Forum Discussion
Microsoft Defender for Endpoint policy not working for office documents
I created endpoint DLP policy to block copying data to USB devices , the condition i used is file types and i include all office documents and pdf. the policy is working on pdf but not applied to office documents.
- miller34mike
Microsoft
- miller34mike
If you go to activity explorer, do you see the office files showing up as DLP Rule Match or as the "File copied to removeable media" action?
miller34mike Hi
No it is not showing DLP Rule Match , its showing File copied to removeable media.
i attach both events the PDF and DOCX
thanks
ALI_hamed17 I just had a case with MS regarding the same issue. They advised that in order for the policy to trigger, the document must be classified by their classification engine. This engine is triggered by different actions taken on the document (open, close, save, download....) so if you have a file, at rest, on your device this won't be seen by the classification engine. You will be able to copy it on the removable media and if you delete it and try to paste it again, the action will trigger the DLP policy and block the copy operation.
I hope this helps!
