Good afternoon, 

I am running into an issue with DLP protecting endpoints, the following are the findings:

In purview:

– Real-Time Monitoring Enabled

– Behavior Monitoring Enabled

The devices are using CrowdStrike as the active AV client and the Defender AV client is in EDR Block Mode however when testing Policies that should restrict USB, Printing, and Copy and Paste of Sensitive Data the policies are not being enforced. The test device is not generating any alerts or notifications in the Purview portal or Toast Notifications. 

Policies are enforced via GPO:

– Real Time Monitoring

– Behavior Monitoring 

Endpoints have Windows Defender FW and Crowdstrike enabled, but have been disabled on the test device.

Any insights on why the devices are showing in the MDE Portal that RTM and BM are disabled

​Good afternoon,  I am running into an issue with DLP protecting endpoints, the following are the findings: In purview:- Real-Time Monitoring Enabled- Behavior Monitoring Enabled The devices are using CrowdStrike as the active AV client and the Defender AV client is in EDR Block Mode however when testing Policies that should restrict USB, Printing, and Copy and Paste of Sensitive Data the policies are not being enforced. The test device is not generating any alerts or notifications in the Purview portal or Toast Notifications.  Policies are enforced via GPO: – Real Time Monitoring- Behavior Monitoring  Endpoints have Windows Defender FW and Crowdstrike enabled, but have been disabled on the test device.Any insights on why the devices are showing in the MDE Portal that RTM and BM are disabled   Read More

​