title | description | keywords | ms.prod | ms.mktglfcycl | ms.sitesec | ms.pagetype | ms.localizationpriority | author | ms.author | manager | audience | ms.collection | ms.topic | ms.date |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
How Windows Information Protection (WIP) protects files with a sensitivity label (Windows 10) | Explains how Windows Information Protection works with other Microsoft information protection technologies to protect files that have a sensitivity label. | sensitivity, labels, WIP, Windows Information Protection, EDP, Enterprise Data Protection | w10 | explore | library | security | medium | justinha | justinha | dansimp | ITPro | M365-security-compliance | conceptual | 02/26/2019 |
How Windows Information Protection (WIP) protects a file that has a sensitivity label
Applies to:
- Windows 10, version 1809
This topic explains how Windows Information Protection works with other Microsoft information protection technologies to protect files that have a sensitivity label. Microsoft information protection technologies work together as an integrated solution to help enterprises:
- Discover corporate data on endpoint devices
- Classify and label information based on its content and context
- Protect corporate data from unintentionally being moved to non-business environments
- Enable audit reports of user interactions with corporate data on endpoint devices
Microsoft information protection technologies include:
- Windows Information Protection (WIP) is built in to Windows 10 and protects local data at rest on endpoint devices, and manages apps to protect local data in use. Data that leaves the endpoint device, such as an email attachment, is not protected by WIP.
- Office 365 Information Protection is a solution to classify, protect, and monitor personal data in Office 365.
- Azure Information Protection is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. Azure Information Protection is applied directly to content, and roams with the content as it's moved between locations and cloud services.
- Microsoft Cloud App Security is a cloud access security broker (CASB) solution that allows you to discover, classify, protect, and monitor user data in first-party and third-party Software-as-a-Service (SaaS) apps used by your organization.
End users can choose and apply sensitivity labels from a bar that appears below the ribbon in Office apps.
Default WIP behaviors for a sensitivity label
Enterprises can create and manage sensitivity labels on the Labels page in the Office 365 Security & Compliance Center. When you create a sensitivity label, you can specify that endpoint protection should apply to content with that label. WIP enforces default endpoint protection depending on how the sensitivity label is configured:
- When the sensitivity label is configured for endpoint protection of content that includes business data, the device enforces work protection for documents with the label
- When the sensitivity label is not configured for endpoint protection, the device reverts to whatever WIP policy has been defined in Intune or System Center Configuration Manager (SCCM):
  - If the document is downloaded from a work site, the device enforces work protection
  - If the document is downloaded from a personal site, no work protection is applied
For more information about labels, see Overview of labels.
Use cases
This section covers how WIP works with sensitivity labels in specific use cases.
User downloads from or creates a document on a work site
If WIP policy is deployed, any document that is downloaded from a work site, or created on a work site, will have WIP protection regardless of whether the document has a sensitivity label.
If the document is an Office or PDF file that also has a sensitivity label, WIP protection is applied according to the label.
User downloads a confidential Office or PDF document from a personal site
Windows Defender Advanced Threat Protection (Windows Defender ATP) scans for any file that gets modified or created, including files that were created on a personal site. If the file has a sensitivity label, the corresponding WIP protection gets applied even though the file came from a personal site. For example:
- Sara creates a PDF file on a Mac and labels it as Confidential.
- She emails the PDF from her Gmail account to Laura.
- Laura opens the PDF file on her Windows 10 device.
- WIP policy gets applied and the file is protected.
The PDF file doesn't need any work context beyond the sensitivity label.
Prerequisites
- Windows 10, version 1809
- Windows Defender ATP scans content for a label and applies corresponding WIP protection
- Sensitivity labels need to be configured in the Office 365 Security & Compliance Center
- WIP policy needs to be applied to endpoint devices by using Intune or System Center Configuration Manager (SCCM).
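The default behaviors, use cases, and prerequisites above can be written down as an expected-outcome matrix to check a rollout against. The following is an added example, not Microsoft code: a constructed Python model in which every name, the file-extension list, the "General" label, and the choice to treat a missing prerequisite as "label not honored" are assumptions for illustration.

```python
import os
from dataclasses import dataclass
from enum import Enum

# Constructed model; names and the extension list are assumptions for illustration.
LABEL_CAPABLE = {".docx", ".xlsx", ".pptx", ".pdf"}  # page: "Office or PDF files"

class Origin(Enum):
    WORK = "work site"
    PERSONAL = "personal site"

@dataclass(frozen=True)
class Label:
    name: str
    endpoint_protection: bool  # label setting from the Security & Compliance Center

@dataclass(frozen=True)
class Device:
    wip_policy_deployed: bool  # WIP policy applied through Intune or SCCM
    atp_label_scanning: bool   # Windows Defender ATP scans content for a label

def work_protection(device, origin, filename, label=None):
    """Return (protected, reason) for one file under the default behaviors."""
    if not device.wip_policy_deployed:
        return False, "prerequisite missing: no WIP policy on the device"
    ext = os.path.splitext(filename)[1].lower()
    label_seen = label is not None and device.atp_label_scanning and ext in LABEL_CAPABLE
    if label_seen and label.endpoint_protection:
        return True, "label is configured for endpoint protection"
    # Label absent, not readable, or not configured: fall back to WIP policy.
    if origin is Origin.WORK:
        return True, "WIP policy: work site"
    return False, "WIP policy: personal site"

def expected_matrix():
    """Constructed test cases; the first mirrors the Sara/Laura use case."""
    ready = Device(wip_policy_deployed=True, atp_label_scanning=True)
    no_scan = Device(wip_policy_deployed=True, atp_label_scanning=False)
    conf = Label("Confidential", endpoint_protection=True)
    general = Label("General", endpoint_protection=False)
    cases = [
        ("labeled PDF, personal site", ready, Origin.PERSONAL, "plan.pdf", conf),
        ("label without endpoint protection", ready, Origin.PERSONAL, "plan.pdf", general),
        ("unlabeled, work site", ready, Origin.WORK, "notes.txt", None),
        ("labeled PDF, scanning unavailable", no_scan, Origin.PERSONAL, "plan.pdf", conf),
    ]
    return {name: work_protection(d, o, f, l) for name, d, o, f, l in cases}

if __name__ == "__main__":
    print(expected_matrix())
```

The second and fourth rows are the ones worth testing on a pilot device: a labeled file from a personal site stays unprotected if the label lacks the endpoint protection setting or if label scanning is not in place.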