Use Endpoint data loss prevention

To help familiarize you with Endpoint DLP features and how they surface in DLP policies, we've put together some scenarios for you to follow.

Important

These Endpoint DLP scenarios are not the official procedures for creating and tuning DLP policies. Refer to the below topics when you need to work with DLP policies in general situations:

Tip

If you're not an E5 customer, use the 90-day Microsoft Purview solutions trial to explore how additional Purview capabilities can help your organization manage data security and compliance needs. Start now at the Microsoft Purview compliance portal trials hub. Learn details about signing up and trial terms.

Before you begin

SKU/subscriptions licensing

For full licensing details, see Microsoft 365 licensing guidance for information protection.

These scenarios require that you already have devices onboarded and reporting into Activity explorer. If you haven't onboarded devices yet, see Get started with Endpoint data loss prevention.

Important

Be sure you understand the difference between an unrestricted administrator and an administrative unit restricted administrator (see Administrative units) before you start.

Scenario 1: Create a policy from a template, audit only

This scenario is for an unrestricted admin creating a full directory policy.

  1. Open the Data loss prevention page.

  2. Choose + Create policy.

  3. For this scenario, choose Privacy, then U.S. Personally Identifiable Information (PII) Data Enhanced, and then choose Next.

  4. Give your new policy a Name and Description.

  5. Under Admin units, ensure the selection is for Full directory and then Next.

  6. Toggle the Status field off for all locations except Devices. Choose Next.

  7. On the Define policy settings page, accept the default Review and customize settings from the template selection and choose Next.

  8. On the Info to protect page, accept the default values and choose Next.

  9. Accept the default Protection actions and choose Next.

  10. On the Customize access and override settings page, choose Audit or restrict activities on Devices. Accept the remaining default values and choose Next.

  11. On the Policy mode page, accept the default Run the policy in simulation mode and select Show policy tips while in simulation mode. Choose Next.

  12. Review your policy and choose Submit to create it, then choose Done. The new policy appears in the DLP Policies list.

  13. In the left navigation pane, choose Data loss prevention and then Activity explorer.

  14. Try to share a test item containing content that will trigger the U.S. Personally Identifiable Information (PII) Data condition. This should trigger the policy.

  15. Check Activity explorer for the event.

Scenario 2: Modify the existing policy, set an alert

This scenario is for an unrestricted admin modifying a full directory scoped policy.

  1. Navigate to the data loss prevention Policies page.

  2. Choose the U.S. Personally Identifiable Information (PII) Data Enhanced policy that you created in Scenario 1.

  3. Choose Edit policy.

  4. Go to the Customize advanced DLP rules page and edit the Low volume of content detected U.S. Personally Identifiable Inf.

  5. Scroll down to the Incident reports section and toggle Send an alert to admins when a rule match occurs to On. Email alerts are automatically sent to the administrator and anyone else you add to the list of recipients.

    This screenshot shows the option to turn on incident reports.

  6. For the purposes of this scenario, choose Send alert every time an activity matches the rule.

  7. Choose Save.

  8. Retain all your previous settings by choosing Next throughout the rest of the wizard, then Submit the policy changes.

  9. Try to share a test item containing content that will trigger the U.S. Personally Identifiable Information (PII) Data condition. This should trigger the policy.

  10. Check the activity explorer for the event.

Scenario 3: Modify the existing policy, block the action with allow override

This scenario is for an unrestricted admin modifying a full directory policy.

  1. Open the data loss prevention Policies page.

  2. Choose the U.S. Personally Identifiable Information (PII) Data policy that you created in Scenario 1.

  3. Choose Edit policy.

  4. Go to the Customize advanced DLP rules page and edit the Low volume of content detected U.S. Personally Identifiable Inf.

  5. Scroll down to the Audit or restrict activities on Windows device section and set both options under the Service domain and browser activities to Block with override.

    The screenshot shows the set block with override action options.

  6. Choose Save.

  7. Repeat steps 4-6 for the High volume of content detected U.S. Personally Identifiable Inf.

  8. Retain all your previous settings by choosing Next through the rest of the wizard, and then Submit the policy changes.

  9. Attempt to share a test item that contains content that will trigger the U.S. Personally Identifiable Information (PII) Data condition with someone outside your organization. This should trigger the policy.

    You see a popup like this on the client device:

     This screenshot shows the endpoint dlp client blocked override notification.

  10. Check the activity explorer for the event.

Scenario 4: Avoid looping DLP notifications from cloud synchronization apps with autoquarantine

This scenario is for an unrestricted admin creating a full directory policy.

Before you begin Scenario 4

In this scenario, synchronizing files with the Highly Confidential sensitivity label to OneDrive is blocked. This is a complex scenario with multiple components and procedures. You need:

There are three procedures.

  1. Configure the Endpoint DLP Autoquarantine settings.
  2. Create a policy that blocks sensitive items that have the Highly Confidential sensitivity label.
  3. Create a Word document on the Windows 10/11 device that the policy is targeted to, apply the label, and copy it to the user account's local OneDrive folder that is being synchronized.

Configure Endpoint DLP unallowed app and Autoquarantine settings

  1. Open Endpoint DLP settings.

  2. Expand Restricted apps and app groups.

  3. Under Restricted app groups, choose Add restricted app group. Enter Cloud Sync apps as the group name.

  4. Select the Auto-quarantine box.

  5. For the App name, enter OneDrive. For the Executable name, enter onedrive.exe, then choose the + button. This places onedrive.exe in the restricted app group; the DLP policy you create in the next procedure is what actually blocks it from accessing items with the Highly Confidential label.

  6. Choose Save.

  7. Under Auto-quarantine settings choose Edit auto-quarantine settings.

  8. Enable Auto-quarantine for unallowed apps.

  9. Enter the path to the folder on local machines where you want the original sensitive files to be moved to. For example, '%homedrive%%homepath%\Microsoft DLP\Quarantine' for the user Isaiah Langer places the moved items in a folder named:

    C:\Users\IsaiahLanger\Microsoft DLP\Quarantine\OneDrive

  10. Select Append a date and time stamp to the original file name.

    Note

    DLP auto-quarantine creates a sub-folder for each unallowed app. So if you have both Notepad and OneDrive in your unallowed apps list, a sub-folder is created for \OneDrive and another for \Notepad.

  11. Choose Replace the files with a .txt file that contains the following text and enter the text you want in the placeholder file. For example, for a file named auto quar 1.docx, entering:

    %%FileName%% contains sensitive info that your organization is protecting with the data loss prevention (DLP) policy %%PolicyName%%. It was moved to the quarantine folder: %%QuarantinePath%%

    leaves a text file that contains this message:

    auto quar 1.docx contains sensitive info that your organization is protecting with the data loss prevention (DLP) policy. It was moved to the quarantine folder: C:\Users\IsaiahLanger\Microsoft DLP\Quarantine\OneDrive\auto quar 1.docx.

  12. Choose Save.

Configure a policy to block OneDrive synchronization of files with the sensitivity label "Highly Confidential"

  1. Open the Data loss prevention page.

  2. Navigate to Data loss prevention > Policies > Create policy.

  3. For this scenario, choose Custom, then Custom policy. Choose Next.

  4. Fill in the Name and Description fields, choose Next.

  5. Select Full directory under Admin units.

  6. Toggle the Status field to off for all locations except Devices. If you have a specific end user account that you want to test this from, be sure to select it in the scope. Choose Next.

  7. Accept the default Create or customize advanced DLP rules selection and choose Next.

  8. Create a rule with these values:

    1. Name > Scenario 4 Autoquarantine.
    2. Under Conditions choose Add condition and then Content Contains.
    3. Enter a group name, for example Highly Confidential Sensitivity Labels and then choose Add.
    4. Select Sensitivity labels then Highly Confidential and choose Add.
    5. Under Actions choose Add an action.
    6. Select Audit or restrict activities on Windows devices > File activities for apps in restricted app groups.
    7. Choose Add restricted app group then choose the Cloud Sync Apps group you created previously.
    8. Choose Apply a restriction to all activity > Block. For the purposes of this scenario, clear all the other activities.
    9. Under User notifications, toggle User notifications to On and, under Endpoint devices, select the Show users a policy tip notification option if it isn't already enabled.
  9. Choose Save and Next.

  10. Choose Turn it on right away. Choose Next.

  11. Review your settings and choose Submit.

    Note

    Allow at least an hour for the new policy to be replicated and applied to the target Windows 10/11 device.

  12. The new DLP policy appears in the policy list.

Test Autoquarantine on the Windows 10/11 device

  1. Sign in to the Windows 10/11 computer with the user account you specified in Configure a policy to block OneDrive synchronization of files with the sensitivity label "Highly Confidential", step 6.

  2. Create a folder whose contents won't be synchronized to OneDrive. For example:

    C:\auto-quarantine source folder

  3. Open Microsoft Word and create a file in the autoquarantine source folder. Apply the Highly confidential sensitivity label; see Apply sensitivity labels to your files and email in Office.

  4. Copy the file you created to your OneDrive synchronization folder. A user notification toast should appear telling you that the action isn't allowed and that the file will be quarantined. For example, for user name Isaiah Langer and a document titled auto-quarantine doc 1.docx, you would see this message:

    This screenshot shows the Data loss prevention user notification message that the OneDrive synchronization action isn't allowed for the specified file and that the file will be quarantined.

    The message reads:

    Opening auto-quarantine doc 1.docx with this app is not allowed. The file will be quarantined to 'C:\Users\IsaiahLanger\Microsoft DLP\Quarantine\OneDrive'

  5. Choose Dismiss.

  6. Open the placeholder text file. It is named auto-quarantine doc 1.docx_date_time.txt.

  7. Open the quarantine folder and confirm that the original file is there.

  8. Check Activity explorer for data from the monitored endpoints. Set the location filter to Devices, add the policy filter, and filter by the policy name to see the effect of this policy. For information on using Activity explorer, see Get started with activity explorer.
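To confirm on the device itself that auto-quarantine did what the portal settings say it should, the following PowerShell script is an added example (not code from the Microsoft documentation). It assumes the quarantine path was entered exactly as '%homedrive%%homepath%\Microsoft DLP\Quarantine', that OneDrive is the only restricted app in the group (so the sub-folder is \OneDrive), that the test document is a Word file, and that the OneDrive client has set the per-user OneDrive environment variable; all of those are assumptions, not facts from the page.

```powershell
# Added example, not part of the Microsoft documentation.
# Verifies the auto-quarantine result on an onboarded Windows 10/11 device.

# Expand the path exactly as it was typed into the Purview auto-quarantine setting.
# Assumption: this is the value configured in the portal.
$configuredPath = '%homedrive%%homepath%\Microsoft DLP\Quarantine'
$quarantineRoot = [Environment]::ExpandEnvironmentVariables($configuredPath)

# DLP creates one sub-folder per unallowed app; OneDrive is the app in this scenario.
$oneDriveQuarantine = Join-Path -Path $quarantineRoot -ChildPath 'OneDrive'

if (-not (Test-Path -Path $oneDriveQuarantine)) {
    Write-Warning "Quarantine folder not found: $oneDriveQuarantine. Either nothing has been quarantined yet, or the policy has not reached this device (allow about an hour)."
    return
}

# Originals moved by DLP keep their real extension; placeholder files end in .txt.
Write-Host "Quarantined originals in $oneDriveQuarantine"
Get-ChildItem -Path $oneDriveQuarantine -File |
    Where-Object { $_.Extension -ne '.txt' } |
    Select-Object Name, Length, LastWriteTime |
    Format-Table -AutoSize

# The placeholder replaces the file where the user dropped it (the OneDrive sync folder)
# and carries the appended date/time stamp, e.g. 'auto-quarantine doc 1.docx_date_time.txt'.
# Assumption: the OneDrive client sets $env:OneDrive to the sync root, and the test file was .docx.
$oneDriveSync = $env:OneDrive
if (-not $oneDriveSync) {
    Write-Warning 'The OneDrive environment variable is not set; locate the sync folder manually.'
    return
}

Get-ChildItem -Path $oneDriveSync -Filter '*.docx_*.txt' -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        Write-Host "Placeholder: $($_.FullName)"
        # The body is the text configured under 'Replace the files with a .txt file',
        # with %%FileName%%, %%PolicyName%% and %%QuarantinePath%% substituted.
        Get-Content -Path $_.FullName -Raw
    }
```

If the original file is absent from the quarantine folder but the placeholder is present, the move failed rather than the match; if neither exists, check Activity explorer first to see whether the device reported any match for the policy at all.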

Scenario 5: Restrict unintentional sharing to unallowed cloud apps and services

This scenario is for an unrestricted admin creating a full directory policy.

With Endpoint DLP and a supported web browser, you can restrict unintentional sharing of sensitive items to unallowed cloud apps and services. Microsoft Edge understands when an item is restricted by an Endpoint DLP policy and enforces access restrictions.

Note

The following web browsers are supported:

  • Microsoft Edge
  • Chrome (with the Microsoft Purview extension for Chrome installed)
  • Firefox (with the Microsoft Purview extension for Firefox installed)

When you select Devices as a location in a properly configured DLP policy and use a supported web browser, the unallowed browsers that you've defined in these settings will be prevented from accessing the sensitive items that match your DLP policy controls. Instead, users are redirected to use Microsoft Edge, which, with its understanding of DLP imposed restrictions, can block or restrict activities when the conditions in the DLP policy are met.

To use this restriction, you need to configure three important pieces:

  1. Specify the places – services, domains, IP addresses – that you want to prevent sensitive items from being shared to.

  2. Add the browsers that aren’t allowed to access certain sensitive items when a DLP policy match occurs.

  3. Configure DLP policies to define the kinds of sensitive items for which upload should be restricted to these places by turning on Upload to cloud services and Access from unallowed browser.

You can continue to add new services, apps, and policies to extend and augment your restrictions to meet your business needs and protect sensitive data.

This configuration helps ensure your data remains safe while also avoiding unnecessary restrictions that prevent or restrict users from accessing and sharing nonsensitive items.

You can also audit, block with override, or block users from uploading sensitive items to cloud apps and services by using Sensitive service domains.

  1. In the Microsoft Purview compliance portal, navigate to Data loss prevention > Settings > Endpoint settings > Browser and domain restrictions to sensitive data > Sensitive service domain groups.

  2. Select Create sensitive service domain group.

  3. Name the group.

  4. Enter the Sensitive service domain for the group. You can add multiple websites to a group and use wildcards to cover subdomains. For example, www.contoso.com for just the top level website, or: *.contoso.com for corp.contoso.com, hr.contoso.com, fin.contoso.com.

  5. Select the Match type you want. You can select from URL, IP address, IP address range.

  6. Select Save.

  7. In the left navigation pane, select Data loss prevention > Policies.

  8. Create and scope a policy that is applied only to the Devices location. For more information on how to create a policy, see Create and Deploy data loss prevention policies. Be sure to scope the Admin units to Full directory.

  9. On the Define policy settings page, select Create or customize advanced DLP rules and choose Next.

  10. Create a rule, as follows:

    1. Under Conditions, select + Add condition and select Content contains from the drop-down menu.
    2. Give the group a name and select a Group operation option.
    3. Choose Add and then select Sensitive info types.
    4. Select a Sensitive info type from the flyout pane, then choose Add.
    5. Add the action Audit or restrict activities on devices.
    6. Under Service domain and browser activities, choose Upload to a restricted cloud service domain or access from an unallowed browser and set the action to Audit only.
    7. Select + Choose different restrictions for sensitive service domains and then choose Add group.
    8. On the Choose sensitive service domain groups flyout, select the sensitive service domain group(s) you want, choose Add and then choose Save.
    9. Under File activities for all apps, select the user activities you want to monitor or restrict and the actions for DLP to take in response to those activities.
    10. Finish creating the rule and choose Save and then Next.
    11. On the Policy mode page, choose Turn it on right away. Choose Next and then Submit.
    12. On the confirmation page, choose Done.

Scenario 6: Monitor or restrict user activities on sensitive service domains

This scenario is for an unrestricted admin creating a full directory policy.

Use this scenario when you want to audit or block the following user activities on a website.

  • print from a website
  • copy data from a website
  • save a website as local files

Note

The following web browsers are supported:

  • Microsoft Edge
  • Chrome (with the Microsoft Purview extension for Chrome installed)
  • Firefox (with the Microsoft Purview extension for Firefox installed)

Configure Sensitive service domains

  1. In the Microsoft Purview compliance portal open Data loss prevention > Settings > Endpoint settings > Browser and domain restrictions to sensitive data > Sensitive service domains.

  2. To control whether sensitive files can be uploaded to specific domains, select Add cloud service domain.

  3. Enter the domain that you want to audit or block and choose the + button. Repeat for any additional domains. Choose Save.

  4. Under Sensitive service domain groups, choose Create sensitive service domain group.

  5. Give the group a name, select the Match type you want (you can select from URL, IP address, IP address range), and enter the URL, IP address, or IP address range to be audited or blocked. When matching a URL, you can add multiple websites to a group and use wildcards to cover subdomains. For example, www.contoso.com for just the top level website or *.contoso.com for corp.contoso.com, hr.contoso.com, fin.contoso.com.

  6. Select Save.

  7. In the left navigation pane, select Data loss prevention > Policies.

  8. Create and scope a policy that is applied only to the Devices location. See, Create and Deploy data loss prevention policies for more information on how to create a policy. Be sure to scope the Admin units to Full directory.

  9. Create a rule that uses the condition the user accessed a sensitive site from Edge, and the action Audit or restrict activities when users access sensitive sites in Microsoft Edge browser on Windows devices.

  10. In the action, under Sensitive Site Restrictions, select Add or remove Sensitive site groups.

  11. Create and/or select the Sensitive site groups you want. Any website under the group(s) you select here will be redirected to Microsoft Edge when opened in Chrome or Firefox (so long as the Microsoft Purview extension is installed).

  12. Select Add.

  13. Select the user activities you want to monitor or restrict and the actions you want Microsoft Purview to take in response to those activities.

  14. Finish configuring the rule and policy and choose Submit and then Done.

Scenario 7: Restrict pasting sensitive content into a browser

This scenario is for restricting users from pasting sensitive content into a browser web form or field on browsers including Microsoft Edge, Google Chrome (with the Microsoft Purview extension), and Mozilla Firefox (with the Microsoft Purview extension).

Important

If you have configured evidence collection for file activities on devices and your Antimalware Client Version on the device is older than 4.18.23110, when you implement this scenario, Restrict pasting sensitive content into a browser, you will see random characters when you attempt to view the source file in Alert details. To see the actual source file text, you should download the file.

Create your DLP policy

You can set up different levels of enforcement when it comes to blocking data from being pasted into a browser. To do this, create different URL groups. For instance, you can create a policy that warns users against posting U.S. Social Security Numbers (SSN) to any website, and that triggers an audit action for websites in Group A. You can create another policy that completely blocks the paste action--without giving a warning--for all of the websites in Group B.

Create a URL group

  1. Open the Microsoft Purview compliance portal and navigate to Data loss prevention > Settings > Endpoint settings, and scroll down to Browser and domain restrictions to sensitive data. Expand the section.

  2. Scroll down to Sensitive service domain groups.

  3. Choose Create sensitive service domain group.

    1. Enter a Group name.
    2. In the Sensitive service domain field, enter the URL for the first website you want to monitor and then choose Add site.
    3. Continue adding URLs for the rest of the websites you want to monitor in this group.
    4. When you are finished adding all URLs to your group, choose Save.
  4. Create as many separate groups of URLs as you need.

Restrict pasting content into a browser

  1. Create a DLP policy scoped to Devices. For information on how to create a DLP policy, see Create and Deploy data loss prevention policies.

  2. On the Define policy settings page in the DLP policy creation flow, select Create or customize advanced DLP rules and then choose Next.

  3. On the Customize advanced DLP rules page, choose Create rule.

  4. Enter a name and description for the rule.

  5. Expand Conditions, choose Add condition, and then select Content contains.

  6. Under Content Contains, choose Add, select Sensitive info types, and then select the sensitive information type you want to detect (for example, U.S. Social Security Number (SSN)).

  7. Scroll down to the Actions section, and choose Add an action.

  8. Choose Audit or restrict activities on devices

  9. In the Actions section, under Service domain and browser activities, select Paste to supported browsers.

  10. Set the restriction to Audit, Block with override, or Block, and then choose Add.

  11. Choose Save.

  12. Choose Next.

  13. Choose whether you want to test your policy, turn it on right away, or keep it off, and then choose Next.

  14. Choose Submit.

Important

There may be a brief lag between when the user attempts to paste text into a web page and when the system finishes classifying it and responds. If this classification latency happens, you might see both a policy-evaluation and a check-complete notification in Edge, or a policy-evaluation toast in Chrome and Firefox. Here are some tips for minimizing the number of notifications:

  1. Notifications are triggered when the paste-to-browser action for the target website is configured as Block or Block with override for that user. You can set the overall action to Audit and then list the target websites as exceptions with the Block action. Alternately, set the overall action to Block and then list trusted websites as exceptions with the Audit action.
  2. Use the latest Antimalware client version.
  3. Use the latest Microsoft Edge version (Edge 120 or later).
  4. Install these Windows KBs

Scenario 8: Authorization groups

This scenario is for an unrestricted admin creating a full directory policy.

These scenarios require that you already have devices onboarded and reporting into Activity explorer. If you haven't onboarded devices yet, see Get started with Endpoint data loss prevention.

Authorization groups are mostly used as allowlists: you assign policy actions to the group that differ from the global policy actions. In this scenario, we define a printer group and then configure a policy with block actions for all print activities except for the printers in the group. The procedure is essentially the same for Removable storage device groups and Network share groups.

In this scenario, we define a group of printers that the legal department uses for printing contracts. Printing contracts to any other printers is blocked.

Create and use printer groups

  1. In the Microsoft Purview compliance portal open Data loss prevention > Settings > Endpoint settings > Printer groups.

  2. Select Create printer group and enter a Group name. In this scenario, we use Legal printers.

  3. Select Add printer and provide a name. You can define printers by:

    1. Friendly printer name
    2. USB product ID
    3. USB vendor ID
    4. IP range
    5. Print to file
    6. Universal print deployed on a printer
    7. Corporate printer
    8. Print to local
  4. Select Close.

Configure policy printing actions

  1. Navigate to Data loss prevention > Policies.

  2. Select Create policy and select the custom policy template.

  3. Select Full directory under Admin units.

  4. Scope the location to only the Devices location.

  5. Create a rule with the following values:

    1. Add a Condition: Content contains = Trainable classifiers, Legal Affairs
    2. Actions = Audit or restrict activities on devices
    3. Then pick File activities on all apps
    4. Then select Apply restrictions to specific activity
    5. Select Print = Block
  6. Select Choose different print restrictions

  7. Under Printer group restrictions, select Add group and select Legal printers.

  8. Set Action = Allow.

    Tip

    The Allow action records an audit event in the audit log but doesn't generate an alert or notification.

  9. Select Save and then Next.

  10. Accept the default Run the policy in simulation mode value and choose Show policy tips while in simulation mode. Choose Next.

  11. Review your settings and choose Submit.

  12. The new DLP policy appears in the policy list.

Scenario 9: Network exceptions

This scenario is for an unrestricted admin creating a full directory policy.

These scenarios require that you already have devices onboarded and reporting into Activity explorer. If you haven't onboarded devices yet, see Get started with Endpoint data loss prevention.

In this scenario, we define a list of VPNs that hybrid workers use for accessing organization resources.

Create and use a Network exception

Network exceptions enable you to configure Allow, Audit only, Block with override, and Block actions to the file activities based on the network that users are accessing the file from. You can select from the VPN settings list you've defined and use the Corporate network option. The actions can be applied individually or collectively to these user activities:

  • Copy to clipboard
  • Copy to a USB removable device
  • Copy to a network share
  • Print
  • Copy or move using unallowed Bluetooth app
  • Copy or move using RDP

Get the Server address or Network address

  1. On a DLP monitored Windows device, open a Windows PowerShell window as an administrator.

  2. Run this cmdlet:

    Get-VpnConnection
    
  3. Running this cmdlet returns multiple fields and values.

  4. Find the ServerAddress field and record that value. You use this when you create a VPN entry in the VPN list.

  5. Find the Name field and record that value. The Name field maps to the Network address field when you create a VPN entry in the VPN list.
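The following script is an added example (not code from the Microsoft documentation) that collects the two values the VPN list needs from an onboarded device in one pass. It uses only Get-VpnConnection and its documented -AllUserConnection switch; the column names and the CSV path are choices made for this example, not anything the portal requires.

```powershell
# Added example, not part of the Microsoft documentation.
# Gathers the Server address and Network address values for the Purview VPN settings
# list from an onboarded Windows device. Run from an elevated PowerShell session.

$entries = @()

# Connections defined for the current user (what Get-VpnConnection returns by default).
foreach ($vpn in @(Get-VpnConnection -ErrorAction SilentlyContinue)) {
    if ($null -eq $vpn) { continue }
    $entries += [PSCustomObject]@{
        ServerAddress  = $vpn.ServerAddress   # maps to the Server address field in the VPN list
        NetworkAddress = $vpn.Name            # maps to the Network address field in the VPN list
        Scope          = 'CurrentUser'
    }
}

# Connections created for all users on the device are not returned by the default call,
# so query them separately; hybrid-worker VPNs deployed by IT are often defined this way.
foreach ($vpn in @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)) {
    if ($null -eq $vpn) { continue }
    $entries += [PSCustomObject]@{
        ServerAddress  = $vpn.ServerAddress
        NetworkAddress = $vpn.Name
        Scope          = 'AllUsers'
    }
}

if ($entries.Count -eq 0) {
    Write-Warning 'No VPN connections are defined on this device; the VPN list cannot be populated from here.'
    return
}

$entries | Format-Table -AutoSize

# Assumption for this example: hand the values to the Purview admin as a CSV.
$csvPath = Join-Path -Path $env:TEMP -ChildPath 'purview-vpn-entries.csv'
$entries | Export-Csv -Path $csvPath -NoTypeInformation
Write-Host "Written to $csvPath"
```

Collect this from a device that actually uses the VPN profile you intend to match, because a connection name that exists only on an admin workstation will not match the Name on users' devices; the ServerAddress is the more stable of the two values to enter.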

Add a VPN

  1. Open Microsoft Purview compliance portal > Data loss prevention > Settings > Endpoint settings > VPN settings.

  2. Select Add or edit VPN addresses.

  3. Provide either the Server address or Network address from running Get-VpnConnection.

  4. Select Save.

  5. Close the item.

Configure policy actions

  1. Open Data loss prevention > Policies.

  2. Select Create policy and select the custom policy template.

  3. Select Full directory under Admin units.

  4. Scope the location to Devices only.

  5. Create a rule where:

    1. Content contains = Trainable classifiers, Legal Affairs
    2. Actions = Audit or restrict activities on devices
    3. Then pick File activities on all apps
    4. Then select Apply restrictions to specific activity
    5. Select the actions that you want to configure Network exceptions for.
  6. Select Copy to clipboard and the Audit only action

  7. Select Choose different copy to clipboard restrictions.

  8. Select VPN and set the action to Block with override.

    Important

    When you want to control the activities of a user when they're connected through a VPN you must select the VPN and make the VPN the top priority in the Network exceptions configuration. Otherwise, if the Corporate network option is selected, then that action defined for the Corporate network entry will be enforced.

    Caution

    The Apply to all activities option copies the network exceptions that are defined here and applies them to all the other configured specific activities, like Print and Copy to a network share. This overwrites the network exceptions on the other activities; the last saved configuration wins.

  9. Save.

  10. Accept the default Run the policy in simulation mode value and choose Show policy tips while in simulation mode. Choose Next.

  11. Review your settings and choose Submit and then Done.

  12. The new DLP policy appears in the policy list.

See also