diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md index 5df397e284..6edf443eb3 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-sccm.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/26/2019 +ms.date: 04/30/2019 --- # Create and deploy a Windows Information Protection (WIP) policy using System Center Configuration Manager @@ -480,7 +480,7 @@ After you've decided where your protected apps can access enterprise data on you - **No.** Stop local encryption keys from being revoked from a device during unenrollment. For example, if you’re migrating between Mobile Device Management (MDM) solutions. - - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information, see [Choose to set up Azure Rights Management with WIP](create-wip-policy-using-intune-azure.md#choose-to-set-up-azure-rights-management-with-wip). + - **Allow Azure RMS.** Enables secure sharing of files by using removable media such as USB drives. For more information about how RMS works with WIP, see [Choose to set up Azure Rights Management with WIP](create-wip-policy-using-intune-azure.md#choose-to-set-up-azure-rights-management-with-wip). To confirm what templates your tenant has, run [Get-AadrmTemplate](https://docs.microsoft.com/powershell/module/aadrm/get-aadrmtemplate) from the [AADRM PowerShell module](https://docs.microsoft.com/azure/information-protection/administer-powershell). 2. After you pick all of the settings you want to include, click **Summary**. 
diff --git a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md index cfcae5b9de..02d2fe3e81 100644 --- a/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md +++ b/windows/security/information-protection/windows-information-protection/how-wip-works-with-labels.md @@ -13,15 +13,20 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/15/2019 +ms.date: 04/30/2019 --- # How Windows Information Protection (WIP) protects a file that has a sensitivity label **Applies to:** +- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) +- Windows 10, version 1903 - Windows 10, version 1809 +>[!IMPORTANT] +>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. + This topic explains how Windows Information Protection works with other Microsoft information protection technologies to protect files that have a sensitivity label. Microsoft information protection technologies work together as an integrated solution to help enterprises: 
@@ -38,52 +43,73 @@ Microsoft information protection technologies include: - [Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security) is a cloud access security broker (CASB) solution that allows you to discover, classify, protect, and monitor user data in first-party and third-party Software-as-a-Service (SaaS) apps used by your organization. -End users can choose and apply sensitivity labels from a bar that appears below the ribbon in Office apps: +## How WIP protects sensitivity labels with endpoint data loss prevention + +You can create and manage [sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) in the Microsoft 365 compliance center. +When you create a sensitivity label, you can specify that endpoint data loss prevention applies to content with that label. + +![Endpoint data loss prevention](images/sensitivity-label-endpoint-dlp.png) + +Office app users can choose a sensitivity label from a menu and apply it to a file. ![Sensitivity labels](images/sensitivity-labels.png) -## Default WIP behaviors for a sensitivity label +WIP enforces default endpoint protection as follows: -Enterprises can create and manage sensitivity labels on the **Labels** page in the Office 365 Security & Compliance Center. -When you create a sensitivity label, you can specify that endpoint protection should apply to content with that label. 
-WIP enforces default endpoint protection depending on how the sensitivity label is configured: +- If endpoint data loss prevention is enabled, the device enforces work protection for any file with the label +- If endpoint data loss prevention is not enabled: + - The device enforces work protection to a file downloaded from a work site + - The device does not enforce work protection to a file downloaded from a personal site -- When the sensitivity label is configured for endpoint protection of content that includes business data, the device enforces work protection for documents with the label -- When the sensitivity label is *not configured* for endpoint protection, the device reverts to whatever WIP policy has been defined in Intune or System Center Configuration Manager (SCCM): - - If the document is downloaded from a work site, the device enforces work protection - - If the document is downloaded from a personal site, no work protection is applied - -For more information about labels, see [Overview of labels](https://docs.microsoft.com/office365/securitycompliance/labels). - -## Use cases - -This section covers how WIP works with sensitivity labels in specific use cases. - -### User downloads from or creates a document on a work site - -If WIP policy is deployed, any document that is downloaded from a work site, or created on a work site, will have WIP protection regardless of whether the document has a sensitivity label. - -If the document also has a sensitivity label, which can be Office or PDF files, WIP protection is applied according to the label. - -### User downloads a confidential Office or PDF document from a personal site - -Windows Defender Advanced Threat Protection (Windows Defender ATP) scans for any file that gets modified or created, including files that were created on a personal site. -If the file has a sensitivity label, the corresponding WIP protection gets applied even though the file came from a personal site. 
-For example: +Here's an example where a file remains protected without any work context beyond the sensitivity label: 1. Sara creates a PDF file on a Mac and labels it as **Confidential**. -2. She emails the PDF from her Gmail account to Laura. -3. Laura opens the PDF file on her Windows 10 device. -4. WIP policy gets applied and the file is protected. +1. She emails the PDF from her Gmail account to Laura. +1. Laura opens the PDF file on her Windows 10 device. +1. Windows Defender Advanced Threat Protection (Windows Defender ATP) scans Windows 10 for any file that gets modified or created, including files that were created on a personal site. +1. Windows Defender ATP triggers WIP policy. +1. WIP policy protects the file even though it came from a personal site. -The PDF file doesn't need any work context beyond the sensitivity label. +## How WIP protects automatically classified files + +The next sections cover how Windows Defender ATP extends discovery and protection of sensitive information with improvements in Windows 10 version 1903. + +### Discovery + +Windows Defender ATP can extract the content of the file itself and evaluate whether it contains sensitive information types such as credit card numbers or employee ID numbers. +When you create a sensitivity label, you can specify that the label be added to any file that contains a sensitive information type. + +![Sensitivity labels](images/sensitivity-label-auto-label.png) + +A default set of [sensitive information types](https://docs.microsoft.com/office365/securitycompliance/what-the-sensitive-information-types-look-for) in Microsoft 365 compliance center includes credit card numbers, phone numbers, driver’s license numbers, and so on. +You can also [create a custom sensitive information type](https://docs.microsoft.com/office365/securitycompliance/create-a-custom-sensitive-information-type), which can include any keyword or expression that you want to evaluate. 
+ +### Protection + +When a file is created or edited on a Windows 10 endpoint, Windows Defender ATP extracts the content and evaluates if it contains any default or custom sensitive information types that have been defined. +If the file has a match, Windows Defender ATP applies endpoint data loss prevention even if the file had no label previously. + +Windows Defender ATP is integrated with Azure Information Protection for data discovery and reports sensitive information types that were discovered. +Azure Information Protection aggregates the files with sensitivity labels and the sensitive information types they contain across the enterprise. + +![Image of Azure Information Protection - Data discovery](images/azure-data-discovery.png) + +You can see sensitive information types in Microsoft 365 compliance under **Classifications**. Default sensitive information types have Microsoft as the publisher. The publisher for custom types is the tenant name. + +![Sensitive information types](images/sensitive-info-types.png) + +>[!NOTE] +>Automatic classification does not change the file itself, but it applies protection based on the label. +>WIP protects a file that contains a sensitive information type as a work file. +>Azure Information Protection works differently in that it extends a file with a new attribute so the protection persists if the file is copied. ## Prerequisites -- Windows 10, version 1809 -- [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) scans content for a label and applies corresponding WIP protection -- [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in the Office 365 Security & Compliance Center -- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [System Center Configuration Manager (SCCM)](overview-create-wip-policy-sccm.md). 
+- Endpoint data loss prevention requires Windows 10, version 1809 +- Auto labelling requires Windows 10, version 1903 +- Devices need to be onboarded to [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection), which scans content for a label and applies WIP policy +- [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in Microsoft 365 compliance center +- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [System Center Configuration Manager (SCCM)](overview-create-wip-policy-sccm.md) diff --git a/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png b/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png new file mode 100644 index 0000000000..0148a800b2 Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/azure-data-discovery.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png b/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png new file mode 100644 index 0000000000..58f675399a Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/sensitive-info-types.png differ diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png new file mode 100644 index 0000000000..dd6450af37 Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/sensitivity-label-auto-label.png differ 
diff --git a/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png b/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png new file mode 100644 index 0000000000..3dbbb4e09b Binary files /dev/null and b/windows/security/information-protection/windows-information-protection/images/sensitivity-label-endpoint-dlp.png differ
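Review bot: In the create-wip-policy-using-sccm.md hunk, the added sentence "To confirm what templates your tenant has, run Get-AadrmTemplate from the AADRM PowerShell module" brings in templates without the **Allow Azure RMS** bullet ever saying what the templates are used for in this setting, so a reader has no reason to go and list them. Suggest stating that first (for example, "This option protects files copied to removable media with an Azure RMS template from your tenant; to confirm which templates you have, run ...") so the cmdlet reference follows from something. Also, the "how RMS works with WIP" link points at create-wip-policy-using-intune-azure.md from the SCCM guide; cross-linking is fine, but say "see the Intune article" so the product switch is explicit.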
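Review bot: In the first how-wip-works-with-labels.md hunk (front matter and **Applies to**), the new >[!IMPORTANT] prerelease note is unscoped, so it reads as though the whole article is prerelease when only the Windows 10, version 1903 content being added is; suggest naming the scope ("Some information relates to Windows 10, version 1903, which is prerelease product that may be substantially modified ..."). Also "prereleased product" should read "prerelease product". And listing Windows Defender ATP under **Applies to** next to OS versions mixes a requirement with a platform; the Prerequisites list in the same file already states that devices must be onboarded to Windows Defender ATP, so consider keeping it there rather than in **Applies to**.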
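Review bot: In the second how-wip-works-with-labels.md hunk, the rewritten default-behaviour bullets lose a condition the old text carried: "If endpoint data loss prevention is not enabled" now says "The device enforces work protection to a file downloaded from a work site" unconditionally, whereas the removed lines said the device "reverts to whatever WIP policy has been defined in Intune or System Center Configuration Manager (SCCM)" and the removed use case opened with "If WIP policy is deployed". Without that qualifier the bullet promises protection on a device that has no WIP policy; suggest "If endpoint data loss prevention is not enabled, the device applies whatever WIP policy Intune or SCCM has deployed:" followed by the two sub-bullets (and "enforces work protection for a file", not "to a file"). Two further points in the same hunk: **Discovery** says "you can specify that the label be added to any file that contains a sensitive information type", but the closing >[!NOTE] says "Automatic classification does not change the file itself", which contradicts it unless the label is tracked as a WIP work-file classification rather than written into the file; make the note say which. And terminology drifts between "Auto labelling" (Prerequisites), "automatic classification" (the note) and "automatically classified files" (the heading), and between "Microsoft 365 compliance center" and "Microsoft 365 compliance under **Classifications**"; pick one form of each.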