Get started with Endpoint data loss prevention

Microsoft Endpoint data loss prevention (Endpoint DLP) is part of the Microsoft 365 data loss prevention (DLP) suite of features you can use to discover and protect sensitive items across Microsoft 365 services. For more information about all of Microsoft's DLP offerings, see Learn about data loss prevention. To learn more about Endpoint DLP, see Learn about Endpoint data loss prevention.

Microsoft Endpoint DLP allows you to monitor onboarded Windows 10 and Windows 11 devices, and onboarded macOS devices (preview) running Catalina 10.15 and higher. Once a device is onboarded, DLP detects when sensitive items are used and shared. This gives you the visibility and control you need to ensure that those items are used and protected properly, and to help prevent risky behavior that might compromise them.

Before you begin

SKU/subscriptions licensing

Before you get started with Endpoint DLP, you should confirm your Microsoft 365 subscription and any add-ons. To access and use Endpoint DLP functionality, you must have one of these subscriptions or add-ons.

  • Microsoft 365 E5
  • Microsoft 365 A5 (EDU)
  • Microsoft 365 E5 compliance
  • Microsoft 365 A5 compliance
  • Microsoft 365 E5 information protection and governance
  • Microsoft 365 A5 information protection and governance

For full licensing details, see Microsoft 365 licensing guidance for information protection.

Configure proxy on the Windows 10 or Windows 11 device

If you are onboarding Windows 10 or Windows 11 devices, first confirm that each device can communicate with the cloud DLP service; a device behind a proxy that the Defender for Endpoint sensor cannot use will appear to onboard but never report activity. For more information, see Configure device proxy and internet connection settings for Information Protection.
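The following PowerShell is an added example of the two proxy options the linked article describes (a system-wide WinHTTP proxy, or a static proxy that only the Defender for Endpoint sensor uses). It is not code from the original page; the proxy host and port are placeholders you must replace, and it must run in an elevated session.

```powershell
# Added example: point the Defender for Endpoint sensor (used by Endpoint DLP)
# at an outbound proxy. $ProxyHost/$ProxyPort are assumptions; replace them.
$ProxyHost = "proxy.contoso.local"
$ProxyPort = 8080
$ProxyValue = "${ProxyHost}:${ProxyPort}"

# Option 1: system-wide WinHTTP proxy, used by the sensor and other system services.
netsh winhttp set proxy $ProxyValue

# Option 2: static proxy for the sensor only, via the DataCollection policy key.
# DisableEnterpriseAuthProxy = 1 makes the sensor use this value instead of the
# user's authenticated proxy settings.
$key = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection"
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name "TelemetryProxyServer" -Value $ProxyValue -Type String
Set-ItemProperty -Path $key -Name "DisableEnterpriseAuthProxy" -Value 1 -Type DWord

# Verify what the device will actually use.
netsh winhttp show proxy
Get-ItemProperty -Path $key -Name TelemetryProxyServer, DisableEnterpriseAuthProxy |
    Select-Object TelemetryProxyServer, DisableEnterpriseAuthProxy
```

Pick one option. If the proxy performs TLS inspection, exclude the Defender for Endpoint service URLs from inspection; the sensor's connections will otherwise fail certificate validation and the device will not report.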

Windows 10 and Windows 11 onboarding procedures

For a general introduction to onboarding Windows devices, see:

For specific guidance to onboarding Windows devices, see:

  • Onboard Windows 10 or 11 devices using Group Policy: Use Group Policy to deploy the configuration package on devices.
  • Onboard Windows 10 or 11 devices using Microsoft Endpoint Configuration Manager: Use either Microsoft Endpoint Configuration Manager (current branch) version 1606, or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier, to deploy the configuration package on devices.
  • Onboard Windows 10 or 11 devices using Mobile Device Management tools: Use Mobile Device Management tools or Microsoft Intune to deploy the configuration package on devices.
  • Onboard Windows 10 or 11 devices using a local script: Learn how to use the local script to deploy the configuration package on endpoints.
  • Onboard non-persistent virtual desktop infrastructure (VDI) devices: Learn how to use the configuration package to configure VDI devices.

macOS onboarding procedures

For a general introduction to onboarding macOS devices, see:

For specific guidance to onboarding macOS devices, see:

  • Onboard and offboard macOS devices into Microsoft 365 Compliance solutions using Intune (preview): For macOS devices that are managed through Intune.
  • Onboard and offboard macOS devices into Compliance solutions using Intune for Microsoft Defender for Endpoint customers (preview): For macOS devices that are managed through Intune and that have Microsoft Defender for Endpoint (MDE) deployed to them.
  • Onboard and offboard macOS devices into Microsoft 365 Compliance solutions using JAMF Pro (preview): For macOS devices that are managed through JAMF Pro.
  • Onboard and offboard macOS devices into Compliance solutions using JAMF Pro for Microsoft Defender for Endpoint customers (preview): For macOS devices that are managed through JAMF Pro and that have Microsoft Defender for Endpoint (MDE) deployed to them.

Once a device is onboarded, it should be visible in the devices list and should also start reporting audit activity to Activity explorer. Allow some time after onboarding before concluding that a device has failed; if it never appears, check the onboarding state and the proxy configuration on the device itself.
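As an added example (not part of the original page), the following PowerShell checks a Windows device locally before you look for it in the portal. It relies on the Defender for Endpoint sensor that Endpoint DLP uses: the `OnboardingState` registry value written by the onboarding package, the `Sense` service, and the sensor's operational event log. The function name is an assumption chosen for this example.

```powershell
# Added example: local onboarding sanity check for a Windows 10/11 device.
# Returns an object so the result can be collected across many devices.
function Test-EndpointDlpOnboarding {
    $statusKey = "HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status"

    # 1 means the onboarding package ran and the sensor accepted the configuration.
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState `
              -ErrorAction SilentlyContinue).OnboardingState

    # The Sense service is the Defender for Endpoint sensor; it must be running.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    # Most recent sensor events; errors here usually point at proxy/TLS problems.
    $recent = Get-WinEvent -LogName "Microsoft-Windows-SENSE/Operational" `
              -MaxEvents 5 -ErrorAction SilentlyContinue |
              Select-Object TimeCreated, Id, LevelDisplayName, Message

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OnboardingState = $state
        SenseStatus     = if ($sense) { $sense.Status } else { "NotInstalled" }
        Onboarded       = ($state -eq 1 -and $sense -and $sense.Status -eq "Running")
        RecentEvents    = $recent
    }
}

$result = Test-EndpointDlpOnboarding
$result | Format-List ComputerName, OnboardingState, SenseStatus, Onboarded
$result.RecentEvents | Format-Table -AutoSize
```

If `Onboarded` is false, rerun the onboarding package (or the local script) and recheck; if it is true but the device still does not appear in the devices list, the sensor is most likely unable to reach the cloud service, so revisit the proxy configuration above.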