How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection

Let’s discuss how to create, configure and deploy Windows 10 WIP policies using SCCM and Intune. Endpoint Protection is the new solution that will replace Windows Information Protection (WIP).

In this post, I’ll overview the Windows Information Protection (WIP)/Enterprise Data Protection (EDP) policy configuration and Windows 10 EDP End User Experience.

WIP/EDP is fully supported in the recently released Windows 10 Anniversary Update (version 1607). We can use Intune standalone and SCCM CB 1606 to configure Windows Information Protection policies.

Before implementing WIP in your organization, it’s essential to find out which WIP-enabled applications are available, and to define which WIP mode each application will be in: Allow or Exempt.

Before I go into details, here is a video tutorial explaining the configurations and a Windows 10 end-user experience demo. I used Windows 10 Insider Build 14342 with Microsoft Intune.

What is WIP/EDP?

It is essential to understand that WIP is Microsoft’s solution for protection against accidental data leakage. Windows 10 Enterprise has loads of security enhancements. I think Microsoft invested heavily in three main areas, which are:

1. Secure Identities
2. Information Protection
3. Threat Resistance

Data Protection Options

Windows Information Protection/EDP is part of Information Protection. For information protection, Microsoft recommends having the following.

  • Encryption (BitLocker)
  • WIP/EDP
  • Azure Information Protection (or RMS)
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Table 1
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.1

How to Create and Deploy WIP/EDP Using SCCM CB 1606, and the End-User Experience of WIP

I’ll give an overview of the Windows Information Protection (WIP)/Enterprise Data Protection (EDP) policy configuration and Windows 10 EDP End User Experience through this video.

How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Video 1

Following are the quick steps to configure the Windows 10 EDP policies in the Intune console:

1. Configure the list of Windows 10 apps (Universal/Store or Desktop) that you want to protect through EDP.
2. Select the EDP/WIP mode of protection.
3. Configure the network locations/IP ranges.
4. Upload the data recovery certificate.
5. Configure the EDP settings.

Configure the List of Windows 10 Apps (Universal/Store or Desktop) that You Want to Protect through WIP

There are two types of apps that we can configure in the Intune console: Universal/Store apps and Desktop apps. To configure Windows 10 EDP/WIP policies, we must first identify the applications you want to protect via EDP policies.

First, we need to obtain the publisher details and app product names. We do this through the Intune Console.

How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.2

SCCM Console

Specify app rules for applying the enterprise data EDP policy. Only apps that meet these rules will be allowed to access enterprise resources, and all other apps will be blocked from doing so.

How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.3

The publisher and product name of Store apps and desktop apps can be found using Local Security Policy –> Application Control Policies –> AppLocker –> Packaged app Rules.

How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.4
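One way to collect these values without clicking through the AppLocker UI, as an added example that is not part of the original post: the AppLocker cmdlets that ship with Windows 10 return the same publisher, product name and binary name that the Intune and SCCM WIP app-rule dialogs ask for. The notepad.exe path and the Microsoft.MicrosoftEdge package name in the usage lines are assumptions for the machine you run it on; swap in the apps you want to protect.

```powershell
# Added example, not code from the original post: collect the Publisher and
# Product Name values that the Intune and SCCM WIP app-rule dialogs ask for,
# using the AppLocker cmdlets (Get-AppLockerFileInformation, Get-AppxPackage)
# instead of reading the values off the Local Security Policy UI.
# Assumptions (labelled): the paths and package names in the usage lines at
# the bottom are examples only; replace them with your own apps.

function Get-WipDesktopAppRule {
    # Desktop app: WIP needs Publisher, Product Name and Binary Name taken from
    # the Authenticode signature. Unsigned binaries have no publisher and so
    # cannot get a publisher-based rule.
    param([Parameter(Mandatory)][string]$Path)
    $info = Get-AppLockerFileInformation -Path $Path
    if ($null -eq $info.Publisher) {
        return [pscustomobject]@{
            Path = $Path; Signed = $false
            Publisher = $null; ProductName = $null; BinaryName = $null; Version = $null
        }
    }
    [pscustomobject]@{
        Path        = $Path
        Signed      = $true
        Publisher   = $info.Publisher.PublisherName   # e.g. O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
        ProductName = $info.Publisher.ProductName
        BinaryName  = $info.Publisher.BinaryName
        Version     = $info.Publisher.BinaryVersion
    }
}

function Get-WipStoreAppRule {
    # Universal/Store app: WIP needs the Publisher and Product Name of the package.
    param([Parameter(Mandatory)][string]$PackageName)   # wildcards allowed, e.g. *Edge*
    foreach ($pkg in (Get-AppxPackage -Name $PackageName)) {
        $info = Get-AppLockerFileInformation -Packages $pkg
        [pscustomobject]@{
            PackageFullName = $pkg.PackageFullName
            Publisher       = $info.Publisher.PublisherName
            ProductName     = $info.Publisher.ProductName
            Version         = $info.Publisher.BinaryVersion
        }
    }
}

# Usage (the path and package name are assumptions for your machine):
Get-WipDesktopAppRule -Path "$env:windir\System32\notepad.exe" | Format-List
Get-WipStoreAppRule -PackageName 'Microsoft.MicrosoftEdge' | Format-List
```

Publisher-based rules bind to the signing certificate, so they keep matching after the app is updated; an unsigned desktop app comes back with Signed = False, and there is no publisher to build a WIP rule from.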

Select the WIP/EDP Mode of Protection

Which mode of protection do you want to select for the EDP policy? I selected Block mode!! The protection modes available in the EDP policy are listed below.

1. Block
2. Override
3. Silent
4. Off

How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.5

Configure the Network Locations through EDP/WIP Policies

Network locations that the apps you configure can access. No other apps can access these locations. These network location settings are critical for the EDP/WIP policy to work on Windows 10 machines!! The four network location settings below are mandatory settings (I think):

  • Primary Domain: PuneITPro.onmicrosoft.com (my primary domain is a trial tenant)
  • Enterprise Cloud Domain (Exchange Online): outlook.office.com|outlook.office365.com
  • Enterprise Network Domain: blogs.anoopcnair.com (a dummy URL is fine, I think – it worked for me)
  • Enterprise IPv4 Range: 192.0.0.1-192.255.255.254, described as “Internal IP range” (any IP range is fine, I think – my Hyper-V lab IP range worked for me)

Intune Console

How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.6

SCCM Console

Define your corporate network boundary to be protected by Enterprise data protection. Access to these network locations will be restricted to only the apps that meet the app criteria defined in the App rules.

How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.7
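The IPv4 boundary entered in either console is a comma-separated list of "start-end" ranges. The following added example (not code from the original post) parses that format, reports how many addresses each range covers, and tests whether a given address falls inside the boundary. The range is the one used in the post; the test addresses are constructed.

```powershell
# Added example, not code from the original post: parse the Enterprise IPv4
# Range string in the format the Intune/SCCM WIP policy uses ("start-end"
# ranges, comma-separated) and test which addresses fall inside the boundary.
# The sample range below is the one from the post; the test addresses are
# constructed for illustration.

function ConvertTo-IPv4Number {
    # Turn a dotted IPv4 string into an unsigned 32-bit integer for comparisons.
    param([Parameter(Mandatory)][string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    if ($bytes.Length -ne 4) { throw "Not an IPv4 address: $Address" }
    [Array]::Reverse($bytes)                        # network order -> host order
    [BitConverter]::ToUInt32($bytes, 0)
}

function ConvertFrom-WipIPv4RangeList {
    # "192.0.0.1-192.255.255.254,10.10.0.1-10.10.0.254" -> one object per range
    param([Parameter(Mandatory)][string]$RangeList)
    foreach ($entry in ($RangeList -split ',')) {
        $entry = $entry.Trim()
        if (-not $entry) { continue }
        $parts = $entry -split '-'
        if ($parts.Count -ne 2) { throw "Range must be written as start-end: '$entry'" }
        $start = ConvertTo-IPv4Number $parts[0].Trim()
        $end   = ConvertTo-IPv4Number $parts[1].Trim()
        if ($start -gt $end) { throw "Range start is after its end: '$entry'" }
        [pscustomobject]@{
            Range = $entry
            Start = $start
            End   = $end
            Count = [uint64]($end - $start + 1)     # addresses covered by the range
        }
    }
}

function Test-WipEnterpriseAddress {
    # Is $Address inside any configured enterprise range?
    param(
        [Parameter(Mandatory)][string]$RangeList,
        [Parameter(Mandatory)][string]$Address
    )
    $n = ConvertTo-IPv4Number $Address
    $hits = ConvertFrom-WipIPv4RangeList $RangeList |
        Where-Object { $n -ge $_.Start -and $n -le $_.End }
    [pscustomobject]@{
        Address    = $Address
        Enterprise = [bool]$hits
        MatchedBy  = (@($hits | ForEach-Object Range) -join ';')
    }
}

# Usage: the range from the post, plus two constructed test addresses
$ranges = '192.0.0.1-192.255.255.254'
ConvertFrom-WipIPv4RangeList $ranges | Format-Table Range, Count
Test-WipEnterpriseAddress -RangeList $ranges -Address '192.168.10.20'   # Enterprise: True
Test-WipEnterpriseAddress -RangeList $ranges -Address '10.0.0.5'        # Enterprise: False
```

The range used in the post covers 16,777,214 addresses, most of them public. WIP treats data fetched from inside the boundary as work data (tagged and encrypted) and data from outside it as personal, so in production the ranges should match your actual corporate subnets rather than a convenient lab range.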

Configure WIP/EDP Data Recovery Agent Cert

Configuring the WIP/EDP Data Recovery Agent (DRA) certificate is mandatory now!! The recommended way is to reuse the EFS DRA from your domain when you have one. There are some other ways to create a test cert!! I have uploaded one, as you can see in the picture below.

How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.8
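The built-in cipher.exe is one of the "other ways" to create a test DRA certificate, and it can also show which recovery agent a WIP-encrypted file carries. The following is an added example, not the post's own steps: it creates a lab-only DRA, lists the files under a folder that WIP/EFS has encrypted (the ones that get the lock symbol in the end-user screenshots later in the post), and checks each for a recovery certificate. The output folder and file paths are placeholders, and the "Recovery Certificates" section name is assumed to be the one cipher /c prints on Windows 10.

```powershell
# Added example, not code from the original post: create a lab-only EFS Data
# Recovery Agent certificate with the built-in cipher.exe, then confirm which
# files WIP has encrypted and which recovery agent they carry, so you know
# recovery works before a broad roll-out.
# Assumptions (labelled): the output folder and file paths are placeholders;
# cipher /c is assumed to print a 'Recovery Certificates' section as on Windows 10.

function New-TestEfsDra {
    # cipher /r:<name> prompts for a password and writes <name>.cer and <name>.pfx.
    # Upload the .cer to the WIP policy; keep the .pfx (private key) offline,
    # because it can decrypt every file protected under that policy.
    param(
        [Parameter(Mandatory)][string]$OutputFolder,
        [string]$Name = 'EFSDRA'
    )
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
    Push-Location -LiteralPath $OutputFolder
    try {
        & cipher.exe "/r:$Name"
        if ($LASTEXITCODE -ne 0) { throw "cipher /r failed with exit code $LASTEXITCODE" }
        [pscustomobject]@{
            Cer = Join-Path $OutputFolder "$Name.cer"
            Pfx = Join-Path $OutputFolder "$Name.pfx"
        }
    } finally { Pop-Location }
}

function Get-WipFileProtection {
    # WIP protects files with EFS, so the Encrypted attribute marks work data
    # (plain EFS-encrypted files carry it too); cipher /c lists the recovery
    # certificates that apply to the file.
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path
    $encrypted = [bool]($item.Attributes -band [IO.FileAttributes]::Encrypted)
    $agents = @()
    if ($encrypted) {
        $inSection = $false
        foreach ($line in (& cipher.exe /c $Path)) {
            if ($line -match 'Recovery Certificates') { $inSection = $true; continue }
            if ($inSection) {
                if ([string]::IsNullOrWhiteSpace($line)) { break }
                $agents += $line.Trim()
            }
        }
    }
    [pscustomobject]@{
        Path           = $Path
        Encrypted      = $encrypted
        RecoveryAgents = $agents
        HasDra         = [bool]($agents | Where-Object { $_ -notmatch 'No recovery certificate' })
    }
}

function Get-WipProtectedFiles {
    # Every encrypted file under $Folder, each with its recovery-agent status.
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -LiteralPath $Folder -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Encrypted } |
        ForEach-Object { Get-WipFileProtection -Path $_.FullName }
}

# Usage (placeholders):
# New-TestEfsDra -OutputFolder 'C:\Temp\DRA'
# Get-WipProtectedFiles -Folder "$env:USERPROFILE\Documents" | Format-Table Path, Encrypted, HasDra
```

A file that shows Encrypted = True but HasDra = False was protected before the DRA reached the device, or under a policy without one; such files cannot be recovered with the DRA's private key if the user's key is lost, which is the reason the certificate is mandatory.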

Configure WIP/EDP Policy Settings

WIP/EDP Settings are the last WIP/EDP configuration in Intune. By default, none of these settings are enabled!! The settings shown in the picture below are:

  • Allow user to edit or decrypt data –> No
  • Protect app content when the device is in a locked state –> Yes

How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.9

Windows 10 WIP/EDP – End User Experience

In my example here, WordPad is NOT a protected app. I tried to copy the enterprise mail content to this unprotected app, and it gave me the following error: “This is work content only – your organization, PuneITPro.onmicrosoft.com, doesn’t allow you to change the ownership of this content from work to Personal”

How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.10

Notepad is an EDP-protected app. I tried to copy the enterprise mail content to a WIP/EDP-protected app (Notepad), which allowed me to do so. You should notice the EDP lock symbol.

How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.11

Internet Explorer (IE) shows an EDP lock symbol when you browse an enterprise location.

How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.12

Microsoft Edge provides an EDP Lock Symbol when you browse an Enterprise location.

How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.13

OneDrive universal application provides an EDP Lock Symbol for enterprise OneDrive accounts but not personal OneDrive accounts.

How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.14


Author

Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

How to Migrate SCCM CB Primary Server to New Hardware Configuration Manager ConfigMgr Best Guide

How do we migrate the SCCM CB 1606 primary server to new hardware or a new virtual server?

How can I restore the SCCM CB primary server from a full SCCM backup? I’ll try to answer these two questions in this blog post and the video.

I used SCCM CB full backup to migrate the primary server into a virtual server. In this scenario, the SCCM CB primary site server and Database server are on the same box.

After the migration, Intune/cloud communication was not working, and all the logs (CloudUserSync.log, DMPUploader.log, and DMPDownloader.log) filled with “Certmgr has not installed certificate yet, sleep for 1 minute.”.

The resolution was to remove the Intune subscription and add it back.

Prerequisites – Migrate the SCCM CB Primary Server to New Hardware

The prerequisites we must follow while migrating the SCCM CB primary server to new hardware are:

  • FQDN Hostname Should be the same
  • Drive Letters should be the same
  • The installation path should be the same
  • Should have the same patch level
  • Better to have the same IP
How to Migrate SCCM CB Primary Server to New Hardware Configuration Manager ConfigMgr Best Guide – Fig.1

Tips – Migrate the SCCM CB Primary server to New Hardware

Let’s discuss the following steps to help you complete the migration steps efficiently.

Migrate the SCCM CB Primary server to New Hardware
1. Document the local SMS group memberships of the existing server.
2. Perform a differential Robocopy of the backup folders to the new server (package source, DP files, WSUS).
3. Shut down the current SCCM CB server.
4. Delete the AD object of the existing SCCM server from Active Directory Users and Computers.
5. Rename the new server to the old SCCM CB server name.
6. Give the new server the old IP address (optional).
7. Perform the domain join of the new SCCM CB server. Give the new SCCM CB computer object FULL ACCESS to the System Management container, and also add it to the respective AD groups wherever required.
8. Install all the prerequisites – ADK, WSUS, SQL, etc.
9. Run setup from the CD.Latest folder to get the latest binaries of the existing CB site.
How to Migrate SCCM CB Primary Server to New Hardware Configuration Manager ConfigMgr Best Guide – Table 1
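The prerequisites and the first two steps are the parts of this procedure that are easy to get subtly wrong (a drive letter or patch missing, a group membership forgotten). The following added example, which is not part of the original post, records those facts on the old server, compares them on the new one, and runs the differential copy. It assumes the LocalAccounts cmdlets (Windows Server 2016 / PowerShell 5.1 or later), reads the install directory from HKLM\SOFTWARE\Microsoft\SMS\Setup ('Installation Directory'), and uses placeholder paths in the usage lines.

```powershell
# Added example, not code from the original post: helpers for the prerequisite
# checks and for steps 1 and 2 of the migration list above. Run
# Export-MigrationFacts on the old SCCM server, copy the JSON to the new server
# and run Test-MigrationFacts there before the cut-over.
# Assumptions (labelled): Get-LocalGroup/Get-LocalGroupMember need the
# LocalAccounts module (Windows Server 2016 / PowerShell 5.1 or later); the SCCM
# install directory is read from HKLM\SOFTWARE\Microsoft\SMS\Setup
# ('Installation Directory'); all paths in the usage lines are placeholders.

function Export-MigrationFacts {
    param([Parameter(Mandatory)][string]$Path)
    $setup = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\SMS\Setup' -ErrorAction SilentlyContinue
    $facts = [ordered]@{
        Fqdn       = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
        Drives     = @(Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' } | ForEach-Object Name)
        InstallDir = $setup.'Installation Directory'
        OsBuild    = (Get-CimInstance Win32_OperatingSystem).BuildNumber
        Hotfixes   = @(Get-HotFix | ForEach-Object HotFixID | Sort-Object)
        IPv4       = @(Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.PrefixOrigin -ne 'WellKnown' } | ForEach-Object IPAddress)
        # Step 1: document the local SMS_* group memberships (they are not in the site backup)
        SmsGroups  = @(Get-LocalGroup | Where-Object { $_.Name -like 'SMS_*' } | ForEach-Object {
            [ordered]@{ Group = $_.Name; Members = @(Get-LocalGroupMember -Group $_.Name | ForEach-Object Name) }
        })
    }
    $facts | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $Path -Encoding UTF8
}

function Test-MigrationFacts {
    # Compare the old server's recorded facts with this (new) server; one row per check.
    param([Parameter(Mandatory)][string]$Path)
    $old = Get-Content -LiteralPath $Path -Raw | ConvertFrom-Json
    $tmp = Join-Path $env:TEMP 'new-server-facts.json'
    Export-MigrationFacts -Path $tmp
    $new = Get-Content -LiteralPath $tmp -Raw | ConvertFrom-Json
    foreach ($check in 'Fqdn', 'InstallDir', 'OsBuild') {
        [pscustomobject]@{ Check = $check; Old = $old.$check; New = $new.$check; Match = ($old.$check -eq $new.$check) }
    }
    foreach ($check in 'Drives', 'Hotfixes', 'IPv4') {
        # Everything the old server had must also exist on the new one
        $missing = @($old.$check | Where-Object { $_ -notin $new.$check })
        [pscustomobject]@{ Check = $check; Old = ($old.$check -join ','); New = ($new.$check -join ','); Match = ($missing.Count -eq 0) }
    }
}

function Invoke-DifferentialCopy {
    # Step 2: robocopy only files that are new or newer on the source (/XO),
    # keeping ACLs, owner and timestamps (/COPYALL, /DCOPY:T). Exit codes below 8 mean success.
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination,
        [string]$LogPath = (Join-Path $env:TEMP 'robocopy-migration.log')
    )
    & robocopy.exe $Source $Destination /E /COPYALL /DCOPY:T /XO /R:2 /W:5 /NP "/LOG+:$LogPath" | Out-Null
    [pscustomobject]@{
        Source = $Source; Destination = $Destination
        ExitCode = $LASTEXITCODE; Success = ($LASTEXITCODE -lt 8); Log = $LogPath
    }
}

# Usage (all paths are placeholders):
# Export-MigrationFacts -Path 'C:\Temp\old-server-facts.json'                   # on the old server
# Test-MigrationFacts -Path 'C:\Temp\old-server-facts.json' | Format-Table      # on the new server
# Invoke-DifferentialCopy -Source '\\OLDSERVER\Sources$' -Destination 'E:\Sources'
```

Run the copy once while the old server is still up, then again right before the shutdown in step 3; the /XO switch makes the second pass carry only what changed in between.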

Video

How to Migrate ConfigMgr SCCM CB Primary Server to New Hardware – YouTube

Resources

SCCM Related Posts Real World Experiences Of SCCM Admins (anoopcnair.com)


SCCM ConfigMgr CB How to Plan Backup Recovery Configuration Manager Best Options

Let’s discuss SCCM ConfigMgr CB: how to plan backup and recovery, and the best options in Configuration Manager. What changed in the backup and recovery options in SCCM ConfigMgr CB 1606? Nothing much changed in terms of backup, apart from taking a backup of the CD.Latest folder.

The CD.LATEST folder is also backed up as part of the SCCM CB full backup. Why do we need the CD.LATEST as part of the SCCM CB full backup? This is because it is a source file for when you want to recover an SCCM CB site server!

Why can’t we use the baseline version, which can be downloaded from MSDN/Volume Licensing sites? Those binaries can’t be used because they are not the same version of SCCM CB that is installed in your primary server/CAS.

The baseline version of SCCM CB production is 1511, and if you upgraded/updated the site to SCCM CB 1606 using Updates and Servicing, you can’t use the 1511 version source files to recover the primary site.
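Because the binaries in CD.Latest have to match the version the site was running, it is worth checking a backup before you depend on it. The following added example (not code from the original post) verifies that a full backup folder contains CD.Latest and the other backup components, and that the setup binaries in CD.Latest carry the same build as the installed site. It assumes the backup root is the folder written by the Backup Site Server task, with CD.Latest, SiteServer, SiteDBServer and BackupDocument.xml inside it, and reads the installed version from HKLM\SOFTWARE\Microsoft\SMS\Setup ('Full Version'); the backup path in the usage line is a placeholder.

```powershell
# Added example, not code from the original post: a pre-flight check that the
# SCCM full backup you plan to recover from contains CD.Latest and that its
# setup binaries match the version the site was running, since baseline (1511)
# media cannot recover a site that was updated to 1606.
# Assumptions (labelled): the backup root is the folder written by the Backup
# Site Server task, containing CD.Latest, SiteServer, SiteDBServer and
# BackupDocument.xml; the installed version is read from
# HKLM\SOFTWARE\Microsoft\SMS\Setup ('Full Version') on the site server.

function Get-CMSiteFullVersion {
    # Version of the site as installed on the local site server.
    $props = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\SMS\Setup' -ErrorAction Stop
    [version]$props.'Full Version'
}

function Get-FileProductVersion {
    # Pull a clean a.b.c.d version out of the binary's ProductVersion string.
    param([Parameter(Mandatory)][string]$Path)
    $raw = (Get-Item -LiteralPath $Path).VersionInfo.ProductVersion
    if ($raw -match '\d+(\.\d+){1,3}') { return [version]$Matches[0] }
    $null
}

function Test-CMBackupCdLatest {
    param(
        [Parameter(Mandatory)][string]$BackupRoot,       # e.g. E:\Backup\P01Backup (placeholder)
        [Parameter(Mandatory)][version]$ExpectedVersion  # version the site ran when the backup was taken
    )
    $findings = New-Object System.Collections.Generic.List[string]
    foreach ($item in 'CD.Latest', 'SiteServer', 'SiteDBServer', 'BackupDocument.xml') {
        if (-not (Test-Path -LiteralPath (Join-Path $BackupRoot $item))) {
            $findings.Add("Missing '$item' in $BackupRoot")
        }
    }
    $setup = Join-Path $BackupRoot 'CD.Latest\SMSSETUP\BIN\X64\setup.exe'
    $cdVersion = $null
    if (Test-Path -LiteralPath $setup) {
        $cdVersion = Get-FileProductVersion -Path $setup
        # The build number is what separates 1511 baseline media from a 1606 CD.Latest
        if ($null -eq $cdVersion -or $cdVersion.Build -ne $ExpectedVersion.Build) {
            $findings.Add("CD.Latest setup is '$cdVersion' but the site ran '$ExpectedVersion'; recover with the CD.Latest that matches the site, not baseline media")
        }
    } else {
        $findings.Add("setup.exe not found under CD.Latest; those binaries are what recovery runs")
    }
    $doc = Join-Path $BackupRoot 'BackupDocument.xml'
    $ageDays = $null
    if (Test-Path -LiteralPath $doc) {
        # Anything changed in the site after this timestamp is lost on a restore
        $ageDays = [math]::Round(((Get-Date) - (Get-Item -LiteralPath $doc).LastWriteTime).TotalDays, 1)
    }
    [pscustomobject]@{
        BackupRoot      = $BackupRoot
        CdLatestVersion = $cdVersion
        ExpectedVersion = $ExpectedVersion
        BackupAgeDays   = $ageDays
        Usable          = ($findings.Count -eq 0)
        Findings        = $findings.ToArray()
    }
}

# Usage (the backup path is a placeholder); run on the site server before a recovery
Test-CMBackupCdLatest -BackupRoot 'E:\Backup\P01Backup' -ExpectedVersion (Get-CMSiteFullVersion)
```

A backup that reports Usable = True but a large BackupAgeDays is still a weak recovery point: as the table below notes for a stand-alone primary, site changes after the last backup are lost when the database is restored from it.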

When Do You Want to Run SCCM CB Setup from the CD.LATEST Folder?

Only when you are trying to recover a site!! In the following video, I try to explain the backup and restore process, and also when to select which option during the recovery process.

There is always a question of whether to use SCCM full backup or just SQL backup to restore the functionality of SCCM sites. My answer is, “It depends.”

SCCM CB supports both the scenarios mentioned above; however, in some of the scenarios, you may need a full SCCM CB backup to complete the restore. The SCCM restore and recovery come with loads of permutations and combinations, as I explained in the table below and the video above.

SCCM ConfigMgr CB How to Plan Backup Recovery | Configuration Manager Best Options

After watching the video, I hope you will gain some clarity about those scenarios. Video: What are the changes in SCCM CB 1606 Backup and Recovery options – YouTube.


Table 1: SCCM CB Site Server and Site Database Recovery Options

The screenshot below shows the SCCM CB Site Server and Site Database Recovery Options. It shows the SCCM CB Site Server options such as the CAS, Stand-Alone Primary, Child Primary and Secondary Remote Site.

Installation (setup-only part of recovery)
  CAS                  Install setup from the CD.LATEST folder
  Stand-Alone Primary  Install setup from the CD.LATEST folder
  Child Primary        Install setup from the CD.LATEST folder
  Secondary            Use the CM console to recover the secondary site (no other recovery options apply)

Site Server options (CAS, Stand-Alone Primary and Child Primary)
  Recover site server          Only when you have an SCCM full backup
  Reinstall the site server    Reconfigure the settings

Site Database options
  Recover DB using CM backup   CAS / Stand-Alone Primary / Child Primary: only when you have an SCCM full backup
  Create a new DB              CAS: only when you have a hierarchy; Child Primary: only when you have a hierarchy; Stand-Alone Primary: not applicable
  Manually recovered DB        Use a SQL backup or any other backup. CAS: changes made are retrieved from the primary; Child Primary: changes made are retrieved from the CAS; Stand-Alone Primary: site changes after the last backup are lost
  Skip DB recovery             CAS / Stand-Alone Primary / Child Primary: only valid when the site DB is on a different computer

Secondary: no recovery for any of the site server or site database options above.
