Configure advanced DLP rules for devices in DLP policies
Supported virtualization
You can include virtual machines as monitored devices in the Microsoft Purview compliance portal, and the onboarding procedures remain the same as those listed above.
Onboarding
Endpoint Data Loss Prevention (Endpoint DLP) and Insider Risk Management necessitate the onboarding of Windows 10 and Windows 11 devices into the service. This enables these devices to transmit monitoring data to the services.
Endpoint DLP provides the capability to oversee Windows 10 and Windows 11 devices, identifying the usage and sharing of sensitive items. This grants the necessary visibility and control to ensure proper use and protection, as well as the prevention of potentially harmful actions that could jeopardize these devices.
Permissions
To enable device management, your account should be in one of these roles:
- Global admin
- Security admin
- Compliance admin
For custom accounts to access device management settings, they should be in one of these roles:
- Global admin
- Compliance admin
- Compliance data admin
- Global reader
For onboarding/offboarding access, use one of these roles:
- Global admin
- Compliance admin
To control device monitoring, your custom account should have one of these roles:
- Global admin
- Compliance admin
PowerShell script
I will use a PowerShell script in my demo case; the script has been optimized for use on up to 10 devices.
If you want to onboard Defender for Endpoint devices, you have to turn on Device onboarding at https://compliance.microsoft.com/compliancesettings/deviceonboarding. This is a requirement to onboard any device, even with the script.
Regardless of whether you already have onboarded devices, you’ll be able to onboard new ones from the “Onboarding” page. You can download the onboarding script from that page.
Once you download the script (CMD) and run it, it will display the following.
The progress is shown as follows. Note that the device will be onboarded to Defender for Endpoint.
You can see policy and device details under onboarded devices.
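After the downloaded script has run, the device itself can confirm that onboarding completed. The following check is an added example, not code from the post or from Microsoft; it assumes an elevated local PowerShell session and reads the Defender for Endpoint status registry key (OnboardingState 1 means onboarded) together with the Sense service state.

```powershell
# Added example: verify local Defender for Endpoint onboarding state after the onboarding script ran.
# Assumes an elevated PowerShell session on the device that was just onboarded.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$status    = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue

# OnboardingState = 1 means onboarded; a missing key means the onboarding script never ran here
$onboardingState = if ($status) { $status.OnboardingState } else { 'not present' }
$onboarded       = ($null -ne $status) -and ($status.OnboardingState -eq 1)

# The Sense service sends the device's telemetry to the service; it should be running once onboarded
$sense        = Get-Service -Name Sense -ErrorAction SilentlyContinue
$senseStatus  = if ($sense) { $sense.Status } else { 'not installed' }

# OrgId identifies the tenant the device reports to (useful when checking the right tenant was used)
$orgId = if ($status) { $status.OrgId } else { $null }

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    OnboardingState = $onboardingState
    Onboarded       = $onboarded
    SenseService    = $senseStatus
    OrgId           = $orgId
}

if (-not $onboarded) {
    Write-Warning "Device is not onboarded; re-run the onboarding script in an elevated prompt and check the Sense service."
}
```

A device that shows Onboarded = True but no policy or device details in the portal usually has not synced yet; give it the time mentioned later in the post before treating it as a failure.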
Configure Endpoint DLP settings
There are several settings you can modify for Endpoint DLP.
The first allows the Microsoft 365 data classification service to scan items and classify them.
The second lets you exclude file paths on Windows and macOS.
The third lets you block Bluetooth apps on the endpoint, restrict apps and app groups, and auto-quarantine files to a specific location.
The fourth lets you block specific browsers and domains.
The fifth lets you specify policy tips for Block with override, enable Always audit files on devices, and specify restricted printers.
The sixth lets you apply restrictions for specific USB devices, network shares, and VPN connections.
Recommend a deployment method for device onboarding
Endpoint Data Loss Prevention (Endpoint DLP) and Insider Risk Management require onboarding Windows 10 and Windows 11 devices to send monitoring data to the services.
Endpoint DLP lets you monitor Windows 10 and Windows 11 devices, detecting the use and sharing of sensitive items. This provides the needed visibility and control to ensure proper use and protection, preventing compromising behaviors.
Insider Risk Management utilizes service and 3rd-party indicators to swiftly identify, triage, and respond to risky user activity. Using Microsoft 365 logs and Microsoft Graph, you can define policies to identify risk indicators and take action to mitigate these risks.
Windows Onboarding
Topic | Description |
---|---|
Intune | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on device. |
Configuration Manager | You can use either Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on devices. |
Group Policy | Use Group Policy to deploy the configuration package on devices. |
Local script | Learn how to use the local script to deploy the configuration package on endpoints. |
Virtual desktop infrastructure (VDI) devices | Learn how to use the configuration package to configure VDI devices. |
MacOS Onboarding
Article | Description |
---|---|
Intune | For macOS devices that are managed through Intune |
Intune for Microsoft Defender for Endpoint customers | For macOS devices that are managed through Intune and that have Microsoft Defender for Endpoint (MDE) deployed to them |
JAMF Pro | For macOS devices that are managed through JAMF Pro |
JAMF Pro for Microsoft Defender for Endpoint customers | For macOS devices that are managed through JAMF Pro and that have Microsoft Defender for Endpoint (MDE) deployed to them |
Identify endpoint requirements for device onboarding
Requirement | Supported versions / details |
---|---|
Windows (X64) | Windows 10 21H2 or Windows 10 22H2 update |
Windows (ARM64) | Windows 11 21H2 or Windows 11 22H2 |
Windows Server | Windows Server 2019 (OS 1809 onwards); Windows Server 2022 (OS 21H2 onwards) |
Antimalware Client Version | 4.18.2110 or newer |
Windows Security Settings | Real-time protection and Behavior monitor must be enabled |
Device Requirements | Microsoft Entra, Microsoft Entra hybrid joined or Microsoft Entra registered |
Microsoft 365 Apps Version | 16.0.14701.0 or later |
Office 365 Requirement | KB 4577063 is required if running Office 365 |
Microsoft 365 Apps Monthly Enterprise Channel | Update to version 2009 or later if using versions 2004-2008 |
No other Windows Security components need to be active, but Real-time protection and Behavior monitoring must be enabled.
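The requirements in the table above can be checked on a candidate device before onboarding. This readiness check is an added example, not code from the post or from Microsoft; it assumes an elevated local PowerShell session with the Defender module available, and it takes the minimum versions from the table.

```powershell
# Added example: Endpoint DLP prerequisite check for a Windows device, using the thresholds
# from the requirements table. Assumes an elevated local PowerShell session.
$minAmClient = [version]'4.18.2110'     # Antimalware Client Version row
$minM365Apps = [version]'16.0.14701.0'  # Microsoft 365 Apps Version row
$results = [ordered]@{}

# OS build: DisplayVersion reads e.g. "21H2" or "22H2", CurrentBuild is the numeric build
$nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$results['OS'] = "$($nt.ProductName) $($nt.DisplayVersion) (build $($nt.CurrentBuild))"

# Antimalware client version plus the two Windows Security settings the table requires
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $results['AMClientVersion']      = $mp.AMProductVersion
    $results['AMClientVersionOk']    = [version]$mp.AMProductVersion -ge $minAmClient
    $results['RealTimeProtectionOn'] = $mp.RealTimeProtectionEnabled
    $results['BehaviorMonitorOn']    = $mp.BehaviorMonitorEnabled
} catch {
    # Typically a third-party antivirus has Defender in passive/disabled mode
    $results['AMClientVersionOk'] = "Defender status unavailable: $($_.Exception.Message)"
}

# Identity: Entra joined, Entra hybrid joined, or Entra registered all satisfy the requirement
$dsreg        = dsregcmd /status
$entraJoined  = [bool]($dsreg | Select-String 'AzureAdJoined\s*:\s*YES')
$domainJoined = [bool]($dsreg | Select-String 'DomainJoined\s*:\s*YES')
$registered   = [bool]($dsreg | Select-String 'WorkplaceJoined\s*:\s*YES')
$results['EntraJoined']       = $entraJoined -and -not $domainJoined
$results['EntraHybridJoined'] = $entraJoined -and $domainJoined
$results['EntraRegistered']   = $registered
$results['IdentityOk']        = $entraJoined -or $registered

# Microsoft 365 Apps (Click-to-Run) version; the key is absent when Office is not installed
$c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
if ($c2r -and $c2r.VersionToReport) {
    $results['M365AppsVersion']   = $c2r.VersionToReport
    $results['M365AppsVersionOk'] = [version]$c2r.VersionToReport -ge $minM365Apps
} else {
    $results['M365AppsVersionOk'] = 'Office not detected'
}

[pscustomobject]$results | Format-List
```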
Monitor endpoint activities
Endpoint DLP enables you to audit and manage the following types of activities users take on sensitive items that are physically stored on Windows 10, Windows 11, or macOS devices.
Activity | Description | Windows 10 (X64), Windows 11 (X64), Windows Server, macOS | Windows 11 (ARM64) |
---|---|---|---|
Upload to Cloud Service or Access by Unallowed Browsers | Detects upload to restricted service domains or access via unallowed browsers. Upload blocked and redirected to Microsoft Edge for decision. | Supported | Supported |
Paste to Supported Browsers | Detects paste to restricted service domains. | Supported | Supported |
Copy to USB Removable Media | Detects copying/moving protected files to USB removable media. | Supported | Supported |
Copy to a Network Share | Detects copying/moving protected files to network shares. | Supported | Supported |
Print a Document | Detects printing of protected files from an endpoint device. | Supported | Supported |
Copy to a Remote Session | Detects copying to remote desktop sessions. | Supported | Supported |
Copy to a Bluetooth Device | Detects copying to unallowed Bluetooth apps. | Supported | Supported |
Create an Item | Detects the creation of an item. | Supported | Supported |
Rename an Item | Detects the renaming of an item. | Supported | Supported |
Copy to Clipboard | Detects copying to the clipboard. Blocking available when source content is sensitive except within the same Microsoft 365 Office app. | Supported | Supported |
Access by Unallowed Apps | Detects unallowed app access to protected files on an endpoint device. | Supported | Supported |
In Microsoft Purview, DLP policy assessment for sensitive items happens centrally, ensuring policies and updates are immediately available across devices without delays. Typically, after updating a policy in the compliance center, it takes about an hour for the changes to synchronize throughout the service. Once synchronized, targeted devices automatically re-evaluate items when accessed or modified. Note that for Authorized Groups changes, the policy may take up to 24 hours to sync.
See here for Monitored files
Implement the Microsoft Purview Extension
Users who have the Microsoft Purview extension installed on their devices won’t be blocked when using Chrome or Firefox, even if they are listed as unallowed browsers.
Capability | What problems does it solve? | Get started |
---|---|---|
Microsoft Purview extension for Chrome | Extends DLP capabilities to the Chrome browser | Get started with the Microsoft Purview extension for Chrome |
Microsoft Purview extension for Firefox | Extends DLP capabilities to the Firefox browser | Get started with the Microsoft Purview extension for Firefox |
You might be wondering why Edge isn’t here. Well, there is an easy explanation.
Endpoint DLP does not require the extension for Microsoft Edge. “The Microsoft Purview Extension can extend existing Endpoint DLP capabilities to non-native applications.” It’s worth noting that Edge is a native application.
Closure
Like before, let’s see what we learned.
Permissions needed for Endpoint DLP:
To enable device management, your account should be in one of these roles:
- Global admin
- Security admin
- Compliance admin
For custom accounts to access device management settings, they should be in one of these roles:
- Global admin
- Compliance admin
- Compliance data admin
- Global reader
For onboarding/offboarding access, use one of these roles:
- Global admin
- Compliance admin
To control device monitoring, your custom account should have one of these roles:
- Global admin
- Compliance admin
The onboarding PowerShell script has been optimized for 10 devices, and the device is onboarded to Defender for Endpoint during the process.
Endpoint settings that you can define.
Endpoint Data Loss Prevention (Endpoint DLP) and Insider Risk Management require onboarding Windows 10 and Windows 11 devices to send monitoring data to the services.
Endpoint DLP lets you monitor Windows 10 and Windows 11 devices, detecting the use and sharing of sensitive items. This provides the needed visibility and control to ensure proper use and protection, preventing compromising behaviors.
Intune is the preferred option to onboard Windows devices, but there are other ways, such as GPO, SCCM, and a configuration package for VDI.
For macOS, Intune is again preferred, but onboarding can also be done through Defender for Endpoint or JAMF.
In Microsoft Purview, DLP policy assessment for sensitive items happens centrally, ensuring policies and updates are immediately available across devices without delays. Typically, after updating a policy in the compliance center, it takes about an hour for the changes to synchronize throughout the service. Once synchronized, targeted devices automatically re-evaluate items when accessed or modified. Note that for Authorized Groups changes, the policy may take up to 24 hours to sync.
Users who have the Microsoft Purview extension installed on their devices won’t be blocked when using Chrome or Firefox, even if they are listed as unallowed browsers.
Endpoint DLP does not require the extension for Microsoft Edge. “The Microsoft Purview Extension can extend existing Endpoint DLP capabilities to non-native applications.” It’s worth noting that Edge is a native application.