Sensitivity Label Endpoint data loss prevention does nothing


I'm trying to set up sensitivity labels and Windows Information Protection to prevent employees from accidentally or purposefully leaking sensitive documents to non-corporate environments.

 

Everything with WIP works great, it's configured via Intune, and sensitivity labels appear to be working.

 

However, I'm not sure what the point is of the sensitivity label option for "Endpoint data loss prevention". If I apply a SUPER SECRET sensitivity label to a Word document with the option enabled, users are still able to simply right-click and change file ownership to Personal, and then they can email it from their personal Gmail account or whatever. So it's not enforcing endpoint DLP at all.

 

The "Learn how endpoint DLP works with sensitivity labels" link on the settings page says "If endpoint data loss prevention is enabled, the device enforces work protection for any file with the label", but it's not a very detailed section.

 

How can I stop users from changing ownership of files, and is it possible to restrict that ability based on the sensitivity label?
