Microsoft Tech Community
Announcing public preview of Microsoft Endpoint Data Loss Prevention
Published Jul 21 2020 08:00 AM
Microsoft

UPDATE: We are excited to announce that Microsoft Endpoint DLP has finished rolling out in Public Preview to entitled customers! See the Get Started section in this blog post for links and instructions to get started, and visit our forum to share your questions & feedback at https://aka.ms/mip/yammer 

 

Ensuring that sensitive data is protected from risky or inappropriate sharing, transfer, or use has always been a top priority for organizations. The new reality of significant numbers of employees working from home or other remote locations indefinitely has created renewed emphasis on providing strong and coordinated protection on the endpoints they use every day. To help customers accelerate their deployment of a comprehensive information protection strategy across all their environments, we are announcing the public preview of Microsoft Endpoint Data Loss Prevention (DLP).

 

At Microsoft, we have long invested in developing cutting-edge information protection solutions for our customers. Microsoft Information Protection (MIP) is a built-in, intelligent, unified, and extensible solution that understands and classifies your data, keeps it protected, and prevents data loss across Microsoft 365 apps (e.g., Word, PowerPoint, Excel, Outlook), services (e.g., Microsoft Teams, SharePoint, Exchange), third-party SaaS applications, and more – on premises or in the cloud. Endpoint DLP now extends MIP classification and protection to devices.

 

Microsoft 365 customers only need to create DLP policies once in the Microsoft 365 compliance center. They can then apply the policies to Exchange, Teams, SharePoint, OneDrive for Business, and now – to endpoints as well. All that is required is for the endpoint to be onboarded in your environment using your established device management onboarding process.

 

Figure 1: DLP policy location choices (including ‘Devices’) in the Microsoft 365 compliance center

Endpoint DLP identifies and protects information on endpoints. Endpoint DLP does not restrict or limit the use of applications, web browsers, or other services when sensitive data is not present. It delivers three core capabilities: Native protection, seamless deployment, and integrated insights.


Native protection

Endpoint DLP is native to Windows 10 and the new Microsoft Edge browser. There is no need to install or manage additional DLP software on Windows 10 machines anymore. Providing DLP experiences natively on the endpoint has many benefits.

 

A familiar look and feel users are already accustomed to from applications and services they use every day is just the beginning. Endpoint DLP also reduces end-user training time and alert confusion, increases user confidence in prescribed guidance and remediations, and improves policy compliance – without reducing productivity.

 

Users are automatically alerted when they take an inappropriate or risky action with sensitive data and are given actionable policy tips and guidance to remediate properly. For example, in Figure 2, a user attempts to copy sensitive data from the Word document Project Obsidian Spec.docx, which contains sensitive information about an updated engine chip design. In this example, the policy is set to ‘Block’ without the option to override. When the user performs the activity (in this case, copying sensitive data), the event is recorded and the user is notified that the action is blocked because copying this data is not allowed under the DLP policy.

 

Figure 2: User alerted not to copy sensitive data from a Word document

The user experience for third-party applications is similar. In Figure 3 below, a user tries to copy a document with sensitive data – Project Obsidian.pdf – to a personal Dropbox account using Microsoft Edge. In this example, the DLP policy is set as ‘Block with Override.’ The user is notified this action is blocked because copying the file to that specific cloud application is not allowed, and the event is recorded and available for review and analysis in the Microsoft 365 compliance center console.

 

Figure 3: User alerted in Microsoft Edge not to copy a file containing sensitive data to a cloud file service


Seamless deployment

Endpoint DLP is managed via the cloud and the Microsoft 365 compliance center, eliminating the need to deploy and operate additional consoles, event management systems, databases, and hardware on premises. As an integral part of MIP, Endpoint DLP leverages the same robust classification system to identify sensitive data accurately and consistently. It is easy to get started with data protection using our 100+ built-in sensitive data types and over 40 templates for common industry regulations. MIP policies can be deployed to Endpoint DLP without additional reconfiguration. Organizations that use MIP’s intuitive interface to create custom sensitive content identifiers and policies can deploy these to Endpoint DLP without any reconfiguration as well.

 

Figure 4: Easy policy configuration in the Microsoft 365 compliance center

Organizations also require flexibility when deploying policies to ensure they minimize disruptions to users and maximize policy effectiveness. Microsoft DLP solutions offer three different modes to monitor and restrict activities in each DLP policy to ensure the intended compliance objectives are achieved:

  • Audit: only records policy violation events without impacting end user activity
  • Block with Override: records and blocks the activity, but allows the user to override when they have a legitimate business need
  • Block: records and blocks the activity without the ability to override 

Endpoint DLP can enforce policies for a broad range of activities unique to the endpoint including:

  • Copying a sensitive file to an external USB media device
  • Copying a sensitive file to a network share
  • Uploading a sensitive file to a cloud service
  • Printing a sensitive file
  • Copying sensitive content to the clipboard
  • Access to a sensitive file by an unallowed app

 

Figure 5: DLP policy enforcement options
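As an added, illustrative example (not code from the original post or from Microsoft’s own documentation), the following Security & Compliance PowerShell creates one DLP policy scoped to the Devices location and a rule that applies a different enforcement mode to each of the endpoint activities listed above. The cmdlets (Connect-IPPSSession, New-DlpCompliancePolicy, New-DlpComplianceRule, Get-DlpComplianceRule, Set-DlpCompliancePolicy) come from the ExchangeOnlineManagement module that fronts the Microsoft 365 compliance center; the policy and rule names, the sensitive information type, and the EndpointDlpRestrictions Setting/Value strings are assumptions to be checked against the current cmdlet reference for your tenant before use. It also assumes the target devices are already onboarded and running the integrated Microsoft Edge build, as the post requires.

```powershell
# Added example (not from the original post): one Endpoint DLP policy and rule
# created with Security & Compliance PowerShell. Cmdlet names are from the
# ExchangeOnlineManagement module; the policy/rule names, the sensitive
# information type and the Setting/Value strings below are assumptions to
# verify against the current New-DlpComplianceRule reference.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession            # interactive sign-in to Security & Compliance PowerShell

$policyName = 'Endpoint DLP - Project Obsidian (preview)'   # assumed name
$ruleName   = "$policyName - restrict egress"                # assumed name

# The 'Devices' location in the compliance center is -EndpointDlpLocation.
# 'All' targets every onboarded device. Start in a test mode so events are
# recorded in Activity Explorer but nothing is blocked yet.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Endpoint DLP preview: sensitive design documents' `
    -EndpointDlpLocation All `
    -Mode TestWithoutNotifications

# One restriction per endpoint activity. Value maps onto the three modes
# described above: Audit = record only, Warn = Block with Override,
# Block = block with no override.
$restrictions = @(
    @{ Setting = 'CopyPaste';      Value = 'Block' }   # copy sensitive content to the clipboard (Figure 2)
    @{ Setting = 'CloudEgress';    Value = 'Warn'  }   # upload to a cloud service (Figure 3)
    @{ Setting = 'RemovableMedia'; Value = 'Block' }   # copy to external USB media
    @{ Setting = 'NetworkShare';   Value = 'Audit' }   # copy to a network share
    @{ Setting = 'Print';          Value = 'Audit' }   # print a sensitive file
    @{ Setting = 'UnallowedApps';  Value = 'Block' }   # access by an unallowed app
)

New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }) `
    -EndpointDlpRestrictions $restrictions `
    -NotifyUser 'Owner' `
    -NotifyPolicyTipCustomText 'This content is protected by DLP policy; copying or uploading it is restricted.'

# Confirm what was created. Switch the policy to Enable only after the Audit
# telemetry in Activity Explorer shows the expected users, files and actions.
Get-DlpComplianceRule -Policy $policyName | Select-Object Name, EndpointDlpRestrictions
# Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Keeping the policy in a test mode first matters on the endpoint more than elsewhere: device telemetry flows into Activity Explorer without enforcement, so you can check that the recorded events carry the mode you intended before users start seeing block prompts.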

The seamless deployment of Endpoint DLP reduces the strain of incorporating endpoints into existing DLP programs. It increases consistency of compliance across cloud and native workloads and ensures immediate value upon deployment. Device telemetry, for instance, is available in the Microsoft 365 compliance center without having to configure any policies.

 

Figure 6: Microsoft 365 compliance center view of sensitive data activity including device telemetry

The Activity Explorer view in the Microsoft 365 compliance center filters events to surface risky activities and shows the specific action, the user, and the file involved. This streamlines response, so you can quickly remediate potential unintended or intentional data breaches.

 

Figure 7: Activity Explorer view of sensitive data activity including device telemetry


Integrated insights

Microsoft Endpoint DLP integrates with other Security and Compliance solutions such as MIP, Microsoft Threat Protection, and Insider Risk Management in Microsoft 365. Endpoint DLP enriches the other solutions with precise insights about device activity of sensitive content. This provides comprehensive coverage and visibility of active data protections, device states and user actions required by organizations to meet regulatory and policy compliance.

 

Microsoft Threat Protection provides integrated protection against sophisticated attacks. It unifies a pre- and post-breach defense suite that natively coordinates detection, prevention, investigation and response across endpoints, identities, email, and applications. This is critical insight that can be used in addition to DLP findings to quickly assess if there are additional factors to consider, beyond the DLP policy violation itself and if a broader set of remediations need to take place.

 

Insider Risk Management in Microsoft 365 provides organizations with the ability to detect, investigate, and take actions on risky insider activities. Organizations can define a range of acceptable thresholds for a broad set of user and device activities beyond which an alert is generated and displayed in an interactive chart that plots risks and risk level over time for current or past activities. This critical insight can be used in addition to DLP event information to enhance the context of findings and quickly assess the scope of policy violations to help triage intentional versus accidental policy violations.

 

Endpoint DLP reduces the dependence on individual and uncoordinated solutions from disparate providers to monitor user actions, remediate policy violations, and educate users in context on the correct handling of sensitive data at the endpoint, on-premises and in the cloud.


Get Started

Endpoint DLP starts rolling out to customers’ tenants in Microsoft 365 E5/A5, Microsoft 365 E5/A5 Compliance, and Microsoft 365 E5/A5 Information Protection and Governance. To learn more about Endpoint DLP, visit our documentation. Endpoint DLP is part of a broad and comprehensive set of capabilities to identify, protect and govern your sensitive data. Get the latest version of Chromium-based Microsoft Edge, which is integrated with Endpoint DLP, from the Microsoft Edge page. To learn more about our Information Protection and Governance solutions, visit the documentation page. You can sign up for a trial of Microsoft 365 E5 or navigate to the Microsoft 365 compliance center to get started today.

 

Thank you,

Maithili Dandige, Principal Group Program Manager, Microsoft Information Protection and Compliance Engineering

Eric Ouellet, Senior Product Marketing Manager, Microsoft 365 Compliance

28 Comments
Brass Contributor

Wow, Microsoft 365 E5 sure becomes the vision of being a business platform instead of just a feature collection.

Brass Contributor

This looks fantastic. 

Copper Contributor

@Mas Libman Just wondering what's the difference between Windows Information Protection and Microsoft Endpoint Data Loss Prevention (features)?

Copper Contributor

@Mas Libman Any plans to include Hybrid AD joined devices? I currently see that only Azure AD devices are supported, as per the documentation.

Brass Contributor

This is awesome, but one feature we have been waiting for around two years now is DLP rules based on "Sensitivity Labels". We can create DLP rules based on "Retention Labels" but not "Sensitivity Labels".

@Maithili Dandige Eagerly waiting and hope it comes out in 2020 itself.  

Brass Contributor

@Suresh Bakthavachalam That is correct, the devices should be Azure AD joined and onboarded into Microsoft Security Center as well.

Copper Contributor

Hi,

 

Looks like good coverage at the Endpoint. What will be capabilities of the detection engine with regards to the data? I noticed that there is the ability to create a custom policy or use a template. Are custom policies restricted to keywords and regex or is there an ability to fingerprint / index structured data and documents?

 

Best regards,

 

Jeff

Copper Contributor

No support for Chrome?

Microsoft

@dipendas1979 Glad to share that Sensitivity label as a condition in DLP is already in private preview. If you want to register for the private preview, please fill the form https://aka.ms/mipc/DLPlabels-preview. Once you do that, you will hear from us within a couple of days with the confirmation. Hope this helps.

Copper Contributor

One more strong step towards end-point security from Microsoft, Great Stuff.

Looking forward to leveraging it. Kudos to the team.

Brass Contributor

Amazing News @Mas Libman @Shekhar_Palta . Thanks for this and will join the Private preview. Hope to see this feature coming out soon. 

Copper Contributor

How can I participate in the public preview?
Our tenant is in the Japan region.

The following settings cannot be found in our tenant.

 

https://docs.microsoft.com/en-us/microsoft-365/compliance/endpoint-dlp-getting-started?view=o365-wor...

  1. Open the Microsoft compliance center.
  2. Open the Compliance Center settings page and choose Onboard devices.
Copper Contributor

@RizwanAli I assume it uses the same DLP engine, but now you have more granular control over the allowed/blocked activities (copy to external storage, clipboard, print, etc.).

WIP is an "all or nothing" solution.

Brass Contributor

 

@Mas Libman Is it possible to stop users attaching documents which contain a sensitive info type to their personal emails such as Yahoo, Gmail, etc.?

Assuming we are using only edge browser.

 

Thanks. 

Bronze Contributor

Hi,

 

Really interesting features, and I hope to see more improvements and features.

Silver Contributor

I was just told that build 1809 is required, but I cannot find any documentation to support this statement. Is this in fact a prerequisite?

Microsoft

Great questions and comments - we are excited to continue to hear your feedback as you use and deploy our solution!

 

Addressing a few open questions from the comments: requirements to deploy and use Endpoint DLP, including AAD / hybrid support, build support (1809) etc - are available in our Getting started guide here: https://aka.ms/EndpointDLPGuide --> https://docs.microsoft.com/en-us/microsoft-365/compliance/endpoint-dlp-getting-started?view=o365-wor.... If you have any open questions or see anything missing, please do let us know through the comments!

 

Classification in Microsoft Endpoint DLP is integrated with our Microsoft Information Protection classification engine that's used across workloads like Endpoint. This helps to ensure you can uniformly detect when data is sensitive, and re-use your customizations and fine-tuning across all the places you scan for sensitive data. Here's a link to our documentation where you can learn more, including how to create custom classifiers. https://docs.microsoft.com/en-us/microsoft-365/compliance/custom-sensitive-info-types?view=o365-worl...

 

Thanks!

Copper Contributor

Looks like there are some great features here.  I notice multiple methods of on-boarding, including for VDI.  Please tell me you will also be supporting Windows 10 Multi-Session for WVD! 

Microsoft

According to the Getting Started documentation: "You must enable device monitoring and onboard your endpoints before you can monitor and protect sensitive items on a device." Later on, the Onboarding Tools and Methods for Windows 10 directions are for enrolling the device with Microsoft Defender ATP. The wording used in this article is "Endpoint DLP is native to Windows 10 and the new Microsoft Edge browser. There is no need to install or manage additional DLP software on Windows 10 machines anymore." For the sake of direct clarity, is MDATP a prerequisite for using Endpoint DLP?

Microsoft

Hi @Matthew Green thanks for the feedback/question - we'll work to make this more clear in our documentation.

 

No, MD ATP is not a prerequisite for Endpoint DLP.

The device onboarding procedure for Endpoint DLP is the same as MD ATP. This means that when you onboard a device for one solution (like MD ATP), that device is ready to use with other solutions (like Endpoint DLP) - so you don't need to onboard twice - however this is not a requirement to use Endpoint DLP.

Copper Contributor

Anyone able to get the block function to work? Currently have this enabled with a DLP rule created and the block functionality doesn't appear to be working. Any other pre-requisites needed for the DLP policies to actually be applied to the endpoints? 

 

I see activity in the activity explorer and the DLP policy has the block actions configured. Machine is Azure AD joined and is listed in the monitored endpoints section. Latest edge is installed. Additionally I can open with a disallowed app. Activity explorer does show an event for a disallowed app opening data but it wasn't blocked. Just shows audited.

Copper Contributor

I am having a similar issue to @Rgermain.  Copy/Paste of content in a document with a policy assigned via sensitivity label is blocked as expected.  However, I am still unable to upload the document to dropbox.  I am using version 84.0.522.52 of Chromium Edge.  I thought it might be related to an experimental feature flag in Edge, and can see there is an Enable copy/print and save as functionality for Endpoint DLP which I have set to Enabled, but still no dice.  Has anyone got this working?  Is there something we have missed @Mas Libman 

Copper Contributor

I have configured the Endpoint DLP policies on block with override mode. Applied the policy on the Windows 10 Build 1809 and Microsoft Edge

Version 84.0.522.61 (Official build) (64-bit). I am able to copy/paste the sensitive content, copy a sensitive file to a network share, and print or upload the sensitive file to cloud apps (not blocked by the DLP policy). I am not getting any DLP prompt on my local machine. In the activity explorer we are able to see the events and activity, but the enforcement mode is showing Audit. Is there something we have missed? @Mas Libman

 

Copper Contributor

I understand that E5 licencing is required to enable and configure this in the Security and Compliance Centre, but will E5 licence be required by the users on the endpoints themselves? 

 

For example, if our IT Ops team all have E5 licences in order to access the full suite of security tools, but our endpoint users are on E3 licence, what would our position be?

 

Additionally, is anyone actually able to access the AIP/MIP Yammer page at the moment? I keep getting a 404 page.

MVP

What are the technical details for how endpoint DLP policies are applied or picked up by the Windows 10 endpoint? It would be useful for troubleshooting - e.g. where are the logs, how often does it update, can you force a check-in for new policies, etc. I created some policies for an onboarded device but they have yet to apply, and it's really just a guessing game as to why it hasn't or how long I should wait.

Copper Contributor

@Mas Libman Thanks for the information. Do we have any timeline on Endpoint DLP capabilities for macOS?

 

Brass Contributor

So it looks like the Public preview is restricted to users with the following License:

https://docs.microsoft.com/en-us/microsoft-365/compliance/endpoint-dlp-getting-started?view=o365-wor...

SKU/subscriptions licensing

Before you get started with Endpoint DLP, you should confirm your Microsoft 365 subscription and any add-ons. To access and use Endpoint DLP functionality, you must have one of these subscriptions or add-ons.

  • Microsoft 365 E5
  • Microsoft 365 A5 (EDU)
  • Microsoft 365 E5 compliance
  • Microsoft 365 A5 compliance
  • Microsoft 365 E5 information protection and governance
  • Microsoft 365 A5 information protection and governance

 

In my test tenant I don't see "Devices" under DLP Policies. But there I have only "Microsoft 365 E5 Developer" licenses in place. So will these licenses also get the feature?

Brass Contributor

Does anyone know if "Devices" should appear in DLP Policies for "Microsoft 365 E5 Developer"?  Thanks.

Version history: last updated May 11 2021 02:01 PM