Complete Introduction to Endpoint DLP – Microsoft 365
Welcome! Back in November 2020, Microsoft announced the general availability of Endpoint Data Loss Prevention (DLP). As it is the new kid on the block (pun intended!), I want to introduce you to Endpoint DLP, highlight its pros and cons, show how to onboard devices, and get you started configuring your very own Endpoint DLP policies and settings.
What is Endpoint DLP?
M365 Endpoint DLP is Microsoft’s take on preventing data leakage directly from the device itself. Built on the same DLP sensitive information types and sensitivity labels that you may already have in place within the Compliance Portal, Endpoint DLP can prevent and/or audit accidental or deliberate data leakage. The following activities are currently supported:
| Activity | Actions available |
|---|---|
| Uploading to a 3rd party Cloud Service | Report and Restrict |
| Unallowed browser access | Report and Restrict |
| Copy to other applications | Report and Restrict |
| Copy to USB Media | Report and Restrict |
| Copy to Network Drive | Report and Restrict |
| Printing | Report and Restrict |
| Creating an item | Reporting Only |
| Renaming an item | Reporting Only |
Only certain file types are supported at present (Endpoint DLP identifies files by their MIME type, so changes to file extensions or file names are still captured):
- Word files
- PowerPoint files
- Excel files
- PDF files
- .csv files
- .tsv files
- .txt files
- .rtf files
- .c files
- .class files
- .cpp files
- .cs files
- .h files
- .java files
No additional agents are required; it’s all built in from Windows 10 1809 onwards. For a complete description of the service, see this Microsoft article.
Prerequisites
You’ll need the following before enabling Endpoint DLP:
- Devices must be Windows 10 1809 x64 or later (with the September cumulative updates installed).
- Devices must be joined to Azure Active Directory or Hybrid Azure AD joined.
- Devices must have Antimalware client version 4.18.2009.7 or newer (even if it’s disabled).
- Devices running M365 Apps on the Monthly Enterprise Channel versions 2004-2008 must upgrade to 2009 or later.
- Devices running Office 2016 must have KB4577063 installed.
- Devices must have Microsoft Edge (Chromium) installed.
- End-users must be licensed accordingly:
  - Microsoft 365 E5 or A5
  - Microsoft 365 E5 or A5 Compliance
  - Microsoft 365 E5 or A5 Information and Governance
Onboarding devices
Before we can enable Endpoint DLP policies, the endpoints themselves must be onboarded either into the Microsoft Defender for Endpoint service or directly into the compliance portal. I will demonstrate the latter in detail, but the process is essentially the same for both.
Devices already onboarded into Microsoft Defender for Endpoints
If you already have your endpoints within Microsoft Defender for Endpoint, no further action is required in terms of device onboarding, but you must turn on device monitoring within the compliance portal: click Turn on Device Monitoring. (Note: at this point, even though no DLP policies are enabled yet, the endpoints will start being audited within the Activity Explorer.)
Note the message: any devices that are already onboarded to MDE will appear in the device list:
Device Onboarding into the Compliance Service
If devices are not enrolled into the Microsoft Defender for Endpoint service and there are no plans to do so, then we need to onboard the devices directly into the Compliance Portal. First of all, we need to turn on Device Onboarding: navigate to the compliance portal > Settings > Device onboarding and turn on the setting:
This can take approx. 15 – 30 minutes:
The Onboarding pane then becomes available. You’ll see similar options as you would for onboarding devices into Microsoft Defender for Endpoint, so if you’re familiar with that process, you’ll be right at home here. There are five ways to onboard devices into the Compliance center, the most common being Local script (ideal for testing), Group Policy, Configuration Manager and Microsoft Intune:
I will show you how to onboard devices via Microsoft Intune and Microsoft Endpoint Configuration Manager only. For this, select the relevant option and Download Package for the next steps.
Microsoft Intune Deployment
To onboard devices via Microsoft Intune, ensure that you have selected Mobile Device Management / Microsoft Intune from the deployment method and download the package:
With the package downloaded and unzipped, navigate to the MEMAC portal and create a Configuration Profile under Windows, selecting the profile type Windows Defender ATP (Windows 10 Desktop):
Set an appropriate Name and Description. On the Configuration Settings page, select Onboard and select the .onboarding file previously downloaded from the Compliance Center; all other settings can be left as defaults:
Next, select which users/devices are to receive the assignment. After some time, once the configuration profile has run against the device, the device will appear within the Compliance center, like so:
Microsoft Endpoint Configuration Manager Deployment
To onboard devices via Microsoft Endpoint Configuration Manager, ensure that you have selected Microsoft Endpoint Configuration Manager from the deployment method and download the package:
Within your MECM console, navigate to the Assets and Compliance pane, Endpoint Protection, and select Create Microsoft Defender ATP Policy:
Set a Name and Description for your ATP policy, tick the terms and conditions box and set the policy type to Onboarding:
Browse to the .onboarding file downloaded previously from the Compliance Center (there is no requirement to enter workspace IDs or keys):
All remaining options can be left as default. Once the policy is created, deploy it to your device collections (the recommendation is to deploy this policy to a subset of test devices first). Once deployed, the device should be visible within the Compliance center devices view:
Configuring DLP Settings
Now that we have our devices onboarded into our Compliance Center, we need to configure our DLP Settings. Do not confuse these with DLP Policies; those are different, more on that later. DLP settings are GLOBAL settings that apply to all devices onboarded into the service. Let’s break these down. Here’s a full screenshot of the DLP settings page within the Compliance center, under Data Loss Prevention, Endpoint DLP Settings:
File Path Exclusions
Pretty straightforward: these locations are exempt from any DLP policies that you later apply. You could choose to have no paths here, and if you do insert a few paths, I would recommend not making them public knowledge, otherwise they could be misused, leaving you open to potential data leakage. Here’s an example of what I have set (Note: make sure you check with your security personnel which paths, if any, need excluding):
To add an additional exclusion, simply click Add file path exclusion; a new window will appear, type in the path and select the plus symbol:
Unallowed Apps
List the applications that should take effect when the Access by unallowed apps and browsers setting within a DLP policy is set to block, block with override or audit a protected file being accessed by one of the listed applications. In this example, I will block NotePad++.exe (Note: only the executable name is applicable here, do not list file paths):
As above, click Add or edit unallowed apps to add or amend an entry, then type in a friendly name and the executable name (.exe):
Browser and Domain Restrictions to Sensitive Data
This section is broken up into two subsections, Unallowed Browsers and Service Domains.
Unallowed Browsers
Adding browser executable names to this list will prevent protected content from being opened in them; a toast notification will appear to the end-user asking them to use Edge Chromium instead if the DLP policy is set to Block.
Service Domains
This is a list of URLs to which uploads of sensitive information are either allowed or blocked (or blocked with override) when using the Edge Chromium browser. If the setting is set to Block, end-users will not be able to upload sensitive information to those specific URLs only. If set to Allow, end-users will only be able to upload sensitive information to those URLs. (Note: wildcards are not supported here; you cannot add google.com to cover drive.google.com, if you want to block drive.google.com then you need to explicitly add it.)
Once you have your DLP settings in place, it’s time to configure your actual Endpoint DLP policies.
Configuring DLP Policies
Within the Compliance portal, under Data Loss Prevention, Policies, create a new policy:
Select the category of sensitive information that you wish to prevent from leaking from the organisation. You could use a custom policy, which can be used in conjunction with your Sensitivity Labels; check with your organisation what type of information they wish to protect. For the purpose of this demo, I will select the U.K Financial Data template, which contains the following Sensitive Information Types:
- Credit Card Number
- EU Debit Card Number
- SWIFT Code
Set a Name and Description for the DLP policy (best practice is to at least prefix your DLP policies with the locations and users to which the policy applies, e.g. Finance Dept – Endpoint DLP – U.K Financial Data):
On the locations page, it’s best practice to have a separate DLP policy per location type, to ensure all options, such as actions, exceptions, etc. are available. For example, if you were to select both Exchange and SharePoint, not all of the Exchange exceptions will be available to you, but they will be present if you select just Exchange. Here’s what I mean; these are the conditions available when both Exchange and SharePoint locations are selected:
And when only Exchange is selected:
Moving on, I will select Devices for Endpoint DLP. Also note that you can only assign and exclude DLP policies for Users or Groups; devices aren’t applicable. Even though we are utilising Endpoint DLP, all devices will receive all device-type DLP policies, but it is the user performing the action who will be subject to the restrictions. For this demo I will apply the policy to all users:
On the next page, choose to review and customise from the template or go advanced; I’ll pick the former:
The option to add additional sensitive information types is available; I don’t need to add any, so I’ll move on:
Protection actions: this is where you can select whether end-users receive notifications when their actions match the policy, and you can customise the tips and email. I’ve made a change from the defaults for the number of sensitive items threshold: the default is 10, and I’ve lowered this to 1, so in this example if even 1 credit card number is detected, the DLP policy will take effect. You can have different actions per the number of detected breaches, for example, 1-5 allow with an override, but anything 6+ completely block.
You can also set up incident reports to be emailed (you could use a shared mailbox here if required for legal purposes) and send alerts to the Compliance and Security & Compliance centers each time this DLP policy is triggered, or when it is triggered a number of times within a given timeframe. Here are my settings for the sake of this demo, but run through these options with your security team or client:
On the Customize access and override settings page, you’ll see a new section, Audit or restrict activities on Windows devices; this is directly applicable to Endpoint DLP policies only. Here’s what I’ve configured (take a note of these for our demo later on):
Test or turn on the policy? Here’s the lowdown on the options. For the sake of this demo, I will turn it on straight away (this actually took 2+ hours to take effect in my demo tenant):
Review your settings and wait (Microsoft states 30 minutes or so, but I found this to be around 2 hours):
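To make the threshold and tiered-action logic concrete, here is an added example (my own code, not code from the original post or from Microsoft) that plays the role of the Credit Card Number sensitive information type over a constructed text sample and maps the number of detections to an action. The regex, the Luhn stand-in, the tier table and the sample rows are all assumptions for illustration; the thresholds mirror the ones described above (threshold 1; 1-5 matches block with override, 6+ block outright).

```python
import re

# Added example, not code from the original post or from Microsoft. A simplified
# stand-in for the "Credit Card Number" sensitive information type and the per-count
# action tiers the walkthrough describes (threshold 1; 1-5 matches block with
# override, 6+ matches block outright). The sample rows below are constructed.

# Candidate: 13 to 16 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,15}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum, which the built-in Credit Card Number type also applies."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the candidates that pass the checksum, as digit-only strings."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            found.append(digits)
    return found


# Action tiers as (min_count, max_count or None, action); a count of 0 falls through.
ACTION_TIERS = [
    (1, 5, "BlockWithOverride"),
    (6, None, "Block"),
]


def decide_action(count: int) -> str:
    """Map the number of detected items to the configured action."""
    for lo, hi, action in ACTION_TIERS:
        if count >= lo and (hi is None or count <= hi):
            return action
    return "Allow"


def evaluate_document(text: str) -> tuple[int, str]:
    """Count valid card numbers in the text and return (count, action)."""
    count = len(find_card_numbers(text))
    return count, decide_action(count)


# Constructed sample content standing in for "Contoso Purchasing Data - Q1.xlsx".
SAMPLE_FEW = """Supplier   Card on file
Northwind  4111 1111 1111 1111
Fabrikam   5555-5555-5555-4444
Invoice ref 1234567890123456 (16 digits, but fails the checksum)
"""

SAMPLE_MANY = "\n".join([
    "4111111111111111", "5555555555554444", "378282246310005",
    "4012888888881881", "6011111111111117", "5105105105105100",
])

if __name__ == "__main__":
    for name, doc in (("few", SAMPLE_FEW), ("many", SAMPLE_MANY)):
        count, action = evaluate_document(doc)
        print(f"{name}: {count} card number(s) detected -> {action}")
```

The point of the checksum step is that a 16-digit invoice reference does not count towards the threshold, which is also why the real sensitive information type combines a pattern with validation rather than matching digits alone; tuning the tier table is the equivalent of the per-count actions configured in the policy wizard.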
Testing
So at this point, you should be in a good place, having onboarded a test device and configured your DLP settings and policies. On the test device, with an in-scope user, let’s try to copy a file that contains sensitive information: the document Contoso Purchasing Data – Q1.xlsx contains dummy credit card numbers. Remember the configuration of the Endpoint DLP settings and our DLP policy.
Upload to Cloud Service Domains or access by unallowed browsers
Attempting to upload the sensitive Excel spreadsheet to drive.google.com using Google Chrome: we’ve specifically allowed only the drive.google.com URL, but we’ve also blocked Google Chrome as an unallowed browser via our DLP settings. So even though drive.google.com is allowed, because we’re using Google Chrome the action is blocked with override as per the DLP policy, and the following end-user experience is shown:
Now, let’s try uploading the same spreadsheet to drive.google.com but using Edge instead; this went straight through without any prompts:
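To tie the DLP Settings section together with this upload test, here is an added example (my own code, not code from the original post or from Microsoft) that models how the global settings (file path exclusions, unallowed apps, unallowed browsers and service domains) combine with the policy action. The exclusion folder, the example executables and paths, and the "NotEvaluated" outcome for browsers on neither list are assumptions for illustration; msedge.exe is the Edge executable name, and the service-domain behaviour follows the Allow/Block description given earlier (exact host match, no wildcards).

```python
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Added example, not code from the original post or from Microsoft: a small model of
# how the global Endpoint DLP settings (file path exclusions, unallowed apps,
# unallowed browsers, service domains) combine with the policy action. The lists,
# paths and hostnames below are constructed to match the demo; msedge.exe is the
# Edge executable name, everything else here is an assumption for illustration.

FILE_PATH_EXCLUSIONS = [r"C:\Temp\Scratch"]        # hypothetical excluded folder
UNALLOWED_APPS = {"notepad++.exe", "notepad.exe"}   # executable names only, no paths
UNALLOWED_BROWSERS = {"chrome.exe"}                 # executable names only, no paths
SERVICE_DOMAINS = {"drive.google.com"}              # exact host names, no wildcards
SERVICE_DOMAIN_MODE = "Allow"                       # "Allow" or "Block"
POLICY_ACTION = "BlockWithOverride"                 # as chosen in the demo policy
EDGE = "msedge.exe"                                 # service domains are enforced in Edge


def exe_name(process_path: str) -> str:
    """The settings list only the executable name, so reduce any path to its file name."""
    return PureWindowsPath(process_path).name.lower()


def is_excluded_path(file_path: str) -> bool:
    """True when the file sits under an excluded folder (case-insensitive prefix match)."""
    parts = PureWindowsPath(file_path.lower()).parts
    for excluded in FILE_PATH_EXCLUSIONS:
        prefix = PureWindowsPath(excluded.lower()).parts
        if parts[: len(prefix)] == prefix:
            return True
    return False


def evaluate_app_access(process_path: str, file_path: str, is_sensitive: bool,
                        policy_action: str = POLICY_ACTION) -> str:
    """Action for 'Access by unallowed apps': only sensitive, non-excluded files are restricted."""
    if not is_sensitive or is_excluded_path(file_path):
        return "Allow"
    if exe_name(process_path) in UNALLOWED_APPS:
        return policy_action
    return "Allow"


def evaluate_upload(process_path: str, url: str, is_sensitive: bool, *,
                    mode: str = SERVICE_DOMAIN_MODE,
                    policy_action: str = POLICY_ACTION) -> str:
    """Action for 'Upload to cloud service domains or access by unallowed browsers'."""
    if not is_sensitive:
        return "Allow"                       # non-matching content is never restricted
    exe = exe_name(process_path)
    if exe in UNALLOWED_BROWSERS:
        return policy_action                 # unallowed browser wins, even for an allowed domain
    if exe != EDGE:
        return "NotEvaluated"                # assumption: other browsers are outside this example
    host = (urlsplit(url).hostname or "").lower()
    listed = host in SERVICE_DOMAINS         # google.com does not cover drive.google.com
    if mode == "Block":
        return policy_action if listed else "Allow"
    return "Allow" if listed else policy_action   # Allow mode: only listed hosts may receive data


if __name__ == "__main__":
    doc = r"C:\Users\alice\Documents\Contoso Purchasing Data - Q1.xlsx"
    chrome = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
    edge = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
    print("Chrome -> drive.google.com:", evaluate_upload(chrome, "https://drive.google.com/", True))
    print("Edge   -> drive.google.com:", evaluate_upload(edge, "https://drive.google.com/", True))
    print("Edge   -> google.com      :", evaluate_upload(edge, "https://google.com/", True))
    print("Notepad++ opens document  :", evaluate_app_access(r"C:\Tools\notepad++.exe", doc, True))
```

Two design points are worth noting when you compare this with the console: the browser check is evaluated before the domain list, which is why Chrome to an allowed domain still produces the policy action, and the host comparison is an exact string match, so adding google.com does nothing for uploads to drive.google.com.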
Copying to clipboard
Within the Excel spreadsheet, I will copy a few credit card numbers to the clipboard. Notice that it allows me to do so, as there may be a legitimate reason for it, e.g. pasting into a different area of the same document, but if I paste this data into Notepad.exe, the toast notification appears blocking it as per our DLP policy:
Also, after clicking Review Files, a window appears detailing from which application the action was blocked:
Copy to USB Removable Media
I’m unable to show you this action as I’m working with a VM, but as per our DLP policy this action would be blocked and the toast notification would look very similar to copying to a network drive, with a message stating ‘Saving to removable media with Contoso Purchasing Data – Q1.xlsx is not allowed‘.
Copying to Network Drive
Copying the entire Excel spreadsheet to a network drive, a toast notification appears, giving me the option to allow as per our DLP policy where we selected Block with Override, but informing me that I must repeat the action for it to take effect:
After allowing and pasting the file again, the document is present on my network location:
Access by unallowed apps
Attempting to open the sensitive Excel spreadsheet using NotePad++.exe is blocked as per our DLP policy and DLP settings:
Attempting to print the document is blocked:
Alerting \ Monitoring
Alerts
If alerting was configured within the DLP policy, these alerts will be present within the Compliance portal’s DLP alerts view. From here you’ll be able to see the following alert detail:
Selecting the Events tab:
Drilling down into the event:
On the Sensitive Info Types tab:
Also, if admin email notifications were configured, these will appear like so:
Monitoring
Regardless of DLP policy settings, all actions on devices are monitored and appear within the Activity Explorer in the Compliance center. Activity Explorer data retention is currently 60 days, and we can see which DLP policies were applied, which sensitive information types were detected, what action was taken on an event, and much more. (Note: there is an approx. 5 minute delay between the action taking place and the activity being recorded within the Activity Explorer):
After selecting one of the activities, the following data is collected:
Tip: using the Activity Explorer with DLP policies in audit mode only is a great way of seeing what DLP policies and templates would be needed within your environment.
Important Considerations
A couple of observations I’ve discovered that will assist you in troubleshooting or understanding some of the caveats presented when implementing Endpoint DLP via Microsoft 365, in no particular order:
- Endpoint DLP policies take approx. 2 hours to fully apply
- Endpoint DLP policies do not apply to documents that have sat on your devices for a long period of time. For example, if you have an Excel spreadsheet in your Documents folder that contains credit card information and this file hasn’t been edited or created after the DLP policy was applied, then the restrictions in your DLP policy will not apply. At present, Endpoint DLP only applies to files created or modified after the policy is applied. I personally ran into this behaviour when testing, and this may be a deal-breaker for many organisations at this point in time; however, I believe Microsoft is working on this and an update is expected in the next few months to also apply Endpoint DLP policies on file read, rather than just on files created or modified after the DLP policy is applied.
- At present, there is no way to allow exceptions for specific network locations or corporate-only printers; the settings you see within the Endpoint DLP Settings are applied globally, so be aware of this. I suspect that Microsoft will address this going forward.
- For any activities within the DLP policy configured to Block with Override, once the end-user has clicked allow on the toast notification, the action must be repeated by the end-user for it to succeed.
- Auditable events within the Activity Explorer currently have a 60-day retention in place and activities typically have a 5-minute delay before being present within the Activity Explorer view.
- During our testing, if a sensitive document is added to a ZIP archive then the Endpoint DLP policies are not enforced. This is not expected behaviour and I suspect a fix will be rolled out by Microsoft shortly.
Resources
- https://docs.microsoft.com/en-us/microsoft-365/compliance/endpoint-dlp-learn-about?view=o365-worldwide
- https://docs.microsoft.com/en-us/microsoft-365/compliance/endpoint-dlp-getting-started?view=o365-worldwide
- https://docs.microsoft.com/en-us/microsoft-365/compliance/endpoint-dlp-using?view=o365-worldwide
- https://www.yammer.com/askipteam/#/home