Purview Insider Risk Management: How to Capture Forensic Evidence on Intune Enrolled Devices

David R. Bergquist II

Senior Cloud Solutions Architect

Insider risks are a growing threat to organizations, especially in the era of remote work and cloud-based services. Insider risks can be caused by malicious actors who intentionally steal or leak sensitive data, sabotage systems, or compromise accounts. They can also be caused by negligent or compromised users who accidentally or unknowingly expose data, violate policies, or fall victim to phishing or malware attacks.

To effectively manage insider risks, organizations need to have a comprehensive solution that can monitor user activity, detect anomalous behavior, alert security teams, and respond to incidents. Moreover, they need to have a reliable way to collect and preserve forensic evidence that can support investigations and legal actions.

In this blog post, I will show you how to configure Purview Insider Risk Management to collect forensic evidence on managed devices enrolled in Intune. I will demonstrate how to use Microsoft Intune to install the agent required to capture forensic evidence on enrolled Windows devices.

What is Purview Insider Risk Management?

Purview Insider Risk Management (IRM) is a cloud-based compliance solution designed to help organizations detect, investigate, and act on malicious and inadvertent activities that pose insider risks. It correlates various signals to identify potential risks such as intellectual property theft, data leakage, and security violations. IRM leverages advanced analytics, machine learning, and user and entity behavior analytics (UEBA) to monitor user activity across various data sources, such as Microsoft 365, Azure, SharePoint, OneDrive, Teams, Exchange, and more.

IRM Forensic Evidence provides security teams with visual insights into potential insider data security incidents. It includes customizable event triggers and built-in user privacy protection controls, providing a thorough investigation path to insider data risks, such as unauthorized data exfiltration of sensitive information.

Purview Insider Risk Management can help you:

Identify and prioritize insider risk indicators, such as data exfiltration, policy violations, account compromise, unauthorized access, and more.
Alert security teams and stakeholders about potential insider incidents and provide them with rich contextual information and actionable insights.
Automate response actions, such as sending notifications, applying policies, blocking access, revoking permissions, and more.
Generate comprehensive reports and dashboards that provide visibility into insider risk posture, trends, and incidents.
Comply with regulatory and legal requirements, such as GDPR, HIPAA, PCI DSS, and more.

In addition to the capabilities outlined above, adding Forensic Evidence to IRM can provide additional visual context to security teams aiding their investigations. Activities such as printing files, creating, or copying files to USB, creating, or transferring files to a network share, and even using a browser to upload files to the web.

Prequisites

Licensing:

The add-on is available for organizations with any of the following licenses: Microsoft 365 E5, Microsoft 365 E5 Compliance, or Microsoft 365 E5 Insider Risk Management.
20GB storage trial plan is available until the 20GB is used up (no time expiry). Additional information regarding capacity and billing can be found here.

Supported Platforms:

Windows 10/11 Enterprise (64-bit (AMD or Intel)

Physical Devices:

Hardware	Minimum Requirement
RAM	Minimum of 8 GB (at least 2 GB should be available for client usage)
CPU	Intel i5 or above and AMD Ryzen 5 or above
Graphics	Compatible with DirectX 11 or later, with a WDDM 1.0 driver or later (currently only integrated graphics cards supported)
Disk	Minimum of 10 GB of disk storage
Display	Minimum screen resolution of 1920 x 1080

Virtual Devices:

Hardware	Minimum Requirement
RAM	Minimum of 16 GB (at least 2 GB should be available for client usage)
CPU	Minimum of eight vCPU processors or equivalent
Disk	Minimum of 10 GB of disk storage
Display	Minimum screen resolution of 1920 x 1080

Permissions/Role Groups required for viewing, submitting, and approving forensic evidence. To assign these roles to users or groups, you need to use the Purview portal. To learn more about how to assign roles and manage permissions in Purview Insider, see the documentation here.

Purview Role Group	Capability
Insider Risk Management	Configure and view everything inside IRM.
Insider Risk Management Admins	Configure polices, access analytics insights and submit forensic capturing requests.
Insider Risk Management Investigators	Access and investigate cases, alerts, and forensic evidence captures.
Insider Risk Management Auditors	View & export audit logs.
Insider Risk Management Approvers	Only review, approve, or reject forensic collection requests.

How Do You Capture Forensic Evidence on Microsoft Intune Enrolled Devices?

You must onboard devices to the Purview compliance portal and install the Purview agent to devices to start capturing content. For the purposes of this article, we will onboard devices via the Purview compliance portal and use Microsoft Intune to push out and install the Purview Forensic client. We will download the Purview client, wrap it with the Microsoft Win32 Content Prep Tool (Intunewin), and push the packaged client out to the intended devices. The client will be used to onboard and capture activity on approved users’ Windows devices.

Onboarding Devices

Onboard device via the Purview Portal: Settings -> Device onboarding -> Devices and onboard your devices. It may take a couple of hours before devices show up.

Installing the Agent

Download the Purview Forensic client.

Access the Purview portal: Solutions -> Insider Risk Management -> Forensic Evidence -> Client Installation -> Microsoft Purview Client for Windows and click on “Download installation package (x64 version) to download the client (mspvorch-latest-x64.msi).”
You can obtain Intunewin here. Once installed, you can use the following command example to package the Purview client:
- .\IntuneWinAppUtil -c “C:\Intunewin\Source\PurviewClient” -s “C:\Intunewin\Source\PurviewClient\mspvorch-latest-x64.msi” -o “C:\Intunewin\Output”
Once packaged (mspvorch-latest-x64.intunewin), you can deploy the Purview client to Intune enrolled Windows devices:
- Via the Intune Admin portal: Apps -> By platform -> Windows -> + Add -> App type -> Windows app (Win32).
- Select the Purview app package created previously (mspvorch-latest-x64.intunewin).

App Information:
- Update the name, description, and publisher information.

Program:
- Leave all defaults and set device restart behavior to “Determine based on return codes.”

Requirements: Configure the operating system architecture (64-bit) and minimum operating system.

Detection Rules: Manually configure the detection rule to use “MSI.” The MSI product code should auto-populate.

Assignments: Assign the required group of users to the application and submit.

Once deployed, you can monitor the install via the applications “Overview” or via the devices Managed Apps portal.

Configure Purview IRM Forensic Evidence

Access the Purview Portal -> Solutions -> Insider Risk Management -> Forensic Evidence.
Enable “Forensic evidence capturing:”
- Decide when to start and stop capturing activity. You can also dictate the upload bandwidth limit, office line capturing cache limit, and if you want to allow deletion of forensic user data, by and administrator or investigator:

Create a Forensic Evidence Policy:
- In this example, we will create a Forensic Evidence Policy to capture all activities. You can also choose specific activities such as printing files, mounting USB, copying files to USB, and enhanced phishing protection activities. Specific applications and websites can be excluded.

Capacity and Billing – Sign up for the 20GB trial plan (or purchase a payment plan). Additional info here.

Create a forensic evidence request:
- Forensic evidence -> User management -> Manage forensic evidence requests –> Create a request. Once requested, you (or a designated approver) will have to approve the request in for the devices to start capturing.
  - Add the users and groups whose activity you want to start capturing.

Select a policy (e.g., All Activities):

Provide a justification for the request (required).

You can choose to notify the users about the forensic gathering (optional). You must create a notification template, then finish creating the template by submitting.

Approve Pending Requests:
- Forensic evidence -> Pending requests:
  - Approve the request by selecting a user clicking on “Review:”

Approve (or reject) the request(s):

Once approval has been completed, the approved users will show up under Forensic evidence -> User management -> Approved users and groups:

You can monitor device health under Forensic Evidence -> Device Health:

You can monitor device health under Forensic Evidence -> Device Health Forensic Evidence Captures.
- To view forensic evidence captures, click on the “Review captured clips” button.

You can view all forensic captures on the users device. You can play back the triggered events (on each display) as well as see all individual events in the timeline. Forensic evidence can be exported as MP4 files (10 at a time).

You can also check to see if Purview forensic agent is installed and running on the device:
- File explorer: C:\Program Files\Microsoft Purview

Task Manager: Microsoft Purview Client and Microsoft Purview Client Orchestrator Module.

Services: You will see Microsoft Purview Client Service running:

Conclusion

Insider risks are a serious challenge for organizations, and they require a comprehensive and effective solution. Purview Insider and Intune can provide you with such a solution, by helping you monitor user activity, detect insider threats, alert and respond to incidents, and collect and preserve forensic evidence. By integrating Purview Insider and Intune, you can enhance your insider risk management capabilities and protect your organization from insider threats.

We hope you found this blog post helpful and informative. If you have any questions, feedback, or require assistance, please contact us here or complete the form below. Thank you for reading!

Interested in learning more about preventing Insider Risks?

Contact our team of experts today to discuss how to better secure your data!

Managed IT Services

IT Management Solutions​

Cloud Management Solutions​

Backup & Disaster Recovery

Managed Security​

Strengthen Security

Data Security

Threat Detection & Response​

Risk Management

Secure Connectivity

Accelerate with AI​

AI Solutions​

Generative AI​

Intelligent Analytics​

App Development

Improve Collaboration​

Collaboration Tools​

Unified Communications​

Modernize Infrastructure​

Hybrid Cloud

Networking

Data Center​

Optimize Cloud Operations​

Infrastructure & Platforms​

Virtual Desktop​

Data Protection​

Drive Decisions with Data​

Data Architecture

Data Engineering

Insight & Analytics​

Transform Your Business

Organizational Change Management​

Strategic Advisory Services​

Licensing Optimization

Quick Links

Our Strategic Advantage

Customer Success Stories

Schedule a Consultation

Support Hub

Submit a Support Request

Contact Us