This chapter covers Endpoint Data Loss Prevention (Endpoint DLP) for Windows devices, a critical capability for protecting sensitive data on managed endpoints. For the MS-102 exam, questions about Endpoint DLP appear in the Security Threats domain (Objective 3.3) and typically account for 5–10% of the exam. You must understand how Endpoint DLP integrates with Microsoft 365 Compliance Center, how policies are configured and deployed, and how the agent enforces rules on Windows devices. This chapter provides the deep technical knowledge needed to answer scenario-based questions and avoid common traps.
Imagine a high-security corporate office where every document that leaves a desk must be inspected by a guard stationed at each door. The guard has a set of rules: no documents with "Confidential" watermarks may exit, and any document containing credit card numbers must be shredded before leaving. The guard does not just check the document title; they scan the content page by page. If a document is allowed to leave, the guard stamps it with an audit timestamp and logs who took it. However, the guard cannot stop someone from memorizing the content and walking out—that's a different threat. In this analogy, the guard is the Endpoint DLP agent installed on each Windows device. The rules are DLP policies defined in Microsoft 365 Compliance Center. The agent intercepts file operations (copy, paste, print, USB transfer) and inspects the content using sensitive information types and machine learning classifiers. If a violation is detected, the agent blocks the action, shows a policy tip to the user, and reports the incident to the unified audit log. The agent does not inspect network traffic (that's network DLP) or cloud uploads (that's cloud DLP). It only controls data at rest and in use on the endpoint. The guard's log is the Activity Explorer, and the shredding action is the automatic encryption or blocking of the file. This mechanistic parallel makes it clear: Endpoint DLP is a content-aware, rule-based enforcement agent that operates at the OS level on Windows devices.
### What is Endpoint DLP and Why It Exists
Endpoint Data Loss Prevention (Endpoint DLP) is a Microsoft 365 compliance feature that extends DLP capabilities to data in use on Windows devices. Traditional DLP solutions focus on data in transit (email, network traffic) and data at rest (SharePoint, OneDrive). However, sensitive data is often accessed and manipulated on endpoints—laptops, desktops, and servers—where users can copy, paste, print, or transfer files to removable media. Endpoint DLP fills this gap by monitoring and controlling these actions in real time.
The primary driver for Endpoint DLP is the need to prevent accidental or malicious data leaks from endpoints. For example, an employee might copy a customer list containing personal data to a USB drive, or paste confidential financial data into a personal email. Without endpoint controls, these actions go undetected. Endpoint DLP allows organizations to enforce policies that block, warn, or audit such activities based on the content's sensitivity.
### How Endpoint DLP Works Internally
Endpoint DLP uses a lightweight agent installed on Windows 10/11 devices (build 1809 or later) or Windows Server 2019/2022. The agent is deployed via Microsoft Intune or Group Policy. Once installed, the agent integrates with the Windows operating system at the kernel level to intercept file operations and clipboard activities.
#### Agent Architecture
The agent consists of two main components:
- DLP Service: A Windows service (Microsoft DLP Service) that runs in the background and communicates with the Microsoft 365 Compliance Center to download policies and upload audit events.
- File System Filter Driver: A kernel-mode driver that intercepts file I/O operations such as Create, Write, Copy, Rename, and Delete. It also hooks clipboard operations for copy/paste.
When a user attempts to perform an action on a file (e.g., copy to USB), the filter driver captures the operation and passes the file content to the DLP service for inspection. The service evaluates the content against active policies using sensitive information types (SITs), trainable classifiers, and policy rules.
#### Policy Evaluation Flow
1. Action Trigger: The user performs an action on a file (for example copy, paste, print, or save to removable media). The filter driver detects the action and pauses it.
2. Content Extraction: The DLP service reads the file content. For text-based files (Office documents, PDFs, text files) it extracts the text; for binary files it may rely on an IFilter or on file metadata.
3. Content Analysis: The service scans the content for sensitive data using SITs (e.g., credit card numbers, social security numbers, passport numbers) and trainable classifiers (e.g., financial data, health records). It also checks file properties such as Microsoft Information Protection sensitivity labels.
4. Policy Matching: The service evaluates the action against all applicable policies. Policies define conditions (e.g., "if content contains SSN and action is copy to removable media") and actions (block, block with override, audit only, or notify the user with a policy tip).
5. Enforcement: If a policy matches, the agent enforces the configured action. For block, the file operation is prevented and the user sees a notification explaining why. For audit only, the operation proceeds but is logged. For block with override, the user can justify the action (e.g., "This is a business need") and the override is logged.
6. Audit Logging: The DLP service sends an audit event to the Microsoft 365 unified audit log. Events include user, device, file name, action, policy matched, and justification (if an override was used). These events appear in Activity Explorer in the Compliance Center.
#### Key Components and Defaults
- Policy Scope: Policies can target users or groups via Azure AD groups. They can also be scoped to devices managed by Intune or Configuration Manager.
- Locations: Endpoint DLP policies apply to Windows devices only. They can be configured to monitor specific actions: Clipboard (copy to clipboard, copy from clipboard to an unallowed app), Removable Media (copy to USB, SD card, external drive), Network Share (copy to network share), Printer (print to local or network printer), Bluetooth (transfer via Bluetooth), and Unallowed Apps (copy/paste to unallowed browsers or apps).
- Unallowed Apps: Administrators can define a list of unallowed apps (e.g., personal email clients, cloud storage apps) using app names or executable paths. If a user copies sensitive data to an unallowed app, the action is blocked.
- Policy Tips: Users see a notification in the system tray when an action is blocked or warned. The policy tip can include a custom message and a link to a training page.
- Override: For block with override policies, users can provide a business justification. Overrides are logged and can be reviewed by administrators.
- Default Action: If no policy matches, the action is allowed.
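As an added illustration (not Microsoft's agent code and not code from this chapter), the following Python model walks one file operation through the evaluation flow above: the 100 MB inspection limit, SIT detection, policy matching on action plus content, the default allow, the most-restrictive-action rule the chapter describes under edge cases, override justification, and the resulting audit event. The SIT patterns, policy names, user, device and file content are constructed stand-ins.

```python
import re
from dataclasses import dataclass

# Chapter defaults: files over 100 MB are skipped with an audit event; no match = allow.
MAX_INSPECT_BYTES = 100 * 1024 * 1024
# Outcomes from least to most restrictive: block beats audit, and block
# without override beats block with override.
SEVERITY = {"allow": 0, "audit": 1, "block_with_override": 2, "block": 3}
# Constructed stand-ins for two built-in SITs (real SITs add keywords and confidence levels).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits: str) -> bool:
    """Checksum that cuts false positives on card-number-shaped digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def detect_sits(text: str) -> set:
    """Content analysis step: return the SITs present in the extracted text."""
    found = set()
    if SSN_RE.search(text):
        found.add("US_SSN")
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            found.add("CREDIT_CARD")
            break
    return found

@dataclass(frozen=True)
class Policy:
    name: str
    sits: frozenset       # rule fires if any of these SITs is present ...
    actions: frozenset    # ... and the user action is one of these
    enforcement: str      # a key of SEVERITY

def evaluate(file_name, content, size_bytes, action, policies,
             user="user@example.com", device="LAPTOP-01", justification=None):
    """Run one file operation through the flow; return (outcome, audit_event)."""
    event = {"user": user, "device": device, "file": file_name, "action": action,
             "policies": [], "sits": [], "justification": justification}
    if size_bytes > MAX_INSPECT_BYTES:
        event["skipped"] = "file exceeds 100 MB inspection limit"
        return "allow", event
    sits = detect_sits(content)
    matched = [p for p in policies if action in p.actions and sits & p.sits]
    event["sits"] = sorted(sits)
    event["policies"] = [p.name for p in matched]
    if not matched:
        return "allow", event          # default action when no policy matches
    outcome = max((p.enforcement for p in matched), key=SEVERITY.__getitem__)
    if outcome == "block_with_override" and justification:
        event["overridden"] = True     # operation proceeds; justification is logged
        return "allow", event
    return outcome, event

# Constructed sample policies modelled on the scenarios in this chapter.
POLICIES = [
    Policy("Audit SSN copies and prints", frozenset({"US_SSN"}),
           frozenset({"copy_to_removable_media", "print"}), "audit"),
    Policy("Block SSN to removable media", frozenset({"US_SSN"}),
           frozenset({"copy_to_removable_media"}), "block"),
    Policy("Card data to USB needs justification", frozenset({"CREDIT_CARD"}),
           frozenset({"copy_to_removable_media"}), "block_with_override"),
]
SAMPLE = "Customer 123-45-6789, card 4111 1111 1111 1111"  # constructed content
```

Running `evaluate("clients.xlsx", SAMPLE, 2_000_000, "copy_to_removable_media", POLICIES)` matches all three policies and returns "block", while the same file sent to "print" matches only the audit rule.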
#### Configuration and Verification Commands
Endpoint DLP policies are configured in the Microsoft 365 Compliance Center under Data Loss Prevention > Policies. To create a policy, select "Endpoint DLP" as the location. You can also use PowerShell via the Security & Compliance Center PowerShell module.
To verify agent status on a device, use the following PowerShell command as administrator:
```powershell
Get-Service -Name "Microsoft DLP Service" | Format-List Name, Status, StartType
```

The service should be running with StartType Automatic. You can also check the DLP agent version in the registry:

```powershell
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Cloud Data Loss Prevention\Agent" | Select-Object Version
```

For troubleshooting, review the DLP agent logs at %ProgramData%\Microsoft\Cloud Data Loss Prevention\Logs. Use Get-WinEvent to query the DLP operational log:

```powershell
Get-WinEvent -LogName "Microsoft-Windows-CloudDataLossPrevention/Operational" | Select-Object TimeCreated, Id, Message
```

#### Interaction with Related Technologies
- Microsoft Information Protection (MIP): Endpoint DLP can use sensitivity labels to classify content. Labels can be applied automatically or manually. Policies can condition on labels (e.g., block copying of "Highly Confidential" labeled files).
- Microsoft Defender for Endpoint: Endpoint DLP shares the same agent infrastructure as Defender for Endpoint on Windows. However, DLP policies are separate. Alerts from DLP can be correlated with Defender incidents via Microsoft 365 Defender.
- Intune: Device configuration profiles can deploy the DLP agent and policy settings. Intune is the recommended method for managing Windows devices.
- Activity Explorer: This is the central dashboard for viewing DLP events. It shows the top actions, users, and policies. Data is retained for 30 days by default.
### Important Numbers and Defaults
- Policy sync interval: The agent checks for policy updates every 90 minutes by default. A sync can be forced by restarting the DLP service.
- Audit log retention: 90 days for DLP events in the unified audit log (requires appropriate licensing).
- File size limit: The agent inspects files up to 100 MB. Larger files are skipped with an audit event.
- Supported file types: Over 100 file types including Office documents, PDF, text, CSV, XML, HTML, RTF, and image files (via OCR).
- Policy tip timeout: The policy tip notification remains visible for 30 seconds or until the user dismisses it.
### Edge Cases and Exam Traps
- Clipboard monitoring: Endpoint DLP can monitor clipboard operations, but it does not intercept screen captures or screenshots. The exam may test that DLP does not prevent screen grabs.
- Removable media: Blocking copy to USB does not block reading from USB. Users can still open files from USB; only copying to USB is controlled.
- Unallowed apps: The list of unallowed apps is defined by executable name or path. It does not block copy/paste to system apps like Notepad unless configured.
- Multiple policies: If multiple policies apply, the most restrictive action is enforced. For example, if one policy blocks and another audits, the block takes precedence.
- Policy inheritance: Policies are not inherited from parent groups; each policy must be explicitly assigned to users/groups.
#### Install DLP Agent on Device
Deploy the Endpoint DLP agent to Windows devices using Microsoft Intune or Group Policy. In Intune, create a device configuration profile for Windows 10/11, select 'Endpoint Protection' > 'Microsoft Defender for Endpoint' > 'Microsoft 365 Data Loss Prevention' and set 'Enable DLP' to Yes. The agent downloads automatically. Verify installation by checking for the 'Microsoft DLP Service' in services.msc. The agent must be installed on all devices where DLP enforcement is required. The exam may test that the agent is required for Endpoint DLP to function.
#### Configure DLP Policy in Compliance Center
In the Microsoft 365 Compliance Center, navigate to Data Loss Prevention > Policies > Create policy. Choose 'Endpoint DLP' as the location. Define the policy name, description, and scope (users/groups). Add conditions such as 'Content contains sensitive info types' (e.g., U.S. Social Security Number) and 'Actions' (e.g., Copy to removable media). Set the action to 'Block' or 'Block with override'. Configure policy tips. The policy must be saved and published. The agent will download the policy within 90 minutes or upon service restart.
#### Sync Policy to Endpoint Agent
The DLP agent on the endpoint checks for policy updates every 90 minutes via a secure connection to Microsoft 365. To force an immediate sync, restart the 'Microsoft DLP Service' on the device. Alternatively, the user can sign out and sign back in. The agent downloads the policy and stores it locally. If the device is offline, the last known policy remains in effect. The exam may ask about the default sync interval and how to force sync.
#### User Attempts a Blocked Action
A user tries to copy a file containing sensitive data (e.g., a spreadsheet with credit card numbers) to a USB drive. The file system filter driver intercepts the write operation. The DLP service extracts the content, scans for SITs, and finds a match. The policy condition is met. The agent blocks the write operation and displays a policy tip notification in the system tray: 'This action is blocked by your organization's data loss prevention policy.' The user cannot complete the action. The event is logged.
#### Audit Event Sent to Compliance Center
The DLP agent sends an audit event to the Microsoft 365 unified audit log. The event includes: user UPN, device name, file name and path, action attempted, policy name, rule name, SITs matched, and whether an override was attempted. The event appears in Activity Explorer within 15 minutes. Administrators can review these events to identify policy violations. The audit log is retained for 90 days. The exam may test that DLP events are visible in Activity Explorer.
### Enterprise Scenario 1: Financial Services Firm Protecting PII
A large bank has 10,000 Windows laptops used by financial advisors who handle customer PII (social security numbers, account numbers). The compliance team needs to prevent data leaks via USB drives and personal email. They deploy Endpoint DLP with a policy that blocks copying of any file containing a U.S. Social Security Number (SIT) to removable media or to unallowed apps (e.g., personal Gmail, Dropbox). The policy allows override with a business justification for legitimate transfers (e.g., sending encrypted files to a partner). In production, the DLP agent is deployed via Intune to all managed devices. The policy is scoped to all users. Performance is negligible; the agent adds about 1% CPU overhead during file inspection. Common misconfigurations: forgetting to add all unallowed apps (e.g., missing the personal email client), or not testing the policy on a pilot group first. When misconfigured, legitimate business workflows are blocked, causing user frustration. The bank uses Activity Explorer to monitor overrides and identify potential insider threats.
### Enterprise Scenario 2: Healthcare Organization Protecting PHI
A hospital network uses Endpoint DLP to protect Protected Health Information (PHI) on Windows workstations. They configure a policy that audits all print actions on files containing patient health information (e.g., diagnosis codes, medical record numbers). They also block copying PHI to network shares that are not authorized. The policy uses the 'U.S. Health Insurance Claim Number' SIT and a trainable classifier for medical records. The hospital has 5,000 devices. A challenge is that many devices are shared workstations; the DLP agent works per device, not per user. The policy is scoped to all devices. The hospital uses Microsoft Defender for Endpoint integration to correlate DLP events with malware alerts. A common issue: users copy PHI to network shares for printing, but the policy blocks it because the share is not in the allowed list. The IT team must maintain an allowed list of authorized shares. The exam may test that DLP can be scoped to devices, not just users.
### Scenario 3: Legal Firm Protecting Confidential Documents
A law firm uses sensitivity labels to classify documents as 'Confidential' or 'Highly Confidential'. They configure Endpoint DLP to block printing of 'Highly Confidential' documents and to warn when copying them to USB. The policy condition uses the sensitivity label as a condition. The firm has 2,000 Windows devices. They also use unallowed apps to block copy/paste to web-based AI tools like ChatGPT. In production, they found that the DLP agent does not inspect files larger than 100 MB, so they had to split large documents. They also learned that clipboard monitoring only works for copy/paste, not for drag-and-drop or screenshots. The exam may test that sensitivity labels can be used as conditions in DLP policies.
### MS-102 Exam Focus on Endpoint DLP

This topic is covered under Objective 3.3: Implement and manage data loss prevention (DLP). Specifically, the exam tests your ability to:

- Configure Endpoint DLP policies for Windows devices
- Understand the integration with Microsoft 365 Compliance Center
- Troubleshoot common issues (agent not enforcing, policy not syncing)
- Identify the scope of Endpoint DLP (actions, locations, unallowed apps)
#### Common Wrong Answers and Why Candidates Choose Them
- 'Endpoint DLP can block screenshots': Candidates assume that because DLP monitors the clipboard, it also blocks screen captures. In reality, Endpoint DLP does not intercept screen capture operations (e.g., Snipping Tool, Print Screen). The exam tests that DLP cannot prevent a user from taking a screenshot of sensitive data.
- 'Endpoint DLP policies apply to all devices automatically': Candidates think that enabling DLP in the tenant automatically protects all devices. Actually, policies must be explicitly scoped to users/groups and devices must have the agent installed. The exam may present a scenario where a policy is created but not enforced because the agent is missing.
- 'Endpoint DLP can block copy to network shares': While true, candidates often forget that the policy must specify the exact action. If the policy only blocks 'Copy to removable media', copying to a network share is allowed. The exam tests that each action must be individually configured.
- 'DLP policies sync immediately': Candidates assume policy changes take effect instantly. The default sync interval is 90 minutes. The exam may ask how to force a sync (restart the DLP service).
#### Specific Numbers and Terms That Appear on the Exam
- Default sync interval: 90 minutes
- File size limit: 100 MB
- Policy tip timeout: 30 seconds
- Audit log retention: 90 days
- Agent support: Windows 10/11 build 1809+, Windows Server 2019/2022
- SITs: Over 200 built-in sensitive information types
- Unallowed apps: Defined by executable name or path
#### Edge Cases and Exceptions
- Offline devices: The agent uses the last cached policy when offline. Changes made while offline are queued and sent when the device reconnects.
- Multiple policies: The most restrictive action applies. If one policy blocks and another audits, the block wins.
- Override justification: If a policy allows override, the user can type a reason. The reason is logged and visible in Activity Explorer.
- Clipboard monitoring: Only works for copy/paste operations. It does not block drag-and-drop or file save operations.
#### How to Eliminate Wrong Answers
- If a scenario describes preventing data loss via screenshots, eliminate Endpoint DLP as the solution.
- If a scenario involves unmanaged devices (non-Windows, not enrolled), Endpoint DLP cannot help.
- If a scenario requires blocking email attachments, use Exchange DLP or Microsoft Purview Message Encryption, not Endpoint DLP.
- If a scenario mentions a policy not working, suspect that the agent is not installed or the policy has not synced.
- Endpoint DLP protects data in use on Windows devices by monitoring actions like copy to USB, print, clipboard, and unallowed apps.
- The DLP agent must be installed on each Windows device; deployment is typically via Intune or Group Policy.
- Policies are configured in Microsoft 365 Compliance Center and sync to endpoints every 90 minutes by default.
- File inspection is limited to files up to 100 MB; larger files are skipped and logged.
- Endpoint DLP cannot block screenshots or prevent data exfiltration via screen capture.
- The most restrictive action applies when multiple policies match; block overrides audit.
- Unallowed apps are defined by executable name or path; clipboard monitoring only works for copy/paste operations.
- DLP events are visible in Activity Explorer and retained in the unified audit log for 90 days.
- Override with business justification is supported for 'Block with override' policies.
- Endpoint DLP integrates with Microsoft Information Protection (sensitivity labels) and Microsoft Defender for Endpoint.
These come up on the exam all the time. Here's how to tell them apart.

#### Endpoint DLP (Windows)

- Monitors data in use on Windows endpoints (copy, paste, print, USB).
- Requires agent installation on each device.
- Policies can block or audit actions in real time.
- Integrates with sensitivity labels and SITs.
- Cannot inspect data at rest in cloud services.

#### Cloud DLP (Microsoft 365)

- Monitors data at rest in SharePoint, OneDrive, and Exchange.
- No agent required; works at the service level.
- Policies can block sharing, apply encryption, or generate alerts.
- Also integrates with sensitivity labels and SITs.
- Cannot control actions on endpoints (e.g., USB copy).
**Mistake:** Endpoint DLP can block all forms of data exfiltration, including screenshots and printing.

**Correct:** Endpoint DLP can block printing (if configured) but cannot block screenshots. It monitors clipboard, removable media, network shares, Bluetooth, and unallowed apps. Screenshot prevention requires additional controls like Windows Information Protection (WIP) or third-party solutions.

**Mistake:** Endpoint DLP policies apply to all devices in the tenant automatically.

**Correct:** Policies must be explicitly scoped to users or groups. Additionally, the DLP agent must be installed on the device. Without the agent, policies are not enforced. The exam often tests this by presenting a scenario where a policy exists but is not working because the agent is missing.

**Mistake:** Endpoint DLP can inspect files larger than 100 MB.

**Correct:** The agent skips files larger than 100 MB and logs an audit event. This is a hard limit. For larger files, organizations must use other DLP solutions (e.g., cloud DLP for SharePoint). The exam may ask about the file size limit.

**Mistake:** Policy changes take effect immediately on endpoints.

**Correct:** The agent checks for policy updates every 90 minutes by default. To force an immediate sync, you must restart the Microsoft DLP Service or sign out/in. The exam may test the default sync interval.

**Mistake:** Endpoint DLP can block copy/paste to any application.

**Correct:** Only applications listed as 'unallowed apps' are blocked. The list is defined by executable name or path. Common unallowed apps include personal email clients, cloud storage apps, and AI tools. System apps like Notepad are not blocked unless added.
The default sync interval is 90 minutes. The DLP agent on the endpoint checks for policy updates every 90 minutes. To force an immediate sync, restart the 'Microsoft DLP Service' on the device. The exam may ask this value directly.
No, Endpoint DLP cannot block screenshots. It monitors clipboard, removable media, network shares, Bluetooth, printing, and unallowed apps. Screenshot prevention is not a capability of Endpoint DLP. For that, you would need Windows Information Protection (WIP) or third-party solutions.
Endpoint DLP inspects files up to 100 MB. Files larger than 100 MB are skipped, and an audit event is logged. This is a hard limit. The exam may test this as a common gotcha.
The recommended method is via Microsoft Intune. Create a device configuration profile for Windows 10/11, select 'Endpoint Protection' > 'Microsoft Defender for Endpoint' > 'Microsoft 365 Data Loss Prevention' and set 'Enable DLP' to Yes. Alternatively, you can use Group Policy. The agent is part of the Microsoft Defender for Endpoint client.
Endpoint DLP can monitor: Clipboard (copy to clipboard, copy from clipboard to unallowed app), Removable Media (copy to USB, SD card, external drive), Network Share (copy to network share), Printer (print to local or network printer), Bluetooth (transfer via Bluetooth), and Unallowed Apps (copy/paste to unallowed applications).
Yes, Endpoint DLP policies can use Microsoft Information Protection sensitivity labels as conditions. For example, you can block printing of files labeled 'Highly Confidential'. This allows integration with your existing classification strategy.
The most restrictive action is enforced. For example, if one policy blocks an action and another audits it, the block takes precedence. If one policy blocks with override and another blocks without override, the stricter block (without override) applies.