EnterpriseDataProtection CSP

The EnterpriseDataProtection configuration service provider (CSP) is used to configure settings for Windows Information Protection (WIP), formerly known as Enterprise Data Protection. For more information about WIP, see Protect your enterprise data using Windows Information Protection (WIP).

Note

To make WIP functional, the AppLocker CSP and the network isolation-specific settings must also be configured. For more information, see AppLocker CSP and NetworkIsolation policies in Policy CSP.

  • This CSP was added in Windows 10, version 1607.

While WIP has no hard dependency on VPN, for best results you should configure VPN profiles before you configure the WIP policies. For VPN best practice recommendations, see VPNv2 CSP.

To learn more about WIP, see the following articles:

The following shows the EnterpriseDataProtection CSP in tree format.

./Device/Vendor/MSFT
EnterpriseDataProtection
----Settings
--------EDPEnforcementLevel
--------EnterpriseProtectedDomainNames
--------AllowUserDecryption
--------RequireProtectionUnderLockConfig
--------DataRecoveryCertificate
--------RevokeOnUnenroll
--------RMSTemplateIDForEDP
--------AllowAzureRMSForEDP
--------EDPShowIcons
----Status

./Device/Vendor/MSFT/EnterpriseDataProtection
The root node for the CSP.

Settings
The root node for the Windows Information Protection (WIP) configuration settings.

Settings/EDPEnforcementLevel
Sets the WIP enforcement level. Setting this value alone is not sufficient to enable WIP on the device; the mandatory policies listed under Status must also be configured. Attempts to change this value will fail while WIP cleanup is running.

The following list shows the supported values:

  • 0 (default) – Off / No protection (decrypts previously protected data).
  • 1 – Silent mode (encrypt and audit only).
  • 2 – Allow override mode (encrypt, prompt and allow overrides, and audit).
  • 3 – Hide overrides (encrypt, prompt but hide overrides, and audit).

Supported operations are Add, Get, Replace, and Delete. Value type is integer.

Settings/EnterpriseProtectedDomainNames
A list of domains used by the enterprise for its user identities, separated by pipes ("|"). The first domain in the list must be the primary enterprise ID, that is, the one representing the managing authority for WIP. A user identity from one of these domains is considered an enterprise-managed account, and data associated with it should be protected. For example, the domains for all email accounts owned by the enterprise would be expected to appear in this list. Attempts to change this value will fail while WIP cleanup is running.

Changing the primary enterprise ID is not supported and may cause unexpected behavior on the client.

Note

The client requires each domain name to be canonical; otherwise the setting is rejected by the client.

Here are the steps to create a canonical domain name:

  1. Transform the ASCII letters (A-Z only) to lowercase. For example, Microsoft.COM -> microsoft.com.
  2. Call IdnToAscii with IDN_USE_STD3_ASCII_RULES as the flags.
  3. Call IdnToUnicode with no flags set (dwFlags = 0).

Supported operations are Add, Get, Replace, and Delete. Value type is string.
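The three canonicalization steps above, carried through in Python as an added example (not Microsoft's code and not part of this page). The Win32 calls IdnToAscii(IDN_USE_STD3_ASCII_RULES) and IdnToUnicode(0) are approximated, as an assumption, by Python's built-in IDNA codec plus an explicit STD3 label check; `canonicalize_domain`, `is_canonical` and `build_protected_domain_list` are names chosen here, and the domains are constructed samples. The block also shows the kind of input the client would reject, such as a label containing an underscore, so that the MDM side can validate the value before sending it.

```python
import re

# STD3 ASCII rules for one label: letters, digits and hyphen only, and no
# leading or trailing hyphen. This is the extra check IDN_USE_STD3_ASCII_RULES adds.
_STD3_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def canonicalize_domain(name: str) -> str:
    """Return the canonical form of one domain name, or raise ValueError."""
    # Step 1: lowercase ASCII letters A-Z only; every other character is left as-is.
    lowered = "".join(c.lower() if "A" <= c <= "Z" else c for c in name)

    # Step 2: IdnToAscii(IDN_USE_STD3_ASCII_RULES), approximated (assumption) by
    # Python's IDNA codec (nameprep + Punycode) followed by the STD3 label check.
    try:
        ascii_form = lowered.encode("idna").decode("ascii")
    except UnicodeError as exc:
        raise ValueError(f"{name!r}: not a valid IDN ({exc})") from None
    for label in ascii_form.split("."):
        if not _STD3_LABEL.match(label):
            raise ValueError(f"{name!r}: label {label!r} violates STD3 ASCII rules")

    # Step 3: IdnToUnicode(dwFlags = 0) brings Punycode labels back to Unicode form.
    return ascii_form.encode("ascii").decode("idna")


def is_canonical(name: str) -> bool:
    """True if the client would accept this name as-is (it is already canonical)."""
    try:
        return canonicalize_domain(name) == name
    except ValueError:
        return False


def build_protected_domain_list(domains) -> str:
    """Pipe-separated value for EnterpriseProtectedDomainNames.

    The caller's order is kept because the first entry is the primary enterprise ID.
    Duplicates after canonicalization are rejected; they usually indicate a typo.
    """
    canon = [canonicalize_domain(d) for d in domains]
    if not canon:
        raise ValueError("at least the primary enterprise ID is required")
    if len(set(canon)) != len(canon):
        raise ValueError("duplicate domain after canonicalization")
    return "|".join(canon)


if __name__ == "__main__":
    # Constructed sample tenant domains, not taken from a real deployment.
    print(build_protected_domain_list(["Contoso.COM", "contoso.onmicrosoft.com", "BÜCHER.Example"]))
```

Python's IDNA codec implements IDNA 2003 and lowercases non-ASCII letters during nameprep, which matches the behaviour of the Win32 ToASCII operation closely enough for validation, but a value should still be confirmed against a device once before it is rolled out broadly.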

Settings/AllowUserDecryption
Allows the user to decrypt files. If this is set to 0 (Not allowed), the user will not be able to remove protection from enterprise content through the operating system or the application user experience.

Important

Starting in Windows 10, version 1703, AllowUserDecryption is no longer supported.

The following list shows the supported values:

  • 0 – Not allowed.
  • 1 (default) – Allowed.

Most restricted value is 0.

Supported operations are Add, Get, Replace, and Delete. Value type is integer.

Settings/RequireProtectionUnderLockConfig
Specifies whether the protection under lock feature (also known as encrypt under PIN) should be configured. A PIN must be configured on the device before you can apply this policy.

The following list shows the supported values:

  • 0 (default) – Not required.
  • 1 – Required.

Most restricted value is 1.

The CSP checks the current edition and hardware support (TPM), and returns an error message if the device does not have the required hardware.

Note

This setting is only supported in Windows 10 Mobile.

Supported operations are Add, Get, Replace, and Delete. Value type is integer.

Settings/DataRecoveryCertificate
Specifies a recovery certificate that can be used for data recovery of encrypted files. This is the same as the data recovery agent (DRA) certificate for Encrypting File System (EFS), only delivered through mobile device management (MDM) instead of Group Policy.

Note

If this policy and the corresponding Group Policy setting are both configured, the Group Policy setting is enforced.

DRA information from MDM policy must be a serialized binary blob identical to what is expected from Group Policy. The binary blob is the serialized version of the following structure:

//
//  Recovery Policy Data Structures
//
 
typedef struct _RECOVERY_POLICY_HEADER {
    USHORT      MajorRevision;
    USHORT      MinorRevision;
    ULONG       RecoveryKeyCount;
} RECOVERY_POLICY_HEADER, *PRECOVERY_POLICY_HEADER;
 
typedef struct _RECOVERY_POLICY_1_1    {
        RECOVERY_POLICY_HEADER  RecoveryPolicyHeader;
        RECOVERY_KEY_1_1        RecoveryKeyList[1];
}   RECOVERY_POLICY_1_1, *PRECOVERY_POLICY_1_1;
 
#define EFS_RECOVERY_POLICY_MAJOR_REVISION_1   (1)
#define EFS_RECOVERY_POLICY_MINOR_REVISION_0   (0)
 
#define EFS_RECOVERY_POLICY_MINOR_REVISION_1   (1)
 
///////////////////////////////////////////////////////////////////////////////
//                                                                            /
//  RECOVERY_KEY Data Structure                                               /
//                                                                            /
///////////////////////////////////////////////////////////////////////////////
 
//
// Current format of recovery data.
//
 
typedef struct _RECOVERY_KEY_1_1   {
        ULONG               TotalLength;
        EFS_PUBLIC_KEY_INFO PublicKeyInfo;
} RECOVERY_KEY_1_1, *PRECOVERY_KEY_1_1;
 
 
typedef struct _EFS_PUBLIC_KEY_INFO {
 
    //
    // The length of this entire structure, including string data
    // appended to the end. The length should be a multiple of 8 for
    // 64 bit alignment
    //
 
    ULONG Length;
 
    //
    // Sid of owner of the public key (regardless of format).
    // This field is to be treated as a hint only.
    //
 
    ULONG PossibleKeyOwner;
 
    //
    // Contains information describing how to interpret
    // the public key information
    //
 
    ULONG KeySourceTag;
 
    union {
 
        struct {
 
            //
            // The following fields contain offsets based at the
            // beginning of the structure.  Each offset is to
            // a NULL terminated WCHAR string.
            //
 
            ULONG ContainerName;
            ULONG ProviderName;
 
            //
            // The exported public key used to encrypt the FEK.
            // This field contains an offset from the beginning of the
            // structure.
            //
 
            ULONG PublicKeyBlob;
 
            //
            // Length of the PublicKeyBlob in bytes
            //
 
            ULONG PublicKeyBlobLength;
 
        } ContainerInfo;
 
        struct {
 
            ULONG CertificateLength;       // in bytes
            ULONG Certificate;             // offset from start of structure
 
        } CertificateInfo;
 
 
        struct {
 
            ULONG ThumbprintLength;        // in bytes
            ULONG CertHashData;            // offset from start of structure
 
        } CertificateThumbprint;
    };
 
 
 
} EFS_PUBLIC_KEY_INFO, *PEFS_PUBLIC_KEY_INFO;
 
//
// Possible KeyTag values
//
 
typedef enum _PUBLIC_KEY_SOURCE_TAG {
    EfsCryptoAPIContainer = 1,
    EfsCertificate,
    EfsCertificateThumbprint
} PUBLIC_KEY_SOURCE_TAG, *PPUBLIC_KEY_SOURCE_TAG;
 

For the EfsCertificate KeyTag, the value is expected to be a DER-encoded binary certificate.

Supported operations are Add, Get, Replace, and Delete. Value type is base-64 encoded certificate.
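The structure above, serialized and parsed in Python as an added example (not Microsoft's code and not part of this page). The wire layout is inferred from the C declarations and is an assumption: little-endian ULONG/USHORT fields with natural alignment, the union padded to its largest member (ContainerInfo, 16 bytes), the DER certificate appended immediately after the fixed part of EFS_PUBLIC_KEY_INFO with Length rounded up to a multiple of 8 as the structure comment requires, the Certificate offset measured from the start of EFS_PUBLIC_KEY_INFO, and TotalLength covering the whole RECOVERY_KEY_1_1 entry. Function names are chosen here and the DER bytes are a constructed stand-in, not a real certificate. Before using such a blob in production, compare it byte for byte against one produced by the Group Policy DRA setting, since the page states the two must be identical. The parser bounds-checks every offset, which is the part worth copying if you ever have to inspect a blob received from a device.

```python
import base64
import struct

# Constants copied from the structure definitions on the page.
EFS_RECOVERY_POLICY_MAJOR_REVISION_1 = 1
EFS_RECOVERY_POLICY_MINOR_REVISION_1 = 1
EfsCryptoAPIContainer, EfsCertificate, EfsCertificateThumbprint = 1, 2, 3

# Assumed wire layout (little-endian, natural alignment, union padded to 16 bytes):
#   RECOVERY_POLICY_HEADER  USHORT MajorRevision, USHORT MinorRevision, ULONG RecoveryKeyCount
#   RECOVERY_KEY_1_1        ULONG TotalLength, then one EFS_PUBLIC_KEY_INFO
#   EFS_PUBLIC_KEY_INFO     ULONG Length, ULONG PossibleKeyOwner, ULONG KeySourceTag,
#                           CertificateInfo {ULONG CertificateLength, ULONG Certificate}, 8 bytes pad
_HEADER = struct.Struct("<HHL")
_PKI_FIXED = struct.Struct("<LLLLL8x")
PKI_FIXED_SIZE = _PKI_FIXED.size  # 28 bytes before the appended certificate data


def _round_up_to_8(n: int) -> int:
    return (n + 7) & ~7


def build_recovery_policy_blob(der_certs) -> bytes:
    """Serialize a RECOVERY_POLICY_1_1 with one EfsCertificate entry per DER certificate."""
    out = bytearray(_HEADER.pack(EFS_RECOVERY_POLICY_MAJOR_REVISION_1,
                                 EFS_RECOVERY_POLICY_MINOR_REVISION_1,
                                 len(der_certs)))
    for der in der_certs:
        # DER bytes go right after the fixed part; Length is padded to a multiple of 8.
        length = _round_up_to_8(PKI_FIXED_SIZE + len(der))
        info = _PKI_FIXED.pack(length, 0, EfsCertificate, len(der), PKI_FIXED_SIZE)
        body = info + der + b"\x00" * (length - PKI_FIXED_SIZE - len(der))
        out += struct.pack("<L", 4 + length)  # TotalLength of the whole RECOVERY_KEY_1_1 (assumed)
        out += body
    return bytes(out)


def encode_for_csp(der_certs) -> str:
    """Base-64 text to send as the value of the DataRecoveryCertificate node."""
    return base64.b64encode(build_recovery_policy_blob(der_certs)).decode("ascii")


def parse_recovery_policy_blob(blob: bytes) -> list:
    """Parse a blob back into DER certificates, bounds-checking every length and offset."""
    if len(blob) < _HEADER.size:
        raise ValueError("blob shorter than RECOVERY_POLICY_HEADER")
    major, minor, count = _HEADER.unpack_from(blob, 0)
    if (major, minor) != (EFS_RECOVERY_POLICY_MAJOR_REVISION_1, EFS_RECOVERY_POLICY_MINOR_REVISION_1):
        raise ValueError(f"unsupported recovery policy revision {major}.{minor}")
    certs, pos = [], _HEADER.size
    for _ in range(count):
        if pos + 4 + PKI_FIXED_SIZE > len(blob):
            raise ValueError("truncated RECOVERY_KEY_1_1 entry")
        (total_length,) = struct.unpack_from("<L", blob, pos)
        start = pos + 4  # start of EFS_PUBLIC_KEY_INFO; offsets are relative to it
        length, _owner, tag, cert_len, cert_off = _PKI_FIXED.unpack_from(blob, start)
        if tag != EfsCertificate:
            raise ValueError(f"KeySourceTag {tag}: only EfsCertificate is expected from MDM")
        if length < PKI_FIXED_SIZE or start + length > len(blob) or total_length < 4 + length:
            raise ValueError("inconsistent Length/TotalLength")
        if cert_off < PKI_FIXED_SIZE or cert_off + cert_len > length:
            raise ValueError("certificate offset/length point outside the structure")
        certs.append(bytes(blob[start + cert_off:start + cert_off + cert_len]))
        pos += total_length
    return certs


def decode_from_csp(value: str) -> list:
    """Inverse of encode_for_csp: base-64 text from the node back to DER certificates."""
    return parse_recovery_policy_blob(base64.b64decode(value, validate=True))


if __name__ == "__main__":
    # Constructed stand-in for a DER certificate (a minimal SEQUENCE), not a real cert.
    sample_der = b"\x30\x03\x02\x01\x01"
    print(encode_for_csp([sample_der]))
```

In real use the DER bytes come from the exported DRA certificate (for example, the public certificate of the recovery agent), and only the public certificate belongs in the blob; the recovery private key stays offline with the recovery agent.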

Settings/RevokeOnUnenroll
This policy controls whether to revoke the WIP keys when a device unenrolls from the management service. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after unenrollment. If the keys are not revoked, there will be no revoked-file cleanup afterwards. When you want a device to do a selective wipe when it is unenrolled, you should explicitly set this policy to 1 before sending the unenroll command.

The following list shows the supported values:

  • 0 – Don't revoke keys.
  • 1 (default) – Revoke keys.

Supported operations are Add, Get, Replace, and Delete. Value type is integer.

Settings/RevokeOnMDMHandoff
Added in Windows 10, version 1703. This policy controls whether to revoke the WIP keys when a device upgrades from mobile application management (MAM) to MDM. If set to 0 (Don't revoke keys), the keys will not be revoked and the user will continue to have access to protected files after the upgrade. This is recommended if the MDM service is configured with the same WIP EnterpriseID as the MAM service.

The following list shows the supported values:

  • 0 – Don't revoke keys.
  • 1 (default) – Revoke keys.

Supported operations are Add, Get, Replace, and Delete. Value type is integer.

Settings/RMSTemplateIDForEDP
TemplateID GUID to use for Rights Management Service (RMS) encryption. The RMS template allows the IT admin to configure the details about who has access to RMS-protected files and how long they have access.

Supported operations are Add, Get, Replace, and Delete. Value type is string (GUID).

Settings/AllowAzureRMSForEDP
Specifies whether to allow Azure RMS encryption for WIP.

The following list shows the supported values:

  • 0 (default) – Don't use RMS.
  • 1 – Use RMS.

Supported operations are Add, Get, Replace, and Delete. Value type is integer.

Settings/SMBAutoEncryptedFileExtensions
Added in Windows 10, version 1703. Specifies a list of file extensions, so that files with these extensions are encrypted when copied from a Server Message Block (SMB) share within the corporate boundary, as defined in the Policy CSP nodes NetworkIsolation/EnterpriseIPRange and NetworkIsolation/EnterpriseNetworkDomainNames. Use a semicolon (;) as the delimiter in the list. When this policy is not specified, the existing auto-encryption behavior is applied. When this policy is configured, only files with the extensions in the list will be encrypted.

Supported operations are Add, Get, Replace, and Delete. Value type is string.

Settings/EDPShowIcons
Determines whether overlays are added to the icons of WIP-protected files in Explorer and to enterprise-only app tiles on the Start menu. Starting in Windows 10, version 1703, this setting also configures the visibility of the WIP icon in the title bar of a WIP-protected app. The following list shows the supported values:

  • 0 (default) – No WIP overlays on icons or tiles.
  • 1 – Show WIP overlays on protected files and on apps that can only create enterprise content.

Supported operations are Add, Get, Replace, and Delete. Value type is integer.

Status
A read-only bit mask that indicates the current state of WIP on the device. The MDM service can use this value to determine the current overall state of WIP. WIP is only on (bit 0 = 1) if the WIP mandatory policies and the WIP AppLocker settings are configured.

Suggested values:

  • Bit 4 – Reserved for future use.
  • Bit 3 – WIP mandatory settings: Set = 1, Not set = 0.
  • Bit 2 – Reserved for future use.
  • Bit 1 – AppLocker configured: Yes = 1, No = 0.
  • Bit 0 – WIP on = 1, WIP off = 0.

Bit 0 indicates whether WIP is on or off.

Bit 1 indicates whether the AppLocker WIP policies are set.

Bit 3 indicates whether the mandatory WIP policies are configured. If one or more of the mandatory WIP policies are not configured, bit 3 is set to 0 (zero).

Here's the list of mandatory WIP policies:

  • EDPEnforcementLevel in EnterpriseDataProtection CSP
  • DataRecoveryCertificate in EnterpriseDataProtection CSP
  • EnterpriseProtectedDomainNames in EnterpriseDataProtection CSP
  • NetworkIsolation/EnterpriseIPRange in Policy CSP
  • NetworkIsolation/EnterpriseNetworkDomainNames in Policy CSP

Bits 2 and 4 are reserved for future use.

Supported operation is Get. Value type is integer.
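The Status bit mask decoded in Python as an added example (not Microsoft's code and not part of this page), the way an MDM service might process the integer it gets back from a Get on this node. Bit positions and the mandatory policy list are taken from the description above; the function names and the finding strings are chosen here. Besides splitting the bits, it flags the two states a defender cares about: WIP reported off with the reason (which mandatory policies to check, or AppLocker not set), and a value that contradicts the stated rule that bit 0 is only set when bits 1 and 3 are.

```python
# Bit positions from the Status description.
WIP_STATUS_BIT_ON = 0
WIP_STATUS_BIT_APPLOCKER = 1
WIP_STATUS_BIT_MANDATORY = 3
WIP_STATUS_RESERVED_BITS = (2, 4)

# The mandatory WIP policies listed on the page, named as the page names them.
MANDATORY_WIP_POLICIES = (
    "EDPEnforcementLevel (EnterpriseDataProtection CSP)",
    "DataRecoveryCertificate (EnterpriseDataProtection CSP)",
    "EnterpriseProtectedDomainNames (EnterpriseDataProtection CSP)",
    "NetworkIsolation/EnterpriseIPRange (Policy CSP)",
    "NetworkIsolation/EnterpriseNetworkDomainNames (Policy CSP)",
)


def decode_wip_status(status: int) -> dict:
    """Split the integer from ./Device/Vendor/MSFT/EnterpriseDataProtection/Status into flags."""
    if not 0 <= status <= 0b11111:
        raise ValueError(f"Status {status} uses bits outside 0-4")

    def bit(n: int) -> bool:
        return bool((status >> n) & 1)

    return {
        "wip_on": bit(WIP_STATUS_BIT_ON),
        "applocker_configured": bit(WIP_STATUS_BIT_APPLOCKER),
        "mandatory_policies_configured": bit(WIP_STATUS_BIT_MANDATORY),
        "reserved_bits_set": any(bit(n) for n in WIP_STATUS_RESERVED_BITS),
    }


def wip_status_findings(status: int) -> list:
    """Human-readable findings an MDM service could log or alert on for one device."""
    s = decode_wip_status(status)
    findings = []
    if s["wip_on"]:
        findings.append("WIP is on")
    else:
        findings.append("WIP is off")
        if not s["mandatory_policies_configured"]:
            findings.append("one or more mandatory WIP policies are missing; check: "
                            + ", ".join(MANDATORY_WIP_POLICIES))
        if not s["applocker_configured"]:
            findings.append("AppLocker WIP policies are not set")
    # The page states WIP is only on when both prerequisites are configured, so
    # bit 0 set without bits 1 and 3 is a device state worth investigating.
    if s["wip_on"] and not (s["applocker_configured"] and s["mandatory_policies_configured"]):
        findings.append("inconsistent Status: bit 0 set without bits 1 and 3")
    if s["reserved_bits_set"]:
        findings.append("reserved bits 2/4 set; unexpected value, possibly a newer client")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not read from a real device.
    for value in (0b01011, 0b00010, 0b00001):
        print(f"Status={value:#07b}: " + "; ".join(wip_status_findings(value)))
```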