Get started with Endpoint data loss prevention (preview)

Microsoft Endpoint data loss prevention (Endpoint DLP) is part of the Microsoft 365 data loss prevention (DLP) suite of features you can use to discover and protect sensitive items across Microsoft 365 services. For more information about all of Microsoft's DLP offerings, see Overview of data loss prevention. To learn more about Endpoint DLP, see Learn about Endpoint data loss prevention (preview).

Microsoft Endpoint DLP allows you to monitor Windows 10 devices and detect when sensitive items are used and shared. This gives you the visibility and control you need to ensure that they are used and protected properly, and to help prevent risky behavior that might compromise them.

Before you begin

SKU/subscriptions licensing

Before you get started with Endpoint DLP, you should confirm your Microsoft 365 subscription and any add-ons. To access and use Endpoint DLP functionality, you must have one of these subscriptions or add-ons.

  • Microsoft 365 E5
  • Microsoft 365 A5 (EDU)
  • Microsoft 365 E5 compliance
  • Microsoft 365 A5 compliance
  • Microsoft 365 E5 information protection and governance
  • Microsoft 365 A5 information protection and governance

Permissions

To enable device management, the account you use must be a member of any one of these roles:

  • Global admin
  • Security admin
  • Compliance admin

If you want to use a custom account to view the device management settings, it must be in one of these roles:

  • Global admin
  • Compliance admin
  • Compliance data admin
  • Global reader

If you want to use a custom account to access the onboarding/offboarding page, it must be in one of these roles:

  • Global admin
  • Compliance admin

If you want to use a custom account to turn on/off device monitoring, it must be in one of these roles:

  • Global admin
  • Compliance admin

Data from Endpoint DLP can be viewed in Activity explorer. Four roles grant permission to Activity explorer; the account you use to access the data must be a member of any one of them.

  • Global admin
  • Compliance admin
  • Security admin
  • Compliance data admin

Prepare your endpoints

Make sure that the Windows 10 devices you plan to deploy Endpoint DLP to meet these requirements.

  1. Must be running Windows 10 x64 build 1809 or later.

  2. Antimalware Client Version is 4.18.2009.7 or newer. Check your current version by opening the Windows Security app, selecting the Settings icon, and then selecting About. The version number is listed under Antimalware Client Version. Update to the latest Antimalware Client Version by installing Windows Update KB4052623. Note: None of the Windows Security components need to be active; you can run Endpoint DLP independent of Windows Security status.

  3. The following Windows Updates are installed. Note: These updates are not a prerequisite for onboarding a device to Endpoint DLP, but they contain fixes for important issues and so must be installed before using the product.

    • For Windows 10 1809 - KB4559003, KB4577069, KB4580390
    • For Windows 10 1903 or 1909 - KB4559004, KB4577062, KB4580386
    • For Windows 10 2004 - KB4568831, KB4577063
    • For devices running Office 2016 (and not any other Office version) - KB4577063

  4. All devices must be Azure Active Directory (Azure AD) joined, or Hybrid Azure AD joined.

  5. Install the Chromium-based Microsoft Edge browser on the endpoint device to enforce policy actions for the upload-to-cloud activity. See Download the new Microsoft Edge based on Chromium.
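The prerequisite list above is easy to get wrong across a fleet, so the following script, an added example rather than anything shipped with Endpoint DLP or the Microsoft docs, checks each item on one device and prints a PASS/FAIL line per requirement. It assumes an elevated PowerShell session on Windows 10, uses Get-MpComputerStatus for the Antimalware Client Version, Get-HotFix for the KB list, and dsregcmd for the Azure AD join state; the Office 2016 KB is not checked because the script does not detect Office.

```powershell
# Added example (not from the Microsoft docs page): checks the Endpoint DLP
# prerequisites listed under "Prepare your endpoints" on one Windows 10 device.
# Run in an elevated PowerShell session. Edit $requiredKBs if Microsoft's list changes.
$minAmVersion = [version]'4.18.2009.7'
$requiredKBs = @{
    '1809' = 'KB4559003','KB4577069','KB4580390'
    '1903' = 'KB4559004','KB4577062','KB4580386'
    '1909' = 'KB4559004','KB4577062','KB4580386'
    '2004' = 'KB4568831','KB4577063'
}
$results = [ordered]@{}

# 1. Windows 10 x64, build 1809 (build number 17763) or later
$os = Get-CimInstance Win32_OperatingSystem
$releaseId = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
$results['Windows 10 x64 build 1809 or later'] =
    ($os.Version -like '10.*' -and [int]$os.BuildNumber -ge 17763 -and [Environment]::Is64BitOperatingSystem)

# 2. Antimalware Client Version (AMProductVersion). Get-MpComputerStatus works
#    even when real-time protection is off; the page says it need not be active.
$am = (Get-MpComputerStatus).AMProductVersion
$results["Antimalware Client Version $am >= $minAmVersion"] = ([version]$am -ge $minAmVersion)

# 3. Fix-carrying updates for this release (not needed to onboard, required before use)
$installed = (Get-HotFix).HotFixID
if ($releaseId -and $requiredKBs.ContainsKey($releaseId)) {
    foreach ($kb in $requiredKBs[$releaseId]) {
        $results["$kb installed (release $releaseId)"] = ($installed -contains $kb)
    }
} else {
    $results["Release '$releaseId' has no KB list on this page; check manually"] = $false
}

# 4. Azure AD joined or Hybrid Azure AD joined: both states report AzureAdJoined : YES
$dsreg = dsregcmd /status
$results['Azure AD joined or Hybrid Azure AD joined'] =
    [bool]($dsreg | Select-String -Pattern 'AzureAdJoined\s*:\s*YES')

# 5. Chromium-based Edge present (needed to enforce upload-to-cloud policy actions)
$edge = Join-Path ${env:ProgramFiles(x86)} 'Microsoft\Edge\Application\msedge.exe'
$results['Microsoft Edge (Chromium) installed'] = (Test-Path $edge)

foreach ($entry in $results.GetEnumerator()) {
    $state = if ($entry.Value) { 'PASS' } else { 'FAIL' }
    '{0,-5} {1}' -f $state, $entry.Key
}
```

Any FAIL line maps directly to one numbered requirement above; a device can still be onboarded with the KB checks failing, but should not be used for policy enforcement until they pass.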

Onboarding devices into device management

You must enable device monitoring and onboard your endpoints before you can monitor and protect sensitive items on a device. Both of these actions are done in the Microsoft 365 Compliance portal.

When you want to onboard devices that haven't been onboarded yet, you'll download the appropriate script and deploy it to those devices. Follow the Onboarding devices procedure.

If you already have devices onboarded into Microsoft Defender for Endpoint, they will already appear in the managed devices list. Follow the [With devices onboarded into Microsoft Defender for Endpoint procedure](endpoint-dlp-getting-started.md#with-devices-onboarded-into-microsoft-defender-for-endpoint).

Onboarding devices

In this deployment scenario, you'll onboard devices that have not been onboarded yet, and you just want to monitor and protect sensitive items from unintentional sharing on Windows 10 devices.

  1. Open the Microsoft compliance center.

  2. Open the Compliance Center settings page and choose Onboard devices.

    [Screenshot: Enable device management]

    Note

    While it usually takes about 60 seconds for device onboarding to be enabled, please allow up to 30 minutes before engaging with Microsoft support.

  3. Choose Device management to open the Devices list. The list will be empty until you onboard devices.

  4. Choose Onboarding to begin the onboarding process.

  5. Choose the way you want to deploy to these additional devices from the Deployment method list and then choose Download package.

    [Screenshot: Deployment method]

  6. Follow the appropriate procedures in Onboarding tools and methods for Windows 10 machines. This link takes you to a landing page where you can access the Microsoft Defender for Endpoint procedures that match the deployment package you selected in step 5:

    • Onboard Windows 10 machines using Group Policy
    • Onboard Windows machines using Microsoft Endpoint Configuration Manager
    • Onboard Windows 10 machines using Mobile Device Management tools
    • Onboard Windows 10 machines using a local script
    • Onboard non-persistent virtual desktop infrastructure (VDI) machines.

Once the endpoint is onboarded, it should be visible in the devices list and start reporting audit activity logs to Activity explorer.

Note

This experience is under license enforcement. Without the required license, data will not be visible or accessible.

With devices onboarded into Microsoft Defender for Endpoint

In this scenario, Microsoft Defender for Endpoint is already deployed and there are endpoints reporting in. All these endpoints will appear in the managed devices list. You can continue to onboard new devices into Endpoint DLP to expand coverage by using the Onboarding devices procedure.

  1. Open the Microsoft compliance center.

  2. Open the Compliance Center settings page and choose Enable device monitoring.

  3. Choose Device management to open the Devices list. You should see the list of devices that are already reporting in to Microsoft Defender for Endpoint.

    [Screenshot: Device management]

  4. Choose Onboarding if you need to onboard additional devices.

  5. Choose the way you want to deploy to these additional devices from the Deployment method list and then Download package.

  6. Follow the appropriate procedures in Onboarding tools and methods for Windows 10 machines. This link takes you to a landing page where you can access the Microsoft Defender for Endpoint procedures that match the deployment package you selected in step 5:

    • Onboard Windows 10 machines using Group Policy
    • Onboard Windows machines using Microsoft Endpoint Configuration Manager
    • Onboard Windows 10 machines using Mobile Device Management tools
    • Onboard Windows 10 machines using a local script
    • Onboard non-persistent virtual desktop infrastructure (VDI) machines.

Once the endpoint is onboarded, it should be visible in the Devices table and start reporting audit logs to Activity explorer.

Note

This experience is under license enforcement. Without the required license, data will not be visible or accessible.

Viewing Endpoint DLP data in activity explorer

  1. Open the Data classification page for your domain in the Microsoft 365 Compliance center and choose Activity explorer.

  2. Refer to the procedures in Get started with Activity explorer to access and filter all the data for your Endpoint devices.

    [Screenshot: Activity explorer filter for endpoint devices]

Next steps

Now that you have onboarded devices and can view the activity data in Activity explorer, you are ready to move on to your next step where you create DLP policies that protect your sensitive items.

See also