Forum Discussion

DP-IT's avatar
DP-IT
Copper Contributor
Feb 26, 2022

Endpoint DLP not working as expected

Hi, i created new test tenant to try Endpoint device DLP, i  inboard devices and i created DLP policy for devices , with block action but i its not working .   can you help  thanks  
microsoft 365
security compliance and identity
Anshulbeniwal's avatar
Anshulbeniwal
Copper Contributor
Oct 20, 2022

GuillaumeB i'll tell you what you need to look at. For endpoint dlp to work window defender service needs to be running. If you run just this command MDEClientAnalyzer.cmd (without -t) it will produce the result in web page. There on web page make sure it says defender service is running.

Note: you can run defender with any other AV solution your org uses. If defender detects other AV , it will run in passive mode.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility?view=o365-worldwide#microsoft-defender-antivirus-and-non-microsoft-antivirusantimalware-solutions

GuillaumeB's avatar
GuillaumeB
Brass Contributor
Oct 20, 2022

Hi Anshulbeniwal , that's very nice of you. Here is in attachment the logs files I got. Let me know from your expert viewpoint if something is wrong. On my side I already updated Defender AV Security Intelligence Version

  • Pablo R. Ortiz's avatar
    Pablo R. Ortiz
    Iron Contributor
    Aug 19, 2024

    GuillaumeB did you ever get this solved? I am getting the same reply from product group, but they also say it's a limitation of the product which is not publicly informed. I find this to be hard to understand and accept.

    So I buy the licenses for what Microsoft officially says the product does, configure everything following docs, all prereqs in place, but it doesn't work, then I open a support ticket, both support and PG end up saying there's no problem from our side, it's just a product limitation documented internally, but they don't think it has to become public. Excuse me??

  • Anshulbeniwal's avatar
    Anshulbeniwal
    Copper Contributor
    Feb 15, 2023

    SecD3  Try running endpoint on-boarding script again on the endpoint. I have noticed that after a month or so endpoint stopped working on some users. Running the script again seems to have solved the problem. 

  • SecD3's avatar
    SecD3
    Copper Contributor
    Feb 15, 2023

    GuillaumeB did you ever resolve this issue? I am having the same issue. MS Support is telling me that the extended attributes are not being applied to the files.

  • PB_2713's avatar
    PB_2713
    Copper Contributor
    Nov 02, 2022
    Can anyone share solutions for this? I have been working with MS support for a while now on this with no resolution
  • GuillaumeB's avatar
    GuillaumeB
    Brass Contributor
    Oct 20, 2022

    Anshulbeniwal , don’t bother with any analysis of my logs : Microsoft support just replied to me with the following root cause analysis

     

    finding based on collected logs: The file in question (NewCustomers.xlsx) is not enforced with expected End DLP policy. Instead, it is applied with default policy which is not expected. We are analyzing further to understand why”

     

Resources