Explore Endpoint data loss prevention

An organization can use Microsoft Purview Data Loss Prevention (DLP) to monitor the actions that its users take on items it has classified as sensitive, and to prevent the unintentional sharing of those items. Endpoint data loss prevention (Endpoint DLP) is part of the Microsoft Purview DLP suite of features you can use to discover and protect sensitive items across Microsoft 365 services.

Microsoft Endpoint DLP extends the activity monitoring and protection capabilities of DLP to sensitive items that users physically store on Windows 10, Windows 11, and macOS (Catalina 10.15 and higher) devices. Endpoint DLP lets you monitor onboarded Windows 10 and Windows 11 devices, and onboarded macOS devices running any of the three latest released versions.

Once a device is onboarded, Endpoint DLP detects when sensitive items are used and shared. In turn, Activity Explorer displays the information about user activity with sensitive items. This service gives you the visibility and control you need to ensure that sensitive items are used and protected properly. Organizations can then enforce protective actions on those items through DLP policies to help prevent risky behavior that might compromise them.

Tip

If you're looking for device control for removable storage, see Microsoft Defender for Endpoint Device Control Removable Storage Access Control.

In Microsoft Purview, DLP policy evaluation of sensitive items occurs centrally. As a result, there's no distribution lag: an organization doesn't have to push policies or policy updates out to individual devices. When you update a policy in the Microsoft Purview compliance portal, it generally takes about an hour for those updates to synchronize across the service. Once the updates have synchronized, the DLP policies automatically reevaluate the sensitive items on targeted devices the next time users access or modify the items.

Microsoft Endpoint DLP requirements

Before you get started with Endpoint DLP, you should confirm your Microsoft 365 subscription and any add-ons. To access and use Endpoint DLP functionality, you must have one of the following subscriptions or add-ons:

  • Microsoft 365 E5
  • Microsoft 365 A5 (EDU)
  • Microsoft 365 E5 compliance
  • Microsoft 365 A5 compliance
  • Microsoft 365 E5 information protection and governance
  • Microsoft 365 A5 information protection and governance

If you're onboarding Windows 10 or Windows 11 devices, check to make sure that the device can communicate with the cloud DLP service. For more information, see Configure device proxy and internet connection settings for Information Protection.

Endpoint activities you can monitor and take action on

Endpoint DLP enables organizations to audit and manage the following types of activities users take on sensitive items that are physically stored on Windows 10, Windows 11, or macOS devices.

Activity | Description | Windows 10 1809 and later / Windows 11 | macOS Catalina 10.15 | Auditable/restrictable
--- | --- | --- | --- | ---
Upload to cloud service, or access by unallowed browsers | Detects when a user attempts to upload an item to a restricted service domain or access an item through a browser. If they're using a browser listed in Microsoft Purview DLP as an unallowed browser, DLP blocks the upload activity. It then redirects the user to use Microsoft Edge. In turn, Microsoft Edge either allows or blocks the upload or access based on the DLP policy configuration. | Supported | Supported | Auditable and restrictable
Copy to another app, process, or item | Detects when a user attempts to copy information from a protected item and then paste it into another app, process, or item. This activity doesn't detect copying and pasting of information within the same app, process, or item. | Supported | Supported | Auditable and restrictable
Copy to USB removable media | Detects when a user attempts to copy an item or information to removable media or a USB device. | Supported | Supported | Auditable and restrictable
Copy to a network share | Detects when a user attempts to copy an item to a network share or mapped network drive. | Supported | Supported | Auditable and restrictable
Print a document | Detects when a user attempts to print a protected item to a local or network printer. | Supported | Supported | Auditable and restrictable
Copy to a remote session | Detects when a user attempts to copy an item to a remote desktop session. | Supported | Not supported | Auditable and restrictable
Copy to a Bluetooth device | Detects when a user attempts to copy an item to an unallowed Bluetooth app (as defined in the list of unallowed Bluetooth apps in the Endpoint DLP settings). | Supported | Not supported | Auditable and restrictable
Create an item | Detects when a user attempts to create an item. | Supported | | Auditable
Rename an item | Detects when a user attempts to rename an item. | Supported | | Auditable

Using Endpoint DLP

Consider the scenario in which an organization wants to block all items that contain credit card numbers from leaving the endpoints of Finance department users. In this example, Microsoft would recommend the organization:

  1. Create a policy and scope it to endpoints and to that group of users.
  2. Create a rule in the policy that detects the type of information that it wants to protect. In this case, you should set the Content contains field to Sensitive information type, and you should select Credit Card as the type of sensitive information.
  3. Set the actions for each activity to Block.
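The three steps above, expressed in Security & Compliance PowerShell, as an added example that is not part of the training module. It assumes the ExchangeOnlineManagement module is installed, uses constructed Finance user addresses, and relies on the sensitive information type name and the EndpointDlpRestrictions setting names as documented for New-DlpComplianceRule; confirm both with Get-Help in your tenant before running.

```powershell
# Added example (not from the training module): block credit-card content from
# leaving Finance endpoints, using Security & Compliance PowerShell.
# Assumptions: ExchangeOnlineManagement module installed; constructed Finance
# UPNs; setting and type names as documented for New-DlpComplianceRule.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession    # interactive sign-in to Security & Compliance PowerShell

# Constructed identities for the Finance users the policy should cover.
$financeUsers = @('alice.finance@contoso.com', 'bob.finance@contoso.com')
$policyName   = 'Finance - Block credit card egress'

# Step 1: policy scoped to the Devices location and to those users only.
# Start in test mode so Activity Explorer shows matches before anything is blocked.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Endpoint DLP: credit card numbers must not leave Finance devices' `
    -EndpointDlpLocation $financeUsers `
    -Mode TestWithNotifications

# Step 3 (prepared here): every restrictable endpoint activity set to Block.
$restrictions = @(
    @{ Setting = 'CloudEgress';    Value = 'Block' },   # upload / unallowed browser
    @{ Setting = 'CopyPaste';      Value = 'Block' },   # copy to another app
    @{ Setting = 'RemovableMedia'; Value = 'Block' },   # copy to USB media
    @{ Setting = 'NetworkShare';   Value = 'Block' },   # copy to network share
    @{ Setting = 'Print';          Value = 'Block' },   # print
    @{ Setting = 'RemoteDesktop';  Value = 'Block' },   # copy to remote session
    @{ Setting = 'Bluetooth';      Value = 'Block' }    # copy to Bluetooth app
)

# Step 2: rule whose "Content contains" condition is the Credit Card sensitive
# information type (one instance is enough to match), carrying the Block actions.
New-DlpComplianceRule -Name 'Credit card number on device' `
    -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
    -EndpointDlpRestrictions $restrictions

# Once the test period shows only expected matches, switch to enforcement.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Leaving the policy in TestWithNotifications first gives the Finance users the policy tips and gives you the Activity Explorer data described later on this page without blocking anyone.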

Creating Endpoint DLP policies to address various security and compliance issues is beyond the scope of this training. However, if you're interested in learning how to implement Endpoint DLP, see Use Endpoint data loss prevention. This article provides step-by-step instructions for addressing the following scenarios:

  • Scenario 1: Create a policy from a template, audit only
  • Scenario 2: Modify the existing policy, set an alert
  • Scenario 3: Modify the existing policy, block the action with allow override
  • Scenario 4: Avoid looping DLP notifications from cloud synchronization apps with autoquarantine
  • Scenario 5: Restrict unintentional sharing to unallowed cloud apps and services
  • Scenario 6: Monitor or restrict user activities on sensitive service domains
  • Scenario 7: Restrict pasting sensitive content into a browser
  • Scenario 8: Authorization groups
  • Scenario 9: Network exceptions

Monitored files

Endpoint DLP supports monitoring of the following file types. Microsoft Purview DLP audits the activities for these file types, even if there isn't a policy match.

  • Word files
  • PowerPoint files
  • Excel files
  • PDF files
  • .csv files
  • .tsv files
  • .txt files
  • .rtf files
  • .c files
  • .class files
  • .cpp files
  • .cs files
  • .h files
  • .java files

If an organization only wants to monitor data from policy matches, it can turn off the Always audit file activity for devices option in the Endpoint DLP global settings.

Note

If the Always audit file activity for devices setting is on, the DLP policy audits activities on every Word, PowerPoint, Excel, PDF, and .csv file, even if no policy targets the device.

Tip

To ensure that you audit activities for all supported file types, create a custom DLP policy.

File types and file extensions

File types are groupings of file formats. Each file type covers the formats used by a specific workflow or area of the business. Organizations can use one or more File types as conditions in their DLP policies.

File type | App | Monitored file extensions
--- | --- | ---
word processing | Word, PDF | .doc, .docx, .docm, .dot, .dotx, .dotm, .docb, .pdf
spreadsheet | Excel, CSV, TSV | .xls, .xlsx, .xlt, .xlm, .xlsm, .xltx, .xltm, .xlsb, .xlw, .csv, .tsv
presentation | PowerPoint | .ppt, .pptx, .pos, .pps, .pptm, .potx, .potm, .ppam, .ppsx
archive file | archive and compression tools | .zip, .zipx, .rar, .7z, .tar, .gz
email | Outlook | .pst, .ost, .msg

If the File types don't cover the file extensions an organization needs to list as a condition in a policy, it can use file extensions separated by commas instead.

Important

You can't use the file extensions options and file types options as conditions in the same rule. If you want to use them as conditions in the same policy, they must be in separate rules.

The following Windows versions support File types and File extension features:

  • Windows 10 versions 20H1/20H2/21H1 (KB 5006738)
  • Windows 10 versions 19H1/19H2 (KB 5007189)
  • Windows 10 RS5 (KB 5006744)

Enabling Device management

Device management enables the collection of customer data from devices. This data includes any information that users create, store, process, or transmit within an organization. Data types include text, images, audio, video, and other types of digital content. This information can reside on or pass through user devices such as laptops, desktops, tablets, and mobile phones.

Device management then brings this collected data into Microsoft Purview solutions like Endpoint DLP and Insider risk management. To enable device management, organizations must onboard all devices they want to include as locations in DLP policies.

You can download scripts from the Device Management center to handle the onboarding and offboarding of devices. The center has custom scripts for each of the following deployment methods:

  • Local script (up to 10 machines)
  • Group policy
  • System Center Configuration Manager (version 1610 or later)
  • Mobile Device Management/Microsoft Intune
  • VDI onboarding scripts for non-persistent machines

Tip

Use the procedures in Getting started with Microsoft 365 Endpoint DLP to onboard devices.

If you onboard devices through Microsoft Defender for Endpoint, those devices automatically appear in the list of devices. You can then turn on device monitoring to use Endpoint DLP.

Screenshot of the Device Management center showing the list of devices with monitoring enabled.

Windows 10 and Windows 11 Onboarding procedures

For a general introduction to onboarding Windows devices, see Onboard Windows devices into Microsoft 365 overview.

The following table provides specific guidance on onboarding Windows devices.

Article | Description
--- | ---
Onboard Windows 10 or 11 devices using Group Policy | Use Group Policy to deploy the configuration package on devices.
Onboard Windows 10 or 11 devices using Microsoft Endpoint Configuration Manager | You can use either Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on devices.
Onboard Windows 10 or 11 devices using Microsoft Intune | Use Microsoft Intune to deploy the configuration package on devices.
Onboard Windows 10 or 11 devices using a local script | Learn how to use the local script to deploy the configuration package on endpoints.
Onboard non-persistent virtual desktop infrastructure (VDI) devices | Learn how to use the configuration package to configure VDI devices.

macOS onboarding procedures

For a general introduction to onboarding macOS devices, see Onboard macOS devices into Microsoft Purview.

The following table provides specific guidance on onboarding macOS devices.

Article | Description
--- | ---
Intune | For macOS devices that are managed through Intune.
Intune for Microsoft Defender for Endpoint customers | For macOS devices that are managed through Intune and that have Microsoft Defender for Endpoint (MDE) deployed to them.
JAMF Pro | For macOS devices that are managed through JAMF Pro.
JAMF Pro for Microsoft Defender for Endpoint customers | For macOS devices that are managed through JAMF Pro and that have Microsoft Defender for Endpoint (MDE) deployed to them.

Once a device is onboarded, it should be visible in the devices list. It should also start reporting audit activity to Activity Explorer.

Viewing Endpoint DLP data

Organizations can view alerts related to DLP policies enforced on endpoint devices by going to the DLP Alerts Management Dashboard. You can also view details of the associated event with rich metadata in the same dashboard.

Screenshot of the Device Management center showing the event data for an alert.

Once you onboard a device, information about audited activities performed on that device flows into Activity Explorer. Microsoft 365 audits this information even before an organization configures and deploys any DLP policies that have devices as a location.

Screenshot of Activity Explorer showing a bar chart of summarized audited activity for a time period.

Endpoint DLP collects extensive information on audited activity. For example, if you copy a file to removable USB media, the system displays the following attributes in the activity details:

  • Activity type
  • Client IP
  • Target file path
  • Happened timestamp
  • File name
  • User
  • File extension
  • File size
  • Sensitive information type (if applicable)
  • Sha1 value
  • Sha256 value
  • Previous file name
  • Location
  • Parent
  • Filepath
  • Source location type
  • Platform
  • Device name
  • Destination location type
  • Application that performed the copy
  • Microsoft Defender for Endpoint device ID (if applicable)
  • Removable media device manufacturer
  • Removable media device model
  • Removable media device serial number
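A triage pass over those attributes, as an added example that is not part of the training module. The CSV is constructed from the attribute names listed above; the Activity type value 'RemovableMediaCopy' is a constructed placeholder for whatever value your Activity Explorer export uses, and the hashes and serial numbers are made up.

```powershell
# Added example (not from the training module): spot a sensitive file that is
# being copied to more than one USB device, using an Activity Explorer export.
# The CSV below is constructed; 'RemovableMediaCopy' is a placeholder value.
$export = @'
"Activity type","User","Device name","File name","Sha256 value","Sensitive information type","Removable media device serial number"
"RemovableMediaCopy","alice@contoso.com","FIN-LT-01","q3-payroll.xlsx","aaaa1111","Credit Card Number","USB-SN-0001"
"RemovableMediaCopy","alice@contoso.com","FIN-LT-01","q3-payroll.xlsx","aaaa1111","Credit Card Number","USB-SN-0002"
"RemovableMediaCopy","bob@contoso.com","FIN-LT-02","budget.docx","bbbb2222","","USB-SN-0003"
"RemovableMediaCopy","carol@contoso.com","FIN-LT-03","q3-payroll.xlsx","aaaa1111","Credit Card Number","USB-SN-0001"
"Print","alice@contoso.com","FIN-LT-01","memo.docx","cccc3333","",""
'@

function Get-RemovableMediaTriage {
    param([Parameter(Mandatory)][string]$Csv)

    # Keep only USB copies of items that matched a sensitive information type.
    $events = $Csv | ConvertFrom-Csv |
        Where-Object { $_.'Activity type' -eq 'RemovableMediaCopy' -and
                       $_.'Sensitive information type' -ne '' }

    # The Sha256 value identifies the content regardless of file name, so one
    # hash reaching several USB serials, users or devices is the item spreading.
    $events | Group-Object 'Sha256 value' | ForEach-Object {
        [pscustomobject]@{
            Sha256     = $_.Name
            FileNames  = ($_.Group.'File name' | Select-Object -Unique) -join ';'
            InfoType   = ($_.Group.'Sensitive information type' | Select-Object -Unique) -join ';'
            Users      = ($_.Group.User | Select-Object -Unique) -join ';'
            Devices    = ($_.Group.'Device name' | Select-Object -Unique) -join ';'
            UsbSerials = ($_.Group.'Removable media device serial number' | Select-Object -Unique) -join ';'
            Copies     = $_.Count
        }
    } | Sort-Object Copies -Descending
}

Get-RemovableMediaTriage -Csv $export | Format-Table -AutoSize
```

On the constructed data the first row shows q3-payroll.xlsx (hash aaaa1111) copied three times by two users onto two USB serials, which is the pattern an analyst would pivot on in the DLP Alerts Management Dashboard.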