Endpoint DLP: Setup & Configuration
Extend DLP beyond the cloud to Windows and macOS devices. Configure device onboarding, Endpoint DLP settings, browser extensions, and just-in-time protection for files on user devices.
Why Endpoint DLP?
Cloud DLP is like a security guard at the office door. Endpoint DLP is a guard who follows you home.
Cloud DLP protects data in SharePoint, OneDrive, Exchange, and Teams: data that lives in Microsoft's cloud. But what about the file a user downloads to a laptop? Or prints on a home printer? Or copies to a USB drive?
Endpoint DLP extends protection to the device itself. It monitors and controls what users do with sensitive files on their Windows or macOS computers: copying to USB or a network share, printing, uploading to personal cloud services, opening with unallowed apps, or pasting into a browser.
Device requirements and onboarding
Supported platforms
| Platform | Minimum Version | Onboarding Method |
|---|---|---|
| Windows 10 | x64, version 1809 (build 17763) or later; Enterprise, Pro, Education (Home is not supported) | Defender for Endpoint, Intune, Group Policy, Configuration Manager, local script |
| Windows 11 | All versions | Same as Windows 10 |
| macOS | 12 (Monterey) or later; Microsoft supports the three most recent major macOS releases, so check the current list before a rollout | Intune, Jamf Pro, local script |
Onboarding methods
| Method | Best For | Scale |
|---|---|---|
| Microsoft Intune | Cloud-managed devices already enrolled in Intune | Large scale: thousands of devices |
| Microsoft Defender for Endpoint | Devices already onboarded to Defender for Endpoint (Purview uses the same sensor and onboarding state) | Seamless: no extra deployment needed |
| Group Policy | Domain-joined Windows devices in on-premises AD | Large scale: AD-based deployment |
| Configuration Manager | SCCM/MECM managed devices | Large scale: existing SCCM infrastructure |
| Local script | Testing, pilot groups, non-domain-joined devices | Small scale: manual, per device |
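Before pushing an onboarding package at scale, it is worth confirming that a pilot device actually meets the requirements above and that the sensor is onboarded. The script below is an added example, not code from the page or from Microsoft: it checks the build (17763 is Windows 10 version 1809), the 64-bit requirement, the edition, the Defender for Endpoint "Sense" service, and the OnboardingState value under the Defender status registry key, which Purview device onboarding shares. Run it elevated on the device.

```powershell
# Added example: readiness check for an Endpoint DLP candidate device.
# Not code from the page or from Microsoft; it uses built-in cmdlets and the
# documented Defender for Endpoint status registry key. Run elevated.
function Test-EndpointDlpReadiness {
    [CmdletBinding()]
    param()

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber            # 17763 = Windows 10 version 1809

    # Endpoint DLP needs x64 and a Pro/Enterprise/Education edition (no Home).
    $is64      = $os.OSArchitecture -like '64*'
    $editionOk = $os.Caption -match 'Enterprise|Pro|Education'
    $buildOk   = $build -ge 17763

    # Purview reuses the Defender for Endpoint sensor and onboarding state, so a
    # running "Sense" service plus OnboardingState = 1 means the device will
    # appear under Purview device onboarding.
    $sense        = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $senseStatus  = if ($sense) { [string]$sense.Status } else { 'Missing' }
    $senseRunning = ($senseStatus -eq 'Running')

    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarded = $false
    if (Test-Path $statusKey) {
        $state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
        $onboarded = ($state -eq 1)
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSCaption      = $os.Caption
        Build          = $build
        BuildSupported = $buildOk
        Is64Bit        = $is64
        EditionOk      = $editionOk
        SenseService   = $senseStatus
        Onboarded      = $onboarded
        Ready          = ($buildOk -and $is64 -and $editionOk -and $senseRunning -and $onboarded)
    }
}

Test-EndpointDlpReadiness | Format-List
```

A device that reports Ready = True but still does not show up in the Purview device list is usually a licensing or sync problem rather than an onboarding one; a device with Onboarded = False and SenseService = Running has an onboarding package that never applied, which is the case to chase first.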
Endpoint DLP settings
Configure global Endpoint DLP behaviour in the Microsoft Purview portal under Settings > Data Loss Prevention > Endpoint settings (shown as Endpoint DLP settings in the older compliance portal). These settings apply to every Endpoint DLP policy in the tenant, so a mistake here, such as an over-broad exclusion or a browser left off the list, weakens all of them at once:
Unallowed apps
Define applications that cannot access sensitive files:
| Setting | What It Does |
|---|---|
| Unallowed apps (Windows) | Block listed Windows applications from opening files that match a policy; the current portal groups these as restricted apps and app groups |
| Unallowed browsers | Block listed browsers from opening files that match a policy, so the activity is pushed to Microsoft Edge or to a browser running the Purview extension, where DLP can see it |
| Unallowed Bluetooth apps | Prevent listed Bluetooth apps from transferring files that match a policy |
File path exclusions
Exclude specific folders from Endpoint DLP monitoring. This is useful for system directories, temp folders, or approved applications, but every exclusion is a blind spot: a file copied into an excluded folder is no longer evaluated, so keep exclusions to the narrowest path that works and never exclude a whole drive, a whole user profile, or the Downloads folder:
| Example Exclusion | Why |
|---|---|
| %AppData%\CompanyApp\ | Your internal app needs access to sensitive files |
| %SystemRoot%\System32\ | System files should not trigger DLP |
| %ProgramFiles%\ApprovedTool\ | An approved security tool that needs file access |
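Because an exclusion list is usually assembled from many small requests, it pays to lint it before applying it. The script below is an added example, not code from the page or from Microsoft: it flags exclusions that cover a whole drive, an entire profile or temp tree, or the user data folders where downloaded and user-created files land. The sample paths are constructed for the example (the three from the table plus two deliberately bad ones); the tenant's live values are read with `(Get-PolicyConfig).EndpointDlpGlobalSettings` in Security & Compliance PowerShell.

```powershell
# Added example: lint a proposed Endpoint DLP file path exclusion list.
# Not code from the page or from Microsoft. Every excluded path is a monitoring
# blind spot, so anything that swallows a drive, a profile, or a user data
# folder is marked for review.
function Test-DlpPathExclusion {
    param([Parameter(Mandatory)][string[]]$Exclusion)

    # Patterns are regexes; the optional trailing "\*" covers subfolder-style entries.
    $broad = @(
        @{ Pattern = '^[A-Za-z]:\\?\*?$';                                        Reason = 'whole drive excluded' },
        @{ Pattern = '^%(UserProfile|AppData|LocalAppData|Temp)%\\?\*?$';        Reason = 'entire profile/temp tree excluded' },
        @{ Pattern = '^%UserProfile%\\(Downloads|Desktop|Documents)\\?\*?$';     Reason = 'user data folder excluded' }
    )

    foreach ($path in $Exclusion) {
        $findings = foreach ($rule in $broad) {
            if ($path -match $rule.Pattern) { $rule.Reason }
        }
        [pscustomobject]@{
            Path    = $path
            Verdict = if ($findings) { 'REVIEW' } else { 'ok' }
            Reason  = ($findings -join '; ')
        }
    }
}

# Constructed sample list: the page's three exclusions plus two that should not pass.
$proposed = @(
    '%AppData%\CompanyApp\',
    '%SystemRoot%\System32\',
    '%ProgramFiles%\ApprovedTool\',
    '%UserProfile%\Downloads\',   # constructed: a tempting but dangerous exclusion
    'C:\'                         # constructed: effectively disables Endpoint DLP on the drive
)

Test-DlpPathExclusion -Exclusion $proposed | Format-Table -AutoSize
```

The first three paths come back `ok`; the Downloads entry and the drive root come back `REVIEW`. Extend `$broad` with whatever else counts as a user data location in your environment (OneDrive sync roots, mapped home drives) before running it against the real list.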
Browser extension
The Microsoft Purview browser extension for Google Chrome (a Firefox extension is also available) lets Endpoint DLP see what users upload and paste from those browsers. Microsoft Edge needs no extension: Endpoint DLP enforcement is built into Edge. Without the extension, Chrome is just another application that can read the file, and uploads to personal cloud services happen out of sight:
| Feature | Without Extension (Chrome/Firefox) | With Extension |
|---|---|---|
| Upload monitoring | Cannot see what users upload from the browser | Detects when sensitive files are uploaded to non-corporate cloud services (service domains) |
| Paste monitoring | Cannot see browser clipboard actions | Detects when sensitive content is pasted into web forms |
| Policy enforcement | No browser-level DLP | Audit, warn, or block sensitive uploads and paste actions |
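The extension only helps if users cannot skip it, so it should be force-installed rather than left to the user. The script below is an added example, not code from the page or from Microsoft: it writes the entry Chrome's `ExtensionInstallForcelist` policy expects under HKLM (the same values a GPO or Intune policy would deliver) and verifies it. `$PurviewExtensionId` is a placeholder; take the real extension ID from Microsoft's Purview extension documentation.

```powershell
# Added example: force-install the Purview extension in Chrome via the
# ExtensionInstallForcelist policy and verify the entry. Not code from the
# page or from Microsoft. $PurviewExtensionId is a PLACEHOLDER; use the ID
# from Microsoft's documentation. Run elevated, or ship the same values via GPO.
$ForceListKey       = 'HKLM:\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist'
$PurviewExtensionId = 'REPLACE_WITH_EXTENSION_ID_FROM_MICROSOFT_DOCS'   # placeholder
$ChromeUpdateUrl    = 'https://clients2.google.com/service/update2/crx'

function Get-ChromeForcedExtension {
    # Entries are string values named "1", "2", ... under the policy key.
    if (-not (Test-Path $ForceListKey)) { return @() }
    (Get-ItemProperty -Path $ForceListKey).PSObject.Properties |
        Where-Object { $_.Name -match '^\d+$' } |
        ForEach-Object { [string]$_.Value }
}

function Add-ChromeForcedExtension {
    param(
        [Parameter(Mandatory)][string]$ExtensionId,
        [string]$UpdateUrl = $ChromeUpdateUrl
    )
    $entry    = "$ExtensionId;$UpdateUrl"
    $existing = @(Get-ChromeForcedExtension)
    if ($existing -contains $entry) { return $entry }      # idempotent on re-run

    if (-not (Test-Path $ForceListKey)) { New-Item -Path $ForceListKey -Force | Out-Null }
    $used = (Get-ItemProperty -Path $ForceListKey).PSObject.Properties |
                Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { [int]$_.Name }
    $next = if ($used) { ($used | Measure-Object -Maximum).Maximum + 1 } else { 1 }
    New-ItemProperty -Path $ForceListKey -Name $next -Value $entry -PropertyType String -Force | Out-Null
    return $entry
}

function Test-ChromeForcedExtension {
    param([Parameter(Mandatory)][string]$ExtensionId)
    [bool](Get-ChromeForcedExtension | Where-Object { $_ -like "$ExtensionId;*" })
}

Add-ChromeForcedExtension -ExtensionId $PurviewExtensionId | Out-Null
if (Test-ChromeForcedExtension -ExtensionId $PurviewExtensionId) {
    "Chrome will force-install $PurviewExtensionId at the next policy refresh (check chrome://policy)"
} else {
    Write-Warning "Force-install entry missing; check permissions on $ForceListKey"
}
```

A force-installed extension cannot be disabled from chrome://extensions, which is the point. Pair this with the unallowed browsers setting so that a browser without the extension (a portable Firefox, for instance) is not an escape hatch, and confirm on a pilot device that chrome://policy lists the entry with status OK.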
Just-in-time protection
Just-in-time (JIT) protection is a newer Endpoint DLP feature that closes a timing gap. Endpoint DLP classifies files on the device in the background, so a file that has just been created or downloaded may not have been evaluated yet when the user tries to move it. JIT protection evaluates such files on demand, at the moment of the egress attempt, instead of letting the action proceed unchecked. It does not encrypt anything; encrypting files is a separate Purview Information Protection capability:
| Aspect | Detail |
|---|---|
| What it does | Holds an egress action on a file that Endpoint DLP has not yet classified until the file has been evaluated against the active DLP policies |
| When it triggers | When a user attempts an egress activity (copying to removable media or a network share, uploading from the browser, printing) on a file that has not been evaluated yet, typically one just downloaded or created |
| Outcome | Once evaluated, the matching rule's own action applies (audit, block with override, block). If evaluation cannot complete, the configured fallback action applies: Audit (allow and log) or Block |
| User experience | The action waits briefly while the file is classified; with a Block fallback, a file that cannot be classified stays on the device |
| Benefit | Removes the window between a file landing on the device and its first classification; without JIT that first copy can succeed before DLP has seen the file |
JIT protection scenario
Without JIT: a nurse downloads a report from the clinical system and copies it to USB within seconds. The file has not been classified yet, so no rule matches and the copy succeeds in the clear. With JIT: the copy is held while Endpoint DLP evaluates the file; the patient-identifier rule matches and its Block action applies, so nothing lands on the USB drive. If evaluation cannot complete, the fallback action you configured decides: Block keeps the file on the device, Audit lets the copy through and logs it.
Scenario: Dr. Liam deploys Endpoint DLP
St. Harbour Health needs to prevent patient data from leaving devices via USB or personal cloud:
- Onboarding: Clinical workstations are enrolled in Intune, so the Endpoint DLP onboarding package is pushed by Intune and the devices appear in Purview automatically
- Unallowed apps: Personal Dropbox, personal Google Drive client, WeTransfer marked as unallowed
- Browser extension: Deployed to Chrome on all clinical workstations (Edge enforces Endpoint DLP natively)
- JIT protection: Enabled on clinical workstations with the fallback action set to Block, so a file that has not yet been classified cannot be copied to USB before evaluation completes
- Policy: Block USB copy of files matching the patient health identifier sensitive information type (SIT). Block with override for printing, since nurses may need to print discharge summaries; every override is logged with the justification the nurse enters.
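The policy in the last bullet can be created from the portal or scripted. The script below is an added example, not code from the page or from Microsoft, and builds it with Security & Compliance PowerShell (the ExchangeOnlineManagement module). It assumes you hold a DLP admin role and that the patient identifier SIT is the built-in "U.K. National Health Service Number"; substitute your own and confirm the exact name with `Get-DlpSensitiveInformationType`. The policy starts in test mode so nothing is blocked until the results have been reviewed.

```powershell
# Added example: the St. Harbour Health scenario as a Purview DLP policy built
# with Security & Compliance PowerShell. Not code from the page or Microsoft.
# Assumptions: a DLP admin role, and that the patient identifier SIT is the
# built-in "U.K. National Health Service Number" (substitute your own).
Import-Module ExchangeOnlineManagement
Connect-IPPSSession                     # interactive sign-in to Security & Compliance PowerShell

$policyName = 'StHarbour-Endpoint-PatientData'
$sitName    = 'U.K. National Health Service Number'   # assumed SIT name, see above

# Device-only scope; SharePoint/Exchange/Teams stay with the cloud DLP policies.
# Test mode with notifications shows clinicians the policy tips while nothing is
# blocked yet; switch to -Mode Enable after reviewing Activity explorer.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Endpoint DLP: stop patient identifiers leaving clinical workstations' `
    -EndpointDlpLocation 'All' `
    -Mode TestWithNotifications

New-DlpComplianceRule -Name "$policyName-Rule" -Policy $policyName `
    -ContentContainsSensitiveInformation @{ Name = $sitName; minCount = '1' } `
    -EndpointDlpRestrictions @(
        @{ Setting = 'RemovableMedia'; Value = 'Block' },   # USB copy: hard block
        @{ Setting = 'Print';          Value = 'Warn'  },   # block with override for discharge summaries
        @{ Setting = 'CloudEgress';    Value = 'Block' }    # browser uploads to personal cloud (Edge / Chrome extension)
    ) `
    -NotifyUser 'LastModifier' `
    -NotifyPolicyTipCustomText 'This file contains patient identifiers. Printing requires a justification; USB copy and personal cloud upload are blocked.'

# Confirm what was created before enforcement is switched on.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, EndpointDlpLocation
Get-DlpComplianceRule -Policy $policyName | Format-List Name, EndpointDlpRestrictions
```

`Warn` is the PowerShell spelling of "block with override": the user sees the policy tip, can proceed with a justification, and the override is recorded. Keep the policy in test mode long enough to see real clinical workflows in Activity explorer; a USB block that also catches an approved device-imaging tool is the kind of thing that only shows up there.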
Marcus at NovaTech wants Endpoint DLP to block developers from uploading source code files to personal GitHub accounts via the browser. The developers use Chrome. What must Marcus deploy in addition to the Endpoint DLP policy?
Dr. Liam enabled JIT protection on clinical workstations at St. Harbour Health with the fallback action set to Block. A nurse copies a freshly downloaded file containing patient identifiers to a USB drive before Endpoint DLP has classified it. What happens to the copy, and what determines the final outcome?
Next up is Endpoint DLP: Advanced Rules & Monitoring, where you create sophisticated device-specific DLP rules and monitor what is happening on endpoints.