How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection

Endpoint Protection is the new solution that is going to replace Windows Information Protection (WIP). This post covers creating, configuring and deploying Windows 10 WIP policies using SCCM and Intune.

In this post, I’ll give an overview of Windows Information Protection (WIP)/Enterprise Data Protection (EDP) policy configuration and the Windows 10 EDP end-user experience.

What is WIP/EDP?

It is very important to understand that WIP is Microsoft’s solution for protecting against accidental data leakage. Windows 10 Enterprise has loads of security enhancements. I think Microsoft invested heavily mainly on 3 pieces, and those are

  • Secure Identities
  • Information Protection
  • Threat Resistance

Data Protection Options

Windows Information Protection/EDP is part of Information Protection. Within Information Protection, Microsoft recommends having

1. Encryption (BitLocker)

2. WIP/EDP

3. Azure Information Protection (or RMS)

WIP/EDP is fully supported in the Windows 10 Anniversary Update (1607), which was released recently. We can use Intune standalone and SCCM CB 1606 to configure Windows Information Protection policies.

Before implementing WIP in your organization, it’s very important to find out which applications are WIP enabled, and to define which WIP mode each application will be in: Allow or Exempt.

Before I go into details, here is a video tutorial that explains the configuration along with a demo of the Windows 10 end-user experience. I used Windows 10 Insider Build 14342 with Microsoft Intune.

How to Create and Deploy WIP/EDP Using SCCM CB 1606, and the end-user experience of WIP:

httpv://www.youtube.com/watch?v=embed/ogylLn18C10

How to start implementing Windows 10 Windows Information Protection using Intune:

httpv://www.youtube.com/watch?v=embed/k2shaV2Kj3Q

Following are the quick steps to configure the Windows 10 EDP policies (Intune console):

1. Configure the list of Windows 10 apps (Universal/Store or Desktop) which you want to protect through EDP
2. Select the EDP/WIP mode of protection
3. Configure the network locations/IP range
4. Upload the data recovery certificates
5. Configure the EDP settings

Configure the list of Windows 10 Apps (Universal/Store or Desktop) which you want to protect through WIP

There are two types of apps in the Intune console which we can configure: Universal/Store apps and Desktop apps. To configure Windows 10 EDP/WIP policies, we first need to identify the applications which you want to protect via EDP policies. For that, the first thing we need is the publisher details and product name of the apps. How do we get that information? Intune console:

Windows10_Intune_EDP_Policies_1

SCCM console:

WIP_How_to_Add_App_Rules

You can find the publisher and product name of Store and Desktop apps using Local Security Policy -> Application Control Policies -> AppLocker -> Packaged app Rules.

WIP_App_Publisher_Details_Package_Name_1
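The same publisher and product identity can be collected from PowerShell instead of clicking through the AppLocker UI. The script below is an added example, not code from the original post: it uses the built-in Appx and AppLocker modules that ship with Windows 10, and the app name filters and the sample binary path are assumptions to replace with your own app list. Desktop apps must be signed for a publisher rule to exist, so the script warns about unsigned binaries rather than emitting an empty identity.

```powershell
# Added example (not from the original post): collect the publisher and product
# identity that WIP/EDP app rules need, for both Store (AppX) and Desktop apps.
# Assumes the built-in Appx and AppLocker PowerShell modules of Windows 10.
# The name filters and binary path below are assumptions; adjust to your app list.

function Get-WipStoreAppIdentity {
    param([string[]]$NameFilter = @('*Notepad*', '*OneDrive*'))   # assumed filters
    foreach ($filter in $NameFilter) {
        Get-AppxPackage -Name $filter | ForEach-Object {
            [pscustomobject]@{
                Kind              = 'Store'
                PublisherName     = $_.Publisher            # full X.500 string, e.g. "CN=Microsoft Corporation, O=..., C=US"
                ProductName       = $_.Name                 # package name used as the Product Name in the rule
                BinaryName        = '*'
                PackageFamilyName = $_.PackageFamilyName
            }
        }
    }
}

function Get-WipDesktopAppIdentity {
    param([string[]]$Path = @("$env:windir\notepad.exe"))          # assumed sample binary
    foreach ($p in $Path) {
        $info = Get-AppLockerFileInformation -Path $p
        if (-not $info.Publisher) {
            # Unsigned binaries have no publisher; WIP publisher rules cannot target them
            Write-Warning "$p is not signed; a WIP publisher rule needs a signed binary"
            continue
        }
        [pscustomobject]@{
            Kind              = 'Desktop'
            PublisherName     = $info.Publisher.PublisherName
            ProductName       = $info.Publisher.ProductName
            BinaryName        = $info.Publisher.BinaryName
            PackageFamilyName = $p
        }
    }
}

# Usage: one inventory to copy into the Intune / SCCM app rule dialogs
@(Get-WipStoreAppIdentity) + @(Get-WipDesktopAppIdentity) |
    Format-Table Kind, PublisherName, ProductName, BinaryName -AutoSize
```

Run it on a reference machine that has the apps installed; the PublisherName string must be pasted exactly, including the O=, L=, S= and C= components, or the rule will not match the signed binary.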

Select the WIP/EDP Mode of protection

Which mode of protection do you want to select for the EDP policy? I selected the Block mode! The protection modes available in an EDP policy are 1. Block 2. Override 3. Silent 4. Off

Windows10_Intune_EDP_Policies_4

Configure the Network locations through EDP/WIP Policies

These are the network locations that the apps you configured can access. No other apps can access these locations. These network location settings are very important for the EDP/WIP policy to work on a Windows 10 machine! The 4 network location settings below are mandatory settings (I think):

  • Primary Domain (my primary domain is a trial tenant): PuneITPro.onmicrosoft.com
  • Enterprise Cloud Domain (Exchange Online): outlook.office.com|outlook.office365.com
  • Enterprise Network Domain (a dummy URL is fine I think; it worked for me): blogs.anoopcnair.com
  • Enterprise IPv4 Range (any IP range is fine I think; my Hyper-V lab IP range worked for me): internal IP range 192.0.0.1-192.255.255.254

Intune console:

Windows10_Intune_EDP_Policies_5

SCCM console:

WIP_Corporate_Network_Definition
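Because the network boundary decides which destinations count as work locations, it is worth checking the definition before deploying it. The script below is an added example, not code from the original post or from Microsoft: it takes the four values shown above in the same notation the policy UI uses (domains separated by "|", IPv4 ranges as "start-end") and reports whether a host name or address falls inside the enterprise boundary. The test targets are assumptions. Running it with the post’s range shows that 192.0.0.1-192.255.255.254 also matches addresses outside the private 192.168.0.0/16 block (for example 192.0.2.10), which is why a production policy should carry the organisation’s actual internal ranges.

```powershell
# Added example (not from the original post): sanity-check a WIP network boundary
# definition. Domain lists use the "|" separator and IPv4 ranges use "start-end",
# as in the Intune/SCCM policy UI. The values are the ones the post shows; the
# test targets at the bottom are assumptions.

$Boundary = @{
    PrimaryDomain           = 'PuneITPro.onmicrosoft.com'
    EnterpriseCloudDomain   = 'outlook.office.com|outlook.office365.com'
    EnterpriseNetworkDomain = 'blogs.anoopcnair.com'
    EnterpriseIPv4Range     = '192.0.0.1-192.255.255.254'
}

function ConvertTo-UInt32Address([string]$ip) {
    # Reverse to big-endian so numeric comparison follows address order
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-WipEnterpriseLocation {
    param([Parameter(Mandatory)][string]$Target)   # host name or IPv4 address

    $domains = (($Boundary.EnterpriseCloudDomain, $Boundary.EnterpriseNetworkDomain) -join '|') -split '\|'

    if ($Target -notmatch '^\d{1,3}(\.\d{1,3}){3}$') {
        # Host name: the domain itself or any subdomain of it counts as enterprise
        foreach ($d in $domains) {
            if ($Target -ieq $d -or $Target.ToLower().EndsWith(".$($d.ToLower())")) {
                return [pscustomobject]@{ Target = $Target; Enterprise = $true; MatchedBy = $d }
            }
        }
        return [pscustomobject]@{ Target = $Target; Enterprise = $false; MatchedBy = $null }
    }

    # IPv4 address: test each "start-end" range (a comma-separated list is accepted)
    $n = ConvertTo-UInt32Address $Target
    foreach ($range in ($Boundary.EnterpriseIPv4Range -split ',')) {
        $start, $end = $range.Trim() -split '-'
        if ($n -ge (ConvertTo-UInt32Address $start) -and $n -le (ConvertTo-UInt32Address $end)) {
            return [pscustomobject]@{ Target = $Target; Enterprise = $true; MatchedBy = $range }
        }
    }
    [pscustomobject]@{ Target = $Target; Enterprise = $false; MatchedBy = $null }
}

# Assumed test targets: a cloud mailbox host, an unrelated mail host, a lab address,
# and a documentation-range (TEST-NET-1) address that the post's broad range still covers
'outlook.office365.com', 'mail.example.com', '192.168.10.5', '192.0.2.10' |
    ForEach-Object { Test-WipEnterpriseLocation $_ } | Format-Table -AutoSize
```

Feed it the hosts your protected apps actually talk to (mail, SharePoint, internal file servers) and confirm each comes back Enterprise = True; anything that does not will be treated as a personal location and blocked or audited according to the mode selected above.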

Configure WIP/EDP Data recovery agent cert

Configuring the WIP/EDP data recovery agent (DRA) cert is mandatory now! The recommended way is to re-use the EFS DRA from your domain, when you have one. There are some other ways to create a test cert. I have uploaded one, as you can see in the picture below:

Windows10_Intune_EDP_Policies_6

Configure WIP/EDP Policy settings

WIP/EDP Settings is the last piece of the WIP/EDP configuration in Intune. By default, none of these settings are enabled!

  • Allow user to edit or decrypt data -> No
  • Protect app content when the device is in locked state -> Yes

Windows10_Intune_EDP_Policies_7

Windows 10 WIP/EDP – End User Experience

In my example here:

WordPad is NOT an EDP protected app. I tried to copy the enterprise mail content to this unprotected app and it gave me the following error: “This is work content only – your organization, PuneITPro.onmicrosoft.com, doesn’t allow you to change the ownership of this content from work to Personal”

Windows10_Intune_EDP_Policies_9

Notepad is an EDP protected app. I tried to copy the enterprise mail content to a WIP/EDP protected app (Notepad) and it allowed me to copy the content. You should also notice the EDP lock symbol.

Windows10_Intune_EDP_Policies_10

Internet Explorer (IE) shows an EDP lock symbol when you browse an enterprise location:

Windows10_Intune_EDP_Policies_8

Microsoft Edge shows an EDP lock symbol when you browse an enterprise location:

Windows10_Intune_EDP_Policies_11

The OneDrive universal application shows an EDP lock symbol for the enterprise OneDrive account but not for the personal OneDrive account:

Windows10_Intune_EDP_Policies

Reference: Endpoint security – Microsoft Security

How to Migrate SCCM CB Primary server to New Hardware Configuration Manager ConfigMgr Best Guide

How to migrate an SCCM CB 1606 primary server to new hardware or to a new virtual server?

How to restore an SCCM CB primary server from the full SCCM backup? I’ll try to answer these two questions in this blog post and the video.

I used SCCM CB full backup to migrate the primary server into a virtual server. In this scenario, I’ve SCCM CB primary site server and Database server on the same box.

After the migration, Intune/cloud communication was not working and all the logs (CloudUserSync.log, DMPUploader.log, and DMPDownloader.log) filled with “Certmgr has not installed certificate yet, sleep for 1 minute.“.

The resolution was to remove the Intune subscription and add it back. More details follow on migrating the SCCM CB primary server to new hardware or to a new virtual server.

Prerequisites – Migrate SCCM CB Primary server to New Hardware

Following are the prerequisites which we need to follow while migrating the SCCM CB primary server to new hardware:

  • FQDN hostname should be the same
  • Drive letters should be the same
  • Installation path should be the same
  • Should have the same patch level
  • Better to have the same IP

Tips – Migrate SCCM CB Primary server to New Hardware

The following steps will help to complete the migration easily:

  1. Document local SMS group memberships of the existing server
  2. Perform a differential Robocopy of the backup folders to the new server (Package Source\DP files\WSUS)
  3. Shut down the current SCCM CB server
  4. Delete the AD object of the existing SCCM server from Active Directory Users and Computers
  5. Rename the new server to the old SCCM CB server name
  6. Give the new server the old IP address (optional)
  7. Perform the domain join of the new SCCM CB server. Provide FULL ACCESS to the new SCCM CB computer object in the System Management container and also add it to the respective AD groups wherever required.
  8. Install all the prerequisites – ADK, WSUS, SQL, etc.
  9. Run the setup from the CD.Latest folder to get the latest binaries of the existing CB site.
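Steps 1 and 2 are the ones that are easy to get wrong by hand, so here is an added example that scripts them; it is not code from the original post. It exports the members of every local SMS_* group on the existing site server to a CSV (using the LocalAccounts module that ships with Windows Server 2016 and later) and runs a differential Robocopy of the content folders to the new server, in list-only mode first so the change set can be reviewed before anything is written. The folder paths, the output location and the temporary name of the new server are assumptions.

```powershell
# Added example (not from the original post): steps 1 and 2 of the migration tips.
# Step 1 documents local SMS_* group memberships; step 2 does a differential,
# review-first Robocopy of the content folders. All paths and the new server's
# temporary name are assumptions; replace them with your own.

$ReportPath  = 'C:\Migration\SMS_LocalGroups.csv'                 # assumed output file
$SourceRoots = @('D:\Sources', 'D:\SCCMContentLib', 'D:\WSUS')     # assumed content folders
$TargetShare = '\\NEWSCCM01\D$'                                    # assumed new server (before rename)

# Step 1: document the SMS_* local groups (Microsoft.PowerShell.LocalAccounts module)
function Export-SmsLocalGroupMembership {
    param([string]$Path)
    $rows = foreach ($group in (Get-LocalGroup | Where-Object Name -like 'SMS_*')) {
        foreach ($member in (Get-LocalGroupMember -Group $group.Name)) {
            [pscustomobject]@{
                Group           = $group.Name
                Member          = $member.Name
                ObjectClass     = $member.ObjectClass      # User, Group or Computer
                PrincipalSource = $member.PrincipalSource  # Local or ActiveDirectory
            }
        }
    }
    New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null
    $rows | Export-Csv -Path $Path -NoTypeInformation
    $rows
}

# Step 2: differential copy. /E copies subfolders, /XO skips files already newer
# on the target, /L only lists what would change so the run can be reviewed first.
function Copy-SccmContentDifferential {
    param([string[]]$Roots, [string]$Destination, [switch]$ListOnly)
    foreach ($root in $Roots) {
        $dest   = Join-Path $Destination (Split-Path $root -NoQualifier)
        $rcArgs = @($root, $dest, '/E', '/XO', '/COPY:DAT', '/R:2', '/W:5', '/NP',
                    '/LOG+:C:\Migration\robocopy.log')
        if ($ListOnly) { $rcArgs += '/L' }
        & robocopy.exe @rcArgs
        # Robocopy exit codes below 8 are success variants (0 means nothing to copy)
        if ($LASTEXITCODE -ge 8) {
            Write-Warning "Robocopy reported errors for $root (exit code $LASTEXITCODE)"
        }
    }
}

Export-SmsLocalGroupMembership -Path $ReportPath | Format-Table -AutoSize
Copy-SccmContentDifferential -Roots $SourceRoots -Destination $TargetShare -ListOnly
```

Run the copy once more without -ListOnly after the review, and repeat it just before shutting the old server down (step 3) so that only files changed since the first pass are transferred; the CSV from step 1 is what you use in step 7 to rebuild the group memberships on the renamed server.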

Video

(1) How to Migrate ConfigMgr SCCM CB Primary Server to New Hardware – YouTube

References

SCCM Related Posts Real World Experiences Of SCCM Admins (anoopcnair.com)

SCCM ConfigMgr CB How to Plan Backup Recovery | Configuration Manager Best Options

What are the changes in the backup and recovery options in SCCM ConfigMgr CB 1606? Nothing much changed in terms of backup, apart from taking a backup of the CD.Latest folder.

CD.LATEST folder is also getting backed up as part of SCCM CB full backup. Why do we need the CD.LATEST as part of SCCM CB full backup? It’s because this is a source file when you want to recover an SCCM CB site server!

Why can’t we use the baseline version which can be downloaded from MSDN/Volume Licensing sites? Those binaries can’t be used because that is not the same version of SCCM CB which is installed in your primary server/CAS.

The baseline version of SCCM CB production is 1511 and if you upgraded/updated the site to SCCM CB 1606 using Updates and Servicing then you can’t use 1511 version source files to recover the primary site.

When do you want to run SCCM CB Setup from the CD.LATEST folder?

Only when you are trying to recover a site! In the following video, I try to explain the process of backup and restore, and also when to select which option during the recovery process.

There is always a question of whether to use SCCM full backup or just use SQL backup to restore the functionality of SCCM sites. So my answer to that question would be “it depends”.

SCCM CB supports both the scenarios mentioned above however in some of the scenarios you may need full SCCM CB backup to complete the restore. The SCCM restore and recovery come with loads of permutations and combinations as I explained in the below table and the above video.


I hope you will get some clarity about those scenarios after watching the video: What are the changes in SCCM CB 1606 Backup and Recovery options – YouTube.

Table 1: SCCM CB Site Server and Site Database Recovery options

| Installation | Site Server: Setup only part of recovery | Site Server: Recover Site Server | Site Server: Reinstall the site server | Site Database: Recover DB using CM backup | Site Database: Create a new DB | Site Database: Manually Recovered DB | Site Database: Skip DB Recovery |
|---|---|---|---|---|---|---|---|
| CAS | Install setup from CD.LATEST folder | Only when you’ve SCCM full backup | Reconfigure the settings | Only when you’ve SCCM full backup | Only when you’ve a hierarchy | Use SQL backup or any other backup. Changes made are retrieved from the Primary | Only valid when the site DB is on a different computer |
| Stand-Alone Primary | Install setup from CD.LATEST folder | Only when you’ve SCCM full backup | Reconfigure the settings | Only when you’ve SCCM full backup | Not applicable | Use SQL backup or any other backup. Lose site changes after the last backup | Only valid when the site DB is on a different computer |
| Child Primary | Install setup from CD.LATEST folder | Only when you’ve SCCM full backup | Reconfigure the settings | Only when you’ve SCCM full backup | Only when you’ve a hierarchy | Use SQL backup or any other backup. Changes made are retrieved from the CAS | Only valid when the site DB is on a different computer |
| Secondary | Use CM Console to recover Secondary Site | No recovery | No recovery | No recovery | No recovery | No recovery | No recovery |
