NetWorker shows network information conveniently in the menu bar. It also features a window that shows additional information about the currently active network adapter. NetWorker features: a fully customizable view - you can choose which information is shown and select from many different pre-defined widgets.
NETWORK ENGINEER Interview Questions :-
A) Tell me something about yourself.
Talk about your education, where you come from, and some struggle in your life that shows you have a positive attitude and the will to fight the odds.
B) Technical Questions :-
1) What is a LAN?
LAN is short for Local Area Network. It refers to the connection between computers and other network devices that are located within a small physical location.
2) What is the difference between a normal LAN cable and a cross cable? What is the maximum length of a LAN cable?
- The way the paired wires are connected to the RJ45 connector is different in a cross cable and a normal LAN cable.
- The theoretical length is 100 meters, but after 80 meters you may see a drop in speed due to signal loss.
3) What is DHCP? Why is it used? What are scopes and superscopes?
- DHCP: Dynamic Host Configuration Protocol. It is used to allocate IP addresses to a large number of PCs in a network environment, which makes IP management very easy.
- Scope: a scope contains the IP address settings such as subnet mask, gateway IP, DNS server IP and exclusion range that a client uses to communicate with the other PCs in the network.
- Superscope: when we combine two or more scopes together, the result is called a superscope.
4) What are the types of LAN cables used? What is a cross cable?
The types of LAN cable in use are 'Cat 5' and 'Cat 6'. 'Cat 5' can support 100 Mbps and 'Cat 6' can support 1 Gbps.
Cross cable: it is used to connect two devices of the same type without a switch/hub so that they can communicate.
5) What is Active Directory?
A central component of the Windows platform, the Active Directory directory service provides the means to manage the identities and relationships that make up network environments. For example, we can create, manage and administer users, computers and printers in the network from Active Directory.
6) What is DNS? Why is it used? What are 'forward lookup' and 'reverse lookup' in DNS? What are A records and MX records?
DNS is the domain naming service and is used for resolving names to IP addresses and IP addresses to names. The computer understands only numbers, while we can easily remember names. So to make it easier for us, we assign names to computers and websites. When we use these names (like yahoo.com) the computer uses DNS to convert them to an IP address (number) and executes our request.
- Forward lookup: converting names to IP addresses is called forward lookup.
- Reverse lookup: resolving IP addresses to names is called reverse lookup.
- 'A' record: called the host record, it holds the mapping of a name to an IP address. This is the DNS record with whose help DNS finds the IP address of a name.
- 'MX' record: the mail exchanger record. It is the record needed to locate the mail servers in the network. This record is also found in DNS.
7) What is IPCONFIG command? Why it is used?
The IPCONFIG command is used to display the IP information assigned to a computer. From the output we can find out the IP address, DNS IP address and gateway IP address assigned to that computer.
8) What is APIPA IP address? Or what IP address is assigned to the computer when the DHCP server is not available?
When a DHCP server is not available, the Windows client computer assigns an automatic IP address to itself so that it can communicate with the network computers. This IP address is called APIPA and it is in the range 169.254.X.X.
APIPA stands for Automatic Private IP Addressing. It is in the range of 169.254.X.X.
9) What is a DOMAIN? What is the difference between a domain and a workgroup?
A domain is created when we install Active Directory. It's a security boundary used to manage the computers inside the boundary. A domain can be used to centrally administer computers, and we can govern them using common policies called group policies.
We can't do the same with a workgroup.
10) Do you know how to configure Outlook 2000 and Outlook 2003 for a user?
Please visit the link below to find out how to configure Outlook 2000 and Outlook 2003: http://www.it.cmich.edu/quickguides/qg_outlook2003_server.asp
11) What is a PST file and what is the difference between a PST file and OST file? What file is used by outlook express?
A PST file is used to store mail locally when using Outlook 2000 or 2003. An OST file is used when we use Outlook in cached Exchange mode. Outlook Express uses an odb file.
12) What is BSOD? What do you do when you get blue screen in a computer? How do you troubleshoot it?
BSOD stands for Blue Screen of Death. When there is a hardware or OS fault because of which the Windows OS cannot run, it gives a blue screen with a code. The best way to resolve it is to boot the computer in 'Last known good configuration'. If this doesn't work then boot the computer in safe mode. If it boots up then the problem is with one of the devices or drivers.
13) What is RIS? What is Imaging/ghosting?
RIS stands for Remote Installation Services. You save the installed image on a Windows server and then use RIS to install the configured image on new hardware. We can use it to deploy both server and client OS. Imaging or ghosting does the same job of capturing an installed image and then installing it on new hardware when there is a need. We go for RIS or imaging/ghosting because installing the OS every time from a CD can be a very time-consuming task, so to save that time we use RIS/ghosting/imaging.
14) What is VPN and how to configure it?
VPN stands for Virtual Private Network. A VPN is used to connect to the corporate network to access resources like mail and files in the LAN. A VPN can be configured using the steps mentioned in the KB: http://support.microsoft.com/kb/305550
15) Your computer slowly drops out of network. A reboot of the computer fixes the problem. What to do to resolve this issue?
Update the network card driver.
16) Your system is infected with Virus? How to recover the data?
Install another system. Install the OS with the latest patches and antivirus with the latest updates. Connect the infected HDD as a secondary drive in that system. Once done, scan and clean the secondary HDD. Then copy the files to the new system.
17) What is a Link?
A link refers to the connectivity between two devices. It includes the type of cables and protocols used in order for one device to be able to communicate with the other.
18) What is the difference between a switch and a hub?
A switch sends the traffic only to the port it is meant for. A hub sends the traffic to all the ports.
19) What is a router? Why we use it?
A router is a switch that uses routing protocols to process and send traffic. It also receives traffic and sends it across, but it uses the routing protocols to do so.
20) What are manageable and non manageable switches?
Switches that can be administered are called manageable switches. For example, we can create a VLAN on such a switch. On non-manageable switches we can't do so.
21) What is NIC?
A network card, network adapter or NIC (network interface controller) is a piece of computer hardware designed to allow computers to communicate over a computer network.
22) What is USB?
Universal Serial Bus (USB) is a serial bus standard to interface devices. Devices like Modem, Mouse, Keyboard etc can be connected.
23) Dialup vs. Broadband
A broadband connection (ADSL) provides high-speed Internet access over a standard phone line. The advantage of a broadband connection over a standard dialup service is that broadband is considerably faster and is 'always-on', meaning that once you're logged on, your PC is online until the PC is turned off again.
Broadband offers high-speed Internet access and allows telephone calls and a permanent Internet connection to share a single phone line simultaneously, whereas with a dialup connection either the Internet connection or a telephone call can be made at a given time.
24) LAN and WAN
A local area network is a computer network covering a small geographic area, like a home, office, or group of buildings.
A Wide Area Network (WAN) is a computer network that covers a broad area (i.e., any network whose communications links cross metropolitan, regional, or national boundaries). Or, less formally, a network that uses routers and public communications links.
25) Microsoft Access
Microsoft Office Access, previously known as Microsoft Access, is a relational database management system from Microsoft.
26) What is RAS?
Remote Access Services (RAS) refers to any combination of hardware and software to enable the remote access to tools or information that typically reside on a network of IT devices.
27) Difference between Client Mail and Web Mail?
Email clients download your emails onto your computer. Using a specialized email program such as Outlook Express or Apple Mail has the advantage of giving you complete control over your email; every email you receive is placed on your computer and you can keep as many large file attachments as you want.
Checking your email through our webmail is similar to using Hotmail or Yahoo! Mail. You never actually copy your messages to your computer; in fact, you are looking at them through your web browser on somebody else's computer. When you are not online, you are not able to see your email.
28) RAM and ROM
RAM: random access memory, a type of computer memory that can be accessed randomly; that is, any byte of memory can be accessed without touching the preceding bytes. RAM is the most common type of memory found in computers and other devices, such as printers.
ROM: pronounced rahm, an acronym for read-only memory, computer memory on which data has been prerecorded. Once data has been written onto a ROM chip, it cannot be removed and can only be read. Unlike main memory (RAM), ROM retains its contents even when the computer is turned off. ROM is referred to as being nonvolatile, whereas RAM is volatile.
29) Spamguard
Spam Guard is an Outlook add-in that filters email that arrives in your inbox. If the sender of any message cannot be identified then the message is moved into a spam quarantine folder. Messages deposited in the spam quarantine folder can be inspected and either deleted or approved at your leisure.
30) Firewall and Antivirus
A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
Antivirus is a software program which helps protect a computer against being infected by a virus.
31) DNS
Short for Domain Name System (or Service or Server), an Internet service that translates domain names into IP addresses. Because domain names are alphabetic, they're easier to remember. The Internet however, is really based on IP addresses. Every time you use a domain name, therefore, a DNS service must translate the name into the corresponding IP address. For example, the domain name www.example.com might translate to 198.105.232.4.
32) IPConfig
IPConfig is a command line tool used to control the network connections on Windows NT/2000/XP machines. There are three main commands: 'all', 'release', and 'renew'. IPConfig displays all current TCP/IP network configuration values and refreshes Dynamic Host Configuration Protocol (DHCP) and Domain Name System (DNS) settings. Used without parameters, IPConfig displays the IP address, subnet mask, and default gateway for all adapters.
33) Trace route
Trace route is the program that shows you the route over the network between two systems, listing all the intermediate routers a connection must pass through to get to its destination. It can help you determine why your connections to a given server might be poor, and can often help you figure out where exactly the problem is. It also shows you how systems are connected to each other, letting you see how your ISP connects to the Internet as well as how the target system is connected.
34) What is the equivalent layer or layers of the TCP/IP Application layer in terms of OSI reference model?
The TCP/IP Application layer actually has three counterparts on the OSI model: the Session layer, Presentation Layer and Application Layer.
35) How can you identify the IP class of a given IP address?
By looking at the first octet of any given IP address, you can identify whether it's Class A, B or C. If the first octet begins with a 0 bit, that address is Class A. If it begins with bits 10 then that address is a Class B address. If it begins with 110, then it's a Class C network.
36) What is the main purpose of OSPF?
OSPF, or Open Shortest Path First, is a link-state routing protocol that uses routing tables to determine the best possible path for data exchange.
37) What are firewalls?
Firewalls serve to protect an internal network from external attacks. These external threats can be hackers who want to steal data or computer viruses that can wipe out data in an instant. It also prevents other users from external networks from gaining access to the private network.
38) Describe star topology
Star topology consists of a central hub that connects to nodes. This is one of the easiest to set up and maintain.
39) What are gateways?
Gateways provide connectivity between two or more network segments. A gateway is usually a computer that runs the gateway software and provides translation services. This translation is key to allowing different systems to communicate on the network.
40) What is the disadvantage of a star topology?
One major disadvantage of star topology is that once the central hub or switch gets damaged, the entire network becomes unusable.
41) What is SLIP?
SLIP, or Serial Line Interface Protocol, is actually an old protocol developed during the early UNIX days. This is one of the protocols that are used for remote access.
42) Give some examples of private network addresses.
- 10.0.0.0 with a subnet mask of 255.0.0.0
- 172.16.0.0 with subnet mask of 255.240.0.0
- 192.168.0.0 with subnet mask of 255.255.0.0
43) What is tracert?
Tracert is a Windows utility program that can be used to trace the route taken by data from the router to the destination network. It also shows the number of hops taken along the entire transmission route.
44) What are the functions of a network administrator?
A network administrator has many responsibilities that can be summarized into 3 key functions: installation of a network, configuration of network settings, and maintenance/troubleshooting of networks.
45) Describe at least one disadvantage of a peer-to-peer network.
When you are accessing the resources that are shared by one of the workstations on the network, that workstation takes a performance hit.
46) What is Hybrid Network?
A hybrid network is a network setup that makes use of both client-server and peer-to-peer architecture.
47) What is DHCP?
DHCP is short for Dynamic Host Configuration Protocol. Its main task is to automatically assign an IP address to devices across the network. It first checks for the next available address not yet taken by any device, then assigns this to a network device.
48) What is the main job of the ARP?
The main task of ARP or Address Resolution Protocol is to map a known IP address to a MAC layer address.
49) What is TCP/IP?
TCP/IP is short for Transmission Control Protocol / Internet Protocol. This is a set of protocol layers that is designed to make data exchange possible on different types of computer networks, also known as heterogeneous network.
50) How can you manage a network using a router?
Routers have a built-in console that lets you configure different settings, like security and data logging. You can assign restrictions to computers, such as what resources they are allowed to access, or what time of day they can browse the internet. You can even put restrictions on what websites are not viewable across the entire network.
51) What protocol can be applied when you want to transfer files between different platforms, such as between UNIX systems and Windows servers?
Use FTP (File Transfer Protocol) for file transfers between such different servers. This is possible because FTP is platform independent.
52) What is the use of a default gateway?
Default gateways provide means for the local networks to connect to the external network. The default gateway for connecting to the external network is usually the address of the external router port.
53) One way of securing a network is through the use of passwords. What can be considered as good passwords?
Good passwords are made up of not just letters but a combination of letters and numbers. A password that combines uppercase and lowercase letters is preferable to one that uses all upper case or all lower case letters. Passwords must not be words that can easily be guessed by hackers, such as dates, names, favorites, etc. Longer passwords are also better than short ones.
54) What is the proper termination rate for UTP cables?
The proper termination for unshielded twisted pair network cable is 100 ohms.
55) What is netstat?
Netstat is a command line utility program. It provides useful information about the current TCP/IP settings of a connection.
56) What is the number of network IDs in a Class C network?
For a Class C network, the number of usable Network ID bits is 21. The number of possible network IDs is 2 raised to 21 or 2,097,152. The number of host IDs per network ID is 2 raised to 8 minus 2, or 254.
57) What happens when you use cables longer than the prescribed length?
Cables that are too long would result in signal loss. This means that data transmission and reception would be affected, because the signal degrades over length.
58) What common software problems can lead to network defects?
Software related problems can be any or a combination of the following:
- client server problems
- application conflicts
- error in configuration
- protocol mismatch
- security issues
- user policy and rights issues
59) What is ICMP?
ICMP is Internet Control Message Protocol. It provides messaging and communication for protocols within the TCP/IP stack. This is also the protocol that manages error messages that are used by network tools such as PING.
60) What is Ping?
Ping is a utility program that allows you to check connectivity between network devices on the network. You can ping a device by using its IP address or device name, such as a computer name.
61) What is peer to peer?
Peer-to-peer networks do not rely on a server. All PCs on such a network act as individual workstations.
62) What is DNS?
DNS is Domain Name System. The main function of this network service is to provide host names to TCP/IP address resolution.
63) What advantages does fiber optics have over other media?
One major advantage of fiber optics is that it is less susceptible to electrical interference. It also supports higher bandwidth, meaning more data can be transmitted and received. Signal degradation is also very minimal over long distances.
64) What is the difference between a hub and a switch?
A hub acts as a multiport repeater. However, as more and more devices connect to it, it would not be able to efficiently manage the volume of traffic that passes through it. A switch provides a better alternative that can improve the performance especially when high traffic volume is expected across all ports.
65) What are the different network protocols that are supported by Windows RRAS services?
There are three main network protocols supported: NetBEUI, TCP/IP, and IPX.
66) What are the maximum networks and hosts in a class A, B and C network?
- For Class A, there are 126 possible networks and 16,777,214 hosts
- For Class B, there are 16,384 possible networks and 65,534 hosts
- For Class C, there are 2,097,152 possible networks and 254 hosts
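The classful figures in questions 35, 42, 56 and 66 worked out in code. This is an added example, not part of the original question list: it classifies an address by the leading bits of its first octet, derives the network and host counts per class from the bit split, and checks membership in the private ranges listed in question 42.

```python
from ipaddress import IPv4Address, IPv4Network

# Leading-bit pattern of the first octet -> address class (longest match first).
CLASS_PREFIXES = [("1111", "E"), ("1110", "D"), ("110", "C"), ("10", "B"), ("0", "A")]

# For the unicast classes: bits left for the network ID after the fixed class
# prefix, and the classful network prefix length in bits.
CLASS_NETWORK_BITS = {"A": (7, 8), "B": (14, 16), "C": (21, 24)}

# The private ranges from question 42, written with the masks the answer gives.
PRIVATE_RANGES = [
    IPv4Network("10.0.0.0/255.0.0.0"),
    IPv4Network("172.16.0.0/255.240.0.0"),
    IPv4Network("192.168.0.0/255.255.0.0"),
]


def ip_class(addr: str) -> str:
    """Classify an IPv4 address by the leading bits of its first octet (question 35)."""
    first_octet = int(IPv4Address(addr)) >> 24
    bits = format(first_octet, "08b")
    for prefix, cls in CLASS_PREFIXES:
        if bits.startswith(prefix):
            return cls
    raise AssertionError("every 8-bit pattern matches one of the prefixes above")


def class_capacity(cls: str) -> tuple:
    """Return (usable networks, usable hosts per network) for class A, B or C."""
    if cls not in CLASS_NETWORK_BITS:
        raise ValueError(f"class {cls} has no network/host split")
    net_bits, prefix_len = CLASS_NETWORK_BITS[cls]
    networks = 2 ** net_bits
    if cls == "A":
        networks -= 2  # 0.x.x.x and 127.x.x.x (loopback) are reserved, hence 126
    hosts = 2 ** (32 - prefix_len) - 2  # minus the network and broadcast addresses
    return networks, hosts


def classful_network(addr: str) -> str:
    """The classful network an address belongs to, e.g. 192.168.101.2 -> 192.168.101.0/24."""
    cls = ip_class(addr)
    if cls not in CLASS_NETWORK_BITS:
        raise ValueError(f"class {cls} addresses are not unicast networks")
    prefix_len = CLASS_NETWORK_BITS[cls][1]
    return str(IPv4Network(f"{addr}/{prefix_len}", strict=False))


def is_private(addr: str) -> bool:
    """True if the address falls inside one of the private ranges from question 42."""
    ip = IPv4Address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


if __name__ == "__main__":
    # Constructed sample addresses, including the one used in question 31.
    for sample in ("10.0.0.1", "172.31.255.1", "192.168.101.2", "198.105.232.4", "224.0.0.1"):
        print(sample, "class", ip_class(sample), "private" if is_private(sample) else "public")
    for cls in "ABC":
        print("class", cls, "networks/hosts:", class_capacity(cls))
```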
67) What is the standard color sequence of a straight-through cable?
orange/white, orange, green/white, blue, blue/white, green, brown/white, brown.
68) What protocols fall under the Application layer of the TCP/IP stack?
The following are the protocols under TCP/IP Application layer: FTP, TFTP, Telnet and SMTP.
69) You need to connect two computers for file sharing. Is it possible to do this without using a hub or router?
Yes, you can connect two computers together using only one cable. A crossover type cable can be used in this scenario. In this setup, the data transmit pin at one end of the cable is connected to the data receive pin at the other end, and vice versa.
70) What is ipconfig?
Ipconfig is a utility program that is commonly used to identify the address information of a computer on a network. It can show the physical address as well as the IP address.
71) What is the difference between a straight-through and crossover cable?
A straight-through cable is used to connect computers to a switch, hub or router. A crossover cable is used to connect two similar devices together, such as a PC to PC or Hub to hub.
72) What is client/server?
Client/server is a type of network wherein one or more computers act as servers. Servers provide a centralized repository of resources such as printers and files. Clients refer to the workstations that access the server.
73) Describe networking.
Networking refers to the interconnection between computers and peripherals for data communication. Networking can be done using wired cabling or through a wireless link.
74) When you move a NIC card from one PC to another PC, does the MAC address get transferred as well?
Yes, that's because MAC addresses are hard-wired into the NIC circuitry, not the PC. This also means that a PC can have a different MAC address when the NIC card is replaced by another one.
75) Define clustering support
Clustering support refers to the ability of a network operating system to connect multiple servers in a fault-tolerant group. The main purpose is that in the event that one server fails, all processing will continue on the next server in the cluster.
76) In a network that contains two servers and twenty workstations, where is the best place to install an Anti-virus program?
An anti-virus program must be installed on all servers and workstations to ensure protection. That's because individual users can access any workstation and introduce a computer virus when plugging in their removable hard drives or flash drives.
77) Describe Ethernet.
Ethernet is one of the popular networking technologies used these days. It was developed during the early 1970s and is based on specifications as stated in the IEEE. Ethernet is used in local area networks.
78) What are some drawbacks of implementing a ring topology?
In case one workstation on the network suffers a malfunction, it can bring down the entire network. Another drawback is that when there are adjustments and reconfigurations needed to be performed on a particular part of the network, the entire network has to be temporarily brought down as well.
79) What is the difference between CSMA/CD and CSMA/CA?
CSMA/CD, or Collision Detect, retransmits data frames whenever a collision occurs. CSMA/CA, or Collision Avoidance, will first broadcast its intent to send prior to data transmission.
80) What is SMTP?
SMTP is short for Simple Mail Transfer Protocol. This protocol deals with all Internet mail, and provides the necessary mail delivery services on the TCP/IP protocol stack.
81) What is multicast routing?
Multicast routing is a targeted form of broadcasting that sends messages to a selected group of users, instead of sending them to all users on a subnet.
82) What is the importance of Encryption on a network?
Encryption is the process of translating information into a code that is unreadable by the user. It is then translated back, or decrypted, to its normal readable format using a secret key or password. Encryption helps ensure that information intercepted in transit remains unreadable, because the reader has to have the correct password or key for it.
83) How are IP addresses arranged and displayed?
IP addresses are displayed as a series of four decimal numbers that are separated by period or dots. Another term for this arrangement is the dotted decimal format. An example is 192.168.101.2
84) Explain the importance of authentication.
Authentication is the process of verifying a user's credentials before he can log into the network. It is normally performed using a username and password. This provides a secure means of limiting the access from unwanted intruders on the network.
85) What do mean by tunnel mode?
This is a mode of data exchange wherein two communicating computers do not use IPSec themselves. Instead, the gateway that is connecting their LANs to the transit network creates a virtual tunnel that uses the IPSec protocol to secure all communication that passes through it.
86) What are the different technologies involved in establishing WAN links?
Analog connections – using conventional telephone lines; Digital connections – using digital-grade telephone lines; switched connections – using multiple sets of links between sender and receiver to move data.
87) What is one advantage of mesh topology?
In the event that one link fails, there will always be another available. Mesh topology is actually one of the most fault-tolerant network topologies.
88) When troubleshooting computer network problems, what common hardware-related problems can occur?
A large percentage of a network is made up of hardware. Problems in these areas can range from malfunctioning hard drives and broken NICs to hardware startup failures. Incorrect hardware configuration is also one of the culprits to look into.
89) What can be done to fix signal attenuation problems?
A common way of dealing with such a problem is to use repeaters and hubs, because they help regenerate the signal and therefore prevent signal loss. Checking that cables are properly terminated is also a must.
90) How does dynamic host configuration protocol aid in network administration?
Instead of having to visit each client computer to configure a static IP address, the network administrator can apply dynamic host configuration protocol to create a pool of IP addresses known as scopes that can be dynamically assigned to clients.
91) Explain profile in terms of networking concept?
Profiles are the configuration settings made for each user. A profile may be created that puts a user in a group, for example.
92) What is sneakernet?
Sneakernet is believed to be the earliest form of networking, wherein data is physically transported using removable media such as disks and tapes.
93) What is the role of IEEE in computer networking?
IEEE, or the Institute of Electrical and Electronics Engineers, is an organization composed of engineers that issues and manages standards for electrical and electronic devices. This includes networking devices, network interfaces, cabling and connectors.
94) What protocols fall under the TCP/IP Internet Layer?
There are 4 protocols that are being managed by this layer. These are ICMP, IGMP, IP and ARP.
95) When it comes to networking, what are rights?
Rights refer to the authorized permission to perform specific actions on the network. Each user on the network can be assigned individual rights, depending on what must be allowed for that user.
96) What is one basic requirement for establishing VLANs?
A VLAN is required because at the switch level there is only one broadcast domain, which means that whenever a new user is connected to the switch this information is spread throughout the network. A VLAN on the switch helps to create separate broadcast domains at the switch level. It is used for security purposes.
97) What is IPv6?
IPv6, or Internet Protocol version 6, was developed to replace IPv4. At present, IPv4 is being used to control internet traffic, but is expected to get saturated in the near future. IPv6 was designed to overcome this limitation.
98) What is RSA algorithm?
RSA is short for Rivest-Shamir-Adleman algorithm. It is the most commonly used public key encryption algorithm in use today.
99) What is mesh topology?
Mesh topology is a setup wherein each device is connected directly to every other device on the network. Consequently, it requires that each device have at least two network connections.
100) What is the maximum segment length of a 100Base-FX network?
The maximum allowable length for a network segment using 100Base-FX is 412 meters. The maximum length for the entire network is 5 kilometers.
Applies to:
- Windows 10, version 1607 and later
- Windows 10 Mobile, version 1607 and later (except Microsoft Azure Rights Management, which is only available on the desktop)
Microsoft Intune has an easy way to create and deploy a Windows Information Protection (WIP) policy. You can choose which apps to protect, the level of protection, and how to find enterprise data on the network. The devices can be fully managed by Mobile Device Management (MDM), or managed by Mobile Application Management (MAM), where Intune manages only the apps on a user's personal device.
Differences between MDM and MAM for WIP
You can create an app protection policy in Intune either with device enrollment for MDM or without device enrollment for MAM. The process to create either policy is similar, but there are important differences:
- MAM has additional Access settings for Windows Hello for Business.
- MAM can selectively wipe company data from a user's personal device.
- MAM requires an Azure Active Directory (Azure AD) Premium license.
- An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery depends on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
- MAM supports only one user per device.
- MAM can only manage enlightened apps.
- Only MDM can use BitLocker CSP policies.
- If the same user and device are targeted for both MDM and MAM, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using Settings > Email & accounts > Add a work or school account), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in Settings. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access.
Prerequisites
Before you can create a WIP policy using Intune, you need to configure an MDM or MAM provider in Azure Active Directory (Azure AD). MAM requires an Azure Active Directory (Azure AD) Premium license. An Azure AD Premium license is also required for WIP auto-recovery, where a device can re-enroll and re-gain access to protected data. WIP auto-recovery relies on Azure AD registration to back up the encryption keys, which requires device auto-enrollment with MDM.
Configure the MDM or MAM provider
Sign in to the Azure portal.
Click Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune.
Click Restore Default URLs or enter the settings for MDM or MAM user scope and click Save.
Create a WIP policy
Sign in to the Azure portal.
Open Microsoft Intune and click Client apps > App protection policies > Create policy.
In the App policy screen, click Add a policy, and then fill out the fields:
Name. Type a name (required) for your new policy.
Description. Type an optional description.
Platform. Choose Windows 10.
Enrollment state. Choose Without enrollment for MAM or With enrollment for MDM.
Click Protected apps and then click Add apps.
You can add these types of apps: recommended apps, Store apps, and Desktop apps. Each is described in the following sections.
Note
An application might return access denied errors after removing it from the list of protected apps. Rather than remove it from the list, uninstall and reinstall the application or exempt it from WIP policy.
Add recommended apps
Select Recommended apps and select each app you want to access your enterprise data or select them all, and click OK.
Add Store apps
Select Store apps, type the app product name and publisher, and click OK. For example, to add the Power BI Mobile App from the Store, type the following:
- Name: Microsoft Power BI
- Publisher: CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Product Name: Microsoft.MicrosoftPowerBIForWindows
To add multiple Store apps, click the ellipsis ….
If you don't know the Store app publisher or product name, you can find them by following these steps.
Go to the Microsoft Store for Business website, and find your app. For example, Power BI Mobile App.
Copy the ID value from the app URL. For example, the Power BI Mobile App ID URL is https://www.microsoft.com/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, 9nblgggzlxn1.
In a browser, run the Store for Business portal web API to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata, where 9nblgggzlxn1 is replaced with your ID value. The API runs and opens a text editor with the app details.
Copy the publisherCertificateName value into the Publisher box and copy the packageIdentityName value into the Name box of Intune.
Important
The JSON file might also return a windowsPhoneLegacyId value for both the Publisher Name and Product Name boxes. This means that you have an app that's using a XAP package and that you must set the Product Name as the windowsPhoneLegacyId, and set the Publisher Name as CN= followed by the windowsPhoneLegacyId. For example:
{ "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d" }
If you need to add Windows 10 mobile apps that aren't distributed through the Store for Business, you must use the Windows Device Portal feature.
Note
Your PC and phone must be on the same wireless network.
On the Windows Phone, go to Settings, choose Update & security, and then choose For developers.
In the For developers screen, turn on Developer mode, turn on Device Discovery, and then turn on Device Portal.
Copy the URL in the Device Portal area into your device's browser, and then accept the SSL certificate.
In the Device discovery area, press Pair, and then enter the PIN into the website from the previous step.
On the Apps tab of the website, you can see details for the running apps, including the publisher and product names.
Start the app for which you're looking for the publisher and product name values.
Copy the publisherCertificateName value and paste it into the Publisher Name box, and the packageIdentityName value into the Product Name box of Intune.
Important
The JSON file might also return a windowsPhoneLegacyId value for both the Publisher Name and Product Name boxes. This means that you have an app that's using a XAP package and that you must set the Product Name as the windowsPhoneLegacyId, and set the Publisher Name as CN= followed by the windowsPhoneLegacyId. For example:
{ "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d" }
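The lookup described in the Store apps steps above, and the XAP rule repeated in the Important notes of both the Store apps and Windows Device Portal sections, can be scripted. The following is an added example, not code from the original page or from Microsoft: it converts the applockerdata JSON returned by the Store for Business endpoint into the Publisher and Product Name values the Intune form expects, and switches to the CN=windowsPhoneLegacyId form when a legacy ID is present. The function names, the Store ID length check, and the sample JSON strings are my own constructions; the sample values for Power BI are copied from the example above.

```powershell
# Added example, not from the original page: convert applockerdata JSON into the
# Publisher / Product Name pair for the Intune WIP "Store apps" form, applying the
# XAP rule when windowsPhoneLegacyId is present. Function names and the sample JSON
# below are constructed for illustration.

function ConvertFrom-WipAppLockerData {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$Json
    )
    process {
        $data = $Json | ConvertFrom-Json

        if ($data.windowsPhoneLegacyId) {
            # XAP package: Product Name is the legacy ID, Publisher is "CN=" + the legacy ID.
            return [pscustomobject]@{
                PackageType = 'XAP'
                Publisher   = "CN=$($data.windowsPhoneLegacyId)"
                ProductName = $data.windowsPhoneLegacyId
            }
        }

        if (-not $data.publisherCertificateName -or -not $data.packageIdentityName) {
            throw 'applockerdata did not contain publisherCertificateName and packageIdentityName.'
        }

        [pscustomobject]@{
            PackageType = 'APPX'
            Publisher   = $data.publisherCertificateName   # goes into the Publisher box
            ProductName = $data.packageIdentityName        # goes into the Name (Product Name) box
        }
    }
}

function Get-WipStoreAppIdentity {
    # Online lookup by Store ID (the last path segment of the Store URL, e.g. 9nblgggzlxn1).
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[0-9A-Za-z]{12}$')]   # assumption: Store IDs are 12 alphanumeric characters
        [string]$StoreId
    )
    $uri = "https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/$StoreId/applockerdata"
    (Invoke-WebRequest -Uri $uri -UseBasicParsing).Content | ConvertFrom-WipAppLockerData
}

# Offline checks with constructed JSON (not captured API output), using the Power BI values above.
$appxSample = '{ "publisherCertificateName": "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US", "packageIdentityName": "Microsoft.MicrosoftPowerBIForWindows" }'
$xapSample  = '{ "windowsPhoneLegacyId": "ca05b3ab-f157-450c-8c49-a1f127f5e71d" }'
$appxSample | ConvertFrom-WipAppLockerData | Format-List
$xapSample  | ConvertFrom-WipAppLockerData | Format-List

# Live lookup (needs internet access to the Store for Business endpoint):
# Get-WipStoreAppIdentity -StoreId 9nblgggzlxn1
```

The parser is separated from the web call so the XAP branch can be checked offline; in a pipeline that bulk-loads a protected apps list, feed it the IDs copied from the Store URLs and paste the resulting Publisher and ProductName values into Intune.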
Add Desktop apps
To add Desktop apps, complete the following fields, based on what results you want returned.
Field | Manages |
---|---|
All fields marked as '*' | All files signed by any publisher. (Not recommended and may not work) |
Publisher only | If you only fill out this field, you'll get all files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps. |
Publisher and Name only | If you only fill out these fields, you'll get all files for the specified product, signed by the named publisher. |
Publisher, Name, and File only | If you only fill out these fields, you'll get any version of the named file or package for the specified product, signed by the named publisher. |
Publisher, Name, File, and Min version only | If you only fill out these fields, you'll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened. |
Publisher, Name, File, and Max version only | If you only fill out these fields, you'll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher. |
All fields completed | If you fill out all fields, you'll get the specified version of the named file or package for the specified product, signed by the named publisher. |
To add another Desktop app, click the ellipsis …. After you've entered the info into the fields, click OK.
If you're unsure about what to include for the publisher, you can run the Get-AppLockerFileInformation PowerShell cmdlet, passing the location of the app on the device as its -Path argument. For WordPad, the Publisher column of the output shows O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US, which is the Publisher name, and WORDPAD.EXE, which is the File name.
For guidance on how to get the Product Name for the apps you want to add, contact the Windows Support Team.
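As an added example (not the page's own snippet), the following script reads a desktop app's signature with the AppLocker module and maps it onto the Desktop app fields in the table above: Publisher, Name, File, and the version that can be used as Min version or Max version. A second function lists the distinct signers under a folder, which is the information the "Publisher only" row relies on. It requires the AppLocker module (Windows 10 Pro or Enterprise); the WordPad path and the vendor folder are assumptions.

```powershell
# Added example, not from the original page: present the digital signature of a desktop
# executable as the WIP Desktop app fields, and list the publishers found under a folder.
# The WordPad path and the Contoso folder are assumptions for illustration.

function Get-WipDesktopAppFields {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [ValidateScript({ Test-Path -LiteralPath $_ -PathType Leaf })]
        [string]$Path
    )
    $info = Get-AppLockerFileInformation -Path $Path
    if (-not $info.Publisher) {
        # Unsigned binary: there is no publisher to enter, so the app needs an AppLocker
        # path rule instead (see "Create an Executable rule for unsigned apps").
        throw "$Path is not signed; use a path-based AppLocker rule instead of publisher fields."
    }
    [pscustomobject]@{
        Publisher = $info.Publisher.PublisherName   # Publisher field, e.g. O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US
        Name      = $info.Publisher.ProductName     # Name (product) field
        File      = $info.Publisher.BinaryName      # File field, e.g. WORDPAD.EXE
        Version   = $info.Publisher.BinaryVersion   # use as Min version, Max version, or both for an exact pin
    }
}

function Get-WipPublishersInFolder {
    # Distinct signers of the executables under a folder: tells you whether one
    # "Publisher only" entry would cover an internal line-of-business app, or whether
    # several publishers (or unsigned files) are mixed in.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Folder)
    Get-AppLockerFileInformation -Directory $Folder -Recurse -FileType Exe |
        Where-Object { $_.Publisher } |
        Group-Object { $_.Publisher.PublisherName } |
        Select-Object @{ n = 'Publisher'; e = { $_.Name } }, @{ n = 'SignedExeCount'; e = { $_.Count } }
}

Get-WipDesktopAppFields -Path "$env:ProgramFiles\Windows NT\Accessories\wordpad.exe" | Format-List
Get-WipPublishersInFolder -Folder 'C:\Program Files\Contoso'   # constructed vendor folder
```

Leaving the version fields blank in Intune corresponds to the "Publisher, Name, and File only" row; copying Version into Min version gives the recommended "that version or newer" rule for enlightened apps.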
Import a list of apps
This section covers two examples of using an AppLocker XML file to add apps to the Protected apps list. You'll use this option if you want to add multiple apps at the same time.
For more info about AppLocker, see the AppLocker content.
Create a Packaged App rule for Store apps
Open the Local Security Policy snap-in (SecPol.msc).
In the left blade, expand Application Control Policies, expand AppLocker, and then click Packaged App Rules.
Right-click in the right-hand blade, and then click Create New Rule.
The Create Packaged app Rules wizard appears.
On the Before You Begin page, click Next.
On the Permissions page, make sure the Action is set to Allow and the User or group is set to Everyone, and then click Next.
On the Publisher page, click Select from the Use an installed packaged app as a reference area.
In the Select applications box, pick the app that you want to use as the reference for your rule, and then click OK. For this example, we're using Microsoft Dynamics 365.
On the updated Publisher page, click Create.
Click No in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy.
Review the Local Security Policy snap-in to make sure your rule is correct.
In the left blade, right-click on AppLocker, and then click Export policy.
The Export policy box opens, letting you export and save your new policy as XML.
In the Export policy box, browse to where the policy should be stored, give the policy a name, and then click Save.
The policy is saved and you'll see a message that says 1 rule was exported from the policy.
Example XML file
The exported file is the AppLocker policy XML that AppLocker creates for Microsoft Dynamics 365. After you've created your XML file, you need to import it by using Microsoft Intune.
Create an Executable rule for unsigned apps
The executable rule helps you create an AppLocker rule for unsigned apps. It lets you add the file path, or the app publisher contained in the file's digital signature, that the WIP policy needs in order to be applied.
Open the Local Security Policy snap-in (SecPol.msc).
In the left pane, click Application Control Policies > AppLocker > Executable Rules.
Right-click Executable Rules > Create New Rule.
On the Before You Begin page, click Next.
On the Permissions page, make sure the Action is set to Allow and the User or group is set to Everyone, and then click Next.
On the Conditions page, click Path and then click Next.
Click Browse Folders... and select the path for the unsigned apps. For this example, we're using C:\Program Files.
On the Exceptions page, add any exceptions and then click Next.
On the Name page, type a name and description for the rule and then click Create.
In the left pane, right-click AppLocker > Export policy.
In the Export policy box, browse to where the policy should be stored, give the policy a name, and then click Save.
The policy is saved and you'll see a message that says 1 rule was exported from the policy.
After you've created your XML file, you need to import it by using Microsoft Intune.
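Both wizard procedures above can be reproduced from PowerShell, which is easier to repeat across builds and to review. The following is an added example, not from the page or from Microsoft: it creates a packaged-app publisher rule from an installed Store app (the equivalent of "Use an installed packaged app as a reference"), adds an executable path rule for a folder of unsigned apps, and checks the result for the two things the page says must not be imported, default rules and anything other than Allow. The Calculator package stands in for the page's Dynamics 365 reference app; the vendor folder and output path are assumptions.

```powershell
# Added example, not from the original page: build the AppLocker policy XML that the two
# wizard procedures export (packaged-app publisher rule + executable path rule), then
# check it before importing into Intune. Package name, folder and output path are assumptions.

function New-WipAppLockerPolicyXml {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$PackageName,        # identity name of an installed Store app
        [Parameter(Mandatory)][string]$UnsignedAppFolder   # folder to allow by path, e.g. C:\Program Files\Contoso
    )
    # Packaged-app publisher rule, from the installed package's signature.
    $pkg = Get-AppxPackage -Name $PackageName | Select-Object -First 1
    if (-not $pkg) { throw "Package $PackageName is not installed for the current user." }
    $appxInfo = Get-AppLockerFileInformation -Packages $pkg
    # New-AppLockerPolicy emits only rules for the files given; it never adds the AppLocker
    # default rules that the wizard offers and that must not be in a WIP policy.
    $doc = [xml](New-AppLockerPolicy -FileInformation $appxInfo -RuleType Publisher -User Everyone -Xml)

    # Executable path rule: the equivalent of Conditions > Path in the Executable Rules wizard.
    $exe = @($doc.AppLockerPolicy.RuleCollection) | Where-Object { $_.GetAttribute('Type') -eq 'Exe' }
    if (-not $exe) {
        $exe = $doc.CreateElement('RuleCollection')
        $exe.SetAttribute('Type', 'Exe')
        $exe.SetAttribute('EnforcementMode', 'NotConfigured')
        $null = $doc.DocumentElement.AppendChild($exe)
    }
    $rule = $doc.CreateElement('FilePathRule')
    $rule.SetAttribute('Id', [guid]::NewGuid().ToString())
    $rule.SetAttribute('Name', "Unsigned apps under $UnsignedAppFolder")
    $rule.SetAttribute('Description', '')
    $rule.SetAttribute('UserOrGroupSid', 'S-1-1-0')   # Everyone, as on the wizard's Permissions page
    $rule.SetAttribute('Action', 'Allow')
    $conditions = $doc.CreateElement('Conditions')
    $condition  = $doc.CreateElement('FilePathCondition')
    $condition.SetAttribute('Path', (Join-Path $UnsignedAppFolder '*'))
    $null = $conditions.AppendChild($condition)
    $null = $rule.AppendChild($conditions)
    $null = $exe.AppendChild($rule)
    $doc
}

function Test-WipAppLockerPolicyXml {
    # Fails if the policy contains anything the WIP import should not see.
    [CmdletBinding()]
    param([Parameter(Mandatory)][xml]$Policy)
    $rules = @($Policy.SelectNodes('//FilePublisherRule | //FilePathRule | //FileHashRule'))
    if ($rules.Count -eq 0) { throw 'Policy contains no rules.' }
    $defaults = $rules | Where-Object { $_.GetAttribute('Name') -like '(Default Rule)*' }
    if ($defaults) { throw 'Policy contains AppLocker default rules; answer No to the default-rules prompt.' }
    $denies = $rules | Where-Object { $_.GetAttribute('Action') -ne 'Allow' }
    if ($denies) { throw 'Protected apps is an allow list; remove Deny rules before importing.' }
    [pscustomobject]@{
        PublisherRules = @($Policy.SelectNodes('//FilePublisherRule')).Count
        PathRules      = @($Policy.SelectNodes('//FilePathRule')).Count
    }
}

$policy = New-WipAppLockerPolicyXml -PackageName 'Microsoft.WindowsCalculator' -UnsignedAppFolder 'C:\Program Files\Contoso'
Test-WipAppLockerPolicyXml -Policy $policy
$policy.Save("$env:USERPROFILE\Desktop\WipProtectedApps.xml")   # import this file in Intune > Protected apps > Import apps
```

A path rule on a folder that standard users can write to would let any binary dropped there be treated as a protected app, so keep the folder under Program Files or another location with restricted ACLs.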
To import a list of protected apps using Microsoft Intune
In Protected apps, click Import apps.
Then import your file.
Browse to your exported AppLocker policy file, and then click Open.
The file imports and the apps are added to your Protected apps list.
Exempt apps from a WIP policy
If your app is incompatible with WIP, but still needs to be used with enterprise data, you can exempt the app from the WIP restrictions. This means that your apps won't include auto-encryption or tagging and won't honor your network restrictions. It also means that your exempted apps might leak.
In Client apps - App protection policies, click Exempt apps.
In Exempt apps, click Add apps.
Be aware that when you exempt apps, they're allowed to bypass the WIP restrictions and access your corporate data.
Fill out the rest of the app info, based on the type of app you're adding:
Click OK.
Manage the WIP protection mode for your enterprise data
After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
We recommend that you start with Silent or Allow Overrides while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, Block.
From the App protection policy blade, click the name of your policy, and then click Required settings.
Mode | Description |
---|---|
Block | WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise. |
Allow Overrides | WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. For info about how to collect your audit log files, see How to collect Windows Information Protection (WIP) audit event logs. |
Silent | WIP runs silently, logging inappropriate data sharing, without blocking anything that would've been prompted for employee interaction while in Allow Overrides mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still stopped. |
Off (not recommended) | WIP is turned off and doesn't help to protect or audit your data. |
After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn't automatically reapplied if you turn WIP protection back on.
Click Save.
Define your enterprise-managed corporate identity
Corporate identity, usually expressed as your primary Internet domain (for example, contoso.com), helps to identify and tag your corporate data from apps you've marked as protected by WIP. For example, emails using contoso.com are identified as being corporate and are restricted by your Windows Information Protection policies.
Starting with Windows 10, version 1703, Intune automatically determines your corporate identity and adds it to the Corporate identity field.
To change your corporate identity
From the App policy blade, click the name of your policy, and then click Required settings.
If the auto-defined identity isn't correct, you can change the info in the Corporate identity field.
To add domains, such as your email domain names, click Configure Advanced settings > Add network boundary and select Protected domains.
Choose where apps can access enterprise data
After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include your enterprise network locations.
There are no default locations included with WIP, you must add each of your network locations. This area applies to any network endpoint device that gets an IP address in your enterprise's range and is also bound to one of your enterprise domains, including SMB shares. Local file system locations should just maintain encryption (for example, on local NTFS, FAT, ExFAT).
To define the network boundaries, click App policy > the name of your policy > Advanced settings > Add network boundary.
Select the type of network boundary to add from the Boundary type box. Type a name for your boundary into the Name box, add your values to the Value box, based on the options covered in the following subsections, and then click OK.
Cloud resources
Specify the cloud resources to be treated as corporate and protected by WIP. For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.
Separate multiple resources with the '|' delimiter. If you don't use proxy servers, you must also include the ',' delimiter just before the '|'. For example:
Personal applications will be able to access a cloud resource that has a blank space or an invalid character, such as a trailing dot in the URL.
To add a subdomain for a cloud resource, use a period (.) instead of an asterisk (*). For example, to add all subdomains within Office.com, use '.office.com' (without the quotation marks).
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example:
When you use this string, we recommend that you also turn on Azure Active Directory Conditional Access, using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.
Value format with proxy:
Value format without proxy:
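The formatting rules for the Cloud resources value (a '|' between resources, a ',' before the '|' when a resource has no internal proxy, a leading '.' to cover subdomains, no blank spaces or trailing dots, and the optional /*AppCompat*/ string) are easy to get wrong by hand, and a malformed entry silently becomes reachable by personal apps. The following is an added example, not from the page or from Microsoft: one function builds the value from a list of hosts and optional internal proxies and refuses invalid hostnames, and another audits an existing value. All hostnames are constructed. Placing /*AppCompat*/ as a final '|'-separated entry is an assumption drawn from the delimiter rules above, so compare it with what the Intune portal generates before relying on it.

```powershell
# Added example, not from the original page: build and audit the WIP Cloud resources value.
# Hostnames are constructed; the position of /*AppCompat*/ is an assumption (see lead-in).

$script:WipHostPattern = '^\.?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'   # optional leading dot; no spaces, no trailing dot

function New-WipCloudResourceValue {
    [CmdletBinding()]
    param(
        # Each entry: @{ Host = 'contoso.sharepoint.com'; Proxy = 'proxy.corp.contoso.com' }; Proxy is optional.
        [Parameter(Mandatory)][hashtable[]]$Resources,
        [switch]$AppCompat   # append /*AppCompat*/ so connections by IP address are not blocked
    )
    $entries = @(foreach ($r in $Resources) {
        $h = [string]$r.Host
        if ($h -notmatch $script:WipHostPattern) {
            throw "Invalid cloud resource '$h': a blank space or trailing dot would let personal apps reach it."
        }
        if ($r.Proxy) {
            if ([string]$r.Proxy -notmatch $script:WipHostPattern) { throw "Invalid internal proxy '$($r.Proxy)'." }
            "$h,$($r.Proxy)"
        } else {
            "$h,"   # the ',' must still precede the '|' when no proxy is used
        }
    })
    if ($AppCompat) { $entries += '/*AppCompat*/' }
    $entries -join '|'
}

function Test-WipCloudResourceValue {
    # Audits an existing value (for example one copied out of a policy) and returns the offending entries.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Value)
    foreach ($entry in $Value -split '\|') {
        if ($entry -eq '/*AppCompat*/') { continue }
        $h, $proxy = $entry -split ',', 2
        $problems = @()
        if ($null -eq $proxy) { $problems += "missing ',' before '|'" }
        if ($h -notmatch $script:WipHostPattern) { $problems += 'invalid host (space, trailing dot or bad character)' }
        if ($proxy -and $proxy -notmatch $script:WipHostPattern) { $problems += 'invalid proxy' }
        if ($problems) { [pscustomobject]@{ Entry = $entry; Problem = $problems -join '; ' } }
    }
}

# Constructed example: one host via an internal proxy, one without, all Office.com subdomains, AppCompat on.
New-WipCloudResourceValue -AppCompat -Resources @(
    @{ Host = 'contoso.sharepoint.com'; Proxy = 'proxy.corp.contoso.com' },
    @{ Host = 'contoso.visualstudio.com' },
    @{ Host = '.office.com' }
)

# Audit a value with a trailing dot and a missing ',' in its first entry.
Test-WipCloudResourceValue -Value 'contoso.sharepoint.com.|contoso.visualstudio.com,'
```

Run Test-WipCloudResourceValue against the values already deployed in your tenant; an entry it flags is one the page says personal applications will be able to access.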
Protected domains
Specify the domains used for identities in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. Separate multiple domains with the '|' delimiter.
Network domains
Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. Separate multiple resources with the ',' delimiter.
Proxy servers
Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
This list shouldn't include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic. Separate multiple resources with the ';' delimiter.
Internal proxy servers
Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic. Separate multiple resources with the ';' delimiter.
IPv4 ranges
Starting with Windows 10, version 1703, this field is optional.
Specify the addresses for a valid IPv4 value range within your intranet.These addresses, used with your Network domain names, define your corporate network boundaries.Classless Inter-Domain Routing (CIDR) notation isn't supported.
Separate multiple ranges with the ',' delimiter.
- Starting IPv4 Address: 3.4.0.1
- Ending IPv4 Address: 3.4.255.254
- Custom URI: 3.4.0.1-3.4.255.254,10.0.0.1-10.255.255.254
IPv6 ranges
Starting with Windows 10, version 1703, this field is optional.
Specify the addresses for a valid IPv6 value range within your intranet.These addresses, used with your network domain names, define your corporate network boundaries.Classless Inter-Domain Routing (CIDR) notation isn't supported.
Separate multiple ranges with the ',' delimiter.
- Starting IPv6 Address: 2a01:110::
- Ending IPv6 Address: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
- Custom URI: 2a01:110::-2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
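Because the IPv4 and IPv6 range fields take start-end pairs and reject CIDR notation, the blocks a network team hands over usually need converting. The following is an added example, not from the page or from Microsoft: it converts CIDR blocks into the comma-separated Custom URI form shown in the two examples above, using BigInteger arithmetic so the same routine handles both address families. The -HostsOnly switch drops the network and broadcast addresses of an IPv4 block, matching the .1 to .254 style of the IPv4 example. The CIDR blocks in the usage lines are constructed.

```powershell
# Added example, not from the original page: convert CIDR blocks into the "start-end,start-end"
# value that the WIP IPv4 ranges and IPv6 ranges fields accept. The blocks used below are constructed.

function ConvertTo-IpString {
    # Turns a non-negative integer back into dotted or colon-hex notation of the given byte length.
    param([Parameter(Mandatory)][bigint]$Value, [Parameter(Mandatory)][int]$Length)
    $raw = $Value.ToByteArray()                      # little-endian, may carry a trailing sign byte
    $out = New-Object byte[] $Length
    for ($i = 0; $i -lt $Length -and $i -lt $raw.Length; $i++) { $out[$Length - 1 - $i] = $raw[$i] }
    ([System.Net.IPAddress]::new($out)).ToString()
}

function ConvertTo-WipIpRangeValue {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$Cidr,
        [switch]$HostsOnly   # IPv4 only: drop the network and broadcast addresses
    )
    $ranges = foreach ($block in $Cidr) {
        $address, $prefix = $block -split '/', 2
        if ($null -eq $prefix) { throw "Expected CIDR notation, got '$block'." }
        $ip    = [System.Net.IPAddress]::Parse($address)
        $bytes = $ip.GetAddressBytes()               # network byte order
        $bits  = $bytes.Length * 8
        $prefixLen = [int]$prefix
        if ($prefixLen -lt 0 -or $prefixLen -gt $bits) { throw "Prefix length out of range in '$block'." }

        # BigInteger wants little-endian bytes; the extra 0 keeps the value positive.
        [byte[]]$littleEndian = @($bytes[($bytes.Length - 1)..0]) + [byte]0
        $n = [bigint]::new($littleEndian)
        $hostCount = [bigint]::Pow(2, $bits - $prefixLen)
        $start = $n - ($n % $hostCount)              # clear the host bits
        $end   = $start + $hostCount - 1

        $isV4 = $ip.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork
        if ($HostsOnly -and $isV4 -and $hostCount -gt 2) { $start = $start + 1; $end = $end - 1 }

        $s = ConvertTo-IpString -Value $start -Length $bytes.Length
        $e = ConvertTo-IpString -Value $end   -Length $bytes.Length
        "$s-$e"
    }
    $ranges -join ','
}

# Constructed input matching the shape of the two examples above.
ConvertTo-WipIpRangeValue -Cidr '3.4.0.0/16', '10.0.0.0/8' -HostsOnly
ConvertTo-WipIpRangeValue -Cidr '2a01:110::/33', 'fd00::/8'
```

Paste the returned string into the Value box of an IPv4 ranges or IPv6 ranges boundary; keep the Enterprise IP Ranges list authoritative setting in mind, since with it off Windows will also add ranges it discovers from domain-joined devices.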
Neutral resources
Specify your authentication redirection endpoints for your company.These locations are considered enterprise or personal, based on the context of the connection before the redirection.Separate multiple resources with the ',' delimiter.
Decide if you want Windows to look for additional network settings:
Enterprise Proxy Servers list is authoritative (do not auto-detect). Turn on if you want Windows to treat the proxy servers you specified in the network boundary definition as the complete list of proxy servers available on your network. If you turn this off, Windows will search for additional proxy servers in your immediate network.
Enterprise IP Ranges list is authoritative (do not auto-detect). Turn on if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you turn this off, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
Upload your Data Recovery Agent (DRA) certificate
After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can decrypt the data.
Important
Using a DRA certificate isn't mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the Data Recovery and Encrypting File System (EFS) topic. For more info about creating and verifying your EFS DRA certificate, see the Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate topic.
To upload your DRA certificate
From the App policy blade, click the name of your policy, and then click Advanced settings from the menu that appears.
The Advanced settings blade appears.
In the Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data box, click Browse to add a data recovery certificate for your policy.
Choose your optional WIP-related settings
After you've decided where your protected apps can access enterprise data on your network, you can choose optional settings.
Prevent corporate data from being accessed by apps when the device is locked. Applies only to Windows 10 Mobile. Determines whether to encrypt enterprise data using a key that's protected by an employee's PIN code on a locked device. Apps won't be able to read corporate data when the device is locked. The options are:
On. Turns on the feature and provides the additional protection.
Off, or not configured. Doesn't enable this feature.
Revoke encryption keys on unenroll. Determines whether to revoke a user's local encryption keys from a device when it's unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
On, or not configured (recommended). Revokes local encryption keys from a device during unenrollment.
Off. Stop local encryption keys from being revoked from a device during unenrollment. For example if you're migrating between Mobile Device Management (MDM) solutions.
Show the enterprise data protection icon. Determines whether the Windows Information Protection icon overlay appears on corporate files in the Save As and File Explorer views. The options are:
On. Allows the Windows Information Protection icon overlay to appear on corporate files in the Save As and File Explorer views. Additionally, for unenlightened but protected apps, the icon overlay also appears on the app tile and with Managed text on the app name in the Start menu.
Off, or not configured (recommended). Stops the Windows Information Protection icon overlay from appearing on corporate files or unenlightened, but protected apps. Not configured is the default option.
Use Azure RMS for WIP. Determines whether WIP uses Microsoft Azure Rights Management to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. In other words, WIP uses Azure Rights Management 'machinery' to apply EFS encryption to files when they are copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template's license. Only users with permission to that template will be able to read it from the removable drive. WIP can also integrate with Azure RMS by using the AllowAzureRMSForEDP and the RMSTemplateIDForEDP MDM settings in the EnterpriseDataProtection CSP.
On. Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn't actually apply Azure Information Protection to the files.
If you don't specify an RMS template, it's a regular EFS file using a default RMS template that all users can access.
Off, or not configured. Stops WIP from encrypting Azure Rights Management files that are copied to a removable drive.
Note
Regardless of this setting, all files in OneDrive for Business will be encrypted, including moved Known Folders.
Allow Windows Search Indexer to search encrypted files. Determines whether to allow the Windows Search Indexer to index items that are encrypted, such as WIP protected files.
On. Starts Windows Search Indexer to index encrypted files.
Off, or not configured. Stops Windows Search Indexer from indexing encrypted files.
Encrypted file extensions
You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied.