
Control 1.17: Endpoint Data Loss Prevention (Endpoint DLP)

Overview

Control ID: 1.17
Control Name: Endpoint Data Loss Prevention (Endpoint DLP)
Pillar: Security
Regulatory Reference: GLBA 501(b), FINRA 4511, SOX 404, SEC Reg S-P, PCI DSS 4.0
Setup Time: 2-3 hours

Purpose

Endpoint Data Loss Prevention extends Microsoft Purview DLP policies to Windows and macOS devices, providing protection against data exfiltration at the device level. For Copilot Studio deployments, Endpoint DLP ensures that sensitive information accessed or generated by agents cannot be copied to removable media, uploaded to unauthorized cloud services, or transferred via unsanctioned applications. This is critical for FSI organizations where MNPI, customer PII, and trading data require protection even on managed endpoints.

This control addresses key FSI requirements:

  • Removable Media Control: Block sensitive data transfer to USB drives
  • Cloud Upload Protection: Prevent unauthorized cloud service uploads
  • Clipboard Protection: Block copy/paste of sensitive content to unmanaged apps
  • Print Restriction: Control printing of documents containing sensitive data
  • Network Egress Monitoring: Detect data leaving via network shares

Prerequisites

Primary Owner Admin Role: Purview Compliance Admin
Supporting Roles: Entra Security Admin

Required Licenses

| License | Purpose |
| --- | --- |
| Microsoft 365 E5 or E5 Compliance | Endpoint DLP feature |
| Microsoft Defender for Endpoint P2 | Device onboarding and integration |
| Windows 10/11 Enterprise (1809+) | Windows endpoint support |
| macOS 11.0+ (Big Sur) | macOS endpoint support |

Required Permissions

| Permission | Scope | Purpose |
| --- | --- | --- |
| Compliance Administrator | Microsoft Purview | Create and manage Endpoint DLP policies |
| Endpoint DLP Administrator | Microsoft Purview | Manage endpoint-specific settings |
| Security Administrator | Microsoft 365 Defender | Device onboarding and management |
| Intune Administrator | Microsoft Intune | Deploy client configuration |

Dependencies

Pre-Setup Checklist

  • [ ] Microsoft Defender for Endpoint deployed
  • [ ] Devices onboarded to Microsoft Purview
  • [ ] Sensitivity labels and DLP policies configured
  • [ ] Sensitive Information Types defined
  • [ ] BitLocker enabled on Windows devices

Governance Levels

Baseline (Level 1)

Implement Endpoint DLP for Tier 2+ agents; monitor device-level data transfers.

Advanced Endpoint DLP with USB/removable media controls; network monitoring.

Regulated/High-Risk (Level 4)

Comprehensive Endpoint DLP with device full disk encryption (BitLocker); real-time alerting.


Setup & Configuration

Step 1: Enable Device Onboarding for Endpoint DLP

Portal Path: Microsoft Purview → Settings → Device onboarding

  1. Navigate to Microsoft Purview (purview.microsoft.com; the older compliance.microsoft.com address redirects there)
  2. Select Settings → Device onboarding
  3. Verify Device Status:
    • Check that devices are onboarded via Microsoft Defender for Endpoint. Devices already onboarded to Defender for Endpoint appear here automatically once device onboarding is turned on; no second agent is installed.
    • Review device count and onboarding status
  4. If not onboarded, download the onboarding package for your deployment method (Group Policy, Intune, Configuration Manager, or local script)
  5. Configure Onboarding Settings:
    • Sample collection: Enable for regulated environments
    • Telemetry: Enable advanced diagnostics

Step 2: Configure Endpoint DLP Settings

Portal Path: Microsoft Purview → Data loss prevention → Endpoint DLP settings

  1. Navigate to Microsoft Purview → Data loss prevention
  2. Select Endpoint DLP settings
  3. Configure Global Settings:

Restricted apps:
  • Click Restricted apps
  • Add applications that should not access sensitive content, for example:

notepad++.exe
winrar.exe
telegram.exe
discord.exe
personal_email_client.exe

  • The list only defines which applications are restricted; whether access by those apps is audited, blocked with override, or blocked outright is set per rule in the DLP policy ("Access by restricted apps"). Matching is by executable name, so a renamed binary is not caught; pair this list with application control rather than treating it as a hard boundary.

  4. Restricted app groups: create groups for easier management:
    • "Unauthorized Cloud Storage" (dropbox.exe, googledrive.exe, etc.)
    • "Personal Communication" (whatsapp.exe, signal.exe, etc.)
    • "Unmanaged Browsers" (if applicable)
  5. Unallowed Bluetooth apps: add Bluetooth transfer applications if data transfer via Bluetooth is a concern
  6. Browser and domain restrictions:
    • Click Browser and domain restrictions to sensitive data
    • Add allowed domains (corporate apps)
    • Block personal webmail domains

Step 3: Configure File Path Exclusions

Portal Path: Microsoft Purview → Data loss prevention → Endpoint DLP settings → File path exclusions

  1. In Endpoint DLP settings, click File path exclusions
  2. Add Exclusions for Legitimate Business Paths, for example:
    C:\Program Files\YourTradingApp\*
    C:\Windows\System32\*
    C:\ProgramData\Microsoft\*

    Files under an excluded path are not evaluated by Endpoint DLP at all, so every exclusion is a blind spot that a user or malware can stage files into. Keep exclusions to the application's own install or data directory; exclude broad system paths such as C:\Windows\System32\* or C:\ProgramData\Microsoft\* only for a documented, reproducible false positive.
  3. Exclude Specific Processes:
    • Add trusted business applications that handle sensitive data
    • Document justification for each exclusion
  4. Review Existing Exclusions:
    • Audit exclusions quarterly
    • Remove any unnecessary exclusions

Step 4: Create Endpoint DLP Policy for FSI Data

Portal Path: Microsoft Purview → Data loss prevention → Policies → Create policy

  1. Navigate to Data loss prevention → Policies
  2. Click + Create policy
  3. Choose Template or Custom:
    • Select Custom policy for FSI-specific controls
    • Or start with a Financial category template
  4. Name the Policy:
    • Name: "FSI Endpoint DLP - Sensitive Data Protection"
    • Description: "Protects financial services sensitive data at endpoint level"
  5. Assign Admin Units (if using): select the appropriate organizational units
  6. Choose Locations:
    • Enable Devices (required for Endpoint DLP)
    • Optionally include SharePoint, OneDrive, Exchange for a unified policy
  7. Define Policy Settings: select Create or customize advanced DLP rules
  8. Click Next → Create Rule:
    • Rule name: "Block USB Transfer of Customer PII"

Conditions:
  • Content contains:
    • Sensitive information types: SSN, Credit Card, Bank Account
    • Sensitivity labels: Confidential, Highly Confidential

Actions for Endpoint (Audit or restrict activities on Windows devices):
  • Copy to removable USB: Block
  • Copy to network share: Block
  • Upload to cloud service: Block with override
  • Copy to clipboard: Audit only
  • Print: Block with override
  • Copy/move using unallowed Bluetooth app: Block
  • Copy/move using RDP: Audit only

"Block with override" lets the user proceed after entering a business justification; the justification and the override are written to the audit log, so override events should be reviewed, not just counted.

  9. Configure Notification:
    • Enable user notifications
    • Customize notification text for FSI context
    • Enable policy tips
  10. Configure Incident Reports:
    • Send to: DLP-Incidents@yourdomain.com
    • Include user and activity details
    • Set severity per zone
  11. Policy mode: run the policy in test mode with policy tips for the pilot group first, then turn it on once false positives have been tuned

Step 5: Create Policy for MNPI Protection

Portal Path: Microsoft Purview → Data loss prevention → Policies → Create policy

  1. Click + Create policy
  2. Name: "MNPI Endpoint Protection - Zero Transfer"
  3. Conditions:
    • Sensitivity label equals: "MNPI - Material Non-Public"
    • OR Custom SIT for MNPI indicators
  4. Endpoint Actions:
    • Copy to removable USB: Block
    • Copy to network share: Block
    • Upload to cloud service: Block
    • Copy to clipboard: Block (strict for MNPI)
    • Print: Block
    • Access by unallowed apps: Block
  5. No Override: for MNPI, configure every action as Block without the user override option
  6. Alerts: High severity, immediate notification to Compliance
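Steps 4 and 5 can also be scripted, which makes the two policies reproducible across tenants and reviewable in source control. The following is an added example and is not code from this control page; it creates both policies with the Security & Compliance PowerShell cmdlets (`New-DlpCompliancePolicy`, `New-DlpComplianceRule`). Assumptions not stated on the page: the ExchangeOnlineManagement module is installed, the operator holds Compliance Administrator, the sensitivity label "MNPI - Material Non-Public" already exists (Control 1.5), the incident mailbox is the page's placeholder, and the `Setting` names for `-EndpointDlpRestrictions` are the ones documented for the cmdlet (`Get-Help New-DlpComplianceRule -Parameter EndpointDlpRestrictions` shows the list your module version accepts). The Bluetooth-app restriction is left to the portal.

```powershell
# Added example, not part of the original control page. Creates the Step 4 (customer PII)
# and Step 5 (MNPI, no override) Endpoint DLP policies via Security & Compliance PowerShell.
# Assumptions: ExchangeOnlineManagement installed; Compliance Administrator role; the
# "MNPI - Material Non-Public" label exists; Setting names per New-DlpComplianceRule docs.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession

$incidentMailbox = "DLP-Incidents@yourdomain.com"   # placeholder mailbox from Step 4

# Restriction values: Block = hard block; Warn = block with user override (justification is
# captured in the audit log); Audit = log only.
$piiRestrictions = @(
    @{ Setting = "RemovableMedia";        Value = "Block" }   # copy to removable USB
    @{ Setting = "NetworkShare";          Value = "Block" }   # copy to network share
    @{ Setting = "CloudEgress";           Value = "Warn"  }   # upload to cloud: block with override
    @{ Setting = "CopyPaste";             Value = "Audit" }   # clipboard: audit only
    @{ Setting = "Print";                 Value = "Warn"  }   # print: block with override
    @{ Setting = "RemoteDesktopServices"; Value = "Audit" }   # copy via RDP: audit only
)
# MNPI: every egress path hard-blocked, nothing overridable
$mnpiRestrictions = @("RemovableMedia", "NetworkShare", "CloudEgress", "CopyPaste",
                      "Print", "RemoteDesktopServices", "UnallowedApps") |
    ForEach-Object { @{ Setting = $_; Value = "Block" } }

# Step 4 condition: built-in SITs, matched if any one is present (names as shown in Purview)
$piiCondition = @(
    @{ Name = "Credit Card Number";                minCount = "1" }
    @{ Name = "U.S. Social Security Number (SSN)"; minCount = "1" }
    @{ Name = "U.S. Bank Account Number";          minCount = "1" }
)
# Step 5 condition: sensitivity label match, using the grouped (advanced) condition syntax
$mnpiCondition = @{
    operatorType = "Or"
    groups       = @(
        @{ name = "MNPI label"; operatorType = "Or"
           labels = @(@{ name = "MNPI - Material Non-Public"; type = "Sensitivity" }) }
    )
}

function New-FsiEndpointDlpPolicy {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Description,
        [Parameter(Mandatory)][string]$RuleName,
        [Parameter(Mandatory)]$Condition,                   # -ContentContainsSensitiveInformation value
        [Parameter(Mandatory)][hashtable[]]$Restrictions,
        [ValidateSet("Low", "Medium", "High")][string]$Severity = "Medium"
    )
    # Devices location only. Start in test mode so the pilot group sees policy tips but no blocks;
    # switch to -Mode Enable after tuning (see the end of the script).
    if (-not (Get-DlpCompliancePolicy -Identity $Name -ErrorAction SilentlyContinue)) {
        New-DlpCompliancePolicy -Name $Name -Comment $Description `
            -EndpointDlpLocation All -Mode TestWithNotifications | Out-Null
    }
    New-DlpComplianceRule -Name $RuleName -Policy $Name `
        -ContentContainsSensitiveInformation $Condition `
        -EndpointDlpRestrictions $Restrictions `
        -NotifyUser LastModifier `
        -GenerateIncidentReport $incidentMailbox -IncidentReportContent All `
        -ReportSeverityLevel $Severity | Out-Null
    return Get-DlpComplianceRule -Identity $RuleName
}

$pii  = New-FsiEndpointDlpPolicy -Name "FSI Endpoint DLP - Sensitive Data Protection" `
    -Description "Protects financial services sensitive data at endpoint level" `
    -RuleName "Block USB Transfer of Customer PII" `
    -Condition $piiCondition -Restrictions $piiRestrictions
$mnpi = New-FsiEndpointDlpPolicy -Name "MNPI Endpoint Protection - Zero Transfer" `
    -Description "No-override endpoint restrictions for MNPI-labeled content" `
    -RuleName "Block all MNPI egress" `
    -Condition $mnpiCondition -Restrictions $mnpiRestrictions -Severity High

# Review what was created before leaving test mode
$pii, $mnpi | Format-Table Name, ParentPolicyName, Disabled,
    @{ N = 'Restrictions'; E = { $_.EndpointDlpRestrictions -join '; ' } } -AutoSize

# After the pilot, enforce (one policy at a time, MNPI first):
# Set-DlpCompliancePolicy -Identity "MNPI Endpoint Protection - Zero Transfer" -Mode Enable
```

Two design points worth noting: the policies are created in `TestWithNotifications` mode deliberately, so the same script is safe to run against a production tenant, and the MNPI restriction set is generated from a list with a single `Block` value, which makes a drift review (any entry that is not `Block`) a one-line check.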

Step 6: Configure USB and Removable Media Controls

Portal Path: Microsoft Intune → Endpoint security → Device control

  1. Navigate to Microsoft Intune Admin Center (intune.microsoft.com)
  2. Select Endpoint security → Device control
  3. Click + Create Policy
  4. Platform: Windows 10 and later
  5. Profile: Device control
  6. Configure Device Control Settings:
    • Removable Storage Access Control:
      • Default policy: Deny all
      • Allow specific approved USB devices by hardware ID (vendor/product ID, serial number)
    • Create Allowed Devices Group. Defender device control expresses this as a device group (what to match) plus a policy rule (what to do); the hardware identifiers and GUIDs below are placeholders to fill in from your device inventory:

    <!-- Example: deny all removable storage except corporate-issued encrypted USB drives -->
    <Groups>
      <Group Id="{GROUP-GUID-APPROVED}" Type="Device">
        <MatchType>MatchAny</MatchType>
        <DescriptorIdList>
          <VID_PID>XXXX_YYYY</VID_PID>          <!-- approved model; add SerialNumberId entries to pin individual drives -->
        </DescriptorIdList>
      </Group>
      <Group Id="{GROUP-GUID-ALL}" Type="Device">
        <MatchType>MatchAny</MatchType>
        <DescriptorIdList><PrimaryId>RemovableMediaDevices</PrimaryId></DescriptorIdList>
      </Group>
    </Groups>
    <PolicyRules>
      <PolicyRule Id="{RULE-GUID}">
        <IncludedIdList><GroupId>{GROUP-GUID-ALL}</GroupId></IncludedIdList>
        <ExcludedIdList><GroupId>{GROUP-GUID-APPROVED}</GroupId></ExcludedIdList>
        <Entry Id="{ENTRY-GUID}"><Type>Deny</Type><Options>0</Options><AccessMask>63</AccessMask></Entry>
      </PolicyRule>
    </PolicyRules>

    AccessMask 63 covers device and file read/write/execute. Device control and Endpoint DLP are complementary layers: device control decides whether the drive mounts at all, and the Endpoint DLP rule still evaluates the content copied to an approved drive.

  7. Assign Policy:
    • Target security groups containing Tier 2/3 users
    • Pilot with a small group first

Step 7: Configure Network Share Restrictions

Portal Path: Microsoft Purview → Data loss prevention → Endpoint DLP settings → Network share groups

  1. In Endpoint DLP settings, click Network share groups
  2. Create Network Share Groups:
    • Group name: "Unauthorized Network Locations"
    • Paths: add unauthorized network shares, for example
    \\personal-nas\*
    \\home-server\*
    \\192.168.*\*

  3. Configure in DLP Policy:
    • Block copy to the "Unauthorized Network Locations" group
    • Allow copy to approved corporate shares only

    The rule's base "Copy to network share" action applies to every share, and a share group only changes the action for the paths it lists. A deny-list group on its own therefore leaves any share not on the list at the base action; the robust pattern is to set the base action to Block and define an "Approved Corporate Shares" group with Audit, so anything unlisted is blocked by default.

Step 8: Enable Just-in-Time Protection

Portal Path: Microsoft Purview → Data loss prevention → Endpoint DLP settings → Just-in-time protection

  1. In Endpoint DLP settings, click Just-in-time protection
  2. Enable Just-in-Time Protection:
    • Holds egress of a file that has not yet been classified (for example a file just created or modified) until DLP evaluation completes, instead of letting the first copy out before the classifier catches up
    • Applies to the egress actions the policy restricts (removable media, network share, cloud upload, print, and so on)
  3. Configure Fallback Behavior:
    • Fallback action when evaluation cannot complete: Block (use Audit during the pilot so unclassified files do not stall workflows)
    • Enforcement runs in the Defender for Endpoint client on the device, so policies already synced keep applying while the endpoint is offline; just-in-time protection addresses unclassified files, not connectivity loss

PowerShell Configuration

Check Device Onboarding Status

# Connect to Microsoft Graph (Intune inventory). This reports Intune's view of the estate;
# Purview onboarding status itself is read in Purview → Settings → Device onboarding.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"

# Get all Windows devices (-All follows paging; without it only the first page is returned)
$devices = Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'" -All

Write-Host "=== Device Onboarding Status ===" -ForegroundColor Cyan
Write-Host "Total Windows Devices: $($devices.Count)"
Write-Host "Compliant: $(($devices | Where-Object { $_.ComplianceState -eq 'compliant' }).Count)"

# Breakdown by Entra registration and compliance state. This is not a Defender for Endpoint
# sensor-health check; use the Defender portal device inventory for that.
$devicesSummary = $devices | Group-Object { "$($_.AadRegistered)|$($_.ComplianceState)" } |
    Select-Object @{N='AAD Registered|Compliance';E={$_.Name}}, @{N='Count';E={$_.Count}}

$devicesSummary | Format-Table -AutoSize

Export Endpoint DLP Violations

# Search-UnifiedAuditLog lives in the Exchange Online module; a Security & Compliance
# session is not needed for this query
Connect-ExchangeOnline

# Search for Endpoint DLP events (RecordType DLPEndpoint covers Windows and macOS device events)
$startDate = (Get-Date).AddDays(-30)
$endDate = Get-Date

# -ResultSize caps at 5000 per call; for larger windows page with -SessionCommand ReturnLargeSet
$endpointEvents = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate `
    -RecordType DLPEndpoint `
    -ResultSize 5000

# Parse and format results (field names follow the Office 365 Management Activity API DLP schema)
$violations = $endpointEvents | ForEach-Object {
    $auditData = $_.AuditData | ConvertFrom-Json
    $rules = $auditData.PolicyDetails.Rules
    [PSCustomObject]@{
        Timestamp         = $_.CreationDate
        User              = $_.UserIds
        Operation         = $_.Operations                                    # e.g. DlpRuleMatch
        Device            = $auditData.EndpointMetaData.DeviceName
        Application       = $auditData.EndpointMetaData.Application
        EnforcementMode   = $auditData.EndpointMetaData.EnforcementMode     # Audit / Block / Warn
        PolicyName        = ($auditData.PolicyDetails.PolicyName -join '; ')
        RuleName          = ($rules.RuleName -join '; ')
        SensitiveInfoType = ($rules.ConditionsMatched.SensitiveInformation.SensitiveInformationTypeName -join '; ')
        FilePath          = $auditData.ObjectId                              # full path of the file
    }
}

# Export report
$violations | Export-Csv -Path "EndpointDLP_Violations_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

# Summary: overrides (Warn) deserve the same review as blocks
Write-Host "=== Endpoint DLP Violation Summary ===" -ForegroundColor Cyan
Write-Host "Total Events: $($violations.Count)"
$violations | Group-Object EnforcementMode | Format-Table Name, Count
$violations | Group-Object PolicyName | Format-Table Name, Count

Inventory Endpoint DLP Policies via Security & Compliance PowerShell

# Endpoint DLP policies are not exposed through Microsoft Graph; the Graph
# informationProtection/policy/labels endpoint returns sensitivity labels, not DLP policies.
# Use the Security & Compliance PowerShell cmdlets instead.
Connect-IPPSSession

# Get DLP policies that include the Devices location
$dlpPolicies = Get-DlpCompliancePolicy | Where-Object { $_.EndpointDlpLocation }

Write-Host "=== Endpoint DLP Policies ===" -ForegroundColor Cyan
foreach ($policy in $dlpPolicies) {
    Write-Host "Policy: $($policy.Name)"
    Write-Host "  Mode: $($policy.Mode)"   # Enable, TestWithNotifications, TestWithoutNotifications, Disable
    Write-Host "  Devices scope: $($policy.EndpointDlpLocation -join ', ')"
    # Rules and their endpoint restrictions
    Get-DlpComplianceRule -Policy $policy.Name | ForEach-Object {
        Write-Host "  Rule: $($_.Name) (Disabled: $($_.Disabled))"
        Write-Host "    Endpoint restrictions: $($_.EndpointDlpRestrictions -join '; ')"
    }
    Write-Host ""
}

Monitor USB Device Activity

# Query the Windows PnP log for device arrivals (run elevated; operational logs need admin rights)
$usbEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Kernel-PnP/Device Configuration'
    Id = 400, 410  # 400 = device configured, 410 = device started
} -MaxEvents 100 -ErrorAction SilentlyContinue

# Keep USB mass-storage instances only (instance path begins with USBSTOR) and record the path
$usbActivity = $usbEvents | ForEach-Object {
    if ($_.Message -match 'Device (?<path>USBSTOR\\\S+)') {
        [PSCustomObject]@{
            Timestamp  = $_.TimeCreated
            EventId    = $_.Id
            DeviceInfo = $Matches['path']
        }
    }
}

Write-Host "=== Recent USB Storage Activity ===" -ForegroundColor Cyan
$usbActivity | Format-Table Timestamp, EventId, DeviceInfo -AutoSize

# Local Defender device control events. The authoritative, fleet-wide record is Defender for
# Endpoint advanced hunting: DeviceEvents | where ActionType == "RemovableStoragePolicyTriggered"
$defenderEvents = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id = 1160  # Device control event
} -MaxEvents 100 -ErrorAction SilentlyContinue

if ($defenderEvents) {
    Write-Host "`n=== Defender Device Control Events ===" -ForegroundColor Cyan
    $defenderEvents | Select-Object TimeCreated, Message | Format-Table -AutoSize
}

Financial Sector Considerations

Regulatory Alignment

| Regulation | Requirement | Endpoint DLP Implementation |
| --- | --- | --- |
| GLBA 501(b) | Safeguard customer NPI | Block USB/cloud transfer of NPI |
| FINRA 4511 | Books and records protection | Prevent unauthorized data removal |
| SOX 404 | Internal controls | Device-level data transfer restrictions |
| SEC Reg S-P | Customer privacy | Block exfiltration via endpoint |
| PCI DSS 4.0 | Protect cardholder data | Restrict removable media access |
| SEC 17a-4 | Record preservation | Prevent destruction via transfer |

Zone-Specific Configuration

| Configuration | Zone 1 (Personal Productivity) | Zone 2 (Team Collaboration) | Zone 3 (Enterprise Managed) |
| --- | --- | --- | --- |
| USB Transfer | Audit only | Block with override | Block (no override) |
| Cloud Upload | Audit only | Block with override | Block (no override) |
| Clipboard | Allowed | Audit only | Block for labeled content |
| Print | Allowed | Audit only | Block with override |
| Network Share | Audit only | Block unauthorized | Block unauthorized |
| Bluetooth | Allowed | Blocked | Blocked |
| RDP Copy/Paste | Allowed | Audit only | Blocked |
| Restricted Apps | Limited | Extensive list | Extensive + strict |

FSI Use Case Example

Scenario: Trading Floor Workstation Protection

Requirements:

  • Traders access MNPI and customer order flow
  • High risk of data exfiltration
  • Regulatory examination preparedness

Endpoint DLP Implementation:

  1. USB Devices:
    • All USB storage blocked (no override)
    • Only corporate-encrypted drives allowed (by hardware ID)
    • USB keyboard/mouse allowed (the device control rule targets removable storage, not HID devices)
  2. Cloud Services:
    • Personal cloud storage blocked (Dropbox, Google Drive, iCloud)
    • Corporate OneDrive allowed
    • Audit all uploads to M365
  3. Applications:
    • Personal email clients blocked
    • Unauthorized messaging apps blocked
    • Only approved trading applications allowed
  4. Print/Clipboard:
    • Print blocked for MNPI-labeled documents
    • Clipboard blocked for copying to non-corporate apps
    • Screen capture is not an Endpoint DLP enforcement point; screenshots of labeled content remain a residual risk to be covered through Insider Risk monitoring (Control 1.12)
  5. Network:
    • Transfer to non-corporate network shares blocked
    • VPN required for remote access

Regulatory Benefit:

  • Demonstrates data protection controls to SEC/FINRA
  • Evidence for SOX 404 internal control testing
  • Reduces insider threat risk significantly

Verification & Testing

Verification Steps

  1. Device Onboarding Verification:
    • [ ] Target devices appear in Microsoft Purview
    • [ ] Device health status is healthy
    • [ ] Policy sync status is current
  2. USB Transfer Test:
    • [ ] Insert USB drive on test device
    • [ ] Attempt to copy file with sensitive data
    • [ ] Verify block/audit per policy
    • [ ] Check notification appears to user
  3. Cloud Upload Test:
    • [ ] Open browser to personal cloud storage
    • [ ] Attempt to upload labeled document
    • [ ] Verify block/audit per policy
    • [ ] Check policy tip displayed
  4. Clipboard Test:
    • [ ] Copy sensitive content from Office app
    • [ ] Attempt paste to restricted application
    • [ ] Verify action per policy
  5. Audit Log Verification:
    • [ ] Violations appear in Purview
    • [ ] Alerts generated as configured
    • [ ] Reports include device details
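The USB and network-share tests above are easy to run inconsistently by hand. The script below is an added example, not code from this control page; it creates a test file whose contents are constructed sample data (a Luhn-valid test card number and an SSN-format string with the nearby keywords the built-in SITs look for, not customer data), attempts the copy to every attached removable drive and to one unapproved share, and records the outcome per target. Assumptions not stated on the page: the test device is onboarded and the Step 4 policy is in effect, and `$UnapprovedShare` is a placeholder path belonging to the "Unauthorized Network Locations" group.

```powershell
# Added example, not part of the original control page. Exercises the USB-transfer and
# network-share rules from an onboarded test device and records the result per target.
# Assumptions: Step 4 policy active on this device; $UnapprovedShare is a placeholder path;
# the file content is constructed test data, not real customer records.

function New-DlpTestFile {
    param([string]$Path = (Join-Path $env:TEMP "fsi-dlp-test.txt"))
    # Constructed sample: 4111 1111 1111 1111 passes the Luhn check, and "Visa" / "SSN" nearby
    # supply the keyword proximity the Credit Card Number and U.S. SSN SITs use for confidence.
    $content = @"
Test record (constructed, not real customer data)
Customer SSN: 123-45-6789
Visa card number: 4111 1111 1111 1111, expiry 12/29
"@
    Set-Content -Path $Path -Value $content -Encoding UTF8
    Start-Sleep -Seconds 5     # give the on-device classifier time to evaluate the new file
    return $Path
}

function Test-EndpointDlpEgress {
    param(
        [Parameter(Mandatory)][string]$SourceFile,
        [Parameter(Mandatory)][string[]]$Targets
    )
    foreach ($target in $Targets) {
        $outcome = "Allowed"; $detail = ""
        try {
            Copy-Item -Path $SourceFile -Destination $target -ErrorAction Stop
            Remove-Item -Path $target -ErrorAction SilentlyContinue   # clean up a successful copy
        } catch {
            # Endpoint DLP surfaces a block as an access-denied failure on the write
            $denied = ($_.Exception -is [System.UnauthorizedAccessException]) -or
                      ($_.CategoryInfo.Category -eq 'PermissionDenied')
            $outcome = if ($denied) { "Blocked" } else { "Error" }
            $detail = $_.Exception.Message
        }
        [PSCustomObject]@{ Target = $target; Outcome = $outcome; Detail = $detail }
    }
}

$testFile = New-DlpTestFile

# Every removable drive currently attached (Win32_LogicalDisk DriveType 2) plus one unapproved share
$removable = Get-CimInstance Win32_LogicalDisk -Filter "DriveType = 2" |
    Select-Object -ExpandProperty DeviceID
$UnapprovedShare = "\\personal-nas\share"   # placeholder, matches the Step 7 group
$targets = @($removable | ForEach-Object { "$_\fsi-dlp-test.txt" }) + "$UnapprovedShare\fsi-dlp-test.txt"

$results = Test-EndpointDlpEgress -SourceFile $testFile -Targets $targets
$results | Format-Table -AutoSize

# Expected under the Step 4 rule: Blocked for every USB target and for the unapproved share.
# An "Allowed" row means the device is not onboarded, the policy is still in test mode, the SIT
# did not reach its confidence threshold, or the file had not been classified yet.
Remove-Item -Path $testFile -ErrorAction SilentlyContinue
```

Run it once with the policy in test mode (expect `Allowed` rows plus policy tips) and again after enforcement (expect `Blocked`), then confirm each attempt appears in the audit log with the export script under PowerShell Configuration; a blocked copy that never produces a `DLPEndpoint` audit record points at a sync or connectivity problem rather than a policy problem.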

Compliance Checklist

  • [ ] Endpoint DLP policies deployed to all Tier 2/3 devices
  • [ ] USB and removable media controls active
  • [ ] Restricted app list maintained
  • [ ] Alerts configured for high-severity violations
  • [ ] Monthly violation reports generated
  • [ ] BitLocker enabled on all Windows devices

Troubleshooting & Validation

Issue 1: Endpoint DLP Policy Not Enforcing

Symptoms: Users can transfer sensitive data without blocks

Resolution:

  1. Verify device is onboarded to Microsoft Purview
  2. Check device sync status in Purview portal
  3. Restart Defender for Endpoint service
  4. Verify policy is assigned to user's group
  5. Check for conflicting policies with lower priority

Issue 2: Excessive False Positives

Symptoms: Legitimate transfers blocked, user complaints

Resolution:

  1. Review sensitive information type accuracy
  2. Add file path exclusions for business apps
  3. Tune confidence levels in SIT definitions
  4. Create exception rules for specific workflows
  5. Consider "Audit only" for new SITs initially

Issue 3: Policy Not Syncing to Devices

Symptoms: Policy shows as "Not synced" for devices

Resolution:

  1. Check network connectivity to Microsoft services
  2. Verify Defender for Endpoint connectivity
  3. Force policy sync via registry or GPO
  4. Check for proxy/firewall blocking
  5. Restart Microsoft Defender service

Issue 4: Mac Devices Not Protected

Symptoms: macOS endpoints not enforcing policies

Resolution:

  1. Verify macOS is 11.0 or later
  2. Check Defender for Endpoint installed on Mac
  3. Grant full disk access to Defender
  4. Verify device is onboarded in Purview
  5. Check macOS-specific policy settings

Additional Resources


| Control ID | Control Name | Relationship |
| --- | --- | --- |
| 1.5 | DLP and Sensitivity Labels | Core DLP policy foundation |
| 1.13 | Sensitive Information Types | SIT definitions for detection |
| 1.15 | Encryption | BitLocker device encryption |
| 1.12 | Insider Risk | Correlates with endpoint activities |
| 1.16 | IRM for Documents | Document-level protection |

Support & Questions

For implementation support or questions about this control, contact:

  • AI Governance Lead (governance direction)
  • Compliance Officer (regulatory requirements)
  • Technical Implementation Team (platform setup)

Updated: Dec 2025
Version: v1.0 Beta (Dec 2025)
UI Verification Status: ❌ Needs verification