Let’s go through the process of onboarding a device into Microsoft Purview and then set up an Endpoint DLP policy and see how it appears to users and administrators. To onboard a Windows device, go to the Microsoft Purview admin portal. Click on settings at the very bottom of the menu blade on the left. Click device onboarding. If no devices have yet been onboarded, you’ll need to turn on device onboarding. This message is just telling us that devices onboarded with Microsoft Defender for endpoint will also appear in this device list – which is what you’d expect. And one more confirmation for good measure. Although “this might take a while” does seem a little vague. When devices are onboarded through Microsoft Defender, you need to turn device monitoring on for Endpoint DLP to work. We can see that device monitoring is on by default here, as there is the option to turn it off. Interesting. Click on onboarding. Our OS options are Windows 10 and macOS. No Windows 11 option, but we all know Windows 11 is Windows 10 with racing stripes. I’m going to onboard a machine, so I’ll select the local script option and download the package.

Before we run the script, let’s have a look at it. I can see we need to run this as admin, and a good deal of the script is adding entries to the registry, specifically the addition of Windows advanced threat protection. I’ll open a command prompt as administrator and run the script. Clearly, this is the same script used for onboarding machines to Microsoft Defender, which makes sense, but is also a little confusing after the previous messages we’ve seen in the Purview portal. Now I’ve waited a few minutes, but my machine isn’t showing up under devices, which is a little disturbing. I can run a PowerShell script to detect a newly onboarded defender endpoint device. The script closes automatically if successful and posts an alert in the portal. Let’s give it a go and see if there are any errors. I’ll open a PowerShell terminal as administrator as the script needs elevated privileges, paste it in, and run it. Ah, I need to turn off my antivirus software. Let’s try that again. Ok, the window shut without any fanfare, which is apparently a sign of success. My devices list is still empty, so let’s have a look at Alerts. Ok, here’s a new alert, but it doesn’t look like anything to do with device onboarding. Although, a default alert is generated when there is a change in the compliance score. Based on the alert’s timing, I could count it as a win.  I’m not overly concerned, as I’m Azure AD registered and meet all the software requirements. While I don’t have an E5 subscription, I am using the Purview compliance trial, so I could be an edge case, or maybe there’s a bug of some kind – which is not unheard of.

In the absence of errors, let’s press ahead and create a DLP policy targeting devices. This will be a custom policy monitoring content that’s been tagged with a sensitivity label. Under data loss prevention, select policies and click Create policy. Under categories, select custom and then custom policy under templates. Then click next. I’ll name the policy Project Bluebook, which is the name of the sensitivity label. And click next. I’ll stick with the full directory and click next. Locations will just be devices, so I’ll turn off everything else and click next. Now we’ll create the policy rules. Give the rule a name and add a condition. For the rule to be triggered by a sensitivity label, select content contains and then add sensitivity labels. From the sensitivity labels blade, select the label of interest. For me, it’s project BB. Now we select the action to perform when the rule condition is met, which will be audit or restrict activities on devices. The first or top action is service domain and browser activities, where you can configure how users interact or not with certain cloud services and internet domains. You can add restrictions in the form of groups of domains that have been set up with sensitivity service domain groups under Endpoint DLP settings.

I’ll leave service domain and browser activities as audit only, but under file activities for all apps, I’ll change the checked options to block with override. Next, I’ll turn on user notifications and set the incident report notification level to low. Click save to complete the rule setup. Here’s a summary of what we’ve created and an opportunity to add further rules. Click next. Policy mode allows you to test it out, postpone its deployment, or turn it on right away. I’ll turn it on now, which is any time from now to an hour away. Click next and then submit, followed by done.

On my desktop, I’ve got a Word document called creditcard.docx which has been tagged with the sensitivity label Project BlueBook. I’ll copy and paste it to the removable USB drive E. I get two messages. One from Windows Explorer telling me I can’t do it, and one from the Endpoint DLP policy, which gives me the ability to override the restriction with the allow button. Back in the portal, under alerts, we see the corresponding alert. Having a look at activity explorer, we can see the DLP rule matched and the file copied to removable media events.