Get started with Endpoint data loss prevention
Endpoint data loss prevention (Endpoint DLP) is part of the Microsoft Purview Data Loss Prevention (DLP) suite of features you can use to discover and protect sensitive items across Microsoft 365 services. For more information about all of Microsoft’s DLP offerings, see Learn about data loss prevention. To learn more about Endpoint DLP, see Learn about Endpoint data loss prevention.
Microsoft Endpoint DLP allows you to monitor onboarded Windows 10 and Windows 11 devices, and onboarded macOS devices running any of the three latest released versions. Once a device is onboarded, DLP detects when sensitive items are used and shared. This gives you the visibility and control you need to ensure that they are used and protected properly, and to help prevent risky behavior that might compromise them.
If you're not an E5 customer, you can try all the premium features in Microsoft Purview for free. Use the 90-day Purview solutions trial to explore how robust Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.
Before you begin
Before you get started with Endpoint DLP, you should confirm your Microsoft 365 subscription and any add-ons. To access and use Endpoint DLP functionality, you must have one of these subscriptions or add-ons.
- Microsoft 365 E5
- Microsoft 365 A5 (EDU)
- Microsoft 365 E5 compliance
- Microsoft 365 A5 compliance
- Microsoft 365 E5 information protection and governance
- Microsoft 365 A5 information protection and governance
For full licensing details, see Microsoft 365 licensing guidance for information protection.
Configure proxy on the Windows 10 or Windows 11 device
If you are onboarding Windows 10 or Windows 11 devices, make sure that the device can communicate with the cloud DLP service. For more information, see Configure device proxy and internet connection settings for Information Protection.
Windows 10 and Windows 11 onboarding procedures
For a general introduction to onboarding Windows devices, see:
For specific guidance to onboarding Windows devices, see:
|Onboard Windows 10 or 11 devices using Group Policy||Use Group Policy to deploy the configuration package on devices.|
|Onboard Windows 10 or 11 devices using Microsoft Endpoint Configuration Manager||You can use either Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on devices.|
|Onboard Windows 10 or 11 devices using Microsoft Intune||Use Microsoft Intune to deploy the configuration package on devices.|
|Onboard Windows 10 or 11 devices using a local script||Learn how to use the local script to deploy the configuration package on endpoints.|
|Onboard non-persistent virtual desktop infrastructure (VDI) devices||Learn how to use the configuration package to configure VDI devices.|
macOS onboarding procedures
For a general introduction to onboarding macOS devices, see:
For specific guidance to onboarding macOS devices, see:
|Intune||For macOS devices that are managed through Intune.|
|Intune for Microsoft Defender for Endpoint customers||For macOS devices that are managed through Intune and that have Microsoft Defender for Endpoint (MDE) deployed to them.|
|JAMF Pro||For macOS devices that are managed through JAMF Pro.|
|JAMF Pro for Microsoft Defender for Endpoint customers||For macOS devices that are managed through JAMF Pro and that have Microsoft Defender for Endpoint (MDE) deployed to them.|
Once a device is onboarded, it should be visible in the devices list and should start reporting audit activity to Activity explorer.