Use Microsoft Purview Data Loss Prevention Just-in-time protection

You can use Endpoint data loss prevention (DLP) just-in-time (JIT) protection to block all egress activities on monitored files while waiting for policy evaluation to successfully complete.

When JIT protection is enabled, and while policy evaluation is processing, Endpoint DLP blocks all egress activities for each user whose account is in the selected scope. Endpoint DLP audits the egress activities for all user accounts that have been excluded (via the Exclude setting) or are otherwise not in scope.

Applies to

JIT protection for Endpoint DLP is natively supported on the following devices:

  • Windows 10
  • Windows 11
  • in preview macOS (three latest versions)

Best practice for deploying Just-in-time protection

Step 1: Prepare your environment

Before you can deploy just-in-time protection, you must first deploy anti-malware Client version 4.18.23080 or later:

Onboarding page_Defender Mocamp version

Note

For machines with an outdated version of the Antimalware Client, we recommend disabling just-in-time protection by installing one of the following KBs:

Step 2: Deploy JIT protection

Select the appropriate tab for the portal you're using. To learn more about the Microsoft Purview portal, see Microsoft Purview portal. To learn more about the Compliance portal, see Microsoft Purview compliance portal.

  1. Sign in to the Microsoft Purview portal.

  2. Select Settings > Data Loss Prevention > Just-in-time protection.

  3. Under Choose which locations to monitor, select the checkbox next to Devices.

  4. Under Fallback action in case of failure, select Allow users to complete actions. This lets the user action to complete if the classification fails.

Caution

Do NOT choose the Block users from completing actions option until you fully understand the impact of this feature.

You should validate your settings at each stage until the number of events is stable and you have a good understanding of the possible size of the user group you want to apply Enforce mode to, based on the following telemetry calculations.

Step 3: Estimate the number of JIT protection events for your deployment

Estimate the impact of deploying JIT protection by performing the following calculation based on the events on the activity explorer:

  • N = The number of unique machines firing JIT protection events.
  • S = The total number of machines within the scope of your deployment.

N/S yields percentage of machines that may experience a JIT protection “block” event.`

With this information, you should know how many machines will be affected by implementing the JIT Block mode when you expand the scope, and how many possible support tickets you may see. Then, you can decide whether or not to expand the scope.

Step 4: Fine-tune JIT protection through other Additional settings

In addition to Fall back in case of failure, as described in Step 1, you can also use following settings to fine-tune JIT protection:

  • Control copying to clipboard: Turn this on if you want to prevent users from copying content to the clipboard while JIT protection is evaluating the file.

Note

Turning on Control copying to clipboard might impact user's productivity. Be sure to test the impact on productivity before turning this setting on.

  • App exclusions for Windows: Apps you include here won't be evaluated by JIT protection on Windows devices.

  • File path exclusions for Windows: Files in these locations won't be evaluated by JIT protection.

Note

The difference between the file path exclusions setting here and the Data loss prevention > Settings > Endpoint settings > File path exclusions for Windows setting is that:

  • The file path exclusions setting here only excludes specific file paths from JIT protection. In all other cases, Microsoft Purview still applies Endpoint DLP classification and protection for files in those folders.
  • The File path exclusions for Windows setting found via Data loss prevention > Settings > Endpoint settings > File path exclusions for Windows prevents Purview from applying Endpoint DLP classification and protection for files under the specified folders.
  • File extension exclusions: Files with these extensions aren't evaluated by JIT protection.
  • Step 5: Deploy JIT protection in 'Block users from completing actions' for the 'Fallback action in case of failure' setting

This configuration only controls the enforcement mode that DLP should apply when classification fails. No matter which value you select here, the relevant telemetry displays in activity explorer.