Control 1.17: Endpoint Data Loss Prevention (Endpoint DLP)
Control ID: 1.17
Pillar: Security
Regulatory Reference: GLBA 501(b) Safeguards Rule, FINRA 4511(a), FINRA 3110(b), FINRA Notice 25-07, SOX 404(a), SEC 17a-4(f), SEC Regulation S-P (17 CFR 248.30), OCC Bulletin 2011-12, NIST SP 800-53 Rev. 5 (SC-7, SC-28, MP-7), PCI DSS 4.0 §9.4
Last UI Verified: April 2026
Governance Levels: Baseline / Recommended / Regulated
Objective
Extend Microsoft Purview DLP policies to Windows and macOS endpoints to prevent sensitive financial data from being transferred to removable media, uploaded to unauthorized cloud services, copied to restricted applications, or printed without authorization.
Why This Matters for FSI
- GLBA 501(b) / 16 CFR Part 314 (Safeguards Rule): Endpoint DLP helps meet the requirement to implement administrative, technical, and physical safeguards that protect customer NPI from unauthorized access or transfer at the device boundary (USB, removable media, personal cloud, clipboard).
- FINRA Rule 4511(a) and SEA Rule 17a-4(f): Helps prevent unauthorized exfiltration of books and records from registered representatives' endpoints, supporting the integrity of records that must be preserved either in non-rewriteable, non-erasable (WORM) form or, under the 2022 amendments to Rule 17a-4, with an audit-trail alternative that records every modification.
- FINRA Notice 25-07 (AI supervision): Recommended for real-time monitoring and policy enforcement on endpoint interactions with generative AI tools, including browser-based prompt submissions to ChatGPT, Gemini, Claude, DeepSeek, and other unmanaged AI services.
- FINRA Rule 3110(b) (Supervisory System): Required for evidencing technical supervisory controls that detect and prevent the off-channel transfer of customer data and firm records.
- SOX 404(a): Device-level data transfer restrictions support management's assertion of effective internal controls over financial reporting (ICFR).
- SEC Regulation S-P (17 CFR 248.30): Aids in protecting nonpublic personal information from unauthorized disclosure by blocking exfiltration vectors at the endpoint.
- OCC Bulletin 2011-12 / Fed SR 11-7 (Model Risk Management): When AI agents process customer data on endpoints, DLP enforcement supports the model risk management requirement to control input/output data flows.
- NIST SP 800-53 Rev. 5 (SC-7 Boundary Protection, SC-28 Protection of Information at Rest, MP-7 Media Use): Endpoint DLP capabilities map directly to these controls; MP-7 in particular addresses restricting or prohibiting the use of removable media on organizational systems.
- PCI DSS 4.0 §9.4: Requires media containing cardholder data to be classified, securely stored, controlled when distributed, and destroyed when no longer needed; blocking or auditing copies of cardholder data to removable media supports these media-handling requirements on in-scope systems.
No companion solution by design
Not all controls have a companion solution in FSI-AgentGov-Solutions; solution mapping is selective by design. This control is operated via native Microsoft admin surfaces and verified by the framework's assessment-engine collectors. See the Solutions Index for the catalog and coverage scope.
Control Description
This control establishes endpoint protection through:
- Device Onboarding - Onboard Windows/macOS devices to Microsoft Purview via Defender for Endpoint
- Restricted Applications - Block sensitive data access by unauthorized applications (personal email, messaging, cloud storage)
- USB and Removable Media Control - Block or audit transfers to removable storage devices
- Cloud Upload Protection - Block uploads to personal cloud services (Dropbox, Google Drive, iCloud)
- Network Share Restrictions - Block transfers to unauthorized network locations
- Just-in-Time Protection - Hold egress actions (copy to USB, upload, print) on files that have not yet been evaluated against DLP policy until evaluation completes, with a configurable fallback action (audit or block) when evaluation cannot complete, for example while the device is offline
- Browser-Based DLP for Edge for Business - Monitor and restrict sensitive data pasted into AI web applications (ChatGPT, Gemini, DeepSeek, etc.) directly in Microsoft Edge for Business. This capability operates independently of Defender for Endpoint device onboarding, significantly simplifying deployment for organizations that have not completed full MDE rollout. Configured by adding "Microsoft Edge for Business" as a DLP location in Purview policies.
- Network Data Security (SASE/SSE) - Enforce DLP policies at the network level through Microsoft Entra Global Secure Access (the umbrella product that includes Microsoft Entra Internet Access and Microsoft Entra Private Access). This complements endpoint DLP by detecting and blocking sensitive data in network traffic destined for unmanaged AI applications, providing coverage for scenarios where endpoint agents are not present. Requires Microsoft Entra Suite or standalone Global Secure Access license.
Key Configuration Points
- Onboard Windows 10/11 and macOS devices to Microsoft Purview via Microsoft Defender for Endpoint (Intune-managed onboarding package, Group Policy, or local script). Onboarding package is downloaded from Microsoft Purview > Settings > Device onboarding.
- Configure restricted apps and app groups (Notepad++, WinRAR, Telegram, Discord, personal email clients, consumer Dropbox/Google Drive sync clients) under Purview > Data Loss Prevention > Endpoint DLP settings > Restricted apps and app groups.
- Define allowed USB devices by Vendor ID / Product ID / Instance ID under Purview > Data Loss Prevention > Endpoint DLP settings > Removable storage device groups (corporate-encrypted drives only for Zone 3).
- Configure Service domain groups for unauthorized cloud and AI services under Endpoint DLP settings > Service domains.
- Configure Browser and domain restrictions to sensitive data: add browsers that do not enforce Purview DLP to the Unallowed browsers list so they cannot open or upload protected files (Chrome and Firefox unless the Microsoft Purview extension is deployed to them), and steer users to Microsoft Edge for Business, which enforces Endpoint DLP natively.
- Set endpoint actions per zone (Audit, Block with override, or Block) on each DLP rule's Devices location.
- Enable Always audit file activity for devices, and enable Just-in-time protection under Endpoint DLP settings with a fallback action (Audit or Block) that matches the zone's enforcement posture, so that egress from not-yet-evaluated files is held until evaluation completes and fails predictably when evaluation cannot complete, including while the device is offline.
- Enable Microsoft Edge for Business as a DLP location to monitor inline AI prompt submissions, file uploads, and paste actions on managed and unmanaged devices signed in with the work profile (no Defender for Endpoint onboarding required).
- Configure DLP for Windows Recall on Copilot+ PCs to prevent sensitive data from being captured into Recall snapshots (currently enabled via the Endpoint DLP settings preview controls).
- Configure Microsoft Entra Global Secure Access security profiles with DLP policy linkage to enforce data protection on network traffic to unmanaged AI and cloud services, providing coverage for unmanaged devices and BYOD.
- Assign least-privilege roles: Purview Compliance Admin for DLP policy authoring, Entra Security Admin for device onboarding, Intune Administrator for client deployment.
Zone-Specific Requirements
| Zone | Requirement | Rationale |
|---|---|---|
| Zone 1 (Personal Productivity) | Device onboarding required; audit-only for USB, cloud upload, print, and clipboard; Bluetooth allowed; Edge for Business inline AI prompt DLP recommended (audit mode) to surface shadow AI usage; just-in-time protection enabled | Low-risk individual productivity scenarios; emphasis on visibility and user awareness without disrupting workflows |
| Zone 2 (Team Collaboration) | Device onboarding required; block with override (with business justification) for USB and personal cloud upload; audit clipboard and print; Bluetooth blocked for sensitive content; Edge for Business inline AI prompt DLP recommended (block-with-override) including upload restrictions to unmanaged GenAI; just-in-time protection enabled; Global Secure Access network DLP recommended | Team-level collaboration data warrants enforcement with controlled overrides for legitimate business needs |
| Zone 3 (Enterprise Managed) | Device onboarding required; block (no override) for USB, personal cloud upload, and clipboard to restricted apps; block Bluetooth and unauthorized RDP/network shares; Edge for Business inline AI DLP required in block mode for unmanaged GenAI prompts and uploads, with redirect to sanctioned Microsoft 365 Copilot; Global Secure Access network DLP required; DLP for Windows Recall enabled where Copilot+ PCs are deployed; just-in-time protection enabled | Customer-facing, regulated, and high-sensitivity workloads require strict enforcement aligned to FINRA 3110, SEC 17a-4, and GLBA 501(b) |
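The following PowerShell is an added worked example for the Key Configuration Points and the zone matrix above; it is not part of the framework's playbooks. It builds the three zone policies with the Security & Compliance PowerShell cmdlets (Connect-IPPSSession, New-DlpCompliancePolicy, New-DlpComplianceRule). Policy and rule names, the single SIT used, and the restriction setting names and action values are placeholders or assumptions: the Setting/Value pairs follow the documented -EndpointDlpRestrictions syntax (Audit, Warn for block-with-override, Block) and should be checked against the current New-DlpComplianceRule reference before use. Bluetooth, RDP and removable storage device groups are not expressed here and remain portal settings, and each policy is applied to all onboarded devices; zone scoping to user populations is left to the policy's location scope.

```powershell
# Added example (not part of the framework's playbooks): create the three zone policies
# from the matrix above with Security & Compliance PowerShell.
# Assumptions: policy/rule names, the single SIT, and the -EndpointDlpRestrictions setting
# names and values (Audit, Warn = block with override, Block); verify against the current
# New-DlpComplianceRule reference before production use.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

# Detection condition shared by all zones; extend with the SITs defined under Control 1.13.
$sensitiveTypes = @(
    @{ Name = 'U.S. Social Security Number (SSN)'; minCount = '1' }
)

# Zone matrix: one endpoint action per egress channel, taken from the table above.
$zones = @(
    @{
        Name         = 'FSI-EDLP-Zone1-PersonalProductivity'
        Restrictions = @(
            @{ Setting = 'RemovableMedia'; Value = 'Audit' }
            @{ Setting = 'CloudEgress';    Value = 'Audit' }
            @{ Setting = 'Print';          Value = 'Audit' }
            @{ Setting = 'CopyPaste';      Value = 'Audit' }
        )
    }
    @{
        Name         = 'FSI-EDLP-Zone2-TeamCollaboration'
        Restrictions = @(
            @{ Setting = 'RemovableMedia'; Value = 'Warn' }   # block with override
            @{ Setting = 'CloudEgress';    Value = 'Warn' }
            @{ Setting = 'Print';          Value = 'Audit' }
            @{ Setting = 'CopyPaste';      Value = 'Audit' }
        )
    }
    @{
        Name         = 'FSI-EDLP-Zone3-EnterpriseManaged'
        Restrictions = @(
            @{ Setting = 'RemovableMedia'; Value = 'Block' }  # no override
            @{ Setting = 'CloudEgress';    Value = 'Block' }
            @{ Setting = 'CopyPaste';      Value = 'Block' }
            @{ Setting = 'NetworkShare';   Value = 'Block' }
            @{ Setting = 'UnallowedApps';  Value = 'Block' }
        )
    }
)

foreach ($zone in $zones) {
    # Start in test mode with notifications: policy tips appear, nothing is blocked yet.
    # Switch to -Mode Enable once the verification criteria for the zone pass.
    New-DlpCompliancePolicy -Name $zone.Name `
        -Comment 'Control 1.17 Endpoint DLP' `
        -EndpointDlpLocation 'All' `
        -Mode TestWithNotifications | Out-Null

    New-DlpComplianceRule -Name "$($zone.Name)-SIT-Match" `
        -Policy $zone.Name `
        -ContentContainsSensitiveInformation $sensitiveTypes `
        -EndpointDlpRestrictions $zone.Restrictions `
        -NotifyUser 'Owner' `
        -NotifyPolicyTipCustomText 'This file contains customer NPI; transfer is governed by Control 1.17.' | Out-Null

    Write-Output "Created $($zone.Name) with $($zone.Restrictions.Count) endpoint restrictions (test mode)"
}

# Confirm mode and location before moving any zone to Enable.
Get-DlpCompliancePolicy |
    Where-Object { $_.Name -like 'FSI-EDLP-Zone*' } |
    Format-Table Name, Mode, EndpointDlpLocation -AutoSize
```

Creating the policies in TestWithNotifications first lets the Compliance Officer review Activity explorer matches and false positives before any zone moves to Enable; the Zone 3 policy should only be switched to Enable after the USB, cloud upload and clipboard test cases in the Verification Criteria record the expected Block action.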
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Purview Compliance Admin | Create and manage Endpoint DLP policies |
| Entra Security Admin | Manage device onboarding, Defender for Endpoint configuration |
| Intune Administrator | Deploy client configuration, device control policies |
| Compliance Officer | Review violation reports, approve override workflows |
Related Controls
| Control | Relationship |
|---|---|
| 1.5 - DLP and Sensitivity Labels | Core DLP policy foundation |
| 1.13 - Sensitive Information Types | SIT definitions for detection |
| 1.15 - Encryption | BitLocker device encryption |
| 1.12 - Insider Risk | Correlates with endpoint activities |
Implementation Playbooks
Step-by-Step Implementation
This control has detailed playbooks for implementation, automation, testing, and troubleshooting:
- Portal Walkthrough — Step-by-step portal configuration
- PowerShell Setup — Automation scripts
- Verification & Testing — Test cases and evidence collection
- Troubleshooting — Common issues and resolutions
Verification Criteria
Confirm control effectiveness by verifying:
- Target Windows and macOS devices appear in Microsoft Purview > Settings > Device onboarding with healthy status and recent last-seen timestamps
- USB transfer of a test document containing a sensitive information type (e.g., U.S. SSN) is blocked or audited per the zone configuration, and the action is recorded with device, user, file, and SIT match details
- Cloud upload of sensitive content to an unauthorized service (Dropbox, Google Drive, iCloud, personal OneDrive) triggers the configured action with policy tip
- Edge for Business inline DLP intercepts a sensitive prompt or file upload to an unmanaged AI web application (e.g., ChatGPT, Gemini) per Zone 2/3 requirements, and (Zone 3) redirects the user to Microsoft 365 Copilot when configured
- Global Secure Access security profiles intercept sensitive data sent to unmanaged AI endpoints over the network path (Zone 2 recommended, Zone 3 required), with events visible in Defender XDR > Investigation & response > Activity log
- Just-in-time protection holds an egress action (for example, copy to USB) on a newly created file containing a test SIT match until evaluation completes, and the configured fallback action (Audit or Block) applies when evaluation cannot complete (for example, with the device disconnected from the internet)
- Violation events appear in Microsoft Purview > Solutions > Data Loss Prevention > Activity explorer within 15–30 minutes with full device, user, file, sensitive content, and rule match details suitable for audit evidence
- Role assignments follow least privilege: Purview Compliance Admin owns DLP policies; Entra Security Admin owns device onboarding; Power Platform Admin is not assigned to DLP configuration
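The two helpers below are an added example for collecting evidence against the criteria above; they are not part of the framework's playbooks or assessment-engine collectors. Test-EndpointDlpReadiness runs on a Windows endpoint and reports the Defender for Endpoint onboarding state that Endpoint DLP depends on, reading the documented MDE status registry key and Sense service. Get-EndpointDlpEvidence runs from an admin workstation with an existing Connect-IPPSSession and exports Endpoint DLP records from the unified audit log. The DlpEndpoint record type name, the nested AuditData field names (PolicyDetails, Rules, EndpointMetaData) and the output path are assumptions to confirm against your tenant's records.

```powershell
# Added example (not part of the framework's playbooks): evidence-collection helpers for
# the verification criteria above.
# Assumptions: the DlpEndpoint record type, the AuditData field names marked below, and
# the placeholder output path. The MDE registry key and Sense service are documented.

function Test-EndpointDlpReadiness {
    # OnboardingState = 1 means the Defender for Endpoint sensor completed onboarding.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboardingState = $null
    if (Test-Path $statusKey) {
        $onboardingState = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    }
    $sense    = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $edgePath = "$env:SystemDrive\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OSBuild       = [System.Environment]::OSVersion.Version.ToString()
        MdeOnboarded  = ($onboardingState -eq 1)
        SenseRunning  = ($null -ne $sense -and $sense.Status -eq 'Running')
        EdgeInstalled = (Test-Path $edgePath)
        CheckedAtUtc  = (Get-Date).ToUniversalTime()
    }
}

function Get-EndpointDlpEvidence {
    param(
        [int]$Days = 7,
        # Placeholder path; point this at the evidence repository for the control.
        [string]$OutFile = (Join-Path $env:TEMP 'Control-1.17-EndpointDlp-Evidence.json')
    )
    $end   = Get-Date
    $start = $end.AddDays(-$Days)

    # Assumed record type name for Endpoint DLP events in the unified audit log.
    $records = Search-UnifiedAuditLog -StartDate $start -EndDate $end `
        -RecordType DlpEndpoint -ResultSize 5000
    if (-not $records) {
        Write-Warning "No DlpEndpoint records in the last $Days days; check onboarding and policy mode."
        return
    }

    # Keep the raw AuditData for auditors; the summary below is for the assessor.
    $records | Select-Object CreationDate, UserIds, Operations, RecordType, AuditData |
        ConvertTo-Json -Depth 5 | Set-Content -Path $OutFile -Encoding UTF8

    foreach ($r in $records) {
        $data = $r.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            Time      = $r.CreationDate
            User      = $r.UserIds
            Operation = $r.Operations
            Policy    = (@($data.PolicyDetails.PolicyName) -join ';')       # assumed field
            Rule      = (@($data.PolicyDetails.Rules.RuleName) -join ';')  # assumed field
            Action    = (@($data.PolicyDetails.Rules.Actions) -join ';')   # assumed field
            Device    = $data.EndpointMetaData.DeviceName                  # assumed field
        }
    }
}

# Typical use:
#   Test-EndpointDlpReadiness | Format-List
#   Get-EndpointDlpEvidence -Days 30 | Group-Object Policy | Select-Object Name, Count
```

Run Test-EndpointDlpReadiness elevated on a sample of devices from each zone and keep the objects alongside the Device onboarding page export; a device that shows MdeOnboarded false explains missing Activity explorer events faster than re-running the USB test case. The unified audit log is subject to your tenant's retention, so collect evidence on the review cadence the Compliance Officer sets rather than only at audit time.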
Additional Resources
- Microsoft Learn: Learn about Endpoint DLP
- Microsoft Learn: Get started with Endpoint DLP
- Microsoft Learn: Configure Endpoint DLP settings
- Microsoft Learn: Learn about just-in-time protection
- Microsoft Learn: Get started with just-in-time protection
- Microsoft Learn: Learn about DLP for Cloud Apps in Edge for Business
- Microsoft Learn: Understand DLP in Microsoft Edge for Business
- Microsoft Learn: Device control with Defender for Endpoint
- Microsoft Learn: Onboard Windows devices to Defender for Endpoint
- Microsoft Learn: Onboard macOS devices to Microsoft Purview
- Microsoft Learn: Global Secure Access overview
- Microsoft Learn: Use DLP policies for non-Microsoft cloud apps
Updated: April 2026 | Version: v1.4.0 | UI Verification Status: Current