Endpoint DLP settings, under data loss prevention, is where you can fine-tune how DLP policies interact with devices. Turning on advanced classification scanning and protection will provide a better experience for users by sending data classification results back to the local device. You can say which of the device’s local folders should be excluded from endpoint DLP policies, along with specifying restricted apps and which Bluetooth apps should be prohibited. Browser and domain restrictions to sensitive data contain three subsections. Unallowed browsers enable you to specify which web browsers are prohibited and will redirect the user to Microsoft Edge. Service domains have an allowed or blocked action related to added domains. Allow will not enforce DLP policies on the listed sites but will audit activities. Conversely, block will apply DLP policies to listed domains. Be aware that service domains settings are only enforced by Microsoft Edge or Google Chrome running the Microsoft Purview Chrome Extension. You can see why this setting is right next to unallowed browsers. Having said that, note that Chrome will not be blocked if it has the Purview extension installed, giving it Edge functionality and control. You can configure up to 50 service domains. 

Sensitive service domains enable you to audit, block, and block with override users when they attempt to print, copy data, save as local files, or upload sensitive data to a website listed here. Multiple domains can be added to a group, which can be added to the DLP policy rule.

There are settings related to most of the actions you can set up as part of  DLP policy rules, except for an explicit remote desktop setting. We have Always audit file activity for devices to set file monitoring behavior with regard to policy settings. We’ve got printer, removeable USB devices, and network shares, along with VPN settings.