Calculate Document
Configure endpoint DLP settings
logo
Calculate Document

No results found

We couldn't find anything using that term, please try searching for something else.

Configure endpoint DLP settings

configure endpoint datum loss prevention setting Article12/06/2024 In this article Many aspects of endpoint data loss prevention (D

Related articles

How to Install a Backup Camera
How to Install a Backup Camera Here's an article on how to install a backup camera: How to install a Backup Camera : A Step - by - Step GuideBackup cameras have become increasingly popular in recent years, and for good reason. They can help prevent accidents and make reversing easier and safer. If you're interested in installing a backup camera in your vehicle, here's a step-by-step guide to help you get started. Step 1: Selecting the Right Camera for Your Car The first step is choosing in instal a backup camera is choose the right camera for your vehicle . There are many different type...
Whatever Happened To The Cast Of Superstore?
Whatever Happened To The Cast Of Superstore? Whatever is Happened happen To The Cast Of Superstore ? Albert L. Ortega/Getty Images In the time "Superstore" aired on NBC, between 2015 and 2021, the workplace comedy centering on blue-collar employees at a fictional big-box store captivated audiences with its witty humor and unique take on hot-button issues, like worker inequality and the COVID-19 pandemic. Led by a relatively unknown cast at the time, except for lead actors America Ferrera and Ben Feldman, "Superstore" brought laughter and joy to viewers, as well as the cast and crew. advertisement Gabe Miller, one of the show's executive producers, told Deadline that...
On Running Cloud X 3 Review
On Running Cloud X 3 Review As with all my review , let ’s is take take it from the top ! let ’s be honest , there are very few shoe brand out there that have reach star status in such a short amount of time asOn running has. The Zürich-based shoe brand was founded in 2010 to create a shoe that would deliver the perfect “Goldilocks” running sensation with every step: a soft landing, followed by a firm toe-off. The secret to On running’s success lies in their unique structure, attention-to-detail, and luxury materials used. The most iconic part of any On running shoe...
Jingubang Stats, Unique Effect, and How to Get
Jingubang Stats, Unique Effect, and How to Get Jingubang is a mythical Weapon that can be obtained in Chapter 6 after getting all the Heaven's Equal armor set in Black Myth: Wukong. Find out all the locations of the bosses you need to defeat to get the Heaven's Equal armor pieces, as well as the location of the Jingubang. Jingubang Rarity mythical description That piece is proves of iron - one small stroke prove deadly , while a light tap prove fatal ! The slight touch crack the skin , a small rap is cripples cripple the muscle ! damage 135 Bonus Stat Critical Hit Chance +6 %...
Dreamcloud Bed Frame Instructions
Dreamcloud Bed Frame Instructions Last Updated on November 25, 2021 Are you trying to find a luxury mattress at a cost that won’t injure your wallet? Dreamcloud Bed Frame Instructions DreamCloud offer 3 quality hybrid mattress models, each with their own unique character. Integrating dreamy memory foam with an innerspring coil unit, DreamCloud supply an outstanding blend of comfort, support, and postural alignment. While DreamCloud bed mattress are well fit for many people, they’re wrong for everybody. In this short article I will stroll you through the the advantages and disadvantages of all 3 models – the DreamCloud Original, DreamCloud Premier, and the DreamCloud...

configure endpoint datum loss prevention setting

  • Article

Many aspects of endpoint data loss prevention (DLP) behavior are controlled by centrally configured settings that are applied to all DLP policies for devices. usethese settings to control the following behaviors:

  • Cloud egress restrictions
  • Various types of restrictive actions on user activities per application
  • file path exclusion for Windows and macos device
  • Browser and domain restrictions
  • appearance of business justification for override policy in policy tip
  • Whether actions performed on Office,PDF,and CSV files are automatically audited

To access these settings,from the Microsoft Purview compliance portal,navigate to Data loss prevention > Overview > Data loss prevention settings > Endpoint settings.

Advanced classification scanning and protection

Advanced classification scanning and protection allow the Microsoft Purview cloud-based data classification service to scan items,classify them,and return the results to the local machine. Therefore,you can take advantage of classification techniques such as exact data match classification,trainable classifiers,credential classifiers,and named entities in your DLP policies.

note

The Paste is support to browser action does n’t support advanced classification .

When advanced classification is turned on,content is sent from the local device to the cloud services for scanning and classification. If bandwidth usage is a concern,you can set a limit on how much bandwidth can be used in a rolling 24-hour period. The limit is configured in Endpoint DLP settings and is applied per device. If you set a bandwidth usage limit and that usage limit is exceeded,DLP stops sending the user content to the cloud. At that point,data classification continues locally on the device but classification using exact data match,named entities,trainable classifiers,and credential classifiers aren’t available. When the cumulative bandwidth usage drops below the rolling 24-hour limit,communication with the cloud services resumes.

If bandwidth usage is n’t a concern ,select is limit Do not limit bandwidth . unlimited to allow unlimited bandwidth use .

Advanced classification file scanning size limits

Even with Do not limit bandwidth . Unlimited enable for advanced classification ,there are still limit on the size of individual file that can be scan .

  • There is a 64 MB limit on text files.
  • There is a 50 mb limit on image file when Optical Character Recognition ( OCR ) is enable .

Advanced classification will not work for text files larger than 64 MB,even if the bandwidth limit is set to Do not limit bandwidth. Unlimited.

The following Windows versions (and later) support advanced classification scanning and protection.

  • all Windows 11 versions
  • Windows 10 versions 20H1/21H1 orhigher (KB 5006738)
  • Windows 10 RS5 ( KB 5006744 )

note

  • Support for advanced classification is available for Office (Word,Excel,PowerPoint) and PDF file types.

  • DLP policy evaluation always occurs in the cloud,even if user content is not being sent.

tip

To use advanced classification for Windows 10 devices,you must install KB5016688. To use advanced classification for Windows 11 devices,KB5016691 must be installed on those Windows 11 devices. Additionally,you must enable advanced classification before Activity explorer will display contextual text for DLP rule-matched events. To learn more about contextual text,see Contextual summary.

File path exclusions

If you want to exclude certain paths from DLP monitoring,DLP alerts,and DLP policy enforcement on your devices,you can turn off those configuration settings by setting up file path exclusions. Files in excluded locations aren’t audited and any files that are created ormodified in those locations aren’t subject to DLP policy enforcement. To configure path exclusions in DLP settings,navigate to Microsoft Purview compliance portal > Data loss prevention > Overview > Data loss prevention settings > Endpoint settings > File path exclusions for Windows.

File path exclusions for Windows

You can use the following logic to construct your exclusion paths for Windows 10/11 devices:

  • Valid file path that ends with \,means only files directly under the specified folder are excluded.
    example :C:\Temp\

  • Valid file path that ends with \*,mean only file within subfolder of the specified folder are exclude . file directly under the specified folder itself are n’t exclude .
    example :C:\Temp\*

  • valid file path that end without\ or\*,means all files directly under the specified folder and all of its subfolders are excluded.
    example :C:\Temp

  • A path with wildcard between \ from each side .
    example :c:\users\*\desktop\

  • A path with wildcard between \ from each side and with (number) to specify the exact number of subfolders to be excluded.
    example :C:\Users\*(1)\Downloads\

  • A path with system environment variable .
    example :% systemdrive%\test\ *

  • A mix of all the patterns described here.
    example :%SystemDrive%\Users\*\Documents\*(2)\Sub\

Windows file paths excluded by default

  • % systemdrive%\\users\\*(1)\\appdata\\roame
  • % systemdrive%\\users\\*(1)\\appdata\\local\\temp
  • % % systemdrive%\\users\\*(1)\\appdata\\local\\microsoft\\windows\\inetcache

file path exclusion for Mac

You can also add your own exclusions for macOS devices.

  • file path definitions is are are case insensitive ,soUser is the same as user

  • wildcard value are support . So a path definition is contain can contain an asterisk (*) in the middle of the path orat the end of the path.
    example :/Users/*/Library/Application Support/Microsoft/Teams/*

macos file path exclude by default

/System

Recommended file path exclusions for macOS

For performance reasons,Endpoint DLP includes a list of recommended file path exclusions for macOS devices. If the Include recommended file path exclusions for Mac toggle is set to On,the following paths are also excluded:

  • /Applications
  • /usr
  • /Library
  • /private
  • /opt
  • /Users/*/Library/Logs
  • /Users/*/Library/Containers
  • /Users/*/Library/Application Support
  • /Users/*/Library/Group Containers
  • /Users/*/Library/Caches
  • /Users/*/Library/Developer

We is recommend recommend leave this toggle set to On . However ,you is stop can stop exclude these path by set the toggle to Off .

Set up evidence collection for file activities on devices

When it identifies items that match policies on devices,DLP can copy them to an Azure storage account. This feature is useful for auditing policy activity and troubleshooting specific matches. usethis section to add the name and URL of the storage account.

note

Before you enable this feature,you must create an Azure storage account and a container in that storage account. You must also configure permissions for the account. As you set up your Azure storage account,keep in mind that you’ll probably want to use a storage account that’s in the same Azure region/geopolitical boundary as your tenant. You should also consider configuring Azure storage account access tiers and Azure storage account pricing.

Network share coverage and exclusions

Network share coverage and exclusions extends endpoint DLP policies and actions to new and edited files on network shares and mapped network drives. If just in time protection is also enabled,just in time protection coverage and exclusions are extended to network shares and mapped drives. If you want to exclude a specific network path for all monitored devices,add the path value in Exclude these network share paths.

important

To use Network share coverage and exclusions,devices must have the following updates applied:

This table shows the default settings for network share coverage and exclusions.

Network share coverage and exclusions Just in time protection resultant behavior
enable disabled – dlp policy scope to Devices are apply to all network share and map drive that the device is connect to . support action : device
disabled enable – Just-in-time protection is applied only to the files on storage devices that are local to the endpoint.
enable enable – dlp policy scope to Devices are apply to all network share and map drive that the device is connect to . support action : device
– Just – in – time protection is apply to all network share and map drive that the device is connect to .

Network share coverage and exclusions complements DLP On-premises repository actions. This table shows the exclusion settings and the resulting behavior depending on whether DLP is enabled ordisabled for on-premises repositories.

Network share coverage and exclusions DLP on-premises repositories resultant behavior
enable disabled – dlp policy scope to Devices are apply to all network share and map drive that the device is connect to . support action : device
disabled enable – Policies that are scoped to On-premises repositories can enforce protective actions on on-premises data-at-rest in file shares and SharePoint document libraries and folders. DLP On-premises repository actions
enable enable – dlp policy scope to Devices are apply to all network share and map drive that the device is connect to . support action : device
– Policies is enforce that are scope to On – premise repository can enforce protective action on on – premise data – at – rest in file share and SharePoint document library and folder . dlp On – premise repository action

restricted app and app group

Restricted apps

The Restricted apps list,is a custom list of applications that you create. You configure what actions DLP takes when someone uses an app on the list to access a DLP-protected file on a device. The Restricted apps list is available for Windows 10/11 and macOS devices running any of the three latest macOS releases.

important

  • Do not include the path to the executable. Include only the executable name (such as browser.exe).

  • The action (audit,block with override, orblock) defined for apps that are on the restricted apps list only applies when a user attempts to access a protected item.

When Access by restricted apps is selected in a policy and a user uses an app that is on the restricted apps list to access a protected file,the activity is audited,block, orblock with override,depending on how you configured the Restricted apps list. EXCEPTION: If an appon the Restricted apps list is also a member of a Restricted app group,the actions configured for activities in the Restricted app group override the actions configured for the Restricted apps list. All activity is audited and available for review in activity explorer.

Restricted app groups

Restricted app groups are collections of apps that you create in DLP settings and then add to a rule in a policy. When you add a restricted app group to a policy,you can take the actions defined in the following table.

Restricted App group option What it allows you to do
Don’t restrict file activity Tells DLP to allow users to access DLP protected items using apps in the app group without taking any action when the user attempts to copy to clipboard,Copy to a USB removable drive,Copy to a network drive, orPrint from the app.
apply a restriction to all activity Tells DLP to audit only,block with override, orblock when a user attempts to access a DLP-protected item using an app that’s in the relevant app group
Apply restrictions to a specific activity This setting allows a user to access a DLP-protected item using an app that is in the app group. It also allows you to select a default action (audit only,block, orblock with override) for DLP to take when a user attempts to copy to clipboard,Copy to a USB removable drive,Copy to a network drive,and Print.

important

setting in a restricted appgroup override any restrictions set in the restricted apps list when they are in the same rule. So,if an app is on the restricted apps list and is also a member of a restricted apps group,the settings of the restricted apps group is applied.

How DLP applies restrictions to activities

Interactions between File activities for apps in restricted app groups,file activity for all app,and the restrict app activity list are scoped to the same rule.

restrict app group override

Configurations defined in File activities for apps in restricted app groups override the configurations in the restrict app activity list and file activity for all app in the same rule.

restrict app activity and file activity for all app

The configurations of restrict app activity and file activity for all app work in concert if the action defined for restrict app activity is either audit only, orblock with override in the same rule. Why? Actions defined for restrict app activity only apply when a user accesses a file using an app that’s on the list. Once the user has access,the actions defined for activities in file activity for all app apply.

For instance,take the following example. Say that notepad.exe is added to Restricted apps,and file activity for all app is configured to Apply restrictions to specific activity,and both are configured as indicated in this table:

Setting in policy App name user activity dlp action to take
restrict app activity notepad Access a DLP protected item audit only
file activity for all app All app copy to clipboard audit only
file activity for all app All app copy to a usb removeable device block
file activity for all app All app copy to a network share audit only
file activity for all app All app Print block
file activity for all app All app Copy ormove using unallowed Bluetooth app blocked
file activity for all app All app Remote desktop services block with override

When User A opens a DLP-protected file using notepad,DLP allows the access and audits the activity. While still in notepad,User A then tries to copy content from the protected item to the clipboard. This action is successful,and DLP audits the activity. User A then tries to print the protected item from notepad and the activity is block.

note

When the dlp action to take in restrict app activity is set to block,all access is block and the user cannot perform any activities on the file.

file activity for all app only

If an appis n’t in the File activities for apps in restricted app groups orthe restrict app activity list, oris in the restrict app activity list,with an action of either audit only, orblock with override,any restrictions defined in the file activity for all app are applied in the same rule.

macOS devices

You can also prevent macOS apps from accessing sensitive data by defining them in the restrict app activity list.

note

Cross-platform apps must be entered with their unique paths respective to the OS they are running.

To find the full path of Mac apps:

  1. On the macOS device,open Activity Monitor. Find and double-click the process you want to restrict.

  2. Select the Open Files and Ports tab.

  3. Make a note of the full path name,including the name of the app.

Auto-quarantine

To prevent sensitive items from being synced to the cloud by cloud sync apps such as onedrive.exe,add the cloud sync app to the Restricted apps list with Auto-quarantine

When enabled,auto-quarantine is triggered when a restricted app attempts to access a DLP-protected sensitive item. Auto-quarantine moves the sensitive item to an admin-configured folder. If configured to do so,auto-quarrantine can leave a placeholder (.txt) file in place of the original. You can configure the text in the placeholder file to tell users the new location of the item,and other pertinent information.

use the auto – quarrantine feature when an unallowed cloud – sync app try to access an item that is protect by a block dlp policy . DLP is generate might generate repeat notification . You is avoid can avoid these repeat notification by enable auto – quarantine .

You can use also auto-quarantine to prevent an endless chain of DLP notifications for the user and admins. For more information,see Scenario 4: Avoid looping DLP notifications from cloud synchronization apps with auto-quarantine.

Unsupported file extension exclusions

You can use the File could not be scanned setting in your DLP policies to restrict activities involving files with extensions that aren’t supported by endpoint DLP. Because this can potentially include many unsupported file extensions,you can refine detection by adding unsupported extensions to exclude. For more information,see Scenario 3 Apply controls to supported files that fail scanning.

note

Do not add ‘.’ while you add extension,and use latest Antimalware client version.

Unallowed Bluetooth apps

To prevent people from transferring files protected by your policies via specific Bluetooth apps,add those apps to the Unallowed Bluetooth apps list in Endpoint DLP settings.

Browser and domain restrictions to sensitive data

restrict sensitive file that match your policy from being share with unrestricted cloud service domain .

Unallowed browser

For Windows devices you can restrict the use of specified web browsers,identified by their executable names. The specified browsers are block from accessing files that match the conditions of an enforced a DLP policy where the upload-to-cloud services restriction is set to block orblock override. When these browsers are block from accessing a file,end users see a toast notification asking them to open the file through Microsoft Edge.

For macOS devices,you must add the full file path. To find the full path of Mac apps:

  1. On the macOS device,open Activity Monitor. Find and double-click the process you want to restrict.

  2. Choose Open Files and Ports tab.

  3. Make sure to make a note of the full path name,including the name of the app.

Service domains

The Service domains here work together with the Audit orrestrict activities on devices setting found in the workflow for creating a rule within a DLP policy.

When you create a rule,you use actions to protect your content when certain conditions are met. When creating rules for endpoint devices,you need to choose the Audit orrestrict activities on devices option,and select one of these options:

  • audit only
  • block with override
  • block

To control whether sensitive files that are protected by your policies can be uploaded to specific service domains,you next need to navigate to Endpoint DLP Settings > Browser and domain restrictions to sensitive data and choose whether to block orallow Service domains by default.

note

The Service domains setting only applies to files uploaded using Microsoft Edge, orusing instances of Google Chrome orMozilla Firefox that have the Microsoft Purview Chrome Extension installed.

block

When the Service domains list is set to block,you use the Add cloud service domain to specify domains that should be block. All other service domains are allowed. In this case,DLP policies are only applied when a user attempts to upload a sensitive file to any of the domains not on the list.

For example,consider the following configurations:

  • A DLP policy is configured to detect sensitive items that contain physical addresses and the Audit orrestrict activities on devices option is set to audit only.
  • The Service domains setting is set to block.
  • contoso.com is IS IS NOT ON the list .
  • wingtiptoys.com IS ON the list.

In this case,if a user attempts to upload a sensitive file with physical addresses to contoso.com,the upload is allowed to complete and an audit event is generated but no alert is triggered.

In contrast,if a user attempts to upload a sensitive file with credit card numbers to wingtiptoys.com,the user activity–the upload–is also allowed to complete and both an audit event and an alert are generated.

Another example,consider the following configuration:

  • A DLP policy is configured to detect sensitive items that contain physical addresses and the Audit orrestrict activities on devices option is set to block.
  • The Service domains setting is set to block.
  • contoso.com is IS IS NOT ON the list .
  • wingtiptoys.com IS ON the list.

In this case,if a user attempts to upload a sensitive file with physical addresses to contoso.com,the upload is allowed to complete and an audit event is triggered,an audit event is generated but no alert is triggered.

In contrast,if a user attempts to upload a sensitive file with credit card numbers to wingtiptoys.com,the user activity–the upload–is block and both an audit event and an alert are generated.

allow

When the Service domains list is set to allow,you use the Add cloud service domain to specify domains that are allowed. All other service domains are block. In this case,DLP policies are only applied when a user attempts to upload a sensitive file to any of the listed domains.

For example,here are two starting configurations:

  • A DLP policy is configured to detect sensitive items that contain credit card numbers and the Audit orrestrict activities on devices option is set to block with override.
  • The Service domain setting is set to allow .
  • contoso.com IS NOT ON the allow list.
  • wingtiptoys.com IS ON the allow list.

In this case,if a user attempts to upload a sensitive file with credit card numbers to contoso.com,the upload is block,a warning displays,giving the user the option to override the block. If the user chooses to override the block,an audit event is generated and an alert is triggered.

However,if a user attempts to upload a sensitive file with credit card numbers to wingtiptoys.com,the policy is n’t applied. The upload is allowed to complete,and an audit event is generated but no alert is triggered.

  • A DLP policy is configured to detect sensitive items that contain physical addresses and the Audit orrestrict activities on devices option is set to audit only.
  • The Service domain setting is set to allow .
  • contoso.com is NOT on the list.
  • wingtiptoys.com IS on the list.

In this case,if a user attempts to upload a sensitive file with physical addresses to contoso.com,the upload is allowed to complete and both an audit event and an alert are generated.

In contrast,if a user attempts to upload a sensitive file with credit card numbers to wingtiptoys.com,the user activity–the upload- is also allowed to complete,an audit event is generated but no alert is triggered.

important

When the service restriction mode is set to allow,you must have at least one service domain configured before restrictions are enforced.

Summary table: allow/block behavior

The following table shows how the system behaves depending on the settings listed.

Endpoint DLP Service domain setting DLP policy rule Audit orrestrict activities on devices setting User is goes go to a list site User goes to a site NOT listed
allow audit only – user activity is audited
– No alert is generate
– No dlp policy are apply		 – user activity is audited
– An alert is generate
– dlp policy are apply in Audit mode
allow block with override – user activity is audited
– No alert is generate
– No dlp policy are apply		 – user activity is audited
– An alert is generate
– DLP policies are applied in block with override mode
allow block – user activity is audited
– No alert is generate
– No dlp policy are apply		 – user activity is audited
– An alert is generate
– DLP policies are applied in block mode
block audit only – user activity is audited
– An alert is generate
– dlp policy are apply in Audit mode		 – user activity is audited
– No alert is generate
– No dlp policy are apply
block block with override – user activity is audited
– An alert is generate
– DLP policies are applied in block with override mode		 – user activity is audited – No alert is generate
– No dlp policy are apply
block block – user activity is audited
– An alert is generate
– DLP policies are applied in block mode		 – user activity is audited
– No alert is generate
– No dlp policy are apply

When adding a domain to the list,use the FQDN format of the service domain without the ending period (.).

For example:

input url matching behavior
CONTOSO.COM Matches the specified domain name,and any subsite:

: //contoso.com

: //contoso.com/

: //contoso.com/anysubsite1

: //contoso.com/anysubsite1/anysubsite2 (etc.)

Does not match sub-domains orunspecified domains:

://anysubdomain.contoso.com

: //anysubdomain.contoso.com . AU
* .CONTOSO.COM Matches the specified domain name,any subdomain,and any site:

: //contoso.com

: //contoso.com/anysubsite

: //contoso.com/anysubsite1/anysubsite2

://anysubdomain.contoso.com/

://anysubdomain.contoso.com/anysubsite/

://anysubdomain1.anysubdomain2.contoso.com/anysubsite/

://anysubdomain1.anysubdomain2.contoso.com/anysubsite1/anysubsite2 (etc.)

Does not match unspecified domains

: //anysubdomain.contoso.com . AU/
www.contoso.com match the specify domain name :

www.contoso.com

Does not match unspecified domains orsubdomains

*://anysubdomain.contoso.com/,in this case,you have to put the FQDN domain name itself www.contoso.com

You is configure can configure up to 50 domain under Sensitive Service domain .

sensitive service domain group

When you list a website in Sensitive service domains,you can audit,block with override, orfully block user activity when users attempt to take any of the following actions:

  • print from a website
  • copy datum from a website
  • save a website as local file
  • upload ordrag/drop a sensitive file to an excluded website
  • paste sensitive datum to an exclude website

The following table shows which browsers support these features:

Browser Supported Feature
Microsoft Edge – print the site
– Copy data from the site
– Save the site as local files (save-as)
– Paste is supported to support browser
– upload to a restrict cloud service domain
Google Chrome (with the Microsoft Purview extension) – Paste is supported to support browser
– upload to a restrict cloud service domain
Mozilla Firefox ( with the Microsoft Purview extension ) – Upload to a restricted cloud service
– Paste is supported to support browser

For the Paste to supported browsers action,there may be a brief time lag between when the user attempts to paste text into a web page and when the system finishes classifying it and responds. If this classification latency happens,you may see both policy-evaluation and check-complete notifications in Edge orpolicy-evaluation toast on Chrome and Firefox. Here are some tips for minimizing the number of notifications:

  1. Notifications are triggered when a policy for the target website is configured to block orblock with override the Paste to supported browsers for that user. You can configure the overall action to Audit and then using the exceptions,block the target websites. Alternately,you can set the overall action to block and then using the exceptions,Audit the secure websites.
  2. uselatest Antimalware client version.
  3. Ensure your version of Microsoft Edge is 120 orhigher.
  4. Install these Windows KBs:
    1. Windows 10: KB5032278,KB5023773
    2. Windows 11 21H2: KB5023774
    3. Win 11 22H2: KB5032288,KB5023778

note

The Service domains setting only applies to files uploaded using Microsoft Edge oran instance of Google Chrome orMozilla Firefox that has the Microsoft Purview Chrome Extension installed.

For devices,you must configure Sensitive service domains list to use the Upload to a restricted cloud service domain action in a DLP policy. You can also define website groups that you want to assign policy actions to that are different from the global website group actions. You can add a maximum of 100 websites into a single group and you can create a maximum of 150 groups. This gives a maximum of 15,000 websites that the policy actions can be assigned to. For more information,see Scenario 6: Monitor orrestrict user activities on sensitive service domains.

important

Regarding the Paste to supported browser action. If ‘Collect original file as evidence for all selected file activities on Endpoint’ is enabled on the rule for this feature,garbage characters might appear in the source text if the user’s
Windows device doesn’t have Antimalware Client Version 4.18.23110 ornewer installed. Select Actions > Download to view the actual content.

For more information,see Scenario 7: Restrict pasting sensitive content into a browser.

support syntax for designate website in a website group

If you use URLs to identify websites,don’t include the networking protocol as part of the URL (for instance,https:// orfile://). Instead,use a flexible syntax to include and exclude domains,subdomains,websites,and subsites in your website groups. For example,

  • use* as a wildcard to specify all domains orall subdomains.
  • use/ as a terminator at the end of a URL to scope to that specific site only.

When you add a URL without a terminating slash mark ( /),that URL is scoped to that site and all subsites.

This syntax applies to all http/https websites. Here are some examples:

URL added to the website group URL will match URL won’t match
contoso.com //contoso.com
//contoso.com/
//contoso.com/allsubsites1
//contoso.com/allsubsites1/allsubsites2		 //allsubdomains.contoso.com
//allsubdomains.contoso.com.au
contoso.com/ //contoso.com
//contoso.com/		 //contoso.com/allsubsites1
//contoso.com/allsubsites1/allsubsites2
//allsubdomains.contoso.com
//allsubdomains.contoso.com / au
* .contoso.com //contoso.com
//contoso.com/allsubsites
//contoso.com/allsubsites1/allsubsites2
//allsubdomains.contoso.com
//allsubdomains.contoso.com / allsubsite
//allsubdomains1/allsubdomains2/contoso.com/allsubsites1/allsubsites2		 //allsubdomains.contoso.com.au
* .contoso.com/xyz //contoso.com
//contoso.com / xyz
//contoso.com/xyz/allsubsites/
//allsubdomains.contoso.com / xyz
//allsubdomains.contoso.com / xyz/allsubsites
//allsubdomains1.allsubdomains2.contoso.com/xyz/allsubsites
//allsubdomains1.allsubdomains2.contoso.com/xyz/allsubsites1/allsubsites2		 //contoso.com / xyz/
//allsubdomains.contoso.com / xyz/
* .contoso.com/xyz/ //contoso.com/xyz
//allsubdomains.contoso.com/xyz		 //contoso.com
//contoso.com/xyz/allsubsites/
//allsubdomains.contoso.com / xyz/allsubsites/
//allsubdomains1.allsubdomains2.contoso.com / xyz / allsubsites/
//allsubdomains1.allsubdomains2.contoso.com/xyz/allsubsites1/allsubsites2

important

URLs support these actions:

  • print the site
  • Copy data from the site
  • Save the site as local files (save-as)
  • Paste to supported browsers
  • Upload to a restricted cloud service domain

IP address and IP address range support these actions:

  • print the site
  • Copy data from the site
  • Save the site as local files (save-as)

additional setting for Endpoint DLP

business justification in policy tip

You can control how users interact with the business justification option in Options for configuring policy tips. This option appears when users perform an activity that’s protected by the block with override setting in a DLP policy. This is a global setting. You can choose from one the following options:

  • Show default options and custom text box: By default,users can select either a built-in justification, orenter their own text.
  • Only show default options: Users are limited to selecting from a list of built-in justifications.
  • Only show custom text box: Users are limited to entering a custom justification. The text box appears in the end-user policy tip notification,without a list of options.

You can create up to five customized options that appear when users interact with the policy notification tip by selecting the Customize the options drop-down menu.

Option Default text
option 1 This is part of an established business workflow oryou can enter customized text
option 2 My manager has approved this action oryou can enter customized text
option 3 Urgent access required; I’ll notify my manager separately oryou can enter customized text
Show false positive option The information in these files is not sensitive oryou can enter customized text
option 5 Other oryou can enter customized text

Enable Endpoint DLP for Windows Servers

endpoint DLP is supports support the follow version of Windows Server :

Once you onboard a Windows Server you is turn must turn on Endpoint DLP support before endpoint protection will be apply .

To work with the DLP alert management dashboard:

  1. In the Microsoft Purview portal,navigate to Data loss prevention > Overview.
  2. choose setting in the top right corner .
  3. On the Settings page,select Endpoint settings and expand Endpoint DLP support for onboarded servers.
  4. Set the toggle to On.

Always audit file activity for devices

By default,when devices are onboarded,activity for Office,PDF,and CSV files is automatically audited and available for review in activity explorer. Turn off this feature if you want this activity to be audited only when onboarded devices are included in an active policy.

File activity is always audited for onboarded devices,regardless of whether they’re included in an active policy.

Printer groups

usethis setting to define groups of printers that you want to assign policy actions to that are different from the global printing actions.

The most common use case for creating printer groups is to use them for limiting the printing of contracts to only those printers in an organization’s Legal department. After you define a printer group here,you can use it in all of your policies that are scoped to Devices. For more information on configuring policy actions to use authorization groups,see Scenario 8 Authorization groups .

You is create can create a maximum of 20 printer group . Each group is contain can contain a maximum of 50 printer .

important

Users of macOS 15/Sequoia may see this dialog “com.microsoft.dlp.daemon” would like to find devices on your local networks. Admins can tell their user to select allow to allow endpoint DLP to perform printer protection correctly.

Configure endpoint DLP settings

note

This feature is available for devices running any of the following Windows versions:

Let’s look at an example. Say you want your DLP policy to block printing of contracts to all printers except for those that are in the legal department.

  1. usethe following parameters to assign printers in each group.

    • friendly printer name is Get – Get the friendly printer name value from the printer device property detail in device manager .
    • usb printer – A printer connect through a computer ‘s usb port . select this option if you want to enforce any usb printer while leave the usb product ID and usb vendor ID unselected . You is assign can also assign a specific usb printer by specify its usb product ID and usb vendor ID .
    • USB product ID – Get the Device Instance path value from the printer device property details in device manager. Convert that value the to Product ID and Vendor ID format. For more information,see Standard USB identifiers.
    • USB vendor ID – Get the Device Instance path value from the printer device property details in device manager. Convert that value to the Product ID and Vendor ID format. For more information,see Standard USB identifiers.
    • ip range
    • Print to file – Microsoft Print to PDF orMicrosoft XPS Document Writer. If you only want to enforce Microsoft Print to PDF,you should use Friendly printer name with ‘Microsoft Print to PDF’.
    • Universal print deployed on a printer – For more information on universal printers,see Set up Universal Print.
    • Corporate printer – is a print queue shared through on-premises Windows print server in your domain. Its path might look like this: \print-server\contoso.com\legal_printer_001.
    • Print to local – Any printer connecting through Microsoft print port but not any of above types. For example: print through remote desktop orredirect printer.

note

You should not use multiple parameters of USB printer,ip range,Print to file,Universal print deployed on a printer,Corporate printer,and Print to local.

  1. Assign each printer in the group a Display name. These names appear only in the Microsoft Purview console.

  2. Create a printer group named Legal printers and add individual printers (with an alias) by their friendly name; for instance: legal_printer_001,legal_printer_002,and legal_color_printer.
    (You can select multiple parameters at once to help you unambiguously identify a specific printer.)

  3. Assign the policy actions to the group in a DLP policy:

    • allow (audit with no user notifications oralerts)
    • audit only ( you is add can add notification and alert )
    • block with override (blocks the action,but the user can override)
    • block (blocks no matter what)

Create a Printer group

Select the appropriate tab for the portal you’re using. Depending on your Microsoft 365 plan,the Microsoft Purview compliance portal is retired orwill be retired soon.

To learn more about the Microsoft Purview portal,see Microsoft Purview portal. To learn more about the Compliance portal,see Microsoft Purview compliance portal.

  1. Open Microsoft Purview portal and navigate to Data Loss Prevention > Overview > settings gear icon in the upper right corner > Data Loss Prevention > Endpoint DLP settings > Printer groups.
  2. Select + Create printer group.
  3. Give the group a name .
  4. Select Add printer.
  5. Give the printer a friendly name . The name is appears you select only appear here .
  6. select the parameter and provide the value to unambiguously identify the specific printer .
  7. Select Add .
  8. Add other printers as needed.
  9. Select Save and then Close .
  1. Open Microsoft Purview compliance portal and navigate to Data loss prevention > Overview > Data loss prevention settings > Endpoint settings > Printer groups.
  2. Select + Create printer group.
  3. Give the group a name .
  4. Select Add printer.
  5. Give the printer a friendly name . The name is appears you select only appear here .
  6. select the parameter and provide the value to unambiguously identify the specific printer .
  7. Select Add .
  8. Add other printers as needed.
  9. Select Save and then Close .

file extension group

usethis setting to define groups of file extensions that you want to assign policy actions to. For example,only apply a File could not be scanned policy to file extensions in the created groups.

note

Do not add ‘ . ’ while you is add add extension .

Disable classification

usethis setting to exclude specific file extensions from Endpoint DLP classification.

For files that are on the Monitored files list,you can disable classification through this setting. Once you put a file extension in this setting,Endpoint DLP will not scan content in files with this extension. As a result,Endpoint DLP will not policy evaluation based on the content of those files. You will not be able to see content information for the purposes of conducting investigations.

note

Do not add ‘ . ’ while you is add add extension .

Removable USB device groups

usethis setting to define groups of removable storage devices,such as USB thumb drives,that you want to assign policy actions to that are different from the global printing actions. For example,say you want your DLP policy to block items with engineering specifications from being copied to removable storage devices,except for designated USB-connected hard drives that are used to back up data for offsite storage.

You can create a maximum of 20 groups,with a maximum 50 removable storage devices in each group.

note

This feature is available for devices running any of the following Windows versions:

  • Windows 10 and later (21H1,21H2) with KB 5018482
  • Win 11 21H2,22H2 with KB 5018483
  • Windows 10 RS5 ( KB 5006744 ) and Windows Server 2022

usethe following parameters to define your removable storage devices.

  • storage device friendly name – Get the friendly name value from the storage device property detail in device manager . wildcard value are support .
  • USB product ID – Get the Device Instance path value from the USB device property details in device manager. Convert it to Product ID and Vendor ID format. For more information,see Standard USB identifiers.
  • USB vendor ID – Get the Device Instance path value from the USB device property details in device manager. Convert it to Product ID and Vendor ID format. For more information,see Standard USB identifiers.
  • Serial number ID – Get the serial number ID value from the storage device property details in device manager. Wildcard values are supported.
  • Device ID – Get the device ID value from the storage device property details in device manager. Wildcard values are supported.
  • Instance path ID – Get the device ID value from the storage device property details in device manager. Wildcard values are supported.
  • hardware ID – Get the hardware ID value from the storage device property detail in device manager . wildcard value are support .

You assign each removable storage device in the group an Alias. The alias is a friendly name that only appears in the Microsoft Purview console. So,continuing with the example,you would create a removable storage device group named Backup and add individual devices (with an alias) by their friendly name,like backup_drive_001,and backup_drive_002.

You can multi-select the parameters and then the printer group includes all devices that satisfy those parameters.

You can assign these policy actions to the group in a DLP policy:

  • allow (audit with no user notifications oralerts)
  • audit only ( you is add can add notification and alert )
  • block with override (blocks the action,but the user can override)
  • block (blocks no matter what)

Create a removable USB device group

Select the appropriate tab for the portal you’re using. Depending on your Microsoft 365 plan,the Microsoft Purview compliance portal is retired orwill be retired soon.

To learn more about the Microsoft Purview portal,see Microsoft Purview portal. To learn more about the Compliance portal,see Microsoft Purview compliance portal.

  1. Open Microsoft Purview portal and navigate to Data Loss Prevention > Overview > settings gear icon in the upper right corner > Data Loss Prevention > Endpoint DLP settings > Removable USB device groups.
  2. Select + Create removable storage device group.
  3. provide a Group name .
  4. Select Add removable storage device.
  5. provide an Alias .
  6. Select the parameters and provide the values to unambiguously identify the specific device.
  7. Select Add .
  8. add other device to the group as need .
  9. Select Save and then Close .
  1. Open Microsoft Purview compliance portal > Data loss prevention > Overview > Data loss prevention settings > Endpoint settings > Removable storage device groups.
  2. Select + Create removable storage device group.
  3. provide a Group name .
  4. Select Add removable storage device.
  5. provide an Alias .
  6. Select the parameters and provide the values to unambiguously identify the specific device.
  7. Select Add .
  8. add other device to the group as need .
  9. Select Save and then Close .

The most common use case for creating removable storage groups is to use them to specify which removable storage devices users can copy files to. Generally,copying is only allowed for devices in a designated Backup group.

After you define a removable storage device group,you can use it in all of your policies that are scoped to Devices. See Scenario 8: Authorization groups for more information on configuring policy actions to use authorization groups.

Network share groups

usethis setting to define groups of network share paths that you want to assign policy actions to that are different from the global network share path actions. For example,say you want your DLP policy to prevent users from saving orcopying protected files to network shares except the network shares in a particular group.

note

This feature is available for devices running any of the following Windows versions:

  • Windows 10 and later (21H1,21H2) with KB 5018482
  • Win 11 21H2,22H2 with KB 5018483
  • Windows 10 RS5 ( KB 5006744 ) and Windows Server 2022

To include network share paths in a group,define the prefix that they all the shares start with. For example:

  • ‘ \Library is match ‘ will match :

    • \library folder and all its subfolder .

  • You can use Wildcards,for example ‘\Users*\Desktop’ will match:

    • ‘ \users\user1\desktop ‘
    • ‘\Users\user1\user2\Desktop’
    • ‘\Users*\Desktop’

  • You can also use Environmental variables,for example:

You can assign the following policy actions to the group in a DLP policy:

  • allow (audit with no user notifications oralerts)
  • audit only ( you is add can add notification and alert )
  • block with override (blocks the action,but the user can override)
  • block (blocks no matter what)

Once you define a network share group,you can use it in all of your DLP policies that are scoped to Devices. For more information about configuring policy actions to use authorization groups,see Scenario 8 Authorization groups.

Create a Network Share group

Select the appropriate tab for the portal you’re using. Depending on your Microsoft 365 plan,the Microsoft Purview compliance portal is retired orwill be retired soon.

To learn more about the Microsoft Purview portal,see Microsoft Purview portal. To learn more about the Compliance portal,see Microsoft Purview compliance portal.

  1. Open Microsoft Purview portal and navigate to Data Loss Prevention > Overview > settings gear icon in the upper right corner > Data Loss Prevention > Endpoint DLP settings > Network share groups.
  2. Select + create network share group .
  3. provide a Group name .
  4. Add the file path to the share.
  5. Select Add .
  6. add other share path to the group as need .
  7. Select Save and then Close .
  1. Open Microsoft Purview compliance portal > Data loss prevention > Overview > Data loss prevention settings > Endpoint settings > Network share groups.
  2. Select + create network share group .
  3. provide a Group name .
  4. Add the file path to the share.
  5. Select Add .
  6. add other share path to the group as need .
  7. Select Save and then Close .

VPN settings

usethe VPN list to control only those actions that are being carried out over that VPN.

note

This feature is is is available for device run any of these version of Windows :

  • Windows 10 and later (21H1,21H2) with KB 5018482
  • Windows 11 21H2,22H2 with KB 5018483
  • Windows 10 RS5 ( KB 5006744 )

When you list a VPN in VPN Settings,you can assign the following policy actions to them:

  • allow (audit with no user notifications oralerts)
  • audit only ( you is add can add notification and alert )
  • block with override (blocks the action,but the user can override)
  • block (blocks no matter what)

These actions can be applied individually orcollectively to the following user activities:

  • copy to clipboard
  • Copy to a USB removable device
  • copy to a network share
  • Print
  • Copy ormove using unallowed (restricted) Bluetooth app
  • Copy ormove using RDP

When configuring a DLP policy to restrict activity on devices,you can control what happens to each activity performed when users are connected to your organization within any of the VPNs listed.

usethe Server address orNetwork address parameters to define the VPN allowed.

Get the Server address orNetwork address

  1. On a DLP monitored Windows device,open a Windows PowerShell window as an administrator.
  2. Run the following cmdlet,which returns multiple fields and values.
Get - vpnconnection
  1. Among the results of the cmdlet,find the ServerAddress field and record that value. You use the ServerAddress when you create a VPN entry in the VPN list.
  2. find the Name field and record that value . The Name field map to the Network address field when you create a VPN entry in the VPN list .

add a VPN

Select the appropriate tab for the portal you’re using. Depending on your Microsoft 365 plan,the Microsoft Purview compliance portal is retired orwill be retired soon.

To learn more about the Microsoft Purview portal,see Microsoft Purview portal. To learn more about the Compliance portal,see Microsoft Purview compliance portal.

  1. Open Microsoft Purview portal and navigate to Data Loss Prevention > Overview > settings gear icon in the upper right corner > Data Loss Prevention > Endpoint DLP settings > VPN settings.
  2. Select Add oredit VPN addresses.
  3. Provide either the Server address orNetwork address that you recorded after running Get - vpnconnection.
  4. Select Save.
  5. Close the item.
  1. Open Microsoft Purview compliance portal > Data loss prevention > Overview > Data loss prevention settings > Endpoint settings > VPN settings.
  2. Select Add oredit VPN addresses.
  3. Provide either the Server address orNetwork address that you recorded after running Get - vpnconnection.
  4. Select Save.
  5. Close the item.

important

Under the Network restrictions setting,you will also see Corporate network as an option. Corporate network connections are all connections to your organizations resources. You can see if device is using a Corporate network by running the Get-NetConnectionProfile cmdlet as an administrator . If theNetworkCategoryId in the output is DomainAuthenticated,it means the machine is connected to the Corporate network. If the output is anything else,the machine is not .
In some cases,a machine can be both VPN connected and Corporate network connected. If both are selected under the Network restrictions,Endpoint DLP will apply the action based on the order. If you want the action for VPN to be the one that’s applied,move the VPN entry above Corporate network to have higher priority than the action for Corporate network.

See Scenario 9: Network exceptions for more information on configuring policy actions to use network exceptions.

See also