterprise data.<p>A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your **Protected Apps** list.</li></ol> |
|Use EDP on FAT/exFAT systems |<ol><li>Start an app that uses the FAT or exFAT file system and appears on your **Protected Apps** list.</li><li>Create, edit, write, save, and move files.<p>Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.</li><li>Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.</li></ol> |
|Use EDP on NTFS systems |<ol><li>Start an app that uses the NTFS file system and appears on your **Protected Apps** list.</li><li>Create, edit, write, save, and move files.<p>Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.</li><li>Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.</li></ol> |
|Unenroll client devices from EDP |<ul><li>Unenroll a device from EDP by going to **Settings**, click **Accounts**, click **Work**, click the name of the device you want to unenroll, and then click **Remove**.<p>The device should be removed and all of the enterprise content for that managed account should be gone.<p>**Important**<br>Unenrolling a device revokes and erases all of the enterprise data for the managed account.</li></ul> |
|Verify that app content is protected when a Windows 10 Mobile phone is locked |<ul><li>Check that protected app data doesn't appear on the **Lock** screen of a Windows 10 Mobile phone</li></ul> |
 
 
 
redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/testing-scenarios-for-wip
---
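Review bot: this topic is collapsed to a redirect and the new testing-scenarios WIP topic in the next file reuses its `ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2`; that is fine only if the stub keeps no front matter of its own, so check that the stub is reduced to the delimiters plus `redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/testing-scenarios-for-wip` and does not retain the assetid line, otherwise two topics will share one asset id.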

@ -0,0 +1,36 @@
---
title: Testing scenarios for Windows Information Protection (WIP) (Windows 10)
description: We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2
keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
---
# Testing scenarios for Windows Information Protection (WIP)
**Applies to:**
- Windows 10, version 1607
- Windows 10 Mobile
We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
## Testing scenarios
You can try any of the processes included in these scenarios, but you should focus on the ones that you might encounter in your organization.
|Scenario |Processes |
|---------|----------|
|Automatically encrypt files from enterprise apps |<ol><li>Start an unmodified (for example, WIP-unaware) line-of-business app that's on your allowed apps list and then create, edit, write, and save files.</li><li>Make sure that all of the files you worked with from the WIP-unaware app are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.</li><li>Open File Explorer and make sure your modified files are appearing with a **Lock** icon.<p>**Note**<br>Some file types, like .exe and .dll, along with some file paths, like `%windir%` and `%programfiles%`, are excluded from automatic encryption.</li></ol> |
|Block enterprise data from non-enterprise apps |<ol><li>Start an app that doesn't appear on your allowed apps list, and then try to open an enterprise-encrypted file.<p>The app shouldn't be able to access the file.</li><li>Try double-clicking or tapping on the enterprise-encrypted file.<p>If your default app association is an app not on your allowed apps list, you should get an **Access Denied** error message.</li></ol> |
|Copy and paste from enterprise apps to non-enterprise apps |<ol><li>Copy (CTRL+C) content from an app on your allowed apps list, and then try to paste (CTRL+V) the content into an app that doesn't appear on your allowed apps list.<p>You should see an WIP-related warning box, asking you to click either **Got it** or **Cancel**.</li><li>Click **Cancel**.<p>The content isn't pasted into the non-enterprise app.</li><li>Repeat Step 1, but this time click **Got it**, and try to paste the content again.<p>The content is pasted into the non-enterprise app.</li><li>Try copying and pasting content between apps on your allowed apps list.<p>The content should copy and paste between apps without any warning messages.</li></ol> |
|Drag and drop from enterprise apps to non-enterprise apps |<ol><li>Drag content from an app on your allowed apps list, and then try to drop the content into an app that doesn't appear on your allowed apps list.<p>You should see an WIP-related warning box, asking you to click either **Drag Anyway** or **Cancel**.</li><li>Click **Cancel**.<p>The content isn't dropped into the non-enterprise app.</li><li>Repeat Step 1, but this time click **Drag Anyway**, and try to drop the content again.<p>The content is dropped into the non-enterprise app.</li><li>Try dragging and dropping content between apps on your allowed apps list.<p>The content should move between the apps without any warning messages.</li></ol> |
|Share between enterprise apps and non-enterprise apps |<ol><li>Open an app on your allowed apps list, like Microsoft Photos, and try to share content with an app that doesn't appear on your allowed apps list, like Facebook.<p>You should see an WIP-related warning box, asking you to click either **Share Anyway** or **Cancel**.</li><li>Click **Cancel**.<p>The content isn't shared into Facebook.</li><li>Repeat Step 1, but this time click **Share Anyway**, and try to share the content again.<p>The content is shared into Facebook.</li><li>Try sharing content between apps on your allowed apps list.<p>The content should share between the apps without any warning messages.</li></ol> |
|Use the **Encrypt to** functionality |<ol><li>Open File Explorer on the desktop, right-click a decrypted file, and then click **Encrypt to** from the **Encrypt to** menu.<p>WIP should encrypt the file to your Enterprise Identity.</li><li>Make sure that the newly encrypted file has a **Lock** icon.</li><li>In the **Encrypted to** column of File Explorer on the desktop, look for the enterprise ID value.</li><li>Right-click the encrypted file, and then click **Not encrypted** from the **Encrypt to** menu.<p>The file should be decrypted and the **Lock** icon should disappear.</li></ol> |
|Verify that Windows system components can use WIP |<ol><li>Start Windows Journal and Internet Explorer 11, creating, editing, and saving files in both apps.</li><li>Make sure that all of the files you worked with are encrypted to your configured Enterprise Identity. In some cases, you might need to close the file and wait a few moments for it to be automatically encrypted.</li><li>Open File Explorer and make sure your modified files are appearing with a **Lock** icon</li><li>Try copying and pasting, dragging and dropping, and sharing using these apps with other apps that appear both on and off the allowed apps list.<p>**Note**<br>Most Windows-signed components like Windows Explorer (when running in the users context), should have access to enterprise data.<p>A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list.</li></ol> |
|Use WIP on FAT/exFAT systems |<ol><li>Start an app that uses the FAT or exFAT file system and appears on your allowed apps list.</li><li>Create, edit, write, save, and move files.<p>Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.</li><li>Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.</li></ol> |
|Use WIP on NTFS systems |<ol><li>Start an app that uses the NTFS file system and appears on your allowed apps list.</li><li>Create, edit, write, save, and move files.<p>Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files.</li><li>Try copying and moving files or folders between apps that use NTFS, FAT and exFAT file systems.</li></ol> |
|Unenroll client devices from WIP |<ul><li>Unenroll a device from WIP by going to **Settings**, click **Accounts**, click **Work**, click the name of the device you want to unenroll, and then click **Remove**.<p>The device should be removed and all of the enterprise content for that managed account should be gone.<p>**Important**<br>Unenrolling a device revokes and erases all of the enterprise data for the managed account.</li></ul> |
|Verify that app content is protected when a Windows 10 Mobile phone is locked |<ul><li>Check that protected app data doesn't appear on the **Lock** screen of a Windows 10 Mobile phone</li></ul> |
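Review bot: three scenario rows (copy and paste, drag and drop, share) say "You should see an WIP-related warning box"; the EDP-to-WIP rename left the article wrong, so each should read "a WIP-related warning box". In the "Verify that Windows system components can use WIP" row, "make sure your modified files are appearing with a **Lock** icon" is missing its closing period and "the users context" needs the apostrophe ("the user's context"). The Unenroll row warns that unenrolling "revokes and erases all of the enterprise data for the managed account"; since this test destroys local work files, it is worth adding that testers should run it on a device holding only disposable data.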

@ -1013,8 +1013,8 @@ Result code associated with threat status. Standard HRESULT values.</dt>
Description of the error. </dt>
<dt>Signature Version: &lt;Definition version&gt;</dt>
<dt>Engine Version: &lt;Antimalware Engine version&gt;</dt>
</dl>
<p>NOTE: Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:<ul>
<p>NOTE:
<p>Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:<ul>
<li>Default Internet Explorer or Edge setting</li>
<li>User Access Control settings</li>
<li>Chrome settings</li>
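Review bot: the split leaves `<p>NOTE:` with no closing `</p>`, and the following `<p>Whenever ... changed:<ul>` opens a list inside a paragraph, which browsers only render correctly by silently closing the paragraph; write `<p>NOTE:</p>` and end the second paragraph with `</p>` before `<ul>` so the table cell does not depend on error recovery. In the same text, "detects a malware" should be "detects malware", and the list item "User Access Control settings" refers to User Account Control (UAC), so the feature name should be corrected while this block is being touched.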
@ -1044,9 +1044,9 @@ The above context applies to the following client and server versions:
<p>Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016</p>
</td>
</tr>
</table>
</p>
</dl>
</p>
</td>
</tr>
<tr>
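Review bot: the `</p>` immediately before `</dl>` and the `</p>` immediately after it cannot both be correct, because a `<dl>` cannot be nested inside a `<p>`; whichever of the two this hunk keeps, the other should be removed rather than moved, and the `<p>` that the surviving close is meant to match should be checked, since the opening tag lies outside the hunk.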
@ -2695,6 +2695,7 @@ Description of the error. </dt>
</td>
</tr>
</table>
## Windows Defender client error codes
If Windows Defender experiences any issues it will usually give you an error code to help you troubleshoot the issue. Most often an error means there was a problem installing an update.
This section provides the following information about Windows Defender client errors.

@ -19,7 +19,7 @@ author: TrudyHa
You can manage all apps that you've acquired on your **Inventory** page.
The **Inventory** page in Windows Store for Business shows all apps in your inventory. This includes all apps that you've acquired from Store for Business, and the line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Inventory** page. On the **New line-of-business apps** page, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md).
The **Inventory** page in Windows Store for Business shows all apps in your inventory. This includes all apps that you've acquired from Store for Business, and the line-of-business (LOB) apps that you've accepted into your inventory. After LOB apps are submitted to your organization, you'll see a notification on your **Inventory** page. On the **New line-of-business apps** page, you can accept, or reject the LOB apps. For more information on LOB apps, see [Working with line-of-business apps](working-with-line-of-business-apps.md). The inventory page includes apps acquired by all people in your organization with the Store for Business Admin role.
All of these apps are treated the same once they are in your inventory and you can perform app lifecycle tasks for them: distribute apps, add apps to private store, review license details, and reclaim app licenses.
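Review bot: the appended sentence "The inventory page includes apps acquired by all people in your organization with the Store for Business Admin role" is the substantive change, but it trails a paragraph about LOB apps; move it up beside "shows all apps in your inventory" and capitalize **Inventory** to match the rest of the topic. Also drop the stray comma in "you can accept, or reject the LOB apps".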
@ -28,15 +28,20 @@ All of these apps are treated the same once they are in your inventory and you c
Store for Business shows this info for each app in your inventory:
- Name
- Access to actions for the app
- Last modified date
- Supported devices
- Last modified
- Available licenses
- Private store status
The last modified date tracks changes about the app as an item in your inventory. The last modified date changes when one of the following happens:
- First purchase (the date you acquire the app from Windows Store for Business)
- Purchase additional licenses
- Assign license
- Reclaim license
- Refund order (applies to purchased apps, not free apps)
The last modified date does not correspond to when an app was last updated in the Store. It tracks activity for that app, as an item in your inventory.
### Find apps in your inventory
There are a couple of ways to find specific apps, or groups of apps in your inventory.
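Review bot: the closing sentence "It tracks activity for that app, as an item in your inventory" repeats the lead-in "tracks changes about the app as an item in your inventory"; keep the clarification that the date is unrelated to Store updates and drop the repeated clause. The new bullet list also mixes noun phrases ("First purchase") with imperatives ("Assign license", "Reclaim license"); parallel forms such as "Additional license purchase", "License assignment" and "License reclaim" read more consistently.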

@ -25,15 +25,13 @@ You can make an app available in your private store when you acquire the app, or
1. Sign in to the [Store for Business](https://businessstore.microsoft.com).
2. Click an app and then click **Get the app** to acquire the app for your organization.
3. You'll have a few options for distributing the app -- choose **Add to your private store where all people in your organization can find and install it.**
2. Click an app, choose the license type, and then click **Get the app** to acquire the app for your organization.
![Image showing Distribute options for app in the Windows Store for Business.](images/wsfb-distribute.png)
It will take approximately twelve hours before the app is available in the private store.
Windows Store for Business add the app to your **Inventory**. Click **Manage**, **Inventory** for app distribution options.
**To make an app in inventory available in your private store**
**To make an app in Inventory available in your private store**
1. Sign in to the [Store for Business](https://businessstore.microsoft.com).
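Review bot: the new sentence "Windows Store for Business add the app to your **Inventory**. Click **Manage**, **Inventory** for app distribution options." has a subject-verb error (adds), and the click sequence should read "Click **Manage**, and then click **Inventory**" to match the other procedures in this commit. The hunk also drops the sentence stating that the app takes approximately twelve hours to appear in the private store; if that delay still applies, it belongs in the procedure that follows (making an Inventory app available in the private store), because an admin who does not know about it will assume the distribution failed.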


View File

@ -37,7 +37,7 @@ You can add users and groups, as well as update some of the settings associated
<tbody>
<tr class="odd">
<td align="left"><p>[Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md)</p></td>
<td align="left"><p>The <strong>Account information</strong> page in Windows Store for Business shows information about your organization that you can update, including: country or region, organization name, default domain, and language preference. These are settings in the Azure AD directory that you used when signing up for Store for Business</p></td>
<td align="left"><p>The <strong>Account information</strong> page in Windows Store for Business shows information about your organization that you can update, including: organization information, payment options, and offline licensing settings.</p></td>
</tr>
<tr class="even">
<td align="left"><p>[Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md)</p></td>
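Review bot: the new description lists what can be updated (organization information, payment options, offline licensing settings) but removes the statement that these values come from the Azure AD directory used when signing up; that sentence told admins where the settings originate and that changes are tied to the tenant, so keep it alongside the new list rather than replacing it. Keeping "country or region, organization name, default domain, and language preference" would also preserve the detail that the blanket term "organization information" now hides.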

View File

@ -97,7 +97,7 @@ This table lists the global user accounts and the permissions they have in the S
### Store for Business roles and permissions
Store for Businesshas a set of roles that help IT admins and employees manage access to apps and tasks for the Store for Business. Employees with these roles will need to use their Azure AD account to access the Store for Business.
Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks for the Store for Business. Employees with these roles will need to use their Azure AD account to access the Store for Business.
This table lists the roles and their permissions.

View File

@ -110,7 +110,7 @@ Not all cards available in all countries. When you add a payment option, Store f
**To add a new payment option**
1. Sign in to[Store for Business](http://businessstore.microsoft.com).
2. Click **Settings**, and then click **Account information**.
2. Click **Manage**, and then click **Account information**.
3. Under **My payment options**, tap or click**Show my payment options**, and then select the type of credit card that you want to add.
4. Add information to any required fields, and then click**Next**.
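Review bot: the sign-in link in step 1, `http://businessstore.microsoft.com`, is left unchanged in this hunk while the private store topic in the same commit links `https://businessstore.microsoft.com`; this is the procedure where admins enter credit card details, so use the https form here as well rather than relying on a redirect from a plain-http first request. Steps 3 and 4 also still contain non-breaking spaces fused to the bold markup ("click**Show my payment options**", "click**Next**"), which render without a space; replace them with ordinary spaces while the step text is being touched.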
@ -118,13 +118,13 @@ Once you clickNext, the information you provided will be validated with a tes
**Note**:<br>When adding credit or debit cards, you may be prompted to enter a CVV . The CVV is only used for verification purposes and is not stored in our systems after validation.
**To update a payment option**:
**To update a payment option**
1. Sign in to[Store for Business](http://businessstore.microsoft.com).
2. Click **Settings**, and then click **Account information**.
3. Under My payment options > Credit Cards, select the payment option that you want to update, and then clickUpdate.
4. Enter any updated information in the appropriate fields, and then clickNext.
Once you clickNext, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems.
2. Click **Manage**, and then click **Account information**.
3. Under **My payment options** > **Credit Cards**, select the payment option that you want to update, and then click**Update**.
4. Enter any updated information in the appropriate fields, and then click**Next**.
Once you click**Next**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems.
**Note**:<br>Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time or have a low balance.
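Review bot: the outcome sentence that closes the rewritten update procedure still says "the payment option will be added to your list of available payment options", copied from the add procedure above; under "To update a payment option" it should say the existing payment option is updated. Step 1 here has the same `http://` sign-in link as the add procedure and the same non-breaking space before the link ("Sign in to[Store"); fix both in the same pass so the two procedures stay consistent.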
@ -132,6 +132,14 @@ Once you clickNext, the information you provided will be validated with a tes
Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store.
Admins can decide whether or not offline licenses are shown for apps in Windows Store for Business.
**To set offline license visibility**
1. Sign in to[Store for Business](http://businessstore.microsoft.com).
2. Click **Manage**, and then click **Account information**.
3. Under **Offline licensing**, click **Show offline licensed apps to people shopping in the store** to show availability for both online and offline licenses.
You have the following distribution options for offline-licensed apps:
- Include the app in a provisioning package, and then use it as part of imaging a device.
- Distribute the app through a management tool.
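Review bot: the new "To set offline license visibility" procedure only describes turning the setting on: step 3 says to click the option "to show availability for both online and offline licenses" but does not say what kind of control it is or how to hide offline licenses again, and the sentence above it ("Admins can decide whether or not...") does not say which role holds this setting, which matters because the roles table touched in this commit distinguishes several roles. Also "opt-in" used as a verb should be "opt in". Since the paragraph's point is that offline-licensed apps are deployed to devices that never contact the Store, consider adding a sentence on how license use is tracked for the two distribution options listed, because that is the first question an admin will ask.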

View File

@ -72,6 +72,7 @@ Windows 10 enables organizations to fulfill the desire to provide users with the
## Related topics
[Windows 10 release information](https://technet.microsoft.com/windows/release-info)<BR>
[Windows 10 deployment considerations](windows-10-deployment-considerations.md)<BR>
[Windows 10 compatibility](windows-10-compatibility.md)<BR>
[Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md)