Microsoft Defender for Endpoint policy not working for office documents

Copper Contributor

I created endpoint DLP policy to block copying data to USB devices , the condition i used is file types and i include all office documents and pdf. the policy is working on pdf but not applied to office documents.


5 Replies



If you go to activity explorer, do you see the office files showing up as DLP Rule Match or as the "File copied to removeable media" action?

@miller34mike  Hi 

No it is not showing DLP Rule Match , its showing File copied to removeable media.


i attach both events the PDF and DOCX








Could you provide a screenshot of your policy conditions by chance?

@ALI_hamed17 I just had a case with MS regarding the same issue. They advised that in order for the policy to trigger, the document must be classified by their classification engine. This engine is triggered by different actions taken on the document (open, close, save, download....) so if you have a file, at rest, on your device this won't be seen by the classification engine. You will be able to copy it on the removable media and if you delete it and try to paste it again, the action will trigger the DLP policy and block the copy operation.


I hope this helps!