Monitoring sensitive files moved to USB

jpcapone 1,536 Reputation points
2024-11-14T21:34:36.8033333+00:00

Is there a way to use DLP policies to monitor when sensitive labeled files are moved to a USB drive on a user's laptop or PC? Is this capability available using DLP policies and Activity explorer? Would we have to onboard the devices to DLP endpoint for this to happen, or can it be done without it?


Accepted answer
Smaran Thoomu 17,520 Reputation points Microsoft Vendor
    2024-11-15T12:35:43.0766667+00:00

    Hi @jpcapone

    Welcome to Microsoft Q&A platform and thanks for posting your query here.

    Yes, you can use Data Loss Prevention (DLP) policies to monitor when sensitive files are moved to a USB drive on a user's laptop or PC.

    Here’s what you need to do:

    1. Set Up DLP on Devices: You need to set up DLP on the devices (laptops and PCs) you want to monitor. This will give you the ability to see and control what happens to sensitive files on those devices.
    2. Create DLP Rules: Make rules in the DLP settings that will watch for and possibly block sensitive files from being moved to a USB drive. These rules can alert you or stop the action if someone tries to do this.
    3. Label Sensitive Files: Make sure your sensitive files are marked with special labels that identify them as important. This helps the DLP rules know which files to watch.
    4. Use Activity Explorer: Use the Activity Explorer tool to see what users are doing with sensitive files. This tool will show you if someone tries to move a labeled file to a USB drive.

    Without onboarding devices, DLP policies will not be able to monitor or enforce restrictions for file movements on endpoints, including USB drives.

    The policies can still work for files stored or moved within cloud services, SharePoint, OneDrive, and Exchange activities, but USB monitoring requires Endpoint DLP.

    For reference: https://learn.microsoft.com/en-us/purview/dlp-policy-reference

    I hope this helps. Please let me know if you have any questions.
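As an added illustration of steps 1-4 above (this is example code, not from the answer author or from Microsoft), the following Security & Compliance PowerShell session creates an Endpoint DLP policy that audits, rather than blocks, copies of files carrying a sensitivity label to removable media, so the matches surface in Activity explorer. It assumes the ExchangeOnlineManagement module is installed, the devices are already onboarded, a label named "Confidential" exists, and the hashtable shapes for the label condition and endpoint restriction match the current cmdlet documentation; the policy and rule names are placeholders.

```powershell
# Connect to Security & Compliance PowerShell (prompts for an admin sign-in).
Connect-IPPSSession

# Placeholder names; change to match your naming convention.
$policyName = "EXAMPLE-USB-Audit-Labeled-Files"
$ruleName   = "EXAMPLE-USB-Audit-Labeled-Files-Rule"
$labelName  = "Confidential"   # assumed existing sensitivity label

# Step 1: scope the policy to the Devices location. Endpoint DLP only evaluates
# activity on devices that are onboarded; non-onboarded devices produce nothing.
# Start in test mode so nothing is blocked or shown to users while you validate.
New-DlpCompliancePolicy -Name $policyName `
    -Comment "Audit copies of labeled files to removable media (example)" `
    -EndpointDlpLocation "All" `
    -Mode "TestWithoutNotifications"

# Step 3 (condition): match content by sensitivity label rather than by pattern.
# Assumed condition syntax; verify against New-DlpComplianceRule docs.
$labelCondition = @{
    operator = "And"
    groups   = @(
        @{
            operator = "Or"
            name     = "Default"
            labels   = @(@{ name = $labelName; type = "Sensitivity" })
        }
    )
}

# Step 2: the endpoint restriction. "Audit" records the event without stopping it;
# "Warn" or "Block" are the stricter alternatives once the rule is tuned.
$usbRestriction = @(@{ Setting = "RemovableMedia"; Value = "Audit" })

New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentContainsSensitiveInformation $labelCondition `
    -EndpointDlpRestrictions $usbRestriction `
    -ReportSeverityLevel "Medium"

# Step 4: confirm the rule landed; resulting matches appear in Activity explorer
# under the DLP rule match activity for onboarded devices.
Get-DlpComplianceRule -Identity $ruleName |
    Select-Object Name, ParentPolicyName, EndpointDlpRestrictions
```

Switch the policy to `-Mode "Enable"` with `Set-DlpCompliancePolicy` only after reviewing the audit matches, since a blocking rule on removable media affects every onboarded device in scope.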

