Applies to: Exchange Server 2013, Exchange Online
Topic Last Modified: 2012-10-03
You can view, change, or remove existing data loss prevention (DLP) policies in Microsoft Exchange Server 2013, using the Exchange Administration Center (EAC) or the Exchange Management Shell.
For additional management tasks related to DLP, see DLP Procedures.
For more information about the Exchange Management Shell, see Exchange Management Shell.
What do you need to know before you begin?
- Estimated time to complete each procedure: 15-60 minutes
- You need to be assigned permissions before you can perform this
procedure or procedures. To see what permissions you need, see the
“Data loss prevention (DLP)” entry in the Messaging Policy and
Compliance Permissions topic.
- For any DLP policy, you can select one of three modes:
  - Enforce: Rules within the policy are evaluated for all messages
    and supported file types. Mail flow can be disrupted if data is
    detected that meets the conditions of the policy. All actions
    described within the policy are taken.
  - Test DLP policy with Policy Tips: Rules within the policy are
    evaluated for all messages and supported file types. Mail flow will
    not be disrupted if data is detected that meets the conditions of
    the policy. That is, messages are not blocked. If Policy Tips are
    configured, they are shown to users.
  - Test DLP policy without Policy Tips: Rules within the policy are
    evaluated for all messages and supported file types. Mail flow will
    not be disrupted if data is detected that meets the conditions of
    the policy. That is, messages are not blocked. If Policy Tips are
    configured, they are not shown to users.
- An individual rule within a DLP policy can have its own mode
settings. When the mode of a policy is different than the mode of a
rule within that policy, the rule setting has priority and will be
evaluated according to its mode.
- For information about keyboard shortcuts that may apply to the
procedures in this topic, see Keyboard Shortcuts in
the Exchange Admin Center.
Tip: Having problems? Ask for help in the Exchange forums. Visit the forums at: Exchange Server, Exchange Online, or Exchange Online Protection.
What do you want to do?
View the details of an existing DLP policy
You may need to view the rules and actions of an existing DLP policy that you have already established for your organization. This can be useful if you experience unexpected mail flow issues or if your organization changes the way sensitive information needs to be monitored.
Use the EAC to view the details within an existing DLP policy
- In the EAC, navigate to Compliance management >
Data loss prevention.
- Double-click one of the policies that appear in your list of
policies, or highlight one item and click Edit.
- On the Edit DLP policy page, click Rules.
Tip: You can create a DLP policy and leave it in a non-activated or disabled mode. In this mode, a policy is not enforced and you can change any predicates, actions, or values associated with its rules before you test or begin enforcing it.
Use the Shell to view the details within an existing DLP policy
This example returns information about the fictitious DLP policy named Employee Numbers. The command is piped to the Format-List cmdlet to display the detailed configuration of the specified DLP policy.
```powershell
Get-DlpPolicy "Employee Numbers" | Format-List
```
For syntax and parameter information, see Get-DlpPolicy.
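Because a rule's own mode takes priority over the mode of its policy, a policy set to Enforce can still contain rules that only audit. The following added example, which is not part of the original topic, reports the mode each rule is actually evaluated in. The function name Get-DlpEffectiveMode, the finding labels, and all sample policies and rules other than Employee Numbers are hypothetical, and the example assumes that rule objects carry DlpPolicy and Mode properties.

```powershell
# Added example (not from the original topic). A rule's own mode takes
# priority over its policy's mode, so report what each rule really does.
function Get-DlpEffectiveMode {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Policy,  # needs Name, Mode
        [Parameter(Mandatory = $true)] [object[]] $Rule     # needs Name, DlpPolicy, Mode
    )
    foreach ($p in $Policy) {
        $policyMode = "$($p.Mode)"
        $rules = @($Rule | Where-Object { $_.DlpPolicy -eq $p.Name })
        if ($rules.Count -eq 0) {
            # No rules: nothing is evaluated, whatever the policy mode says.
            [pscustomobject]@{
                Policy = $p.Name; PolicyMode = $policyMode; Rule = $null
                RuleMode = $null; EffectiveMode = $null; Finding = 'NoRules'
            }
            continue
        }
        foreach ($r in $rules) {
            $ruleMode = "$($r.Mode)"
            if     ($ruleMode -eq $policyMode) { $finding = 'Consistent' }
            elseif ($policyMode -eq 'Enforce') { $finding = 'RuleNotEnforced' }
            elseif ($ruleMode -eq 'Enforce')   { $finding = 'RuleEnforcedInTestPolicy' }
            else                               { $finding = 'TestModesDiffer' }
            [pscustomobject]@{
                Policy = $p.Name; PolicyMode = $policyMode; Rule = $r.Name
                RuleMode = $ruleMode; EffectiveMode = $ruleMode; Finding = $finding
            }
        }
    }
}

# Constructed sample data standing in for cmdlet output.
$samplePolicies = @(
    [pscustomobject]@{ Name = 'Employee Numbers'; Mode = 'Enforce' }
    [pscustomobject]@{ Name = 'Pilot Policy';     Mode = 'Audit' }
    [pscustomobject]@{ Name = 'Empty Policy';     Mode = 'Enforce' }
)
$sampleRules = @(
    [pscustomobject]@{ Name = 'Block external'; DlpPolicy = 'Employee Numbers'; Mode = 'Enforce' }
    [pscustomobject]@{ Name = 'Notify sender';  DlpPolicy = 'Employee Numbers'; Mode = 'Audit' }
    [pscustomobject]@{ Name = 'Pilot block';    DlpPolicy = 'Pilot Policy';     Mode = 'Enforce' }
)
Get-DlpEffectiveMode -Policy $samplePolicies -Rule $sampleRules | Format-Table -AutoSize

# Against a live organization (assumes rule objects expose DlpPolicy and Mode):
# Get-DlpEffectiveMode -Policy (Get-DlpPolicy) -Rule (Get-TransportRule)
```

Rows whose Finding is RuleNotEnforced mark rules in an enforced policy that will not block or act on mail, and RuleEnforcedInTestPolicy marks rules that can disrupt mail flow even though their policy is in a test mode.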
Change a DLP policy
You can change an existing DLP policy by modifying either the name of the policy or the rules that govern the effects of the policy. An example rule change might include adding custom disclaimer text to a message body and RMS protection for messages that are sent within a specific domain and are detected to contain sensitive information. If you are using DLP policy templates, keep in mind that these are only one of the features in Exchange 2013 that can help you design and apply a robust policy and compliance system for your messaging environment.
Use the EAC to change an existing DLP policy
- In the EAC, navigate to Compliance management >
Data loss prevention.
- Double-click one of the template-based policies that appear in
your list of policies or highlight one item and click Edit.
- On the Edit DLP policy page, click Rules.
  - To change an existing rule, highlight the rule and click Edit.
  - To add a new blank rule that you can fully customize, click New.
  - To add a rule about sender notification, blocking messages, or
    allowing overrides, click the arrow next to the New icon.
  - To remove a rule, highlight the rule and click Delete.
- Click Save to finish modifying the policy and save your
changes.
Use the Shell to change an existing DLP policy
You can specify the action and notification level of a policy using the Exchange Management Shell. This example sets the mode for a fictitious DLP policy named Employee Numbers so that the actions are not enforced and notification messages are not displayed.
```powershell
Set-DlpPolicy "Employee Numbers" -Mode Audit
```
For syntax and parameter information, see Set-DlpPolicy.
Delete a DLP policy
You can permanently remove a DLP policy using the EAC. Once you’ve deleted a policy, it will no longer be enforced and none of the rules and actions will be saved.
Alternatively, you can set the operational state or mode of a policy to Test DLP policy without Policy Tips. This stops it from being enforced in your messaging environment, but preserves the detailed configuration settings of the policy itself. This can be useful if there is a possibility that you will need to enforce the policy again in the future.
Use the EAC to delete an existing DLP policy
- In the EAC, navigate to Compliance management >
Data loss prevention.
- Select the policy you want to remove in your list of policies,
and then click Delete.
Use the Shell to delete an existing DLP policy
This example removes the fictitious DLP policy named Employee Numbers.
```powershell
Remove-DlpPolicy "Employee Numbers"
```
For syntax and parameter information, see Remove-DlpPolicy.