Microsoft Purview Endpoint DLP: How to Deploy Data Loss Prevention for Windows Endpoints

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Cloud DLP stops sensitive data from leaving through monitored cloud channels -- Exchange, SharePoint, Teams. Endpoint DLP extends coverage to the data paths cloud DLP cannot see: USB storage, local printing, screen capture, clipboard operations, and non-corporate cloud storage accessed via browser. Together they close the primary exfiltration paths. The deployment is straightforward if MDE is already deployed -- Endpoint DLP is activated via Purview compliance portal settings, no additional agent installation required.
Prerequisites: MDE Onboarding and License Verification
Endpoint DLP requires: Microsoft Defender for Endpoint (MDE) onboarded on the target Windows devices (the MDE sensor is the enforcement mechanism), Windows 10 RS5 (1809) or later, Windows 11 (any version), and a Microsoft 365 E5 or Microsoft 365 E5 Compliance license (or standalone Purview DLP add-on). Verify MDE onboarding status in the MDE portal (security.microsoft.com > Assets > Devices) -- only MDE-enrolled devices can be managed by Endpoint DLP. Verify license in the Microsoft 365 admin center: the user account must have an E5 or E5 Compliance license for the DLP policy to be enforced on their device. Without the license, DLP policies are not applied even if MDE is enrolled. Enable Endpoint DLP: in the Purview compliance portal (compliance.microsoft.com), navigate to Data Loss Prevention > Endpoint DLP settings. Enable the 'Device onboarding' option -- this is a separate toggle from MDE onboarding and must be explicitly enabled for Purview to manage DLP enforcement on MDE-enrolled devices.
Understand Endpoint DLP Monitored Activities
Endpoint DLP can monitor and optionally block the following activities on Windows endpoints: Upload to cloud service or access by unallowed browser -- detects sensitive file upload to personal cloud storage (Dropbox, Google Drive) or access via non-approved browsers. Copy to USB removable storage -- detects sensitive file copy to USB drives. Print -- detects printing of sensitive documents from any application. Copy to clipboard -- detects sensitive content being copied to clipboard. Copy to network share -- detects sensitive file copy to network shares outside the corporate environment. Access by unallowed applications -- detects when sensitive files are opened by non-approved applications (e.g., personal email client). Screen capture -- detects screenshot applications capturing content containing sensitive data. Each activity can be set to: Audit only (log the event, do not block), Block with override (block the activity but allow the user to provide a business justification to proceed), or Block (hard block, no override). Start every activity in Audit mode during the pilot -- this reveals legitimate business processes before you inadvertently block them.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
Create an Endpoint DLP Policy
In Purview compliance portal > Data Loss Prevention > Policies > Create policy. Select a policy template (Financial data, GDPR, PII, HIPAA, or custom) -- the template defines which sensitive information types the policy detects. On the 'Locations' step: select 'Devices' and choose the device groups or all devices with Endpoint DLP enabled. On the 'Policy settings' step: configure the DLP rule conditions (sensitive information type detected: credit card numbers, SSN, passport numbers, etc.) and the actions to take when a match is detected. For Endpoint DLP actions: select 'Restrict activities on devices' and configure per-activity responses (audit / block with override / block for each activity type). On the 'Test or run the policy' step: choose 'Test it out first' -- this runs the policy in simulation mode and populates the DLP activity explorer with what would have been triggered, without any user-facing enforcement. Run simulation mode for 2-4 weeks before switching to enforcement.
Configure Allowed and Unallowed Domains and Applications
Endpoint DLP policies can be scoped to allow or block specific cloud services and applications. Allowed cloud storage services: list corporate-approved cloud services (corporate OneDrive, SharePoint Online) where file uploads are permitted regardless of sensitive content type. Unallowed cloud services: list personal or unapproved services (personal Dropbox, personal Google Drive) where upload of sensitive content is blocked. Configure in Endpoint DLP settings > Unallowed cloud service domains. Allowed browsers: specify corporate-approved browsers (Edge with profile sign-in, Chrome with Device ID enforcement) where browser-based cloud uploads are monitored. Block unallowed browsers from accessing sensitive content. Application-based restrictions: configure per-application sensitivity -- applications like the corporate email client, approved cloud storage desktop apps, and approved document management tools are allowed to access sensitive files. Personal email clients, unapproved sync clients, and screen capture tools can be restricted.
Monitor Endpoint DLP Activity and Investigate Incidents
Endpoint DLP events appear in Purview compliance portal > Data Loss Prevention > Activity explorer. Filter by: activity type (upload, USB copy, print), user, device, sensitive information type, policy triggered, and date range. The Activity Explorer shows the specific file name, the sensitive content type detected (e.g., 5 credit card numbers found), the activity (USB copy), and whether it was allowed, blocked, or overridden with justification. For incident investigation: a user who has been copying sensitive files to USB weekly for three months shows up as a pattern in Activity Explorer -- this is an insider threat indicator. Integrate with Sentinel: Endpoint DLP events are available via the Microsoft Purview data connector in Sentinel. Create analytics rules for: user who triggered 10+ DLP events in the past 24 hours (excessive sensitive data handling), USB copy of sensitive files by a user who submitted their resignation last week (departing employee exfiltration risk), DLP block override with the same justification text repeated 5 times in one hour (gaming the justification workflow).
The bottom line
Endpoint DLP closes the data exfiltration gaps that cloud DLP cannot see: USB, print, clipboard, and personal cloud storage. The deployment leverages the existing MDE sensor with no additional agent. Always deploy in audit mode first to baseline legitimate activity before switching to block. Monitor the DLP Activity Explorer for pattern-of-life anomalies that indicate insider threat or compromised endpoint exfiltration.
Frequently asked questions
Does Endpoint DLP work on macOS and Linux?
Endpoint DLP has partial macOS support -- it can monitor file activities and browser upload on macOS devices enrolled in MDE. The macOS coverage is not as comprehensive as Windows (fewer activity types supported). Linux Endpoint DLP support is limited as of mid-2026. Check the current Microsoft documentation for the specific supported activities per OS version, as coverage expands with each Purview update.
Can Endpoint DLP detect data in encrypted files or password-protected archives?
No. Endpoint DLP inspects file content at the point of the activity trigger (when a file is being copied to USB, for example). If the file is encrypted before the copy occurs (a ZIP file with a password applied in advance, or an already-encrypted container), Endpoint DLP cannot inspect the contents and will not detect sensitive data within it. Encrypted containers are a known bypass for all content-inspection-based DLP. Mitigate this by monitoring for encryption tool usage (7-Zip, WinRAR creating password-protected archives) combined with subsequent file movements using behavioral analytics rather than content inspection.
How does Endpoint DLP handle false positives -- blocking legitimate business activity?
False positives are the primary reason to deploy in audit mode first. During audit mode, review Activity Explorer for flagged activities and identify legitimate business workflows (HR team regularly printing salary reports, finance team copying quarterly data to a USB for an external auditor). For each legitimate workflow: create a policy exception (add the user or device group to a DLP exception), adjust the sensitive information type detection confidence threshold, or configure an override justification workflow so the business process can proceed with documented justification. Do not deploy in block mode until the false positive rate in audit mode is under 5% of events.
Does Endpoint DLP enforce policies when the device is offline?
Yes. Endpoint DLP policies are cached on the device and enforced offline. When the device cannot reach the Purview service, the most recently cached policy continues to be enforced. DLP events that occur offline are cached locally and uploaded to the Purview activity log when connectivity is restored. The offline enforcement window is 30 days by default -- after 30 days offline, some policy behaviors may change. For remote or frequently offline endpoints (field laptops, air-gapped workstations), verify that policy cache refresh occurs when the device does connect.
Can Endpoint DLP block specific users or applications from DLP policies?
Yes. DLP policies support exclusions at multiple levels: specific users or groups can be excluded from a policy, and specific applications can be added to the 'allowed apps' list for a sensitive information type. A common example: add your data loss prevention software itself (like a backup agent) to the allowed apps list so it can access sensitive files without triggering a DLP block. Additionally, DLP policies can be scoped to specific device groups in Intune -- you can create stricter DLP policies for high-risk user segments (finance, HR) while applying baseline policies to the rest of the organization. Use scoped policies to avoid false positives for legitimate business workflows before expanding to organization-wide enforcement.
How do you investigate a Purview endpoint DLP alert to determine whether a data exfiltration incident actually occurred?
Purview endpoint DLP alerts surface in the Microsoft Purview compliance portal under Activity Explorer and in Microsoft Defender for Endpoint alerts. Investigation sequence: start with the DLP alert details to identify the triggered policy, the sensitive information type detected, the file name, and the activity (copy to USB, upload to cloud, print). Determine whether the activity was blocked or audited-only -- blocked activities stopped the exfiltration, audited-only activities mean the data left. Check the Entra ID and MDE device timeline for the user around the alert timestamp: did the user copy additional files not caught by DLP (files without the matching sensitive info type), connect a USB device, upload to personal cloud storage, or email files? Correlate with the user's recent activity in Insider Risk Management (IRM) if licensed -- IRM aggregates DLP events, browser uploads, SharePoint downloads, and Teams activity into a risk score. If the DLP alert was blocked, verify the file was not also exfiltrated through an unmonitored channel (personal webmail via browser that DLP does monitor, but a non-corporate browser installed by the user). Document the investigation findings in the Microsoft Purview alert management workflow for audit purposes.
Sources & references
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
