Learn about Microsoft 365 Endpoint data loss prevention
You can use Microsoft 365 data loss prevention (DLP) to monitor the actions that are being taken on items you've determined to be sensitive and to help prevent the unintentional sharing of those items. For more information on DLP, see Overview of data loss prevention.
Endpoint data loss prevention (Endpoint DLP) extends the activity monitoring and protection capabilities of DLP to sensitive items that are on Windows 10 devices. Once devices are onboarded into the Microsoft 365 compliance solutions, the information about what users are doing with sensitive items is made visible in activity explorer and you can enforce protective actions on those items via DLP policies.
Endpoint activities you can monitor and take action on
Microsoft Endpoint DLP enables you to audit and manage the following types of activities users take on sensitive items on devices running Windows 10. This includes:
| Activity on item | Auditable / restrictable |
| --- | --- |
| Copied to or created on removable media | Auditable and restrictable |
| Copied to a network share, e.g. \\my-server\fileshare | Auditable and restrictable |
| Printed | Auditable and restrictable |
| Copied to cloud via Chromium Edge | Auditable and restrictable |
| Accessed by unallowed apps and browsers | Auditable and restrictable |
What's different in Endpoint DLP
There are a few extra concepts that you need to be aware of before you dig into Endpoint DLP.
Enabling Device management
Device management is the functionality that enables the collection of telemetry from devices and brings it into Microsoft 365 compliance solutions like Endpoint DLP and Insider Risk Management. You'll need to onboard every device you want to use as a location in DLP policies.
Onboarding and offboarding are handled via scripts you download from the Device management center. The center has custom scripts for each of these deployment methods:
- local script (up to 10 machines)
- Group policy
- System Center Configuration Manager (version 1610 or later)
- Mobile Device Management/Microsoft Intune
- VDI onboarding scripts for non-persistent machines
Use the procedures in Getting started with Microsoft 365 Endpoint DLP to onboard devices.
If you have onboarded devices through Microsoft Defender for Endpoint, those devices will automatically show up in the list of devices.
Viewing Endpoint DLP data
Endpoint DLP monitors activity based on MIME type, so activities are captured even if the file extension is changed. At public preview it watches all of the following file types:
- Word files
- PowerPoint files
- Excel files
- PDF files
- .csv files
- .tsv files
- .txt files
- .rtf files
- .c files
- .class files
- .cpp files
- .cs files
- .h files
- .java files
Endpoint DLP evaluates files of all the above types against the DLP policy and applies protection actions accordingly. All files that match a DLP policy are audited for all supported actions, even if they aren't blocked. In addition, file activity performed on any Word, PowerPoint, Excel, PDF, and .csv file is audited by default, independent of whether a DLP policy exists or matches these files.
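To make the "MIME type, not extension" point concrete, here is an added example (this is the editor's illustration, not Microsoft code and not how the Endpoint DLP agent is implemented) that classifies a file from its leading bytes and reports the extension, the sniffed type and the SHA-1/SHA-256 values alongside each other. The type labels, the byte signatures and the constructed sample document are assumptions for illustration; the point is that a `.docx` renamed to `.txt` is still identified as a Word document from its content.

```python
"""Content-based file type identification, in the spirit of Endpoint DLP's
MIME-type monitoring: the verdict comes from the bytes, not the file name.

Added example, not Microsoft code. Type labels and the signature set below are
the author's assumptions and cover only the families the page lists."""
import hashlib
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt container


def sniff_type(data: bytes) -> str:
    """Return a coarse type label derived only from the content of `data`."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if data.startswith(b"{\\rtf"):
        return "rtf"
    if data.startswith(OLE2_MAGIC):
        return "office-legacy"
    if data.startswith(b"PK\x03\x04"):
        # OOXML (docx/xlsx/pptx) is a zip that carries [Content_Types].xml
        # plus a word/, xl/ or ppt/ part tree. Anything else is a plain zip.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = set(zf.namelist())
        except zipfile.BadZipFile:
            return "zip-damaged"
        if "[Content_Types].xml" in names:
            for prefix, label in (("word/", "docx"), ("xl/", "xlsx"), ("ppt/", "pptx")):
                if any(n.startswith(prefix) for n in names):
                    return label
        return "zip"
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text"  # covers .txt/.csv/.tsv and source files such as .c/.java


def describe(file_name: str, data: bytes) -> dict:
    """Build a record with the attributes the page lists for an audited file.
    Note that file_extension comes from the name while sniffed_type does not."""
    ext = file_name.rsplit(".", 1)[-1].lower() if "." in file_name else ""
    return {
        "file_name": file_name,
        "file_extension": ext,
        "sniffed_type": sniff_type(data),
        "file_size": len(data),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def make_sample_docx() -> bytes:
    """Constructed minimal OOXML-shaped document (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>SSN 123-45-6789</w:document>")
    return buf.getvalue()


if __name__ == "__main__":
    doc = make_sample_docx()
    # Same bytes under two names: the extension changes, the sniffed type does not.
    for name in ("q3-payroll.docx", "q3-payroll.txt"):
        rec = describe(name, doc)
        print(f"{rec['file_name']:18} ext={rec['file_extension']:5} "
              f"type={rec['sniffed_type']:8} sha256={rec['sha256'][:16]}...")
```

Because the hashes are computed over content, the two records above share the same sha1 and sha256 values, which is also how you would tie an Activity explorer event back to a specific file regardless of what it was renamed to. The classifier says nothing about types outside the page's list: an ordinary archive is reported as `zip`, which is not a monitored type.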
You can view alerts related to DLP policies enforced on endpoint devices by going to the DLP Alerts Management Dashboard.
You can also view details of the associated event, with rich metadata, in the same dashboard.
Once a device is onboarded, information about audited activities flows into Activity explorer even before you configure and deploy any DLP policies that have devices as a location.
Endpoint DLP collects extensive information on audited activity.
For example, if a file is copied to removable USB media, you'd see these attributes in the activity details:
- activity type
- client IP
- target file path
- happened timestamp
- file name
- file extension
- file size
- sensitive information type (if applicable)
- sha1 value
- sha256 value
- previous file name
- source location type
- device name
- destination location type
- application that performed the copy
- Microsoft Defender for Endpoint device ID (if applicable)
- removable media device manufacturer
- removable media device model
- removable media device serial number
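The attribute list above is what makes endpoint events useful for triage. As an added example (the editor's illustration, not Microsoft code), the block below runs a few checks over a handful of constructed removable-media and print events: it separates copies of sensitive content to removable media, uses the previous file name to spot a rename that changed the extension before the copy, uses the copying application to flag copies not done through Explorer, and maps each removable media serial number to the endpoints it was plugged into. The event records, their snake_case keys (derived from the attribute names the page lists) and the "non-Explorer copy" heuristic are assumptions; the real Activity explorer export schema is not assumed here.

```python
"""Triage over Endpoint DLP activity records.

Added example, not Microsoft code. The events below are constructed for
illustration; keys are snake_case forms of the attribute names the page lists,
and the real Activity explorer export schema is not assumed."""
import os
from collections import defaultdict

# Constructed sample events (not real telemetry).
EVENTS = [
    {
        "activity_type": "FileCopiedToRemovableMedia",
        "file_name": "q3-payroll.txt",
        "previous_file_name": "q3-payroll.xlsx",
        "sensitive_information_type": "U.S. Social Security Number (SSN)",
        "destination_location_type": "RemovableMedia",
        "device_name": "LAPTOP-01",
        "application": "explorer.exe",
        "removable_media_serial": "0A1B2C",
    },
    {
        "activity_type": "FileCopiedToRemovableMedia",
        "file_name": "readme.txt",
        "previous_file_name": "readme.txt",
        "sensitive_information_type": None,
        "destination_location_type": "RemovableMedia",
        "device_name": "LAPTOP-01",
        "application": "explorer.exe",
        "removable_media_serial": "0A1B2C",
    },
    {
        "activity_type": "FilePrinted",
        "file_name": "contract.pdf",
        "previous_file_name": "contract.pdf",
        "sensitive_information_type": "Credit Card Number",
        "destination_location_type": "Printer",
        "device_name": "DESKTOP-07",
        "application": "AcroRd32.exe",
        "removable_media_serial": None,
    },
    {
        "activity_type": "FileCopiedToRemovableMedia",
        "file_name": "export.csv",
        "previous_file_name": "export.csv",
        "sensitive_information_type": "Credit Card Number",
        "destination_location_type": "RemovableMedia",
        "device_name": "DESKTOP-07",
        "application": "powershell.exe",
        "removable_media_serial": "0A1B2C",
    },
]


def extension_changed(event):
    """True when the file carried a different extension before the activity
    (previous_file_name vs file_name), a common attempt to dodge extension rules."""
    _, old = os.path.splitext(event["previous_file_name"])
    _, new = os.path.splitext(event["file_name"])
    return old.lower() != new.lower()


def sensitive_removable_copies(events):
    """Copies to removable media whose content matched a sensitive info type."""
    return [
        e for e in events
        if e["destination_location_type"] == "RemovableMedia"
        and e["sensitive_information_type"]
    ]


def devices_per_media_serial(events):
    """Map each removable media serial number to the endpoints it was used on,
    so one stick travelling between machines stands out."""
    seen = defaultdict(set)
    for e in events:
        if e["removable_media_serial"]:
            seen[e["removable_media_serial"]].add(e["device_name"])
    return dict(seen)


def triage(events):
    """Return (file_name, device_name, reasons) for events worth a closer look."""
    findings = []
    for e in sensitive_removable_copies(events):
        reasons = ["sensitive content to removable media"]
        if extension_changed(e):
            reasons.append(f"renamed from {e['previous_file_name']}")
        # Assumed heuristic: copies not made through Explorer deserve a look.
        if e["application"].lower() != "explorer.exe":
            reasons.append(f"copied by {e['application']}")
        findings.append((e["file_name"], e["device_name"], reasons))
    return findings


if __name__ == "__main__":
    for name, device, reasons in triage(EVENTS):
        print(f"{device}: {name}: {'; '.join(reasons)}")
    print(devices_per_media_serial(EVENTS))
```

The same serial number appearing on two endpoints is the kind of pattern that is invisible from a single device's event but obvious once the records from all onboarded devices sit in one place, which is the reason the manufacturer, model and serial fields are worth keeping in the record.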
Now that you've learned about Endpoint DLP, your next steps are:
- Getting started with Microsoft Endpoint data loss prevention
- Using Microsoft Endpoint data loss prevention