Using Endpoint data loss prevention

To help familiarize you with Endpoint DLP features and how they surface in DLP policies, we've put together some scenarios for you to follow.

Important

These Endpoint DLP scenarios are not the official procedures for creating and tuning DLP policies. Refer to the below topics when you need to work with DLP policies in general situations:

Tip

If you're not an E5 customer, you can try all the premium features in Microsoft Purview for free. Use the 90-day Purview solutions trial to explore how robust Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Before you begin

SKU/subscriptions licensing

For full licensing details, see Microsoft 365 licensing guidance for information protection.

Scenario 1: Create a policy from a template, audit only

These scenarios require that you already have devices onboarded and reporting into Activity explorer. If you haven't onboarded devices yet, see Get started with Endpoint data loss prevention.

  1. Open the Data loss prevention page.

  2. Choose Create policy.

  3. For this scenario, choose Privacy, then U.S. Personally Identifiable Information (PII) Data and choose Next.

  4. Toggle the Status field to off for all locations except Devices. Choose Next.

  5. Accept the default Review and customize settings from the template selection and choose Next.

  6. Accept the default Protection actions values and choose Next.

  7. Select Audit or restrict activities on Windows devices and leave the actions set to Audit only. Choose Next.

  8. Accept the default I'd like to test it out first value and choose Show policy tips while in test mode. Choose Next.

  9. Review your settings and choose Submit.

  10. The new DLP policy will appear in the policy list.

  11. Check Activity explorer for data from the monitored endpoints. Set the location filter for devices and add the policy, then filter by policy name to see the impact of this policy; see Get started with activity explorer, if needed.

  12. Attempt to share a test item that contains content that will trigger the U.S. Personally Identifiable Information (PII) Data condition with someone outside your organization. This should trigger the policy.

  13. Check Activity explorer for the event.
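Step 12 needs a test item that the template's sensitive information types will match. The following PowerShell script is an added example, not code from this page or from Microsoft: it writes a constructed text file containing synthetic, randomly generated values in the U.S. Social Security Number format (ddd-dd-dddd, area 001-665, since 000, 666 and 900-999 are never issued) with the words "SSN" and "Social Security Number" next to each one. It assumes that the U.S. PII template includes the U.S. Social Security Number type and that format plus nearby keywords is enough to reach the confidence level the "Low volume" rule uses; the script does not reproduce the type's own validation. $OutDir and the file name are assumptions.

```powershell
# Added example (not from the page): create a constructed PII test file for
# Scenario 1 step 12. Values are synthetic; the SIT matching rules are assumed.
param(
    [string]$OutDir = (Join-Path $env:USERPROFILE 'DLP-test'),  # assumed location
    [int]$Count     = 10                                         # synthetic SSNs to embed
)

function New-SyntheticSsn {
    # Stay inside the ranges a format check accepts: area 001-665,
    # group 01-99, serial 0001-9999. Get-Random's -Maximum is exclusive.
    $area   = Get-Random -Minimum 1 -Maximum 666
    $group  = Get-Random -Minimum 1 -Maximum 100
    $serial = Get-Random -Minimum 1 -Maximum 10000
    '{0:D3}-{1:D2}-{2:D4}' -f $area, $group, $serial
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Keywords sit on the same line as each value so the keyword-proximity part
# of the rule (assumed) has something to match.
$lines = foreach ($i in 1..$Count) {
    'Employee {0}: SSN {1} (Social Security Number on file)' -f $i, (New-SyntheticSsn)
}
$path = Join-Path $OutDir 'pii-test-document.txt'
Set-Content -Path $path -Value $lines -Encoding UTF8

# Keep the hash so you can later confirm the item you copied or shared is this
# exact file and not an edited copy.
[pscustomobject]@{
    Path     = $path
    Sha256   = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    SsnCount = $Count
}
```

Copy the generated file to removable media, a network share, or an external recipient as step 12 describes, then look for the event in Activity explorer. Because the policy is in Audit only mode the copy succeeds; the event is what you are checking for.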

Scenario 2: Modify the existing policy, set an alert

  1. Open the Data loss prevention page.

  2. Choose the U.S. Personally Identifiable Information (PII) Data policy that you created in scenario 1.

  3. Choose edit policy.

  4. Go to the Advanced DLP rules page and edit the Low volume of content detected U.S. Personally Identifiable Inf.

  5. Scroll down to the Incident reports section and set Send an alert to admins when a rule match occurs to On. Email alerts will be automatically sent to the administrator and anyone else you add to the list of recipients.


  6. For the purposes of this scenario, choose Send alert every time an activity matches the rule.

  7. Choose Save.

  8. Retain all your previous settings by choosing Next and then Submit the policy changes.

  9. Attempt to share a test item that contains content that will trigger the U.S. Personally Identifiable Information (PII) Data condition with someone outside your organization. This should trigger the policy.

  10. Check Activity explorer for the event.

Scenario 3: Modify the existing policy, block the action with allow override

  1. Open the Data loss prevention page.

  2. Choose the U.S. Personally Identifiable Information (PII) Data policy that you created in scenario 1.

  3. Choose edit policy.

  4. Go to the Advanced DLP rules page and edit the Low volume of content detected U.S. Personally Identifiable Inf.

  5. Scroll down to the Audit or restrict activities on Windows device section and for each activity set the corresponding action to Block with override.


  6. Choose Save.

  7. Repeat steps 4 through 6 for the High volume of content detected U.S. Personally Identifiable Inf. rule.

  8. Retain all your previous settings by choosing Next and then Submit the policy changes.

  9. Attempt to share a test item that contains content that will trigger the U.S. Personally Identifiable Information (PII) Data condition with someone outside your organization. This should trigger the policy.

    On the client device, a Block with override notification pops up for the blocked action.

  10. Check Activity explorer for the event.

Scenario 4: Avoid looping DLP notifications from cloud synchronization apps with auto-quarantine (preview)

Before you begin scenario 4

In this scenario, synchronizing files with the Highly Confidential sensitivity label to OneDrive is blocked. This is a complex scenario with multiple components and procedures. You will need:

There are three procedures.

  1. Configure the Endpoint DLP Auto-quarantine settings.
  2. Create a policy that blocks sensitive items that have the Highly Confidential sensitivity label.
  3. Create a Word document on the Windows 10 device that the policy is targeted to, apply the label, and copy it to the user account's local OneDrive folder that is being synchronized.

Configure Endpoint DLP unallowed app and Auto-quarantine settings

  1. Open Endpoint DLP settings

  2. Expand Unallowed apps.

  3. Choose Add or edit unallowed apps and add OneDrive as the display name and onedrive.exe as the executable name, to disallow onedrive.exe from accessing items that carry the Highly Confidential label.

  4. Select Auto-quarantine and Save.

  5. Under Auto-quarantine settings choose Edit auto-quarantine settings.

  6. Enable Auto-quarantine for unallowed apps.

  7. Enter the path to the folder on local machines where you want the original sensitive files to be moved to. For example:

    '%homedrive%%homepath%\Microsoft DLP\Quarantine' for the username Isaiah Langer will place the moved items in a folder named:

    C:\Users\IsaiahLanger\Microsoft DLP\Quarantine\OneDrive

    and append a date and time stamp to the original file name.

    Note

    DLP Auto-quarantine will create sub-folders for the files for each unallowed app. So if you have both Notepad and OneDrive in your unallowed apps list, a sub-folder will be created for \OneDrive and another sub-folder for \Notepad.

  8. Choose Replace the files with a .txt file that contains the following text and enter the text you want in the placeholder file. For example for a file named auto quar 1.docx:

    %%FileName%% contains sensitive info that your organization is protecting with the data loss prevention (DLP) policy %%PolicyName%% and was moved to the quarantine folder: %%QuarantinePath%%

    will leave a text file that contains this message:

    auto quar 1.docx contains sensitive info that your organization is protecting with the data loss prevention (DLP) policy and was moved to the quarantine folder: C:\Users\IsaiahLanger\Microsoft DLP\Quarantine\OneDrive\auto quar 1_20210728_151541.docx.

  9. Choose Save

Configure a policy to block OneDrive synchronization of files with the sensitivity label Highly Confidential

  1. Open the Data loss prevention page.

  2. Choose Create policy.

  3. For this scenario, choose Custom, then Custom policy and choose Next.

  4. Fill in the Name and Description fields, choose Next.

  5. Toggle the Status field to off for all locations except Devices. If you have a specific end user account that you want to test this from, be sure to select it in the scope. Choose Next.

  6. Accept the default Create or customize advanced DLP rules selection and choose Next.

  7. Create a rule with these values:

    1. Name > Scenario 4 Auto-quarantine.
    2. Conditions > Content contains > Sensitivity labels > Highly Confidential.
    3. Actions > Audit or restrict activities on Windows devices > Access by unallowed apps > Block. For the purposes of this scenario, clear all the other activities.
    4. User notifications > On.
    5. Endpoint devices > Choose Show users a policy tip notification when an activity matches the rule, if not already enabled.
  8. Choose Save and Next.

  9. Choose Turn it on right away. Choose Next.

  10. Review your settings and choose Submit.

    Note

    Allow at least an hour for the new policy to be replicated and applied to the target Windows 10 computer.

  11. The new DLP policy will appear in the policy list.

Test Auto-quarantine on the Windows 10 device

  1. Log in to the Windows 10 computer with the user account you specified in Configure a policy to block OneDrive synchronization of files with the sensitivity label Highly Confidential step 5.

  2. Create a folder whose contents will not be synchronized to OneDrive. For example:

    C:\auto-quarantine source folder

  3. Open Microsoft Word and create a file in the auto-quarantine source folder. Apply the Highly confidential sensitivity label; see Apply sensitivity labels to your files and email in Office.

  4. Copy the file you just created to your OneDrive synchronization folder. A user notification toast should appear telling you that the action is not allowed and that the file will be quarantined. For example, for user name Isaiah Langer, and a document titled auto-quarantine doc 1.docx you would see this message:


    Opening autoquarantine doc 1.docx with this app is not allowed. The file will be quarantined to 'C:\Users\IsaiahLanger\Microsoft DLP\OneDrive'

  5. Choose Dismiss.

  6. Open the placeholder text file. It will be named auto-quarantine doc 1.docx_date_time.txt.

  7. Open the quarantine folder and confirm that the original file is there.

  8. Check Activity explorer for data from the monitored endpoints. Set the location filter for devices and add the policy, then filter by policy name to see the impact of this policy; see Get started with activity explorer, if needed.

  9. Check Activity explorer for the event.
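Steps 6 and 7 verify the quarantine by hand. The following PowerShell script is an added example, not code from this page or from Microsoft, that performs the same check on the device and adds one more: it hashes the copy you left in the non-synced source folder against the quarantined file, so you know the original was moved intact and that nothing with that name was left behind in the synced folder. It assumes the quarantine root configured earlier (%homedrive%%homepath%\Microsoft DLP\Quarantine, with a per-app OneDrive sub-folder), the _yyyyMMdd_HHmmss suffix shown earlier on the page, the placeholder name from step 6, and that $OneDriveDir is the local sync root; all three paths are assumptions you should adjust.

```powershell
# Added example (not from the page): confirm the auto-quarantine outcome.
# Paths and naming conventions are assumptions taken from the scenario text.
param(
    [string]$SourceFile    = 'C:\auto-quarantine source folder\auto-quarantine doc 1.docx',
    [string]$OneDriveDir   = (Join-Path $env:USERPROFILE 'OneDrive'),   # assumed sync root
    [string]$QuarantineDir = (Join-Path "$env:HOMEDRIVE$env:HOMEPATH" 'Microsoft DLP\Quarantine\OneDrive')
)

$base = [IO.Path]::GetFileNameWithoutExtension($SourceFile)
$ext  = [IO.Path]::GetExtension($SourceFile)

# The placeholder .txt replaces the original in the synced folder
# (page: <name>.docx_date_time.txt). Take the newest if there are several.
$placeholder = Get-ChildItem -Path $OneDriveDir -Filter "${base}${ext}_*.txt" -File -ErrorAction SilentlyContinue |
               Sort-Object LastWriteTime -Descending | Select-Object -First 1

# The moved original carries a _yyyyMMdd_HHmmss suffix in the per-app sub-folder.
$pattern = '^' + [regex]::Escape($base) + '_\d{8}_\d{6}' + [regex]::Escape($ext) + '$'
$quarantined = Get-ChildItem -Path $QuarantineDir -File -ErrorAction SilentlyContinue |
               Where-Object { $_.Name -match $pattern } |
               Sort-Object LastWriteTime -Descending | Select-Object -First 1

$result = [ordered]@{
    PlaceholderFound     = [bool]$placeholder
    # Must be False: a file with the original name still in the sync folder
    # means the labeled content reached OneDrive's sync client.
    OriginalLeftInSync   = Test-Path -LiteralPath (Join-Path $OneDriveDir "$base$ext")
    QuarantinedCopyFound = [bool]$quarantined
    ContentIntact        = $false
    QuarantinedPath      = $null
    PlaceholderText      = $null
}

if ($quarantined) {
    $result.QuarantinedPath = $quarantined.FullName
    # Byte-for-byte comparison with the copy in the non-synced source folder.
    $srcHash = (Get-FileHash -LiteralPath $SourceFile -Algorithm SHA256).Hash
    $qHash   = (Get-FileHash -LiteralPath $quarantined.FullName -Algorithm SHA256).Hash
    $result.ContentIntact = ($srcHash -eq $qHash)
}
if ($placeholder) {
    $result.PlaceholderText = (Get-Content -LiteralPath $placeholder.FullName -Raw).Trim()
}

[pscustomobject]$result
```

A successful run shows PlaceholderFound, QuarantinedCopyFound and ContentIntact as True and OriginalLeftInSync as False. Run it only after the policy has replicated (the note above allows at least an hour); before that the copy simply succeeds and every field comes back False.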

Scenario 5: Restrict unintentional sharing to unallowed cloud apps and services

With Endpoint DLP and Microsoft Edge Web browser, you can restrict unintentional sharing of sensitive items to unallowed cloud apps and services. Edge understands when an item is restricted by an Endpoint DLP policy and enforces access restrictions.

When you select Devices as a location in a properly configured DLP policy and users work in Microsoft Edge, the browsers you've listed as unallowed in these settings are prevented from accessing the sensitive items that match your DLP policy controls. Users are instead redirected to Microsoft Edge, which understands the restrictions the DLP policy imposes and can block or restrict activities when the policy's conditions are met.

To use this restriction, you’ll need to configure three important pieces:

  1. Specify the places – services, domains, IP addresses – that you want to prevent sensitive items from being shared to.

  2. Add the browsers that aren’t allowed to access certain sensitive items when a DLP policy match occurs.

  3. Configure DLP policies to define the kinds of sensitive items for which upload should be restricted to these places by turning on Upload to cloud services and Access from unallowed browser.

You can continue to add new services, apps, and policies to extend and augment your restrictions to meet your business needs and protect sensitive data.

This configuration will help ensure your data remains safe while also avoiding unnecessary restrictions that prevent or restrict users from accessing and sharing non-sensitive items.

You can also audit, block with override, or block users' uploads of sensitive items to cloud apps and services through Sensitive service domains.

  1. In the Microsoft Purview compliance portal open Data loss prevention > Endpoint DLP settings > Browser and domain restrictions to sensitive data > Sensitive service domains.
  2. Select Add a new group of sensitive service domains.
  3. Name the group.
  4. Select the Match type you want: URL, IP address, or IP address range.
  5. Type in the appropriate value in the Add new service domains to this group. You can add multiple websites to a group and use wildcards to cover subdomains. For example, www.contoso.com for just the top level website or *.contoso.com for corp.contoso.com, hr.contoso.com, fin.contoso.com
  6. Select Save.
  7. Select Policies.
  8. Create and scope a policy that is applied only to Devices. See, Create, test, and tune a DLP policy for more information on how to create a policy.
  9. Create a rule that uses the condition The user accessed a sensitive site from Edge and the action Audit or restrict activities on devices.
  10. In Service domain and browser activities select Upload to a restricted cloud service domain or access from an unallowed browser and set the action to Audit only. This sets the overall action for all the site groups.
  11. Select the Sensitive site groups you want.
  12. Select Add.
  13. OPTIONAL: If you want to create an exception (usually an allowlist) to the overall action for one or more site groups, select Configure sensitive service domain exceptions, add the site group you want the exception for, configure the desired action and Save the configuration.
  14. Select the user activities you want to monitor or restrict and the actions you want DLP to take in response to those activities.
  15. Finish configuring the rule and policy and apply it.

Scenario 6: Monitor or restrict user activities on sensitive service domains

Use this scenario when you want to audit or block these user activities on a website.

  • print from a website
  • copy data from a website
  • save a website as local files

The user must be accessing the website through Microsoft Edge.

Configure Sensitive service domains

  1. In the Microsoft Purview compliance portal open Data loss prevention > Endpoint DLP settings > Browser and domain restrictions to sensitive data > Sensitive service domains.
  2. Select Add a new group of sensitive service domains.
  3. Name the group.
  4. Select the Match type you want: URL, IP address, or IP address range.
  5. Type in the appropriate value in the Add new service domains to this group. You can add multiple websites to a group and use wildcards to cover subdomains. For example, www.contoso.com for just the top level website or *.contoso.com for corp.contoso.com, hr.contoso.com, fin.contoso.com
  6. Select Save.
  7. Select Policies.
  8. Create and scope a policy that is applied only to Devices. See, Create, test, and tune a DLP policy for more information on how to create a policy.
  9. Create a rule that uses the condition The user accessed a sensitive site from Edge and the action Audit or restrict activities when users access sensitive sites in Microsoft Edge browser on Windows devices.
  10. In the action select Add or remove Sensitive site groups.
  11. Select the Sensitive site groups you want. Any website under the group(s) you select here will be redirected to Edge when opened in Chrome browser (with Purview extension installed).
  12. Select Add.
  13. Select the user activities you want to monitor or restrict and the actions you want DLP to take in response to those activities.
  14. Finish configuring the rule and policy and apply it.

Scenario 7: Authorization groups (preview)

Important

Before you can use Printer groups, Removable storage device groups, Network share groups, and Network exceptions/VPN you must register here.

These scenarios require that you already have devices onboarded and reporting into Activity explorer. If you haven't onboarded devices yet, see Get started with Endpoint data loss prevention.

Authorization groups are mostly used as allow lists. You assign policy actions to the group that differ from the global policy actions. In this scenario, we'll go through defining a printer group and then configuring a policy with block actions for all print activities except for the printers in the group. These procedures are essentially the same for Removable storage device groups and Network share groups.

In this scenario, we'll define a group of printers that the legal department uses for printing contracts. Printing contracts to any other printers is blocked.

Create and use printer groups

  1. In the Microsoft Purview compliance portal open Data loss prevention > Endpoint DLP settings > Printer groups.
  2. Select Create printer group and give the group a name. In this scenario, we'll use Legal printers.
  3. Select Add printer and provide a name. You can define printers by:
    1. Friendly printer name
    2. USB product ID
    3. USB vendor ID
    4. IP range
    5. Print to file
    6. Universal print deployed on a printer
    7. Corporate printer
    8. Print to local
  4. Select Close.

Configure policy printing actions

  1. Open the Policies tab.

  2. Select Create policy and select the custom policy template.

  3. Scope the location to only Devices.

  4. Create a rule where:

    1. Content contains = Trainable classifiers, Legal Affairs
    2. Actions = Audit or restrict activities on devices
    3. Then pick File activities on all apps
    4. Then select Apply restrictions to specific activity
    5. Select Print = Block
  5. Select Choose different print restrictions

  6. Under Printer group restrictions, select Add group and select Legal printers.

  7. Set Action = Allow.

    Tip

    The Allow action will record an audit event to the audit log, but not generate an alert or notification.

  8. Save.

  9. Accept the default I'd like to test it out first value and choose Show policy tips while in test mode. Choose Next.

  10. Review your settings and choose Submit.

  11. The new DLP policy will appear in the policy list.

Scenario 8: Network exceptions (preview)

Important

Before you can use Printer groups, Removable storage device groups, Network share groups, and Network exceptions/VPN you must register here.

These scenarios require that you already have devices onboarded and reporting into Activity explorer. If you haven't onboarded devices yet, see Get started with Endpoint data loss prevention.

In this scenario, we'll define a list of VPNs that hybrid workers use for accessing organization resources.

Create and use a Network exception

Network exceptions let you configure Allow, Audit only, Block with override, and Block actions for file activities based on the network that users access the file from. You can select from the VPN settings list you defined and the Corporate network option. The actions can be applied individually or collectively to these user activities:

  • Copy to clipboard
  • Copy to a USB removable device
  • Copy to a network share
  • Print
  • Copy or move using unallowed Bluetooth app
  • Copy or move using RDP

Get the Server address or Network address

  1. On a DLP monitored Windows device, open a Windows PowerShell window as an administrator.
  2. Run this cmdlet:

    Get-VpnConnection

  3. Running this cmdlet returns multiple fields and values.
  4. Find the ServerAddress field and record that value. You'll use this when you create a VPN entry in the VPN list.
  5. Find the Name field and record that value. The Name field maps to the Network address field when you create a VPN entry in the VPN list.
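The following PowerShell function is an added example, not code from this page or from Microsoft, that collects the two values steps 4 and 5 ask for. It also covers a case the bare cmdlet misses: Get-VpnConnection without parameters lists only the VPN profiles of the account running the shell, even in an elevated window, while profiles provisioned for all users (for example by Intune or a CSP) are returned only with -AllUserConnection. Hybrid-worker VPNs are often deployed that way, so both scopes are queried. The output column names map directly onto the VPN settings fields: ServerAddress is the Server address, Name is the Network address. The function name and the CSV file name are assumptions.

```powershell
# Added example (not from the page): gather VPN entries for the Endpoint DLP
# VPN settings list from both the per-user and the all-users profile store.
function Get-DlpVpnEntries {
    # Per-user profiles of the account running this shell.
    $perUser = Get-VpnConnection -ErrorAction SilentlyContinue |
               Select-Object Name, ServerAddress, @{ n = 'Scope'; e = { 'CurrentUser' } }

    # Profiles installed for all users on the device (Intune/CSP deployments
    # typically land here); these are invisible to the plain call above.
    $allUser = Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue |
               Select-Object Name, ServerAddress, @{ n = 'Scope'; e = { 'AllUsers' } }

    @($perUser) + @($allUser) |
        Where-Object { $_ } |                       # drop nulls from an empty scope
        Sort-Object Name, ServerAddress -Unique     # one row per Name/ServerAddress pair
}

# Display the values to type into "Add or edit VPN addresses".
Get-DlpVpnEntries | Format-Table Name, ServerAddress, Scope -AutoSize

# Optional: export for whoever maintains the VPN settings list (assumed file name).
Get-DlpVpnEntries | Export-Csv -Path .\dlp-vpn-entries.csv -NoTypeInformation
```

Run it on a device that actually has the hybrid workers' VPN profile installed; a freshly built admin workstation may return nothing from either scope.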

Add a VPN

  1. Open Microsoft Purview compliance portal > Data loss prevention > Endpoint DLP settings > VPN settings.
  2. Select Add or edit VPN addresses.
  3. Provide either the Server address or Network address from running Get-VpnConnection.
  4. Select Save.
  5. Close the item.

Configure policy actions

  1. Open the Policies tab.

  2. Select Create policy and select the custom policy template.

  3. Scope the location to only Devices.

  4. Create a rule where:

    1. Content contains = Trainable classifiers, Legal Affairs
    2. Actions = Audit or restrict activities on devices
    3. Then pick File activities on all apps
    4. Then select Apply restrictions to specific activity
    5. Select the actions that you want to configure Network exceptions for.
  5. Select Copy to clipboard and the Audit only action

  6. Select Choose different copy to clipboard restrictions.

  7. Select VPN and set the action to Block with override.

Important

When you want to control the activities of a user when they're connected through a VPN you must select the VPN and make the VPN the top priority in the Network exceptions configuration. Otherwise, if the Corporate network option is selected, then that action defined for the Corporate network entry will be enforced.

Caution

The Apply to all activities option copies the network exceptions defined here and applies them to all the other configured specific activities, such as Print and Copy to a network share. This overwrites the network exceptions on the other activities; the last saved configuration wins.

  8. Save.

  9. Accept the default I'd like to test it out first value and choose Show policy tips while in test mode. Choose Next.

  10. Review your settings and choose Submit.

  11. The new DLP policy will appear in the policy list.

See also