deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Moved text from table to bullets

Browse Source
This commit is contained in:
Mandi Ohlinger 2021-12-07 16:03:25 -05:00 committed by GitHub
parent b6c7c0c1a2
commit ec06595acb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 128 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

148
windows/security/information-protection/windows-information-protection/limitations-with-wip.md
View File

@ -22,30 +22,134 @@ ms.localizationpriority: medium
**Applies to:**
- Windows 10, version 1607 and later
This table provides info about the most common problems you might encounter while running WIP in your organization.
This following list provides info about the most common problems you might encounter while running WIP in your organization.
|Limitation|How it appears|Workaround|
|--- |--- |--- |
|Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.|**If youre using Azure RMS:** Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.**If youre not using Azure RMS:** Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.|Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.We strongly recommend educating employees about how to limit or eliminate the need for this decryption.|
|Direct Access is incompatible with WIP.|Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isnt a corporate network resource.|We recommend that you use VPN for client access to your intranet resources. <p>**Note** VPN is optional and isnt required by WIP.|
|**NetworkIsolation** Group Policy setting takes precedence over MDM Policy settings.|The **NetworkIsolation** Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured.|If you use both Group Policy and MDM to configure your **NetworkIsolation** settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM.|
|Cortana can potentially allow data leakage if its on the allowed apps list.|If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft.|We dont recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app.|
|WIP is designed for use by a single user per device.|A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled users content can be revoked during the unenrollment process.|We recommend only having one user per managed device.|
|Installers copied from an enterprise network file share might not work properly.|An app might fail to properly install because it cant read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action.|To fix this, you can:<li>Start the installer directly from the file share.<p>-OR-<li>Decrypt the locally copied files needed by the installer.<p>-OR-<li>Mark the file share with the installation media as “personal”. To do this, youll need to set the Enterprise IP ranges as **Authoritative** and then exclude the IP address of the file server, or youll need to put the file server on the Enterprise Proxy Server list.|
|Changing your primary Corporate Identity isnt supported.|You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access.|Turn off WIP for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying.|
|Redirected folders with Client-Side Caching are not compatible with WIP.|Apps might encounter access errors while attempting to read a cached, offline file.|Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.<p>**Note** For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/)". If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/kb/3187045).|
|An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device.|Data copied from the WIP-managed device is marked as **Work**.Data copied to the WIP-managed device is not marked as **Work**.Local **Work** data copied to the WIP-managed device remains **Work** data.**Work** data that is copied between two apps in the same session remains ** data.|Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default.|
|You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.|A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**.|Open File Explorer and change the file ownership to **Personal** before you upload.|
|ActiveX controls should be used with caution.|Webpages that use ActiveX controls can potentially communicate with other outside processes that arent protected by using WIP.|We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.For more info, see [Out-of-date ActiveX control blocking](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).|
|Resilient File System (ReFS) isn't currently supported with WIP.|Trying to save or transfer WIP files to ReFS will fail.|Format drive for NTFS, or use a different drive.|
|WIP isnt turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**:<li>AppDataRoaming<li>Desktop<li>StartMenu<li>Documents<li>Pictures<li>Music<li>Videos<li>Favorites<li>Contacts<li>Downloads<li>Links<li>Searches<li>SavedGames|WIP isnt turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager.|Dont set the **MakeFolderAvailableOfflineDisabled** option to **False** for any of the specified folders. You can configure this parameter, as described [here](/windows-server/storage/folder-redirection/disable-offline-files-on-folders)".If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection)".|
|Only enlightened apps can be managed without device enrollment|If a user enrolls a device for Mobile Application Management (MAM) without device enrollment, only enlightened apps will be managed. This is by design to prevent personal files from being unintentionally encrypted by unenlighted apps. Unenlighted apps that need to access work using MAM need to be re-compiled as LOB apps or managed by using MDM with device enrollment.|If all apps need to be managed, enroll the device for MDM.|
|By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encrypted by one user, other users can't access it.|Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner.|If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it.|
|OneNote notebooks on OneDrive for Business must be properly configured to work with WIP.|OneNote might encounter errors syncing a OneDrive for Business notebook and suggest changing the file ownership to Personal. Attempting to view the notebook in OneNote Online in the browser will show an error and unable to view it.|"OneNote notebooks that are newly copied into the OneDrive for Business folder from File Explorer should get fixed automatically. To do this, follow these steps:<ol><li> Close the notebook in OneNote.<li>Move the notebook folder via File Explorer out of the OneDrive for Business folder to another location, such as the Desktop.<li>Copy the notebook folder and Paste it back into the OneDrive for Business folder.</ol><p>Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the “Open in app” button.|
|Microsoft Office Outlook offline data files (PST and OST files) are not marked as **Work** files, and are therefore not protected.|If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected.|It is recommended to use Microsoft Office Outlook in Online mode, or to use encryption to protect OST and PST files manually.|
- **Limitation**: Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration.
- **How it appears**:
- If youre using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703.
- If youre not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text.
- **Workaround**: Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited.
We strongly recommend educating employees about how to limit or eliminate the need for this decryption.
- **Limitation**: Direct Access is incompatible with WIP.
- **How it appears**: Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isnt a corporate network resource.
- **Workaround**: We recommend that you use VPN for client access to your intranet resources.
> [!NOTE]
> When corporate data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files.
> VPN is optional and isnt required by WIP.
- **Limitation**: **NetworkIsolation** Group Policy setting takes precedence over MDM Policy settings.
- **How it appears**: The **NetworkIsolation** Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured.
- **Workaround**: If you use both Group Policy and MDM to configure your **NetworkIsolation** settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM.
- **Limitation**: Cortana can potentially allow data leakage if its on the allowed apps list.
- **How it appears**: If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft.
- **Workaround**: We dont recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app.
- **Limitation**: WIP is designed for use by a single user per device.
- **How it appears**: A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled users content can be revoked during the unenrollment process.
- **Workaround**: We recommend only having one user per managed device.
- **Limitation**: Installers copied from an enterprise network file share might not work properly.
- **How it appears**: An app might fail to properly install because it cant read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action.
- **Workaround**: To fix this, you can:
- Start the installer directly from the file share.
OR
- Decrypt the locally copied files needed by the installer.
OR
- Mark the file share with the installation media as “personal”. To do this, youll need to set the Enterprise IP ranges as **Authoritative** and then exclude the IP address of the file server, or youll need to put the file server on the Enterprise Proxy Server list.
- **Limitation**: Changing your primary Corporate Identity isnt supported.
- **How it appears**: You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access.
- **Workaround**: Turn off WIP for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying.
- **Limitation**: Redirected folders with Client-Side Caching are not compatible with WIP.
- **How it appears**: Apps might encounter access errors while attempting to read a cached, offline file.
- **Workaround**: Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.
> [!NOTE]
> Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
> For more info about Work Folders and Offline Files, see the [Work Folders and Offline Files support for Windows Information Protection blog](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/)". If you're having trouble opening files offline while using Offline Files and WIP, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip).
- **Limitation**: An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device.
- **How it appears**:
- Data copied from the WIP-managed device is marked as **Work**.
- Data copied to the WIP-managed device is not marked as **Work**.
- Local **Work** data copied to the WIP-managed device remains **Work** data.
- **Work** data that is copied between two apps in the same session remains ** data.
- **Workaround**: Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default.
- **Limitation**: You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.
- **How it appears**: A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**.
- **Workaround**: Open File Explorer and change the file ownership to **Personal** before you upload.
- **Limitation**: ActiveX controls should be used with caution.
- **How it appears**: Webpages that use ActiveX controls can potentially communicate with other outside processes that arent protected by using WIP.
- **Workaround**: We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.
For more info, see [Out-of-date ActiveX control blocking](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).
- **Limitation**: Resilient File System (ReFS) isn't currently supported with WIP.
- **How it appears**:Trying to save or transfer WIP files to ReFS will fail.
- **Workaround**: Format drive for NTFS, or use a different drive.
- **Limitation**: WIP isnt turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**:
- AppDataRoaming
- Desktop
- StartMenu
- Documents
- Pictures
- Music
- Videos
- Favorites
- Contacts
- Downloads
- Links
- Searches
- SavedGames
<br/>
- **How it appears**: WIP isnt turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager.
- **Workaround**: Dont set the **MakeFolderAvailableOfflineDisabled** option to **False** for any of the specified folders. You can configure this parameter, as described [here](/windows-server/storage/folder-redirection/disable-offline-files-on-folders)".
If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline.
For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](/troubleshoot/windows-client/networking/error-open-files-offline-offline-files-wip).
- **Limitation**: Only enlightened apps can be managed without device enrollment
- **How it appears**: If a user enrolls a device for Mobile Application Management (MAM) without device enrollment, only enlightened apps will be managed. This is by design to prevent personal files from being unintentionally encrypted by unenlighted apps.
Unenlighted apps that need to access work using MAM need to be re-compiled as LOB apps or managed by using MDM with device enrollment.
- **Workaround**: If all apps need to be managed, enroll the device for MDM.
- **Limitation**: By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encrypted by one user, other users can't access it.
- **How it appears**: Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner.
- **Workaround**: If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it.
- **Limitation**: OneNote notebooks on OneDrive for Business must be properly configured to work with WIP.
- **How it appears**: OneNote might encounter errors syncing a OneDrive for Business notebook and suggest changing the file ownership to Personal. Attempting to view the notebook in OneNote Online in the browser will show an error and unable to view it.
- **Workaround**: OneNote notebooks that are newly copied into the OneDrive for Business folder from File Explorer should get fixed automatically. To do this, follow these steps:
1. Close the notebook in OneNote.
2. Move the notebook folder via File Explorer out of the OneDrive for Business folder to another location, such as the Desktop.
3. Copy the notebook folder and Paste it back into the OneDrive for Business folder.
Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the “Open in app” button.
- **Limitation**: Microsoft Office Outlook offline data files (PST and OST files) are not marked as **Work** files, and are therefore not protected.
- **How it appears**: If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected.
- **Workaround**: It is recommended to use Microsoft Office Outlook in Online mode, or to use encryption to protect OST and PST files manually.
> [!NOTE]
>
> - When corporate data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files.
>
> - Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).