Using Endpoint data loss prevention

Note

Microsoft 365 compliance is now called Microsoft Purview and the solutions within the compliance area have been rebranded. For more information about Microsoft Purview, see the blog announcement.

To help familiarize you with Endpoint DLP features and how they surface in DLP policies, we've put together some scenarios for you to follow.

Important

These Endpoint DLP scenarios are not the official procedures for creating and tuning DLP policies. Refer to the below topics when you need to work with DLP policies in general situations:

Scenario 1: Create a policy from a template, audit only

These scenarios require that you already have devices onboarded and reporting into Activity explorer. If you haven't onboarded devices yet, see Get started with Endpoint data loss prevention.

  1. Open the Data loss prevention page.

  2. Choose Create policy.

  3. For this scenario, choose Privacy, then U.S. Personally Identifiable Information (PII) Data and choose Next.

  4. Toggle the Status field to off for all locations except Devices. Choose Next.

  5. Accept the default Review and customize settings from the template selection and choose Next.

  6. Accept the default Protection actions values and choose Next.

  7. Select Audit or restrict activities on Windows devices and leave the actions set to Audit only. Choose Next.

  8. Accept the default I'd like to test it out first value and choose Show policy tips while in test mode. Choose Next.

  9. Review your settings and choose Submit.

  10. The new DLP policy will appear in the policy list.

  11. Check Activity explorer for data from the monitored endpoints. Set the location filter for devices and add the policy, then filter by policy name to see the impact of this policy; see Get started with activity explorer, if needed.

  12. Attempt to share a test item that contains content that will trigger the U.S. Personally Identifiable Information (PII) Data condition with someone outside your organization. This should trigger the policy.

  13. Check Activity explorer for the event.

Scenario 2: Modify the existing policy, set an alert

  1. Open the Data loss prevention page.

  2. Choose the U.S. Personally Identifiable Information (PII) Data policy that you created in scenario 1.

  3. Choose edit policy.

  4. Go to the Advanced DLP rules page and edit the Low volume of content detected U.S. Personally Identifiable Inf.

  5. Scroll down to the Incident reports section and set Send an alert to admins when a rule match occurs to On. Email alerts will be automatically sent to the administrator and anyone else you add to the list of recipients.

  6. For the purposes of this scenario, choose Send alert every time an activity matches the rule.

  7. Choose Save.

  8. Retain all your previous settings by choosing Next and then Submit the policy changes.

  9. Attempt to share a test item that contains content that will trigger the U.S. Personally Identifiable Information (PII) Data condition with someone outside your organization. This should trigger the policy.

  10. Check Activity explorer for the event.

Scenario 3: Modify the existing policy, block the action with allow override

  1. Open the Data loss prevention page.

  2. Choose the U.S. Personally Identifiable Information (PII) Data policy that you created in scenario 1.

  3. Choose edit policy.

  4. Go to the Advanced DLP rules page and edit the Low volume of content detected U.S. Personally Identifiable Inf.

  5. Scroll down to the Audit or restrict activities on Windows device section and for each activity set the corresponding action to Block with override.


  6. Choose Save.

  7. Repeat steps 4-6 for the High volume of content detected U.S. Personally Identifiable Inf. rule.

  8. Retain all your previous settings by choosing Next and then Submit the policy changes.

  9. Attempt to share a test item that contains content that will trigger the U.S. Personally Identifiable Information (PII) Data condition with someone outside your organization. This should trigger the policy.

    The client device shows a notification that the action is blocked, with an option to override the block. If the user overrides, the override is recorded in Activity explorer alongside the policy match.

  10. Check Activity explorer for the event.
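The three scenarios above, expressed as a Security & Compliance PowerShell script instead of portal clicks. This is an editor-added example, not code from the page or from Microsoft: it creates the policy scoped to Devices in test mode with policy tips (scenario 1), turns on admin alerts and incident reports for the rule (scenario 2), and then switches every endpoint activity to Block with override (scenario 3), reading the rule back at the end. Assumed: the policy and rule names, the alert recipient alerts@contoso.com, that the two built-in sensitive information types named here stand in for the U.S. PII template's detections, and that the `Warn` value of the endpoint restriction is what the portal shows as Block with override.

```powershell
# Editor-added example. Requires the ExchangeOnlineManagement module and a role
# that can manage DLP. Names, the alert recipient and the SIT thresholds are assumptions.
Connect-IPPSSession

$policyName = 'U.S. PII Data - Endpoint scenario'          # assumed name
$ruleName   = 'Low volume of content detected U.S. PII'     # assumed name

# ---- Scenario 1: Devices only, test mode with policy tips (audit only) --------
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Endpoint DLP walkthrough' `
    -EndpointDlpLocation All `
    -Mode TestWithNotifications

# Endpoint restrictions are Setting/Value pairs; values are Audit, Warn
# (block with override) and Block.
$auditAll = @(
    @{ Setting = 'CloudEgress';    Value = 'Audit' },
    @{ Setting = 'RemovableMedia'; Value = 'Audit' },
    @{ Setting = 'NetworkShare';   Value = 'Audit' },
    @{ Setting = 'Print';          Value = 'Audit' },
    @{ Setting = 'CopyPaste';      Value = 'Audit' },
    @{ Setting = 'UnallowedApps';  Value = 'Audit' }
)

# "Low volume" = 1 to 9 instances of the PII types (thresholds assumed).
$lowVolumePii = @(
    @{ Name = 'U.S. Social Security Number (SSN)';                     minCount = '1'; maxCount = '9' },
    @{ Name = 'U.S. Individual Taxpayer Identification Number (ITIN)'; minCount = '1'; maxCount = '9' }
)

New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentContainsSensitiveInformation $lowVolumePii `
    -EndpointDlpRestrictions $auditAll `
    -NotifyUser LastModifier

# ---- Scenario 2: alert an admin mailbox and attach an incident report --------
Set-DlpComplianceRule -Identity $ruleName `
    -GenerateAlert 'alerts@contoso.com' `
    -GenerateIncidentReport 'alerts@contoso.com' `
    -IncidentReportContent Title, Service, RulesMatched, Detections, Severity `
    -ReportSeverityLevel Medium

# ---- Scenario 3: Block with override for every endpoint activity ------------
$blockWithOverride = foreach ($r in $auditAll) {
    @{ Setting = $r.Setting; Value = 'Warn' }
}
Set-DlpComplianceRule -Identity $ruleName -EndpointDlpRestrictions $blockWithOverride

# Read the rule back so the change is confirmed before anyone tests on a device.
(Get-DlpComplianceRule -Identity $ruleName).EndpointDlpRestrictions

# The policy is still in test mode. Enforce it only after Activity explorer shows
# the expected matches and no noisy false positives:
#   Set-DlpCompliancePolicy -Identity $policyName -Mode Enable
```

Leave the policy in `TestWithNotifications` while you run the share test on a device; the match still lands in Activity explorer, and you can enforce with `Set-DlpCompliancePolicy -Mode Enable` once the alert volume looks right.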

Scenario 4: Avoid looping DLP notifications from cloud synchronization apps with auto-quarantine (preview)

Before you begin

In this scenario, synchronizing files with the Highly Confidential sensitivity label to OneDrive is blocked. This is a complex scenario with multiple components and procedures. You will need:

There are three procedures.

  1. Configure the Endpoint DLP Auto-quarantine settings.
  2. Create a policy that blocks sensitive items that have the Highly Confidential sensitivity label.
  3. Create a Word document on the Windows 10 device that the policy is targeted to, apply the label, and copy it to the user accounts local OneDrive folder that is being synchronized.

Configure Endpoint DLP unallowed app and Auto-quarantine settings

  1. Open Endpoint DLP settings

  2. Expand Unallowed apps.

  3. Choose Add or edit unallowed apps and add OneDrive as the display name and onedrive.exe as the executable name. This prevents onedrive.exe from accessing items that carry the Highly Confidential label once the policy created in the next procedure is in place.

  4. Select Auto-quarantine and Save.

  5. Under Auto-quarantine settings choose Edit auto-quarantine settings.

  6. Enable Auto-quarantine for unallowed apps.

  7. Enter the path to the folder on local machines where you want the original sensitive files to be moved to. For example:

    '%homedrive%%homepath%\Microsoft DLP\Quarantine' for the user name Isaiah Langer will place the moved items in a folder named:

    C:\Users\IsaiahLanger\Microsoft DLP\Quarantine\OneDrive

    and append a date and time stamp to the original file name.

    Note

    DLP Auto-quarantine will create sub-folders for the files for each unallowed app. So if you have both Notepad and OneDrive in your unallowed apps list, a sub-folder will be created for \OneDrive and another sub-folder for \Notepad.

  8. Choose Replace the files with a .txt file that contains the following text and enter the text you want in the placeholder file. For example for a file named auto quar 1.docx:

    %%FileName%% contains sensitive info that your organization is protecting with the data loss prevention (DLP) policy %%PolicyName%% and was moved to the quarantine folder: %%QuarantinePath%%

    will leave a text file that contains this message:

    auto quar 1.docx contains sensitive info that your organization is protecting with the data loss prevention (DLP) policy and was moved to the quarantine folder: C:\Users\IsaiahLanger\Microsoft DLP\Quarantine\OneDrive\auto quar 1_20210728_151541.docx.

  9. Choose Save

Configure a policy to block OneDrive synchronization of files with the sensitivity label Highly Confidential

  1. Open the Data loss prevention page.

  2. Choose Create policy.

  3. For this scenario, choose Custom, then Custom policy and choose Next.

  4. Fill in the Name and Description fields, choose Next.

  5. Toggle the Status field to off for all locations except Devices. If you have a specific end user account that you want to test this from, be sure to select it in the scope. Choose Next.

  6. Accept the default Create or customize advanced DLP rules selection and choose Next.

  7. Create a rule with these values:

    1. Name > Scenario 4 Auto-quarantine.
    2. Conditions > Content contains > Sensitivity labels > Highly Confidential.
    3. Actions > Audit or restrict activities on Windows devices > Access by unallowed apps > Block. For the purposes of this scenario, clear all the other activities.
    4. User notifications > On.
    5. Endpoint devices > Choose Show users a policy tip notification when an activity if not already enabled.
  8. Choose Save and Next.

  9. Choose Turn it on right away. Choose Next.

  10. Review your settings and choose Submit.

    Note

    Allow at least an hour for the new policy to be replicated and applied to the target Windows 10 computer.

  11. The new DLP policy will appear in the policy list.
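The first two procedures of this scenario (register the unallowed app, then create the label-based policy) as a Security & Compliance PowerShell script. This is an editor-added example, not code from the page or from Microsoft. It assumes the policy and rule names shown, and that the Highly Confidential label exists in the tenant. The Auto-quarantine path and placeholder text are also stored in the endpoint DLP global settings, but the page does not document their PowerShell shape, so this example covers only the unallowed-app entry and leaves Auto-quarantine to the portal steps above.

```powershell
# Editor-added example. Requires the ExchangeOnlineManagement module. Policy
# and rule names are assumptions; the label name is the one used in this scenario.
Connect-IPPSSession

# ---- Procedure 1: onedrive.exe as an unallowed app ----------------------------
# EndpointDlpGlobalSettings is written as a whole collection. If the tenant already
# has entries (path exclusions, other unallowed apps), list them with
#   (Get-PolicyConfig).EndpointDlpGlobalSettings
# and include them here, otherwise they are dropped.
Set-PolicyConfig -EndpointDlpGlobalSettings @(
    @{ Setting = 'UnallowedApp'; Value = 'OneDrive'; Executable = 'onedrive.exe' }
)

# ---- Procedure 2: block unallowed-app access to Highly Confidential items ----
$policyName = 'Scenario 4 Auto-quarantine'   # assumed name

# Devices only. To limit the test to one account, pass that account instead of All:
#   -EndpointDlpLocation 'isaiah.langer@contoso.com'
New-DlpCompliancePolicy -Name $policyName -EndpointDlpLocation All -Mode Enable

# Condition: the item carries the Highly Confidential sensitivity label.
$labelCondition = @{
    operator = 'And'
    groups   = @(
        @{
            name     = 'Default'
            operator = 'Or'
            labels   = @( @{ name = 'Highly Confidential'; type = 'Sensitivity' } )
        }
    )
}

# Only "Access by unallowed apps" is set; every other activity is left unconfigured,
# matching step 7.3 of the portal procedure.
New-DlpComplianceRule -Name 'Scenario 4 Auto-quarantine' -Policy $policyName `
    -ContentContainsSensitiveInformation $labelCondition `
    -EndpointDlpRestrictions @( @{ Setting = 'UnallowedApps'; Value = 'Block' } ) `
    -NotifyUser LastModifier

# Distribution to endpoints is not immediate (the note above says allow at least an
# hour). Poll the distribution status instead of guessing when to start the test.
do {
    $status = (Get-DlpCompliancePolicy -Identity $policyName -DistributionDetail).DistributionStatus
    "$(Get-Date -Format T) distribution status: $status"
    if ($status -ne 'Success') { Start-Sleep -Seconds 300 }
} while ($status -ne 'Success')
```

The polling loop is there because a test run before the policy has reached the device produces a false negative: the file syncs, nothing is quarantined, and it is easy to conclude the rule is wrong rather than not yet delivered.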

Test Auto-quarantine on the Windows 10 device

  1. Log in to the Windows 10 computer with the user account you specified in Configure a policy to block OneDrive synchronization of files with the sensitivity label Highly Confidential step 5.

  2. Create a folder whose contents will not be synchronized to OneDrive. For example:

    C:\auto-quarantine source folder

  3. Open Microsoft Word and create a file in the auto-quarantine source folder. Apply the Highly confidential sensitivity label; see Apply sensitivity labels to your files and email in Office.

  4. Copy the file you just created to your OneDrive synchronization folder. A user notification toast should appear telling you that the action is not allowed and that the file will be quarantined. For example, for user name Isaiah Langer, and a document titled auto-quarantine doc 1.docx you would see this message:

    The message reads:

    Opening auto-quarantine doc 1.docx with this app is not allowed. The file will be quarantined to 'C:\Users\IsaiahLanger\Microsoft DLP\Quarantine\OneDrive'

  5. Choose Dismiss.

  6. Open the place holder text file. It will be named auto-quarantine doc 1.docx_date_time.txt.

  7. Open the quarantine folder and confirm that the original file is there.

  8. Check Activity explorer for the event from the monitored endpoint. Set the location filter for devices and add the policy, then filter by policy name to see the impact of this policy; see Get started with activity explorer, if needed.
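Steps 6 and 7 above check the placeholder and the quarantined original by hand. The following editor-added script (not from the page) does the same check on the Windows 10 device and adds what a manual look cannot: it pairs each placeholder with its quarantined original, confirms the original is gone from the sync folder, and compares a SHA-256 hash of the quarantined copy against the source document so you know the file was moved intact rather than truncated. Assumed: the folder paths from this scenario, that the sync root is the OneDrive folder under the user profile, and that the timestamp suffix has the `_yyyyMMdd_HHmmss` form shown in the earlier `auto quar 1_20210728_151541.docx` example.

```powershell
# Editor-added example. Run as the test user on the Windows 10 device after step 4.
# All paths and the placeholder naming pattern are assumptions taken from this page.
$sourceFolder  = 'C:\auto-quarantine source folder'
$syncFolder    = Join-Path $env:USERPROFILE 'OneDrive'                      # assumed sync root
$quarantineDir = "$env:HOMEDRIVE$env:HOMEPATH\Microsoft DLP\Quarantine\OneDrive"  # one sub-folder per unallowed app

# Placeholder: <base><ext>_<yyyyMMdd>_<HHmmss>.txt   (e.g. auto-quarantine doc 1.docx_20210728_151541.txt)
# Quarantined: <base>_<yyyyMMdd>_<HHmmss><ext>       (e.g. auto-quarantine doc 1_20210728_151541.docx)
$placeholderPattern = '^(?<base>.+)(?<ext>\.[^.]+)_(?<stamp>\d{8}_\d{6})\.txt$'

function Test-Quarantine {
    param(
        [string]$SyncFolder,
        [string]$QuarantineDir,
        [string]$SourceFolder
    )

    foreach ($ph in Get-ChildItem -LiteralPath $SyncFolder -Filter '*.txt' -File) {
        if ($ph.Name -notmatch $placeholderPattern) { continue }

        $base  = $Matches.base
        $ext   = $Matches.ext
        $stamp = $Matches.stamp

        $quarantined = Join-Path $QuarantineDir "${base}_${stamp}${ext}"
        $source      = Join-Path $SourceFolder "${base}${ext}"
        $leftInSync  = Join-Path $SyncFolder   "${base}${ext}"

        $inQuarantine = Test-Path -LiteralPath $quarantined
        $hashMatches  = $false
        if ($inQuarantine -and (Test-Path -LiteralPath $source)) {
            # The quarantined copy must be byte-identical to what was copied in.
            $hashMatches = (Get-FileHash -LiteralPath $quarantined -Algorithm SHA256).Hash -eq
                           (Get-FileHash -LiteralPath $source      -Algorithm SHA256).Hash
        }

        [pscustomobject]@{
            Placeholder     = $ph.Name
            Original        = "${base}${ext}"
            InQuarantine    = $inQuarantine
            RemovedFromSync = -not (Test-Path -LiteralPath $leftInSync)
            HashMatches     = $hashMatches
            PlaceholderText = (Get-Content -LiteralPath $ph.FullName -Raw).Trim()
        }
    }
}

Test-Quarantine -SyncFolder $syncFolder -QuarantineDir $quarantineDir -SourceFolder $sourceFolder |
    Format-List
```

A healthy result is `InQuarantine`, `RemovedFromSync` and `HashMatches` all `True`, with `PlaceholderText` naming the quarantine path you configured; `RemovedFromSync = False` means the sensitive document is still sitting in the sync folder and the auto-quarantine did not actually happen, whatever the toast said.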

Scenario 5: Restrict unintentional sharing to unallowed cloud apps and services

With Endpoint DLP and the Microsoft Edge web browser, you can restrict unintentional sharing of sensitive items to unallowed cloud apps and services. Edge recognizes when an item is restricted by an Endpoint DLP policy and enforces the access restrictions.

When you select Devices as a location in a properly configured DLP policy, the browsers you have defined as unallowed in Endpoint DLP settings are prevented from accessing sensitive items that match the policy. Users are redirected to Microsoft Edge, which understands the DLP-imposed restrictions and can block or restrict activities when the conditions in the DLP policy are met.

To use this restriction, you’ll need to configure three important pieces:

  1. Specify the places – services, domains, IP addresses – that you want to prevent sensitive items from being shared to.

  2. Add the browsers that aren’t allowed to access certain sensitive items when a DLP policy match occurs.

  3. Configure DLP policies to define the kinds of sensitive items for which upload should be restricted to these places by turning on Upload to cloud services and Access from unallowed browser.

You can continue to add new services, apps, and policies to extend and augment your restrictions to meet your business needs and protect sensitive data.

This configuration will help ensure your data remains safe while also avoiding unnecessary restrictions that prevent or restrict users from accessing and sharing non-sensitive items.
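The three pieces listed above as a Security & Compliance PowerShell script. This is an editor-added example, not code from the page or from Microsoft. The unallowed-browser and service-domain entries follow the same Setting/Value/Executable shape as the unallowed-app entry used in scenario 4; the exact setting names for browsers, the domain list and its block/allow mode are assumptions and should be checked against the Set-PolicyConfig reference for your tenant before use. The domains, browser names, policy name and rule name are placeholders.

```powershell
# Editor-added example. Setting names for the browser and domain entries are
# assumed; check them against the Set-PolicyConfig cmdlet reference. Domains
# and names are placeholders.
Connect-IPPSSession

# Pieces 1 and 2: services that sensitive items must not be uploaded to, and the
# browsers that must not open them. Edge is never listed: it is the browser that
# enforces the restriction. As in scenario 4, this parameter is written as a whole
# collection, so include any entries the tenant already has.
Set-PolicyConfig -EndpointDlpGlobalSettings @(
    @{ Setting = 'CloudAppMode';            Value = 'Block' },                         # treat the list as a block list
    @{ Setting = 'CloudAppRestrictionList'; Value = 'fileshare.example' },
    @{ Setting = 'CloudAppRestrictionList'; Value = 'paste.example' },
    @{ Setting = 'UnallowedBrowser';        Value = 'Chrome';  Executable = 'chrome.exe' },
    @{ Setting = 'UnallowedBrowser';        Value = 'Firefox'; Executable = 'firefox.exe' }
)

# Read back what is now in force before building a policy on top of it.
(Get-PolicyConfig).EndpointDlpGlobalSettings

# Piece 3: a Devices policy whose rule turns on "Upload to cloud services" and
# "Access from unallowed browser" for items that contain a U.S. SSN. Test mode
# first, so the effect is visible in Activity explorer before users are blocked.
$policyName = 'Scenario 5 Restrict cloud uploads'   # assumed name
New-DlpCompliancePolicy -Name $policyName -EndpointDlpLocation All -Mode TestWithNotifications

New-DlpComplianceRule -Name 'Block SSN upload to unallowed services' -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' } `
    -EndpointDlpRestrictions @(
        @{ Setting = 'CloudEgress';      Value = 'Block' },   # Upload to cloud services
        @{ Setting = 'UnallowedBrowser'; Value = 'Block' }    # Access from unallowed browser
    ) `
    -NotifyUser LastModifier
```

Keep the restriction list narrow and specific: every domain you add applies to all policies that turn on the upload restriction, so an overly broad entry is exactly the kind of unnecessary restriction on non-sensitive work the paragraph above warns against.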

See also