deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-13 13:57:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://cpubwin.visualstudio.com/_git/it-client into fudgel

Browse Source
This commit is contained in:
Patti Short 2018-05-31 07:21:05 -07:00
commit f5445fcd5c
52 changed files with 292 additions and 232 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
education/index.md
View File

@ -447,7 +447,7 @@ ms.date: 10/30/2017
</div>
</li>
<li>
<a href="https://www.mepn.com" target="_blank">
<a href="https://partner.microsoft.com/solutions/education" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -457,8 +457,8 @@ ms.date: 10/30/2017
</div>
</div>
<div class="cardText">
<h3>Microsoft Education Partner Network</h3>
<p>Find out the latest news and announcements for Microsoft Education partners.</p>
<h3>Microsoft Partner Network</h3>
<p>Discover the latest news and resources for Microsoft Education products, solutions, licensing, and readiness.</p>
</div>
</div>
</div>
@ -466,7 +466,7 @@ ms.date: 10/30/2017
</a>
</li>
<li>
<a href="https://www.mepn.com/MEPN/AEPHome.aspx" target="_blank">
<a href="https://www.mepn.com" target="_blank">
<div class="cardSize">
<div class="cardPadding">
<div class="card">
@ -476,8 +476,8 @@ ms.date: 10/30/2017
</div>
</div>
<div class="cardText">
<h3>Authorized Education Partner (AEP) home page</h3>
<p>Access the essentials and find out what it takes to become an AEP.</p>
<h3>Authorized Education Partner (AEP) program</h3>
<p>Become authorized to purchase and resell academic priced offers and products to Qualified Educational Users (QEU).</p>
</div>
</div>
</div>

3
windows/configuration/change-history-for-configure-windows-10.md
View File

@ -10,7 +10,7 @@ ms.localizationpriority: high
author: jdeckerms
ms.author: jdecker
ms.topic: article
ms.date: 05/25/2018
ms.date: 05/31/2018
---
# Change history for Configure Windows 10
@ -23,6 +23,7 @@ New or changed topic | Description
--- | ---
[Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Added note that Wi-Fi Sense is no longer available.
Topics about Windows 10 diagnostic data | Moved to [Windows Privacy](https://docs.microsoft.com/windows/privacy/).
[Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | Added information on Kiosk Browser settings and URL filtering.
[Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Added details of event log entries to check for when customization is not applied as expected.
[Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) | Added Active Directory domain account to provisioning method.

74
windows/configuration/guidelines-for-assigned-access-app.md
View File

@ -9,7 +9,7 @@ author: jdeckerms
ms.localizationpriority: high
ms.author: jdecker
ms.topic: article
ms.date: 04/30/2018
ms.date: 05/31/2018
---
# Guidelines for choosing an app for assigned access (kiosk mode)
@ -45,8 +45,6 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t
In Windows 10, version 1803, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but arent allowed to go to a competitor's website.
>[!NOTE]
>Kiosk Browser app is coming soon to Microsoft Store for Business.
**Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education).
@ -54,6 +52,76 @@ In Windows 10, version 1803, you can install the **Kiosk Browser** app from Micr
2. [Deploy **Kiosk Browser** to kiosk devices.](https://docs.microsoft.com/microsoft-store/distribute-offline-apps)
3. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](provisioning-packages/provisioning-create-package.md).
>[!NOTE]
>If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE).
#### Kiosk Browser settings
Kiosk Browser settings | Use this setting to
--- | ---
Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.<br><br>For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs.
Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.<br><br>If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list.
Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL.
Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL.
Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL.
Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser.
Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction.
>[!TIP]
>To enable the **End Session** button for Kiosk Browser in Intune, you must [create a custom OMA-URI policy](https://docs.microsoft.com/intune/custom-settings-windows-10) with the following information:
>- OMA-URI: ./Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton
>- Data type: Integer
>- Value: 1
#### Rules for URLs in Kiosk Browser settings
Kiosk Browser filtering rules are based on the [Chromium Project](https://www.chromium.org/Home).
URLs can include:
- A valid port value from 1 to 65,535.
- The path to the resource.
- Query parameters.
Additional guidelines for URLs:
- If a period precedes the host, the policy filters exact host matches only.
- You cannot use user:pass fields.
- When both blocked URL and blocked URL exceptions apply with the same path length, the exception takes precedence.
- The policy searches wildcards (*) last.
- The optional query is a set of key-value and key-only tokens delimited by '&'.
- Key-value tokens are separated by '='.
- A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching.
### Examples of blocked URLs and exceptions
The following table describes the results for different combinations of blocked URLs and blocked URL exceptions.
Blocked URL rule | Block URL exception rule | Result
--- | --- | ---
`*` | `contoso.com`<br>`fabrikam.com` | All requests are blocked unless it is to contoso.com, fabrikam.com, or any of their subdomains.
`contoso.com` | `mail.contoso.com`<br>`.contoso.com`<br>`.www.contoso.com` | Block all requests to contoso.com, except for the main page and its mail subdomain.
`youtube.com` | `youtube.com/watch?v=v1`<br>`youtube.com/watch?v=v2` | Blocks all access to youtube.com except for the specified videos (v1 and v2).
The following table gives examples for blocked URLs.
Entry | Result
--- | ---
`contoso.com` | Blocks all requests to contoso.com, www.contoso.com, and sub.www.contoso.com
`https://*` | Blocks all HTTPS requests to any domain.
`mail.contoso.com` | Blocks requests to mail.contoso.com but not to www.contoso.com or contoso.com
<<<<<<< HEAD
`.contoso.com` | Blocks contoso.com but not its subdomains, like subdomain.contoso.com.
=======
`.contoso.com` | Blocks contoso.com but not its subdomains, like contoso.com/docs.
>>>>>>> refs/remotes/origin/master
`.www.contoso.com` | Blocks www.contoso.com but not its subdomains.
`*` | Blocks all requests except for URLs in the Blocked URL Exceptions list.
`*:8080` | Blocks all requests to port 8080.
`contoso.com/stuff` | Blocks all requests to contoso.com/stuff and its subdomains.
`192.168.1.2` | Blocks requests to 192.168.1.2.
`youtube.com/watch?v=V1` | Blocks youtube video with id V1.
### Other browsers
>[!NOTE]

2
windows/configuration/setup-kiosk-digital-signage.md
View File

@ -38,7 +38,7 @@ Some desktop devices in an enterprise serve a special purpose, such as a PC in t
>[!WARNING]
>For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account.
>
>Assigned access can be configured via Windows Mangement Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
>Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
**Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home.

1
windows/deployment/TOC.md
View File

@ -213,6 +213,7 @@
## [Update Windows 10](update/index.md)
### [Quick guide to Windows as a service](update/waas-quick-start.md)
#### [Servicing stack updates](update/servicing-stack-updates.md)
### [Overview of Windows as a service](update/waas-overview.md)
### [Prepare servicing strategy for Windows 10 updates](update/waas-servicing-strategy-windows-10-updates.md)
### [Build deployment rings for Windows 10 updates](update/waas-deployment-rings-windows-10-updates.md)

2
windows/deployment/deploy-enterprise-licenses.md
View File

@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
localizationpriority: high
ms.sitesec: library
ms.pagetype: mdt
ms.date: 10/18/2017
ms.date: 05/25/2018
author: greg-lindsay
---

39
windows/deployment/update/servicing-stack-updates.md Normal file
View File

@ -0,0 +1,39 @@
---
title: Servicing stack updates (Windows 10)
description: Servicing stack updates improve the code that installs the other updates.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
author: Jaimeo
ms.localizationpriority: high
ms.author: jaimeo
ms.date: 05/29/2018
---
# Servicing stack updates
**Applies to**
- Windows 10
## What is a servicing stack update?
The "servicing stack" is the code that installs other operating system updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.
## Why should servicing stack updates be installed and kept up to date?
Having the latest servicing stack update is a prerequisite to reliably installing the latest quality updates and feature updates.
## When are they released?
Currently, the servicing stack update releases are aligned with the monthly quality update release date, though sometimes they are released on a separate date if required.
## Is there any special guidance?
Typically, the improvements are reliability, security, and performance improvements that do not require any specific special guidance. If there is any significant impact, it will be present in the release notes.
## Installation notes
• Servicing stack updates contain the full servicing stack; as a result, typically administrators only need to install the latest servicing stack update for the operating system.
• Installing servicing stack update does not require restarting the device, so installation should not be disruptive.
• Servicing stack update releases are specific to the operating system version (build number), much like quality updates.

4
windows/deployment/update/waas-quick-start.md
View File

@ -7,7 +7,7 @@ ms.sitesec: library
author: Jaimeo
ms.localizationpriority: high
ms.author: jaimeo
ms.date: 02/09/2018
ms.date: 05/29/2018
---
# Quick guide to Windows as a service
@ -25,7 +25,7 @@ Windows as a service is a new concept, introduced with the release of Windows 10
Some new terms have been introduced as part of Windows as a service, so you should know what these terms mean.
- **Feature updates** will be released twice per year, around March and September. As the name suggests, these will add new features to Windows 10, delivered in bite-sized chunks compared to the previous practice of Windows releases every 3-5 years.
- **Quality updates** are released monthly, delivering both security and non-security fixes. These are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update.
- **Quality updates** deliver both security and non-security fixes. They are typically released on the second Tuesday of each month ("Patch Tuesday"), though they can be released at any time. Quality updates include security updates, critical updates, servicing stack updates, and driver updates. Quality updates are cumulative, so installing the latest quality update is sufficient to get all the available fixes for a specific Windows 10 feature update. The "servicing stack" is the code that installs other updates, so they are important to keep current. For more information, see [Servicing stack updates](servicing-stack-updates.md).
- **Insider Preview** builds are made available during the development of the features that will be shipped in the next feature update, enabling organizations to validate new features as well as compatibility with existing apps and infrastructure, providing feedback to Microsoft on any issues encountered.
- **Servicing channels** allow organizations to choose when to deploy new features.
- The **Semi-Annual Channel** receives feature updates twice per year.

84
windows/deployment/upgrade/windows-10-upgrade-paths.md
View File

@ -7,7 +7,7 @@ ms.sitesec: library
ms.localizationpriority: high
ms.pagetype: mobile
author: greg-lindsay
ms.date: 05/18/2018
ms.date: 05/29/2018
---
# Windows 10 upgrade paths
@ -28,6 +28,8 @@ This topic provides a summary of available upgrade paths to Windows 10. You can
>**Windows N/KN**: Windows "N" and "KN" SKUs follow the same upgrade paths shown below. If the pre-upgrade and post-upgrade editions are not the same type (e.g. Windows 8.1 Pro N to Windows 10 Pro), personal data will be kept but applications and settings will be removed during the upgrade process.
>**Windows 8.0**: You cannot upgrade directly from Windows 8.0 to Windows 10. To upgrade from Windows 8.0, you must first install the [Windows 8.1 update](https://support.microsoft.com/help/15356/windows-8-install-update-kb-2919355).
✔ = Full upgrade is supported including personal data, settings, and applications.<BR>
D = Edition downgrade; personal data is maintained, applications and settings are removed.
@ -114,86 +116,6 @@ D = Edition downgrade; personal data is maintained, applications and settings ar
<td></td>
<td></td>
</tr>
<tr>
<td rowspan="8" nowrap="nowrap">Windows 8</td>
</tr>
<tr>
<td>(Core)</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Professional</td>
<td>D</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Professional WMC</td>
<td>D</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Enterprise</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Embedded Industry</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Windows RT</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td>Windows Phone 8</td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
<td></td>
</tr>
<tr>
<td rowspan="10" nowrap="nowrap">Windows 8.1</td>
</tr>

4
windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
View File

@ -36,7 +36,7 @@ You can learn more about Windows functional and diagnostic data through these ar
# Common data extensions
## Common data extensions
### Common Data Extensions.App
@ -346,7 +346,7 @@ The following fields are available:
- **Programids** The unique program identifier the driver is associated with.
## Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
This event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent.

4
windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md
View File

@ -13,11 +13,11 @@ ms.author: jaimeo
---
# Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics
# Windows 10 enhanced diagnostic data events and fields used by Windows Analytics
**Applies to**
- Windows 10, version 1709 and later
- Windows 10, version 1709 and newer
Windows Analytics Device Health reports are powered by diagnostic data not included in the Basic level. This includes crash reports and certain OS diagnostic data events. Organizations sending Enhanced or Full level diagnostic data were able to participate in Device Health, but some organizations which required detailed event and field level documentation were unable to move from Basic to Enhanced.

11
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -1409,6 +1409,7 @@ To turn off **Let apps automatically share and sync info with wireless devices t
- **1**. Force allow
- **2**. Force deny
-or-
- Create a REG\_DWORD registry setting named **LetAppsSyncWithDevices** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
@ -1423,6 +1424,16 @@ To turn off **Let your apps use your trusted devices (hardware you've already co
- Set the **Select a setting** box to **Force Deny**.
-or-
- Apply the **Privacy/LetAppsAccessTrustedDevices** MDM policy from the [Policy CSP](/windows/client-management/mdm/policy-csp-privacy.md#privacy-letappsaccesstrusteddevices
), where:
- **0**. User in control
- **1**. Force allow
- **2**. Force deny
### <a href="" id="bkmk-priv-feedback"></a>17.16 Feedback & diagnostics
In the **Feedback & Diagnostics** area, you can choose how often you're asked for feedback and how much diagnostic and usage information is sent to Microsoft.

2
windows/security/identity-protection/access-control/security-identifiers.md
View File

@ -215,7 +215,7 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID
| S-1-5-*domain*-520| Group Policy Creator Owners| A global group that is authorized to create new Group Policy Objects in Active Directory. By default, the only member of the group is Administrator.<br/>Objects that are created by members of Group Policy Creator Owners are owned by the individual user who creates them. In this way, the Group Policy Creator Owners group is unlike other administrative groups (such as Administrators and Domain Admins). Objects that are created by members of these groups are owned by the group rather than by the individual.|
| S-1-5-*domain*-553| RAS and IAS Servers| A local domain group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically.<br/>Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.|
| S-1-5-32-544 | Administrators| A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.|
| Users | S-1-5-32-545| A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.|
| S-1-5-32-545 | Users| A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.|
| S-1-5-32-546 | Guests| A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.|
| S-1-5-32-547 | Power Users| A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares. |
| S-1-5-32-548| Account Operators| A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.|

6
windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md
View File

@ -6,9 +6,9 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.pagetype: security
ms.sitesec: library
author: eross-msft
ms.author: justinha
ms.date: 05/30/2018
ms.localizationpriority: medium
ms.date: 09/11/2017
---
# Unenlightened and enlightened app behavior while using Windows Information Protection (WIP)
@ -31,7 +31,7 @@ We strongly suggest that the only unenlightened apps you add to your allowed app
>After revoking WIP, unenlightened apps will have to be uninstalled and re-installed since their settings files will remain encrypted.
>[!Note]
>For more info about creating enlightened apps, see the [Windows Information Protection (WIP)](https://msdn.microsoft.com/en-us/windows/uwp/enterprise/wip-hub) topic in the Windows Dev Center.
>For more info about creating enlightened apps, see the [Windows Information Protection (WIP)](https://msdn.microsoft.com/windows/uwp/enterprise/wip-hub) topic in the Windows Dev Center.
## Unenlightened app behavior
This table includes info about how unenlightened apps might behave, based on your Windows Information Protection (WIP) networking policies, your app configuration, and potentially whether the app connects to network resources directly by using IP addresses or by using hostnames.

6
windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
View File

@ -6,9 +6,9 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: justinha
ms.date: 05/30/2018
ms.localizationpriority: medium
ms.date: 09/11/2017
---
# Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune
@ -24,7 +24,7 @@ Follow these steps to associate your WIP policy with your organization's existin
**To associate your policies**
1. Create your VPN profile. For info about how to do this, see [How to configure VPN settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune-azure/configure-devices/how-to-configure-vpn-settings) and [How to create custom VPN profiles in Microsoft Intune](https://docs.microsoft.com/en-us/intune-azure/configure-devices/create-custom-vpn-profiles#create-a-custom-configuration).
1. Create your VPN profile. For info about how to do this, see [How to configure VPN settings in Microsoft Intune](https://docs.microsoft.com/intune-azure/configure-devices/how-to-configure-vpn-settings) and [How to create custom VPN profiles in Microsoft Intune](https://docs.microsoft.com/intune-azure/configure-devices/create-custom-vpn-profiles#create-a-custom-configuration).
2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**.

30
windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
View File

@ -6,8 +6,9 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: justinha
ms.localizationpriority: medium
ms.date: 05/09/2018
ms.date: 05/30/2018
---
# Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune
@ -19,10 +20,13 @@ ms.date: 05/09/2018
Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network.
>[!Important]
>This topic covers creating a Windows Information Protection (WIP) policy for organizations already managing devices by using Mobile Device Management (MDM) solutions. If your organization uses a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without managing devices, you must follow the instructions in the [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md) topic.
>If the same user and device are targeted for both MDM policy and MAM-only (without device enrollment) policy, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined, the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**.
>Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access.
## Alternative steps if you use MAM only (without device enrollment)
This topic covers creating a Windows Information Protection (WIP) policy for organizations already managing devices by using Mobile Device Management (MDM) solutions. If your organization uses a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without managing devices, see [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md).
If the same user and device are targeted for both MDM policy and MAM-only (without device enrollment) policy, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**.
Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access.
## Add a WIP policy
Follow these steps to add a WIP policy using Intune.
@ -48,7 +52,7 @@ Follow these steps to add a WIP policy using Intune.
![Add a mobile app policy](images/add-a-mobile-app-policy.png)
>[!Important]
>Choosing **With enrollment** only applies for organizations using MDM. If you're using MAM only (without device enrollment), you must use these instructions instead: [Create and deploy Windows Information Protection (WIP) app protection policy with Intune](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune).
>Choosing **With enrollment** only applies for organizations using MDM. If you're using MAM only (without device enrollment), see [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md).
4. Click **Protected apps** and then click **Add apps**.
@ -84,7 +88,7 @@ If you don't know the Store app publisher or product name, you can find them for
1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Power BI Mobile App*.
2. Copy the ID value from the app URL. For example, the Power BI Mobile App ID URL is https://www.microsoft.com/en-us/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`.
2. Copy the ID value from the app URL. For example, the Power BI Mobile App ID URL is https://www.microsoft.com/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`.
3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata, where `9nblgggzlxn1` is replaced with your ID value.
@ -375,7 +379,7 @@ There are no default locations included with WIP, you must add each of your netw
<tr>
<td>Cloud Resources</td>
<td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<br><br><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<br><br>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<br><br>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<br><br><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows cant tell whether its attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.<br><br>When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the <strong>Domain joined or marked as compliant</strong> option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<br><br>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<br><br>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<br><br><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows cant tell whether its attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.<br><br>When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the <strong>Domain joined or marked as compliant</strong> option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.</td>
</tr>
<tr>
<td>Protected domains</td>
@ -428,7 +432,7 @@ There are no default locations included with WIP, you must add each of your netw
After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees local device drive. If somehow the employees local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data.
>[!Important]
>Using a DRA certificate isnt mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate) topic.
>Using a DRA certificate isnt mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://docs.microsoft.com/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate) topic.
**To upload your DRA certificate**
1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears.
@ -473,7 +477,7 @@ After you've decided where your protected apps can access enterprise data on you
- **Off, or not configured.** Stops using Azure Rights Management encryption with WIP.
## Choose to set up Azure Rights Management with WIP
WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up.
WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up.
To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703.
@ -483,7 +487,7 @@ Optionally, if you dont want everyone in your organization to be able to shar
>Curly braces -- {} -- are required around the RMS Template ID.
>[!NOTE]
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic.
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic.
## Related topics
- [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md)
@ -494,9 +498,9 @@ Optionally, if you dont want everyone in your organization to be able to shar
- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)
- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms)
- [What is Azure Rights Management?]( https://docs.microsoft.com/information-protection/understand-explore/what-is-azure-rms)
- [Create and deploy Windows Information Protection (WIP) app protection policy with Intune and MAM](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune)
- [Create and deploy Windows Information Protection (WIP) app protection policy with Intune and MAM](https://docs.microsoft.com/intune/deploy-use/create-windows-information-protection-policy-with-intune)
- [Intune MAM Without Enrollment](https://blogs.technet.microsoft.com/configmgrdogs/2016/02/04/intune-mam-without-enrollment/)

12
windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md
View File

@ -6,9 +6,9 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: justinha
ms.date: 05/30/2018
ms.localizationpriority: medium
ms.date: 10/16/2017
---
# Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune
@ -359,7 +359,7 @@ There are no default locations included with WIP, you must add each of your netw
<tr>
<td>Enterprise Cloud Resources</td>
<td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<p><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows cant tell whether its attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.<p>When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the <strong>Domain joined or marked as compliant</strong> option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<p>For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.<p>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows cant tell whether its attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.<p>When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the <strong>Domain joined or marked as compliant</strong> option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.</td>
</tr>
<tr>
<td>Enterprise Network Domain Names (Required)</td>
@ -414,7 +414,7 @@ There are no default locations included with WIP, you must add each of your netw
For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md).
## Choose to set up Azure Rights Management with WIP
WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up.
WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up.
To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703.
@ -424,7 +424,7 @@ Optionally, if you dont want everyone in your organization to be able to shar
>Curly braces -- {} -- are required around the RMS Template ID.
>[!NOTE]
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic.
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic.
## Choose your optional WIP-related settings
After you've decided where your protected apps can access enterprise data on your network, youll be asked to decide if you want to add any optional WIP settings.
@ -475,7 +475,7 @@ After you've decided where your protected apps can access enterprise data on you
- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/)
- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms)
- [What is Azure Rights Management?]( https://docs.microsoft.com/information-protection/understand-explore/what-is-azure-rms)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

33
windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md
View File

@ -6,8 +6,8 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: lizross
ms.date: 10/13/2017
ms.author: justinha
ms.date: 05/30/2018
localizationpriority: medium
---
@ -26,15 +26,18 @@ By using Microsoft Intune with Mobile application management (MAM), organization
- Remove enterprise data from employee's devices
- Report on mobile app inventory and track usage
>[!NOTE]
>This topic covers creating a Windows Information Protection (WIP) policy for organizations using a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without device enrollment. If you are already managing devices by using a Mobile Device Management (MDM) solution, you must follow the instructions in the [Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md) topic.
>If the same user and device are targeted for both MAM-only (without device enrollment) policy and MDM policy, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined, the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**.
>Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access.
## Alternative steps if you already manage devices with MDM
This topic covers creating a Windows Information Protection (WIP) policy for organizations using a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without device enrollment. If you are already managing devices by using a Mobile Device Management (MDM) solution, see [Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md).
If the same user and device are targeted for both MAM-only (without device enrollment) policy and MDM policy, the MDM policy (with device enrollement) will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**.
Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access.
## Prerequisites to using MAM with Windows Information Protection (WIP)
Before you can create your WIP policy with MAM, you must first set up your MAM provider. For more info about how to do this, see the [Get ready to configure app protection policies for Windows 10](https://docs.microsoft.com/en-us/intune-classic/deploy-use/get-ready-to-configure-app-protection-policies-for-windows-10) topic.
Before you can create your WIP policy with MAM, you need to [set up your MAM provider](https://docs.microsoft.com/intune-classic/deploy-use/get-ready-to-configure-app-protection-policies-for-windows-10).
Additionally, you must have an [Azure AD Premium license](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-what-is) and be running at least Windows 10, version 1703 on your device.
Additionally, you must have an [Azure AD Premium license](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-what-is) and be running at least Windows 10, version 1703 on your device.
>[!Important]
>WIP doesn't support multi-identity. Only one managed identity can exist at a time.
@ -64,7 +67,7 @@ After youve set up Intune for your organization, you must create a WIP-specif
![Microsoft Intune management console: Create your new policy in the Add a policy blade](images/wip-azure-add-policy.png)
>[!Important]
>Choosing **Without enrollment** only applies for organizations using MAM. If you're using MDM, you must use these instructions, [Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md), instead.
>Choosing **Without enrollment** only applies for organizations using MAM. If you're using MDM, see [Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md).
4. Click **Create**.
@ -134,7 +137,7 @@ If you don't know the publisher or product name for your Store app, you can find
**To find the publisher and product name values for Store apps without installing them**
1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft Power BI*.
2. Copy the ID value from the app URL. For example, Microsoft Power BI ID URL is https://www.microsoft.com/en-us/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`.
2. Copy the ID value from the app URL. For example, Microsoft Power BI ID URL is https://www.microsoft.com/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`.
3. In a browser, run the Microsoft Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata, where `9nblgggzlxn1` is replaced with your ID value.
@ -447,7 +450,7 @@ There are no default locations included with WIP, you must add each of your netw
<tr>
<td>Cloud Resources</td>
<td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<br><br><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<br><br>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<br><br>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<br><br><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows cant tell whether its attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.<br><br>When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the <strong>Domain joined or marked as compliant</strong> option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.</td>
<td>Specify the cloud resources to be treated as corporate and protected by WIP.<br><br>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<br><br>If you have multiple resources, you must separate them using the "|" delimiter. If you dont use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<br><br><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows cant tell whether its attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.<br><br>When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the <strong>Domain joined or marked as compliant</strong> option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.</td>
</tr>
<tr>
<td>Network domain names</td>
@ -552,7 +555,7 @@ After you've decided where your protected apps can access enterprise data on you
- **MDM discovery URL.** Lets the **Windows Settings** > **Accounts** > **Access work or school** sign-in offer an **Upgrade to MDM** link. Additionally, this lets you switch to another MDM provider, so that Microsoft Intune can manage MAM, while the new MDM provider manages the MDM devices. By default, this is specified to use Microsoft Intune.
#### Choose to set up Azure Rights Management with WIP
WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up.
WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up.
To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703.
@ -562,7 +565,7 @@ Optionally, if you dont want everyone in your organization to be able to shar
>Curly braces -- {} -- are required around the RMS Template ID.
>[!NOTE]
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic.
>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic.
### Choose whether to use and configure Windows Hello for Business
You can turn on Windows Hello for Business, letting your employees use it as a sign-in method for their devices.
@ -645,11 +648,11 @@ After youve created your policy, you'll need to deploy it to your employees.
## Related topics
- [Implement server-side support for mobile application management on Windows](https://docs.microsoft.com/en-us/windows/client-management/mdm/implement-server-side-mobile-application-management)
- [Implement server-side support for mobile application management on Windows](https://docs.microsoft.com/windows/client-management/mdm/implement-server-side-mobile-application-management)
- [Microsoft Intune - Mobile Application Management (MAM) standalone blog post](https://blogs.technet.microsoft.com/cbernier/2016/01/05/microsoft-intune-mobile-application-management-mam-standalone/)
- [MAM-supported apps](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune-apps)
- [MAM-supported apps](https://www.microsoft.com/cloud-platform/microsoft-intune-apps)
- [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md)

4
windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.localizationpriority: medium
ms.date: 09/11/2017
ms.date: 05/30/2018
---
# List of enlightened Microsoft apps for use with Windows Information Protection (WIP)
@ -93,6 +93,8 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
|Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** notepad.exe<br>**App Type:** Desktop app |
|Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** mspaint.exe<br>**App Type:** Desktop app |
|Microsoft Remote Desktop |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** mstsc.exe<br>**App Type:** Desktop app |
|Microsoft MAPI Repair Tool |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`<br>**Binary Name:** fixmapi.exe<br>**App Type:** Desktop app |
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

10
windows/security/information-protection/windows-information-protection/limitations-with-wip.md
View File

@ -7,8 +7,8 @@ ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: lizross
ms.date: 10/26/2017
ms.author: justinha
ms.date: 05/30/2018
ms.localizationpriority: medium
---
@ -69,7 +69,7 @@ This table provides info about the most common problems you might encounter whil
<tr>
<td>Redirected folders with Client Side Caching are not compatible with WIP.</td>
<td>Apps might encounter access errors while attempting to read a cached, offline file.</td>
<td>Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.<br><br><strong>Note</strong><br>For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/kb/3187045).</td>
<td>Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.<br><br><strong>Note</strong><br>For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/kb/3187045).</td>
</tr>
<tr>
<td>You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.</td>
@ -79,7 +79,7 @@ This table provides info about the most common problems you might encounter whil
<tr>
<td>ActiveX controls should be used with caution.</td>
<td>Webpages that use ActiveX controls can potentially communicate with other outside processes that arent protected by using WIP.</td>
<td>We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.<br><br>For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).</td>
<td>We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.<br><br>For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).</td>
</tr>
<tr>
<td>Resilient File System (ReFS) isn't currently supported with WIP.</td>
@ -105,7 +105,7 @@ This table provides info about the most common problems you might encounter whil
</ul>
</td>
<td>WIP isnt turned on for employees in your organization.</td>
<td>Dont set the <strong>MakeFolderAvailableOfflineDisabled</strong> option to <strong>False</strong> for any of the specified folders.<br><br>If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection).
<td>Dont set the <strong>MakeFolderAvailableOfflineDisabled</strong> option to <strong>False</strong> for any of the specified folders.<br><br>If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection).
</td>
</tr>
</table>

6
windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md
View File

@ -6,9 +6,9 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: justinha
ms.date: 05/30/2018
ms.localizationpriority: medium
ms.date: 09/11/2017
---
# Mandatory tasks and settings required to turn on Windows Information Protection (WIP)
@ -29,7 +29,7 @@ This list provides all of the tasks and settings that are required for the opera
|Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if its incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics.
|Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.|
|Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.<br><br>Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.|
|Include your Data Recovery Agent (DRA) certificate.|Starting with Windows 10, version 1703, this field is optional. But we strongly recommend that you add a certificate.<br><br>This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/create-and-verify-an-efs-dra-certificate) topic.|
|Include your Data Recovery Agent (DRA) certificate.|Starting with Windows 10, version 1703, this field is optional. But we strongly recommend that you add a certificate.<br><br>This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://technet.microsoft.com/itpro/windows/keep-secure/create-and-verify-an-efs-dra-certificate) topic.|
>[!NOTE]

8
windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
View File

@ -7,9 +7,9 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: coreyp-at-msft
ms.author: justinha
ms.date: 05/30/2018
ms.localizationpriority: medium
ms.date: 09/11/2017
---
# Protect your enterprise data using Windows Information Protection (WIP)
@ -18,7 +18,7 @@ ms.date: 09/11/2017
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
With the increase of employee-owned devices in the enterprise, theres also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprises control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage.
@ -29,7 +29,7 @@ Youll need this software to run WIP in your enterprise:
|Operating system | Management solution |
|-----------------|---------------------|
|Windows 10, version 1607 or later | Microsoft Intune<br><br>-OR-<br><br>System Center Configuration Manager<br><br>-OR-<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.|
|Windows 10, version 1607 or later | Microsoft Intune<br><br>-OR-<br><br>System Center Configuration Manager<br><br>-OR-<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt697634.aspx) documentation.|
## What is enterprise data control?
Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people cant share anything and its all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure.

6
windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
View File

@ -6,9 +6,9 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: justinha
ms.date: 05/30/2018
ms.localizationpriority: medium
ms.date: 09/11/2017
---
# Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP)
@ -18,7 +18,7 @@ ms.date: 09/11/2017
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP).

6
windows/security/information-protection/windows-information-protection/using-owa-with-wip.md
View File

@ -6,9 +6,9 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: justinha
ms.date: 05/30/2018
ms.localizationpriority: medium
ms.date: 09/11/2017
---
# Using Outlook on the web with Windows Information Protection (WIP)
@ -17,7 +17,7 @@ ms.date: 09/11/2017
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
Because Outlook on the web can be used both personally and as part of your organization, you have the following options to configure it with Windows Information Protection (WIP):

6
windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
View File

@ -6,9 +6,9 @@ ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: eross-msft
ms.author: justinha
ms.date: 05/30/2018
ms.localizationpriority: medium
ms.date: 09/11/2017
---
# Determine the Enterprise Context of an app running in Windows Information Protection (WIP)
@ -17,7 +17,7 @@ ms.date: 09/11/2017
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare).
>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare).
Use Task Manager to check the context of your apps while running in Windows Information Protection (WIP) to make sure that your organization's policies are applied and running correctly.

7
windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 05/03/2018
ms.date: 05/29/2018
---
@ -90,13 +90,10 @@ If a proxy or firewall is blocking all traffic by default and allowing only spec
Service location | Microsoft.com DNS record
:---|:---
Common URLs for all locations | ```*.blob.core.windows.net``` <br>```crl.microsoft.com```<br> ```ctldl.windowsupdate.com``` ```events.data.microsoft.com```
Common URLs for all locations | ```*.blob.core.windows.net``` <br>```crl.microsoft.com```<br> ```ctldl.windowsupdate.com``` <br>```events.data.microsoft.com```
US | ```us.vortex-win.data.microsoft.com```<br> ```us-v20.events.data.microsoft.com```<br>```winatp-gw-cus.microsoft.com``` <br>```winatp-gw-eus.microsoft.com```
Europe | ```eu.vortex-win.data.microsoft.com```<br>```eu-v20.events.data.microsoft.com```<br>```winatp-gw-neu.microsoft.com```<br>```winatp-gw-weu.microsoft.com```
UK | ```uk.vortex-win.data.microsoft.com``` <br>```uk-v20.events.data.microsoft.com```<br>```winatp-gw-uks.microsoft.com```<br>```winatp-gw-ukw.microsoft.com```
AU | ```au.vortex-win.data.microsoft.com```<br>```au-v20.events.data.microsoft.com```<br>```winatp-gw-aue.microsoft.com```<br>```winatp-gw-aus.microsoft.com```
If a proxy or firewall is blocking anonymous traffic, as Windows Defender ATP sensor is connecting from system context, make sure anonymous traffic is permitted in the above listed URLs.

2
windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
View File

@ -51,7 +51,7 @@ In all scenarios, data is encrypted using 256-bit [AES encyption](https://en.wik
## Do I have the flexibility to select where to store my data?
When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in de-identified form may also be stored in the central storage and processing systems in the United States.
When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in the United Kingdom, Europe, or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in de-identified form may also be stored in the central storage and processing systems in the United States.
## Is my data isolated from other customer data?
Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides.

9
windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: high
ms.date: 04/24/2018
ms.date: 05/30/2018
---
# Investigate machines in the Windows Defender ATP Machines list
@ -164,6 +164,13 @@ You can add tags on machines using the following ways:
### Add machine tags by setting a registry key value
Add tags on machines which can be used as a filter in Machines list view. You can limit the machines in the list by selecting the Tag filter on the Machines list.
>[!NOTE]
> Applicable only on the following machines:
>- Windows 10, version 1709 or later
>- Windows Server, version 1803 or later
>- Windows Server 2016
>- Windows Server 2012 R2
Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines.
Use the following registry key entry to add a tag on a machine:

2
windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
View File

@ -66,7 +66,7 @@ When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows.
You will need to set up your preferences for the Windows Defender ATP portal.
3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in Europe or The United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the United Kingdom, Europe, or The United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation.
> [!WARNING]
> This option cannot be changed without completely offboarding from Windows Defender ATP and completing a new enrollment process.

1
windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md
View File

@ -65,6 +65,7 @@ If you encounter an error when trying to get a refresh token when using the thre
5. Add the following URL:
- For US: `https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback`.
- For Europe: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback`
- For United Kingdom: `https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback`
6. Click **Save**.

7
windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/17/2018
ms.date: 05/30/2018
---
@ -22,6 +22,7 @@ ms.date: 05/17/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
- Microsoft Office 365
- Microsoft Office 2016
- Microsoft Office 2013
@ -42,7 +43,7 @@ ms.date: 05/17/2018
- Configuration service providers for mobile device management
Available in Windows 10 Enterprise E5, Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Supported in Windows 10 Enterprise E5, Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
@ -191,7 +192,7 @@ Local Security Authority Subsystem Service (LSASS) authenticates users who log i
This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks.
>[!WARNING]
>[Only use this rule if you are managing your devices with Intune or other MDM solution. If you use this rule with SCCM, it will prevent SCCM compliance rules from working, because this rule blocks the PSExec commands in SCCM.]
>[Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly.]
### Rule: Block untrusted and unsigned processes that run from USB

3
windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
@ -20,6 +20,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016

3
windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
# Collect diagnostic data for Windows Defender Exploit Guard file submissions
@ -19,6 +19,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**

6
windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
@ -22,7 +22,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**
@ -51,7 +51,7 @@ All apps (any executable file, including .exe, .scr, .dll files and others) are
This is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage.
A notification will appear on the machine where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
A notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors.
The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders.

6
windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/17/2018
ms.date: 05/30/2018
---
# Customize Attack surface reduction
@ -19,7 +19,7 @@ ms.date: 05/17/2018
**Applies to:**
- Windows 10 Enterprise edition, version 1709 and later
- Windows Server 2016
**Audience**
@ -35,7 +35,7 @@ ms.date: 05/17/2018
- Configuration service providers for mobile device management
Available in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
This topic describes how to customize Attack surface reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer.

4
windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/17/2018
ms.date: 05/30/2018
---
@ -22,7 +22,7 @@ ms.date: 05/17/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**

4
windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
# Customize Exploit protection
@ -19,7 +19,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**

6
windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/17/2018
ms.date: 05/30/2018
---
@ -21,7 +21,7 @@ ms.date: 05/17/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**
@ -36,7 +36,7 @@ ms.date: 05/17/2018
- Configuration service providers for mobile device management
Available in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.
Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines.

4
windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
@ -22,7 +22,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**

4
windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
@ -22,7 +22,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**

6
windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/17/2018
ms.date: 05/30/2018
---
@ -21,7 +21,7 @@ ms.date: 05/17/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**
@ -36,7 +36,7 @@ ms.date: 05/17/2018
- Configuration service providers for mobile device management
Available in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
Supported in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
This topic describes how to enable Network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM).

6
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
@ -20,7 +20,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**
@ -37,7 +37,7 @@ ms.date: 04/30/2018
Available in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md).
Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md).
This topic helps you evaluate Attack surface reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization.

4
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
@ -20,7 +20,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**

4
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
@ -21,7 +21,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**

6
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/17/2018
ms.date: 05/30/2018
---
# Evaluate Network protection
@ -21,7 +21,7 @@ ms.date: 05/17/2018
**Applies to:**
- Windows 10 Enterprise edition, version 1709 or later
- Windows Server 2016
**Audience**
@ -36,7 +36,7 @@ ms.date: 05/17/2018
Available in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
Supported in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.

4
windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
@ -22,7 +22,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**

4
windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
View File

@ -12,7 +12,7 @@ ms.date: 04/16/2018
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
@ -22,7 +22,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**

4
windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/21/2018
ms.date: 05/30/2018
---
@ -22,7 +22,7 @@ ms.date: 05/21/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**

6
windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 05/17/2018
ms.date: 05/30/2018
---
@ -21,7 +21,7 @@ ms.date: 05/17/2018
**Applies to:**
- Windows 10, version 1709 or higher
- Windows Server 2016
**Audience**
@ -36,7 +36,7 @@ ms.date: 05/17/2018
- Configuration service providers for mobile device management
Available in Windows 10 Enterprise, Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
Supported in Windows 10 Enterprise, Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet.
It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).

1
windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
View File

@ -19,6 +19,7 @@ ms.date: 05/17/2018
**Applies to:**
- Windows 10, version 1709 or higher
- Windows Server 2016
**Audience**

4
windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
@ -22,7 +22,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**

4
windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
View File

@ -11,7 +11,7 @@ ms.pagetype: security
localizationpriority: medium
author: andreabichsel
ms.author: v-anbic
ms.date: 04/30/2018
ms.date: 05/30/2018
---
@ -22,7 +22,7 @@ ms.date: 04/30/2018
**Applies to:**
- Windows 10, version 1709 and later
- Windows Server 2016
**Audience**