Forum Discussion
Endpoint DLP not working as expected
Hey man, I am having the exact same problem. The events get audited but still no actions taken on the Endpoint aka Windows 10 devices. Did you ever find a solution to this?
I'm having the same problem: "events get audited but still no (block) actions taken on the Endpoints". Did you find the solution?
I've been successful in a number of previous deployments, and the only differences I can identify here are:
a- the endpoint is managed from SCCM (no Intune);
b- device join type is "hybrid azure AD join";
c- the UPN I use to authenticate to Azure AD doesn't match my email address.
- GuillaumeB, Oct 19, 2022, Brass Contributor
Jordi_Nogues, AdminAt845 DP-IT, yodaPREDATOR, same issue: the device is Windows 11 Pro, managed by Intune, joined as Azure AD. I can see that the activities are audited in the Purview Compliance DLP Activity Explorer, but they are not blocked on my device as they should be by the Endpoint DLP policy I deployed.
NB: I don't see any policy / rule names in the last columns of Activity Explorer?! (check
https://cruet-my.sharepoint.com/personal/guillaume_synapse-me_com/_layouts/15/onedrive.aspx?id=%2Fpersonal%2Fguillaume%5Fsynapse%2Dme%5Fcom%2FDocuments%2FAttachments%2FDLP%20Activity%20Explorer%2Ejpg&parent=%2Fpersonal%2Fguillaume%5Fsynapse%2Dme%5Fcom%2FDocuments%2FAttachments&ga=1 )
Did anyone find the root cause of that issue?
- yodaPREDATOR, Oct 19, 2022, Copper Contributor
Maybe the files are not actually scanned by a policy?
I believe those files that appear in the Activity Explorer are audited because the “Always audit file activity for devices” option is On, in the Data loss prevention -> Endpoint DLP settings, in the Compliance portal.
I can't see what is wrong, because if they can be audited then they should have been scanned and blocked by the DLP policies.
My device is Windows 10 Pro and is onboarded by script through the Compliance portal.
Anyone, any ideas are appreciated.
- GuillaumeB, Oct 20, 2022, Brass Contributor
Hi, thanks for your reply; actually Microsoft Support gave me this procedure to execute from my device to troubleshoot. I'm waiting for them to come back to me with their analysis; the log generated is giving a lot of valuable information.
1. Download latest stable version from: https://aka.ms/Betamdeanalyzer
2. Extract contents to "C:\MDATP\MDEClientAnalyzerPreview"
3. From an elevated CMD prompt, run: "C:\MDATP\MDEClientAnalyzerPreview\MDEClientAnalyzer.cmd -t"
4. Specify the maximum number of minutes to collect traces: 6-10 min
5. Reproduce the issue.
6. When completed, send us "C:\MDATP\MDEClientAnalyzerPreview\MDEClientAnalyzerResult.zip"