Merge pull request #252 from MicrosoftDocs/master
PR 251
JoeDavies-MSFT committed Apr 25, 2019
2 parents cf77e4b + 4592958 commit 9d4319a
Showing 14 changed files with 189 additions and 37 deletions.
8 changes: 5 additions & 3 deletions microsoft-365/enterprise/TOC.md
Expand Up @@ -32,7 +32,9 @@
#### [Step 1: Define security and information protection levels](infoprotect-define-sec-infoprotect-levels.md)
#### [Step 2: Configure classification for your environment](infoprotect-configure-classification.md)
#### [Step 3: Configure increased security for Microsoft 365](infoprotect-configure-increased-security-office-365.md)
#### [Step 4: Configure privileged access management for Office 365](infoprotect-configure-privileged-access-management.md)
#### [Step 4: Configure Windows Information Protection](infoprotect-deploy-windows-information-protection.md)
#### [Step 5: Configure Office 365 Data Loss Prevention](infoprotect-data-loss-prevention.md)
#### [Step 6: Configure privileged access management for Office 365](infoprotect-configure-privileged-access-management.md)
#### [Information protection exit criteria](infoprotect-exit-criteria.md)
### [Deployment strategies](deployment-strategies-microsoft-365-enterprise.md)
### [Deploy with existing infrastructure](deploy-with-existing-infrastructure.md)
Expand All @@ -58,8 +60,8 @@
#### [Azure AD Identity Protection](azure-ad-identity-protection-microsoft-365-test-environment.md)
#### [Identity and device access](identity-device-access-m365-test-environment.md)
##### [Cloud-only](cloud-only-prereqs-m365-test-environment.md)
##### [Password hash sync (PHS)](phs-prereqs-m365-test-environment.md)
##### [Pass-through authentication (PTA)](pta-prereqs-m365-test-environment.md)
##### [Password hash sync](phs-prereqs-m365-test-environment.md)
##### [Pass-through authentication](pta-prereqs-m365-test-environment.md)
### [Mobile device management]()
#### [Enroll iOS and Android devices](enroll-ios-and-android-devices-in-your-microsoft-enterprise-365-dev-test-environ.md)
#### [Device compliance policies](mam-policies-for-your-microsoft-365-enterprise-dev-test-environment.md)
Expand Up @@ -79,7 +79,7 @@ Follow the instructions in [Phase 2 of the Azure AD Identity Protection Test Lab

## Phase 7: Enable modern authentication for Exchange Online and Skype for Business Online

For Exchange Online, follow [these instructions](https://docs.microsoft.com/en-us/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online#enable-or-disable-modern-authentication-in-exchange-online-for-client-connections-in-outlook-2013-or-later).
For Exchange Online, follow [these instructions](https://docs.microsoft.com/Exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online#enable-or-disable-modern-authentication-in-exchange-online-for-client-connections-in-outlook-2013-or-later).

For Skype for Business Online:

Expand Up @@ -37,7 +37,7 @@ There are three main ways to deploy Microsoft 365 Enterprise:

FastTrack is an ongoing and repeatable benefit—available as part of your subscription—that is delivered by Microsoft engineers to help you move to the cloud at your own pace. FastTrack also gives you access to qualified partners for additional services. With over 40,000 customers enabled to date, FastTrack helps maximize ROI, accelerate deployment, and increase adoption across your organization. See [FastTrack for Microsoft 365](https://fasttrack.microsoft.com/microsoft365).

If you want to take advantage of FastTrack to deploy Microsoft 365 Enterprise, you can use the FastTrack [Microsoft 365 deployment advisor](https://aka.ms/microsoft365setupguide) for guidance on how to deploy and set up your foundation infrastructure. Note that you must be signed on as a global administrator in an Office 365 or Microsoft 365 tenant in order to access this page.
If you want to take advantage of FastTrack to deploy Microsoft 365 Enterprise, you can use the FastTrack [Microsoft 365 deployment advisor](https://aka.ms/microsoft365setupguide) for guidance on how to deploy and set up your foundation infrastructure. You must be signed in as a global administrator in an Office 365 or Microsoft 365 tenant to access this page.

Get started on your end-to-end deployment journey with FastTrack [here](https://fasttrack.microsoft.com/microsoft365).

Expand Up @@ -11,21 +11,21 @@ At a minimum, you are using three security levels:

If needed, [Step 1](../infoprotect-define-sec-infoprotect-levels.md) can help you meet this requirement.

<a name="crit-infoprotect-step4"></a>
<a name="crit-infoprotect-step3"></a>
### Required: Increased security for Microsoft 365 is configured

You've configured the following settings for [Office 365 increased security](https://docs.microsoft.com/office365/securitycompliance/tenant-wide-setup-for-increased-security):

- Threat management policies in the Microsoft 365 security Center
- Additional Exchange Online tenant-wide settings
- Tenant-wide sharing policies in SharePoint admin center
- Tenant-wide sharing policies in SharePoint Online admin center
- Settings in Azure Active Directory (Azure AD)

You've also [enabled Office 365 Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Microsoft Teams](https://docs.microsoft.com/en-us/office365/securitycompliance/turn-on-atp-for-spo-odb-and-teams).
You've also [enabled Office 365 Advanced Threat Protection (ATP) for SharePoint, OneDrive, and Microsoft Teams](https://docs.microsoft.com/office365/securitycompliance/turn-on-atp-for-spo-odb-and-teams).

If needed, [Step 3](../infoprotect-configure-increased-security-office-365.md) can help you meet this requirement.

<a name="crit-infoprotect-step3"></a>
<a name="crit-infoprotect-step2"></a>
### Optional: Classification is configured across your environment

You've worked with your legal and compliance teams to develop an appropriate classification and labeling scheme for your organization’s data governance and security policies.
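Review bot: The two anchor renames in this hunk (`crit-infoprotect-step4` to `crit-infoprotect-step3` above the increased security heading, and `crit-infoprotect-step3` to `crit-infoprotect-step2` above the classification heading) reuse names that previously pointed at a different section, so a link that is not updated will land on the wrong criteria instead of failing visibly. The step pages changed in this commit are updated to match, but search the repo for any other references to `#crit-infoprotect-step3` and `#crit-infoprotect-step4` before merging.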
Expand All @@ -39,9 +39,31 @@ Those policies correspond to the configuration and deployment of:

If needed, [Step 2](../infoprotect-configure-classification.md) can help you meet this requirement.


<a name="crit-infoprotect-step4"></a>
### Optional: Windows Information Protection is deployed across your environment

Your enrolled Windows 10 Enterprise devices have an Intune policy deployed and applied that defines:

- Which apps to protect.
- The level of protection.
- Where the protection extends.

If needed, [Step 4](../infoprotect-deploy-windows-information-protection.md) can help you meet this requirement.

<a name="crit-infoprotect-step5"></a>
### Optional: Office 365 Data Loss Prevention (DLP) is deployed

You have analyzed, tested, and then rolled out the set of DLP policies—with locations and rules with conditions and actions—that your organization requires to protect customer and other types of private data and to adhere to industry and regional regulations and requirements.

Your data compliance and security staff are using the Office 365 Security & Compliance dashboard to monitor DLP incidents.

If needed, [Step 5](../infoprotect-data-loss-prevention.md) can help you meet this requirement.


<a name="crit-infoprotect-step6"></a>
### Optional: Configure privileged access management in Office 365

You've used the information in the [Configure privileged access management in Office 365](https://docs.microsoft.com/office365/securitycompliance/privileged-access-management-configuration) topic to enable privileged access and create one or more privileged access policies in your organization. You've configured these policies and just-in-time access is enabled for access to sensitive data or access to critical configuration settings.

If needed, [Step 4](../infoprotect-configure-privileged-access-management.md) can help you meet this requirement.
If needed, [Step 6](../infoprotect-configure-privileged-access-management.md) can help you meet this requirement.
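Review bot: The heading kept under the new `crit-infoprotect-step6` anchor, "Optional: Configure privileged access management in Office 365", is phrased as a task, while the two criteria added above it in this hunk are phrased as a completed state ("is deployed across your environment", "is deployed"). Because this file lists exit criteria, rename it to match, for example "Optional: Privileged access management is configured in Office 365".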
17 changes: 6 additions & 11 deletions microsoft-365/enterprise/infoprotect-configure-classification.md
Expand Up @@ -3,7 +3,7 @@ title: "Step 2: Configure classification for your environment"
ms.author: josephd
author: JoeDavies-MSFT
manager: laurawi
ms.date: 04/10/2019
ms.date: 04/25/2019
ms.audience: ITPro
ms.topic: article
ms.service: o365-solutions
Expand Down Expand Up @@ -42,38 +42,31 @@ Sensitive information types are especially helpful for meeting compliance and re

Part of defining a data governance strategy is deciding how long specific types of documents or documents with specific contents should be retained in compliance with organization policies and regional regulations. For example, some types of documents should be retained for a set amount of time and then deleted and others must be retained indefinitely.

For documents stored in Microsoft 365, you define and apply retention labels to documents and data stored in Exchange email, SharePoint Online, OneDrive for Business, and Teams chat and channel messages. For more information, including how to create them, see [Overview of retention labels](https://docs.microsoft.com/office365/securitycompliance/labels).
For documents stored in Microsoft 365, you define and apply retention labels to documents and data stored in Exchange email, SharePoint Online, OneDrive for Business, and Teams chat and channel messages.

If you use retention labels, you should configure a label for each category of file that needs to have a retention policy applied. Within the retention label, you can specify:

- A set of descriptors for the files (for example, by business department, file category, or regulation).

- The retention settings for the files that have the retention label attached, such as retain times and behaviors after the retain time has been reached.

You can also apply a retention label to files automatically by configuring a SharePoint Online site to apply a default retention label to all new documents in the site.

For more information, see this [overview of retention labels](https://docs.microsoft.com/office365/securitycompliance/labels).
For more information, see the [overview of retention labels](https://docs.microsoft.com/office365/securitycompliance/labels).

### Sensitivity labels

Part of protecting and implementing security for specific types of documents or documents with specific contents is marking them with a label so that the additional security can be applied. With sensitivity labels in Microsoft 365, you can:

- Enforce protection settings such as encryption, permissions, or adding a watermark.

- Prevent sensitive content from leaving your organization on devices running Windows, by using endpoint protection in Microsoft Intune.

- Use Windows Information Protection (WIP) endpoint protection to prevent that content from being copied to a third-party app, such as Twitter or Gmail, or being copied to removable storage, such as a USB drive.

- Use Microsoft Cloud App Security to protect content in third-party apps and services.

- Classify content without using any protection settings.

If you use sensitivity labels, you should configure a label for each security and information protection level. For example, create three sensitivity labels for:

- Baseline

- Sensitive

- Highly regulated

For more information, see this [overview of sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/sensitivity-labels).
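Review bot: The sensitivity labels bullet "Use Windows Information Protection (WIP) endpoint protection to prevent that content from being copied ..." still has no link, even though this commit adds a dedicated WIP step page; link it to `infoprotect-deploy-windows-information-protection.md` so readers can reach the deployment guidance from here. As a smaller wording point, the retention section now ends with "see the [overview of retention labels]" while this section still ends with "see this [overview of sensitivity labels]"; use the same phrasing in both.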
Expand All @@ -97,12 +90,14 @@ If you have both sensitivity and Azure Information Protection labels, you should

For an example classification scheme that includes personal data for GDPR, see [Architect a classification schema for personal data](https://docs.microsoft.com/office365/enterprise/architect-a-classification-schema-for-personal-data).

## Take it for a test drive

|||
|:-------|:-----|
|![Test Lab Guides for the Microsoft cloud](media/m365-enterprise-test-lab-guides/cloud-tlg-icon-small.png)| [Test Lab Guide: Data classification](data-classification-microsoft-365-enterprise-dev-test-environment.md) |
|||

As an interim checkpoint, see the [exit criteria](infoprotect-exit-criteria.md#crit-infoprotect-step3) corresponding to this step.
As an interim checkpoint, see the [exit criteria](infoprotect-exit-criteria.md#crit-infoprotect-step2) corresponding to this step.

## Next step

Expand Up @@ -45,13 +45,13 @@ Office 365 ATP is only available with Microsoft 365 Enterprise E5.
|![Test Lab Guides for the Microsoft cloud](media/m365-enterprise-test-lab-guides/cloud-tlg-icon-small.png)| [Test Lab Guide: Configure increased Microsoft 365 security](increased-o365-security-microsoft-365-enterprise-dev-test-environment.md) |
|||

As an interim checkpoint, see the [exit criteria](infoprotect-exit-criteria.md#crit-infoprotect-step4) corresponding to this step.
As an interim checkpoint, see the [exit criteria](infoprotect-exit-criteria.md#crit-infoprotect-step3) corresponding to this step.

## Next step


|||
|:-------|:-----|
|![](./media/stepnumbers/Step4.png)|[Configure privileged access management](infoprotect-configure-privileged-access-management.md)|
|![](./media/stepnumbers/Step4.png)|[Configure Windows Information Protection](infoprotect-deploy-windows-information-protection.md)|


@@ -1,5 +1,5 @@
---
title: "Step 4: Configure privileged access management for Office 365"
title: "Step 6: Configure privileged access management for Office 365"
ms.author: robmazz
author: robmazz
manager: laurawi
Expand All @@ -15,7 +15,7 @@ ms.custom:
description: Understand and configure privileged access management for Office 365.
---

# Step 4: Configure privileged access management for Office 365
# Step 6: Configure privileged access management for Office 365

*This step is optional and applies only to the E5 and Advanced Compliance versions of Microsoft 365 Enterprise*

Expand All @@ -38,7 +38,7 @@ For more information, see the [Privileged access management in Office 365](https

The result of this step is that you've increased the security of Office 365 by enabling just-in-time access control for key data and configuration settings for your organization.

As an interim checkpoint, see the [exit criteria](infoprotect-exit-criteria.md#crit-infoprotect-step5) corresponding to this step.
As an interim checkpoint, see the [exit criteria](infoprotect-exit-criteria.md#crit-infoprotect-step6) corresponding to this step.

## Next Step

59 changes: 59 additions & 0 deletions microsoft-365/enterprise/infoprotect-data-loss-prevention.md
@@ -0,0 +1,59 @@
---
title: "Step 5: Configure Office 365 Data Loss Prevention"
ms.author: josephd
author: JoeDavies-MSFT
manager: laurawi
ms.date: 04/25/2019
ms.audience: ITPro
ms.topic: article
ms.service: o365-solutions
localization_priority: Priority
ms.collection:
- M365-security-compliance
- Strat_O365_Enterprise
ms.custom:
description: Understand and deploy Office 365 Data Loss Prevention in Microsoft 365.
---

# Step 5: Configure Office 365 Data Loss Prevention

*This step is optional and applies to both the E3 and E5 versions of Microsoft 365 Enterprise*

![](./media/deploy-foundation-infrastructure/infoprotection_icon-small.png)

With data loss prevention (DLP) policies in the Office 365 Security & Compliance center, you can identify, monitor, and automatically protect sensitive information across Microsoft 365. With DLP policies, you can:

- Identify sensitive information across many locations, such as Exchange Online, SharePoint Online, OneDrive for Business, and Microsoft Teams.
- Prevent the accidental sharing of sensitive information by blocking access to a document or blocking the email that contains it.
- Monitor and protect sensitive information in the desktop versions of Excel, PowerPoint, and Word.
- Help users learn how to stay compliant without interrupting their workflow with email notifications and policy tips.
- View DLP reports showing content that matches your organization's DLP policies.

A DLP policy specifies:

- **Where:** Locations such as Exchange Online, SharePoint Online, and OneDrive for Business sites, as well as Microsoft Teams chats and channels.
- **When:** Conditions the content must match within a specific policy rule.
- **How:** Actions within that matching policy rule to take automatically for the matching conditions.

In other words:

- For a document in this location (where), if the content matches the conditions of a rule (when), then automatically take the actions specified in the rule (how).

To determine the set of DLP policies you need, you must analyze your documents and the types of data within them that need protection from data loss. For example, if you are a financial organization in the United States of America, you would create a DLP policy that prevents documents with social security numbers from being shared outside the organization or sent in email to locations outside the organization.

Next, you configure and test the policies with test locations to ensure the correct DLP behavior and to minimize false positives.

Finally, you roll it out to your organization by informing the employees of the new policies and their desired behavior and widening the scope of the locations.

For more information, see [Get started with DLP policy recommendations](https://docs.microsoft.com/office365/securitycompliance/get-started-with-dlp-policy-recommendations).

As an interim checkpoint, see the [exit criteria](infoprotect-exit-criteria.md#crit-infoprotect-step5) corresponding to this step.

## Next step


|||
|:-------|:-----|
|![](./media/stepnumbers/Step6.png)|[Configure privileged access management for Office 365](infoprotect-configure-privileged-access-management.md)|


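Review bot: The exit criteria for this step require that data compliance and security staff are monitoring DLP incidents, but the procedure on this page stops at rollout ("Finally, you roll it out to your organization ...") and mentions reports only in the opening capability list. Add a closing step on reviewing DLP reports and incidents after rollout so the page leads to the criterion it links to. Two wording points in the same passage: "roll it out" has no clear antecedent after "the policies" ("roll them out" reads better), and this page says "Security & Compliance center" where the exit criteria say "Security & Compliance dashboard".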
@@ -0,0 +1,50 @@
---
title: "Step 4: Configure Windows Information Protection"
ms.author: josephd
author: JoeDavies-MSFT
manager: laurawi
ms.date: 04/25/2019
ms.audience: ITPro
ms.topic: article
ms.service: o365-solutions
localization_priority: Priority
ms.collection:
- M365-security-compliance
- Strat_O365_Enterprise
ms.custom:
description: Understand and deploy Windows Information Protection in Microsoft 365.
---

# Step 4: Configure Windows Information Protection

*This step is optional and applies to both the E3 and E5 versions of Microsoft 365 Enterprise*

![](./media/deploy-foundation-infrastructure/infoprotection_icon-small.png)

With more personal devices being used for work, there’s increased risk for apps and devices to leak private organization data. For example, an employee inadvertently sends a picture of a marketing plan for a future product to a social media site or saves a file containing highly confidential information to their public cloud storage.

Windows Information Protection (WIP) helps protect against these types of data leakage on Windows 10 devices. For more information, see [Protect your enterprise data using WIP](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip).

In Microsoft 365 Enterprise, WIP is a combination of Windows 10 Enterprise and Microsoft Intune, which is included with Enterprise Mobility + Security (EMS) in your subscription.

To deploy WIP in your organization with Microsoft 365 Enterprise:

1. Enroll your Windows devices in Intune. You should have done this in [Phase 4: Mobile Device Management](mobility-infrastructure.md).
2. Create an [Intune policy for WIP](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure).
- Ensure that you have filled out your Protected apps list.
- Choose your WIP protection level.

You can also use WIP with [System Center Configuration Manager](https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/overview-create-wip-policy-sccm).

See [WIP best practices]( https://docs.microsoft.com/windows/security/information-protection/windows-information-protection/guidance-and-best-practices-wip) for more information.

As an interim checkpoint, see the [exit criteria](infoprotect-exit-criteria.md#crit-infoprotect-step4) corresponding to this step.

## Next step


|||
|:-------|:-----|
|![](./media/stepnumbers/Step5.png)|[Configure Office 365 Data Loss Prevention](infoprotect-data-loss-prevention.md)|


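Review bot: The exit criteria added for this step say the Intune policy must define three things (which apps to protect, the level of protection, and where the protection extends), but the sub-items under step 2 here cover only the Protected apps list and the WIP protection level. Add a third sub-item for where the protection extends, or trim the criterion so the two pages agree. The `[WIP best practices]( ` link also has a stray space after the opening parenthesis of the URL.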