diff --git a/.gitignore b/.gitignore
index 714d719522..f54db9d7d2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,3 +10,6 @@ Tools/NuGet/
.openpublishing.buildcore.ps1
packages.config
windows/keep-secure/index.md
+windows/keep-secure/index.md
+windows/keep-secure/TOC.md
+windows/keep-secure/index.md
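Review bot: The added `windows/keep-secure/index.md` entries are duplicates: the unchanged line directly above already ignores that path, and the hunk adds it two more times. Drop both. The new `windows/keep-secure/TOC.md` entry also needs a reason in the commit message, because a new or regenerated file at an ignored path is silently left out of commits, and this same change set edits documentation under `windows/keep-secure/`. If these lines came from a local build or a merge, remove them from the change.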
diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md
index c56c47624b..8b2cf5059e 100644
--- a/browsers/edge/available-policies.md
+++ b/browsers/edge/available-policies.md
@@ -12,8 +12,9 @@ title: Available policies for Microsoft Edge (Microsoft Edge for IT Pros)
**Applies to:**
-- Windows 10 Insider Preview
-- Windows 10 Mobile
+- Windows 10
+- Windows 10 Mobile
+- Windows Server 2016
[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
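Review bot: The pre-release disclaimer on the last context line ("Some information relates to pre-released product...") is left in place although the "Windows 10 Insider Preview" entry is removed from **Applies to**. Either remove the disclaimer in this hunk, as the EFS DRA topic in this same diff does, or keep the preview wording. Also check the new "Windows Server 2016" entry against the note added to hardware-and-software-requirements.md, which says LTSB versions, including Windows Server 2016, don't include Microsoft Edge.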
diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md
index 64a8daf81f..963fec25bf 100644
--- a/browsers/edge/change-history-for-microsoft-edge.md
+++ b/browsers/edge/change-history-for-microsoft-edge.md
@@ -9,7 +9,12 @@ ms.sitesec: library
# Change history for Microsoft Edge
This topic lists new and updated topics in the Microsoft Edge documentation for both Windows 10 and Windows 10 Mobile.
-For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/en-us/microsoft-edge/platform/changelog/).
+For a detailed feature list of what's in the current Microsoft Edge releases, the Windows Insider Preview builds, and what was introduced in previous releases, see the [Microsoft Edge changelog](https://developer.microsoft.com/microsoft-edge/platform/changelog/).
+
+## July 2016
+|New or changed topic | Description |
+|----------------------|-------------|
+|[Microsoft Edge - Deployment Guide for IT Pros](index.md)| Updated to include support for Windows Server 2016 and a note about the Long Term Servicing Branch (LTSB) |
## July 2016
|New or changed topic | Description |
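Review bot: The added `## July 2016` heading and table header duplicate the `## July 2016` section that already follows as unchanged context, so the page ends up with two identical headings for the same month. Add the new "Microsoft Edge - Deployment Guide for IT Pros" row to the existing July 2016 table instead of opening a second section.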
diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md
index adb462310e..32cc1d9d2d 100644
--- a/browsers/edge/emie-to-improve-compatibility.md
+++ b/browsers/edge/emie-to-improve-compatibility.md
@@ -13,7 +13,9 @@ title: Use Enterprise Mode to improve compatibility (Microsoft Edge for IT Pros)
**Applies to:**
-- Windows 10
+- Windows 10
+- Windows 10 Mobile
+- Windows Server 2016
If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11.
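Review bot: The two added **Applies to** entries need checking against the paragraph directly below, which describes sites opening automatically in Internet Explorer 11 through the Enterprise Mode site list. Confirm that behavior is available on Windows 10 Mobile before listing it, and reconcile "Windows Server 2016" with the LTSB note added in hardware-and-software-requirements.md, which says those systems don't include Microsoft Edge. If the topic applies only in part, say so in the list entry or in a note.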
diff --git a/browsers/edge/hardware-and-software-requirements.md b/browsers/edge/hardware-and-software-requirements.md
index e7467694cc..ad9c6edfba 100644
--- a/browsers/edge/hardware-and-software-requirements.md
+++ b/browsers/edge/hardware-and-software-requirements.md
@@ -13,12 +13,15 @@ title: Microsoft Edge requirements and language support (Microsoft Edge for IT P
**Applies to:**
-- Windows 10
-- Windows 10 Mobile
+- Windows 10
+- Windows 10 Mobile
+- Windows Server 2016
Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list.
+>**Note**
The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality, and can't be supported on systems running the LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11.
+
## Minimum system requirements
Some of the components in this table might also need additional system resources. Check the component's documentation for more information.
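Review bot: The added "Windows Server 2016" entry in **Applies to** contradicts the note added a few lines later in the same hunk, which says LTSB versions, including Windows Server 2016, don't include Microsoft Edge and recommends Internet Explorer 11. Readers who scan only the **Applies to** list will conclude Edge is available there. Either drop the entry or qualify it, and consider moving the note above the sentence "Microsoft Edge is pre-installed on all Windows 10-capable devices" so the exception is read first.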
@@ -26,7 +29,7 @@ Some of the components in this table might also need additional system resources
| Item | Minimum requirements |
| ------------------ | -------------------------------------------- |
| Computer/processor | 1 gigahertz (GHz) or faster (32-bit (x86) or 64-bit (x64)) |
-| Operating system |
**Note**
For specific Windows 10 Mobile requirements, see the [Minimum hardware requirements for Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkID=699266) topic. |
+| Operating system |
**Note**
For specific Windows 10 Mobile requirements, see the [Minimum hardware requirements for Windows 10 Mobile](http://go.microsoft.com/fwlink/p/?LinkID=699266) topic. |
| Memory |
-After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic.
+After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic.
## Add Desktop apps
1. Open the Local Security Policy snap-in (SecPol.msc).
2. In the left pane, expand **Application Control Policies**, expand **AppLocker**, right-click **Executable Rules**, and then click **Automatically Generate Rules**.
- The **Automatically Generate Executable Rules** wizard opens, letting you create EDP-protected app polices by analyzing the files within a specific folder.
+ The **Automatically Generate Executable Rules** wizard opens, letting you create WIP-protected app polices by analyzing the files within a specific folder.
3. In the **Folder and Permissions** screen, keep the default value of **Everyone** in the **User or security group that the rules will apply to** box.
- You want to keep this value because your EDP policy needs to apply to the device being managed, not a single user or group of users.
+ You want to keep this value because your WIP policy needs to apply to the device being managed, not a single user or group of users.
4. Type the name you’ll use to tag the rules into the **Name to identify this set of rules** box, and then click **Next**.
- This name should be easily recognizable, such as *EDP_DesktopApps_Rules*.
+ This name should be easily recognizable, such as *WIP_DesktopApps_Rules*.
5. In the **Rules Preferences** screen, keep the default settings, and then click **Next** to start generating the rules.
>**Important**
You can also use **Path** rules instead of the **File hash** if you have concerns about unsigned files potentially changing the hash value if they're updated in the future.
- >**Note**
We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.
If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass enterprise data protection (EDP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
+ >**Note**
We recommend that you use **Publisher** rules because they only work with apps you've specifically defined and they can be configured to not require updating simply because a new version came out.
If you can't use **Publisher** rules, we then recommend that you use **File hash** rules. **File hash** rules are a secure alternative that can be used on unsigned code. The primary disadvantage to **File hash** is that every time a binary changes (such as, through servicing updates or upgrades), you'll need to create a new rule.
Finally, there's **Path** rules. **Path** rules are easier to set up and maintain, but can let apps bypass Windows Information Protection (WIP) by simply renaming and moving an unallowed file to match one of the apps on the **Protected App** list. For example, if your **Path** rule says to allow `%PROGRAMFILES%/NOTEPAD.EXE`, it becomes possible to rename DisallowedApp.exe to Notepad.exe, move it into the specified path above, and have it suddenly be allowed.
6. In the **Review Rules** screen, look over your rules to make sure they’re right, and then click **Create** to add them to your collection of rules.
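Review bot: The guidance around step 5 pulls in two directions and the rename leaves it untouched: the **Important** callout offers **Path** rules as an alternative to **File hash**, while the **Note** immediately after says **Path** rules let a renamed and moved file bypass Windows Information Protection. Since the Note is being rewritten here anyway, add a cross-reference in the Important callout to the bypass risk, or state that Path rules should only cover locations standard users cannot write to. Smaller points in the added lines: "WIP-protected app polices" should read "policies", "your employee’s devices" should be "your employees’ devices", and the example `%PROGRAMFILES%/NOTEPAD.EXE` uses a forward slash where a Windows path would use a backslash.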
@@ -117,12 +115,12 @@ After saving the policy, you’ll need to deploy it to your employee’s devices
15. Click **OK** to close the **Add or edit OMA-URI Setting** box, and then click **Save Policy**.
- After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md) topic.
+ After saving the policy, you’ll need to deploy it to your employee’s devices. For more info, see the [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md) topic.
##Related topics
-- [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md)
-- [Deploy your enterprise data protection (EDP) policy](deploy-edp-policy-using-intune.md)
-- [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md)
+- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
+- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
+- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
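Review bot: The renamed link targets in this hunk (`deploy-wip-policy-using-intune.md`, `create-wip-policy-using-intune.md`, `create-vpn-and-wip-policy-using-intune.md`) must exist in the same change or every one of these links breaks. This diff shows `create-edp-policy-using-intune.md` cut from 513 lines to 5, so confirm the wip-named files are added alongside it and that the old file names redirect. Also, the context line `##Related topics` is missing the space after `##`, which some Markdown renderers will not treat as a heading.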
diff --git a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
index 5f9b52ebf2..efe9a2b7a9 100644
--- a/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/keep-secure/create-and-verify-an-efs-dra-certificate.md
@@ -1,7 +1,7 @@
---
title: Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate (Windows 10)
description: Follow these steps to create, verify, and perform a quick recovery by using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate.
-keywords: Windows Information Protection, WIP, WIP, Enterprise Data Protection
+keywords: Windows Information Protection, WIP, EDP, Enterprise Data Protection
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
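Review bot: The `description` line in this front matter still reads "by using a Encrypting File System (EFS)"; since the hunk already edits the metadata block, correct it to "an Encrypting File System". The keyword fix from the duplicated "WIP, WIP" to "WIP, EDP" looks right and keeps the old product name searchable.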
@@ -11,17 +11,15 @@ ms.pagetype: security
# Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate
**Applies to:**
-- Windows 10 Insider Preview
-- Windows 10 Mobile Preview
-
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+- Windows 10, version 1607
+- Windows 10 Mobile
If you don’t already have an EFS DRA certificate, you’ll need to create and extract one from your system before you can use Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your organization. For the purposes of this section, we’ll use the file name EFSDRA; however, this name can be replaced with anything that makes sense to you.
The recovery process included in this topic only works for desktop devices. WIP deletes the data on Windows 10 Mobile devices.
>**Important**
-If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx).
If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy. +If you already have an EFS DRA certificate for your organization, you can skip creating a new one. Just use your current EFS DRA certificate in your policy. For more info about when to use a PKI and the general strategy you should use to deploy DRA certificates, see the [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx) article on TechNet. For more general info about EFS protection, see [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx).
If your DRA certificate has expired, you won’t be able to encrypt your files with it. To fix this, you'll need to create a new certificate, using the steps in this topic, and then deploy it through policy.
**To manually create an EFS DRA certificate**
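Review bot: The new **Applies to** list names "Windows 10 Mobile" without qualification, but the unchanged paragraph below it says the recovery process only works for desktop devices and that WIP deletes the data on Windows 10 Mobile devices. Qualify the entry or move that sentence into a note next to the list, so that an administrator planning recovery for mobile devices does not assume a DRA certificate can restore data there.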
@@ -43,7 +41,7 @@ If you already have an EFS DRA certificate for your organization, you can skip c
4. Add your EFS DRA certificate to your WIP policy using a deployment tool, such as Microsoft Intune or System Center Configuration Manager.
>**Note**
- To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) topic.
+ To add your EFS DRA certificate to your policy by using Microsoft Intune, see the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) topic. To add your EFS DRA certificate to your policy by using System Center Configuration Manager, see the [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) topic.
**To verify your data recovery certificate is correctly set up on an WIP client computer**
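Review bot: The procedure title on the last context line reads "on an WIP client computer", a leftover from the EDP wording; it should be "on a WIP client computer". Fix it in this hunk, since the links just above it are already being updated for the rename.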
@@ -95,15 +93,15 @@ It's possible that you might revoke data from an unenrolled device only to later
The Windows Credential service automatically recovers the employee’s previously revoked keys from the `Recovery\Input` location.
## Related topics
-- [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/en-us/magazine/2007.02.securitywatch.aspx)
+- [Security Watch Deploying EFS: Part 1](https://technet.microsoft.com/magazine/2007.02.securitywatch.aspx)
-- [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/en-us/library/cc875821.aspx)
+- [Protecting Data by Using EFS to Encrypt Hard Drives](https://msdn.microsoft.com/library/cc875821.aspx)
-- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md)
+- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
-- [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md)
+- [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md)
-- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/en-us/library/cc875821.aspx#EJAA)
+- [Creating a Domain-Based Recovery Agent](https://msdn.microsoft.com/library/cc875821.aspx#EJAA)
diff --git a/windows/keep-secure/create-edp-policy-using-intune.md b/windows/keep-secure/create-edp-policy-using-intune.md
index 49a3959cc2..77a7c0ee85 100644
--- a/windows/keep-secure/create-edp-policy-using-intune.md
+++ b/windows/keep-secure/create-edp-policy-using-intune.md
@@ -1,513 +1,5 @@
---
title: Create an enterprise data protection (EDP) policy using Microsoft Intune (Windows 10)
description: Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
-ms.assetid: 4b307c99-3016-4d6a-9ae7-3bbebd26e721
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: eross-msft
----
-
-# Create an enterprise data protection (EDP) policy using Microsoft Intune
-**Applies to:**
-
-- Windows 10 Insider Preview
-- Windows 10 Mobile Preview
-
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-Microsoft Intune helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
-
-## Important note about the June service update
-We've received some great feedback from you, our Windows 10 Insider Preview customers, about our enterprise data protection experiences and processes. Because of that feedback, we're delighted to deliver an enhanced apps policy experience with the June service update. This means that when you open an existing enterprise data protection policy after we release the June service update in your test environment, your existing Windows 10 enterprise data protection app rules (formerly in the **Protected Apps** area) will be removed.
To prepare for this change, we recommend that you make an immediate backup of your current app rules as they are today, so you can use them to help reconfigure your app rules with the enhanced experience. When you open an existing enterprise data protection policy after we release the June service update, you'll get a dialog box telling you about this change. Click the **OK** button to close the box and to begin reconfiguring your app rules.
-
-
-
-Note that if you exit the **Policy** page before you've saved your new policy, your existing deployments won't be affected. However, if you save the policy without reconfiguring your apps, an updated policy will be deployed to your employees with an empty app rules list.
-
-## Add an EDP policy
-After you’ve set up Intune for your organization, you must create an EDP-specific policy.
-
-**To add an EDP policy**
-1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area.
-
-2. Go to **Windows**, click the **Enterprise data protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
-
- 
-
-3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
-
- 
-
-### Add app rules to your policy
-During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
-
-The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed desktop app (also known as a Classic Windows app), or an AppLocker policy file.
-
->**Important**
-EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary, and EDP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your App Rules list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation. - -
->**Note**
-If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps using Microsoft Intune and custom URI](add-apps-to-protected-list-using-custom-uri.md) topic.
-
-#### Add a store app rule to your policy
-For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list.
-
-**To add a store app**
-1. From the **App Rules** area, click **Add**.
-
- The **Add App Rule** box appears.
-
- 
-
-2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*.
-
-3. Click **Allow** from the **Enterprise data protection mode** drop-down list.
-
- Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. Instructions for exempting an app are included in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp-restrictions) section of this topic.
-
-4. Pick **Store App** from the **Rule template** drop-down list.
-
- The box changes to show the store app rule options.
-
-5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is`CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
-
-If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
-
-**To find the Publisher and Product Name values for Store apps without installing them**
-1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*.
-
- >**Note**
- If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps using Microsoft Intune and custom URI](add-apps-to-protected-list-using-custom-uri.md) topic.
-
-2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
-
-3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value.
-
- The API runs and opens a text editor with the app details.
-
- ``` json
- {
- "packageIdentityName": "Microsoft.Office.OneNote",
- "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
- }
- ```
-4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune.
-
- >**Important**
- The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
For example:
-
- ``` json
- {
- "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
- }
- ```
-
-**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
-1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
-
- >**Note**
- Your PC and phone must be on the same wireless network.
-
-2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
-
-3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
-
-4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
-
-5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
-
-6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
-
-7. Start the app for which you're looking for the publisher and product name values.
-
-8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
-
- >**Important**
- The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
For example:
-
- ``` json
- {
- "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
- }
- ```
-
-#### Add a desktop app rule to your policy
-For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list.
-
-**To add a desktop app**
-1. From the **App Rules** area, click **Add**.
-
- The **Add App Rule** box appears.
-
- 
-
-2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*.
-
-3. Click **Allow** from the **Enterprise data protection mode** drop-down list.
-
- Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. Instructions for exempting an app are included in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp-restrictions) section of this topic.
-
-4. Pick **Desktop App** from the **Rule template** drop-down list.
-
- The box changes to show the store app rule options.
-
-5. Pick the options you want to include for the app rule (see table), and then click **OK**.
-
-
Option | -Manages | -
---|---|
All fields left as “*” | -All files signed by any publisher. (Not recommended.) | -
Publisher selected | -All files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps. |
-
Publisher and Product Name selected | -All files for the specified product, signed by the named publisher. | -
Publisher, Product Name, and Binary name selected | -Any version of the named file or package for the specified product, signed by the named publisher. | -
Publisher, Product Name, Binary name, and File Version, and above, selected | -Specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened. |
-
Publisher, Product Name, Binary name, and File Version, And below selected | -Specified version or older releases of the named file or package for the specified product, signed by the named publisher. | -
Publisher, Product Name, Binary name, and File Version, Exactly selected | -Specified version of the named file or package for the specified product, signed by the named publisher. | -
After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives.|
-
-
-
-### Define your enterprise-managed corporate identity
-Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by EDP. For example, emails using contoso.com are identified as being corporate and are restricted by your enterprise data protection policies.
-
-You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
-
-**To add your corporate identity**
-- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
-
- 
-
-### Choose where apps can access enterprise data
-After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
-
-There are no default locations included with EDP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
-
->**Important**
-- Every EDP policy should include policy that defines your enterprise network locations.
-- Classless Inter-Domain Routing (CIDR) notation isn’t supported for EDP configurations. - -**To define where your protected apps can find and send enterprise data on you network** - -1. Add additional network locations your apps can access by clicking **Add**. - - The **Add or edit corporate network definition** box appears. - -2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table. - -  -
-
Network location type | -Format | -Description | -
---|---|---|
Enterprise Cloud Resources | -**With proxy:** contoso.sharepoint.com,proxy.contoso.com| contoso.visualstudio.com,proxy.contoso.com **Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com |
- Specify the cloud resources to be treated as corporate and protected by EDP. For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`. If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/` |
-
Enterprise Network Domain Names (Required) | -corp.contoso.com,region.contoso.com | -Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks. If you have multiple resources, you must separate them using the "," delimiter. |
-
Enterprise Proxy Servers | -proxy.contoso.com:80;proxy2.contoso.com:137 | -Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with EDP. This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for EDP-protected traffic. This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network. If you have multiple resources, you must separate them using the ";" delimiter. |
-
Enterprise Internal Proxy Servers | -contoso.internalproxy1.com;contoso.internalproxy2.com | -Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-EDP-protected traffic. If you have multiple resources, you must separate them using the ";" delimiter. |
-
Enterprise IPv4 Range (Required, if not using IPv6) | -**Starting IPv4 Address:** 3.4.0.1 **Ending IPv4 Address:** 3.4.255.254 **Custom URI:** 3.4.0.1-3.4.255.254, 10.0.0.1-10.255.255.254 |
- Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. If you have multiple ranges, you must separate them using the "," delimiter. |
-
Enterprise IPv6 Range (Required, if not using IPv4) | -**Starting IPv6 Address:** 2a01:110:: **Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff **Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff, fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |
- Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. If you have multiple ranges, you must separate them using the "," delimiter. |
-
Neutral Resources | -sts.contoso.com,sts.contoso2.com | -Specify your authentication redirection endpoints for your company. These locations are considered enterprise or personal, based on the context of the connection before the redirection. If you have multiple resources, you must separate them using the "," delimiter. |
-
-The **Create Configuration Item Wizard** starts.
-
- 
-
-3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
-
-4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use System Center Configuration Manager for device management, and then click **Next**.
-
- - **Settings for devices managed with the Configuration Manager client:** Windows 10
-
- -OR-
-
- - **Settings for devices managed without the Configuration Manager client:** Windows 8.1 and Windows 10
-
-5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**.
-
- 
-
-6. On the **Device Settings** screen, click **Enterprise data protection**, and then click **Next**.
-
- 
-
-The **Configure enterprise data protection settings** page appears, where you'll configure your policy for your organization.
-
-### Add app rules to your policy
-During the policy-creation process in System Center Configuration Manager, you can choose the apps you want to give access to your enterprise data through EDP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
-
-The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed desktop app (also known as a Classic Windows app), or an AppLocker policy file.
-
->**Important**
-EDP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, EDP-unaware apps might not respect the corporate network boundary, and EDP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
Care must be taken to get a support statement from the software provider that their app is safe with EDP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
-
-#### Add a store app rule to your policy
-For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list.
-
-**To add a store app**
-
-1. From the **App rules** area, click **Add**.
-
- The **Add app rule** box appears.
-
- 
-
-2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*.
-
-3. Click **Allow** from the **Enterprise data protection mode** drop-down list.
-
- Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section.
-
-4. Pick **Store App** from the **Rule template** drop-down list.
-
- The box changes to show the store app rule options.
-
-5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
-
-If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
-
-**To find the Publisher and Product Name values for Store apps without installing them**
-
-1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
-
- >**Note**
- If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section.
-
-2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
-
-3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value.
-
- The API runs and opens a text editor with the app details.
-
- ``` json
- {
- "packageIdentityName": "Microsoft.Office.OneNote",
- "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
- }
- ```
-
-4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
-
- >**Important**
- The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
For example:
- ```json
- {
- "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
- }
- ```
-
-**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
-1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
-
- >**Note**
- Your PC and phone must be on the same wireless network.
-
-2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
-
-3. On the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
-
-4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
-
-5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
-
-6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
-
-7. Start the app for which you're looking for the publisher and product name values.
-
-8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
-
- >**Important**
- The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
For example: - ```json - { - "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d", - } - ``` - -#### Add a desktop app rule to your policy -For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list. - -**To add a desktop app to your policy** -1. From the **App rules** area, click **Add**. - - The **Add app rule** box appears. - -  - -2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*. - -3. Click **Allow** from the **Enterprise data protection mode** drop-down list. - - Allow turns on EDP, helping to protect that app’s corporate data through the enforcement of EDP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from EDP restrictions](#exempt-apps-from-edp) section. - -4. Pick **Desktop App** from the **Rule template** drop-down list. - - The box changes to show the desktop app rule options. - -5. Pick the options you want to include for the app rule (see table), and then click **OK**. - -
Option | -Manages | -
---|---|
All fields left as “*” | -All files signed by any publisher. (Not recommended.) | -
Publisher selected | -All files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps. |
-
Publisher and Product Name selected | -All files for the specified product, signed by the named publisher. | -
Publisher, Product Name, and Binary name selected | -Any version of the named file or package for the specified product, signed by the named publisher. | -
Publisher, Product Name, Binary name, and File Version, and above, selected | -Specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened. |
-
Publisher, Product Name, Binary name, and File Version, And below selected | -Specified version or older releases of the named file or package for the specified product, signed by the named publisher. | -
Publisher, Product Name, Binary name, and File Version, Exactly selected | -Specified version of the named file or package for the specified product, signed by the named publisher. | -
After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives.|
-
-
-
-### Define your enterprise-managed identity domains
-Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by EDP. For example, emails using contoso.com are identified as being corporate and are restricted by your enterprise data protection policies.
-
-You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
-
-**To add your corporate identity**
-
-- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
-
- 
-
-### Choose where apps can access enterprise data
-After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
-
-There are no default locations included with EDP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
-
->**Important**
-- Every EDP policy should include policy that defines your enterprise network locations.
-- Classless Inter-Domain Routing (CIDR) notation isn’t supported for EDP configurations.
-
-**To define where your protected apps can find and send enterprise data on you network**
-
-1. Add additional network locations your apps can access by clicking **Add**.
-
- The **Add or edit corporate network definition** box appears.
-
-2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
-
- 
-
-
Network location type | -Format | -Description | -
---|---|---|
Enterprise Cloud Resources | -**With proxy:** contoso.sharepoint.com,proxy.contoso.com| contoso.visualstudio.com,proxy.contoso.com **Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com |
- Specify the cloud resources to be treated as corporate and protected by EDP. For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`. If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/` |
-
Enterprise Network Domain Names (Required) | -corp.contoso.com,region.contoso.com | -Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks. If you have multiple resources, you must separate them using the "," delimiter. |
-
Enterprise Proxy Servers | -proxy.contoso.com:80;proxy2.contoso.com:137 | -Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with EDP. This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for EDP-protected traffic. This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network. If you have multiple resources, you must separate them using the ";" delimiter. |
-
Enterprise Internal Proxy Servers | -contoso.internalproxy1.com;contoso.internalproxy2.com | -Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-EDP-protected traffic. If you have multiple resources, you must separate them using the ";" delimiter. |
-
Enterprise IPv4 Range (Required) | -**Starting IPv4 Address:** 3.4.0.1 **Ending IPv4 Address:** 3.4.255.254 **Custom URI:** 3.4.0.1-3.4.255.254, 10.0.0.1-10.255.255.254 |
- Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. If you have multiple ranges, you must separate them using the "," delimiter. |
-
Enterprise IPv6 Range | -**Starting IPv6 Address:** 2a01:110:: **Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff **Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff, fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |
- Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. If you have multiple ranges, you must separate them using the "," delimiter. |
-
Neutral Resources | -sts.contoso.com,sts.contoso2.com | -Specify your authentication redirection endpoints for your company. These locations are considered enterprise or personal, based on the context of the connection before the redirection. If you have multiple resources, you must separate them using the "," delimiter. |
-
-It's your choice whether you check the box to **Remember the user credentials at each logon**. - -  - -6. You can leave the rest of the default or blank settings, and then click **Save Policy**. - -## Deploy your VPN policy using Microsoft Intune -After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your enterprise data protection (EDP) policy. - -**To deploy your VPN policy** - -1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button. - -2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.
-The added people move to the **Selected Groups** list on the right-hand pane. - -  - -3. After you've picked all of the employees and groups that should get the policy, click **OK**.
-The policy is deployed to the selected users' devices.
-
-## Link your EDP and VPN policies and deploy the custom configuration policy
-The final step to making your VPN configuration work with EDP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **EdpModeID** setting, and then deploying the policy to the same group you deployed your EDP and VPN policies
-
-**To link your VPN policy**
-
-1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
-
-2. Go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
-
- 
-
-3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
-
- 
-
-4. In the **OMA-URI Settings** area, click **Add** to add your **EdpModeID** info.
-
-5. In the **OMA-URI Settings** area, type the following info:
-
- - **Setting name.** Type **EdpModeID** as the name.
-
- - **Data type.** Pick the **String** data type.
-
- - **OMA-URI.** Type `./Vendor/MSFT/VPNv2/
+It's your choice whether you check the box to **Remember the user credentials at each logon**.
+
+ 
+
+6. You can leave the rest of the default or blank settings, and then click **Save Policy**.
+
+## Deploy your VPN policy using Microsoft Intune
+After you’ve created your VPN policy, you'll need to deploy it to the same group you deployed your Windows Information Protection (WIP) policy.
+
+**To deploy your VPN policy**
+
+1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
+
+2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.
+The added people move to the **Selected Groups** list on the right-hand pane.
+
+ 
+
+3. After you've picked all of the employees and groups that should get the policy, click **OK**.
+The policy is deployed to the selected users' devices.
+
+## Link your WIP and VPN policies and deploy the custom configuration policy
+The final step to making your VPN configuration work with WIP, is to link your two policies together. To do this, you must first create a custom configuration policy, setting it to use your **WIPModeID** setting, and then deploying the policy to the same group you deployed your WIP and VPN policies
+
+**To link your VPN policy**
+
+1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy**.
+
+2. Go to **Windows**, click the **Custom Configuration (Windows 10 Desktop and Mobile and later)**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
+
+ 
+
+3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
+
+ 
+
+4. In the **OMA-URI Settings** area, click **Add** to add your **WIPModeID** info.
+
+5. In the **OMA-URI Settings** area, type the following info:
+
+ - **Setting name.** Type **WIPModeID** as the name.
+
+ - **Data type.** Pick the **String** data type.
+
+ - **OMA-URI.** Type `./Vendor/MSFT/VPNv2/ To prepare for this change, we recommend that you make an immediate backup of your current app rules as they are today, so you can use them to help reconfigure your app rules with the enhanced experience. When you open an existing Windows Information Protection policy after we release the June service update, you'll get a dialog box telling you about this change. Click the **OK** button to close the box and to begin reconfiguring your app rules.
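Review bot: The setting name changes from **EdpModeID** to **WIPModeID** in the "Link your WIP and VPN policies" steps (the intro sentence, step 4 and the **Setting name** bullet), but the **OMA-URI** bullet is cut off after `./Vendor/MSFT/VPNv2/` in the visible text, so the final node name cannot be checked here. Renaming the product in the documentation does not rename a CSP node. Please confirm that the last path segment of the URI was not caught by the same find-and-replace, because these steps are what link the VPN profile to the WIP policy and a wrong node name would leave the two unlinked. The intro sentence also still ends without a period after "WIP and VPN policies".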
+
+
+
+Note that if you exit the **Policy** page before you've saved your new policy, your existing deployments won't be affected. However, if you save the policy without reconfiguring your apps, an updated policy will be deployed to your employees with an empty app rules list.
+
+## Add an WIP policy
+After you’ve set up Intune for your organization, you must create an WIP-specific policy.
+
+**To add an WIP policy**
+1. Open the Intune administration console, and go to the **Policy** node, and then click **Add Policy** from the **Tasks** area.
+
+2. Go to **Windows**, click the **Windows Information Protection (Windows 10 Desktop and Mobile and later) policy**, click **Create and Deploy a Custom Policy**, and then click **Create Policy**.
+
+ 
+
+3. Type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
+
+ 
+
+### Add app rules to your policy
+During the policy-creation process in Intune, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
+
+The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
+
+>**Important** Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App Rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
+
+>**Note** For example:
+
+ ```json
+ {
+ "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
+ }
+ ```
+
+**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
+1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
+
+ >**Note** For example: This might be useful if your company is the publisher and signer of internal line-of-business apps. This option is recommended for enlightened apps that weren't previously enlightened. After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives.|
+
+
+
+### Define your enterprise-managed corporate identity
+Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
+
+You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (`contoso.com|newcontoso.com`). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
+
+**To add your corporate identity**
+- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
+
+ 
+
+### Choose where apps can access enterprise data
+After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
+
+There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
+
+>**Important**
+- Every WIP policy should include policy that defines your enterprise network locations.
+- Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations.
+
+**To define where your protected apps can find and send enterprise data on you network**
+
+1. Add additional network locations your apps can access by clicking **Add**.
+
+ The **Add or edit corporate network definition** box appears.
+
+2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
+
+ 
+
+ **Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`. If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/` This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks. If you have multiple resources, you must separate them using the "," delimiter. This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic. This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network. If you have multiple resources, you must separate them using the ";" delimiter. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic. If you have multiple resources, you must separate them using the ";" delimiter. If you have multiple ranges, you must separate them using the "," delimiter. If you have multiple ranges, you must separate them using the "," delimiter. 
These locations are considered enterprise or personal, based on the context of the connection before the redirection. If you have multiple resources, you must separate them using the "," delimiter.
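Review bot: The sentence beginning "Note that if you exit the **Policy** page" carries the one warning in this section with a deployment consequence (saving without reconfiguring pushes a policy with an empty app rules list to employees), yet it is plain body text while lesser points in the same file use `>**Important**` callouts. Suggest promoting it to an `>**Important**` callout placed before the instruction to click **OK**. Two leftovers from the EDP to WIP rename also need a pass: "an WIP policy" should read "a WIP policy" in the `## Add an WIP policy` heading, the sentence under it and the bold procedure title, and the bold title "on you network" should read "on your network".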
+The **Create Configuration Item Wizard** starts.
+
+ 
+
+3. On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
+
+4. In the **Specify the type of configuration item you want to create** area, pick the option that represents whether you use System Center Configuration Manager for device management, and then click **Next**.
+
+ - **Settings for devices managed with the Configuration Manager client:** Windows 10
+
+ -OR-
+
+ - **Settings for devices managed without the Configuration Manager client:** Windows 8.1 and Windows 10
+
+5. On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**.
+
+ 
+
+6. On the **Device Settings** screen, click **Windows Information Protection**, and then click **Next**.
+
+ 
+
+The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization.
+
+### Add app rules to your policy
+During the policy-creation process in System Center Configuration Manager, you can choose the apps you want to give access to your enterprise data through WIP. Apps included in this list can protect data on behalf of the enterprise and are restricted from copying or moving enterprise data to unprotected apps.
+
+The steps to add your app rules are based on the type of rule template being applied. You can add a store app (also known as a Universal Windows Platform (UWP) app), a signed Windows desktop app, or an AppLocker policy file.
+
+>**Important** Care must be taken to get a support statement from the software provider that their app is safe with WIP before adding it to your **App rules** list. If you don’t get this statement, it’s possible that you could experience app compat issues due to an app losing the ability to access a necessary file after revocation.
+
+#### Add a store app rule to your policy
+For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list.
+
+**To add a store app**
+
+1. From the **App rules** area, click **Add**.
+
+ The **Add app rule** box appears.
+
+ 
+
+2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*.
+
+3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
+
+ Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
+
+4. Pick **Store App** from the **Rule template** drop-down list.
+
+ The box changes to show the store app rule options.
+
+5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
+
+If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
+
+**To find the Publisher and Product Name values for Store apps without installing them**
+
+1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, Microsoft OneNote.
+
+ >**Note** For example:
+
+ ```json
+ {
+ "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
+ }
+ ```
+
+**To find the Publisher and Product Name values for apps installed on Windows 10 mobile phones**
+1. If you need to add mobile apps that aren't distributed through the Store for Business, you must use the **Windows Device Portal** feature.
+
+ >**Note** For example:
+
+ ```json
+ {
+ "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
+ }
+ ```
+
+#### Add a desktop app rule to your policy
+For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list.
+
+**To add a desktop app to your policy**
+1. From the **App rules** area, click **Add**.
+
+ The **Add app rule** box appears.
+
+ 
+
+2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*.
+
+3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
+
+ Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. If you want to exempt an app, you can follow the steps in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip) section.
+
+4. Pick **Desktop App** from the **Rule template** drop-down list.
+
+ The box changes to show the desktop app rule options.
+
+5. Pick the options you want to include for the app rule (see table), and then click **OK**.
+
+ This might be useful if your company is the publisher and signer of internal line-of-business apps. This option is recommended for enlightened apps that weren't previously enlightened. After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives.|
+
+
+
+### Define your enterprise-managed identity domains
+Corporate identity, usually expressed as your primary internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you’ve marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
+
+You can specify multiple domains owned by your enterprise by separating them with the "|" character. For example, (contoso.com|newcontoso.com). With multiple domains, the first one is designated as your corporate identity and all of the additional ones as being owned by the first one. We strongly recommend that you include all of your email address domains in this list.
+
+**To add your corporate identity**
+
+- Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
+
+ 
+
+### Choose where apps can access enterprise data
+After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
+
+There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise’s range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
+
+>**Important** **Without proxy:** contoso.sharepoint.com|contoso.visualstudio.com For each cloud resource, you may also optionally specify an internal proxy server that routes your traffic through your Enterprise Internal Proxy Server. If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: `URL <,proxy>|URL <,proxy>`. If Windows is unable to determine whether an app should be allowed to connect to a network resource, it will automatically block the connection. If instead you want Windows to allow the connections to happen, you can add the `/*AppCompat*/` string to this setting. For example: `URL <,proxy>|URL <,proxy>|/*AppCompat*/` This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks. If you have multiple resources, you must separate them using the "," delimiter. This list shouldn’t include any servers listed in the Enterprise Internal Proxy Servers list, which are used for WIP-protected traffic. This setting is also required if you use a proxy in your network. If you don't have a proxy server, you might find that enterprise resources are unavailable when a client is behind a proxy, such as when you’re visiting another company and not on that company’s guest network. If you have multiple resources, you must separate them using the ";" delimiter. Using this server type indicates that the cloud resources you’re connecting to are enterprise resources. This list shouldn’t include any servers listed in the Enterprise Proxy Servers list, which are used for non-WIP-protected traffic. If you have multiple resources, you must separate them using the ";" delimiter. If you have multiple ranges, you must separate them using the "," delimiter. If you have multiple ranges, you must separate them using the "," delimiter. 
These locations are considered enterprise or personal, based on the context of the connection before the redirection. If you have multiple resources, you must separate them using the "," delimiter.
-The added people move to the **Selected Groups** list on the right-hand pane.
-
- 
-
-3. After you've picked all of the employees and groups that should get the policy, click **OK**.
-The policy is deployed to the selected users' devices.
-
-## Related topics
-- [Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md)
--[Add multiple apps to your enterprise data protection (EDP) Protected Apps list](add-apps-to-protected-list-using-custom-uri.md)
-- [Create and deploy a VPN policy for enterprise data protection (EDP) using Microsoft Intune](create-vpn-and-edp-policy-using-intune.md)
-- [General guidance and best practices for enterprise data protection (EDP)](guidance-and-best-practices-edp.md)
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/deploy-wip-policy-using-intune
+---
\ No newline at end of file
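Review bot: The JSON sample under both `>**Note** For example:` lines (the store app and Windows 10 Mobile procedures) ends its only member with a trailing comma, `"windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",`, which is not valid JSON, and neither note says what the value is for. Drop the comma and add the sentence explaining that a `windowsPhoneLegacyId` result means a XAP package and how to fill in the publisher and product name, as the Intune topic in this change does. As shown, both "To find the Publisher and Product Name values" procedures also stop after step 1, so a reader cannot complete them. Separately, the two "Exempt apps from WIP restrictions" links use `#exempt-apps-from-wip`, while the Intune topic links to `#exempt-apps-from-wip-restrictions`; check which anchor the heading actually generates.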
diff --git a/windows/keep-secure/deploy-wip-policy-using-intune.md b/windows/keep-secure/deploy-wip-policy-using-intune.md
new file mode 100644
index 0000000000..757e51c6bf
--- /dev/null
+++ b/windows/keep-secure/deploy-wip-policy-using-intune.md
@@ -0,0 +1,39 @@
+---
+title: Deploy your Windows Information Protection (WIP) policy using Microsoft Intune (Windows 10)
+description: After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices.
+ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, Intune
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+---
+
+# Deploy your Windows Information Protection (WIP) policy using Microsoft Intune
+**Applies to:**
+
+- Windows 10, version 1607
+- Windows 10 Mobile
+
+After you’ve created your Windows Information Protection (WIP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
+
+**To deploy your WIP policy**
+
+1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
+
+ 
+
+2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.
+The added people move to the **Selected Groups** list on the right-hand pane.
+
+ 
+
+3. After you've picked all of the employees and groups that should get the policy, click **OK**.
+The policy is deployed to the selected users' devices.
+
+## Related topics
+- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
+- [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md)
+- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
+- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
\ No newline at end of file
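Review bot: In steps 2 and 3 of **To deploy your WIP policy**, the result sentences ("The added people move to the **Selected Groups** list..." and "The policy is deployed to the selected users' devices.") sit flush left directly under the step, whereas the other procedures in this change put result text in an indented paragraph after a blank line. Indent them the same way so they render consistently as part of the step. The new file also ends without a trailing newline (`\ No newline at end of file`); add one. Since the procedure ends at clicking **OK**, consider adding a sentence on how an admin confirms that the policy reached the enrolled devices.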
diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-edp.md b/windows/keep-secure/enlightened-microsoft-apps-and-edp.md
index bf8d546f56..c152dca1e5 100644
--- a/windows/keep-secure/enlightened-microsoft-apps-and-edp.md
+++ b/windows/keep-secure/enlightened-microsoft-apps-and-edp.md
@@ -1,89 +1,5 @@
---
title: List of enlightened Microsoft apps for use with enterprise data protection (EDP) (Windows 10)
description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list.
-ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f
-keywords: EDP, Enterprise Data Protection
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: eross-msft
----
-
-# List of enlightened Microsoft apps for use with enterprise data protection (EDP)
-
-**Applies to:**
-
-- Windows 10 Insider Preview
-- Windows 10 Mobile Preview
-
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your **Protected Apps** list.
-
-## Enlightened versus unenlightened apps
-Apps can be enlightened (policy-aware) or unenlightened (policy unaware).
-
-- **Enlightened apps** can differentiate between corporate and personal data, correctly determining which to protect, based on your policies.
-
-- **Unenlightened apps** consider all data corporate and encrypt everything. Typically, you can tell an unenlightened app because:
-
- - Windows Desktop shows it as always running in enterprise mode.
-
- - Windows **Save As** experiences only allow you to save your files as enterprise.
-
-## List of enlightened Microsoft apps
-Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
-
-- Microsoft Edge
-
-- Internet Explorer 11
-
-- Microsoft People
-
-- Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
-
-- Microsoft Photos
-
-- Microsoft OneDrive
-
-- Groove Music
-
-- Notepad
-
-- Microsoft Paint
-
-- Microsoft Movies & TV
-
-- Microsoft Messaging
-
-## Adding enlightened Microsoft apps to the Protected Apps list
-You can add any or all of the enlightened Microsoft apps to your Protected Apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and System Center Configuration Manager.
-
-|Product name |App info |
-|-------------|---------|
-|Microsoft Edge |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` After you turn off EDP, an attempt is made to decrypt any closed EDP-tagged files on the locally attached drives. |
- **Note**
- You don’t have to modify line-of-business apps that never touch personal data to list them as protected apps; just include them in the **Protected App** list.
-
- - **Deciding your level of data access.** EDP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your **Protected App** list.
-
- - **Continuous data encryption.** EDP helps protect enterprise data on local files and on removable media.
- Apps such as Microsoft Word work with EDP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens EDP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies EDP to the new document.
-
- - **Helping prevent accidental data disclosure to public spaces.** EDP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your **Protected App** list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your **Protected Apps** list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the cloud, while maintaining the encryption.
-
- - **Helping prevent accidental data disclosure to removable media.** EDP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
-
-- **Remove access to enterprise data from enterprise-protected devices.** EDP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable. **Note** We strongly recommend educating employees about how to limit or eliminate the need for this decryption. |
-|Synchronizing data to other services or public cloud storage |Synchronized files aren't protected on additional services or as part of public cloud storage. |Stop the app from synchronizing or don't add the app to your **Protected App** list. For more info about adding apps to the **Protected App** list, see either the [Create an enterprise data protection (EDP) policy using Intune](create-edp-policy-using-intune.md) or the [Create and deploy an enterprise data protection (EDP) policy using Configuration Manager](create-edp-policy-using-sccm.md) topic, depending on your management solution.
-
-## Next steps
-After deciding to use EDP in your enterprise, you need to:
-
-- [Create an enterprise data protection (EDP) policy](overview-create-edp-policy.md)
\ No newline at end of file
+redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip
+---
\ No newline at end of file
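Review bot: The stub left in `enlightened-microsoft-apps-and-edp.md` sets `redirect_url` to `https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip`, which is the overview topic rather than a WIP version of the enlightened apps list. Confirm that this is the intended target, otherwise readers following old links to the app list will land on the wrong page. The retained `title:` and `description:` lines still describe the EDP app list, and the file ends without a trailing newline.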
diff --git a/windows/keep-secure/protect-enterprise-data-using-wip.md b/windows/keep-secure/protect-enterprise-data-using-wip.md
new file mode 100644
index 0000000000..a2e1d5ffd9
--- /dev/null
+++ b/windows/keep-secure/protect-enterprise-data-using-wip.md
@@ -0,0 +1,82 @@
+---
+title: Protect your enterprise data using Windows Information Protection (WIP) (Windows 10)
+description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control.
+ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+---
+
+# Protect your enterprise data using Windows Information Protection (WIP)
+**Applies to:**
+
+- Windows 10, version 1607
+- Windows 10 Mobile
+
+With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures to their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
+
+Windows Information Protection (WIP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. WIP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps. Finally, another data protection technology, Azure Rights Management also works alongside WIP to extend data protection for data that leaves the device, such as when email attachments are sent from an enterprise aware version of a rights management mail client.
+
+## Prerequisites
+You’ll need this software to run WIP in your enterprise:
+
+|Operating system | Management solution |
+|-----------------|---------------------|
+|Windows 10, version 1607 | Microsoft Intune After you turn off WIP, an attempt is made to decrypt any closed WIP-tagged files on the locally attached drives. |
+ **Note** **Note** **Note** The app shouldn't be able to access the file. If your default app association is an app not on your **Protected Apps** list, you should get an **Access Denied** error message. You should see an EDP-related warning box, asking you to click either **Got it** or **Cancel**. The content isn't pasted into the non-enterprise app. The content is pasted into the non-enterprise app. The content should copy and paste between apps without any warning messages. You should see an EDP-related warning box, asking you to click either **Drag Anyway** or **Cancel**. The content isn't dropped into the non-enterprise app. The content is dropped into the non-enterprise app. The content should move between the apps without any warning messages. You should see an EDP-related warning box, asking you to click either **Share Anyway** or **Cancel**. The content isn't shared into Facebook. The content is shared into Facebook. The content should share between the apps without any warning messages. EDP should encrypt the file to your Enterprise Identity. The file should be decrypted and the **Lock** icon should disappear. **Note** A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your **Protected Apps** list. Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files. Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files. The device should be removed and all of the enterprise content for that managed account should be gone. **Important** **Note** The app shouldn't be able to access the file. If your default app association is an app not on your allowed apps list, you should get an **Access Denied** error message. You should see an WIP-related warning box, asking you to click either **Got it** or **Cancel**. 
The content isn't pasted into the non-enterprise app. The content is pasted into the non-enterprise app. The content should copy and paste between apps without any warning messages. You should see an WIP-related warning box, asking you to click either **Drag Anyway** or **Cancel**. The content isn't dropped into the non-enterprise app. The content is dropped into the non-enterprise app. The content should move between the apps without any warning messages. You should see an WIP-related warning box, asking you to click either **Share Anyway** or **Cancel**. The content isn't shared into Facebook. The content is shared into Facebook. The content should share between the apps without any warning messages. WIP should encrypt the file to your Enterprise Identity. The file should be decrypted and the **Lock** icon should disappear. **Note** A few notable exceptions include some of the user-facing in-box apps, like Wordpad, Notepad, and Microsoft Paint. These apps don't have access by default, but can be added to your allowed apps list. Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files. Basic file and folder operations like copy, move, rename, delete, and so on, should work properly on encrypted files. The device should be removed and all of the enterprise content for that managed account should be gone. **Important** NOTE: Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed: NOTE:
+ Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016
WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
+If you want to use **File hash** or **Path** rules, instead of **Publisher** rules, you must follow the steps in the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
+
+#### Add a store app rule to your policy
+For this example, we’re going to add Microsoft OneNote, a store app, to the **App Rules** list.
+
+**To add a store app**
+1. From the **App Rules** area, click **Add**.
+
+ The **Add App Rule** box appears.
+
+ 
+
+2. Add a friendly name for your app into the **Title** box. In this example, it’s *Microsoft OneNote*.
+
+3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
+
+ Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic.
+
+4. Pick **Store App** from the **Rule template** drop-down list.
+
+ The box changes to show the store app rule options.
+
+5. Type the name of the app and the name of its publisher, and then click **OK**. For this UWP app example, the **Publisher** is `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US` and the **Product name** is `Microsoft.Office.OneNote`.
+
+If you don't know the publisher or product name, you can find them for both desktop devices and Windows 10 Mobile phones by following these steps.
+
+**To find the Publisher and Product Name values for Store apps without installing them**
+1. Go to the [Windows Store for Business](http://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft OneNote*.
+
+ >**Note**
+ If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md) topic.
+
+2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
+
+3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value.
+
+ The API runs and opens a text editor with the app details.
+
+ ```json
+ {
+ "packageIdentityName": "Microsoft.Office.OneNote",
+ "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+ }
+ ```
+
+4. Copy the `publisherCertificateName` value into the **Publisher Name** box and copy the `packageIdentityName` value into the **Product Name** box of Intune.
+
+ >**Important**
+ The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
Your PC and phone must be on the same wireless network.
+
+2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
+
+3. In the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
+
+4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
+
+5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
+
+6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
+
+7. Start the app for which you're looking for the publisher and product name values.
+
+8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
+
+ >**Important**
+ The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as `CN=` followed by the `windowsPhoneLegacyId`.
+
+ ``` json
+ {
+ "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d",
+ }
+ ```
+
+#### Add a desktop app rule to your policy
+For this example, we’re going to add Internet Explorer, a desktop app, to the **App Rules** list.
+
+**To add a desktop app**
+1. From the **App Rules** area, click **Add**.
+
+ The **Add App Rule** box appears.
+
+ 
+
+2. Add a friendly name for your app into the **Title** box. In this example, it’s *Internet Explorer*.
+
+3. Click **Allow** from the **Windows Information Protection mode** drop-down list.
+
+ Allow turns on WIP, helping to protect that app’s corporate data through the enforcement of WIP restrictions. Instructions for exempting an app are included in the [Exempt apps from WIP restrictions](#exempt-apps-from-wip-restrictions) section of this topic.
+
+4. Pick **Desktop App** from the **Rule template** drop-down list.
+
+ The box changes to show the store app rule options.
+
+5. Pick the options you want to include for the app rule (see table), and then click **OK**.
+
+
+
+
+If you’re unsure about what to include for the publisher, you can run this PowerShell command:
+
+```ps1
+ Get-AppLockerFileInformation -Path "
+
+ Option
+ Manages
+
+
+ All fields left as “*”
+ All files signed by any publisher. (Not recommended.)
+
+
+ Publisher selected
+ All files signed by the named publisher.
+
+
+ Publisher and Product Name selected
+ All files for the specified product, signed by the named publisher.
+
+
+ Publisher, Product Name, and Binary name selected
+ Any version of the named file or package for the specified product, signed by the named publisher.
+
+
+ Publisher, Product Name, Binary name, and File Version, and above, selected
+ Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.
+
+
+ Publisher, Product Name, Binary name, and File Version, And below selected
+ Specified version or older releases of the named file or package for the specified product, signed by the named publisher.
+
+
+ Publisher, Product Name, Binary name, and File Version, Exactly selected
+ Specified version of the named file or package for the specified product, signed by the named publisher.
+
+ This is the XML file that AppLocker creates for Microsoft Photos.
+
+ ```xml
+
+
+
+3. Add as many locations as you need, and then click **OK**.
+
+ The **Add corporate network definition** box closes.
+
+4. Decide if you want to Windows to look for additional network settings:
+
+ - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.
+
+ - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
+
+ - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps.
+
+5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
+
+ 
+
+ After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
+
+ For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md).
+
+### Choose your optional WIP-related settings
+After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings.
+
+
+
+**To set your optional settings**
+1. Choose to set any or all of the optional settings:
+
+ - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are:
+
+ - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box.
+
+ - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult.
+
+ - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
+
+ - **Yes (recommended).** Turns on the feature and provides the additional protection.
+
+ - **No, or not configured.** Doesn't enable this feature.
+
+ - **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
+
+ - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
+
+ - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions.
+
+ - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are:
+
+ - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps.
+
+ - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
+
+ - **Show the Windows Information Protection icon overlay.** Determines whether the Windows Information Protection icon overlay appears on corporate files or in the **Start** menu, on top of the tiles for your unenlightened protected apps. The options are:
+
+ - **Yes (recommended).** Allows the Windows Information Protection icon overlay to appear for files or on top of the tiles for your unenlightened protected apps in the **Start** menu.
+
+ - **No, or not configured.** Stops the Windows Information Protection icon overlay from appearing for files or on top of the tiles for your unenlightened protected apps in the **Start** menu.
+
+2. Click **Save Policy**.
+
+## Related topics
+- [Add apps to your Windows Information Protection (WIP) policy by using the Microsoft Intune custom URI functionality](add-apps-to-protected-list-using-custom-uri.md)
+- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
+- [Create and deploy a VPN policy for Windows Information Protection (WIP) using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
+- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
\ No newline at end of file
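Review bot: In the optional settings list, the **No** choice under **Revoke encryption keys on unenroll** never states its consequence. The parent bullet says revoked keys remove access to encrypted corporate data, so with **No** an unenrolled device keeps that access. Say so explicitly, and fold the fragment "For example, if you're migrating between Mobile Device Management (MDM) solutions." into that sentence as the case where keeping the keys is intended. Smaller points in the same hunk: step 4 reads "Decide if you want to Windows to look"; the step 4 overlay checkbox says "on top the tiles" where the optional setting says "on top of the tiles"; the icon overlay option is described twice, once as a step 4 checkbox and again in the optional settings; the `xml` code fence after "This is the XML file that AppLocker creates for Microsoft Photos." has no content or closing fence in the lines shown; and the file ends without a trailing newline.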
diff --git a/windows/keep-secure/create-wip-policy-using-sccm.md b/windows/keep-secure/create-wip-policy-using-sccm.md
new file mode 100644
index 0000000000..0f91219ae8
--- /dev/null
+++ b/windows/keep-secure/create-wip-policy-using-sccm.md
@@ -0,0 +1,504 @@
+---
+title: Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager (Windows 10)
+description: Configuration Manager (version 1606 or later) helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
+ms.assetid: 85b99c20-1319-4aa3-8635-c1a87b244529
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection, SCCM, System Center Configuration Manager, Configuration Manager
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+---
+
+# Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
+**Applies to:**
+
+- Windows 10, version 1607
+- Windows 10 Mobile
+- System Center Configuration Manager
+
+System Center Configuration Manager helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection mode, and how to find enterprise data on the network.
+
+>**Important**
+
+ Network location type
+ Format
+ Description
+
+
+ Enterprise Cloud Resources
+ **With proxy:** contoso.sharepoint.com,proxy.contoso.com|
+
contoso.visualstudio.com,proxy.contoso.comSpecify the cloud resources to be treated as corporate and protected by WIP.
+
+
+ Enterprise Network Domain Names (Required)
+ corp.contoso.com,region.contoso.com
+ Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.
+
+
+ Enterprise Proxy Servers
+ proxy.contoso.com:80;proxy2.contoso.com:137
+ Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.
+
+
+ Enterprise Internal Proxy Servers
+ contoso.internalproxy1.com;contoso.internalproxy2.com
+ Specify the proxy servers your devices will go through to reach your cloud resources.
+
+
+ Enterprise IPv4 Range (Required, if not using IPv6)
+ **Starting IPv4 Address:** 3.4.0.1
+
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
+
+
+ Enterprise IPv6 Range (Required, if not using IPv4)
+ **Starting IPv6 Address:** 2a01:110::
+
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffffSpecify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
+
+
+ Neutral Resources
+ sts.contoso.com,sts.contoso2.com
+ Specify your authentication redirection endpoints for your company.
+
+If you previously created an WIP policy using System Center Configuration Manager version 1511 or 1602, you’ll need to recreate it using version 1606 or later. Editing a WIP policy created in version 1511 or 1602 is not supported in later versions and there is no migration path between older and newer WIP policies.
+
+## Add an WIP policy
+After you’ve installed and set up System Center Configuration Manager for your organization, you must create a configuration item for WIP, which in turn becomes your WIP policy.
+
+**To create a configuration item for WIP**
+
+1. Open the System Center Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
+
+ 
+
+2. Click the **Create Configuration Item** button.
+WIP-aware apps are expected to prevent enterprise data from going to unprotected network locations and to avoid encrypting personal data. On the other hand, WIP-unaware apps might not respect the corporate network boundary, and WIP-unaware apps will encrypt all files they create or modify. This means that they could encrypt personal data and cause data loss during the revocation process.
+ If your app is already installed on desktop devices, you can use the AppLocker local security policy MMC snap-in to gather the info for adding the app to the protected apps list. For info about how to do this, see the steps in the [Add an AppLocker policy file](#add-an-applocker-policy-file) section.
+
+2. Copy the ID value from the app URL. For example, Microsoft OneNote's ID URL is https://www.microsoft.com/store/apps/onenote/9wzdncrfhvjl, and you'd copy the ID value, `9wzdncrfhvjl`.
+
+3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9wzdncrfhvjl/applockerdata, where `9wzdncrfhvjl` is replaced with your ID value.
+
+ The API runs and opens a text editor with the app details.
+
+ ``` json
+ {
+ "packageIdentityName": "Microsoft.Office.OneNote",
+ "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+ }
+ ```
+
+4. Copy the `publisherCertificateName` value and paste them into the **Publisher Name** box, copy the `packageIdentityName` value into the **Product Name** box of Intune.
+
+ >**Important**
+ The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
+ Your PC and phone must be on the same wireless network.
+
+2. On the Windows Phone, go to **Settings**, choose **Update & security**, and then choose **For developers**.
+
+3. On the **For developers** screen, turn on **Developer mode**, turn on **Device Discovery**, and then turn on **Device Portal**.
+
+4. Copy the URL in the **Device Portal** area into your device's browser, and then accept the SSL certificate.
+
+5. In the **Device discovery** area, press **Pair**, and then enter the PIN into the website from the previous step.
+
+6. On the **Apps** tab of the website, you can see details for the running apps, including the publisher and product names.
+
+7. Start the app for which you're looking for the publisher and product name values.
+
+8. Copy the `publisherCertificateName` value and paste it into the **Publisher Name** box and the `packageIdentityName` value into the **Product Name** box of Intune.
+
+ >**Important**
+ The JSON file might also return a `windowsPhoneLegacyId` value for both the **Publisher Name** and **Product Name** boxes. This means that you have an app that’s using a XAP package and that you must set the **Product Name** as `windowsPhoneLegacyId`, and set the **Publisher Name** as “CN=” followed by the `windowsPhoneLegacyId`.
+
+
+If you’re unsure about what to include for the publisher, you can run this PowerShell command:
+
+```ps1
+Get-AppLockerFileInformation -Path "
+
+ Option
+ Manages
+
+
+ All fields left as “*”
+ All files signed by any publisher. (Not recommended.)
+
+
+ Publisher selected
+ All files signed by the named publisher.
+
+
+ Publisher and Product Name selected
+ All files for the specified product, signed by the named publisher.
+
+
+ Publisher, Product Name, and Binary name selected
+ Any version of the named file or package for the specified product, signed by the named publisher.
+
+
+ Publisher, Product Name, Binary name, and File Version, and above, selected
+ Specified version or newer releases of the named file or package for the specified product, signed by the named publisher.
+
+
+ Publisher, Product Name, Binary name, and File Version, And below selected
+ Specified version or older releases of the named file or package for the specified product, signed by the named publisher.
+
+
+ Publisher, Product Name, Binary name, and File Version, Exactly selected
+ Specified version of the named file or package for the specified product, signed by the named publisher.
+
+ This is the XML file that AppLocker creates for Microsoft Photos.
+
+ ```xml
+
+- Every WIP policy should include policy that defines your enterprise network locations.
+- Classless Inter-Domain Routing (CIDR) notation isn’t supported for WIP configurations.
+
+**To define where your protected apps can find and send enterprise data on you network**
+
+1. Add additional network locations your apps can access by clicking **Add**.
+
+ The **Add or edit corporate network definition** box appears.
+
+2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
+
+ 
+
+
+
+
+3. Add as many locations as you need, and then click **OK**.
+
+ The **Add or edit corporate network definition** box closes.
+
+4. Decide if you want to Windows to look for additional network settings.
+
+ 
+
+ - **Enterprise Proxy Servers list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you clear this box, Windows will search for additional proxy servers in your immediate network.
+
+ - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Click this box if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you clear this box, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
+
+ - **Show the Windows Information Protection icon overlay on your allowed apps that are WIP-unaware in the Windows Start menu and on corporate file icons in the File Explorer.** Click this box if you want the Windows Information Protection icon overlay to appear on corporate files or in the Start menu, on top the tiles for your unenlightened protected apps.
+
+5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
+
+ 
+
+ After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data.
+
+ For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](http://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md).
+
+### Choose your optional WIP-related settings
+After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings.
+
+
+
+**To set your optional settings**
+1. Choose to set any or all of the optional settings:
+
+ - **Show the Personal option in the File ownership menus of File Explorer and the Save As dialog box.** Determines whether users can see the Personal option for files within File Explorer and the **Save As** dialog box. The options are:
+
+ - **Yes, or not configured (recommended).** Employees can choose whether a file is **Work** or **Personal** in File Explorer and the **Save As** dialog box.
+
+ - **No.** Hides the **Personal** option from employees. Be aware that if you pick this option, apps that use the **Save As** dialog box might encrypt new files as corporate data unless a different file path is given during the original file creation. After this happens, decryption of work files becomes more difficult.
+
+ - **Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile**. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
+
+ - **Yes (recommended).** Turns on the feature and provides the additional protection.
+
+ - **No, or not configured.** Doesn't enable this feature.
+
+ - **Allow Windows Search to search encrypted corporate data and Store apps.** Determines whether Windows Search can search and index encrypted corporate data and Store apps. The options are:
+
+ - **Yes.** Allows Windows Search to search and index encrypted corporate data and Store apps.
+
+ - **No, or not configured (recommended).** Stops Windows Search from searching and indexing encrypted corporate data and Store apps.
+
+ - **Revoke local encryption keys during the unerollment process.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
+
+ - **Yes, or not configured (recommended).** Revokes local encryption keys from a device during unenrollment.
+
+ - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions.
+
+2. After you pick all of the settings you want to include, click **Summary**.
+
+### Review your configuration choices in the Summary screen
+After you've finished configuring your policy, you can review all of your info on the **Summary** screen.
+
+**To view the Summary screen**
+- Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.
+
+ 
+
+ A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
+
+
+## Deploy the WIP policy
+After you’ve created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
+- [Operations and Maintenance for Compliance Settings in Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=708224)
+- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708225)
+- [How to Deploy Configuration Baselines in Configuration Manager]( http://go.microsoft.com/fwlink/p/?LinkId=708226)
+
+## Related topics
+- [System Center Configuration Manager and Endpoint Protection (Version 1606)](http://go.microsoft.com/fwlink/p/?LinkId=717372)
+- [TechNet documentation for Configuration Manager](http://go.microsoft.com/fwlink/p/?LinkId=691623)
+- [Manage mobile devices with Configuration Manager and Microsoft Intune](http://go.microsoft.com/fwlink/p/?LinkId=691624)
\ No newline at end of file
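Review bot: This is the Configuration Manager topic, but the two steps that end the app-lookup procedures still tell the reader to paste `publisherCertificateName` and `packageIdentityName` into the **Publisher Name** and **Product Name** boxes "of Intune". That wording looks carried over from the Intune topic and should name the Configuration Manager boxes instead. In the network-location table, the IPv6 **Custom URI** example starts with only the ending address (`2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,`), whereas the IPv4 row shows a full `start-end` range. An admin copying it would define a boundary that is not a range, so give it as a range starting at `2a01:110::`. Wording fixes in the same hunk: "an WIP policy" (body text and the "## Add an WIP policy" heading), "on you network", "if you want to Windows to look", and "unerollment". The last two links under "Deploy the WIP policy" have a space after the opening parenthesis (`]( http://`), which can break rendering. The `Get-AppLockerFileInformation -Path "` line is unterminated in the lines shown, so confirm the full command and its closing fence are present in the file.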
diff --git a/windows/keep-secure/deploy-edp-policy-using-intune.md b/windows/keep-secure/deploy-edp-policy-using-intune.md
index 7b23a44cf2..c9528077e0 100644
--- a/windows/keep-secure/deploy-edp-policy-using-intune.md
+++ b/windows/keep-secure/deploy-edp-policy-using-intune.md
@@ -1,50 +1,5 @@
---
title: Deploy your enterprise data protection (EDP) policy using Microsoft Intune (Windows 10)
description: After you’ve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices.
-ms.assetid: 9c4a01e7-0b1c-4f15-95d0-0389f0686211
-keywords: EDP, Enterprise Data Protection, Intune
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: eross-msft
----
-
-# Deploy your enterprise data protection (EDP) policy using Microsoft Intune
-**Applies to:**
-
-- Windows 10 Insider Preview
-- Windows 10 Mobile Preview
-
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-After you’ve created your enterprise data protection (EDP) policy, you'll need to deploy it to your organization's enrolled devices. Enrollment can be done for business or personal devices, allowing the devices to use your managed apps and to sync with your managed content and information.
-
-**To deploy your EDP policy**
-
-1. On the **Configuration policies** page, locate your newly-created policy, click to select it, and then click the **Manage Deployment** button.
-
- 
-
-2. In the left pane of the **Manage Deployment** box, click the employees or groups that should get the policy, and then click **Add**.
+
+ Network location type
+ Format
+ Description
+
+
+ Enterprise Cloud Resources
+ **With proxy:** contoso.sharepoint.com,proxy.contoso.com|
+
contoso.visualstudio.com,proxy.contoso.comSpecify the cloud resources to be treated as corporate and protected by WIP.
+
+
+ Enterprise Network Domain Names (Required)
+ corp.contoso.com,region.contoso.com
+ Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.
+
+
+ Enterprise Proxy Servers
+ proxy.contoso.com:80;proxy2.contoso.com:137
+ Specify your externally-facing proxy server addresses, along with the port through which traffic is allowed and protected with WIP.
+
+
+ Enterprise Internal Proxy Servers
+ contoso.internalproxy1.com;contoso.internalproxy2.com
+ Specify the proxy servers your devices will go through to reach your cloud resources.
+
+
+ Enterprise IPv4 Range (Required)
+ **Starting IPv4 Address:** 3.4.0.1
+
**Ending IPv4 Address:** 3.4.255.254
**Custom URI:** 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
+
+
+ Enterprise IPv6 Range
+ **Starting IPv6 Address:** 2a01:110::
+
**Ending IPv6 Address:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
**Custom URI:** 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffffSpecify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
+
+
+ Neutral Resources
+ sts.contoso.com,sts.contoso2.com
+ Specify your authentication redirection endpoints for your company.
+
**Product Name:** Microsoft.MicrosoftEdge
**App Type:** Universal app |
-|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** iexplore.exe
**App Type:** Desktop app |
-|Microsoft People |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.People
**App Type:** Universal app |
-|Word Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.Word
**App Type:** Universal app |
-|Excel Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.Excel
**App Type:** Universal app |
-|PowerPoint Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.PowerPoint
**App Type:** Universal app |
-|OneNote |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.OneNote
**App Type:** Universal app |
-|Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** microsoft.windowscommunicationsapps
**App Type:** Universal app |
-|Microsoft Photos |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Windows.Photos
**App Type:** Universal app |
-|Microsoft OneDrive |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** microsoft.microsoftskydrive
**App Type:** Universal app |
-|Groove Music |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneMusic
**App Type:** Universal app |
-|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** notepad.exe
**App Type:** Desktop app |
-|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** mspaint.exe
**App Type:** Desktop app |
-|Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneVideo
**App Type:** Universal app |
-|Microsoft Messaging |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Messaging
**App Type:** Universal app |
-
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip
+---
\ No newline at end of file
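Review bot: The body of this hunk does not match its `@@ -1,50 +1,5 @@` header. The new side should be five lines (front matter with a `redirect_url`), yet the hunk adds a full network-location table, and after the deploy steps it removes rows of an enlightened-apps table that do not read as part of deploy-edp-policy-using-intune.md. The closing `redirect_url` also points at enlightened-microsoft-apps-and-wip, not at a deployment topic, although deploy-wip-policy-using-intune.md is linked from the Related topics list earlier in this patch. Regenerate the diff for this file and confirm the redirect target before merging, because as shown it would send readers of the deployment page to the app list. If the table is meant to stay somewhere, note that it labels Enterprise IPv4 Range as "(Required)" while the same table in create-wip-policy-using-sccm.md says "(Required, if not using IPv6)", and that it repeats the IPv6 **Custom URI** example that lists only the ending address.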
diff --git a/windows/keep-secure/enlightened-microsoft-apps-and-wip.md b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
new file mode 100644
index 0000000000..33d2044176
--- /dev/null
+++ b/windows/keep-secure/enlightened-microsoft-apps-and-wip.md
@@ -0,0 +1,77 @@
+---
+title: List of enlightened Microsoft apps for use with Windows Information Protection (WIP) (Windows 10)
+description: Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your Protected Apps list.
+ms.assetid: 17c85ea3-9b66-4b80-b511-8f277cb4345f
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+---
+
+# List of enlightened Microsoft apps for use with Windows Information Protection(WIP)
+
+**Applies to:**
+
+- Windows 10, version 6017
+- Windows 10 Mobile
+
+Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list.
+
+## Enlightened versus unenlightened apps
+Apps can be enlightened (policy-aware) or unenlightened (policy-unaware).
+
+- **Enlightened apps** can differentiate between corporate and personal data, correctly determining which to protect, based on your policies.
+
+- **Unenlightened apps** consider all data corporate and encrypt everything. Typically, you can tell an unenlightened app because:
+
+ - Windows Desktop shows it as always running in enterprise mode.
+
+ - Windows **Save As** experiences only allow you to save your files as enterprise.
+
+## List of enlightened Microsoft apps
+Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
+
+- Microsoft Edge
+
+- Internet Explorer 11
+
+- Microsoft People
+
+- Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
+
+- Microsoft Photos
+
+- Microsoft OneDrive
+
+- Groove Music
+
+- Notepad
+
+- Microsoft Paint
+
+- Microsoft Movies & TV
+
+- Microsoft Messaging
+
+## Adding enlightened Microsoft apps to the allowed apps list
+You can add any or all of the enlightened Microsoft apps to your allowed apps list. Included here is the **Publisher name**, **Product or File name**, and **App Type** info for both Microsoft Intune and System Center Configuration Manager.
+
+|Product name |App info |
+|-------------|---------|
+|Microsoft Edge |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.MicrosoftEdge
**App Type:** Universal app |
+|IE11 |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** iexplore.exe
**App Type:** Desktop app |
+|Microsoft People |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.People
**App Type:** Universal app |
+|Word Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.Word
**App Type:** Universal app |
+|Excel Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.Excel
**App Type:** Universal app |
+|PowerPoint Mobile |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.PowerPoint
**App Type:** Universal app |
+|OneNote |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Office.OneNote
**App Type:** Universal app |
+|Outlook Mail and Calendar |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** microsoft.windowscommunicationsapps
**App Type:** Universal app |
+|Microsoft Photos |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Windows.Photos
**App Type:** Universal app |
+|Microsoft OneDrive |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** microsoft.microsoftskydrive
**App Type:** Universal app |
+|Groove Music |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneMusic
**App Type:** Universal app |
+|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** notepad.exe
**App Type:** Desktop app |
+|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** mspaint.exe
**App Type:** Desktop app |
+|Microsoft Movies & TV |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.ZuneVideo
**App Type:** Universal app |
+|Microsoft Messaging |**Publisher:** `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Product Name:** Microsoft.Messaging
**App Type:** Universal app |
\ No newline at end of file
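Review bot: The **Applies to** list gives "Windows 10, version 6017", while create-wip-policy-using-sccm.md in this same patch gives "Windows 10, version 1607". The digits look transposed, so please correct this to match. Also in this hunk: the H1 is missing a space in "Windows Information Protection(WIP)", although the front-matter title has it; the intro to the table promises "**Publisher name**, **Product or File name**, and **App Type**" while the cells are labelled "Publisher:" and "Product Name:", so pick one set of labels; and the file ends without a trailing newline.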
diff --git a/windows/keep-secure/guidance-and-best-practices-edp.md b/windows/keep-secure/guidance-and-best-practices-edp.md
index fd1ffe2dcd..cfd70be3cc 100644
--- a/windows/keep-secure/guidance-and-best-practices-edp.md
+++ b/windows/keep-secure/guidance-and-best-practices-edp.md
@@ -1,39 +1,5 @@
---
title: General guidance and best practices for enterprise data protection (EDP) (Windows 10)
description: This section includes info about the enlightened Microsoft apps, including how to add them to your Protected Apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP).
-ms.assetid: aa94e733-53be-49a7-938d-1660deaf52b0
-keywords: EDP, Enterprise Data Protection
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: eross-msft
----
-
-# General guidance and best practices for enterprise data protection (EDP)
-**Applies to:**
-
-- Windows 10 Insider Preview
-- Windows 10 Mobile Preview
-
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-This section includes info about the enlightened Microsoft apps, including how to add them to your **Protected Apps** list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with enterprise data protection (EDP).
-
-## In this section
-|Topic |Description |
-|------|------------|
-|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise. |
-|[Enlightened apps for use with enterprise data protection (EDP)](enlightened-microsoft-apps-and-edp.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your **Protected Apps** list. |
-|[Testing scenarios for enterprise data protection (EDP)](testing-scenarios-for-edp.md) |We've come up with a list of suggested testing scenarios that you can use to test EDP in your company. |
-
-
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/guidance-and-best-practices-wip
+---
\ No newline at end of file
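Review bot: The redirect stub keeps the old `title` and `description` lines, which still name enterprise data protection (EDP), directly above the new `redirect_url`. If the publishing pipeline indexes front matter from redirected topics, the retired name will keep surfacing in search. Update both lines to the WIP wording, or drop `description` from the stub. The file also now ends without a trailing newline.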
diff --git a/windows/keep-secure/guidance-and-best-practices-wip.md b/windows/keep-secure/guidance-and-best-practices-wip.md
new file mode 100644
index 0000000000..28eb875c28
--- /dev/null
+++ b/windows/keep-secure/guidance-and-best-practices-wip.md
@@ -0,0 +1,26 @@
+---
+title: General guidance and best practices for Windows Information Protection (WIP) (Windows 10)
+description: This section includes info about the enlightened Microsoft apps, including how to add them to your Protected Apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP).
+ms.assetid: aa94e733-53be-49a7-938d-1660deaf52b0
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+---
+
+# General guidance and best practices for Windows Information Protection (WIP)
+**Applies to:**
+
+- Windows 10, version 1607
+- Windows 10 Mobile
+
+This section includes info about the enlightened Microsoft apps, including how to add them to your allowed apps list in Microsoft Intune. It also includes some testing scenarios that we recommend running through with Windows Information Protection (WIP).
+
+## In this section
+|Topic |Description |
+|------|------------|
+|[Mandatory settings for Windows Information Protection (WIP)](mandatory-settings-for-wip.md) |A list of all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as Windows Information Protection (WIP), in your enterprise. |
+|[Enlightened apps for use with Windows Information Protection (WIP)](enlightened-microsoft-apps-and-wip.md) |Learn the difference between enlightened and unenlightened apps, and then review the list of enlightened apps provided by Microsoft along with the text you will need to use to add them to your allowed apps list. |
+|[Testing scenarios for Windows Information Protection (WIP)](testing-scenarios-for-wip.md) |We've come up with a list of suggested testing scenarios that you can use to test WIP in your company. |
\ No newline at end of file
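Review bot: The first table row now reads "Windows Information Protection (WIP), formerly known as Windows Information Protection (WIP)", which looks like a rename applied to both halves of the sentence. The removed version of this row in guidance-and-best-practices-edp.md said "formerly known as enterprise data protection (EDP)", and `keywords` in this file still lists EDP, so the second mention should be restored to the old name. The new file also lacks a trailing newline.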
diff --git a/windows/keep-secure/images/intune-vpn-wipmodeid.png b/windows/keep-secure/images/intune-vpn-wipmodeid.png
new file mode 100644
index 0000000000..80852af30d
Binary files /dev/null and b/windows/keep-secure/images/intune-vpn-wipmodeid.png differ
diff --git a/windows/keep-secure/images/edp-intune-app-reconfig-warning.png b/windows/keep-secure/images/wip-intune-app-reconfig-warning.png
similarity index 100%
rename from windows/keep-secure/images/edp-intune-app-reconfig-warning.png
rename to windows/keep-secure/images/wip-intune-app-reconfig-warning.png
diff --git a/windows/keep-secure/images/edp-sccm-add-network-domain.png b/windows/keep-secure/images/wip-sccm-add-network-domain.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-add-network-domain.png
rename to windows/keep-secure/images/wip-sccm-add-network-domain.png
diff --git a/windows/keep-secure/images/edp-sccm-addapplockerfile.png b/windows/keep-secure/images/wip-sccm-addapplockerfile.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-addapplockerfile.png
rename to windows/keep-secure/images/wip-sccm-addapplockerfile.png
diff --git a/windows/keep-secure/images/edp-sccm-adddesktopapp.png b/windows/keep-secure/images/wip-sccm-adddesktopapp.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-adddesktopapp.png
rename to windows/keep-secure/images/wip-sccm-adddesktopapp.png
diff --git a/windows/keep-secure/images/edp-sccm-additionalsettings.png b/windows/keep-secure/images/wip-sccm-additionalsettings.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-additionalsettings.png
rename to windows/keep-secure/images/wip-sccm-additionalsettings.png
diff --git a/windows/keep-secure/images/edp-sccm-addpolicy.png b/windows/keep-secure/images/wip-sccm-addpolicy.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-addpolicy.png
rename to windows/keep-secure/images/wip-sccm-addpolicy.png
diff --git a/windows/keep-secure/images/edp-sccm-adduniversalapp.png b/windows/keep-secure/images/wip-sccm-adduniversalapp.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-adduniversalapp.png
rename to windows/keep-secure/images/wip-sccm-adduniversalapp.png
diff --git a/windows/keep-secure/images/edp-sccm-appmgmt.png b/windows/keep-secure/images/wip-sccm-appmgmt.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-appmgmt.png
rename to windows/keep-secure/images/wip-sccm-appmgmt.png
diff --git a/windows/keep-secure/images/edp-sccm-corp-identity.png b/windows/keep-secure/images/wip-sccm-corp-identity.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-corp-identity.png
rename to windows/keep-secure/images/wip-sccm-corp-identity.png
diff --git a/windows/keep-secure/images/edp-sccm-devicesettings.png b/windows/keep-secure/images/wip-sccm-devicesettings.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-devicesettings.png
rename to windows/keep-secure/images/wip-sccm-devicesettings.png
diff --git a/windows/keep-secure/images/edp-sccm-dra.png b/windows/keep-secure/images/wip-sccm-dra.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-dra.png
rename to windows/keep-secure/images/wip-sccm-dra.png
diff --git a/windows/keep-secure/images/edp-sccm-generalscreen.png b/windows/keep-secure/images/wip-sccm-generalscreen.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-generalscreen.png
rename to windows/keep-secure/images/wip-sccm-generalscreen.png
diff --git a/windows/keep-secure/images/edp-sccm-network-domain.png b/windows/keep-secure/images/wip-sccm-network-domain.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-network-domain.png
rename to windows/keep-secure/images/wip-sccm-network-domain.png
diff --git a/windows/keep-secure/images/edp-sccm-optsettings.png b/windows/keep-secure/images/wip-sccm-optsettings.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-optsettings.png
rename to windows/keep-secure/images/wip-sccm-optsettings.png
diff --git a/windows/keep-secure/images/edp-sccm-summaryscreen.png b/windows/keep-secure/images/wip-sccm-summaryscreen.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-summaryscreen.png
rename to windows/keep-secure/images/wip-sccm-summaryscreen.png
diff --git a/windows/keep-secure/images/edp-sccm-supportedplat.png b/windows/keep-secure/images/wip-sccm-supportedplat.png
similarity index 100%
rename from windows/keep-secure/images/edp-sccm-supportedplat.png
rename to windows/keep-secure/images/wip-sccm-supportedplat.png
diff --git a/windows/keep-secure/mandatory-settings-for-wip.md b/windows/keep-secure/mandatory-settings-for-wip.md
index 56b79bc283..97d8e1c456 100644
--- a/windows/keep-secure/mandatory-settings-for-wip.md
+++ b/windows/keep-secure/mandatory-settings-for-wip.md
@@ -11,22 +11,20 @@ ms.pagetype: security
# Mandatory tasks and settings required to turn on Windows Information Protection (WIP)
**Applies to:**
-- Windows 10 Insider Preview
-- Windows 10 Mobile Preview
-
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
+- Windows 10, version 1607
+- Windows 10 Mobile
This list provides all of the tasks and settings that are required for the operating system to turn on Windows Information Protection (WIP), formerly known as enterprise data protection (EDP), in your enterprise.
>**Important**
-All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-edp-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md), based on the tool you're using in your enterprise.
+All sections provided for more info appear in either the [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) or [Create a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md), based on the tool you're using in your enterprise.
|Task |Description |
|------------------------------------|--------------------------|
|Add at least one app rule in the **App Rules** area in your WIP policy. |You must have at least one app rule specified in the **App Rules** area of your WIP policy. For more info about where this area is and how to add an app rule, see the **Add individual apps to your Protected App list** section of the policy creation topics.|
-|Pick your WIP protection level. |You must choose the level of protection level you want to apply to your WIP-protected content, including Override, Silent, or Block. For more info about where this area is and how to decide on your protection level, see the **Manage the EDP protection level for your enterprise data** section of the policy creation topics.|
+|Pick your WIP protection level. |You must choose the level of protection level you want to apply to your WIP-protected content, including Override, Silent, or Block. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection level for your enterprise data** section of the policy creation topics.|
|Specify your corporate identity. |You must specify your corporate identity, usually expressed as your primary Internet domain (for example, contoso.com). For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. |
|Specify your Enterprise Network Domain Names. |You must specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics. |
|Specify your Enterprise IPv4 or IPv6 Ranges. |Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics. |
-|Include your Data Recovery Agent (DRA) certificate. |This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the **Create and verify an Encrypting File System (EFS) DRA certificate for EDP** section of the policy creation topics. |
\ No newline at end of file
+|Include your Data Recovery Agent (DRA) certificate. |This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the **Create and verify an Encrypting File System (EFS) DRA certificate** section of the policy creation topics. |
\ No newline at end of file
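Review bot: The rewritten "Pick your WIP protection level" row still says "the level of protection level", and since the line is being touched anyway it should read "the protection level". The rename is also only partial across this table. The unchanged first row still points readers to the **Add individual apps to your Protected App list** section, while the other files in this change call it the allowed apps list, so confirm the section title in the renamed policy topics and align it here. The "Enterprise IPv4 or IPv6 Ranges" row sends readers to **Define your enterprise-managed corporate identity**, the same section cited for the corporate identity row. Check whether the network-boundary table under **Choose where apps can access enterprise data** was meant.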
diff --git a/windows/keep-secure/overview-create-edp-policy.md b/windows/keep-secure/overview-create-edp-policy.md
index abd098560f..74ca414ed7 100644
--- a/windows/keep-secure/overview-create-edp-policy.md
+++ b/windows/keep-secure/overview-create-edp-policy.md
@@ -1,37 +1,5 @@
---
title: Create an enterprise data protection (EDP) policy (Windows 10)
description: Microsoft Intune and System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
-ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: eross-msft
----
-
-# Create an enterprise data protection (EDP) policy
-**Applies to:**
-
-- Windows 10 Insider Preview
-- Windows 10 Mobile Preview
-
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-Microsoft Intune and System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your enterprise data protection (EDP) policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network.
-
-## In this section
-|Topic |Description |
-|------|------------|
-|[Create an enterprise data protection (EDP) policy using Microsoft Intune](create-edp-policy-using-intune.md) |Intune helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
-|[Create and deploy an enterprise data protection (EDP) policy using System Center Configuration Manager](create-edp-policy-using-sccm.md) |System Center Configuration Manager Technical Preview version 1605 or later helps you create and deploy your EDP policy, including letting you choose your protected apps, your EDP-protection level, and how to find enterprise data on the network. |
-|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
-
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/overview-create-wip-policy
+---
\ No newline at end of file
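Review bot: The `description` kept in this stub still says "System Center Configuration Manager Technical Preview version 1605 or later", wording that the replacement overview-create-wip-policy.md drops. Bring the stub's `title` and `description` in line with the new topic, or remove `description`, so the redirect does not keep advertising the preview requirement.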
diff --git a/windows/keep-secure/overview-create-wip-policy.md b/windows/keep-secure/overview-create-wip-policy.md
new file mode 100644
index 0000000000..786a59475d
--- /dev/null
+++ b/windows/keep-secure/overview-create-wip-policy.md
@@ -0,0 +1,25 @@
+---
+title: Create a Windows Information Protection (WIP) policy (Windows 10)
+description: Microsoft Intune and System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
+ms.assetid: d2059e74-94bd-4e54-ab59-1a7b9b52bdc6
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+---
+
+# Create a Windows Information Protection (WIP) policy
+**Applies to:**
+
+- Windows 10, version 1607
+- Windows 10 Mobile
+
+Microsoft Intune and System Center Configuration Manager helps you create and deploy your enterprise data protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
+
+## In this section
+|Topic |Description |
+|------|------------|
+|[Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md) |Intune helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
+|[Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager](create-wip-policy-using-sccm.md) |System Center Configuration Manager helps you create and deploy your WIP policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. |
+|[Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md)] |Steps to create, verify, and perform a quick recovery using a Encrypting File System (EFS) Data Recovery Agent (DRA) certificate. |
\ No newline at end of file
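Review bot: The `description` line and the intro paragraph both say "enterprise data protection (WIP) policy", so the acronym was renamed but the spelled-out name was not. It should read "Windows Information Protection (WIP) policy", matching the `title`. In the same sentence, "Microsoft Intune and System Center Configuration Manager helps" needs "help". The last table row carries over a stray `]` after the link target, `(create-and-verify-an-efs-dra-certificate.md)]`, which will render as a literal bracket, and "a Encrypting File System" should be "an Encrypting File System".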
diff --git a/windows/keep-secure/protect-enterprise-data-using-edp.md b/windows/keep-secure/protect-enterprise-data-using-edp.md
index 9e052274d5..3f8df3ef51 100644
--- a/windows/keep-secure/protect-enterprise-data-using-edp.md
+++ b/windows/keep-secure/protect-enterprise-data-using-edp.md
@@ -1,92 +1,5 @@
---
title: Protect your enterprise data using enterprise data protection (EDP) (Windows 10)
description: With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control.
-ms.assetid: 6cca0119-5954-4757-b2bc-e0ea4d2c7032
-keywords: EDP, Enterprise Data Protection
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: eross-msft
----
-
-# Protect your enterprise data using enterprise data protection (EDP)
-**Applies to:**
-
-- Windows 10 Insider Preview
-- Windows 10 Mobile Preview
-
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
-
-Enterprise data protection (EDP) helps to protect against this potential data leakage without otherwise interfering with the employee experience. EDP also helps to protect enterprise apps and data against accidental data leak on enterprise-owned devices and personal devices that employees bring to work without requiring changes to your environment or other apps.
-
-## Prerequisites
-You’ll need this software to run EDP in your enterprise:
-
-|Operating system | Management solution |
-|-----------------|---------------------|
-|Windows 10 Insider Preview | Microsoft Intune
-OR-
System Center Configuration Manager Technical Preview version 1605 or later
-OR-
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.|
-
-## How EDP works
-EDP helps address your everyday challenges in the enterprise. Including:
-
-- Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down.
-
-- Reducing employee frustrations because of restrictive data management policies on enterprise-owned devices.
-
-- Helping to maintain the ownership and control of your enterprise data.
-
-- Helping control the network and data access and data sharing for apps that aren’t enterprise aware.
-
-### EDP-protection modes
-You can set EDP to 1 of 4 protection and management modes:
-
-|Mode|Description|
-|----|-----------|
-|Block |EDP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
-|Override |EDP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). |
-|Silent |EDP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or EDP-protected data, are still blocked.|
-|Off |EDP is turned off and doesn't help to protect or audit your data.
For more info about setting your EDP-protection modes, see either [Create an enterprise data protection (EDP) policy using Intune](create-edp-policy-using-intune.md) or [Create and deploy an enterprise data protection (EDP) policy using Configuration Manager](create-edp-policy-using-sccm.md), depending on your management solution.
-
-## Why use EDP?
-EDP gives you a new way to manage data policy enforcement for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
-
-- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. EDP helps make sure that your enterprise data is protected on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
-
-- **Manage your enterprise documents, apps, and encryption modes.**
-
- - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an EDP-protected device, EDP encrypts the data on the device.
-
- - **Using allowed apps.** Managed apps (apps that you've included on the protected apps list in your EDP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if EDP management is set to **Block**, your employees can copy and paste from one protected app to another protected app, but not to personal apps. Imagine an HR person wants to copy a job description from a protected app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
-
- - **Managed apps and restrictions.** With EDP you can control which apps can access and use your enterprise data. After adding an app to your **Protected App** list, the app is trusted with enterprise data. All apps that aren’t on this list are blocked from accessing your enterprise network resources and your EDP-protected data.
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
-
-## Current limitations with EDP
-EDP is still in development and is not yet integrated with Azure Rights Management. This means that while you can deploy an EDP-configured policy to a protected device, that protection is restricted to a single user on the device. Additionally, the EDP-protected data must be stored on NTFS, FAT, or ExFAT file systems.
-
-Use the following table to identify the scenarios that require Azure Rights Management, the behavior when Azure Rights Management is not used with EDP, and the recommended workarounds.
-
-|EDP scenario |Without Azure Rights Management |Workaround |
-|-------------|--------------------------------|-----------|
-|Saving enterprise data to USB drives |Data in the new location remains encrypted, but becomes inaccessible on other devices or for other users. For example, the file won't open or the file opens, but doesn't contain readable text. |Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.
-OR-
System Center Configuration Manager
-OR-
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.|
+
+## How WIP works
+WIP helps address your everyday challenges in the enterprise. Including:
+
+- Helping to prevent enterprise data leaks, even on employee-owned devices that can't be locked down.
+
+- Reducing employee frustrations because of restrictive data management policies on enterprise-owned devices.
+
+- Helping to maintain the ownership and control of your enterprise data.
+
+- Helping control the network and data access and data sharing for apps that aren’t enterprise aware
+
+### WIP-protection modes
+You can set WIP to 1 of 4 protection and management modes:
+
+|Mode|Description|
+|----|-----------|
+|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing enterprise data to non-enterprise-protected apps in addition to sharing enterprise data between apps or attempting to share outside of your organization’s network.|
+|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log, accessible through the [Reporting CSP](http://go.microsoft.com/fwlink/p/?LinkID=746459). |
+|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
+|Off |WIP is turned off and doesn't help to protect or audit your data.
For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution.
+
+## Why use WIP?
+WIP gives you a new way to manage data policy enforcement for apps and documents, along with the ability to remove access to enterprise data from both enterprise and personal devices (after enrollment in an enterprise management solution, like Intune).
+
+- **Change the way you think about data policy enforcement.** As an enterprise admin, you need to maintain compliance in your data policy and data access. WIP helps make sure that your enterprise data is protected on both corporate and employee-owned devices, even when the employee isn’t using the device. When employees create content on an enterprise-protected device, they can choose to save it as a work document. If it's a work document, it becomes locally-maintained as enterprise data.
+
+- **Manage your enterprise documents, apps, and encryption modes.**
+
+ - **Copying or downloading enterprise data.** When an employee or an app downloads content from a location like SharePoint, a network share, or an enterprise web location, while using an WIP-protected device, WIP encrypts the data on the device.
+
+ - **Using allowed apps.** Managed apps (apps that you've included on the Allowed Apps list in your WIP policy) are allowed to access your enterprise data and will interact differently when used with unallowed, non-enterprise aware, or personal-only apps. For example, if WIP management is set to **Block**, your employees can copy and paste from one protected app to another allowed app, but not to personal apps. Imagine an HR person wants to copy a job description from an allowed app to the internal career website, an enterprise-protected location, but goofs and tries to paste into a personal app instead. The paste action fails and a notification pops up, saying that the app couldn’t paste because of a policy restriction. The HR person then correctly pastes to the career website without a problem.
+
+ - **Managed apps and restrictions.** With WIP you can control which apps can access and use your enterprise data. After adding an app to your allowed apps list, the app is trusted with enterprise data. All apps not on this list are blocked from accessing your enterprise data, depending on your WIP management-mode.
+
+ You don’t have to modify line-of-business apps that never touch personal data to list them as allowed apps; just include them in the allowed apps list.
+
+ - **Deciding your level of data access.** WIP lets you block, allow overrides, or audit employees' data sharing actions. Blocking the action stops it immediately. Allowing overrides let the employee know there's a risk, but lets him or her continue to share the data while recording and auditing the action. Silent just logs the action without blocking anything that the employee could've overridden while using that setting; collecting info that can help you to see patterns of inappropriate sharing so you can take educative action or find apps that should be added to your allowed apps list.
+
+ - **Data encryption at rest.** WIP helps protect enterprise data on local files and on removable media.
+
+ Apps such as Microsoft Word work with WIP to help continue your data protection across local files and removable media. These apps are being referred to as, enterprise aware. For example, if an employee opens WIP-encrypted content from Word, edits the content, and then tries to save the edited version with a different name, Word automatically applies WIP to the new document.
+
+ - **Helping prevent accidental data disclosure to public spaces.** WIP helps protect your enterprise data from being accidentally shared to public spaces, such as public cloud storage. For example, if Dropbox™ isn’t on your allowed apps list, employees won’t be able to sync encrypted files to their personal cloud storage. Instead, if the employee stores the content to an app on your allowed apps list, like Microsoft OneDrive for Business, the encrypted files can sync freely to the business cloud, while maintaining the encryption locally.
+
+ - **Helping prevent accidental data disclosure to removable media.** WIP helps prevent enterprise data from leaking when it's copied or transferred to removable media. For example, if an employee puts enterprise data on a Universal Serial Bus (USB) drive that also has personal data, the enterprise data remains encrypted while the personal data doesn’t.
+
+- **Remove access to enterprise data from enterprise-protected devices.** WIP gives admins the ability to revoke enterprise data from one or many MDM-enrolled devices, while leaving personal data alone. This is a benefit when an employee leaves your company, or in the case of a stolen device. After determining that the data access needs to be removed, you can use Microsoft Intune to unenroll the device so when it connects to the network, the user's encryption key for the device is revoked and the enterprise data becomes unreadable.
System Center Configuration Manager also allows you to revoke enterprise data. However, it does it by performing a factory reset of the device.
+
+## Next steps
+After deciding to use WIP in your enterprise, you need to:
+
+- [Create a Windows Information Protection (WIP) policy](overview-create-wip-policy.md)
\ No newline at end of file
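Review bot: The "Managed apps and restrictions" bullet states that "All apps not on this list are blocked from accessing your enterprise data, depending on your WIP management-mode", which contradicts the "Deciding your level of data access" bullet two paragraphs later, where an override lets the employee continue and Silent "just logs the action without blocking anything". Suggest saying that unallowed apps are blocked only when the mode is Block, and that in the other modes the action is prompted or logged. The same bullet lists the modes as "block, allow overrides, or audit" and then names the third one "Silent"; use one term throughout. In the "Remove access" bullet, the claim that revocation happens "while leaving personal data alone" should be qualified for the System Center Configuration Manager path, since the next sentence says it performs a factory reset.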
diff --git a/windows/keep-secure/testing-scenarios-for-edp.md b/windows/keep-secure/testing-scenarios-for-edp.md
index e2187af349..3d16ef00df 100644
--- a/windows/keep-secure/testing-scenarios-for-edp.md
+++ b/windows/keep-secure/testing-scenarios-for-edp.md
@@ -1,49 +1,5 @@
---
title: Testing scenarios for enterprise data protection (EDP) (Windows 10)
description: We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company.
-ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2
-keywords: EDP, Enterprise Data Protection
-ms.prod: w10
-ms.mktglfcycl: explore
-ms.sitesec: library
-ms.pagetype: security
-author: eross-msft
----
-
-# Testing scenarios for enterprise data protection (EDP)
-**Applies to:**
-
-- Windows 10 Insider Preview
-- Windows 10 Mobile Preview
-
-[Some information relates to pre-released product, which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]
-
-We've come up with a list of suggested testing scenarios that you can use to test enterprise data protection (EDP) in your company.
-
-## Testing scenarios
-You can try any of the processes included in these scenarios, but you should focus on the ones that you might encounter in your organization.
-
-|Scenario |Processes |
-|---------|----------|
-|Automatically encrypt files from enterprise apps |
|
-|Block enterprise data from non-enterprise apps |
Some file types, like .exe and .dll, along with some file paths, like `%windir%` and `%programfiles%`, are excluded from automatic encryption.
|
-|Copy and paste from enterprise apps to non-enterprise apps |
|
-|Drag and drop from enterprise apps to non-enterprise apps |
|
-|Share between enterprise apps and non-enterprise apps |
|
-|Use the **Encrypt to** functionality |
|
-|Verify that Windows system components can use EDP |
|
-|Use EDP on FAT/exFAT systems |
Most Windows-signed components like Windows Explorer (when running in the user’s context), should have access to enterprise data.
|
-|Use EDP on NTFS systems |
|
-|Unenroll client devices from EDP |
|
-|Verify that app content is protected when a Windows 10 Mobile phone is locked |
Unenrolling a device revokes and erases all of the enterprise data for the managed account.
|
-
-
-
-
-
-
-
-
-
-
-
+redirect_url: https://technet.microsoft.com/itpro/windows/keep-secure/testing-scenarios-for-wip
+---
\ No newline at end of file
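Review bot: The front matter kept above the new `redirect_url` line still carries the old "enterprise data protection (EDP)" title and description, so the stub advertises the retired name while pointing at testing-scenarios-for-wip. Suggest either updating the two retained lines to the WIP wording or dropping them if the redirect makes them unused. The file also now ends on the closing `---` without a trailing newline; add one so later edits to this stub do not show up as a change to that line.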
diff --git a/windows/keep-secure/testing-scenarios-for-wip.md b/windows/keep-secure/testing-scenarios-for-wip.md
new file mode 100644
index 0000000000..125cf80953
--- /dev/null
+++ b/windows/keep-secure/testing-scenarios-for-wip.md
@@ -0,0 +1,36 @@
+---
+title: Testing scenarios for Windows Information Protection (WIP) (Windows 10)
+description: We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
+ms.assetid: 53db29d2-d99d-4db6-b494-90e2b3962ca2
+keywords: WIP, Windows Information Protection, EDP, Enterprise Data Protection
+ms.prod: w10
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+author: eross-msft
+---
+
+# Testing scenarios for Windows Information Protection (WIP)
+**Applies to:**
+
+- Windows 10, version 1607
+- Windows 10 Mobile
+
+We've come up with a list of suggested testing scenarios that you can use to test Windows Information Protection (WIP) in your company.
+
+## Testing scenarios
+You can try any of the processes included in these scenarios, but you should focus on the ones that you might encounter in your organization.
+
+|Scenario |Processes |
+|---------|----------|
+|Automatically encrypt files from enterprise apps |
|
+|Block enterprise data from non-enterprise apps |
Some file types, like .exe and .dll, along with some file paths, like `%windir%` and `%programfiles%`, are excluded from automatic encryption.
|
+|Copy and paste from enterprise apps to non-enterprise apps |
|
+|Drag and drop from enterprise apps to non-enterprise apps |
|
+|Share between enterprise apps and non-enterprise apps |
|
+|Use the **Encrypt to** functionality |
|
+|Verify that Windows system components can use WIP |
|
+|Use WIP on FAT/exFAT systems |
Most Windows-signed components like Windows Explorer (when running in the user’s context), should have access to enterprise data.
|
+|Use WIP on NTFS systems |
|
+|Unenroll client devices from WIP |
|
+|Verify that app content is protected when a Windows 10 Mobile phone is locked |
Unenrolling a device revokes and erases all of the enterprise data for the managed account.
|
\ No newline at end of file
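Review bot: The Processes column in the added table has no steps for any scenario as shown here, and the three notes that are present sit in rows they do not describe: the ".exe and .dll ... excluded from automatic encryption" note is under "Block enterprise data from non-enterprise apps" instead of "Automatically encrypt files from enterprise apps", the Windows Explorer note is under "Use WIP on FAT/exFAT systems" instead of "Verify that Windows system components can use WIP", and the unenrollment note is under the Windows 10 Mobile lock row instead of "Unenroll client devices from WIP". Suggest confirming the table renders with each note in its own scenario row and that every row has at least one testable step with an expected result, since a tester following this page needs to know what a pass looks like for the block, copy/paste and unenroll cases. The file also ends without a trailing newline.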
diff --git a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
index 5f67f61c7a..a53f073958 100644
--- a/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
+++ b/windows/keep-secure/troubleshoot-windows-defender-in-windows-10.md
@@ -1013,8 +1013,8 @@ Result code associated with threat status. Standard HRESULT values.
Description of the error.
+
[Update Windows Store for Business account settings](update-windows-store-for-business-account-settings.md)
The Account information page in Windows Store for Business shows information about your organization that you can update, including: country or region, organization name, default domain, and language preference. These are settings in the Azure AD directory that you used when signing up for Store for Business
The Account information page in Windows Store for Business shows information about your organization that you can update, including: organization information, payment options, and offline licensing settings.
[Manage user accounts in Windows Store for Business](manage-users-and-groups-windows-store-for-business.md)