This article provides detailed instructions for:
- Determining the device configuration and policy sync status values for Windows devices and macOS devices that are successfully onboarded into Microsoft Purview Data Loss Prevention (DLP).
- Identifying and resolving any issues with the configuration status and the policy sync status.
- Reviewing and understanding the device attributes that are available for each device and their meaning.
Device configuration and policy sync status values
The Configuration status and the Policy sync status of each onboarded device have three possible values.
The Configuration status value shows you if the device is configured correctly, is sending a heartbeat signal to Purview, and the last time the configuration was validated. For Windows devices, configuration includes checking the status of Microsoft Defender Antivirus always-on protection and behavior monitoring.
The Policy sync status shows you if the device received the latest policy version, or if the corresponding policies synced successfully to the device.
| Field value | Configuration status | Policy sync status |
|---|---|---|
| Updated | Device health parameters are enabled and correctly set. This status indicates that the device's configuration is up to date with the recommended settings. | Device is up to date with the current versions of policies. |
| Not updated | Certain settings need attention. Follow the steps in the workflow diagram to address issues. You might need to enable the configuration settings for this device. Follow the procedures in Microsoft Defender Antivirus always-on protection. | This device hasn't synced the latest policy updates. It might take up to 2 hours for the status in the devices list to update. Follow the steps in the workflow diagram to address issues. |
| Not available | Device properties aren't available in the device list. This condition might be because the device doesn't meet the minimum OS version to provide visibility into its properties or configuration, or because the device was just onboarded. Follow the steps in the workflow to address issues. | Device properties aren't available in the device list. This condition might be because the device doesn't meet the minimum OS version to provide visibility into its properties or configuration, or because the device was just onboarded. Follow the steps in the workflow to address issues. The system shows Not available if there is no Endpoint DLP policy. |
Important
Devices must be online for the policy update to happen. If the status isn't updating, check the last time the device was seen.
Device attribute details
To maintain overall device health from a DLP perspective, go beyond determining the configuration and policy sync status and troubleshooting any issues found. You need to understand the attributes of an onboarded device. The values for these attributes can provide useful information to help you track the device health.
| Device attribute | Note |
|---|---|
| Last seen | The most recent time that the device was determined to be online. |
| Last policy sync time | The timestamp of the previous instance when the device downloaded the latest policy versions. |
| OS | The current operating system. |
| Defender engine version | The version of the antivirus engine on the device. |
| Defender Mocamp version | The version of the Defender client. |
| MDATP device ID | The unique identifier assigned to this device. |
| Valid user | This indicates if the currently logged on user has a corresponding Entra ID account and is in scope of a DLP policy that's targeted at Devices. |
| Sensitive Data Activity | This provides a view of all sensitive data activity for this device for the last 30 days. |
| Advanced classification bandwidth usage exceeded | This attribute shows if the bandwidth usage limit for Advanced Classification has been exceeded in the past 24 hours. |
| Endpoint DLP status | Shows if Endpoint DLP is enabled or disabled for the device. |
Access device attribute data using Advanced Hunting
In addition to viewing device attributes in the Microsoft Purview portal, you can access the same Endpoint DLP device data at scale by using Advanced hunting in the Microsoft Defender portal.
Previously, you could only get device attribute data through the Export functionality on the Device onboarding page in the Microsoft Purview portal. This method required manual export each time you needed updated data.
By using Advanced Hunting, you can now:
- Query device attribute data by using KQL
- Retrieve up-to-date information without manual exports
- Analyze device status across your environment
- Integrate device data into custom dashboards and third-party reporting platforms
Access device data
To retrieve device attribute data:
- Go to the Microsoft Defender portal
- Navigate to Investigation & response > Hunting > Advanced hunting
- Query the DeviceInfo table
- Expand the DlpInfo column to view Endpoint DLP device details
Here's a sample query:

```kusto
DeviceInfo
| where DlpInfo != ""
| project DlpInfo
```
Relationship to device attribute details
The fields in the DlpInfo column correspond directly to the device attributes described earlier. This correspondence enables you to investigate configuration and policy sync issues across multiple devices without relying on point-in-time exports.
Use this data to:
- Identify devices with invalid configurations
- Detect devices that aren't ready for Endpoint DLP enforcement
- Perform large-scale analysis beyond what the portal UI offers
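
The following query is an added example, not part of the original article. It goes one step past the sample query by keeping only the newest DeviceInfo record per device and counting devices per DlpInfo field and value, so unexpected values stand out without assuming the field names in advance. `Timestamp`, `DeviceId`, and `DeviceName` are standard DeviceInfo columns; the 7-day lookback and the cap of five example device names are arbitrary choices.

```kusto
// Added example: summarize Endpoint DLP device data without assuming DlpInfo field names.
DeviceInfo
| where Timestamp > ago(7d)                 // lookback window: arbitrary choice
| where isnotempty(DlpInfo)
// DeviceInfo holds repeated snapshots per device; keep only the newest one.
| summarize arg_max(Timestamp, DeviceName, DlpInfo) by DeviceId
| extend Dlp = parse_json(DlpInfo)          // leaves the value as-is if it is already dynamic
// One row per (device, DlpInfo field).
| mv-expand Field = bag_keys(Dlp) to typeof(string)
| extend Value = tostring(Dlp[Field])
// Count devices per field value and list a few device names for follow-up.
| summarize Devices = dcount(DeviceId), Examples = make_set(DeviceName, 5) by Field, Value
| order by Field asc, Devices desc
```

Fields that hold per-device values, such as timestamps or device IDs, produce one row per device; once you know their names from the output, exclude them with a `where Field !in (...)` filter before the final `summarize`.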
Configuration and policy sync troubleshooting workflow
This diagram provides a workflow that walks you through the steps for diagnosing and resolving configuration and policy synchronization status for onboarded devices.
Check configuration status and resolve issues
- Sign in to the Microsoft Purview portal > Settings (gear icon in the upper right corner) > Device onboarding > Devices.
- Apply filters to narrow down the list of devices and simplify your investigation.
- Select a device to open the details pane for more information on the configuration status.
- If the status is Updated, the device is configured correctly. No further action is required. You can move on to Check policy sync status and resolve issues.
- If the status is Not available or Not updated, follow the remediation steps in the details pane and the steps in the workflow diagram.
Check policy sync status and resolve issues
- Sign in to the Microsoft Purview portal > Settings (gear icon in the upper right corner) > Device onboarding > Devices.
- Apply filters to narrow down the list of devices and simplify your investigation.
- Select a device to open the details pane for more information on the policy sync status.
- If the status is Updated, the device successfully received the latest policy version. No further action is required. You can move on to Check device details.
- If the status is Not updated or Not available, follow the remediation steps in the details pane and the steps in the workflow diagram.
Tip
You can see the overall status of how policy sync to devices is working on the Policy status report. The Policy status report is available in the Microsoft Purview compliance portal on the Data loss prevention > Overview page.
Check device details
- Sign in to the Microsoft Purview portal > Settings (gear icon in the upper right corner) > Device onboarding > Devices.
- Apply filters to narrow down the list of devices and simplify your investigation.
- Select a device to open the details pane for more information on the specific device attributes under Device details.
Collect evidence for a support ticket
If self-remediation isn't successful, gather evidence and open a support ticket for comprehensive support analysis.
From the Device details section, record the values for these fields:
- OS
- Defender engine version
- Defender client version
- MDATP device ID
- Valid user
For more guidance, see: