Endpoint data loss prevention (Endpoint DLP) is part of the Microsoft Purview Data Loss Prevention (DLP) suite of features you can use to discover and protect sensitive items across Microsoft 365 services. For more information about all of Microsoft's DLP offerings, see Learn about data loss prevention. To learn more about Endpoint DLP, see Learn about Endpoint data loss prevention.
Microsoft Endpoint DLP allows you to monitor onboarded Windows 10 and Windows 11 devices, and onboarded macOS devices running any of the three latest released versions. Once a device is onboarded, DLP detects when sensitive items are used and shared. This gives you the visibility and control you need to ensure that they're used and protected properly, and to help prevent risky behavior that might compromise them.
Before you get started with Endpoint DLP, you should confirm your Microsoft 365 subscription and any add-ons. To access and use Endpoint DLP functionality, you must have one of these subscriptions or add-ons.
Microsoft 365 E5
Microsoft 365 A5 (EDU)
Microsoft 365 E5 compliance
Microsoft 365 A5 compliance
Microsoft 365 E5 information protection and governance
Microsoft 365 A5 information protection and governance
You can use either Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on devices.
Learn how to use the configuration package to configure VDI devices.
Endpoint DLP support for virtualized environments
You can onboard virtual machines as monitored devices in Microsoft Purview compliance portal. There's no change to the onboarding procedures listed above.
The table that follows lists the virtual operating systems that are supported by virtualization environments.

| Virtualization platform | Windows 10 | Windows 11 | Windows Server 2019 | Windows Server 2022 21H2, 22H2, Data Center |
|---|---|---|---|---|
| Azure virtual desktop (AVD) | Single session supported for 21H2, 22H2; Multi session supported for 21H2, 22H2 | Single session supported for 21H2, 22H2; Multi session supported for 21H2, 22H2 | Single session and Multi session supported. | Supported |
| Windows 365 | Supported for 21H2, 22H2 | Supported for 21H2, 22H2 | Not applicable | Not applicable |
| Citrix Virtual Apps and Desktops 7 (2209 and higher) | Single session supported for 21H2, 22H2; Multi session supported for 21H2, 22H2 | Single session supported for 21H2, 22H2; Multi session supported for 21H2, 22H2 | Supported | Supported |
| Amazon workspaces | Single session supported for 21H2, 22H2 | Not applicable | Windows 10 powered by Windows Server 2019 | Not applicable |
| Hyper-V | Single session supported for 21H2, 22H2; Multi session with Hybrid AD join supported for 21H2, 22H2 | Single session supported for 21H2, 22H2; Multi session with Hybrid AD join supported for 21H2, 22H2 | Supported with Hybrid AD join | Supported with Hybrid AD join |
Known issues
Copy to Clipboard monitoring and Endpoint DLP enforcement aren't available for browser-based access to Azure Virtual Desktop environments. However, the same egress operation is monitored by Endpoint DLP when the action is performed through a Remote Desktop Session (RDP).
Citrix XenApp doesn't support access by restricted app monitoring.
Limitations
Handling of USBs in virtualized environments: USB storage devices are treated as network shares. You need to include the Copy to network share activity to monitor Copy to a USB device. All activity explorer events for virtual devices and incident alerts show the Copy to a network share activity for all copy to USB events.
macOS onboarding procedures
For a general introduction to onboarding macOS devices, see: