Endpoint DLP Settings Demo

This course focuses on how data loss prevention (DLP) policies are used with endpoints within Microsoft 365. Most of the demonstrations take place within the Microsoft Purview portal, with scripts run locally from the command prompt and PowerShell terminals.

Learning Objectives

  • Understand the types of protection offered by endpoint DLP policies on devices
  • Learn how to onboard a device to endpoint DLP
  • Learn how to create a DLP policy to control and report activities on a device

Intended Audience


This is an intermediate-level course, so an understanding of the fundamentals of Microsoft 365 would be beneficial.


Endpoint DLP settings, found under Data loss prevention, is where you fine-tune how DLP policies interact with devices. Turning on advanced classification scanning and protection gives users a better experience by sending data classification results back to the local device. You can specify which of a device's local folders should be excluded from endpoint DLP policies, along with which apps are restricted and which Bluetooth apps are prohibited.

Browser and domain restrictions to sensitive data contain three subsections. Unallowed browsers lets you specify which web browsers are prohibited; users of those browsers are redirected to Microsoft Edge. Service domains apply an allow or block action to the domains you add. Allow does not enforce DLP policies on the listed sites but still audits activity; conversely, block applies DLP policies to the listed domains. Be aware that service domain settings are only enforced by Microsoft Edge, or by Google Chrome running the Microsoft Purview Chrome Extension, which is why this setting sits right next to unallowed browsers. Note, too, that Chrome will not be blocked if it has the Purview extension installed, since the extension gives it the same functionality and control as Edge. You can configure up to 50 service domains.

Sensitive service domains let you audit, block, or block with override for users when they attempt to print, copy data, save as local files, or upload sensitive data to a website listed here. Multiple domains can be added to a group, and that group can then be referenced in a DLP policy rule.


There are settings for most of the actions you can configure as part of DLP policy rules, except for an explicit remote desktop setting. Always audit file activity for devices sets file-monitoring behavior in relation to policy settings. There are also settings for printers, removable USB devices, and network shares, along with VPN settings.
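The following is an added example, not part of the course material or Microsoft's own sample code, showing how a device-scoped DLP policy that reports (rather than blocks) the print, removable-media, network-share and copy/paste actions described above can be created from the Security & Compliance PowerShell module. It assumes the ExchangeOnlineManagement module is installed, the account holds a compliance administrator role, and that the policy name, rule name and UPN are placeholders; the Setting/Value names follow the documented hashtable syntax for -EndpointDlpRestrictions, so verify the accepted values in your tenant before relying on them.

```powershell
# Added example (not from the course): create an Endpoint DLP policy that audits
# device actions so alerts can be reviewed before enforcement is turned on.
# Assumptions: ExchangeOnlineManagement module installed, compliance admin rights,
# placeholder names/UPN below.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@contoso.example'   # placeholder UPN

$policyName = 'Endpoint DLP - Device Activity Audit'             # placeholder name

# Scope the policy to all onboarded devices and run it in test mode:
# TestWithNotifications audits activity and shows policy tips, but blocks nothing.
New-DlpCompliancePolicy -Name $policyName `
    -Comment 'Audit print, USB, network-share and copy/paste activity on devices' `
    -EndpointDlpLocation All `
    -Mode TestWithNotifications

# Rule: when content contains at least one credit card number, audit the
# device actions that the Endpoint DLP settings page controls. Setting names
# use the @{Setting=...; Value=...} syntax; confirm the accepted names with
# Get-Help New-DlpComplianceRule -Parameter EndpointDlpRestrictions.
New-DlpComplianceRule -Name "$policyName - Credit Card" -Policy $policyName `
    -ContentContainsSensitiveInformation @(@{ Name = 'Credit Card Number'; minCount = '1' }) `
    -EndpointDlpRestrictions @(
        @{ Setting = 'Print';          Value = 'Audit' },
        @{ Setting = 'RemovableMedia'; Value = 'Audit' },
        @{ Setting = 'NetworkShare';   Value = 'Audit' },
        @{ Setting = 'CopyPaste';      Value = 'Audit' }
    ) `
    -ReportSeverityLevel Medium

# Review what was created; switch the policy to -Mode Enable once the
# audit results look right, changing individual actions to Block as needed.
Get-DlpCompliancePolicy -Identity $policyName | Format-List Name, Mode, EndpointDlpLocation
Get-DlpComplianceRule -Policy $policyName | Format-List Name, EndpointDlpRestrictions
```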

About the Author

Hallam is a software architect with over 20 years' experience across a wide range of industries. He began his software career as a Delphi/Interbase disciple but changed his allegiance to Microsoft with its deep and broad ecosystem. While Hallam has designed and crafted custom software utilizing web, mobile and desktop technologies, good quality reliable data is the key to a successful solution. The challenge of quickly turning data into useful information for digestion by humans and machines has led Hallam to specialize in database design and process automation. Showing customers how to leverage new technology to change and improve their business processes is one of the key drivers keeping Hallam coming back to the keyboard.