Learn about Microsoft 365 Endpoint data loss prevention

You can use Microsoft 365 data loss prevention (DLP) to monitor the actions that are being taken on items you've determined to be sensitive and to help prevent the unintentional sharing of those items. For more information on DLP, see Overview of data loss prevention.

Endpoint data loss prevention (Endpoint DLP) extends the activity monitoring and protection capabilities of DLP to sensitive items that are on Windows 10 devices. Once devices are onboarded into the Microsoft 365 compliance solutions, the information about what users are doing with sensitive items is made visible in activity explorer and you can enforce protective actions on those items via DLP policies.

Endpoint activities you can monitor and take action on

Microsoft Endpoint DLP enables you to audit and manage the following types of activities users take on sensitive items on devices running Windows 10. This includes:

activity on item auditable/restrictable
created auditable
renamed auditable
copied to or created on removable media auditable and restrictable
copied to network share, e.g. \my-server\fileshare auditable and restrictable
printed auditable and restrictable
copied to cloud via Chromium Edge auditable and restrictable
accessed by unallowed apps and browsers auditable and restrictable

What's different in Endpoint DLP

There are a few extra concepts that you need to be aware of before you dig into Endpoint DLP.

Enabling Device management

Device management is the functionality that enables the collection of telemetry from devices and brings it into Microsoft 365 compliance solutions like Endpoint DLP and Insider Risk management. You'll need to onboard all devices you want to use as locations in DLP policies.

enable device management

Onboarding and offboarding are handled via scripts you download from the Device management center. The center has custom scripts for each of these deployment methods:

  • local script (up to 10 machines)
  • Group policy
  • System Center Configuration Manager (version 1610 or later)
  • Mobile Device Management/Microsoft Intune
  • VDI onboarding scripts for non-persistent machines

device onboarding page

Use the procedures in Getting started with Microsoft 365 Endpoint DLP to onboard devices.

If you have onboarded devices through Microsoft Defender for Endpoint, those devices will automatically show up in the list of devices.

managed devices list

Viewing Endpoint DLP data

Endpoint DLP monitors activity-based on MIME type, so activities will be captured even if the file extension is changed. At public preview it watches all:

  • Word files
  • PowerPoint files
  • Excel files
  • PDF files
  • .csv files
  • .tsv files
  • .txt files
  • .rtf files
  • .c files
  • .class files
  • .cpp files
  • .cs files
  • .h files
  • .java files


Endpoint DLP evaluates files of all the above types against the DLP policy and applies protection actions accordingly. All files that match a DLP policy are audited for all supported actions, even if they aren't blocked. In addition, file activity performed on any Word, PowerPoint, Excel, PDF, and .csv file is audited by default, independent of whether a DLP policy exists or matches these files.

You can view alerts related to DLP policies enforced on endpoint devices by going to the DLP Alerts Management Dashboard.

Alert info

You can also view details of the associated event with rich metadata in the same dashboard

event info

Once a device is onboarded, information about audited activities flows into Activity explorer even before you configure and deploy any DLP policies that have devices as a location.

endpoint dlp events in activity explorer

Endpoint DLP collects extensive information on audited activity.

For example, if a file is copied to removable USB media, you'd see these attributes in the activity details:

  • activity type
  • client IP
  • target file path
  • happened timestamp
  • file name
  • user
  • file extension
  • file size
  • sensitive information type (if applicable)
  • sha1 value
  • sha256 value
  • previous file name
  • location
  • parent
  • filepath
  • source location type
  • platform
  • device name
  • destination location type
  • application that performed the copy
  • Microsoft Defender for Endpoint device ID (if applicable)
  • removable media device manufacturer
  • removable media device model
  • removable media device serial number

copy to usb activity attributes

Next steps

Now that you've learned about Endpoint DLP, your next steps are:

  1. Getting started with Microsoft Endpoint data loss prevention
  2. Using Microsoft Endpoint data loss prevention

See also