As always, there are some technical requirements for running Endpoint DLP in your Microsoft environment. These are basically the same as before, but as a reminder we will go through them once more.
Microsoft Endpoint DLP is available in the following license subscriptions:
- Microsoft 365 E5
- Microsoft 365 A5
- Microsoft 365 E5 Compliance
- Microsoft 365 A5 Compliance
- Microsoft 365 E5 Information Protection and Governance
- Microsoft 365 A5 Information Protection and Governance
As usual, licensing is not the only requirement. You also need a supported Windows 10 installation on your computers for the feature to work: Windows 10 x64 build 1809 or later.
Beyond the operating system being at a supported level, you also need a supported version of the built-in Windows antimalware client: Antimalware Client Version 4.18.2009.7 or a more recent release.
Note
There is no requirement for the Windows Security components, such as Credential Guard, Tamper Protection, and so on, to be in active mode in order to run Endpoint DLP. You can run it independently of the Windows Security status; however, Real-time protection and Behavior monitor must be enabled.
There are some Windows updates that are not specifically a requirement for onboarding a device to Endpoint DLP; however, as they contain important fixes for issues, they should be installed prior to using the product:
- Windows 10 1809 – KB4559003, KB4577069, KB4580390
- Windows 10 1903 or 1909 – KB4559004, KB4577062, KB4580386
- Windows 10 2004 – KB4568831, KB4577063
- For devices running Office 2016 – KB4577063
The devices must be in one of these states when it comes to Azure Active Directory:
- Azure Active Directory joined
- Hybrid Azure Active Directory joined
- Azure Active Directory registered
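As an added example (not part of the book), the following PowerShell script checks a device against the prerequisites listed above before you try to onboard it. It uses standard cmdlets; the build numbers mapped to each Windows 10 release and the parsing of `dsregcmd /status` output are my assumptions, and the script should be run in an elevated session.

```powershell
# Added example: Endpoint DLP prerequisite check for one Windows 10 device.
# Version and KB values come from the requirements above; the build-number
# mapping (1809=17763, 1903=18362, 1909=18363, 2004=19041) is assumed here.
$results = [ordered]@{}

# 1. OS: Windows 10 x64, build 1809 (10.0.17763) or later
$os    = Get-CimInstance Win32_OperatingSystem
$build = [int]$os.BuildNumber
$results['OS build >= 1809 (17763)'] = ($build -ge 17763)
$results['64-bit OS']                = ($os.OSArchitecture -like '64*')

# 2. Antimalware client 4.18.2009.7 or later, with Real-time protection
#    and Behavior monitoring enabled (Windows Security itself need not be on)
$mp = Get-MpComputerStatus
$results['AM client >= 4.18.2009.7'] = ([version]$mp.AMProductVersion -ge [version]'4.18.2009.7')
$results['Real-time protection on']  = [bool]$mp.RealTimeProtectionEnabled
$results['Behavior monitoring on']   = [bool]$mp.BehaviorMonitorEnabled

# 3. Recommended (not mandatory) updates per Windows 10 release; releases
#    newer than 2004 are not in the list and get no KB check here.
#    The Office 2016 update (KB4577063) is not checked by this script.
$kbsByBuild = @{
    17763 = 'KB4559003','KB4577069','KB4580390'   # 1809
    18362 = 'KB4559004','KB4577062','KB4580386'   # 1903
    18363 = 'KB4559004','KB4577062','KB4580386'   # 1909
    19041 = 'KB4568831','KB4577063'               # 2004
}
foreach ($kb in @($kbsByBuild[$build] | Where-Object { $_ })) {
    $installed = $null -ne (Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
    $results["Update $kb installed (recommended)"] = $installed
}

# 4. Azure AD state: joined, hybrid joined, or registered.
#    Assumption: dsregcmd prints 'AzureAdJoined : YES' / 'WorkplaceJoined : YES'.
$dsreg     = dsregcmd /status
$aadJoined = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')
$wpJoined  = [bool]($dsreg -match '^\s*WorkplaceJoined\s*:\s*YES')
$results['Azure AD joined / hybrid / registered'] = ($aadJoined -or $wpJoined)

# Print a simple OK / CHECK report; anything marked CHECK should be fixed
# before onboarding the device.
$results.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'CHECK' })
}
```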
Now, with the requirements all figured out, we will proceed with our first topic of the chapter, which will guide us through how to configure policies for endpoints.
Onboarding devices to Endpoint DLP
To start using Endpoint DLP, we must onboard our devices to the solution to see them in the compliance center and get alerts if they are in breach of a DLP policy, a topic we will cover next!
For starters, we must onboard our devices to Endpoint DLP using one of the following methods:
- Local script (this option is meant for proof of concept (PoC) scenarios or demos)
- Group policy
- Microsoft Endpoint Configuration Manager
- Mobile Device Management/Microsoft Intune
- VDI onboarding scripts for non-persistent machines
Given how your environment is configured, you should choose the method that aligns best with how you currently deploy software.
Note
We need to have local administrator privileges on the device that we are going to onboard to Endpoint DLP.
The following steps will guide you through how to onboard a device to Endpoint DLP using a local script; if you are interested in guidance for the other deployment methods listed, please refer to https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-endpoints?view=o365-worldwide:
1. Sign in to the Microsoft compliance center.
2. On the left-hand side of your screen, navigate to the Settings area and select Device onboarding:
Figure 8.1 – The location of the Device onboarding settings in the Microsoft compliance center
3. Select the method you want to use for onboarding devices to Endpoint DLP under Onboarding and Deployment method:
Figure 8.2 – The available deployment methods as presented in the Microsoft compliance center
4. As stated in the introduction to these steps, we are going to choose Local script as the deployment method in this case. Select it and click Download package, which will start a download of a .zip file containing a .cmd script called DeviceComplianceLocalOnboardingScript.cmd:
Figure 8.3 – Clicking on Download package to download the onboarding script
Once the download starts, we choose where to save the .zip file, as with any download:
Figure 8.4 – Once download is initiated, you can see the .zip file as mentioned in step 4 and choose a location to save it
5. The callout in the compliance center can be discarded in this scenario as we are only onboarding a single computer to our Endpoint DLP solution. But, as stated, the same deployment scenarios are in use here as for Microsoft Defender for Endpoint, and the guidance is the same for onboarding to the compliance center solutions.
6. Once we have saved our .zip file to our computer hard drive, we need to extract the content and run the script provided:
Figure 8.5 – The .cmd script downloaded from the compliance center, ready to be used!
7. I find the easiest way to start the script is to start an elevated Command Prompt, navigate to the folder where the script is located, and execute the script:
Figure 8.6 – Using an elevated Command Prompt to execute the script, to make sure that you are running it as administrator
8. And we have successfully onboarded our device to the Endpoint DLP solution. Please note that although the script states the device has been onboarded to Microsoft Defender for Endpoint, this is not the case; it is simply a typo on Microsoft's part.
9. If we head back to the Devices portion of the Device onboarding page, we should see our device in the list:
Figure 8.7 – The Devices list shows us all of the onboarded devices in Endpoint DLP
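As an added example (not from the book or from Microsoft), the following PowerShell snippet performs steps 6 to 8 from an elevated session and then verifies the result locally rather than relying on the script's closing message. The .zip path is a placeholder, and the registry key and service name used for verification are my assumptions based on the onboarding mechanism shared with Microsoft Defender for Endpoint (see step 5).

```powershell
# Added example: extract the downloaded package, run the local onboarding
# script elevated, and verify the device's onboarding state afterwards.
$zip  = 'C:\Path\To\DownloadedPackage.zip'   # placeholder: where you saved the .zip
$dest = Join-Path $env:TEMP 'EndpointDlpOnboarding'

Expand-Archive -Path $zip -DestinationPath $dest -Force
$script = Join-Path $dest 'DeviceComplianceLocalOnboardingScript.cmd'
if (-not (Test-Path $script)) { throw "Onboarding script not found in $dest" }

# The script needs local administrator rights; -Verb RunAs raises the UAC
# prompt, and the script asks for a Y/N confirmation in its own window.
$proc = Start-Process -FilePath 'cmd.exe' -ArgumentList "/c `"$script`"" `
            -Verb RunAs -Wait -PassThru
"Onboarding script exit code: $($proc.ExitCode)"

# Verification (assumed key/service): the onboarding package uses the same
# sensor mechanism as Defender for Endpoint, so read that sensor's status
# instead of trusting the script's output text.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
if ($state -eq 1) { 'Device reports onboarded (OnboardingState = 1)' }
else              { "Device not onboarded yet (OnboardingState = '$state')" }
Get-Service -Name Sense -ErrorAction SilentlyContinue |
    Select-Object Name, Status, StartType
```

The device may take a while to appear in the Devices list of the compliance center even after the local state shows 1, so treat the portal list (Figure 8.7) as the final confirmation.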
This concludes the topic of onboarding devices to Endpoint DLP using the Local script method. Up next, we will take a deeper look at what settings we can configure in Endpoint DLP.