Feb 26 2022 02:40 AM - edited Feb 26 2022 02:41 AM
Hi,
i created new test tenant to try Endpoint device DLP, i inboard devices and i created DLP policy for devices , with block action but i its not working .
can you help
thanks
Feb 28 2022 01:36 AM
Just to give more information ,
i am able to see all activities in the activity explorer in the compliance center. for example i can see upload to the cloud activity which i block in the policy but nothing happened
Jun 06 2022 03:02 PM
Hey man, I am having the exact same problem. The events get audited but still no actions taken on the Endpoint aka Windows 10 devices. Did you ever find a solution to this?
Jul 20 2022 10:43 PM
Aug 15 2022 12:14 AM
Oct 18 2022 08:16 AM
Hi, I know its been a long time since this thread was active but I am experiencing the same from my endpoint DLP rules, so i thought I ask a question here.
Did you manage to solve the problem back then?
In my scenario the protected files gets audited (I can see that in the Activity Explorer) but they are not blocked as they should.
The device is already onboarded via script.
Any ideas what might be wrong?
Oct 19 2022 07:27 AM - edited Oct 19 2022 07:48 AM
@Jordi_Nogues , @AdminAt845 @DP-IT , @yodaPREDATOR , same issue, the device is a Windows 11 Pro, managed by intunes, joined as Azure AD ; I can see that the activities are audited in the Purview Compliance DLP Activity Explorer but they are not blocked on my device as they should by the Endpoint DLP policy I deployed.
NB : I don't see any policy / rule names in the last columns of Activity Explorer?! (check
my Purview Endpoint DLP Activity Explorer
Does anyone find the root cause of that issue?
Oct 19 2022 01:10 PM
Maybe the files are not actually scanned by a policy?
I believe those files that appear in the Activity Explorer are audited because the “Always audit file activity for devices” option is On, in the Data loss prevention -> Endpoint DLP settings, in the Compliance portal.
I cant see what is wrong because if they can be audited then they should been scanned and blocked by the dlp polices.
My device is Windows 10 Pro and is onboarded be script through the Compliance portal.
Anyone, any ideas are appreciated.
Oct 20 2022 01:58 AM
Oct 20 2022 02:10 AM
@GuillaumeB i'll tell you what you need to look at. For endpoint dlp to work window defender service needs to be running. If you run just this command MDEClientAnalyzer.cmd (without -t) it will produce the result in web page. There on web page make sure it says defender service is running.
Note: you can run defender with any other AV solution your org uses. If defender detects other AV , it will run in passive mode.
Microsoft Defender Antivirus compatibility with other security products | Microsoft Learn
Oct 20 2022 08:39 AM
Hi @Anshulbeniwal , that's very nice of you. Here is in attachment the logs files I got. Let me know from your expert viewpoint if something is wrong. On my side I already updated Defender AV Security Intelligence Version
Oct 20 2022 11:20 AM - edited Oct 20 2022 11:23 AM
@Anshulbeniwal , don’t bother with any analysis of my logs : Microsoft support just replied to me with the following root cause analysis
“finding based on collected logs: The file in question (NewCustomers.xlsx) is not enforced with expected End DLP policy. Instead, it is applied with default policy which is not expected. We are analyzing further to understand why”
Nov 02 2022 04:22 PM
Dec 18 2022 10:42 PM
Jan 23 2023 11:17 AM
Configure endpoint DLP settings - Microsoft Purview (compliance) | Microsoft Learn
Printer Groups, USB Groups and Network Groups were recently added to Endpoint DLP in Purview Compliance Center.
Jan 23 2023 11:51 AM
Feb 02 2023 07:48 AM
Feb 15 2023 07:01 PM
@GuillaumeB did you ever resolve this issue? I am having the same issue. MS Support is telling me that the extended attributes are not being applied to the files.
Feb 15 2023 07:09 PM
@SecD3 Try running endpoint on-boarding script again on the endpoint. I have noticed that after a month or so endpoint stopped working on some users. Running the script again seems to have solved the problem.
Feb 15 2023 07:41 PM