Forum Discussion
Use Endpoint DLP to block uploads
Hi PenTestPatrick,
here are steps to configure Endpoint DLP to block all file uploads to specific domains, not just those with a sensitivity label:
1. Service Domains:
- Ensure you've added the domains to the Service Domain section and set them to Block. Adding them to a Service Domain Group is optional.
2. DLP Policy:
- Create a DLP policy scoped to Devices. In the rule conditions, set it to block any file over 1 byte in size.
3. File Types/Extensions:
- Although DLP typically focuses on sensitive information, you can set the policy to block uploads based on file types and/or extensions. This allows you to block all files, not just those with a sensitivity label.
4. Apply Policy:
- Activate the policy and confirm it's applied to the relevant endpoints.
If the policy isn't blocking all file uploads, check the specific applications or browsers used for upload.
Endpoint DLP enables restrictions on user activities per application, including browser and domain restrictions.
Configure endpoint DLP settings | Microsoft Learn
Blocking file uploads to all sites, unless safelisted - Microsoft Community Hub
Re: Can I block upload of data based on DLP Policy and/or Sensitivity Label? - Microsoft Community Hub
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
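The policy and rule from the steps above, expressed in Security & Compliance PowerShell as an added example (not code from the post or from Microsoft). It assumes the ExchangeOnlineManagement module, a role that can manage Purview DLP, and that the service domains have already been added and set to Block in the Purview portal as step 1 describes; the policy name and policy-tip text are constructed placeholders.

```powershell
# Added example: PowerShell equivalent of steps 2-4 above (assumes the
# ExchangeOnlineManagement module; service domains are still set in the portal).
Connect-IPPSSession

$policyName = "Block-All-Uploads-To-Restricted-Domains"   # constructed name

# Step 2: policy scoped to Devices only. Start in test mode so matches can be
# reviewed in Activity explorer before anything is enforced.
New-DlpCompliancePolicy -Name $policyName `
    -EndpointDlpLocation "All" `
    -Mode TestWithNotifications `
    -Comment "Block upload of any file to service domains set to Block"

# Rule condition is file size, not a label or sensitive info type, so unlabelled
# files match too. An unqualified DocumentSizeOver value is in bytes ("over 1 byte").
# CloudEgress = Block is the "upload to restricted cloud service domain" action;
# which domains it applies to comes from the Service domains list (step 1).
# To restrict further by extension (step 3), add e.g.
#   -ContentExtensionMatchesWords "docx","xlsx","pdf"
New-DlpComplianceRule -Name "$policyName-Rule" -Policy $policyName `
    -DocumentSizeOver 1 `
    -EndpointDlpRestrictions @(@{ Setting = "CloudEgress"; Value = "Block" }) `
    -NotifyUser "Owner" `
    -NotifyPolicyTipCustomText "Uploading files to this site is blocked by policy."

# Check that the stored condition and action are what you intended. If unlabelled
# files still upload, this is the first thing to compare against the portal view.
Get-DlpComplianceRule -Identity "$policyName-Rule" |
    Select-Object Name, Disabled, DocumentSizeOver, EndpointDlpRestrictions

# Step 4: switch to enforcement once test-mode events show unlabelled files matching.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Devices can take some time to pick up the policy after it is created or changed, so allow for sync before concluding the rule does not match.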
- PenTestPatrick, Dec 18, 2023, Copper Contributor
Hi Leon,
I appreciate you taking the time to respond. I have followed those steps you have outlined and I am still able to upload files that are not labelled as sensitive. I've attached some screenshots of the policy.
Rule configuration:
Restricted actions:
Service domains:
We are using MS Edge to test and labelled files are blocked from upload with the appropriate DLP message but I can still attach files that are not labelled even if they are one of the extensions listed. Do you have any ideas on this?
Thanks
- LeonPavesic, Dec 19, 2023, Silver Contributor
Hi PenTestPatrick,
thanks for your update. Here are some recommended steps to address potential issues:
1. Confirm the Health of Your Endpoint DLP Setup:
- For Windows devices, make sure you're using the correct Windows version, have Real-Time Protection (RTP) and Behavior Monitoring (BM) enabled, and are using the Microsoft Edge browser.
2. Verify Policy Synchronization:
- Check that the device's configuration status is "Updated" in the Device Onboarding page.
- Utilize the MDE Client Analyzer tool on Windows machines for troubleshooting. Execute the command "MDEClientAnalyzer.cmd -t" in an elevated command line, reproduce the issue, stop trace collection, and share the generated ZIP file with the support team for further assistance.
3. Confirm Policy Application to Files:
- Download the MDE Client Analyzer tool.
- Run the command "MDEClientAnalyzer.cmd -t" in an elevated command line, reproduce the issue, stop trace collection, and share the ZIP file with the support team for further analysis.
4. Addressing Policy Discrepancies:
- Validate the installed Office version for compliance.
- Check if the file location may not be covered by Endpoint DLP, such as being on removable media or a network share.
- Understand that policies follow the most restrictive enforcement; when a file matches multiple DLP policies, the most stringent rule takes precedence.
Common questions on Microsoft Purview Data Loss Prevention for endpoints - Microsoft Community Hub
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item. If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
- Luke_Michael_Fisher, Jan 17, 2024, Brass Contributor
PenTestPatrick -- did you ever get a resolution on this? We are experiencing something very similar.