-Many aspects of Endpoint data loss prevention (DLP) behavior are controlled by centrally configured settings. Settings are applied to all DLP policies for devices.

-

-You must configure these settings if you intend to control:

-## DLP settings

-Before you get started, you should set up your DLP settings.

-### Endpoint DLP Windows 10/11 and macOS settings

-### Advanced classification scanning and protection

-Advanced classification scanning and protection allows the more advanced Microsoft Purview cloud based data classification service to scan items, classify them and return the results to the local machine. This means you can take advantage of classification techniques like [exact data match](create-custom-sensitive-information-types-with-exact-data-match-based-classification.md) classification, and [named entities](named-entities-learn.md) in your DLP policies.

-When advanced classification is turned on, content is sent from the local device to the cloud services for scanning and classification. If bandwidth utilization is a concern, you can set a limit on how much can be used in a rolling 24 hour period. The limit is configured in Endpoint DLP settings and is applied per device. If you set a bandwidth utilization limit and it's exceeded, DLP stops sending the user content to the cloud. At this point data classification continues locally on the device but classification using exact data match, named entities, and trainable classifiers aren't available. When the cumulative bandwidth utilization drops below the rolling 24 hour limit, communication with the cloud services resumes.

-If bandwidth utilization isn't a concern, you select **No limit** to allow unlimited bandwidth utilization.

-> Support for advanced classification is available for Office (Word, Excel, PowerPoint) and PDF file types.

-> [!NOTE]

-> DLP policy evaluation always occurs in the cloud, even if user content is not being sent.

-> Advanced classification must be enabled to see contextual text for DLP rule matched events in Activity explorer. Learn more about contextual text at [Contextual summary](dlp-learn-about-dlp.md#contextual-summary). Be sure that you have applied KB5016688 for Windows 10 devices and KB5016691 for Windows 11 devices.

-### File path exclusions

-Open [Microsoft Purview compliance portal](https://compliance.microsoft.com) > **Data loss prevention** > **Endpoint DLP settings** > **File path exclusions**.

-You may want to exclude certain paths from DLP monitoring, DLP alerting, and DLP policy enforcement on your devices because they're too noisy or donΓÇÖt contain files you're interested in. Files in those locations won't be audited and any files that are created or modified in those locations won't be subject to DLP policy enforcement. You can configure path exclusions in DLP settings.

-#### Windows 10/11 devices

-You can use this logic to construct your exclusion paths for Windows 10/11 devices:

-#### macOS devices

-Similar to Windows 10/11 devices you can add your own exclusions for macOS devices.

-##### Recommended file path exclusions (preview)

-For performance reasons, Endpoint DLP includes a list of recommended file path exclusions for macOS devices. These exclusions are turned on by default. You can disable them if you want by toggling the **Include recommended file path exclusions for Mac** toggle. The list includes:

-### Set up evidence collection for file activities on devices (preview)

-DLP can copy items that match policies on devices to an [Azure storage account](/azure/storage/common/storage-account-overview.md). This is useful for auditing policy activity and troubleshooting why a specific item matched a policy. Use this section to add name and url of storage account. Before you enable this feature, you must create an Azure storage account and a container in the storage account and configuring permissions. As you configure this, keep in mind that you'll probably want to use a storage account that's in the same Azure region/geopolitical boundary as your tenant. You should also consider configuring [Azure storage account access tiers](/azure/storage/blobs/storage-blob-storage-tiers.md) and [Azure storage account pricing](/azure/storage/common/storage-account-overview#pricing.md).

-### Network share coverage and exclusions (preview)

-> To use **Network share coverage and exclusions** devices must have these updates applied:

-**Network share coverage and exclusions** extends endpoint DLP policies and actions to new and edited files on network shares and mapped network drives. If [just in time protection (preview)](endpoint-dlp-learn-about.md#just-in-time-protection-preview) is also enabled, it will also be extended to cover network shares and mapped drives when you enable network share coverage and exclusions. If you want to exclude a specific network path for all monitored devices, add the path value in **Exclude these network share paths**.

-|Enabled |Disabled |- DLP policies that are scoped to Devices are applied to all network shares and mapped drives that the device is connected to. [Devices actions](dlp-policy-reference.md#devices-actions) |

-|Disabled |Enabled |- Just in time protection is applied only to the files that are on storage devices that are local to the endpoint. |

-|Enabled |Enabled |- DLP policies that are scoped to Devices are applied to all network shares and mapped drives that the device is connected to. [Devices actions](dlp-policy-reference.md#devices-actions) </br>- Just in time protection is applied to all the network shares and mapped drives that the device is connected to. |

-**Network share coverage and exclusions** complements [DLP On-premises repository actions](dlp-on-premises-scanner-learn.md#dlp-on-premises-repository-actions).

-### Restricted apps and app groups

-#### Restricted apps

-**Restricted apps** (previously called **Unallowed apps**) is a list of applications that you create. You configure what actions DLP takes when a user uses an app on the list to ***access*** a DLP protected file on a device. It's available for Windows 10/11 and macOS devices.

-When **Access by restricted apps** is selected in a policy and a user uses an app that is on the restricted apps list to access a protected file, the activity is `audited`, `blocked`, or `blocked with override` depending on how you configured it. That is unless the same app is a member of a **Restricted app group**, then the actions configured for activities in the **Restricted app group** override the actions configured for the access activity for the **Restricted apps** list. All activity is audited and available to review in activity explorer.

-> Do not include the path to the executable, but only the executable name (such as browser.exe).

-> [!IMPORTANT]

-> The action (`audit`, `block with override`, or `block`) defined for apps that are on the restricted apps list only applies when a user attempts to ***access*** a protected item.

-#### File activities for apps in restricted app groups (preview)

-Restricted app groups are collections of apps that you create in DLP settings and then add to a rule in a policy. When you add a restricted app group to a policy, you can take the actions defined in this table.

-|Don't restrict file activity |Tells DLP to allow users to access DLP protected items using apps in the app group and don't take any actions when the user attempts to **Copy to clipboard**, **Copy to a USB removable drive**, **Copy to a network drive**, and **Print** from the app. |

-|Apply a restriction to all activity |Tells DLP to `Audit only`, `Block with override`, or `Block` when a user attempts to access a DLP protected item using an app that's in this app group |

-|Apply restrictions to a specific activity |This setting allows a user to access a DLP protected item using an app that is in the app group and allows you to select a default action (`Audit only`, `Block`, or `Block with override`) for DLP to take when a user attempts to **Copy to clipboard**, **Copy to a USB removable drive**, **Copy to a network drive**, and **Print**. |

-> Settings in a restricted app group override any restrictions set in the restricted apps list when they are in the same rule. So, if an app is on the restricted apps list and is a member of a restricted apps group, the settings of the restricted apps group is applied.

-#### How DLP applies restrictions to activities

-Interactions between **File activities for apps in restricted app groups**, **File activities for all apps** and the **Restricted app activities** list are scoped to the same rule.

-##### Restricted app groups overrides

-##### Restricted app activities and File activities for all apps

-The configurations of **Restricted app activities** and **File activities for all apps** work in concert if the action defined for **Restricted app activities** is either `Audit only`, or `Block with override` in the same rule. This is because actions defined for **Restricted app activities** only apply when a user accesses a file using an app that's on the list. Once the user has access, the actions defined for activities in **File activities for all apps** apply.

-Here's an example:

-If Notepad.exe is added to **Restricted apps** and **File activities for all apps** is configured to **Apply restrictions to specific activity** and both are configured like this:

-User A opens a DLP protected file using Notepad. DLP allows the access and audits the activity. While still in Notepad, User A then tries to copy to clipboard from the protected item, this works and DLP audits the activity. User A then tries to print the protected item from Notepad and the activity is blocked.

-##### File activities for all apps only

-If an app isn't in **File activities for apps in restricted app groups** or isn't in the **Restricted app activities** list or is in the **Restricted app activities** list with an action of `Audit only`, or 'Block with override`, any restrictions defined in the **File activities for all apps** are applied in the same rule.

-#### macOS devices

-Just like on Windows devices, you'll now be able to prevent macOS apps from accessing sensitive data by defining them in the **Restricted app activities** list.

-> Note that cross platform apps must be entered with their unique paths respective to the OS they are running on.

-1. On the macOS device, open **Activity Monitor**. Find and double-click the process you want to restrict

-2. Choose **Open Files and Ports** tab.

-3. For macOS apps, you need the full path name, including the name of the app.

-#### Protect sensitive data from cloud synchronization apps

-To prevent sensitive items from being synced to the cloud by cloud sync apps, like *onedrive.exe*, add the cloud sync app to the **Unallowed apps** list. When an unallowed cloud-sync app tries to access an item that is protected by a blocking DLP policy, DLP may generate repeated notifications. You can avoid these repeated notifications by enabling the **Auto-quarantine** option under **Unallowed apps**.

-##### Autoquarantine

-When enabled, Autoquarantine kicks in when an unallowed app attempts to access a DLP protected sensitive item. Autoquarantine moves the sensitive item to an admin configured folder and can leave a placeholder **.txt** file in the place of the original. You can configure the text in the placeholder file to tell users where the item was moved to and other pertinent information.

-You can use autoquarantine to prevent an endless chain of DLP notifications for the user and adminsΓÇösee [Scenario 4: Avoid looping DLP notifications from cloud synchronization apps with autoquarantine](endpoint-dlp-using.md#scenario-4-avoid-looping-dlp-notifications-from-cloud-synchronization-apps-with-auto-quarantine).

-### Unallowed Bluetooth apps

-Prevent people from transferring files protected by your policies via specific Bluetooth apps.

-#### Unallowed browsers

-For Windows devices you add browsers, identified by their executable names, that will be blocked from accessing files that match the conditions of an enforced a DLP policy where the upload to cloud services restriction is set to block or block override. When these browsers are blocked from accessing a file, the end users see a toast notification asking them to open the file through Microsoft Edge.

-3. For macOS apps, you need the full path name, including the name of the app.

-> [!NOTE]

-> The **Service domains** setting only applies to files uploaded using Microsoft Edge or Google Chrome with the [Microsoft Purview Chrome Extension](dlp-chrome-learn-about.md) installed.

-When the **Service domains** list is set to **Allow**, DLP policies won't be applied when a user attempts to upload a sensitive file to any of the domains on the list.

-If the list mode is set to **Allow**, any user activity involving a sensitive item and a domain that's on the list will be audited. The activity is allowed. When a user attempts an activity involving a sensitive item and a domain that *isn't* on the list then DLP policies, and the actions defined in the policies, are applied.

-User attempts to:

- - The user activity is allowed, audited, an event is generated, but it won't list the policy name or the triggering rule name in the event details, and no alert is generated.

-but if a user attempts to:

- - The policy is applied and the user activity is blocked. An event is generated, and an alert is generated.

-When the **Service domains** list is set to **Block**, DLP policies are applied when a user attempts to upload a sensitive file to any of the domains on the list.

-If the list mode is set to **Block**, when a user attempts an activity involving a sensitive item and a domain that is on the list then DLP policies, and the actions defined in the polices, are applied. Any activity involving a sensitive item and a domain that isn't on the list will be audited and the user activity is allowed.

-For example, with this configuration:

-User attempts to:

- - The user activity is blocked, but the user can override the block, an event is generated and an alert is triggered.

-but if a user attempts to:

- - The policy *isn't* applied and the user activity is audited. An event is generated, but it won't list the policy name or the triggering rule name in the event details, and no alert is generated.

-> When the service restriction mode is set to "Allow", you must have at least one service domain configured before restrictions are enforced.

-Summary table

-Use the FQDN format of the service domain without the ending `.` when you add a domain to the list.

-Up to 50 domains can be configured under Service domains.

-#### Sensitive service domains

-When you list a website in Sensitive services domains you can audit, block with override, or block users when they attempt to:

-For the print, copy data and save actions, each website must be listed in a website group and the user must be accessing the website through Microsoft Edge. For the upload action, the user can be using Microsoft Edge or Google Chrome with the Purview extension. Sensitive service domains is used with a DLP policy for Devices. You can also define website groups that you want to assign policy actions to that are different from the global website group actions. See, [Scenario 6 Monitor or restrict user activities on sensitive service domains](endpoint-dlp-using.md#scenario-6-monitor-or-restrict-user-activities-on-sensitive-service-domains) for more information.

-You can add maximum 50 websites into one group and can create maximum 20 groups.

-##### Supported syntax for designating websites in a website group

-Don't add protocol, for example, https://, file:// into the URL. You can use a flexible syntax to include and exclude domains, subdomains, websites, and subsites in your website groups.

-When you add a URL without a terminating `/`, that URL is scoped to that site and all subsites.

-This syntax applies to all http/https websites.

-Here are some examples:

-|URL that you add to the website group |URL will match | URL won't match|

-Up to 20 groups and 50 domains per group can be configured under Sensitive Service domains.

-### Additional settings for endpoint DLP

-#### Business justification in policy tips

-##### Customizing the options in the drop-down menu

-### Always audit file activity for devices

-File activity will always be audited for onboarded devices, regardless of whether they're included in an active policy.

-### Printer groups

-Use this setting to define groups of printers that you want to assign policy actions to that are different from the global printing actions. For example, say you want your DLP policy to block printing of contracts to all printers, except for printers that are in the legal department.

-You can add maximum 50 printers into one group and can create maximum 20 groups.

-This feature is available for devices running any of the following Windows versions:

-You define a printer by these parameters:

- - USB product ID - Get the Device Instance path value from the printer device property details in device manager. Convert it to Product ID and Vendor ID format, see [Standard USB identifiers](/windows-hardware/drivers/install/standard-usb-identifiers).

- - USB vendor ID - Get the Device Instance path value from the printer device property details in device manager. Convert it to Product ID and Vendor ID format, see [Standard USB identifiers](/windows-hardware/drivers/install/standard-usb-identifiers).

-You assign each printer in the group a **Display name**. The name only appears in the Purview console. So, continuing with the example, you would create a printer group named **Legal printers** and add individual printers (with an alias) by their friendly name, like `legal_printer_001`, `legal_printer_002` and `legal_color_printer`.

-You can multi-select the parameters to help you unambiguously identify a specific printer.

-You can assign these policy actions to the group in a DLP policy:

-#### Create a Printer group

-1. Open [Microsoft Purview compliance portal](https://compliance.microsoft.com) > **Data loss prevention** > **Endpoint DLP settings** > **Printer groups**.

-1. Give the printer an **Alias that will only appear here.

-The most common use case is to use printers groups as an allowlist as in the above example for allowing the printing of contracts only to printers that are in the legal department. After you define a printer group here, it's available to be used in your policies that are scoped to **Devices**. See, [Scenario 7 Authorization groups](endpoint-dlp-using.md#scenario-7-authorization-groups) for more information on configuring policy actions to use authorization groups.

-### Removable storage device groups

-Use this setting to define groups of removable storage devices, like USB thumb drives, that you want to assign policy actions to that are different from the global printing actions. For example, say you want your DLP policy to block copying of items with engineering specifications to all removeable storage devices, except for USB connected hard drives that are used to back up data and are then sent offsite.

-You can add maximum 50 removable storages into one group and can create maximum 20 groups.

-This feature is available for devices running any of the following Windows versions:

-You can define removeable storage devices by these parameters:

-You assign each removable storage device in the group an **Alias**. The alias is a name that only appears in the Purview console. So, continuing with the example, you would create a removable storage device group named **Backup** and add individual devices (with an alias) by their friendly name, like `backup_drive_001`, and `backup_drive_002`.

-You can multi-select the parameters and then the printer group will include all devices that satisfy those parameters.

-#### Create a Removable storage device group

-1. Select **Create removable storage device group**.

-1. Provide a **Group name**.

-1. Select **Add removable storage device**.

-1. Provide an **Alias**.

-1. Select the parameters and provide the values to unambiguously identify the specific device.

-1. Select **Add**.

-1. Add other devices to the group as needed.

-1. Select **Close**.

-The most common use case is to use removable storage devices groups as an allowlist as in the above example for allowing the copying of files only to devices that are in the **Backup** group. After you define a removable storage device group here, it's available to be used in your policies that are scoped to **Devices**. See, [Scenario 7 Authorization groups](endpoint-dlp-using.md#scenario-7-authorization-groups) for more information on configuring policy actions to use authorization groups. While scenario 7 uses printer authorization groups as an example, the principles are identical. The only thing that changes are the names of the groups and the actions you select.

-### Network share groups

-Use this setting to define groups of network share paths that you want to assign policy actions to that are different from the global network share path actions. For example, say you want your DLP policy to block when users attempt to save or copy protected files to network shares except the network shares in this group.

-This feature is available for devices running any of the following Windows versions:

-You include network share paths by defining the prefix that they all start with. For example:

- - '\\USers\user1\Desktop'

- - '\\USers\user1\user2\Desktop'

-You can assign these policy actions to the group in a DLP policy:

-#### Create a Network Share group

-The most common use case is to use network share group as an allowlist as in the above example for allowing users to save or copy protected files only to the network shares that are defined in the group. After you define a networks share group here, it's available to be used in your policies that are scoped to **Devices**. See, [Scenario 7 Authorization groups](endpoint-dlp-using.md#scenario-7-authorization-groups) for more information on configuring policy actions to use authorization groups.

-### VPN settings

-This feature is available for devices running any of these versions of Windows:

-

-When you list a VPN in **VPN Settings** you can assign these policy actions to them:

-These actions can be applied individually or collectively to these user activities:

-You define VPN by these parameters **Server address** or **Network address**.

-#### Get the Server address or Network address

-1. Run this cmdlet

-3. Running this cmdlet returns multiple fields and values.

-1. Find the **ServerAddress** field and record that value. You'll use this when you create a VPN entry in the VPN list.

-1. Find the **Name** field and record that value. The **Name** field maps to the **Network address** field when you create a VPN entry in the VPN list.

-#### Add a VPN

-1. Provide either the **Server address** or **Network address** from running Get-VpnConnection.

-See, [Scenario 8 Network exceptions](endpoint-dlp-using.md#scenario-8-network-exceptions-preview)for more information on configuring policy actions to use network exceptions.

-|Upload to cloud service, or access by unallowed browsers | Detects when a user attempts to upload an item to a restricted service domain or access an item through a browser. If they're using a browser that is listed in DLP as an unallowed browser, the upload activity will be blocked and the user is redirected to use Microsoft Edge. Microsoft Edge will then either allow or block the upload or access based on the DLP policy configuration. You can block, warn, or audit when protected files are prevented from or allowed to be uploaded to cloud services based on the allow/unallowed domains list in global settings. When the configured action is set to warn or block, other browsers (defined on unallowed browsers list under Global settings) are blocked from accessing the file. |Supported |Supported|Auditable and restrictable|

-|Copy to other app |Detects when a user attempts to copy information from a protected item and then paste it into another app, process or item. It also detects when a user copies and pastes content among files within the same app, process or item for Word, Excel, and PowerPoint.|Supported|Supported | Auditable and restrictable|

-|Create an item|Detects when a user creates an item.|Supported |Supported |Auditable|

-|Rename an item|Detects when a user renames an item.|Supported |Supported |Auditable|

-|Copy to clipboard| When this activity is detected, you can block, warn, or audit data the copying of protected files to a clipboard on an endpoint device. |Supported | Supported|Auditable and restrictable|

- If the **Always audit file activity for devices** setting is on, activities on any Word, PowerPoint, Excel, PDF, and .csv file are always audited even if the device is not targeted by any policy.

-Endpoint DLP monitors activity-based on MIME type, so activities will be captured even if the file extension is changed for these files types:

-Device management is the functionality that enables the collection of telemetry from devices and brings it into Microsoft Purview solutions like Endpoint DLP and [insider risk management](insider-risk-management.md). You'll need to onboard all devices you want to use as locations in DLP policies.

-If you have onboarded devices through [Microsoft Defender for Endpoint](../security/defender-endpoint/configure-machines-onboarding.md), those devices will automatically show up in the list of devices. This is because onboarding to Defender also onboards devices to DLP. You only need to **Turn on device monitoring** to use endpoint DLP.

-Endpoint DLP can use **Just in time protection** once it is enabled in **Microsoft Purview compliance console** > **Settings**.

-You can prevent a file from being permanently blocked if policy evaluation starts on a file, but doesn't complete. Use the **Just in time protection configuration** fallback setting to either **Allow** or **Block** egress activities if policy evaluation doesn't complete <!--in 30 seconds-->. You configure fallback settings in **Microsoft Purview compliance console** > **Settings** > **Just in time protection configuration** > **Decide what happens if JIT protection fails**.

-1. Check Activity explorer for data from the monitored endpoints. Set the location filter for devices and add the policy, then filter by policy name to see the impact of this policy; see [Get started with activity explorer](data-classification-activity-explorer.md), if needed.

-

-6. For the purposes of this scenario, choose **Send alert every time an activity matches the rule**.

-7. Choose **Save**.

-8. Retain all your previous settings by choosing **Next** and then **Submit** the policy changes.

-9. Attempt to share a test item that contains content that will trigger the U.S. Personally Identifiable Information (PII) Data condition with someone outside your organization. This should trigger the policy.

-10. Check Activity explorer for the event.

-1. Choose the **U.S. Personally Identifiable Information (PII) Data** policy that you created in scenario 1.

-## Scenario 4: Avoid looping DLP notifications from cloud synchronization apps with auto-quarantine

-## Before you begin scenario 4

-In this scenario, synchronizing files with the **Highly Confidential** sensitivity label to OneDrive is blocked. This is a complex scenario with multiple components and procedures. You will need:

-1. Configure the Endpoint DLP Auto-quarantine settings.

-### Configure Endpoint DLP unallowed app and Auto-quarantine settings

-1. Log in to the Windows 10 computer with the user account you specified in [Configure a policy to block OneDrive synchronization of files with the sensitivity label Highly Confidential](#configure-a-policy-to-block-onedrive-synchronization-of-files-with-the-sensitivity-label-highly-confidential) step 5.

-1. Create a folder whose contents will not be synchronized to OneDrive. For example:

-1. Open Microsoft Word and create a file in the auto-quarantine source folder. Apply the **Highly confidential** sensitivity label; see [Apply sensitivity labels to your files and email in Office](https://support.microsoft.com/topic/apply-sensitivity-labels-to-your-files-and-email-in-office-2f96e7cd-d5a4-403b-8bd7-4cc636bae0f9).

- > Opening autoquarantine doc 1.docx with this app is not allowed. The file will be quarantined to 'C:\Users\IsaiahLanger\Microsoft DLP\OneDrive'

-1. Check Activity explorer for data from the monitored endpoints. Set the location filter for devices and add the policy, then filter by policy name to see the impact of this policy; see [Get started with activity explorer](data-classification-activity-explorer.md), if needed.

-With Endpoint DLP and Microsoft Edge Web browser, you can restrict unintentional sharing of sensitive items to unallowed cloud apps and services. Edge understands when an item is restricted by an Endpoint DLP policy and enforces access restrictions.

-When you select **Devices** as a location in a properly configured DLP policy and use the Microsoft Edge browser, the unallowed browsers that you've defined in these settings will be prevented from accessing the sensitive items that match your DLP policy controls. Instead, users will be redirected to use Microsoft Edge which, with its understanding of DLP imposed restrictions, can block or restrict activities when the conditions in the DLP policy are met.

-This configuration will help ensure your data remains safe while also avoiding unnecessary restrictions that prevent or restrict users from accessing and sharing non-sensitive items.

-1. Create and scope a policy that is applied only to the **Devices** location. See, [Create and Deploy data loss prevention policies](dlp-create-deploy-policy.md) for more information on how to create a policy. Be sure to scope the **Admin units** to **Full directory**.

-## Scenario 6 Monitor or restrict user activities on sensitive service domains

-1. In the action select **Add or remove Sensitive site groups**.

-1. Select the **Sensitive site groups** you want. Any website under the group(s) you select here will be redirected to Edge when opened in Chrome browser (with Purview extension installed).

-1. Select the user activities you want to monitor or restrict and the actions you DLP to take in response to those activities.

-## Scenario 7 Authorization groups

-Authorization groups are mostly used as allow lists. You assigned policy actions to the group that are different than the global policy actions. In this scenario, we'll go through defining a printer group and then configuring a policy with block actions for all print activities except for the printers in the group. These procedures are essentially the same for **Removeable storage device groups**, and **Network share groups**.

-## Scenario 8 Network exceptions (preview)

-Network exceptions enables you to configure Allow, Audit only, Block with override, and Block actions to the file activities based on the network that users are accessing the file from. You can select from the [VPN settings](dlp-configure-endpoint-settings.md#vpn-settings) list you defined and **Corporate network** option. The actions can be applied individually or collectively to these user activities:

- - [Endpoint DLP policies can be applied to network shares](dlp-configure-endpoint-settings.md#network-share-coverage-and-exclusions-preview)

- - Support for [endpoint DLP policies in Azure virtual desktop, Citrix Virtual Apps and Desktops 7, Amazon virtual workspaces and Hyper-v environments](endpoint-dlp-getting-started.md#endpoint-dlp-support-for-virtualized-environments-preview)

-> This article is intended for enterprise admins and IT Pros who manage security settings for organizations. If you are not an enteprise admin or IT Pro but you have questions about block at first sight, see the [Not an enterprise admin or IT Pro?](#not-an-enterprise-admin-or-it-pro) section.

-|Configuration|Turn on/off data_loss_prevention|`mdatp config data_loss_prevention --value [enabled/disabled]`|

-|Health|Check for a spefic product attribute|`mdatp health --field [attribute: healthy/licensed/engine_version...]`|

-The following sections enumerate additional information about the service's data usage, compliance, and availability. For more information about Microsoft's commitment in valuing and protecting your data, visit the [Trust Center](https://aka.ms/trustcenter-dex4hunting) > scroll down to **Additional products and services** > **Managed Security Services** > [**Microsoft Defender Expert for Hunting**](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE51fRH).

->- See availability for the above enviroments here: [Microsoft Defender for Endpoint for US Government customers](/microsoft-365/security/defender-endpoint/gov?view=o365-worldwide&preserve-view=true)

-> EOP uses its own mail flow delivery agent to route messages to the Junk Email folder instead of using the junk email rule in the mailbox. The _Enabled_ parameter on the **Set-MailboxJunkEmailConfiguration** cmdlet has any effect on mail flow for Exchange Online mailboxes. EOP routes messages based on the actions set in anti-spam policies. The user's Safe Sender list and Blocked Senders continue to work as usual.

-> Users in the organization can't send email to these blocked domains and addresses. They'll receive the following non-delivery report (also known as an NDR or bounce message): `550 5.7.703 Your message can't be delivered because one or more recipients are blocked by your organization's tenant recipient block policy.` The entire message is blocked for all recipients of the message, even if only one recipient email address or domain is defined in a block entry.