Use Endpoint DLP to block uploads


Hello,

I am trying to block files from being uploaded to specific domains using Endpoint DLP. I have added several domains to the Service Domain section of DLP and set it to Block. I have also added a Service Domain Group with those same domains (not sure if this is required in this case). Then I have created a DLP policy scoped to Devices only. The rule conditions in the policy are set to any file over 1 byte in size should be blocked from upload to those service domains. I have also added the Service Domain Groups to this policy and set it to block. I turn on the policy and it is applied to the appropriate endpoints, but when I test, the only files blocked from being uploaded to those domains are files tagged with a sensitivity label. Can this DLP policy apply to all files instead of just labelled ones? We just want to block upload to specific domains outright. Any help is appreciated!

10 Replies

Hi @PenTestPatrick,

here are steps to configure Endpoint DLP to block all file uploads to specific domains, not just those with a sensitivity label:

  1. Service Domains:
    Ensure you've added the domains to the Service Domain section and set them to Block. Adding them to a Service Domain Group is optional.

  2. DLP Policy:
    Create a DLP policy scoped to Devices. In the rule conditions, set it to block any file over 1 byte in size.

  3. File Types/Extensions:
    Although DLP typically focuses on sensitive information, you can set the policy to block uploads based on file types and/or extensions. This allows you to block all files, not just those with a sensitivity label.

  4. Apply Policy:
    Activate the policy and confirm it's applied to the relevant endpoints.

If the policy isn't blocking all file uploads, check the specific applications or browsers used for upload.

Endpoint DLP enables restrictions on user activities per application, including browser and domain restrictions.

Configure endpoint DLP settings | Microsoft Learn
Blocking file uploads to all sites, unless safelisted - Microsoft Community Hub
Re: Can I block upload of data based on DLP Policy and/or Sensitivity Label? - Microsoft Community H...


Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.


If the post was useful in other ways, please consider giving it Like.


Kindest regards,


Leon Pavesic
(LinkedIn)
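The same device-scoped policy and rule expressed in Security & Compliance PowerShell, as an added example that is not from the thread or from Microsoft's own documentation. It assumes the restricted service domains have already been added under Endpoint DLP settings and set to Block in the Purview portal, and the policy and rule names are placeholders:

```powershell
# Added example (not from the thread): create the Devices-only policy from the
# steps above with Security & Compliance PowerShell. Assumes the restricted
# service domains were already added and set to Block under Endpoint DLP
# settings in the Purview portal; policy and rule names are placeholders.
Connect-IPPSSession

$policyName = 'Block uploads to restricted domains'   # placeholder name
$ruleName   = 'Any file over 1 byte'                  # placeholder name

# Scope the policy to Devices only and start in test mode with notifications,
# so matches can be checked in Activity explorer before anything is blocked.
New-DlpCompliancePolicy -Name $policyName `
    -EndpointDlpLocation All `
    -Mode TestWithNotifications

# The rule's only condition is a document size over 1 byte (unqualified value
# = bytes). There is deliberately no sensitivity label or sensitive info type
# condition, so unlabelled files also match. The CloudEgress restriction set
# to Block is what applies to uploads to the restricted service domains.
New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -DocumentSizeOver 1 `
    -EndpointDlpRestrictions @(@{ Setting = 'CloudEgress'; Value = 'Block' })

# Verify the rule as stored: the size condition should be present and the
# sensitive-information condition empty, otherwise only labelled or
# classified files will ever match.
Get-DlpComplianceRule -Policy $policyName |
    Format-List Name, DocumentSizeOver, ContentContainsSensitiveInformation,
                EndpointDlpRestrictions

# Once Activity explorer shows the expected matches, switch to enforcement.
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Leaving the policy in test mode first gives a clean record in Activity explorer of which files matched and which did not, which is the evidence a support case like the one in this thread needs.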

@LeonPavesic

Hi Leon,

I appreciate you taking the time to respond. I have followed those steps you have outlined and I am still able to upload files that are not labelled as sensitive. I've attached some screenshots of the policy.

Rule configuration: [screenshot PenTestPatrick_0-1702927065823.png]

Restricted actions: [screenshot PenTestPatrick_1-1702927664600.png]

Service domains: [screenshot PenTestPatrick_2-1702927728915.png]

We are using MS Edge to test, and labelled files are blocked from upload with the appropriate DLP message, but I can still attach files that are not labelled even if they are one of the extensions listed. Do you have any ideas on this?

Thanks

Hi @PenTestPatrick,

thanks for your update.

Here are some recommended steps to address potential issues:

1. Confirm the Health of Your Endpoint DLP Setup:

  • For Windows devices, make sure you're using the correct Windows version, have Real-Time Protection (RTP) and Behavior Monitoring (BM) enabled, and are using the Microsoft Edge browser.

2. Verify Policy Synchronization:

  • Check that the device's configuration status is "Updated" in the Device Onboarding page.
  • Utilize the MDE Client Analyzer tool on Windows machines for troubleshooting. Execute the command "MDEClientAnalyzer.cmd -t" in an elevated command line, reproduce the issue, stop trace collection, and share the generated ZIP file with the support team for further assistance.

3. Confirm Policy Application to Files:

  • Download the MDE Client Analyzer tool.
  • Run the command "MDEClientAnalyzer.cmd -t" in an elevated command line, reproduce the issue, stop trace collection, and share the ZIP file with the support team for further analysis.

4. Addressing Policy Discrepancies:

  • Validate the installed Office version for compliance.
  • Check if the file location may not be covered by Endpoint DLP, such as being on removable media or a network share.
  • Understand that policies follow the most restrictive enforcement; when a file matches multiple DLP policies, the most stringent rule takes precedence.

Common questions on Microsoft Purview Data Loss Prevention for endpoints - Microsoft Community Hub


Kindest regards,


Leon Pavesic
(LinkedIn)

@PenTestPatrick -- did you ever get a resolution on this? We are experiencing something very similar.

@Luke_Michael_Fisher We have not yet resolved this issue. Going back and forth with MS support for several weeks now with different implementations of the DLP rule. Per Microsoft's recommendation, our current rules are as follows: 

[screenshot PenTestPatrick_0-1706118242140.png]

We are experiencing inconsistent DLP blocking when uploading to our specified domains. Sometimes it blocks upload, sometimes it allows it, even for the same file. We're hoping to get some clarification from MS on this. Are you having any success?

We are also working with Microsoft (who actually linked us to this post) but so far no concrete answers. We have tested a number of configurations on our own (including the one you show above). Inconsistent blocking. Hoping for resolution soon. I'll keep an eye on this post and be sure to share anything I learn here too. Thanks!

Any resolution? Also having the same issue.

@PenTestPatrick

Purview Endpoint DLP can only block sensitive data (the ones with Sensitivity labels).

I'd use Defender for Cloud Apps instead and use the File Policy DLP config:

The policy below shows [Any File] being [Sent to any external users] to any [X domain].

[screenshot vicwingsing_0-1709648431390.png]

Has anyone gotten this to work as expected? Having the same issues.

I'm waiting for news about this case. I want to implement this in my environment.