Troubleshoot and Manage Microsoft Purview Data Loss Prevention for your Endpoint Devices

This post has been republished via RSS; it originally appeared at: Microsoft Tech Community - Latest Blogs.

Endpoint Data Loss Prevention (Endpoint DLP) is part of the Microsoft Purview Data Loss Prevention (DLP) suite of features you can use to discover and protect sensitive items across Microsoft 365 services. Microsoft Endpoint DLP allows you to detect and protect sensitive content across onboarded Windows 10, Windows 11 and macOS devices. Learn more about all of Microsoft's DLP offerings.

 

Welcome to our comprehensive guide to assist you in navigating any potential challenges with your endpoint devices for Microsoft Purview Endpoint DLP! This playbook provides detailed instructions for effectively managing your Endpoint DLP setup and resolving situations that could compromise its effectiveness. Tailored to enhance your understanding of device health, this resource empowers you to implement self-remediation actions, ensuring you can address concerns on your own.

 

Step 1: Verify Your Device Health Status

The device onboarding page serves as your one-stop destination for monitoring the current status of all your onboarded devices. To evaluate the health of your devices, it’s crucial to understand the device configuration and policy synchronization status. When assessing the device configuration and policy sync status, there are three possible scenarios you may encounter, each requiring specific actions for resolution:

Both the Configuration status and the Policy sync status columns show one of three values:

Updated

  • Configuration status: This status indicates that your device’s configuration is up to date with the recommended settings. No further action is needed.
  • Policy sync status: Your device has successfully synced with the latest policy updates. No further action is needed.

Not Updated

  • Configuration status: Certain settings need attention. In this scenario, follow the provided remediation guidance to enable the required settings.
  • Policy sync status: The device has not synced with the latest policy updates. To address this, identify the policies pending sync and investigate them. *Please note that policy updates may take up to 2 hours to reflect on the device onboarding dashboard. (For immediate policy sync verification, refer to Remediation Option #2.)

Not Available

  • Configuration status and policy sync status: Your device does not have the necessary OS version to provide visibility into its properties. To address this, install the required OS version on your device.

 

Begin by examining the columns displaying these statuses and use the filtering options to tailor your investigation. You should ensure that your devices are correctly configured to support Microsoft Purview Endpoint DLP. Several configuration attributes must be enabled for the configuration status to be considered up to date. These attributes include behavior monitoring, real-time protection (for Windows devices), accessibility, and full disk access (for macOS). To verify this, apply the configuration status filter and select “Not Updated” to pinpoint devices that require attention because a required configuration is disabled.

 

Ensuring that policies have successfully synced across all devices is essential. To verify this, use the policy sync status filter and select “Not Updated” to view the devices that have not yet received the latest policy changes. Let’s look at an example:


In the example above, both the configuration and policy sync status are flagged as “Not Updated.” Here’s what this means:

  • Configuration Status: This indicates that certain settings need attention. In this scenario, Real Time Protection needs to be enabled. To address this, follow the provided remediation guidance, which includes detailed instructions on how to enable this setting.
  • Policy Sync Status: This indicates that the device hasn’t synced with the latest policy updates. Specifically, it hasn’t downloaded the latest policy version of Edisco Policy 7.

*Please note that policy updates may take up to 2 hours to reflect on the device onboarding dashboard. However, for situations requiring immediate verification of policy sync, such as high-frequency testing in pilot for a specific set of devices, please refer to remediation option #2.
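As an added worked example (not code from this post or from Microsoft), the following Python applies the Step 1 decision logic to a handful of constructed device records, producing the same three buckets you would get from the portal filters: configuration “Not Updated” (with the disabled attribute), policy sync “Not Updated” (with the pending policies), and “Not Available”. The record layout, the policy version numbers, and the per-OS grouping of the required configuration attributes are assumptions made for the illustration; the portal’s export format is not shown on this page.

```python
"""Triage device-onboarding records the way Step 1 of the post describes.

Constructed example: the record layout and the policy version numbers are
assumptions for illustration; the Purview portal export is not shown on the
page and may differ.
"""
from dataclasses import dataclass, field

# Attributes the post lists as required for an "Updated" configuration status.
# The per-OS grouping (Windows: behavior monitoring and real-time protection;
# macOS: accessibility and full disk access) is this example's reading of the
# post's wording, i.e. an assumption.
REQUIRED_CONFIG = {
    "Windows": ("behavior_monitoring", "real_time_protection"),
    "macOS": ("accessibility", "full_disk_access"),
}


@dataclass
class Device:
    name: str
    os_family: str                                  # "Windows" or "macOS"
    os_supported: bool                              # False models the "Not Available" case
    config: dict = field(default_factory=dict)      # attribute -> enabled?
    downloaded: dict = field(default_factory=dict)  # policy name -> version on device


def configuration_status(dev):
    """Return (status, missing_attributes) for the Configuration status column."""
    if not dev.os_supported:
        return "Not Available", []
    missing = [a for a in REQUIRED_CONFIG[dev.os_family] if not dev.config.get(a)]
    return ("Updated" if not missing else "Not Updated"), missing


def policy_sync_status(dev, published):
    """Return (status, pending_policies) for the Policy sync status column.

    `published` maps policy name -> latest version in the Purview portal.
    A policy is pending when the device holds an older version or none at all.
    """
    if not dev.os_supported:
        return "Not Available", []
    pending = sorted(p for p, v in published.items() if dev.downloaded.get(p, 0) < v)
    return ("Updated" if not pending else "Not Updated"), pending


def triage(devices, published):
    """Group devices by the remediation each one needs, mirroring the portal filters."""
    report = {"config_not_updated": {}, "policy_not_updated": {}, "not_available": []}
    for dev in devices:
        cfg, missing = configuration_status(dev)
        _sync, pending = policy_sync_status(dev, published)
        if cfg == "Not Available":
            report["not_available"].append(dev.name)
            continue
        if missing:
            report["config_not_updated"][dev.name] = missing
        if pending:
            report["policy_not_updated"][dev.name] = pending
    return report


# Constructed sample data (policy versions are made up for the example).
PUBLISHED = {"Edisco Policy 7": 3, "Finance Policy": 1}
DEVICES = [
    Device("WIN-01", "Windows", True,
           {"behavior_monitoring": True, "real_time_protection": False},
           {"Edisco Policy 7": 2, "Finance Policy": 1}),
    Device("MAC-01", "macOS", True,
           {"accessibility": True, "full_disk_access": True},
           {"Edisco Policy 7": 3, "Finance Policy": 1}),
    Device("WIN-02", "Windows", False, {}, {}),
]

if __name__ == "__main__":
    for bucket, entries in triage(DEVICES, PUBLISHED).items():
        print(bucket, entries)
```

Running it reproduces the post’s example: WIN-01 lands in both “Not Updated” buckets (real-time protection disabled, Edisco Policy 7 pending), MAC-01 needs nothing, and WIN-02 is “Not Available” because its OS is unsupported.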

 

Step 2: Verifying Additional Device Attributes

It’s important to go beyond assessing the configuration and policy sync status alone. Thoroughly examining the additional device attributes on the device onboarding page is essential for gaining a comprehensive understanding of each device. Using the available device details, you can proactively ensure that all your devices are operating at their best:

  • Last seen: The most recent time the device was detected online.
  • Last policy sync time: Timestamp of the last time the device downloaded (“synced”) the latest policy versions.
  • OS: Current operating system.
  • Defender engine version: Version of the antivirus engine.
  • Defender Mocamp version: Version of the Defender client (“Microsoft Malware Protection Center”).
  • MDATP device ID: Unique identifier assigned to this device.
  • Valid user: Confirmation that an authenticated user was found.
  • Sensitive Data Activity: View all sensitive data activity for this device in the last 30 days.
  • Advanced classification bandwidth usage exceeded: Shows whether the bandwidth usage limit for Advanced Classification has been exceeded in the past 24 hours.
  • Endpoint DLP status: Shows whether Endpoint DLP is enabled or disabled for the device.


Now, let’s dive into another example:


In the example provided, both the configuration and policy sync statuses are flagged as “Not Available.” This indicates a common issue:

  • Missing OS version: Your device does not have the necessary OS version, which impedes its ability to provide visibility into its properties. To address this, install the required OS version on your device. Detailed instructions on how to install it can be found in the provided link.

 

Troubleshooting High-Frequency Testing Scenarios

If you’re conducting high-frequency testing, which involves a small test setup for a limited number of users and frequent policy changes before deployment in the production environment, you may need to quickly verify policy sync for testing purposes. This verification might be required much earlier than the information flows into your device onboarding page since policy updates can take up to two hours to reflect on the device onboarding dashboard. To meet this need, we have DisplayDlpPolicy.exe, a tool that you can run directly on the user device to immediately verify successful policy sync.


Here’s how to interpret the output after running the command:

Download timestamp

This line shows when the policy was downloaded to the device, giving the exact date and time at which the policy versions were retrieved onto the machine.

Last policy update time (in Purview portal)

This line shows when the policy was last updated in the Purview portal, that is, the moment modifications were made to the policy.

Names of the policies and rules currently downloaded on the device

You can also view the names of the policies and rules currently enforced on the device.


Common Scenario:

If you’ve created a new policy or modified an existing one and want to ensure it reaches the device, utilize the DisplayDlpPolicy.exe tool to confirm.

Successful

Check that the download timestamp is more recent than the last policy update time (in Purview portal). This indicates that the device has successfully downloaded the latest policy updates.

 

The device onboarding page can take up to 2 hours to reflect the policy-sync status as “Updated”. If you have confirmed that the device has downloaded the policy update, no further action is required on your part. Please wait for the device onboarding page to update the policy sync status accordingly.

 

Unsuccessful

If the device has not successfully downloaded the latest policy versions, proceed to submit a support ticket. 
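The successful/unsuccessful decision above is a comparison of two timestamps plus the two-hour dashboard lag. As an added example (not code from this post or from the DisplayDlpPolicy.exe tool), the following Python encodes that rule, including the one detail that commonly produces a false “Unsuccessful”: the device-side download timestamp and the portal-side update time may be reported in different time zones, so both are normalised to UTC before comparing. The timestamp strings are constructed, and the ISO-8601 layout is an assumption, not the tool’s actual output format.

```python
"""Apply the post's DisplayDlpPolicy.exe check: the download timestamp must be
more recent than the last policy update time shown for the Purview portal.

Added example; the timestamps below are constructed and the ISO-8601 layout
is an assumption, not the tool's real output format.
"""
from datetime import datetime, timezone, timedelta

# The device onboarding page can lag a real sync by up to 2 hours (from the post).
DASHBOARD_LAG = timedelta(hours=2)


def parse_ts(text):
    """Parse an ISO-8601 timestamp and normalise it to UTC.

    A value without an offset is assumed to be UTC (assumption of this example);
    comparing a device-local time against a UTC portal time is a classic source
    of false 'Unsuccessful' verdicts, so everything is converted first.
    """
    ts = datetime.fromisoformat(text)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts.astimezone(timezone.utc)


def sync_verdict(download_ts, portal_update_ts, now):
    """Return the post's Successful/Unsuccessful verdict and the next action."""
    downloaded = parse_ts(download_ts)
    updated = parse_ts(portal_update_ts)
    current = parse_ts(now)
    if downloaded > updated:
        # The device holds the latest version; the dashboard may still show
        # "Not Updated" for up to DASHBOARD_LAG after the download.
        may_lag = current - downloaded < DASHBOARD_LAG
        return {
            "verdict": "Successful",
            "dashboard_may_lag": may_lag,
            "action": "wait for the device onboarding page to catch up" if may_lag else "none",
        }
    return {
        "verdict": "Unsuccessful",
        "dashboard_may_lag": False,
        "action": "submit a support ticket",
        "behind_by": str(updated - downloaded),
    }


if __name__ == "__main__":
    # Constructed values: policy edited at 09:50 UTC, device downloaded at 10:15 UTC.
    print(sync_verdict("2024-03-06T10:15:00+00:00",
                       "2024-03-06T09:50:00+00:00",
                       "2024-03-06T11:00:00+00:00"))
```

The second assertion in the test below shows the time-zone point: a download stamped 03:15 in UTC-7 is 10:15 UTC and therefore newer than a 09:50 UTC portal edit, even though a naive string comparison would call it stale.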

 

Evidence Collection for Support Analysis:

After completing the troubleshooting steps outlined earlier, and if self-remediation hasn’t been successful, it’s time to gather evidence for comprehensive support analysis. Here’s how we would recommend you gather the evidence before you raise a support case.

 

Navigate to the device onboarding page and select the device you want to investigate. Within the device details section, you’ll find important device properties that should be included (if applicable) when submitting a support ticket:

  • OS
  • Defender engine version
  • Defender client version
  • Device ID
  • Valid user

Don’t forget to take advantage of the link provided to learn how to collect device logs using the MDE Client Analyzer.

 


By collecting and providing this essential information, you enable our support teams to resolve your issue more efficiently. Mastering the process of diagnosing and resolving Microsoft Purview Endpoint DLP issues is crucial. By following the step-by-step guidance outlined in this playbook, you’ve equipped yourself with insights into identifying, troubleshooting, and remedying common issues. With the tools and knowledge provided, you’re well prepared to maintain your Microsoft Purview Endpoint DLP setup with confidence.
