Troubleshooting endpoint data loss prevention configuration and policy sync

This article provides detailed instructions for:

  1. Determining the device configuration and policy sync status values for Windows devices and macOS devices that have been successfully onboarded into Microsoft Purview Data Loss Prevention (DLP).
  2. Identifying and resolving any issues with the configuration status and the policy sync status.
  3. Reviewing and understanding the device attributes that are available for each device and what they mean.

Device configuration and policy sync status values

The Configuration status and the Policy sync status of all your onboarded devices each have three possible values.

The Configuration status value shows you whether the device is configured correctly, whether it is sending a heartbeat signal to Purview, and the last time the configuration was validated. For Windows devices, configuration includes checking the status of Microsoft Defender Antivirus always-on protection and behavior monitoring.

The Policy sync status shows you if the device received the latest policy version, or if the corresponding policies synced successfully to the device.

Field value: Updated
  Configuration status: Device health parameters are enabled and correctly set. This status indicates that the device's configuration is up to date with the recommended settings.
  Policy sync status: Device is up to date with the current versions of policies.

Field value: Not updated
  Configuration status: Certain settings may need attention. Follow the steps in the workflow diagram to address issues. You may need to enable the configuration settings for this device. Follow the procedures in Microsoft Defender Antivirus always-on protection.
  Policy sync status: This device hasn't synced the latest policy updates. It may take up to 2 hours for the status in the devices list to update. Follow the steps in the workflow diagram to address issues.

Field value: Not available
  Configuration status: Device properties aren't available in the device list. This could be because the device doesn't meet the minimum OS version needed to provide visibility into its properties or configuration, or because the device was just onboarded. Follow the steps in the workflow to address issues.
  Policy sync status: Device properties aren't available in the device list. This could be because the device doesn't meet the minimum OS version needed to provide visibility into its properties or configuration, or because the device was just onboarded. Follow the steps in the workflow to address issues.

Important

Devices must be online for the policy update to happen. If the status isn't updating, check the last time the device was seen.

Device attribute details

To maintain overall device health from a DLP perspective, it's important to go beyond determining the configuration and policy sync status and troubleshooting any issues found there. You also need to understand the attributes of an onboarded device, because their values provide useful information for tracking device health.

Last seen: The most recent time that the device was determined to be online.
Last policy sync time: The timestamp of the most recent instance when the device downloaded the latest policy versions.
OS: The current operating system.
Defender engine version: The version of the antivirus engine on the device.
Defender Mocamp version: The version of the Defender client.
MDATP device ID: The unique identifier assigned to this device.
Valid user: Indicates whether the currently logged-on user has a corresponding Entra ID account and is in scope of a DLP policy that's targeted at Devices.
Sensitive Data Activity: Provides a view of all sensitive data activity for this device for the last 30 days.
Advanced classification bandwidth usage exceeded: Shows whether the bandwidth usage limit for Advanced Classification has been exceeded in the past 24 hours.
Endpoint DLP status: Shows whether Endpoint DLP is enabled or disabled for the device.

Configuration and policy sync troubleshooting workflow

This diagram provides a workflow that walks you through the steps for diagnosing and resolving configuration and policy synchronization status for onboarded devices.

[Diagram: workflow for diagnosing and resolving configuration and policy synchronization status for onboarded devices]

Check configuration status and resolve issues

Select the appropriate tab for the portal you're using. Depending on your Microsoft 365 plan, the Microsoft Purview compliance portal is retired or will be retired soon.

To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

  1. Sign in to the Microsoft Purview portal > Settings (gear icon in the upper right-hand corner) > Device onboarding > Devices.
  2. You can apply filters to narrow down the list of devices and simplify your investigation.
  3. Select a device to open the details pane for more information on the configuration status.
  4. If the status is Updated, the device is configured correctly. No further action is required. You can move on to Check policy sync status and resolve issues.
  5. If the status is either Not available or Not updated, follow the remediation steps in the details pane and the steps in the workflow diagram.

Check policy sync status and resolve issues


  1. Sign in to the Microsoft Purview portal > Settings (gear icon in the upper right-hand corner) > Device onboarding > Devices.
  2. You can apply filters to narrow down the list of devices and simplify your investigation.
  3. Select a device to open the details pane for more information on the policy sync status.
  4. If the status is Updated, the device has successfully received the latest policy version. No further action is required. You can move on to Check device details.
  5. If the status is either Not updated or Not available, follow the remediation steps in the details pane and the steps in the workflow diagram.

Check device details


  1. Sign in to the Microsoft Purview portal > Settings (gear icon in the upper right-hand corner) > Device onboarding > Devices.
  2. You can apply filters to narrow down the list of devices and simplify your investigation.
  3. Select a device to open the details pane for more information on the specific device attributes under Device details.

Collect evidence for a support ticket

If self-remediation hasn't been successful, it's time to gather evidence and open a support ticket so that support can perform a comprehensive analysis.

From the Device details section, record the values for these fields:

  • OS
  • Defender engine version
  • Defender client version
  • MDATP device ID
  • Valid user
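The following script is an added example, not part of the Microsoft article. It collects, on a Windows device, the local counterparts of the evidence listed above and of the Defender Antivirus always-on protection and behavior monitoring checks that the Configuration status depends on. It assumes the Defender PowerShell module (Get-MpComputerStatus) is present and reads the documented Defender for Endpoint onboarding state from the registry; the MDATP device ID and Valid user values are still read from the portal's Device details pane.

```powershell
# Added example (not from the Microsoft article). Run in an elevated
# PowerShell session on the onboarded Windows device.
# Assumptions: the Defender module is available, and the onboarding state is
# stored under the Defender for Endpoint 'Status' registry key (OnboardingState = 1).

$mp = Get-MpComputerStatus
$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Settings that feed the Configuration status: always-on (real-time)
# protection and behavior monitoring must both be enabled.
$configChecks = [ordered]@{
    'Antivirus enabled'            = $mp.AntivirusEnabled
    'Real-time protection enabled' = $mp.RealTimeProtectionEnabled
    'Behavior monitoring enabled'  = $mp.BehaviorMonitorEnabled
    'Running mode'                 = $mp.AMRunningMode
    'Tamper protection'            = $mp.IsTamperProtected
}

# Evidence fields the support ticket asks for, as far as they can be read locally.
$senseStatus = Get-ItemProperty `
    -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
    -ErrorAction SilentlyContinue
$evidence = [ordered]@{
    'OS'                         = "$($os.Caption) $($os.Version)"
    'Defender engine version'    = $mp.AMEngineVersion
    'Defender client version'    = $mp.AMProductVersion
    'MDE onboarding state'       = $senseStatus.OnboardingState   # 1 = onboarded
    'Sense service status'       = (Get-Service -Name Sense -ErrorAction SilentlyContinue).Status
    'Logged-on user'             = (Get-CimInstance -ClassName Win32_ComputerSystem).UserName
}

Write-Host '== Configuration checks =='
$configChecks.GetEnumerator() | ForEach-Object { '{0,-32} {1}' -f $_.Key, $_.Value }
Write-Host '== Support ticket evidence =='
$evidence.GetEnumerator()     | ForEach-Object { '{0,-32} {1}' -f $_.Key, $_.Value }

# Flag the two settings the article calls out; a device missing either one
# should be expected to show Configuration status = Not updated.
if (-not ($mp.RealTimeProtectionEnabled -and $mp.BehaviorMonitorEnabled)) {
    Write-Warning 'Always-on protection or behavior monitoring is off; follow the Microsoft Defender Antivirus always-on protection procedures before re-checking the portal.'
}
if ($senseStatus.OnboardingState -ne 1) {
    Write-Warning 'Device does not report OnboardingState = 1; verify onboarding before troubleshooting policy sync.'
}
```

Save the printed output alongside the portal values (MDATP device ID, Valid user, Last seen) when opening the ticket.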

You can also use these links for more guidance: