Microsoft Purview - Paint By Numbers Series (Part 3b) – DLP for Endpoint (Label-based)
Published Apr 02 2022 09:22 PM 2,196 Views



Before we start, please not that if you want to see a table of contents for all the sections of this blog and their various Purview topics, you can locate the in the following link:

Microsoft Purview- Paint By Numbers Series (Part 0) - Overview - Microsoft Tech Community



This document is not meant to replace any official documentation, including those found at  Those documents are continually updated and maintained by Microsoft Corporation.  If there is a discrepancy between this document and what you find in the Compliance User Interface (UI) or inside of a reference in, you should always defer to that official documentation and contact your Microsoft Account team as needed.  Links to the data will be referenced both in the document steps as well as in the appendix.

All of the following steps should be done with test data, and where possible, testing should be performed in a test environment.  Testing should never be performed against production data.


Target Audience

The Data Loss Protection (DLP) section of this blog series is aimed at Security and Compliance officers who need to prevent data from being emailed to users in untrusted domains.



Document Scope

This document is meant to guide an administrator who is “net new” to Microsoft E5 Compliance through the use of Data Loss Prevention for Endpoints with a Sensitivity Label.

We will only step through a basic DLP case (see the Use Case section) with an Endpoint Device, specifically copying to a clipboard, printing, and copying to a USB device.

For the purpose of this document, an Endpoint Device is either a Windows 10 or Window 11 device AND it is a physical device, not a virtual device.



This document does not cover any other aspect of Microsoft E5 Compliance, including:

  • Sensitive Information Types
  • Exact Data Matching
  • Data Protection Loss (DLP) for Exchange, OneDrive
  • Microsoft Cloud App Security (MCAS)
  • Records Management (retention and disposal)
  • Overview of Advanced eDiscovery (AeD)
  • Reports and Analytics available in of Advanced eDiscovery (AeD)
  • Insider Risk Management
  • Privacy Management

It is presumed that you have a pre-existing of understanding of what Microsoft E5 Compliance does and how to navigate the User Interface (UI).

It is also presumed you are using an existing Information Types (SIT) or a Exact Data Match (EDM) you have created for your testing.


If you wish to set up and test any of the other aspects of Microsoft E5 Compliance, please refer to Part 1 of this blog series (listed in the link below) for the latest entries to this blog.  That webpage will be updated with any new walk throughs or Compliance relevant information, as time allows.

Microsoft Compliance - Paint By Numbers Series (Part 1) - Sensitive Information Types - Microsoft Te...

Use Case

We will prevent a user on a Windows 10 or Windows 11 device from being able to

  • copying to a clipboard
  • printing
  • copying to a USB device.

The data we will be blocking will be our “HR Data” SIT created in part 1a of this series.  This is blocking is done to prevent accidental leakage of data or purposeful removal or theft of company data.


Overview of Document

  1. Create an Endpoint policy with a Sensitivity Label to block Copy to Clipboard, Copy to USB, Print.
  2. Test Copying to clipboard
  3. Test Printing
  4. Test Copying to USB






  • DLP and Clipboard – Endpoint DLP will allow you to copy data from one file to another if you are in the same program (example – from one Word file to another Word file).  It will NOT allow you to copy data from one file to another if that second file is in a different program (example – from a Word file to a Text File).
  • DLP and USB – For testing, the Windows 10/11 device must be a physical device, not a virtual machine (VM).  This is because some VM’s allow for USB devices treat USB devices as physical devices.  Other VMs treat USB devices as Network shares.  Performing DLP against both USB and Network shares is possible, but we will not be testing DLP against Networks shares in this part of the blog.


  • Verify that you have performed Part 1 of this blog series (creating a Sensitive Information Type).  If you have not done that part of the blog, you will need to populate your test environment with test data for the steps to follow.
  • Verify that your endpoint Devices is on-boarded.  If you are not sure how to do this, look at the next section.


Verify Device is On-boarded

Verify that your Endpoint Device has been onboarded

  1. Go onboard devices via Security,
    1. Method #1: Go to -> Endpoints -> Device inventory



b. Method #2: Go to -> Settings -> Device onboarding -> Devices




  1. You should then see a list of your on-boarded devices, similar to the example below.


Creating and testing Endpoint DLP policies


Create Endpoint DLP policy


  1. On the left-hand navigation field, select Data Loss Prevention.



  1. In the right-hand pane, select Policies and Create Policy



  1. First you need to Choose the information to Protect.  Select Custom –> Custom Policy and then click Next.




  1. Name your Policy and give it a description.  Then click Next.
    1. Example = Name – Endpoint DLP (Label)
    2. Example = Description – USB, Print,




  1. Chose the Locations to apply the policy.  For this DLP policy, we will deselect everything Exchange for the Devices.
    1. Under Included, leave the All as the default.
    2. Under Excluded, leave the None as the default.
    3. Click Next.




  1. Define DLP rules settings
    1. Click Create or Customize advanced DLP rules and click Next.
    2. Now click Create Rule.




c. In the Customize advanced DLP rules, click Create Rule




d. Name your Rule and give it a description.

i. Example = Name – Endpoint DLP (Label) Rule

ii. Example = Description – Endpoint DLP (Label) Rule








e. Under Conditions, click Add Condition and select Add -> Sensitivity labels and select your Label.  I am selecting the Sensitivity Label “Default” that I created in part 2c of this blog series.





f. On the right-hand side you will see a drop down.  Leave this at the default of Any of these.




g. Do NOT add a second Condition for this test, but you can add multiple Conditions for your own testing later-on.




h. Do not added an Exception.  Again, you can do this for your own testing at a later time.




i. Under Actions, select Add an Action -> Audit or restrict activities on devices.




j. Change all activities from Audit to Block.  We will only be testing Copy to Clipboard, Copy to USB removable media, and Print.  However, this will allow you to a) be sure that those 3 scenarios are blocked along with everything else, and b) it will allow you to test other Endpoint DLP options on your own later-on.




k. Now go to User Notifications.  Here you will set up the alerts to be sent to your administrator or compliance officer. 


i. Select On


ii. Select Customize the notification.  This will alert the users that they have violated the DLP policy.  If desired, create a custom title and content.





l. Leave the rest of the options in the Rules pane with their defaults.  We will not need them for the next parts of our testing.  Click Save and then click Next.


  1. Now we arrive at the step to configure Test or turn on the policy.  Let us enable Turn it on right away, and then click Next.




  1. Review your policy and create it.  You will see a summary of what you have created.  If everything looks correct, click Submit.




  1. Click Done


  1. In the Policies, click the 3 vertical dots next to your new policy.





  1. Select Move to top.  This will place the policy in the 0 slot, which will give it priority over all DLP policies.  From a testing perspective, this will force this policy to take effect before any other policies you might have created previously.




  1. Now wait between 15 minutes and 24 hours for your policy to be synchronized to your Endpoint Device.  This can take up to 7 days depending on how your tenant replication is configured on the backend.  You are now done with creating your Endpoint DLP SIT policy and are ready to move to the testing phase.

Test Copying data to clipboard


  1. Open File Explore and navigate to a file with a label on it (“Default” in my case). with SIT data.



  1. Click Dismiss.  You are now done with this part of the test.


Test Printing data


  1. Open File Explore and navigate to a file with a label on it (“Default” in my case).




a. I will be using a file called “Default Label.docx”.




  1. Open the file and select Print to PDF


  1. You should see a pop-up message indicating that file is blocked from printing.




  1. Click Dismiss.  You are now done with this part of the test.

Test Copying data to USB


  1. Open File Explore and navigate to a file with a label on it (“Default” in my case).




a. I will be using a file called “Default Label.docx”.






  1. Click on the file and click Copy.


  1. Paste into a USB device.


  1. You should see a pop-up message indicating that file is blocked from printing.





  1. Click Dismiss.  You are now done with this part of the test.


Appendix and Links






1 Comment
Version history
Last update:
‎Nov 03 2022 10:08 AM
Updated by: