Hi Emmanuel Adebayo,
It sounds like your Endpoint DLP policy that was blocking uploads to sensitive service domains (ChatGPT.com, Drive.Google.com, etc.) and generative-AI apps suddenly stopped enforcing. A few things can cause this “it was working and now it isn’t” behavior:
- Policy assignment or publish status
  • Double-check in the Microsoft Purview compliance portal that your DLP policy is still Enabled and scoped to the right users/groups/devices.
  • Go to Data loss prevention > Endpoint DLP and confirm the policy’s last publish status shows “Success.”
- Service-domain list configuration
  • Verify your “sensitive service domain” list still contains the exact domains you intend (e.g. chatgpt.com, drive.google.com). A typo or extra wildcard could mean the endpoint agent no longer matches the URL.
  • If you recently edited the list, re-publish the policy so agents pick up the updated list.
- Endpoint agent health and check-in
  • On a test device, open Event Viewer → Applications and Services Logs → Microsoft → Windows → DataLoss Prevention → Admin. Look for any errors indicating the DLP agent failed to apply the new policy or timed out.
  • Ensure the DLP agent service is running (Services.msc → “Microsoft DLP Service”) and the device has Internet access to the Purview service.
- Fallback/timeout behavior
  • By design, some uploads will be allowed if the scan takes longer than the configured timeout (2 seconds by default). If the service or device was under heavy load, the agent may have skipped enforcement.
  • Check your timeout settings in the advanced rules of your policy and consider increasing the scan timeout if you see repeated timeouts in the logs.
- Recent changes on clients or network
  • Have the devices been patched, had browsers updated, or switched to a different network/VPN? Changes can affect how URLs are reported to the endpoint agent.
  • If you’re filtering on Edge for Business or a custom browser extension, verify that it’s still correctly intercepting outbound calls.
Next-step troubleshooting
• On a repro device, try visiting one of the sensitive domains and watch the DataLoss Prevention event log in real time to see if the request is blocked or if the policy never even fires.
• Use PowerShell on the device:
    Get-DlpCompliancePolicy -Identity "YourPolicyName" | fl
  to confirm the policy settings as the agent sees them.
• If enforcement still doesn’t trigger, collect the event logs and agent logs from C:\ProgramData\Microsoft\Compliance\EPD\ and open a support case to dig deeper.
Hope these pointers help you pinpoint what changed. If you need more info, let me know:
- When exactly did enforcement stop? Any policy or client updates that day?
- Can you share snippets of the DLP event log around your test upload?
Reference list
- Learn about Endpoint data loss prevention (Endpoint DLP) – https://learn.microsoft.com/purview/endpoint-dlp-learn-about
- Microsoft Purview service description: Endpoint Data Loss Protection (DLP) – https://learn.microsoft.com/microsoft-365/servicedescriptions/microsoft-365-tenantlevel-services-licensing-guidance/microsoft-purview-service-description#microsoft-data-loss-prevention-endpoint-data-loss-protection-dlp
- Purview DLP for cloud apps in the browser – https://learn.microsoft.com/purview/dlp-browser-dlp-learn
Hope this helps. If you have any follow-up questions, please let me know. I would be happy to help.
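As an added example for the service-domain bullet above (not code from the answer or from Microsoft), here is a small Python check that runs the URLs a policy is meant to cover against a candidate domain list and reports URLs nothing matches, entries that match nothing (typo suspects), and malformed entries. The matching semantics it assumes (exact host, or a leading `*.` covering subdomains only) are an assumption for illustration, not Purview's documented behaviour.

```python
"""Audit an Endpoint DLP sensitive-service-domain list against the URLs it
should cover. Constructed example; matching rules are an assumption:
an entry matches a host exactly, and an entry starting with '*.' matches
any subdomain of the remainder (not the bare parent domain itself)."""
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    """Lower-cased host of a URL, dropping scheme, port, path and credentials."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").lower().rstrip(".")


def entry_matches(entry: str, host: str) -> bool:
    """Assumed matching rule: exact host, or '*.parent' for subdomains of parent."""
    entry = entry.strip().lower().rstrip(".")
    if entry.startswith("*."):
        suffix = entry[1:]  # ".parent.example"
        return host.endswith(suffix) and host != suffix[1:]
    return host == entry


def looks_malformed(entry: str) -> bool:
    """Flag entries carrying a scheme, path, space, or a wildcard anywhere
    other than a leading '*.' (the kinds of edits that silently stop matching)."""
    e = entry.strip().lower()
    if "://" in e or "/" in e or " " in e:
        return True
    return "*" in e[2:] or (e.startswith("*") and not e.startswith("*."))


def audit_domain_list(entries, expected_urls):
    """Return (unmatched_urls, unused_entries, malformed_entries)."""
    unmatched, used = [], set()
    for url in expected_urls:
        hits = [e for e in entries if entry_matches(e, host_of(url))]
        if hits:
            used.update(hits)
        else:
            unmatched.append(url)
    unused = [e for e in entries if e not in used]
    malformed = [e for e in entries if looks_malformed(e)]
    return unmatched, unused, malformed


# Constructed sample: one typo, one entry with a trailing path, one wildcard.
SAMPLE_ENTRIES = ["chatgpt.com", "drive.gogle.com", "*.openai.com", "drive.google.com/"]
SAMPLE_URLS = ["https://chatgpt.com/c/123", "https://drive.google.com/drive/u/0",
               "https://api.openai.com/v1"]

if __name__ == "__main__":
    print(audit_domain_list(SAMPLE_ENTRIES, SAMPLE_URLS))
```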