Section 6 – Implement DLP – Implement and monitor Endpoint DLP

Configure advanced DLP rules for devices in DLP policies

Supported virtualization

You can include virtual machines as monitored devices in the Microsoft Purview compliance portal, and the onboarding procedures remain the same as those listed above.

Onboarding

Endpoint Data Loss Prevention (Endpoint DLP) and Insider Risk Management necessitate the onboarding of Windows 10 and Windows 11 devices into the service. This enables these devices to transmit monitoring data to the services.

Endpoint DLP provides the capability to oversee Windows 10 and Windows 11 devices, identifying the usage and sharing of sensitive items. This grants the necessary visibility and control to ensure proper use and protection, as well as the prevention of potentially harmful actions that could jeopardize these devices.

Permissions

To enable device management, your account should be in one of these roles:

  • Global admin
  • Security admin
  • Compliance admin

For custom accounts to access device management settings, they should be in one of these roles:

  • Global admin
  • Compliance admin
  • Compliance data admin
  • Global reader

For onboarding/offboarding access, use one of these roles:

  • Global admin
  • Compliance admin

To control device monitoring, your custom account should have one of these roles:

  • Global admin
  • Compliance admin

PowerShell script

I will use the PowerShell script in my demo case; the script is optimized for use on up to 10 devices.

If you want to onboard Defender for Endpoint devices, you first have to turn on Device onboarding at https://compliance.microsoft.com/compliancesettings/deviceonboarding. This is a requirement for onboarding any device, even with the script.

Regardless of whether you already have onboarded devices, you can onboard new ones from the “Onboarding” page. You can download the onboarding script from the same page.

Once you download the script (CMD) and run it, it displays the following.

The progress is shown as follows. Note that the device is onboarded to Defender for Endpoint during this process.

You can then see policy and device details under onboarded devices.

Configure Endpoint DLP settings

There are several settings you can modify for Endpoint DLP.

The first allows the Microsoft 365 data classification service to scan items and classify them.

The second lets you exclude file paths on Windows and macOS.

The third lets you block unallowed Bluetooth apps on the endpoint, restrict apps and app groups, and set auto-quarantine to move files to a specific location.

The fourth lets you block specific browsers and service domains.

The fifth lets you specify policy tips for Block with override, enable Always audit files on devices, and specify restricted printers.

The sixth lets you apply restrictions for specific USB devices, network shares and VPN connections.

Recommend a deployment method for device onboarding

Endpoint Data Loss Prevention (Endpoint DLP) and Insider Risk Management require onboarding Windows 10 and Windows 11 devices to send monitoring data to the services.

Endpoint DLP lets you monitor Windows 10 and Windows 11 devices, detecting the use and sharing of sensitive items. This provides the needed visibility and control to ensure proper use and protection, preventing compromising behaviors.

Insider Risk Management utilizes service and 3rd-party indicators to swiftly identify, triage, and respond to risky user activity. Using Microsoft 365 logs and Microsoft Graph, you can define policies to identify risk indicators and take action to mitigate these risks.

Windows Onboarding

Topic | Description
Intune | Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on devices.
Configuration Manager | You can use either Microsoft Endpoint Configuration Manager (current branch) version 1606, or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier, to deploy the configuration package on devices.
Group Policy | Use Group Policy to deploy the configuration package on devices.
Local script | Learn how to use the local script to deploy the configuration package on endpoints.
Virtual desktop infrastructure (VDI) devices | Learn how to use the configuration package to configure VDI devices.

MacOS Onboarding

Article | Description
Intune | For macOS devices that are managed through Intune
Intune for Microsoft Defender for Endpoint customers | For macOS devices that are managed through Intune and that have Microsoft Defender for Endpoint (MDE) deployed to them
JAMF Pro | For macOS devices that are managed through JAMF Pro
JAMF Pro for Microsoft Defender for Endpoint customers | For macOS devices that are managed through JAMF Pro and that have Microsoft Defender for Endpoint (MDE) deployed to them

Identify endpoint requirements for device onboarding

Operating System | Supported Builds
Windows (X64) | Windows 10 21H2 or Windows 10 22H2 update
Windows (ARM64) | Windows 11 21H2 or Windows 11 22H2
Windows Server | Windows Server 2019 OS: 1809 onwards; Windows Server 2022 OS: 21H2 onwards
Antimalware Client Version | 4.18.2110 or newer
Windows Security Settings | Real-time protection and Behavior monitor must be enabled
Device Requirements | Microsoft Entra joined, Microsoft Entra hybrid joined or Microsoft Entra registered
Microsoft 365 Apps Version | 16.0.14701.0 or later
Office 365 Requirement | KB 4577063 is required if running Office 365
Microsoft 365 Apps Monthly Enterprise Channel | Update to version 2009 or later if using versions 2004-2008

None of the other Windows Security components need to be active, but Real-time protection and Behavior monitoring must be enabled.
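To check a device against the requirements table before running the onboarding script, here is an added PowerShell pre-flight check (my addition, not part of the original post or of Microsoft's onboarding package). It reads the Defender state with Get-MpComputerStatus, the Entra join state from dsregcmd /status, and the Microsoft 365 Apps build and the Defender for Endpoint onboarding state from registry keys that are assumed to be present on a standard Click-to-Run / MDE install; the minimum versions and builds come from the table above.

```powershell
# Added pre-flight check for the Endpoint DLP device requirements (not part of the original post).
# Run in an elevated PowerShell session on the Windows device you intend to onboard.

$minAmVersion     = [version]'4.18.2110.0'   # Antimalware Client Version row of the table
$minOfficeVersion = [version]'16.0.14701.0'  # Microsoft 365 Apps Version row of the table
$results = [ordered]@{}

# 1. OS build: Win10 21H2/22H2 (19044/19045), Win11 21H2/22H2 (22000/22621),
#    Server 2019 1809 (17763), Server 2022 21H2 (20348)
$os = Get-CimInstance Win32_OperatingSystem
$results['OS build supported'] = [int]$os.BuildNumber -in 19044, 19045, 22000, 22621, 17763, 20348

# 2. Defender antimalware client version, Real-time protection and Behavior monitoring
$mp = Get-MpComputerStatus
$results['AM client >= 4.18.2110'] = [version]$mp.AMProductVersion -ge $minAmVersion
$results['Real-time protection on'] = [bool]$mp.RealTimeProtectionEnabled
$results['Behavior monitoring on']  = [bool]$mp.BehaviorMonitorEnabled

# 3. Identity: Entra joined, hybrid joined (AzureAdJoined + DomainJoined) or Entra registered
$dsreg = dsregcmd /status
$azureAdJoined   = [bool]($dsreg -match 'AzureAdJoined\s*:\s*YES')
$workplaceJoined = [bool]($dsreg -match 'WorkplaceJoined\s*:\s*YES')
$results['Entra joined/registered'] = $azureAdJoined -or $workplaceJoined

# 4. Microsoft 365 Apps build (assumed Click-to-Run registry key; missing key = not installed)
$c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
$results['M365 Apps >= 16.0.14701.0'] = ($null -ne $c2r) -and ([version]$c2r.VersionToReport -ge $minOfficeVersion)

# 5. Onboarding state (assumed MDE status key): 1 means the device already reports to Defender for Endpoint
$mde = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' -ErrorAction SilentlyContinue
$results['Already onboarded to MDE'] = ($mde.OnboardingState -eq 1)

# Print one line per check; anything marked CHECK must be fixed before onboarding
$results.GetEnumerator() | ForEach-Object {
    '{0,-28} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```

The last row is informational only: a device that already shows OK there does not need the onboarding script again.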

Monitor endpoint activities

Endpoint DLP enables you to audit and manage the following types of activities that users take on sensitive items physically stored on Windows 10, Windows 11, or macOS devices.

Activity | Description | Windows 10 (X64), Windows 11 (X64), Windows Server, macOS | Windows 11 (ARM64)
Upload to Cloud Service or Access by Unallowed Browsers | Detects upload to restricted service domains or access via unallowed browsers. Upload blocked and redirected to Microsoft Edge for decision. | Supported | Supported
Paste to Supported Browsers | Detects paste to restricted service domains. | Supported | Supported
Copy to USB Removable Media | Detects copying/moving protected files to USB removable media. | Supported | Supported
Copy to a Network Share | Detects copying/moving protected files to network shares. | Supported | Supported
Print a Document | Detects printing of protected files from an endpoint device. | Supported | Supported
Copy to a Remote Session | Detects copying to remote desktop sessions. | Supported | Supported
Copy to a Bluetooth Device | Detects copying to unallowed Bluetooth apps. | Supported | Supported
Create an Item | Detects the creation of an item. | Supported | Supported
Rename an Item | Detects the renaming of an item. | Supported | Supported
Copy to Clipboard | Detects copying to the clipboard. Blocking available when source content is sensitive, except within the same Microsoft 365 Office app. | Supported | Supported
Access by Unallowed Apps | Detects unallowed app access to protected files on an endpoint device. | Supported | Supported

In Microsoft Purview, DLP policy assessment for sensitive items happens centrally, ensuring policies and updates are immediately available across devices without delays. Typically, after updating a policy in the compliance center, it takes about an hour for the changes to synchronize throughout the service. Once synchronized, targeted devices automatically re-evaluate items when accessed or modified. Note that for Authorized Groups changes, the policy may take up to 24 hours to sync.

See here for Monitored files

Implement the Microsoft Purview Extension

Users who have the Microsoft Purview extension installed on their devices won’t be blocked when using Chrome or Firefox, even if they are listed as unallowed browsers.

Capability | What problems does it solve? | Get started
Microsoft Purview extension for Chrome | Extends DLP capabilities to the Chrome browser | Get started with the Microsoft Purview extension for Chrome
Learn about the Microsoft Purview extension for Firefox | Extends DLP capabilities to the Firefox browser | Get started with the Microsoft Purview extension for Firefox

You might be wondering why Edge isn’t listed here. There is an easy explanation.

Endpoint DLP does not require the extension to be applied to Microsoft Edge. “The Microsoft Purview Extension can extend existing Endpoint DLP capabilities to non-native applications.” Edge is a native application, so it is covered without the extension.

Closure

Like before, let’s see what we learned.

Permissions needed for Endpoint DLP:

To enable device management, your account should be in one of these roles:

  • Global admin
  • Security admin
  • Compliance admin

For custom accounts to access device management settings, they should be in one of these roles:

  • Global admin
  • Compliance admin
  • Compliance data admin
  • Global reader

For onboarding/offboarding access, use one of these roles:

  • Global admin
  • Compliance admin

To control device monitoring, your custom account should have one of these roles:

  • Global admin
  • Compliance admin

The onboarding PowerShell script is optimized for up to 10 devices, and the device is onboarded to Defender for Endpoint during the process.

Endpoint DLP settings that you can define.

Endpoint Data Loss Prevention (Endpoint DLP) and Insider Risk Management require onboarding Windows 10 and Windows 11 devices to send monitoring data to the services.

Endpoint DLP lets you monitor Windows 10 and Windows 11 devices, detecting the use and sharing of sensitive items. This provides the needed visibility and control to ensure proper use and protection, preventing compromising behaviors.

Intune is the preferred option to onboard Windows devices, but there are multiple ways, such as GPO, SCCM and the configuration package for VDI.

For macOS, again Intune is preferred, but it can also be done with Defender for Endpoint or with JAMF.

In Microsoft Purview, DLP policy assessment for sensitive items happens centrally, ensuring policies and updates are immediately available across devices without delays. Typically, after updating a policy in the compliance center, it takes about an hour for the changes to synchronize throughout the service. Once synchronized, targeted devices automatically re-evaluate items when accessed or modified. Note that for Authorized Groups changes, the policy may take up to 24 hours to sync.

Users who have the Microsoft Purview extension installed on their devices won’t be blocked when using Chrome or Firefox, even if they are listed as unallowed browsers.

Endpoint DLP does not require the extension to be applied to Microsoft Edge. “The Microsoft Purview Extension can extend existing Endpoint DLP capabilities to non-native applications.” Edge is a native application, so it is covered without the extension.


Author: Harri Jaakkonen
