Forum Discussion
Endpoint DLP not working as expected
I'm having the same problem: "events get audited but still no (block) actions taken on the Endpoints". Did you find the solution?
I've been succesful in a number of previous deployments, and the only differences I can identify here are:
a- the endpoint is managed from SCCM (no Intune);
b- device join type is "hybrid azure AD join";
c- the UPN I use to authenticate to Azure AD doesn't match my email address.
Jordi_Nogues , AdminAt845 DP-IT , yodaPREDATOR , same issue, the device is a Windows 11 Pro, managed by intunes, joined as Azure AD ; I can see that the activities are audited in the Purview Compliance DLP Activity Explorer but they are not blocked on my device as they should by the Endpoint DLP policy I deployed.
NB : I don't see any policy / rule names in the last columns of Activity Explorer?! (check
https://cruet-my.sharepoint.com/personal/guillaume_synapse-me_com/_layouts/15/onedrive.aspx?id=%2Fpersonal%2Fguillaume%5Fsynapse%2Dme%5Fcom%2FDocuments%2FAttachments%2FDLP%20Activity%20Explorer%2Ejpg&parent=%2Fpersonal%2Fguillaume%5Fsynapse%2Dme%5Fcom%2FDocuments%2FAttachments&ga=1
Does anyone find the root cause of that issue?
Maybe the files are not actually scanned by a policy?
I believe those files that appear in the Activity Explorer are audited because the “Always audit file activity for devices” option is On, in the Data loss prevention -> Endpoint DLP settings, in the Compliance portal.
I cant see what is wrong because if they can be audited then they should been scanned and blocked by the dlp polices.
My device is Windows 10 Pro and is onboarded be script through the Compliance portal.
Anyone, any ideas are appreciated.
- Hi, thanks for your reply ; actually Microsoft Support gave me this procedure to execute from my device to troubleshoot. I'm waiting for them to come back to me with their analysis ; the log generated is giving a lot of valuable information.
1. Download latest stable version from: https://aka.ms/Betamdeanalyzer
2. Extract contents to "C:\MDATP\MDEClientAnalyzerPreview"
3. From an elevated CMD prompt, run: "C:\MDATP\MDEClientAnalyzerPreview\MDEClientAnalyzer.cmd -t"
4. Specify the maximum number of minutes to collect traces: 6-10 min
5. Reproduce the issue.
6. When completed, send us "C:\MDATP\MDEClientAnalyzerPreview\MDEClientAnalyzerResult.zip- Hello GuillaumeB,
I am also on same page,
My requirements are, I would like to block Confidential Sensitivity label Document if someone is trying to print.
I have set the workload to Endpoint.
As per Microsoft, endpoint workload covers the below action when you create an endpoint DLP policy.
1. Upload to a restricted cloud service domain or access from an unallowed browser. - For me, it is working.
2. Copy to clipboard - Not require
3. Copy to removalbe USB device - Not working
4. Copy to Network Share - - Not require
5. Print - Not working
6. Copy or move using unallowed bluetooth app - Not require
7. Copy or move using RDP - Not require
One Bigger Surprise is here for browser level its working as per requirements (means Confidential Sensitivity label document is blocking if i upload on untrusted domains)
But for Print is not blocking.
My curiosity is over there if its working for Browser level then why it is not blocking for Print.? since it is working for Browser means my Endpoint policy is already reach on respected endpoint machine. it should also work from print task (monitor/block)
Surprised for me: for few machines it is working and for few machines it’s not working.
i have also shared logs with Microsoft team but till date i not heard any solution. if someone knowing this issue and solution. please do the needful.
Note: Expected Defender URL already allowed from proxy.
