cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Endpoint DLP not working as expected

DP-IT
Copper Contributor

‎Feb 26 2022 02:40 AM - edited ‎Feb 26 2022 02:41 AM

‎Feb 26 2022 02:40 AM - edited ‎Feb 26 2022 02:41 AM

Endpoint DLP not working as expected

Hi,

i created new test tenant to try Endpoint device DLP, i  inboard devices and i created DLP policy for devices , with block action but i its not working .

 

can you help 

thanks

 

10.4K Views
4 Likes
19 Replies
Reply
19 Replies
DP-IT

‎Feb 28 2022 01:36 AM

‎Feb 28 2022 01:36 AM

Re: Endpoint DLP not working as expected

@DP-IT 

Just to give more information ,
i am able to see all activities in the activity explorer in the compliance center. for example i can see upload to the cloud activity which i block in the policy but nothing happened

 

DPIT_0-1646040980450.png

 

1 Like
Reply
AdminAt845

‎Jun 06 2022 03:02 PM

‎Jun 06 2022 03:02 PM

Re: Endpoint DLP not working as expected

@DP-IT 

 

Hey man, I am having the exact same problem.  The events get audited but still no actions taken on the Endpoint aka Windows 10 devices.  Did you ever find a solution to this?

1 Like
Reply
Jordi_Nogues

‎Jul 20 2022 10:43 PM

‎Jul 20 2022 10:43 PM

Re: Endpoint DLP not working as expected

@AdminAt845, @DP-IT, @All...
I'm having the same problem: "events get audited but still no (block) actions taken on the Endpoints". Did you find the solution?
I've been succesful in a number of previous deployments, and the only differences I can identify here are:
a- the endpoint is managed from SCCM (no Intune);
b- device join type is "hybrid azure AD join";
c- the UPN I use to authenticate to Azure AD doesn't match my email address.
0 Likes
Reply
Anshulbeniwal

‎Aug 15 2022 12:14 AM

‎Aug 15 2022 12:14 AM

Re: Endpoint DLP not working as expected

Microsoft DLP is bit different. After creating the policy for endpoint devices you'll have to go to Microsoft Purview > Data Loss Prevent > Endpoint Settings > Browser and domain restrictions to sensitive data and Set service domain to block.
Also add the domain where you are trying to block the upload on
Assumptions:
1- Device is already onboarded
2- Policy has a action set to block or block with user override for sensitive data
0 Likes
Reply
yodaPREDATOR

‎Oct 18 2022 08:16 AM

‎Oct 18 2022 08:16 AM

Re: Endpoint DLP not working as expected

@DP-IT 

Hi, I know its been a long time since this thread was active but I am experiencing the same from my endpoint DLP rules, so i thought I ask a question here.

Did you manage to solve the problem back then? 
In my scenario the protected files gets audited (I can see that in the Activity Explorer) but they are not blocked as they should. 

The device is already onboarded via script.

Any ideas what might be wrong?

 

0 Likes
Reply
GuillaumeB

‎Oct 19 2022 07:27 AM - edited ‎Oct 19 2022 07:48 AM

‎Oct 19 2022 07:27 AM - edited ‎Oct 19 2022 07:48 AM

Re: Endpoint DLP not working as expected

@Jordi_Nogues , @AdminAt845 @DP-IT , @yodaPREDATOR , same issue, the device is a Windows 11 Pro, managed by intunes, joined as Azure AD ;  I can see that the activities are audited in the Purview Compliance DLP Activity Explorer but they are not blocked on my device as they should by the Endpoint DLP policy I deployed.

 

NB :  I don't see any policy / rule names in the last columns of Activity Explorer?!  (check 

my Purview Endpoint DLP Activity Explorer 

 

Does anyone find the root cause of that issue?




0 Likes
Reply
yodaPREDATOR

‎Oct 19 2022 01:10 PM

‎Oct 19 2022 01:10 PM

Re: Endpoint DLP not working as expected

@GuillaumeB 

Maybe the files are not actually scanned by a policy?

I believe those files that appear in the Activity Explorer are audited because the “Always audit file activity for devices” option is On, in the Data loss prevention -> Endpoint DLP settings,  in the Compliance portal.

I cant see what is wrong because if they can be audited then they should been scanned and blocked by the dlp polices. 

My device is Windows 10 Pro and is onboarded be script through the Compliance portal.

 

Anyone, any ideas are appreciated.

 

1 Like
Reply
GuillaumeB

‎Oct 20 2022 01:58 AM

‎Oct 20 2022 01:58 AM

Re: Endpoint DLP not working as expected

Hi, thanks for your reply ; actually Microsoft Support gave me this procedure to execute from my device to troubleshoot. I'm waiting for them to come back to me with their analysis ; the log generated is giving a lot of valuable information.

1. Download latest stable version from: https://aka.ms/Betamdeanalyzer
2. Extract contents to "C:\MDATP\MDEClientAnalyzerPreview"
3. From an elevated CMD prompt, run: "C:\MDATP\MDEClientAnalyzerPreview\MDEClientAnalyzer.cmd -t"
4. Specify the maximum number of minutes to collect traces: 6-10 min
5. Reproduce the issue.
6. When completed, send us "C:\MDATP\MDEClientAnalyzerPreview\MDEClientAnalyzerResult.zip
0 Likes
Reply
Anshulbeniwal

‎Oct 20 2022 02:10 AM

‎Oct 20 2022 02:10 AM

Re: Endpoint DLP not working as expected

@GuillaumeB i'll tell you what you need to look at. For endpoint dlp to work window defender service needs to be running. If you run just this command MDEClientAnalyzer.cmd (without -t) it will produce the result in web page. There on web page make sure it says defender service is running.

Note: you can run defender with any other AV solution your org uses. If defender detects other AV , it will run in passive mode.
Microsoft Defender Antivirus compatibility with other security products | Microsoft Learn

1 Like
Reply
GuillaumeB

‎Oct 20 2022 08:39 AM

‎Oct 20 2022 08:39 AM

Re: Endpoint DLP not working as expected

Hi @Anshulbeniwal , that's very nice of you. Here is in attachment the logs files I got. Let me know from your expert viewpoint if something is wrong. On my side I already updated Defender AV Security Intelligence Version

Preview file
430 KB
Preview file
79 KB
0 Likes
Reply
GuillaumeB

‎Oct 20 2022 11:20 AM - edited ‎Oct 20 2022 11:23 AM

‎Oct 20 2022 11:20 AM - edited ‎Oct 20 2022 11:23 AM

Re: Endpoint DLP not working as expected

@Anshulbeniwal , don’t bother with any analysis of my logs : Microsoft support just replied to me with the following root cause analysis

 

finding based on collected logs: The file in question (NewCustomers.xlsx) is not enforced with expected End DLP policy. Instead, it is applied with default policy which is not expected. We are analyzing further to understand why”

 

0 Likes
Reply
PB_2713

‎Nov 02 2022 04:22 PM

‎Nov 02 2022 04:22 PM

Re: Endpoint DLP not working as expected

Can anyone share solutions for this? I have been working with MS support for a while now on this with no resolution
0 Likes
Reply
Bhavin_Pawar

‎Dec 18 2022 10:42 PM

‎Dec 18 2022 10:42 PM

Re: Endpoint DLP not working as expected

Hello @GuillaumeB,

I am also on same page,
My requirements are, I would like to block Confidential Sensitivity label Document if someone is trying to print.
I have set the workload to Endpoint.
As per Microsoft, endpoint workload covers the below action when you create an endpoint DLP policy.
1. Upload to a restricted cloud service domain or access from an unallowed browser. - For me, it is working.
2. Copy to clipboard - Not require
3. Copy to removalbe USB device - Not working
4. Copy to Network Share - - Not require
5. Print - Not working
6. Copy or move using unallowed bluetooth app - Not require
7. Copy or move using RDP - Not require
One Bigger Surprise is here for browser level its working as per requirements (means Confidential Sensitivity label document is blocking if i upload on untrusted domains)
But for Print is not blocking.
My curiosity is over there if its working for Browser level then why it is not blocking for Print.? since it is working for Browser means my Endpoint policy is already reach on respected endpoint machine. it should also work from print task (monitor/block)
Surprised for me: for few machines it is working and for few machines it’s not working.
i have also shared logs with Microsoft team but till date i not heard any solution. if someone knowing this issue and solution. please do the needful.
Note: Expected Defender URL already allowed from proxy.
0 Likes
Reply
Thomas Moen

‎Jan 23 2023 11:17 AM

‎Jan 23 2023 11:17 AM

Re: Endpoint DLP not working as expected

@Bhavin_Pawar 

 

Configure endpoint DLP settings - Microsoft Purview (compliance) | Microsoft Learn

 

Printer Groups, USB Groups and Network Groups were recently added to Endpoint DLP in Purview Compliance Center.

0 Likes
Reply
JAMES DELORN HOWLAND JR

‎Jan 23 2023 11:51 AM

‎Jan 23 2023 11:51 AM

Re: Endpoint DLP not working as expected

How do I use a calculated field in access to test if hours is greater than 40 to calculate overtime pay(hours - 40) * (1.5 * payrate), else 0.
0 Likes
Reply
aymiee

‎Feb 02 2023 07:48 AM

‎Feb 02 2023 07:48 AM

Re: Endpoint DLP not working as expected

Do the printers that you specify for the printer group have to be onboarded, also? I have created a printer group consisting of my local printer (wireless), but it's not working. Any ideas?
0 Likes
Reply
SecD3

‎Feb 15 2023 07:01 PM

‎Feb 15 2023 07:01 PM

Re: Endpoint DLP not working as expected

@GuillaumeB did you ever resolve this issue? I am having the same issue. MS Support is telling me that the extended attributes are not being applied to the files.

0 Likes
Reply
Anshulbeniwal

‎Feb 15 2023 07:09 PM

‎Feb 15 2023 07:09 PM

Re: Endpoint DLP not working as expected

@SecD3  Try running endpoint on-boarding script again on the endpoint. I have noticed that after a month or so endpoint stopped working on some users. Running the script again seems to have solved the problem. 

1 Like
Reply
Thomas Moen

‎Feb 15 2023 07:41 PM

‎Feb 15 2023 07:41 PM

Re: Endpoint DLP not working as expected

The printers must be added to a group and configured for Universal Printing in Azure.
0 Likes
Reply