Forum Discussion
Endpoint DLP not working as expected
Jordi_Nogues, AdminAt845 DP-IT, yodaPREDATOR, same issue: the device is Windows 11 Pro, managed by Intune, joined to Azure AD. I can see that the activities are audited in the Purview Compliance DLP Activity Explorer, but they are not blocked on my device as they should be by the Endpoint DLP policy I deployed.
NB: I don't see any policy / rule names in the last columns of Activity Explorer?! (check
https://cruet-my.sharepoint.com/personal/guillaume_synapse-me_com/_layouts/15/onedrive.aspx?id=%2Fpersonal%2Fguillaume%5Fsynapse%2Dme%5Fcom%2FDocuments%2FAttachments%2FDLP%20Activity%20Explorer%2Ejpg&parent=%2Fpersonal%2Fguillaume%5Fsynapse%2Dme%5Fcom%2FDocuments%2FAttachments&ga=1 )
Has anyone found the root cause of that issue?
Maybe the files are not actually scanned by a policy?
I believe those files that appear in the Activity Explorer are audited because the “Always audit file activity for devices” option is On, in the Data loss prevention -> Endpoint DLP settings, in the Compliance portal.
I can't see what is wrong, because if they can be audited then they should have been scanned and blocked by the DLP policies.
My device is Windows 10 Pro and is onboarded by script through the Compliance portal.
Anyone, any ideas are appreciated.
- GuillaumeB, Oct 20, 2022, Brass Contributor
Hi, thanks for your reply; actually Microsoft Support gave me this procedure to execute from my device to troubleshoot. I'm waiting for them to come back to me with their analysis; the log generated is giving a lot of valuable information.
1. Download latest stable version from: https://aka.ms/Betamdeanalyzer
2. Extract contents to "C:\MDATP\MDEClientAnalyzerPreview"
3. From an elevated CMD prompt, run: "C:\MDATP\MDEClientAnalyzerPreview\MDEClientAnalyzer.cmd -t"
4. Specify the maximum number of minutes to collect traces: 6-10 min
5. Reproduce the issue.
6. When completed, send us "C:\MDATP\MDEClientAnalyzerPreview\MDEClientAnalyzerResult.zip"
- Bhavin_Pawar, Dec 18, 2022, Copper Contributor
Hello GuillaumeB,
I am also on the same page.
My requirement is: I would like to block a Confidential sensitivity label document if someone is trying to print it.
I have set the workload to Endpoint.
As per Microsoft, the endpoint workload covers the below actions when you create an endpoint DLP policy.
1. Upload to a restricted cloud service domain or access from an unallowed browser - For me, it is working.
2. Copy to clipboard - Not required
3. Copy to removable USB device - Not working
4. Copy to Network Share - Not required
5. Print - Not working
6. Copy or move using unallowed Bluetooth app - Not required
7. Copy or move using RDP - Not required
One bigger surprise is that at browser level it's working as per requirements (meaning a Confidential sensitivity label document is blocked if I upload it to untrusted domains).
But Print is not blocked.
My question is: if it's working at browser level, then why is it not blocking Print? Since it is working for the browser, my Endpoint policy has already reached the respective endpoint machine. It should also work for the print task (monitor/block).
A surprise for me: on a few machines it is working and on a few machines it's not working.
I have also shared logs with the Microsoft team, but to date I have not heard of any solution. If someone knows this issue and the solution, please do the needful.
Note: Expected Defender URL already allowed from proxy.
- tmoen2000, Jan 23, 2023, Microsoft
Configure endpoint DLP settings - Microsoft Purview (compliance) | Microsoft Learn
Printer Groups, USB Groups and Network Groups were recently added to Endpoint DLP in Purview Compliance Center.
- Anshulbeniwal, Oct 20, 2022, Copper Contributor
GuillaumeB, I'll tell you what you need to look at. For Endpoint DLP to work, the Windows Defender service needs to be running. If you run just this command, MDEClientAnalyzer.cmd (without -t), it will produce the result in a web page. There on the web page, make sure it says the Defender service is running.
Note: you can run Defender with any other AV solution your org uses. If Defender detects another AV, it will run in passive mode.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#microsoft-defender-antivirus-and-non-microsoft-antivirusantimalware-solutions
- GuillaumeB, Oct 20, 2022, Brass Contributor
Hi Anshulbeniwal, that's very nice of you. Here in attachment are the log files I got. Let me know from your expert viewpoint if something is wrong. On my side I already updated Defender AV Security Intelligence Version
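
The points raised in the last two replies (Defender service running, passive mode when another AV is present, Security Intelligence version) can also be read locally with built-in Windows cmdlets. This is an added example, not part of any post in the thread and not Microsoft's procedure; the function name `Get-DefenderStateForDlp` is hypothetical, and it assumes the Defender PowerShell module is present on the device.

```powershell
# Added example: read-only check of the Defender state discussed in this thread.
# Run in an elevated PowerShell session on the affected Windows device.
function Get-DefenderStateForDlp {   # hypothetical helper name
    $findings = [System.Collections.Generic.List[string]]::new()

    # WinDefend = Microsoft Defender Antivirus service,
    # Sense     = Microsoft Defender for Endpoint sensor service.
    $services = foreach ($name in 'WinDefend', 'Sense') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            $findings.Add("Service '$name' not found on this device")
            [pscustomobject]@{ Name = $name; Status = 'Missing' }
            continue
        }
        if ($svc.Status -ne 'Running') {
            $findings.Add("Service '$name' is $($svc.Status), expected Running")
        }
        [pscustomobject]@{ Name = $name; Status = [string]$svc.Status }
    }

    # Get-MpComputerStatus fails when the Defender service does not answer.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp) {
        $findings.Add('Get-MpComputerStatus returned no data')
    }
    elseif (-not $mp.AMServiceEnabled) {
        $findings.Add('Antimalware service is reported as disabled')
    }

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        Services             = $services
        # 'Normal' = active AV; 'Passive' = another AV product is registered.
        RunningMode          = $mp.AMRunningMode
        ProductVersion       = $mp.AMProductVersion
        SignatureVersion     = $mp.AntivirusSignatureVersion
        SignatureLastUpdated = $mp.AntivirusSignatureLastUpdated
        Findings             = $findings
    }
}

# Print the summary; an empty Findings list means both services are running.
Get-DefenderStateForDlp | Format-List
```

Running it on one machine where blocking works and one where it does not gives two summaries that can be compared field by field.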