Get started with endpoint data loss prevention

Endpoint data loss prevention (Endpoint DLP) is part of the Microsoft Purview Data Loss Prevention (DLP) suite of features you can use to discover and protect sensitive items across Microsoft 365 services. For more information about all of Microsoft's DLP offerings, see Learn about data loss prevention. To learn more about Endpoint DLP, see Learn about Endpoint data loss prevention.

Microsoft Endpoint DLP allows you to monitor onboarded Windows 10 and Windows 11 devices, and onboarded macOS devices running any of the three latest released versions. Once a device is onboarded, DLP detects when sensitive items are used and shared. This gives you the visibility and control you need to ensure that they're used and protected properly, and to help prevent risky behavior that might compromise them.

Tip

Get started with Microsoft Security Copilot to explore new ways to work smarter and faster using the power of AI. Learn more about Microsoft Security Copilot in Microsoft Purview.

Before you begin

SKU/subscriptions licensing

Before you get started with Endpoint DLP, you should confirm your Microsoft 365 subscription and any add-ons. To access and use Endpoint DLP functionality, you must have one of these subscriptions or add-ons.

  • Microsoft 365 E5
  • Microsoft 365 A5 (EDU)
  • Microsoft 365 E5 compliance
  • Microsoft 365 A5 compliance
  • Microsoft 365 E5 information protection and governance
  • Microsoft 365 A5 information protection and governance

For full licensing details, see Microsoft 365 licensing guidance for information protection.

Configure proxy on the Windows 10 or Windows 11 device

If you're onboarding Windows 10 or Windows 11 devices, check to make sure that the device can communicate with the cloud DLP service. For more information, see Configure device proxy and internet connection settings for Information Protection.

Windows 10 and Windows 11 Onboarding procedures

For a general introduction to onboarding Windows devices, see:

For specific guidance to onboarding Windows devices, see:

| Article | Description |
| --- | --- |
| Onboard Windows 10 or 11 devices using Group Policy | Use Group Policy to deploy the configuration package on devices. |
| Onboard Windows 10 or 11 devices using Microsoft Endpoint Configuration Manager | You can use either Microsoft Endpoint Configuration Manager (current branch) version 1606 or Microsoft Endpoint Configuration Manager (current branch) version 1602 or earlier to deploy the configuration package on devices. |
| Onboard Windows 10 or 11 devices using Microsoft Intune | Use Microsoft Intune to deploy the configuration package on devices. |
| Onboard Windows 10 or 11 devices using a local script | Learn how to use the local script to deploy the configuration package on endpoints. |
| Onboard non-persistent virtual desktop infrastructure (VDI) devices | Learn how to use the configuration package to configure VDI devices. |

Endpoint DLP support for virtualized environments

You can onboard virtual machines as monitored devices in Microsoft Purview compliance portal. There's no change to the onboarding procedures listed above.

The table that follows lists the virtual operating systems that are supported by virtualization environments.

| Virtualization platform | Windows 10 | Windows 11 | Windows Server 2019 | Windows Server 2022 21H2, 22H2, Data Center |
| --- | --- | --- | --- | --- |
| Azure virtual desktop (AVD) | Single session supported for 21H2, 22H2; Multi session supported for 21H2, 22H2 | Single session supported for 21H2, 22H2; Multi session supported for 21H2, 22H2 | Single session and Multi session supported | Supported |
| Windows 365 | Supported for 21H2, 22H2 | Supported for 21H2, 22H2 | Not applicable | Not applicable |
| Citrix Virtual Apps and Desktops 7 (2209 and higher) | Single session supported for 21H2, 22H2; Multi session supported for 21H2, 22H2 | Single session supported for 21H2, 22H2; Multi session supported for 21H2, 22H2 | Supported | Supported |
| Amazon workspaces | Single session supported for 21H2, 22H2 | Not applicable | Windows 10 powered by Windows Server 2019 | Not applicable |
| Hyper-V | Single session supported for 21H2, 22H2; Multi session with Hybrid AD join supported for 21H2, 22H2 | Single session supported for 21H2, 22H2; Multi session with Hybrid AD join supported for 21H2, 22H2 | Supported with Hybrid AD join | Supported with Hybrid AD join |

Known issues

  1. Endpoint DLP can't monitor or enforce the Copy to Clipboard activity in Azure Virtual Desktop environments when the action is performed via a browser. However, the same egress operation is monitored by Endpoint DLP when it's performed via a Remote Desktop Session (RDP).
  2. Citrix XenApp doesn't support access by restricted app monitoring.

Limitations

  1. Handling of USBs in virtualized environments: USB storage devices are treated as network shares. You need to include the Copy to network share activity to monitor Copy to a USB device. All activity explorer events for virtual devices and incident alerts show the Copy to a network share activity for all copy to USB events.

macOS onboarding procedures

For a general introduction to onboarding macOS devices, see:

For specific guidance to onboarding macOS devices, see:

| Article | Description |
| --- | --- |
| Intune | For macOS devices that are managed through Intune |
| Intune for Microsoft Defender for Endpoint customers | For macOS devices that are managed through Intune and that have Microsoft Defender for Endpoint (MDE) deployed to them |
| JAMF Pro | For macOS devices that are managed through JAMF Pro |
| JAMF Pro for Microsoft Defender for Endpoint customers | For macOS devices that are managed through JAMF Pro and that have Microsoft Defender for Endpoint (MDE) deployed to them |

Once a device is onboarded, it should be visible in the devices list, and should start reporting audit activity to Activity explorer.

See also