Common questions on Microsoft Purview Data Loss Prevention for endpoints

This guide covers the top-of-mind FAQs on Microsoft Purview Data Loss Prevention for endpoints (referred to as Endpoint DLP in this post). We have collaborated with engineers, designers, and Endpoint DLP experts to increase your confidence in the Endpoint DLP capabilities, and to help you learn more about your setup. We hope you enjoy these guidelines to troubleshoot your most common issues with deployment, if any!

Licensing and supported platforms

What are the license requirements and supported OS?

Endpoint DLP is supported on Windows 10 1809 or higher and Windows 11 and the three latest released versions of MacOS. Endpoint DLP is included with the following SKUs:

• Microsoft 365 E5/A5
• Microsoft 365 E5/A5 Compliance
• Microsoft 365 E5/A5 Information Protection and Governance

Refer to Microsoft 365 licensing guidance for security & compliance to identify the required licenses for your organization.

Which browsers are supported for blocking the upload of sensitive files to cloud apps?

For Windows devices, blocking access and upload of sensitive files to cloud apps is supported on:

• Microsoft Edge
• Google Chrome (Microsoft Purview Chrome Extension)
• Firefox (coming soon)

Non-Microsoft browsers can be blocked from accessing sensitive files while enabling normal activity on non-sensitive files.

For macOS devices, addition to the browsers listed above endpoint DLP also supports:

• Safari

Does Endpoint DLP work on non-Windows devices? (Mac, iOS, Android)

Endpoint DLP supports Windows 10 Enterprise 1809+ and the three latest released versions of MacOS. We are evaluating expanding support for Linux and mobile platforms in the future.

Will the Mail app be monitored by Endpoint DLP (personal, Gmail, Yahoo)?

Yes, desktop applications will be supported. Webmail will be done with domain restrictions.

Policy evaluation and enforcement

When a DLP policy is created or edited in the Microsoft Purview compliance portal, how long does it take for the updated policy to sync to the device?

Syncing new or updated DLP policies should occur on onboarded devices within 60 minutes.

What happens if a group membership changes for a distribution group scoped into an Endpoint DLP policy?

After modifying a user group, e.g., user added or removed from a group scoped to an endpoint DLP policy, it takes approximately 24 hours for that change to come into the scope of the DLP policy.

Can Endpoint DLP work when a device is offline and not connected?

If a device is offline, the existing policy continues to be enforced on existing files. If a new file is created when the device is offline, scanning and protection won’t be enforced until the device has an internet connection. If DLP policy is updated or changed while a device is offline, the device won’t receive the updated policy until the device has internet connectivity.

What happens to DLP audit and alerting events when the endpoint device disconnects from the internet?

The telemetry for activities happening on the file are cached on the device and is synced to the service when the device reconnects.

Does Endpoint DLP scan files at rest on devices?

Endpoint DLP will scan all files on the endpoint device which are created or modified or opened after the device is onboarded. Existing policies will continue to protect even if the device goes offline.

We’re currently working on a feature that addresses files that have been present on the device before onboarding it to Endpoint DLP but have not been accessed/modified and will share details in the coming months. To track this feature please visit the public roadmap.

Policy features for Endpoint DLP

What are some of the activities that Endpoint DLP can monitor?

Refer to endpoint activities you can monitor and take action on.

Which files can be inspected for sensitive content?

Endpoint DLP supports monitoring of files through policy.

Does Endpoint DLP work on protected (encrypted) files that have a sensitivity label and protection settings?

Endpoint DLP does not decrypt protected files to scan for sensitive content. If the DLP policies are based on the detection of sensitive information types, encrypted files will not be inspected. However, you can define policies to use sensitivity labels (e.g., Confidential) as a condition or use the Attachment is password protected condition to enforce specific restrictions on password protected files.

How can I protect files that are not scannable by endpoint DLP?

You can use the following features to protect files that are not included in scannable files:

• Protection through file extension as a condition
• Protection through file type as a condition
• Protection for password protected files

Does Endpoint DLP inspect files in all locations on the endpoint device?

Yes, Endpoint DLP will inspect all files locally stored on the device. However, you also have the flexibility to define file paths to be excluded from Endpoint DLP inspection and policy enforcement. These settings are available in the “Data Loss Prevention” section of the Microsoft Purview compliance portal under “Global settings”. Refer to File path exclusions.

If you add a file path to the “File Path Exclusions” list, will this behavior still be monitored?

No, it will not be monitored even if always audit is turned on.

Can you create an Endpoint DLP policy using sensitivity labels as a condition?

Yes, you can configure the policy to use sensitivity labels as conditions. For example, if a Word document is labeled as Highly Confidential, then you can enforce the policy to block copy to external USB drive. In addition, you also have the ability to detect the absence of a sensitivity label through the condition content is not labeled.

Does Endpoint DLP support classification techniques like Exact Data Match (EDM) for Endpoint devices? What do I need to do to enable them?

You can take advantage of classification techniques like Exact Data Match (EDM) classification and named entities on Endpoint DLP by turning on advanced classification scanning and protection. EDM-based classification enables you to create custom sensitive information types that refer to exact values in a database of sensitive information. Refer to Learn about exact data match based sensitive information types.

In addition, you can categorize and label content so it can be protected and handled properly through trainable classifiers. Refer to Trainable classifiers definitions for a complete list of all pre-trained classifiers.

What are the supported file types for advanced classification?

Support for advanced classification is available for Office (Word, Excel, PowerPoint) and PDF file types.

These Windows versions support advanced classification scanning and protection:

• Windows 10 versions 20H1/20H2/21H1
• Windows 10 versions 19H1/19H2
• Windows 10 RS5

How can I set up differentiated restrictions for some set of printers, USB devices, VPN, or network share?

You can define groups of printers/removable storage devices/VPN/network share and assign differentiated restrictions for each group when defining your endpoint DLP policy. Refer to Printer groups, Removable storage device groups, VPN settings, and Network share groups.

How can I set up different restriction levels for sensitive data upload to different sites?

Endpoint DLP allows you to monitor or restrict user activities (e.g., Audit only, block, allow) on sensitive service domains when uploading to a restricted cloud service domain. For example, allow upload of sensitive data to internal SPO sites but prevent upload of sensitive data to social media sites. Refer to Monitor or restrict user activities on sensitive service domains.

Troubleshooting your Endpoint DLP setup

How can I verify if my Endpoint DLP setup is healthy?

Make sure your device meets the onboarding prerequisites. Set up the right prerequisites by following the steps below.

• For Windows devices, make sure you are using the right Windows version and have enabled Real Time Protection (RTP), Behavior Monitoring (BM), and using Microsoft Edge browser.
  Refer to Prepare your Windows devices.
• For MacOS devices, make sure you are using the supported OS. If not, you will see unhealthy in the configuration portal. Make sure you have installed accessibility, full disk access, network filter, system extensions, package version, and using Microsoft Edge browser.
  Refer to Onboard macOS devices into Microsoft 365 overview.

How can I verify the policy has synced to the device(s)?

If you have created or edited a policy and you want to verify that it was deployed to your device, contact the support team and follow the steps below to provide details of the scenario you’re having issues with:

1. Make sure that the configuration status of your device is “Updated” in the Device Onboarding page. If not, set up the prerequisites on your device until the configuration status changes to “Updated”.
   1. For Windows devices, make sure you are using the right Windows version and have enabled Real Time Protection (RTP), Behavior Monitoring (BM), and using Microsoft Edge browser.
   2. For MacOS devices, make sure you are using the supported OS. If not, you will see unhealthy in the configuration portal. Make sure you have installed accessibility, full disk access, network filter, system extensions, package version, and using Microsoft Edge browser.
2. Download the MDE Client Analyzer tool to the Windows machine you need to investigate. The client analyzer collects data for troubleshooting when diagnosing reliability issues on onboarded devices.
3. Extract all the contents of the MDEClientAnalyzer.zip on the machine.
4. Open an elevated command line:
   1. Go to Start and type cmd, right-click Command prompt and select Run as administrator.
   2. Answer Yes if a User Account Control message appears.
5. Run the following command “MDEClientAnalyzer.cmd -t”
6. Reproduce the issue and stop the trace collection.
7. Share the ZIP with the support team for further assistance.

How can I verify if a policy was applied to a file?

If the policy has already been deployed to the client machine and you want to verify if it was applied to a file, contact the support team and follow the steps below to provide details of the scenario you’re having issues with:

1. Download the MDE Client Analyzer tool to the Windows, Linux, or macOS machine you need to investigate. The client analyzer collects data for troubleshooting when diagnosing reliability issues on onboarded devices.
2. Extract all the contents of the MDEClientAnalyzer.zip on the machine.
3. Open an elevated command line:
   1. Go to Start and type cmd, right-click Command prompt and select Run as administrator.
   2. Answer Yes if a User Account Control message appears.
4. Run the following command “MDEClientAnalyzer.cmd -t”
5. Reproduce the issue and stop the trace collection.
6. Share the ZIP with the support team for further assistance.

Why is my policy not working as expected?

1. The most common reason behind a policy not working as expected is the Office version on your device. Make sure you have the right Office version installed.
2. Another possible reason is that the file location might not be covered by Endpoint DLP.
   1. The file is stored on the removable media storage. E.g., Open file stored on the removable media storage, and print will not trigger the policy.
   2. The file is stored on the network share.
3. You should also know that policies behave with the most restrictive enforcement. Identify if this is the case for your policy. 
   1. When a file matches multiple DLP policies, the most restrictive rule takes precedence over the rest and gets enforced on the content first. For example, if content matches all the following rules, then Rule 2 takes precedence over the other rules since it's the most restrictive. 
      1. Rule 1: only audits all activity.
      2. Rule 2: blocks all activity.
      3. Rule 3: blocks all activity with option for end user to override.

All the other rules are evaluated but their actions aren't enforced. Audit logs will show the most restrictive rule applied on the file. If there's more than one rule that matches and they're equally restrictive, then policy and rule priority govern which rule would be applied on the file.

For further assistance on this matter contact support.

We hope these answers are helpful and we look forward to your feedback. 

Thank you,

Microsoft Purview Data Loss Prevention Team