Forum Discussion
learnazure_ad (Copper Contributor)
Feb 18, 2025
Purview -> DLP -> Settings -> Endpoint DLP Settings
I have configured Browser and Domain Restrictions to sensitive data, with a condition of a sensitivity label. I used Allow for a whitelist of sites, and all others should be blocked. I created and assigned a DLP policy. I assigned the DLP policy to SharePoint/OneDrive/Devices, all sites/all users & groups/all users & groups. The sensitivity label is published/assigned. But it is not blocking the web sites.
What am I missing? My understanding is that DLP policies should inherit the DLP settings by default.
I cannot seem to 'onboard' devices in Purview, as it is greyed out.
I have MS Business Premium, which includes MS Defender for Business, MS InTune.
- Eniola_Alabetutu (Copper Contributor)
Go to the Defender portal settings to enable web content filtering, then go to the web content filtering section to create a policy. Ensure the Intune connector is enabled and your devices are properly onboarded to Intune.
- learnazure_ad (Copper Contributor)
WCF is a general setting that goes by whatever MS decides; there is no visibility into what sites it blocks or allows.
- duliprb (Brass Contributor)
Hi @learnazure_ad, I think there are a few factors involved here:
1. Licensing
I can confirm Defender for Business under Business Premium is working well for the endpoint protection part.
Endpoint DLP requires some higher licenses; that's why Endpoint DLP onboarding is grayed out. E.g. M365 E5, Information Protection and Governance E5.
2. Features
If you just want to block or allow sites, Defender for Business can help there; confirm whether you have enabled "network protection". If you are looking to block sites based on content, you need Endpoint DLP.
Based on this, can you confirm exactly which features are needed, so I can help you where you need support exactly. :)
- learnazure_ad (Copper Contributor)
Hi. Appreciate the response. We were using WIP before and would like the same functionality and possibly to expand on it. Given my research, reading and site configurations, I believe this is all doable. I have further been directed by Microsoft techs to get a Defender for Endpoint standalone license, and the configurations should 'kick in', which has not happened when I purchased Defender for Endpoint for one user for testing.
Core needs:
- have a whitelist of sites, and block others based on file sensitivity label. I believe this is done by "Browser and domain restrictions to sensitive data".
- allow/block apps from accessing data based on file sensitivity label.
- disable printing and other actions if needed on sensitive files.
I think I may be on a new thread of why it is not working. We have one license for Defender for Endpoint and many for Defender for Business. Apparently we cannot mix licenses and it will revert to the lowest license. Not sure at this point, but going to get more Endpoint licenses and see if this fixes the issue.
- duliprb (Brass Contributor)
Hi learnazure_ad, thanks for clarifying. I think WIP is mostly outdated. The next solution you have is Defender for Endpoint + Microsoft Purview. In Business Premium, you have Defender for Business (likely the same functionality as Defender for Endpoint P2, obviously with some limitations). However, the Defender that comes in Business Premium is sufficient to get the Defender function required. For your website blocking based on sensitive data, as I said, you need Information Protection and Governance E5, which provides the Endpoint DLP capability. If we drill down to website blocking when sensitive data is available: 1. We can block uploading data to an external website. 2. Block the website if required. This requires the Purview browser extension and the Purview Endpoint DLP capability. Your "mixed license" scenario does not apply, as Defender for Business is sufficient to work in your scenario. There is another scenario, which we call WCF, web content filtering based on categories such as Gambling, Gaming etc.; you can achieve that functionality through Defender for Business.
- duliprb (Brass Contributor)
Hi @learnazure_ad, it looks like your licenses do not support the Endpoint DLP capability, so you cannot restrict your websites even though you have sensitive information. Truly, Endpoint DLP provides an exceptional list of controls that can be implemented throughout the organization. Defender for Endpoint P2 does not directly provide you with the ability to block websites when sensitive data is available. However, you get access to the web content filtering capability. Therefore, you need to demarcate the difference between Endpoint Protection and Endpoint DLP. Endpoint DLP comes with licenses like Information Protection and Governance E5.
- learnazure_ad (Copper Contributor)
We were previously getting this with MS Business Premium via MS Intune Windows Information Protection. If MS's plan is to move these features to E5+ teams, at 2x or more cost, this is not a viable solution. 3rd-party software offers the same features for much, much less.
- luchete (Steel Contributor)
Hi learnazure_ad,
The DLP policy isn't working because you might be missing a few setup steps. First, check that the "Endpoint DLP" feature is properly configured and enabled in the Microsoft 365 compliance center. Also, ensure that the devices are onboarded in Defender for Endpoint. Since you're using MS Defender for Business, make sure that it's fully integrated with Purview for device management. The greyed-out "onboard" option might be due to missing permissions or incomplete setup in Defender for Endpoint. Lastly, verify the correct assignment of the DLP policy to your device profiles, as DLP policies need to be explicitly applied to devices in Purview.
Let me know if you're still having issues so we can move forward.
Regards
- learnazure_ad (Copper Contributor)
We do not have Defender for Endpoint. Is this what is missing?
- luchete (Steel Contributor)
Hey learnazure_ad,
Yes, Defender for Endpoint is a key component for managing and enforcing Endpoint DLP settings. Without Defender for Endpoint, the device management features in Purview may not function as expected. Since you’re using MS Business Premium, you might not have Defender for Endpoint included, as it’s part of Microsoft 365 E5 or Defender for Business. You’d need to upgrade or integrate Defender for Endpoint to enable full DLP functionality across devices.
Regards