deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'refs/remotes/origin/master' into jdshrs2

Browse Source
This commit is contained in:
jdeckerMS 2017-05-04 08:56:50 -07:00
commit ee12ba7be7
14 changed files with 95 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
windows/access-protection/credential-guard/credential-guard-requirements.md
View File

@ -25,7 +25,7 @@ For Credential Guard to provide protections, the computers you are protecting mu
## Hardware and software requirements
To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Manager uses:
To provide basic protection against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Guard uses:
- Support for Virtualization-based security (required)
- Secure boot (required)
- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware)

2
windows/configuration/provisioning-packages/provisioning-packages.md
View File

@ -71,7 +71,7 @@ The following table describes settings that you can configure using the wizards
<table><tr><td align="left">**Step**</td><td align="left">**Description**</td><td>**Desktop</br>wizard**</td><td align="center">**Mobile</br>wizard**</td><td>**Kiosk</br>wizard**</td></tr>
<tr><td valign="top">Set up device</td><td valign="top">Assign device name,</br>enter product key to upgrade Windows,</br>configure shared used,</br>remove pre-installed software</td><td align="center" valign="top">![yes](../images/checkmark.png)</td><td align="center" valign="top">![yes](../images/checkmark.png)</br>(Only device name and upgrade key)</td><td align="center" valign="top">![yes](../images/checkmark.png)</td></tr>
<tr><td valign="top">Set up network</td><td valign="top">Connect to a Wi-Fit network</td><td align="center" valign="top">![yes](../images/checkmark.png)</td><td align="center" valign="top">![yes](../images/checkmark.png)</td><td align="center" valign="top">![yes](../images/checkmark.png)</td></tr>
<tr><td valign="top">Set up network</td><td valign="top">Connect to a Wi-Fi network</td><td align="center" valign="top">![yes](../images/checkmark.png)</td><td align="center" valign="top">![yes](../images/checkmark.png)</td><td align="center" valign="top">![yes](../images/checkmark.png)</td></tr>
<tr><td valign="top">Account management</td><td valign="top">Enroll device in Active Directory,</br>enroll device in Azure Active Directory,</br>or create a local administrator account</td><td align="center" valign="top">![yes](../images/checkmark.png)</td><td align="center" valign="top">![no](../images/crossmark.png)</td><td align="center" valign="top">![yes](../images/checkmark.png)</td></tr>
<tr><td valign="top">Bulk Enrollment in Azure AD</td><td valign="top">Enroll device in Azure Active Directory</br></br>Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](https://docs.microsoft.com/azure/active-directory/active-directory-azureadjoin-setup).</td><td align="center" valign="top">![no](../images/crossmark.png)</td><td align="center" valign="top">![yes](../images/checkmark.png)</td><td align="center" valign="top">![no](../images/crossmark.png)</td></tr>
<tr><td valign="top">Add applications</td><td valign="top">Install applications using the provisioning package.</td><td align="center" valign="top">![yes](../images/checkmark.png)</td><td align="center" valign="top">![no](../images/crossmark.png)</td><td align="center" valign="top">![yes](../images/checkmark.png)</td></tr>

26
windows/deployment/update/waas-configure-wufb.md
View File

@ -90,12 +90,6 @@ Starting with version 1703, when configuring pause through policy, a start date
In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date.
With version 1703, pausing through the settings app will provide a more consistent experience:
- Any active restart notification are cleared or closed
- Any pending restarts are canceled
- Any pending update installations are canceled
- Any update installation running when pause is activated will attempt to rollback
>[!IMPORTANT]
>This policy does not apply to Windows 10 Mobile Enterprise.
>
@ -123,6 +117,12 @@ The local group policy editor (GPEdit.msc) will not reflect if your Feature Upda
>[!NOTE]
>If not configured by policy, users can pause feature updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
With version 1703, pausing through the settings app will provide a more consistent experience:
- Any active restart notification are cleared or closed
- Any pending restarts are canceled
- Any pending update installations are canceled
- Any update installation running when pause is activated will attempt to rollback
## Configure when devices receive Quality Updates
Quality Updates are typically published the first Tuesday of every month, though can be released at any time by Microsoft. You can define if, and for how long, you would like to defer receiving Quality Updates following their availability. You can defer receiving these Quality Updates for a period of up to 35 days from their release by setting the **DeferQualityUpdatesPeriodinDays** value.
@ -152,12 +152,6 @@ Starting with version 1703, when configuring pause through policy, a start date
In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date.
With version 1703, pause will provide a more consistent experience:
- Any active restart notification are cleared or closed
- Any pending restarts are canceled
- Any pending update installations are canceled
- Any update installation running when pause is activated will attempt to rollback
>[!IMPORTANT]
>This policy pauses both Feature and Quality Updates on Windows 10 Mobile Enterprise.
@ -183,6 +177,12 @@ The local group policy editor (GPEdit.msc) will not reflect if your Quality Upda
>[!NOTE]
>If not configured by policy, users can pause quality updates, by going to **Settings > Update & security > Windows Update > Advanced options**.
With version 1703, pausing through the settings app will provide a more consistent experience:
- Any active restart notification are cleared or closed
- Any pending restarts are canceled
- Any pending update installations are canceled
- Any update installation running when pause is activated will attempt to rollback
## Exclude drivers from Quality Updates
In Windows 10, starting with version 1607, you can selectively option out of receiving driver update packages as part of your normal quality update cycle. This policy will not pertain to updates to inbox drivers (which will be packaged within a security or critical update) or to Feature Updates, where drivers may be dynamically installed to ensure the Feature Update process can complete.
@ -225,7 +225,7 @@ Below are quick-reference tables of the supported Windows Update for Business po
## Update devices to newer versions
Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. Windows 10, version 1703, is also using a few new GPO and MDM keys than those available in version 1607. However,Windows Update for Business clients running version older versions will still see their policies honored after they update to a newer version; the old policy keys will continue to exist with their values ported forward during the update. Following the update to a newer version, it should be noted that only the old keys will be populated and not the new version keys, until the newer keys are explicitly defined on the device by the administrator.
Due to the changes in the Windows Update for Business feature set, Windows 10, version 1607, uses different GPO and MDM keys than those available in version 1511. Windows 10, version 1703, also uses a few GPO and MDM keys that are different to what's available in version 1607. However, Windows Update for Business clients running version older versions will still see their policies honored after they update to a newer version; the old policy keys will continue to exist with their values ported forward during the update. Following the update to a newer version, it should be noted that only the old keys will be populated and not the new version keys, until the newer keys are explicitly defined on the device by the administrator.
### How older version policies are respected on newer versions

63
windows/deployment/update/waas-manage-updates-wufb.md
View File

@ -36,54 +36,39 @@ Windows Update for Business is a free service that is available for Windows Pro,
Windows Update for Business provides three types of updates to Windows 10 devices:
- **Feature Updates**: previously referred to as *upgrades*, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released at a slower cadence, every 4 to 8 months.
- **Feature Updates**: previously referred to as *upgrades*, Feature Updates contain not only security and quality revisions, but also significant feature additions and changes; they are released semi-anually.
- **Quality Updates**: these are traditional operating system updates, typically released the second Tuesday of each month (though they can be released at any time). These include security, critical, and driver updates. Windows Update for Business also treats non-Windows updates (such as those for Microsoft Office or Visual Studio) as Quality Updates. These non-Windows Updates are known as *Microsoft Updates* and devices can be optionally configured to receive such updates along with their Windows Updates.
- **Non-deferrable updates**: Currently, antimalware and antispyware Definition Updates from Windows Update cannot be deferred.
Both Feature and Quality Updates can be deferred from deploying to client devices by a Windows Update for Business administrator within a bounded range of time from when those updates are first made available on the Windows Update Service. This deferral capability allows administrators to validate deployments as they are pushed to all client devices configured for Windows Update for Business.
<table>
<tr>
<th>Category</th>
<th>Maximum deferral</th>
<th>Deferral increments</th>
<th>Example</th>
<th>Classification GUID</th>
</tr>
<tr>
<td>Feature Updates</td>
<td>180 days</td>
<td>Days</td>
<td>From Windows 10, version 1511 to version 1607</td>
<td>3689BDC8-B205-4AF4-8D4A-A63924C5E9D5</td>
</tr>
<tr>
<td rowspan="4">Quality Updates</td>
<td rowspan="4">30 days</td>
<td rowspan="4">Days</td>
<td>Security updates</td>
<td>0FA1201D-4330-4FA8-8AE9-B877473B6441</td>
</tr>
<tr>
<td>Drivers (optional)</td>
<td>EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0</td>
</tr>
<tr>
<td>Non-security updates</td>
<td>CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83</td>
</tr><tr><td>Microsoft updates (Office, Visual Studio, etc.)</td><td>varies</td></tr>
<tr>
<td>Non-deferrable</td>
<td>No deferral</td>
<td>No deferral</td>
<td>Definition updates</td>
<td>E0789628-CE08-4437-BE74-2495B842F43B</td>
</tr>
</table>
| Category | Maximum deferral | Deferral increments | Example | Classification GUID |
| --- | --- | --- | --- | --- |
| Feature Updates | 365 days | Days | From Windows 10, version 1511 to version 1607 maximum was 180 days</br>In Windows 10, version 1703 maximum is 365 | 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 |
| Quality Updates | 30 days | Days | Security updates</br>Drivers (optional)</br>Non-security updates</br>Microsoft updates (Office,Visual Studio, etc.) | 0FA1201D-4330-4FA8-8AE9-B877473B6441</br>EBFC1FC5-71A4-4F7B-9ACA-3B9A503104A0</br>CD5FFD1E-E932-4E3A-BF74-18BF0B1BBD83</br>varies |
| Non-deferrable | No deferral | No deferral | Definition updates | E0789628-CE08-4437-BE74-2495B842F43B |
>[!NOTE]
>For information about classification GUIDs, see [WSUS Classification GUIDs](https://msdn.microsoft.com/en-us/library/ff357803.aspx).
## Changes to Windows Update for Business in Windows 10, version 1703
### Options added to Settings
We have added a few controls into settings to allow users to control Windows Update for Business through an interface.
- [Configuring the device's branch readiness level](waas-configure-wufb.md#configure-devices-for-current-branch-or-current-branch-for-business), through **Settings > Update & security > Windows Update > Advanced options**
- [Pausing feature updates](waas-configure-wufb.md#pause-feature-updates), through **Settings > Update & security > Window Update > Advanced options**
### Adjusted time periods
We have adjusted the maximum pause period for both quality and feature updates to be 35 days, as opposed to 30 and 60 days previously, respectively.
We have also adjusted the maximum feature update deferral period to be 365 days, as opposed to 180 days previously.
### Additional changes
The pause period is now calculated starting from the set start date. For additional details, see [Pause Feature Updates](waas-configure-wufb.md#pause-feature-updates) and [Pause Quality Updates](waas-configure-wufb.md#pause-quality-updates). Due to that, some policy keys are now named differently. For more information, see [Comparing the version 1607 keys to the version 1703 keys](waas-configure-wufb.md#comparing-the-version-1607-keys-to-the-version-1703-keys).
## Comparing Windows Update for Business in Windows 10, version 1511 and version 1607
Windows Update for Business was first made available in Windows 10, version 1511. In Windows 10, version 1607 (also known as the Anniversary Update), there are several new or changed capabilities provided as well as updated behavior.

2
windows/deployment/update/waas-quick-start.md
View File

@ -36,7 +36,7 @@ Windows 10 gains new functionality with twice-per-year feature update releases.
Each Windows 10 feature update will be serviced with quality updates for 18 months from the date of the feature update release.
Windows 10 Enterprise LTSB is a separate **Long Term Servicing Branch (LTSB)** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
Windows 10 Enterprise LTSB is a separate **Long Term Servicing Channel** version. Each release is supported for a total of 10 years (five years standard support, five years extended support). New releases are expected about every three years.
See [Assign devices to servicing branches for Windows 10 updates](waas-servicing-branches-windows-10-updates.md) for more information.

4
windows/deployment/usmt/usmt-requirements.md
View File

@ -30,6 +30,7 @@ The User State Migration Tool (USMT) 10.0 does not have any explicit RAM or CPU
The following table lists the operating systems supported in USMT.
<table>
<colgroup>
<col width="33%" />
<col width="33%" />
@ -83,7 +84,8 @@ You can migrate a 32-bit operating system to a 64-bit operating system. However,
USMT does not support any of the Windows Server® operating systems, Windows 2000, Windows XP, or any of the starter editions for Windows Vista or Windows 7.
 
USMT for Windows 10 should not be used for migrating from Windows 7 to Windows 8.1. It is meant to migrate to Windows 10.
For more information about previous releases of the USMT tools, see [User State Migration Tool (USMT) 4.0 Users Guide](https://go.microsoft.com/fwlink/p/?LinkId=246564). 
## Windows PE

6
windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
View File

@ -106,7 +106,7 @@ Typically, deployment of Device Guard happens best in phases, rather than being
## Device Guard deployment in virtual machines
Device Guard can protect a Hyper-V virtual machine, just as it would a physical machine. The enablement steps are the same from within the virtual machine.
Device Guard can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable Device Guard are the same from within the virtual machine.
Device Guard protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable Device Guard for a virtual machine:
@ -116,6 +116,10 @@ Device Guard protects against malware running in the guest virtual machine. It d
### Requirements for running Device Guard in Hyper-V virtual machines
- The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10.
- Device Guard and [nested virtualization](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time.
- Virtual Fibre Channel adapters are not compatible with Device Guard. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using Set-VMSecurity.
- The AllowFullSCSICommandSet option for pass-through disks is not compatible with Device Guard. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using Set-VMSecurity.
## Reviewing your applications: application signing and catalog files

9
windows/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
View File

@ -29,6 +29,15 @@ There are some minimum requirements for onboarding your network and endpoints.
You must be on Windows 10, version 1607 at a minimum.
For more information, see [Windows 10 Enterprise edition](https://www.microsoft.com/en-us/WindowsForBusiness/buy).
### Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
- Windows 10 Enterprise E5
- Windows 10 Education E5
- Secure Productive Enterprise E5 (SPE E5) which includes Windows 10 Enterprise E5
For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
### Network and data storage and configuration requirements
When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: either in a European or United States datacenter.

11
windows/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
View File

@ -23,7 +23,16 @@ localizationpriority: high
You need to onboard to Windows Defender ATP before you can use the service.
For more information, see [Onboard your Windows 10 endpoints to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be).
For more information, see [Onboard your Windows 10 endpoints to Windows Defender ATP](https://www.youtube.com/watch?v=JT7VGYfeRlA&feature=youtu.be).
## Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
- Windows 10 Enterprise E5
- Windows 10 Education E5
- Secure Productive Enterprise E5 (SPE E5) which includes Windows 10 Enterprise E5
For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
## In this section
Topic | Description

8
windows/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
View File

@ -260,6 +260,14 @@ If the verification fails and your environment is using a proxy to connect to th
![Image of registry key for Windows Defender](images/atp-disableantispyware-regkey.png)
## Licensing requirements
Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
- Windows 10 Enterprise E5
- Windows 10 Education E5
- Secure Productive Enterprise E5 (SPE E5) which includes Windows 10 Enterprise E5
For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2).
## Related topics

16
windows/threat-protection/windows-information-protection/create-wip-policy-using-intune.md
View File

@ -510,21 +510,21 @@ Optionally, if you dont want everyone in your organization to be able to shar
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic.
## Related topics
- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms)
- [Create and deploy Windows Information Protection (WIP) app protection policy with Intune](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune)
- [Intune MAM Without Enrollment](https://blogs.technet.microsoft.com/configmgrdogs/2016/02/04/intune-mam-without-enrollment/)
- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
- [Deploy your Windows Information Protection (WIP) policy](deploy-wip-policy-using-intune.md)
- [Associate and deploy your Windows Information Protection (WIP) and VPN policies by using Microsoft Intune](create-vpn-and-wip-policy-using-intune.md)
- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms)
- [Create and deploy Windows Information Protection (WIP) app protection policy with Intune and MAM](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune)
- [Intune MAM Without Enrollment](https://blogs.technet.microsoft.com/configmgrdogs/2016/02/04/intune-mam-without-enrollment/)
- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

8
windows/threat-protection/windows-information-protection/create-wip-policy-using-sccm.md
View File

@ -490,13 +490,21 @@ After you've finished configuring your policy, you can review all of your info o
## Deploy the WIP policy
After youve created your WIP policy, you'll need to deploy it to your organization's devices. For info about your deployment options, see these topics:
- [Operations and Maintenance for Compliance Settings in Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=708224)
- [How to Create Configuration Baselines for Compliance Settings in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708225)
- [How to Deploy Configuration Baselines in Configuration Manager]( https://go.microsoft.com/fwlink/p/?LinkId=708226)
## Related topics
- [System Center Configuration Manager and Endpoint Protection (Version 1606)](https://go.microsoft.com/fwlink/p/?LinkId=717372)
- [TechNet documentation for Configuration Manager](https://go.microsoft.com/fwlink/p/?LinkId=691623)
- [Manage mobile devices with Configuration Manager and Microsoft Intune](https://go.microsoft.com/fwlink/p/?LinkId=691624)
- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

2
windows/threat-protection/windows-information-protection/mandatory-settings-for-wip.md
View File

@ -24,7 +24,7 @@ This list provides all of the tasks and settings that are required for the opera
|Task|Description|
|----|-----------|
|Add at least one app to the **Allowed apps** list in your WIP policy.|You must have at least one app added to your **Allowed apps** list. For more info about where this area is and how to add apps, see the **Add apps to your Allowed apps list** section of the policy creation topics.|
|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Hide Overrides**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics.|
|Choose your WIP protection level.|You must choose the level of protection you want to apply to your WIP-protected content, including **Allow Overrides**, **Silent**, or **Hide Overrides**. For more info about where this area is and how to decide on your protection level, see the **Manage the WIP protection mode for your enterprise data** section of the policy creation topics. For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).|
|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if its incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
|Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|

3
windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip.md
View File

@ -132,6 +132,9 @@ You can set your WIP policy to use 1 of 4 protection and management modes:
|Silent |WIP runs silently, logging inappropriate data sharing, without stopping anything that wouldve been prompted for employee interaction while in Allow overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped.|
|Off |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isnt automatically reapplied if you turn WIP protection back on.<p>**Note**<br>For more info about setting your WIP-protection modes, see either [Create a Windows Information Protection (WIP) policy using Intune](create-wip-policy-using-intune.md) or [Create and deploy a Windows Information Protection (WIP) policy using Configuration Manager](create-wip-policy-using-sccm.md), depending on your management solution. |
>[!NOTE]
>For info about how to collect your audit logs, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
## Turn off WIP
You can turn off all Windows Information Protection and restrictions, decrypting all devices managed by WIP and reverting to where you were pre-WIP, with no data loss. However, this isnt recommended. If you choose to turn WIP off, you can always turn it back on, but your decryption and policy info wont be automatically reapplied.