Services
Affected Platforms
Summary
Microsoft Purview Endpoint DLP will soon classify Azure RMS–protected Office documents, enabling consistent DLP policy enforcement on encrypted files starting early April 2026. This enhances content inspection without changing user workflows, requiring Endpoint DLP client version 4.18.26030 or higher.
Details
Introduction
Microsoft Purview Endpoint Data Loss Prevention (Endpoint DLP) will now be able to classify Office documents protected with Azure Rights Management Services (Azure RMS). This improvement ensures encrypted Office files are included in content inspection so DLP policies can be applied consistently, strengthening endpoint data protection.
This message is associated with Microsoft 365 Roadmap ID 500895.
When this will happen:
General Availability (Worldwide): Rollout will begin in early April 2026 and is expected to complete by mid-May 2026.
How this affects your organization:
Who is affected:
- Organizations using Microsoft Purview Endpoint DLP
- Windows devices onboarded to Endpoint DLP
- Office documents protected with Azure RMS
- Admins managing Purview DLP and Information Protection policies
What will happen:
- Endpoint DLP will scan and classify Azure RMS–protected Office files.
- Classification occurs when:
- A protected Office file is used in an application, or
- Just‑in‑time classification is enabled.
- Based on the detected classification, existing DLP policies will be evaluated and enforced.
- There is no change to user workflow beyond improved policy coverage.
- This feature respects existing DLP and Information Protection policies.
- The feature is available once supported client versions are deployed; no new policy creation is required.
What you can do to prepare:
- Deploy Endpoint DLP client version 4.18.26030 or higher.
- Review existing DLP policies to understand enforcement behavior.
- Communicate this change to security and compliance stakeholders.
Compliance considerations:
| Question | Explanation |
|---|---|
| Does the change alter how existing customer data is processed, stored, or accessed? | Endpoint DLP will now inspect and classify the contents of Azure RMS–protected Office documents on Windows endpoints, expanding the scope of content analysis. |
| Does the change modify Data Loss Prevention (DLP) policies or enforcement? | Existing Endpoint DLP policies may now be evaluated and enforced on RMS‑protected Office documents that were previously excluded from classification. |
| Does the change alter how admins can monitor, report on, or demonstrate compliance activities? | DLP alerts, audit signals, and reporting may now include events related to RMS‑protected Office documents, improving compliance visibility. |
| Does the change modify encryption methods or key management? | While encryption and key management remain unchanged, Endpoint DLP now evaluates content within Azure RMS–protected Office files for classification and policy enforcement. |