The Problem with Blanket USB Blocks
Every security team eventually arrives at the same conclusion: USB ports are an unacceptable data exfiltration vector. The naive response is to disable USB storage via Group Policy or Intune device restriction profiles. This works until the CFO cannot print, the warehouse team cannot use barcode scanners, and the design department cannot access their graphics tablets. Within a week, exceptions proliferate and the policy is effectively dead.
Microsoft Purview Endpoint DLP offers a fundamentally better approach: policy-aware, content-inspecting USB controls that block sensitive data from reaching removable storage while allowing legitimate peripheral use.
Architecture Overview
Endpoint DLP runs as part of the Microsoft Defender for Endpoint sensor. There is no additional agent to deploy. The sensor hooks into Windows file I/O operations and inspects content against your Purview DLP policies before the write operation completes.
Prerequisites:
- Microsoft 365 E5 or Microsoft 365 E5 Compliance
- Devices onboarded to Microsoft Defender for Endpoint
- Windows 10 1809+ or Windows 11
- Endpoint DLP enabled in the Purview compliance portal
Navigate to Microsoft Purview > Data loss prevention > Endpoint DLP settings to configure global settings before creating policies.
Sensitive Service Domains
Before touching USB controls, configure your sensitive service domains. These are cloud services where paste/upload of sensitive content should be controlled. Navigate to Endpoint DLP settings > Browser and domain restrictions.
Add domains like:
- Personal email: mail.google.com, outlook.live.com
- Cloud storage: dropbox.com, box.com, drive.google.com
- AI tools: chat.openai.com, bard.google.com
- Paste sites: pastebin.com, ghostbin.com
Mark your corporate domains (*.sharepoint.com, *.onmicrosoft.com) as allowed service domains so that normal business operations are unaffected.
USB Block with Peripheral Exceptions
The key to a workable USB policy is device class exceptions. USB devices identify themselves with a device class code. Storage devices are class 0x08. Printers are class 0x07. HID devices (keyboards, mice) are class 0x03.
In Endpoint DLP settings > USB devices, configure:
- Default action for removable storage: Block
- Exceptions by device class:
- 0x03 (HID) - Allow
- 0x07 (Printer) - Allow
- 0x0E (Video) - Allow (for webcams)
- 0x01 (Audio) - Allow
You can also allowlist specific USB storage devices by hardware ID for approved encrypted drives:
# Find the hardware ID of a connected USB device
Get-PnpDevice -Class DiskDrive | Where-Object {$_.FriendlyName -like "*USB*"} | Select-Object InstanceId, FriendlyName
# Example output:
# InstanceId: USB\VID_0781&PID_5583\12345678
# This VID/PID identifies a SanDisk Extreme encrypted drive
Add the VID/PID combination to the allowed removable storage devices list in the Purview portal.
Browser Upload Restrictions
Endpoint DLP can restrict uploads in both Edge (natively) and Chrome/Firefox (via the Microsoft Purview extension). Configure this under Endpoint DLP settings > Browser and domain restrictions.
For Chrome and Firefox, deploy the Purview browser extension via Intune:
- Chrome: Extension ID
echcggldkblhodogklpincgchnpgcdco - Firefox: Deploy via ADMX policy
Once installed, the extension intercepts file upload operations and evaluates them against your DLP policies. If a user attempts to upload a document labelled "Highly Confidential" to a personal Gmail attachment, the upload is blocked with a policy tip.
Application Restrictions
This is where Endpoint DLP becomes genuinely powerful. You can prevent copy/paste of sensitive content into specific applications.
Navigate to Endpoint DLP settings > Restricted apps and app groups. Create an app group called "Personal and Unmanaged Apps":
- WhatsApp Desktop:
WhatsApp.exe - Telegram:
Telegram.exe - Signal:
Signal.exe - Personal Notepad alternatives:
notepad++.exe(if not corporate-approved) - PowerShell ISE:
powershell_ise.exe(prevent script-based exfiltration)
When a user copies content from a document labelled "Confidential" or higher and attempts to paste into a restricted app, the paste operation is blocked.
# Monitor Endpoint DLP policy matches via the unified audit log
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Operations "EndpointDlpPolicyMatch" -ResultSize 5000 | ForEach-Object {
$auditData = $_.AuditData | ConvertFrom-Json
[PSCustomObject]@{
Timestamp = $_.CreationDate
User = $_.UserIds
Action = $auditData.Operation
FileName = $auditData.ObjectId
PolicyName = $auditData.PolicyDetails.PolicyName
Enforcement = $auditData.PolicyDetails.EnforcementMode
}
} | Export-Csv -Path "C:\Audit\endpoint-dlp-matches.csv" -NoTypeInformation
Enforcement Modes: Audit First, Then Block
This is non-negotiable: never deploy Endpoint DLP in block mode on day one. The recommended deployment sequence:
Phase 1: Audit Only (Weeks 1-4)
Create your DLP policy in Microsoft Purview > Data loss prevention > Policies. Set the enforcement mode to Audit only. This logs all policy matches without blocking any user action. Use this phase to tune false positives.
Phase 2: Audit with User Notification (Weeks 5-8)
Switch to Audit with policy tips. Users see a toast notification when they trigger a policy, but the action is not blocked. This trains users to recognise what constitutes a policy violation.
Phase 3: Block with Override (Weeks 9-12)
Enable Block with override. The action is blocked by default, but the user can provide a business justification to proceed. All overrides are logged and reviewed weekly.
Phase 4: Block (Week 13+)
Remove the override option. The action is hard-blocked. By this point, false positives should be minimal and users understand the boundaries.
Device Groups for Phased Rollout
Do not roll out to the entire organisation simultaneously. Create device groups in Defender for Endpoint and scope your DLP policies accordingly.
Navigate to Microsoft Defender portal > Settings > Endpoints > Device groups. Create groups:
- DLP-Pilot - IT security team devices (10-20 devices)
- DLP-EarlyAdopters - Willing business units (50-100 devices)
- DLP-Phase1 - High-risk departments (Finance, Legal, HR)
- DLP-AllDevices - Organisation-wide
Scope your Endpoint DLP policy to each group sequentially, spending at least two weeks per group.
Intune Integration
Endpoint DLP and Intune device compliance work in concert. The recommended Intune compliance policies require:
- Defender for Endpoint risk score: Medium or below
- Defender for Endpoint onboarding status: Onboarded
- BitLocker encryption: Required
Devices that fall out of compliance are blocked from accessing Microsoft 365 via Conditional Access, which means the Endpoint DLP sensor is always running on any device that has access to corporate data.
# Verify Endpoint DLP onboarding status across devices
Get-MgDeviceManagementManagedDevice -Filter "operatingSystem eq 'Windows'" | Select-Object DeviceName, ComplianceState, LastSyncDateTime | Where-Object {$_.ComplianceState -ne "compliant"} | Format-Table -AutoSize
Real Incident: The USB Drop That Did Not Work
A client in the engineering sector reported that a contractor had been observed connecting a personal USB drive to a corporate laptop. With Endpoint DLP in block mode, the drive mounted (it was allowed as a mass storage device for that device group during pilot) but every file copy operation involving documents labelled "Confidential" or above was blocked. The audit log captured the contractor's twelve failed attempts over thirty minutes. That log became the evidence pack for the subsequent disciplinary process and contract termination.
Without Endpoint DLP, those files would have walked out the door.
Closing Recommendations
Endpoint DLP is the most operationally impactful workload in the Purview suite, but it requires patience. Audit first, tune aggressively, communicate with users, and phase your rollout by device group and department. The goal is not to block everything, it is to block the right things while keeping the business running.