Discover and protect your sensitive data with Endpoint Data Loss Prevention (DLP)

Mechanics Team
8 min read · Nov 12, 2020

What it is and how to set it up in Microsoft 365

Extend information protection controls beyond apps and services to device endpoints with Microsoft Endpoint Data Loss Prevention (DLP). As more and more users work outside the traditional corporate walls, Endpoint DLP lets you discover and protect sensitive data as it is being shared or transferred, natively on managed Windows 10 devices and in the new Microsoft Edge browser.

If a user inadvertently mislabels a file, DLP will still detect the sensitive information and apply the corresponding restrictions to prevent data loss. Think of DLP as an extra layer of security in a defense-in-depth approach, stopping content before it ends up in the wrong hands, whether that data has been proactively labeled or not. Join host Jeremy Chapman as he gives an overview of Microsoft Endpoint Data Loss Prevention, shows you the user experience, and shares how easy it is to set it all up.

QUICK LINKS:

01:06 — User experience: apply endpoint DLP policies at the file system level

02:18 — How it works: doesn’t slow your PC, fully cloud managed, and always up to date

03:05 — Admin experience: how to restrict printing, set up alerts, and set context

06:11 — See how to prevent specific apps from accessing protected files

06:48 — Closing notes

Link References:

Find a script-based configuration package that you can deploy with your existing tools at https://aka.ms/EndpointDLPGuide

Learn more about Endpoint DLP, and try it out for yourself at https://aka.ms/EndpointDLP

Unfamiliar with Microsoft Mechanics?

We are Microsoft’s official video series for IT. You can watch and share valuable content and demos of current and upcoming tech from the people who build it at Microsoft.

Video Transcript:

-Coming up: with more and more of us working remotely, we’re going to look at how Microsoft is extending information protection controls, beyond apps and services to device endpoints with Microsoft Endpoint Data Loss Prevention, or DLP, now generally available.

-Now, if you’re new to data loss prevention, it’s been an important part of Microsoft’s approach to information protection for the past several years, where you’ve been able to discover and protect sensitive information in your Microsoft 365 apps and services. Now the key to Microsoft’s approach here has been to provide this protection without impacting your productivity. For example, as you can see here with this Teams chat message, we alert and educate users with a policy tip that indicates that sensitive content has been detected, before it’s shared or transferred. And you as an admin can determine the actions that should be taken to prevent data loss. And the good news is that we’ve now extended DLP to your device endpoints as well. Now this means that as more and more users work outside the traditional corporate walls, natively for managed Windows 10 devices and the new Edge browser, you can discover and protect sensitive data as it’s being shared or transferred.

-Now let me start by showing you the user experience, then later I’ll show you how easy it is to set all this up. So here in this case, I’m going to attempt to copy a sensitive PDF file into Dropbox. And you can see that my organization has blocked that, so I can click OK and the file didn’t get copied. Now if I switch over to an IT-approved service, in this case Box, and I try to copy that same file, so we’ll drag that one into Box, you’ll see after it uploads that it succeeded, so everything works as planned. That’s part of the policy. What’s more powerful is that we can apply these Endpoint DLP policies at the file system level. So let me try again, this time I’m going to actually copy a file to my removable USB drive. So I’m going to use the same file, drag it into that drive, and you’ll see that I get a notification here that it’s been blocked, and I can see why it’s been blocked. Importantly here, in my case the IT team has allowed me to override that; once I do that I can copy the file over and it works. And this even works on an opened file. So I’m going to open the same PDF document here, and I’ll select some content. And you’ll see that even when I’m trying to copy that, I’m notified that the action is blocked again, with the option for me to override. Now let me explain how all of this works. So DLP is content and context aware. Endpoint DLP is natively integrated with Windows and the Microsoft Edge browser. Best of all, it doesn’t use any additional software or agents, so it doesn’t slow down your PC, and it’s fully cloud managed so it’s always up to date. Importantly, it’s capable of scanning content to discover hundreds of types of sensitive data, with built-in templates available for common industry regulations. And you can assign granular actions to be taken upon the discovery of content based on the sensitivity of the data and the context of use, such as audit, where the action is just recorded; block with override, which allows a user to proceed once they acknowledge the risk; or block outright, which ensures that users are warned and blocked from going any further.

-So now let’s take a closer look at the admin experience. We’ve made Endpoint DLP simple to deploy for your Windows 10 devices. Now if you’ve already onboarded your devices to Microsoft 365 Defender, you’re ready to go. Now, if you don’t use Microsoft 365 Defender, your devices need to be joined to Azure AD or Hybrid Azure AD. And we’ve made a script-based configuration package that you can deploy with your existing tools. And you can learn more about that at aka.ms/EndpointDLPGuide. Now, as soon as your devices are onboarded, the signals sent from these devices give you visibility into the type of data flowing in and out of your organization, as well as just how protected it is. Now in the Microsoft 365 Compliance Center, under data classification, you’ll find the activity explorer, and there you can see the top activities around your sensitive information. You can then use a number of other filters to pinpoint and investigate risky activities. So here under activity I’m going to select the ones to restrict using Endpoint DLP, like copying to the cloud, removable media, printing and copying to the clipboard. Now I can see right away that a lot of people are printing content with sensitive information. Now if I click into a specific activity like this one, I can see more details, like the sensitive information type and the DLP policy that was triggered. So let’s do something now to restrict printing. To do that, I’m going to enable a DLP policy on my endpoints to help my users understand the risks of printing sensitive information, and determine what actions I want to take. So here I’m going to jump in to my data loss prevention policies. And these can apply across my third-party clouds and my Microsoft 365 workloads with Exchange, SharePoint, OneDrive and Microsoft Teams. And I can easily extend existing policies to my endpoints. And this is going to save me time, in being able to leverage the work I’ve already done to optimize my existing policies.
So in my case, I’m going to click on edit policy. And this one already has a name, so I’m going to go ahead and click next. And here you can see the locations where the policy is being applied. Now, if you’ve used DLP before, you’ll be familiar with these locations. But here you can see there’s now an option for devices that I enabled earlier. So I’m going to click next and here I can customize the advanced DLP rules, and I already have rules configured for low volume content, so now I’ll click edit and go into that rule. And if I scroll down to actions, you can now see the types of activities that we can restrict for audit, block and block with override. Now here, you’ll see that copy to USB removable media was set to block with override as we saw earlier in the demo, as well as a number of other activity types. And now I want to restrict printing. So I’m going to select print and then block that. And while we’re here, it’s a good idea to also set up alerts. So I can go down and choose now to send an alert to my data officer Alex and my compliance manager Joni. So they can be flagged in email when your conditions are met. And once I save it, it will be enforced with the new print and alert settings.

-Now another consideration fundamental to this approach is the ability to set context, to allow people to continue to work in a responsible way where defined exclusions might be necessary. So for example, earlier I showed you controls that allowed me to upload to Box but not to Dropbox. Let me show you how you do that. So in my case, I’m going to click into Endpoint DLP settings, and I can configure things like file paths to exclude from my policy, for example if I want to allow people to continue using authorized file share locations or a specific file location in Windows. I can also add unallowed apps, and this prevents specific apps from accessing protected files, and along those same lines, I can also define unallowed browsers. And finally, as we saw before with box.com, I can allow or block cloud services by their service domains. That was a quick overview of Microsoft Endpoint Data Loss Prevention, from the user experience to the ease of setting it up. Note that the signals from Endpoint DLP feed into Microsoft 365 Defender, Insider risk management and Azure Sentinel, and you can also integrate with other SIEMs for alerting and investigation of incidents. Endpoint DLP shares the exact same classification engine for the discovery of sensitive data as used in Microsoft Information Protection solutions, like the Activity Explorer or auto-labeling. And it can provide additional protection: for example, if a user inadvertently mislabeled a file, DLP will still detect sensitive information and apply corresponding restrictions to prevent data loss.

-So think of DLP as an extra layer of security in a defense in-depth approach before content ends up in the wrong hands, whether that data has been proactively labeled or not. Now to learn more and try it out for yourself, check out aka.ms/EndpointDLP and be sure to subscribe to Microsoft Mechanics if you haven’t already. Thanks for watching and we’ll see you next time.
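The policy edits the video makes in the Compliance Center (a policy scoped to the Devices location, a rule that sets copy-to-USB and clipboard to block with override and printing to block, alert recipients, and a file path exclusion) can also be expressed in Security & Compliance PowerShell. The block below is an added example written for this page; it is not code from the video or from Microsoft's documentation. It assumes the ExchangeOnlineManagement module is installed and the signed-in account holds a compliance admin role. The policy name, rule name, sensitive information type thresholds, e-mail addresses and exclusion path are placeholders, and the "PathExclusion" setting name passed to Set-PolicyConfig is an assumption to confirm against your tenant.

```powershell
# Added example, not from the video: configure Endpoint DLP with the
# Security & Compliance PowerShell cmdlets instead of the Compliance Center UI.
# Assumptions: ExchangeOnlineManagement module installed, compliance admin
# rights, and placeholder names/addresses/paths throughout.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName "admin@contoso.com"   # placeholder UPN

$policyName = "Endpoint DLP - Financial data"                # placeholder name

# 1. Policy that covers the new Devices location. EndpointDlpLocation All
#    corresponds to turning on the "Devices" location in the policy wizard;
#    OneDrive is included so the same policy also covers that workload.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Restrict egress of financial data from managed Windows 10 devices" `
    -EndpointDlpLocation All `
    -OneDriveLocation All `
    -Mode Enable

# 2. Rule for a low-volume band of credit card numbers. Each endpoint activity
#    maps to one of the three actions shown in the video:
#      Audit = record only, Warn = block with override, Block = block outright.
$restrictions = @(
    @{ "Setting" = "RemovableMedia"; "Value" = "Warn"  },   # copy to USB: block with override
    @{ "Setting" = "CopyPaste";      "Value" = "Warn"  },   # clipboard copy from an open file
    @{ "Setting" = "CloudEgress";    "Value" = "Block" },   # upload to non-allowed cloud domains
    @{ "Setting" = "Print";          "Value" = "Block" }    # the new outright print block
)

# Placeholder alert recipients (the video's data officer and compliance manager).
$alertRecipients = @("alex@contoso.com", "joni@contoso.com")

New-DlpComplianceRule -Name "Low volume financial data" -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = "Credit Card Number"; minCount = "1"; maxCount = "9" }) `
    -EndpointDlpRestrictions $restrictions `
    -NotifyUser Owner `
    -GenerateAlert $alertRecipients `
    -ReportSeverityLevel High

# 3. Context: tenant-wide Endpoint DLP settings. The video sets file path
#    exclusions, unallowed apps/browsers and service domains in the UI; only
#    the path exclusion is shown here. "PathExclusion" as the setting name is
#    an assumption; verify it against (Get-PolicyConfig).EndpointDlpGlobalSettings.
Set-PolicyConfig -EndpointDlpGlobalSettings @(
    @{ "Setting" = "PathExclusion"; "Value" = "C:\Authorized\Share" }   # placeholder path
)

# 4. Read back what was stored before relying on it. Policies start in the
#    mode you set; use -Mode TestWithNotifications first if you want policy
#    tips without enforcement while you tune the rule.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, EndpointDlpLocation
Get-DlpComplianceRule -Policy $policyName | Format-List Name, EndpointDlpRestrictions, GenerateAlert
```

The read-back at the end matters in practice: the cmdlets accept the hashtable shape above, but a misspelled setting name in EndpointDlpRestrictions or EndpointDlpGlobalSettings can be silently dropped rather than rejected, so compare the stored rule against what you intended before assuming printing or USB copies are actually restricted on endpoints.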
