Microsoft Defender for Endpoint policy not working for office documents

I created an endpoint DLP policy to block copying data to USB devices. The condition I used is file types, and I included all Office documents and PDF. The policy is working on PDF but is not applied to Office documents.

5 Replies

@ALI_hamed17

If you go to Activity explorer, do you see the Office files showing up as DLP Rule Match or as the "File copied to removable media" action?

@miller34mike Hi

No, it is not showing DLP Rule Match; it's showing File copied to removable media.

I attach both events, the PDF and the DOCX.

Thanks

@ALI_hamed17

Could you provide a screenshot of your policy conditions by chance?

@ALI_hamed17 I just had a case with MS regarding the same issue. They advised that in order for the policy to trigger, the document must be classified by their classification engine. This engine is triggered by different actions taken on the document (open, close, save, download, ...), so if you have a file at rest on your device, it won't be seen by the classification engine. You will be able to copy it to the removable media, and if you delete it and try to paste it again, the action will trigger the DLP policy and block the copy operation.

I hope this helps!