Control 1.17: Endpoint Data Loss Prevention (Endpoint DLP)
- Control ID: 1.17
- Pillar: Security
- Regulatory Reference: GLBA 501(b), FINRA 4511, SOX 404, SEC Reg S-P, PCI DSS 4.0
- Last UI Verified: February 2026
- Governance Levels: Baseline / Recommended / Regulated
- Last Verified: 2026-02-03
Objective
Extend Microsoft Purview DLP policies to Windows and macOS endpoints to prevent sensitive financial data from being transferred to removable media, uploaded to unauthorized cloud services, copied to restricted applications, or printed without authorization.
Why This Matters for FSI
- GLBA 501(b): Blocks USB and cloud transfer of customer NPI from endpoints
- FINRA 4511: Helps prevent unauthorized removal of books and records
- SOX 404: Device-level data transfer restrictions support internal controls
- SEC Reg S-P: Blocks exfiltration of customer privacy data via endpoints
- PCI DSS 4.0: Restricts removable media access for cardholder data
Control Description
This control establishes endpoint protection through:
- Device Onboarding - Onboard Windows/macOS devices to Microsoft Purview via Defender for Endpoint
- Restricted Applications - Block sensitive data access by unauthorized applications (personal email, messaging, cloud storage)
- USB and Removable Media Control - Block or audit transfers to removable storage devices
- Cloud Upload Protection - Block uploads to personal cloud services (Dropbox, Google Drive, iCloud)
- Network Share Restrictions - Block transfers to unauthorized network locations
- Just-in-Time Protection - Maintain policy enforcement during network outages
- Browser-Based DLP for Edge for Business - Monitor and restrict sensitive data pasted into AI web applications (ChatGPT, Gemini, DeepSeek, etc.) directly in Microsoft Edge for Business. This capability operates independently of Defender for Endpoint device onboarding, significantly simplifying deployment for organizations that have not completed full MDE rollout. Configured by adding "Microsoft Edge for Business" as a DLP location in Purview policies.
- Network Data Security (SASE/SSE) - Enforce DLP policies at the network level through Microsoft Entra Global Secure Access (the umbrella product that includes Microsoft Entra Internet Access and Microsoft Entra Private Access). This complements endpoint DLP by detecting and blocking sensitive data in network traffic destined for unmanaged AI applications, providing coverage for scenarios where endpoint agents are not present. Requires Microsoft Entra Suite or standalone Global Secure Access license.
Key Configuration Points
- Onboard devices via Defender for Endpoint (Group Policy, Intune, or local script)
- Configure restricted apps list (Notepad++, WinRAR, Telegram, Discord, personal email)
- Create app groups for unauthorized cloud storage and personal communication tools
- Define allowed USB devices by hardware ID (corporate-encrypted drives only)
- Configure network share groups for unauthorized locations
- Set endpoint actions per zone: Audit, Block with override, or Block (no override)
- Enable just-in-time protection for offline enforcement
- Monitor DLP for Windows Recall on Copilot+ PCs (Preview) — a new capability that extends endpoint DLP policies to Windows Recall snapshots, helping prevent sensitive data capture in AI-generated recall summaries
- Browser-based DLP: Enable Edge for Business as a DLP location in Purview policies to monitor AI web app interactions without requiring device onboarding
- Network DLP: Configure Microsoft Entra Global Secure Access security profiles to enforce DLP on network traffic to unmanaged AI applications
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal) | Audit-only for USB/cloud; clipboard allowed; print allowed; Bluetooth allowed; browser-based DLP recommended for personal AI use monitoring | Low risk, awareness-focused |
| Zone 2 (Team) | Block with override for USB/cloud; audit clipboard; audit print; Bluetooth blocked; browser-based DLP + network DLP recommended | Team data requires protection |
| Zone 3 (Enterprise) | Block (no override) for USB/cloud; block clipboard for labeled content; block Bluetooth/RDP; full endpoint + browser + network DLP required | Customer-facing requires strict controls |
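As an added example (not code from this control page or from Microsoft), the following Security & Compliance PowerShell script turns the Key Configuration Points and the Zone-Specific Requirements table above into one Endpoint DLP policy and rule per zone. It assumes Connect-IPPSSession has already been run, that the EndpointDlpRestrictions setting names and the Warn value (the portal's "Block with override") match current Microsoft Learn documentation, and it uses the built-in Credit Card Number SIT and the FSI-Zone* policy names as constructed placeholders for the organization's own SITs and naming standard.

```powershell
# Added example, not code from the control page or from Microsoft.
# Creates one Endpoint DLP policy and rule per zone via Security & Compliance
# PowerShell (ExchangeOnlineManagement module, Connect-IPPSSession already run).
# Assumptions: restriction Setting names and the Warn value (UI "Block with
# override") follow the documented EndpointDlpRestrictions format; "Credit Card
# Number" stands in for the real NPI/cardholder SITs; FSI-Zone* names are placeholders.

# Enforcement per zone, derived from the Zone-Specific Requirements table.
$zonePolicies = @(
    @{ Name = 'FSI-Zone1-Personal-EDLP'; Restrictions = @(
        @{ Setting = 'RemovableMedia'; Value = 'Audit' },
        @{ Setting = 'CloudEgress';    Value = 'Audit' } ) },
    @{ Name = 'FSI-Zone2-Team-EDLP'; Restrictions = @(
        @{ Setting = 'RemovableMedia'; Value = 'Warn'  },   # Block with override
        @{ Setting = 'CloudEgress';    Value = 'Warn'  },
        @{ Setting = 'CopyPaste';      Value = 'Audit' },
        @{ Setting = 'Print';          Value = 'Audit' } ) },
    @{ Name = 'FSI-Zone3-Enterprise-EDLP'; Restrictions = @(
        @{ Setting = 'RemovableMedia';        Value = 'Block' },  # no override
        @{ Setting = 'CloudEgress';           Value = 'Block' },
        @{ Setting = 'CopyPaste';             Value = 'Block' },
        @{ Setting = 'Print';                 Value = 'Block' },
        @{ Setting = 'RemoteDesktopServices'; Value = 'Block' } ) }
)

foreach ($zp in $zonePolicies) {
    # Idempotent: create the endpoint-scoped policy only if it does not exist yet.
    # Use -Mode TestWithNotifications for a pilot, then switch to Enable.
    if (-not (Get-DlpCompliancePolicy -Identity $zp.Name -ErrorAction SilentlyContinue)) {
        New-DlpCompliancePolicy -Name $zp.Name -Comment 'Control 1.17 Endpoint DLP' `
            -EndpointDlpLocation 'All' -Mode 'TestWithNotifications' | Out-Null
    }
    # One rule per zone: match the SIT, apply the zone's device restrictions,
    # and show the user a policy tip (Verification Criteria expect that tip).
    New-DlpComplianceRule -Policy $zp.Name -Name "$($zp.Name)-Rule" `
        -ContentContainsSensitiveInformation @{ Name = 'Credit Card Number'; minCount = '1' } `
        -EndpointDlpRestrictions $zp.Restrictions `
        -NotifyUser 'LastModifier' `
        -NotifyPolicyTipCustomText 'Restricted by Control 1.17 Endpoint DLP' | Out-Null

    # Evidence for the verification step: the restrictions actually stored per rule.
    Get-DlpComplianceRule -Policy $zp.Name |
        Select-Object Name, @{ n = 'Restrictions'; e = {
            ($_.EndpointDlpRestrictions | ForEach-Object { "$($_.Setting)=$($_.Value)" }) -join ', ' } }
}
```

Run the policies in TestWithNotifications mode first and review Activity explorer hits before moving each zone to Enable; Zone 1 stays audit-only by design, so its Restrictions never need to change.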
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Purview Compliance Admin | Create and manage Endpoint DLP policies |
| Entra Security Admin | Manage device onboarding, Defender for Endpoint configuration |
| Intune Administrator | Deploy client configuration, device control policies |
| Compliance Officer | Review violation reports, approve override workflows |
Related Controls
| Control | Relationship |
|---|---|
| 1.5 - DLP and Sensitivity Labels | Core DLP policy foundation |
| 1.13 - Sensitive Information Types | SIT definitions for detection |
| 1.15 - Encryption | BitLocker device encryption |
| 1.12 - Insider Risk | Correlates with endpoint activities |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- Target devices appear in Microsoft Purview with healthy status
- USB transfer of labeled document is blocked/audited per policy
- Cloud upload to unauthorized service triggers block/audit
- User receives policy tip notification explaining the restriction
- Violation events appear in Purview activity explorer with device details
Additional Resources
- Microsoft Learn: Endpoint DLP overview
- Microsoft Learn: Onboard devices to Endpoint DLP
- Microsoft Learn: Configure Endpoint DLP settings
- Microsoft Learn: Device control with Defender for Endpoint
Updated: February 2026 | Version: v1.2 | UI Verification Status: Current