
Sensitivity Label Endpoint data loss prevention does nothing


I'm trying to set up sensitivity labels and Windows Information Protection to prevent employees from accidentally or purposefully leaking sensitive documents to non-corporate environments.

 

Everything with WIP works great; it's configured via Intune, and sensitivity labels appear to be working.

 

However, I'm not sure what the point is of the sensitivity label option for "Endpoint data loss prevention". If I apply a SUPER SECRET sensitivity label to a Word document with the option enabled, users are still able to simply right-click and change file ownership to Personal, and then they can email it from their personal Gmail account or whatever. So it's not enforcing endpoint DLP at all.

 

The "Learn how endpoint DLP works with sensitivity labels" link on the settings page says "If endpoint data loss prevention is enabled, the device enforces work protection for any file with the label", but it's not a very detailed section.

 

How can I stop users from changing ownership of files, and is it possible to restrict that ability based on the sensitivity label?

1 Reply

Hi @Andrew Kovacs

 

I am facing a similar scenario. You can restrict this capability by deleting this registry key:

 

HKEY_CLASSES_ROOT\*\shell\UpdateEncryptionSettingsWork

 

It is not documented by Microsoft, since this is an EFS setting.
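
The registry change described in the reply above, as an added PowerShell example that is not part of the original thread: it checks the machine and per-user hives that back HKEY_CLASSES_ROOT, exports the key before touching it, and only then removes it. The backup directory is a hypothetical path, and the script assumes an elevated session.

```powershell
#Requires -RunAsAdministrator
# Added example: audit, back up, then remove the shell verb named in the reply.
# HKEY_CLASSES_ROOT is a merged view, so check the two hives behind it separately.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Hypothetical backup location; change to suit your environment.
    [string]$BackupDir = "$env:ProgramData\WipVerbBackup"
)

$verb  = '*\shell\UpdateEncryptionSettingsWork'   # key path taken from the reply
$hives = @{
    'HKLM' = 'HKEY_LOCAL_MACHINE\SOFTWARE\Classes'
    'HKCU' = 'HKEY_CURRENT_USER\Software\Classes'  # hive of the account running this
}

foreach ($name in $hives.Keys) {
    $regPath = "$($hives[$name])\$verb"
    $psPath  = "Registry::$regPath"

    # -LiteralPath is required: the '*' is a real key name here, not a wildcard.
    if (-not (Test-Path -LiteralPath $psPath)) {
        Write-Output "[$name] verb not present"
        continue
    }

    if ($PSCmdlet.ShouldProcess($regPath, 'Export and remove')) {
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $backup = Join-Path $BackupDir "UpdateEncryptionSettingsWork-$name.reg"

        # Export first so the change can be reverted by importing the .reg file.
        & reg.exe export $regPath $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "[$name] export failed; key left in place"
            continue
        }
        try {
            Remove-Item -LiteralPath $psPath -Recurse -Force -ErrorAction Stop
            Write-Output "[$name] removed; backup at $backup"
        } catch {
            Write-Warning "[$name] removal failed: $($_.Exception.Message)"
        }
    }
}
```

Run it with `-WhatIf` first to see which hive actually holds the key without changing anything.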