25 Years ConfigMgr Special Microsoft MVP Summit at Redmond SCCM Configuration Manager. It’s a great experience to work with the Microsoft SCCM product group and fellow MVPs to brainstorm and enhance SCCM/ConfigMgr. Microsoft MVP Summit 2017 is special for SCCM MVPs because ConfigMgr reached its 25th anniversary.
SMS’s (the previous version of SCCM) device management journey started in 1992. This post will give us more details about the “25 Years ConfigMgr and Special Microsoft MVP Summit at Redmond.”
I started working with SMS 2003 back in 2005, which was the early stages of my IT career. I enjoyed my career as an SCCM admin, which changed my life.
SCCM has evolved over the years, and so has my career. I switched cities and jobs, but not the product I love.
25 Years ConfigMgr Special Microsoft MVP Summit at Redmond SCCM Configuration Manager
It’s a great experience working very closely with the SCCM product group (developers) and understanding their side of the story. The SCCM product team is developing new, exciting features and getting ready for the next SCCM CB preview release. Loads of innovations are also planned for the SCCM CB 1802 release.
25 Years ConfigMgr Special Microsoft MVP Summit at Redmond SCCM Configuration Manager – Fig.1
This is my third trip to Redmond, and it’s always exciting to learn more about the insides of SCCM products. It was also great to participate in brainstorming sessions with the SCCM product group. The SCCM product team is always ready to listen to MVPs’ real-world challenges and provide solutions for those challenges.
We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes a
Let’s discuss how to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection. Endpoint Protection is the new solution that will replace Windows Information Protection (WIP).
In this post, I’ll overview the Windows Information Protection (WIP)/Enterprise Data Protection (EDP) policy configuration and Windows 10 EDP End User Experience.
WIP/EDP is fully supported in the recently released Windows 10 anniversary edition (1607),y. We can use Intune standalone and SCCM CB 1606 to configure Windows Information Protection policies. Endpoint Protection policies?
Before implementing the WIP in your organization, it’s essential to find out which WIP-enabled applications are available, and we have to define which WIP mode the applications will be in, Allow or Exempt.
Before I go into details, here is a video tutorial explaining the configurations and a Windows 10 end-user experience demo. I used Windows 10 Insider Build 14342 with Microsoft Intune.
It is essential to understand that WIP is a Microsoft accidental Data Leakage protection solution. Windows 10 enterprise has loads of security enhancements. I think Microsoft invested heavily mainly in 3 pieces, and those are
1. Secure Identities 2. Information Protection 3. Threat Resistance.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Data Protection Options? Endpoint Protection
Windows Information Protection/EDP is part of Information Protection. For information protection, Microsoft recommends having the following.
Data Protection Options? Endpoint Protection
Encryption (Bit locker),
WIP/EDP
Azure Information Protection (or RMS).
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Table 1
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.1
How to Create – Deploy WIP EDP Using SCCM CB 1606 and End-User Experience of WIP
I’ll give an overview of the Windows Information Protection (WIP)/Enterprise Data Protection (EDP) policy configuration and Windows 10 EDP End User Experience through this video.
Endpoint ProtectionHow to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Video 1
Following are the Quick Steps to Configure (Intune Console) the Windows 10 EDP Policies
Configure the list of Windows 10 Apps (Universal/Store or Desktop) that you want to protect through EDP Select the EDP/WIP Mode of protection, Configure the Network locations/IP Range, and Upload the Data Recovery certificates and EDP settings.
Configure the List of Windows 10 Apps (Universal/Store or Desktop) that You Want to Protect through WIP
There are two types of Apps in the Intune console, which we can configure Universal/Store and Desktop apps. To configure Windows 10 EDP/WIP policies, we must first identify the applications you want to protect via EDP policies.
First, we need to obtain the publisher details and app product names. We do this through the Intune Console.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.2
SCCM Console
Specify app rules for applying the enterprise data EDP policy. Only apps that meet these rules will be allowed to access enterprise resources, and all other apps will be blocked from doing so.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.3
The store’s publisher, product name, and desktop apps are found using Local Security Policy –> Application Control Policies –> App Locker –> Package app Rules.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.4
Select the WIP/EDP Mode of Protection
Which mode of protection did you want to select for the EDP policy – I selected the block mode !! The protection modes available in the EDP policy are listed in the below table. 1. Block 2. Override 3. Silent 4. Off
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.5
Configure the Network Locations through EDP/WIP Policies
Network locations that the apps you configure can access. No other apps can access these locations. These network location settings are critical for EDP/WIP policy to work on Windows 10 machines!! Below 4 network location settings are mandatory settings (I think):-
Primary Domain (my primary domain is trail tenant)
Outlook.office.com|outlook.office365.com Enterprise Network Domain (The Dummy URL is fine, I think – it worked for me)
blogs.anoopcnair.com Enterprise IPv4 Range (Any IP range is fine, I think – Hyper-V lab IP Range worked for me) Internal IP range 192.0.0.1-192.255.255.254Intune Console.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.6
SCCM Console
Define your corporate network boundary to be protected by Enterprise data protection. Access to these network locations will be restricted to only the apps that meet the app criteria defined in the App rules.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.7
Configure WIP/EDP Data Recovery Agent Cert
Configuring the WIP/EDP Data recovery agent cert is mandatory now !! The recommended way is to re-use the EFS DRA from your domain when you have one. There are some other ways to create a test cert !! I have uploaded one, as you can see in the below picture.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.8
Configure WIP/EDP Policy Settings
WIP/EDP Settings – The last WIP/EDP configuration in Intune. By default, none of these settings are enabled !! Allow user to edit or decrypt data –> NO. Protect App content when the device is in a locked state –> Yes.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.9
Windows 10 WIP/EDP – End User Experience
In my example here – WordPad is NOT a protected APP – I tried to copy the enterprise mail content to an unprotected app, and it gave me the following error: “This is work content only – your organization, PuneITPro.onmicrosoft.com, doesn’t allow you to change the ownership of this content from work to Personal”
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.10
Notepad is an EDP-protected app. I tried to copy the enterprise mail content to a WIP/EDP-protected app (NOTEPAD), which allowed me to do so. You should notice the EDP lock symbol.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.11
Internet Explorer(IE) provides an EDP Lock Symbol when you browse an Enterprise location.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.12
Microsoft Edge provides an EDP Lock Symbol when you browse an Enterprise location.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.13
OneDrive universal application provides an EDP Lock Symbol for enterprise OneDrive accounts but not personal OneDrive accounts.
How to Create Configure Deploy Windows 10 WIP Policies Using SCCM Intune Endpoint Protection – Fig.14
We are on WhatsApp now. To get the latest step-by-step guides, news, and updates, Join our Channel. Click here. HTMD WhatsApp.
Author
Anoop C Nair is Microsoft MVP! He is a Device Management Admin with more than 20 years of experience (calculation done in 2021) in IT. He is a Blogger, Speaker, and Local User Group HTMD Community leader. His main focus is on Device Management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.
