

Help protect files that Endpoint Data Loss Prevention doesn't scan

This article uses the process you learned in Design a data loss prevention policy to show you how to create a Microsoft Purview Data Loss Prevention (DLP) policy that helps protect files that Endpoint DLP doesn't support. Work through these scenarios in your test environment to familiarize yourself with the policy creation UI.

Important

This article presents a hypothetical scenario with hypothetical values. It's only for illustrative purposes. Substitute your own sensitive information types, sensitivity labels, distribution groups, and users.

How you deploy a policy is as important as policy design. This article shows you how to use the deployment options so that the policy achieves your intent while avoiding costly business disruptions.

Apply controls to all unsupported files

Note

Apply controls to all unsupported files is in preview.

Use this scenario to apply Audit, Block, or Block with override controls on user activities for files that aren't on the Monitored files list without enumerating all the file extensions through the File extension is condition. Use this configuration to create a blanket policy to place controls on files like .mp3, .wav, and .dat.

Caution

The ability to apply controls to all files is a powerful capability. If you implement it without proper caution, it might have unintended consequences. Test this policy in a nonproduction environment before deploying it to your production environment. This example also shows how you can (optionally) exclude specific file extensions from the scope of the policy.

Important

This feature only supports the following action types:

  • Upload to a restricted cloud service domain
  • Copy to a removable USB device
  • Copy to a network share
  • Print

Policy intent statement and mapping

There are many types of files that endpoint DLP doesn't scan, more than we can track. We don't know if there is sensitive information in those files, and so we want to have a checkpoint in place before our users try to copy those files to a USB device or to a network share. We don't want to disrupt users' workflow for the abc file type, which is well known to us and poses no threat of data leakage.

Each part of the intent statement maps to a configuration question and its answer:

Statement: "There are many types of files that endpoint DLP doesn't scan, ..."
Configuration question answered and configuration mapping:
  - Administrative scope: Full directory
  - Where to monitor: Data stored in connected sources, Devices
  - Scope: All users, groups, devices, device groups

Statement: "...We don't want to disrupt users' workflow for the abc file type, which is well known to us and poses no threat of data leakage."
Configuration question answered and configuration mapping:
  - Endpoint settings: create an Unsupported file extension exclusions list and add the file extension abc to the list.

Statement: "...more than we can track. We don't know if there is sensitive information in those files, and so we want to have a checkpoint in place before our users try to copy those files to a USB device or to a network share..."
Configuration question answered and configuration mapping:
  - Conditions for a match: Document could not be scanned
  - Action: select Audit or restrict activities on devices
    - clear Upload to a restricted cloud service domain or access from an unallowed browser
    - select Apply restrictions to specific activity
    - select Copy to a removable USB device, and Block with override
    - select Copy to a network share, and Block with override
    - clear Copy to clipboard, Print, Copy or move using unallowed Bluetooth app, and Copy or move using RDP
    - select File could not be scanned
    - select Apply restrictions to only unsupported file extensions

Important

The difference between this feature and the File extension is condition is:

  • Endpoint DLP scans file content for the File extension is condition, so you see a Sensitive info type value on the event or alert. This feature, on the other hand, doesn't scan file content.
  • Because the File extension is condition triggers content scanning, it might consume more machine resources, such as CPU and memory, and might cause application performance issues for some file types.

Add a file type to Unsupported file extension exclusions

Use this setting to exclude file extensions from the policy.

  1. Sign in to the Microsoft Purview portal.
  2. Open Settings > Data Loss Prevention > Endpoint DLP settings > Unsupported file extension exclusions.
  3. Select Add file extensions.
  4. Provide extensions.
  5. Select Save.
  6. Close the item.

Configure policy actions

  1. Sign in to the Microsoft Purview portal.
  2. Open Data Loss Prevention > Policies.
  3. Select Data stored in connected sources.
  4. Select Create policy, select Custom from Categories, and then select Custom policy template from Regulations.
  5. Name your new policy and provide a description.
  6. Select Full directory under Admin units.
  7. Scope the location to Devices only.
  8. Create a rule where:
    1. In Conditions:
      1. Select Document could not be scanned.
    2. In Actions:
      1. Select Audit or restrict activities on devices.
      2. Clear Upload to a restricted cloud service domain or access from an unallowed browser.
      3. Select Apply restrictions to specific activity.
      4. Select Copy to a removable USB device, and Block with override.
      5. Select Copy to a network share, and Block with override.
      6. Clear Copy to clipboard, Print, Copy or move using unallowed Bluetooth app, and Copy or move using RDP.
      7. Select Apply restrictions to only unsupported file extensions.
  9. Save.
  10. Choose Turn on the policy immediately. Choose Next.
  11. Review your settings and choose Submit.

Important

You can't use Document could not be scanned together with other conditions in this scenario.
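The mapping table and the procedure above describe one rule. The following Python model, added here and not part of the article or of the Purview product, walks constructed endpoint events through that rule to show which files it matches and which restriction results. The monitored-extension set is a stand-in for the real Monitored files list, and the reading of the "Apply restrictions to only unsupported file extensions" toggle is an assumption.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the Monitored files list (extensions Endpoint DLP
# scans for content). Not the real list; substitute your own.
MONITORED_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv"}
# Endpoint settings > Unsupported file extension exclusions, per the scenario.
UNSUPPORTED_EXTENSION_EXCLUSIONS = {"abc"}
# The only activity types the feature supports (the article's list of four).
SUPPORTED_ACTIVITIES = {"cloud_upload", "usb_copy", "network_share_copy", "print"}
# Rule actions as configured in the walkthrough: USB and network share get
# Block with override; every other activity was cleared, so it gets nothing.
RULE_RESTRICTIONS = {"usb_copy": "Block with override",
                     "network_share_copy": "Block with override"}
# "Apply restrictions to only unsupported file extensions" toggle.
UNSUPPORTED_EXTENSIONS_ONLY = True


@dataclass(frozen=True)
class EndpointEvent:
    file_name: str
    activity: str
    scan_failed: bool = False  # a monitored type whose content scan failed


@dataclass(frozen=True)
class Decision:
    matched: bool               # did "Document could not be scanned" fire?
    restriction: Optional[str]  # restriction the rule applies, if any
    reason: str


def extension_of(file_name: str) -> str:
    return file_name.rsplit(".", 1)[-1].lower() if "." in file_name else ""


def evaluate(event: EndpointEvent) -> Decision:
    ext = extension_of(event.file_name)
    unsupported = ext not in MONITORED_EXTENSIONS
    # Condition: the document could not be scanned, either because its type is
    # not monitored at all or because a content scan of a monitored type failed.
    if not (unsupported or event.scan_failed):
        return Decision(False, None, "file type is content-scanned; other rules apply")
    if unsupported and ext in UNSUPPORTED_EXTENSION_EXCLUSIONS:
        return Decision(False, None, f".{ext} is on the exclusions list")
    if event.activity not in SUPPORTED_ACTIVITIES:
        return Decision(True, None, "activity not supported by this feature")
    # Assumed reading of the toggle: with it on, a monitored type that merely
    # failed scanning matches the condition but receives no restriction.
    if UNSUPPORTED_EXTENSIONS_ONLY and not unsupported:
        return Decision(True, None, "restrictions limited to unsupported extensions")
    restriction = RULE_RESTRICTIONS.get(event.activity)
    if restriction is None:
        return Decision(True, None, "activity cleared in the rule")
    return Decision(True, restriction, "activity selected in the rule")
```

Run a few events through evaluate() before turning the policy on to confirm that the exclusions list and the cleared activities behave the way your intent statement requires.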