Is it possible to use Microsoft Endpoint DLP without using Defender? We want to use Endpoint DLP and Data Discovery, classification but not Defender for antivirus.

Naveen Kumar 0 Reputation points
2023-06-21T08:32:59.9166667+00:00

We would like to use Microsoft Endpoint DLP features and policies like block snapshot, prevent copy, paste, print, etc. on endpoints, but do not want to use Defender for antivirus (we use another product instead). Is it possible to use Endpoint DLP features without using Defender features or policies?

Microsoft Security Microsoft Defender Microsoft Defender for Cloud
Microsoft Security Microsoft Purview

2 answers

  1. Tatu Seppälä 20 Reputation points MVP
    2024-10-08T12:18:13.11+00:00

    Some of the information above might be inaccurate as of October 2024. A traditional path to onboard devices into Purview has been to first onboard them into Defender for Endpoint, which (when Purview device onboarding is turned on) automatically onboards them also into Purview.

    Before June 2024, the local service for Defender for Endpoint (MsMpEng.exe) also handled tasks related to Purview Endpoint DLP. After June 2024, Microsoft separated Endpoint DLP functionalities into their own dedicated local process, MpDlpService.exe. This change was communicated in the Message Center item MC793918.

    Do note that Defender for Endpoint (MDE) is not the same here as Defender Antivirus.

    As to whether onboarding to MDE is a hard requirement, it's a bit murky - but leaning towards yes for now. If you grab the device onboarding scripts from the portals for Purview and Defender for Endpoint and compare them with a diff tool, there is almost no variation between the two.

    In fact, the only significant alteration between them is the geoLocationUrl entry written into the registry during onboarding, with the script provided by my Purview portal writing the value "https://edr-neu3.eu.endpoint.security.microsoft.com/edr/" and my Defender for Endpoint portal's script using "https://winatp-gw-neu3.microsoft.com" instead. The two are otherwise identical.

    We'll see if truly separate onboarding to Purview without any MDE tie-ins becomes a thing eventually with the Endpoint DLP application now separated in Windows already. That said, I'm not aware of Defender Antivirus being a requirement at all.

    Endpoint DLP (like all Purview workloads) uses an array of different methods to classify sensitive information. Classifiers based on RegEx, keywords and functions are called Sensitive Information Types (SITs) and there are hundreds of them built-in. That said, there are also built-in machine learning classifiers available, alongside other methods like Document Fingerprint based SITs and Exact Data Match classifiers. All of these largely work in Endpoint DLP as well but in some cases require Advanced classification scanning and protection to be configured as well.

    2 people found this answer helpful.
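
The script comparison described in the answer above can be repeated programmatically before deployment. This is an added example, not part of the original post and not Microsoft tooling. The script layout, registry path and orgId in the sample are constructed assumptions; only the two geoLocationUrl values come from the answer.

```python
import difflib
import re

# One "key":"value" pair from the onboarding blob; \\* tolerates the backslash
# escaping that a .cmd file puts in front of each quote.
PAIR = re.compile(r'(\\*"([A-Za-z]\w*)\\*"\s*:\s*\\*")([^"\\]*)(\\*")')

def onboarding_fields(script_text):
    """Return {key: value} for every quoted key/value pair in the script."""
    return {m.group(2): m.group(3) for m in PAIR.finditer(script_text)}

def field_differences(script_a, script_b):
    """Return {key: (value_a, value_b)} for fields whose values differ."""
    a, b = onboarding_fields(script_a), onboarding_fields(script_b)
    return {k: (a.get(k), b.get(k)) for k in sorted(a.keys() | b.keys())
            if a.get(k) != b.get(k)}

def structural_differences(script_a, script_b):
    """Diff the scripts with field values masked, exposing any other change."""
    masked = [PAIR.sub(r"\1<masked>\4", s).splitlines()
              for s in (script_a, script_b)]
    return [line for line in difflib.ndiff(*masked) if line[:2] in ("- ", "+ ")]

# Constructed sample input: the layout (a REG add line carrying an escaped JSON
# blob), the registry path and the orgId are placeholders, not a real package.
TEMPLATE = (
    '@echo off\n'
    'REG add "HKLM\\SOFTWARE\\Example\\Onboarding" /v OnboardingInfo /t REG_SZ /f /d '
    '"{\\"orgId\\":\\"00000000-0000-0000-0000-000000000000\\",'
    '\\"geoLocationUrl\\":\\"%s\\"}"\n'
)
# The two URL values are the ones quoted in the answer.
PURVIEW_SCRIPT = TEMPLATE % "https://edr-neu3.eu.endpoint.security.microsoft.com/edr/"
MDE_SCRIPT = TEMPLATE % "https://winatp-gw-neu3.microsoft.com"

if __name__ == "__main__":
    changed = field_differences(PURVIEW_SCRIPT, MDE_SCRIPT)
    for key, (purview, mde) in changed.items():
        print(f"{key}: Purview={purview}  MDE={mde}")
    other = structural_differences(PURVIEW_SCRIPT, MDE_SCRIPT)
    print("other changes:", other or "none")
```

Run against the two real scripts read from disk, an empty result from `structural_differences` confirms that nothing other than field values differs, which is the condition the answer describes.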

  2. Bhargava-MSFT 31,261 Reputation points Microsoft Employee Moderator
    2023-06-21T18:18:40.4566667+00:00

    Hello Naveen Kumar,

    Welcome to the MS Q&A platform.

    Endpoint DLP is a feature of Microsoft Endpoint Manager that allows you to create policies to protect sensitive data on your endpoints. These policies can be used to block actions like taking screenshots, copying and pasting, and printing, as well as to discover and classify sensitive data on your endpoints.

    Defender Antivirus is a separate feature of Microsoft Endpoint Manager that provides antivirus and antimalware protection for your endpoints. While Endpoint DLP and Defender Antivirus are separate features, some Endpoint DLP policies may require Defender Antivirus to be installed and running on the endpoint to function correctly.

    For example, the "File Classification Infrastructure" policy requires Defender Antivirus to be installed and running on the endpoint to classify files based on their content. This is because Defender Antivirus uses machine learning models to classify files based on their content, and the File Classification Infrastructure policy uses these models.

    So, while it is possible to use Endpoint DLP without using Defender Antivirus, some policies may require it to be installed and running on the endpoint.

    I hope this helps. Please let me know if you have any further questions.

