Wip endpoint dlp (#81)

This commit is contained in:
Justin Hall 2019-04-30 13:42:58 -07:00 committed by Dani Halfin
parent 84d839ff2a
commit 87849d41cb
6 changed files with 64 additions and 38 deletions


@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/26/2019
ms.date: 04/30/2019
---
# Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager
@ -480,7 +480,7 @@ After you've decided where your protected apps can access enterprise data on you
- **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if youre migrating between Mobile Device Management (MDM) solutions.
- **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information, see [Choose to set up Azure Rights Management with WIP](create-wip-policy-using-intune-azure.md#choose-to-set-up-azure-rights-management-with-wip).
- **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Choose to set up Azure Rights Management with WIP](create-wip-policy-using-intune-azure.md#choose-to-set-up-azure-rights-management-with-wip). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell).
2. After you pick all of the settings you want to include, click **Summary**.
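Review bot: the new sentence in the **Allow Azure RMS** bullet tells the reader to run Get-AadrmTemplate to list the tenant's templates, but nothing in the bullet says what WIP does with an RMS template or which one it needs, so the check has no purpose for the reader; add a clause stating what the template is used for (or link to the setting where it is selected) before the Get-AadrmTemplate instruction. While here, the unchanged **No.** line above has `youre` for `you're`.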


@ -13,15 +13,20 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
ms.date: 04/15/2019
ms.date: 04/30/2019
---
# How Windows Information Protection (WIP) protects a file that has a sensitivity label
**Applies to:**
- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
- Windows 10, version 1903
- Windows 10, version 1809
>[!IMPORTANT]
>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic explains how Windows Information Protection works with other Microsoft information protection technologies to protect files that have a sensitivity label.
Microsoft information protection technologies work together as an integrated solution to help enterprises:
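Review bot: the new **Applies to** list adds Windows 10, version 1903 and the IMPORTANT prerelease notice at the same time, but the notice does not say which part of the topic is prerelease; since the body ties the version 1903 improvements to automatic labelling, say so in the notice (for example, that the automatic classification sections apply to Windows 10, version 1903) so readers on version 1809 know which sections apply to their devices.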
@ -38,52 +43,73 @@ Microsoft information protection technologies include:
- [Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security) is a cloud access security broker (CASB) solution that allows you to discover, classify, protect, and monitor user data in first-party and third-party Software-as-a-Service (SaaS) apps used by your organization.
End users can choose and apply sensitivity labels from a bar that appears below the ribbon in Office apps:
## How WIP protects sensitivity labels with endpoint data loss prevention
You can create and manage [sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) in the Microsoft 365 compliance center.
When you create a sensitivity label, you can specify that endpoint data loss prevention applies to content with that label.
![Endpoint data loss prevention](images/sensitivity-label-endpoint-dlp.png)
Office app users can choose a sensitivity label from a menu and apply it to a file.
![Sensitivity labels](images/sensitivity-labels.png)
## Default WIP behaviors for a sensitivity label
WIP enforces default endpoint protection as follows:
Enterprises can create and manage sensitivity labels on the **Labels** page in the Office 365 Security & Compliance Center.
When you create a sensitivity label, you can specify that endpoint protection should apply to content with that label.
WIP enforces default endpoint protection depending on how the sensitivity label is configured:
- If endpoint data loss prevention is enabled, the device enforces work protection for any file with the label
- If endpoint data loss prevention is not enabled:
- The device enforces work protection to a file downloaded from a work site
- The device does not enforce work protection to a file downloaded from a personal site
- When the sensitivity label is configured for endpoint protection of content that includes business data, the device enforces work protection for documents with the label
- When the sensitivity label is *not configured* for endpoint protection, the device reverts to whatever WIP policy has been defined in Intune or System Center Configuration Manager (SCCM):
- If the document is downloaded from a work site, the device enforces work protection
- If the document is downloaded from a personal site, no work protection is applied
For more information about labels, see [Overview of labels](https://docs.microsoft.com/office365/securitycompliance/labels).
## Use cases
This section covers how WIP works with sensitivity labels in specific use cases.
### User downloads from or creates a document on a work site
If WIP policy is deployed, any document that is downloaded from a work site, or created on a work site, will have WIP protection regardless of whether the document has a sensitivity label.
If the document also has a sensitivity label, which can be Office or PDF files, WIP protection is applied according to the label.
### User downloads a confidential Office or PDF document from a personal site
Windows Defender Advanced Threat Protection (Windows Defender ATP) scans for any file that gets modified or created, including files that were created on a personal site.
If the file has a sensitivity label, the corresponding WIP protection gets applied even though the file came from a personal site.
For example:
Here's an example where a file remains protected without any work context beyond the sensitivity label:
1. Sara creates a PDF file on a Mac and labels it as **Confidential**.
2. She emails the PDF from her Gmail account to Laura.
3. Laura opens the PDF file on her Windows 10 device.
4. WIP policy gets applied and the file is protected.
1. She emails the PDF from her Gmail account to Laura.
1. Laura opens the PDF file on her Windows 10 device.
1. Windows Defender Advanced Threat Protection (Windows Defender ATP) scans Windows 10 for any file that gets modified or created, including files that were created on a personal site.
1. Windows Defender ATP triggers WIP policy.
1. WIP policy protects the file even though it came from a personal site.
The PDF file doesn't need any work context beyond the sensitivity label.
## How WIP protects automatically classified files
The next sections cover how Windows Defender ATP extends discovery and protection of sensitive information with improvements in Windows 10 version 1903.
### Discovery
Windows Defender ATP can extract the content of the file itself and evaluate whether it contains sensitive information types such as credit card numbers or employee ID numbers.
When you create a sensitivity label, you can specify that the label be added to any file that contains a sensitive information type.
![Sensitivity labels](images/sensitivity-label-auto-label.png)
A default set of [sensitive information types](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for) in Microsoft 365 compliance center includes credit card numbers, phone numbers, drivers license numbers, and so on.
You can also [create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type), which can include any keyword or expression that you want to evaluate.
### Protection
When a file is created or edited on a Windows 10 endpoint, Windows Defender ATP extracts the content and evaluates if it contains any default or custom sensitive information types that have been defined.
If the file has a match, Windows Defender ATP applies endpoint data loss prevention even if the file had no label previously.
Windows Defender ATP is integrated with Azure Information Protection for data discovery and reports sensitive information types that were discovered.
Azure Information Protection aggregates the files with sensitivity labels and the sensitive information types they contain across the enterprise.
![Image of Azure Information Protection - Data discovery](images/azure-data-discovery.png)
You can see sensitive information types in Microsoft 365 compliance under **Classifications**. Default sensitive information types have Microsoft as the publisher. The publisher for custom types is the tenant name.
![Sensitive information types](images/sensitive-info-types.png)
>[!NOTE]
>Automatic classification does not change the file itself, but it applies protection based on the label.
>WIP protects a file that contains a sensitive information type as a work file.
>Azure Information Protection works differently in that it extends a file with a new attribute so the protection persists if the file is copied.
## Prerequisites
- Windows 10, version 1809
- [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) scans content for a label and applies corresponding WIP protection
- [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in the Office 365 Security & Compliance Center
- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [System Center Configuration Manager (SCCM)](overview-create-wip-policy-sccm.md).
- Endpoint data loss prevention requires Windows 10, version 1809
- Auto labelling requires Windows 10, version 1903
- Devices need to be onboarded to [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection), which scans content for a label and applies WIP policy
- [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in Microsoft 365 compliance center
- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [System Center Configuration Manager (SCCM)](overview-create-wip-policy-sccm.md)
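Review bot: the Protection section says Windows Defender ATP applies endpoint data loss prevention to a matching file "even if the file had no label previously", but the NOTE further down says automatic classification does not change the file itself and contrasts it with Azure Information Protection, whose added attribute makes protection persist when the file is copied; state that caveat in the Protection section itself, where an admin reading about auto-classification decides what it covers, because a reader could otherwise conclude the file has been labelled and carries its protection with it. Also unify the terminology (`Auto labelling` in Prerequisites, `automatically classified` and `Automatic classification` in the body), fix `drivers license` to `driver's license`, and make the Prerequisites bullets consistent about trailing periods.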
