Step 7. Implement data loss prevention (DLP) with information protection capabilities

If your organization has already put the time into understanding your data, developing a data sensitivity schema, and applying the schema, you might be ready to extend elements of this schema to endpoints by using Microsoft Purview data loss prevention (DLP) policies.

Endpoint data loss prevention (Endpoint DLP) currently applies to:

  • Windows 10, Windows 11
  • macOS

DLP policies are created by your information protection and governance team. Each DLP policy defines what elements within a data set to look for, like sensitive information types or labels, and how to protect this data.

For example, a DLP policy can look for personal data like a passport number. The DLP policy will include a condition that triggers the policy to take action, such as when a passport number is shared with people outside your organization. The action the policy takes can be configured as well. Options range from simply reporting the action to admins, warning users, or even preventing the data from being shared.

The DLP policy also specifies the location to apply the policy to, such as Exchange email and SharePoint sites. One of the locations available to admins is devices. If devices is selected, you can specify which users and user groups to apply the policy to. You can also specify users and user groups to exclude from the policy.

If your information protection and governance team is ready to extend DLP policies to endpoints, you’ll need to coordinate with them to enable devices for Endpoint DLP, test and tune DLP policies, train users, and monitor the results.

Endpoint DLP steps for the device admin

Use the following steps to work with your information protection team.

Step Description
1 Learn about Endpoint data loss prevention.
2 Enable devices for Endpoint DLP. If you onboarded devices to Microsoft Defender for Endpoint, your devices are already enabled for Endpoint DLP. If your devices are not onboarded to Defender for Endpoint, see Get started with Endpoint data loss prevention for instructions.
3 Work with your information protection and governance team to define, test, and tune policies. This includes monitoring the results. See these resources:
- Using Endpoint data loss prevention
- View the reports for data loss prevention