Get started with endpoint data loss prevention
Endpoint data loss prevention (Endpoint DLP) is part of the Microsoft Purview Data Loss Prevention (DLP) suite of features you can use to discover and protect sensitive items across Microsoft 365 services. For more information about all of Microsoft's DLP offerings, see Learn about data loss prevention. To learn more about Endpoint DLP, see Learn about Endpoint data loss prevention
Microsoft Endpoint DLP allows you to monitor onboarded Windows 10, and Windows 11 and onboarded macOS devices running any of the three latest released versions. Once a device is onboarded, DLP detects when sensitive items are used and shared. This gives you the visibility and control you need to ensure that they're used and protected properly, and to help prevent risky behavior that might compromise them.
Tip
Get started with Microsoft Copilot for Security to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Copilot for Security in Microsoft Purview.
Before you begin
SKU/subscriptions licensing
Before you get started with Endpoint DLP, you should confirm your Microsoft 365 subscription and any add-ons. To access and use Endpoint DLP functionality, you must have one of these subscriptions or add-ons.
- Microsoft 365 E5
- Microsoft 365 A5 (EDU)
- Microsoft 365 E5 compliance
- Microsoft 365 A5 compliance
- Microsoft 365 E5 information protection and governance
- Microsoft 365 A5 information protection and governance
For full licensing details, see Microsoft 365 licensing guidance for information protection
Configure proxy on the Windows 10 or Windows 11 device
If you're onboarding Windows 10 or Windows 11 devices, check to make sure that the device can communicate with the cloud DLP service. For more information, see, Configure device proxy and internet connection settings for Information Protection.
Windows 10 and Windows 11 Onboarding procedures
For a general introduction to onboarding Windows devices, see:
For specific guidance to onboarding Windows devices, see:
| Article | Description |
|---|---|
| Onboard Windows 10 or 11 devices using Group Policy | Use Group Policy to deploy the configuration package on devices. |
| Onboard Windows 10 or 11 devices using Microsoft Endpoint Configuration Manager | You can use either use Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on devices. |
| Onboard Windows 10 or 11 devices using Microsoft Intune | Use Microsoft Intune to deploy the configuration package on device. |
| Onboard Windows 10 or 11 devices using a local script | Learn how to use the local script to deploy the configuration package on endpoints. |
| Onboard non-persistent virtual desktop infrastructure (VDI) devices | Learn how to use the configuration package to configure VDI devices. |
Endpoint DLP support for virtualized environments
You can onboard virtual machines as monitored devices in Microsoft Purview compliance portal. There's no change to the onboarding procedures listed above.
The table that follows lists the virtual operating systems that are supported by virtualization environments.
| Virtualization platform |
Windows 10 | Windows 11 | Windows Server 2019 | Windows Server 2022 21H2, 22H2, Data Center |
|---|---|---|---|---|
| Azure virtual desktop (AVD) |
|
|
Single session and Multi session supported. | Supported |
| Windows 365 |
|
|
Not applicable | Not applicable |
| Citrix Virtual Apps and Desktops 7 (2209 and higher) |
|
|
Supported | Supported |
| Amazon workspaces |
|
Not applicable |
|
Not applicable |
| Hyper-V |
|
|
Supported with Hybrid AD join | Supported with Hybrid AD join |
Known issues
- You can't monitor Copy to Clipboard and Enforcing Endpoint DLP on Azure Virtual Desktop environments via browsers. However, the same egress operation will be monitored by Endpoint DLP for actions via Remote Desktop Session (RDP).
- Citrix XenApp doesn't support access by restricted app monitoring.
Limitations
- Handling of USBs in virtualized environments: USB storage devices are treated as network shares. You need to include the Copy to network share activity to monitor Copy to a USB device. All activity explorer events for virtual devices and incident alerts show the Copy to a network share activity for all copy to USB events.
macOS onboarding procedures
For a general introduction to onboarding macOS devices, see:
For specific guidance to onboarding macOS devices, see:
| Article | Description |
|---|---|
| Intune | For macOS devices that are managed through Intune |
| Intune for Microsoft Defender for Endpoint customers | For macOS devices that are managed through Intune and that have Microsoft Defender for Endpoint (MDE) deployed to them |
| JAMF Pro) | For macOS devices that are managed through JAMF Pro |
| JAMF Pro for Microsoft Defender for Endpoint customers) | For macOS devices that are managed through JAMF Pro and that have Microsoft Defender for Endpoint (MDE) deployed to them |
Once a device is onboarded, it should be visible in the devices list, and should start reporting audit activity to Activity explorer.
See also
- Learn about Endpoint data loss prevention
- Using Endpoint data loss prevention
- Learn about data loss prevention
- Create and Deploy data loss prevention policies
- Get started with Activity explorer
- Microsoft Defender for Endpoint
- Onboarding tools and methods for Windows machines
- Microsoft 365 subscription
- Microsoft Entra joined devices
- Download the new Microsoft Edge based on Chromium