Microsoft Purview Data Loss Prevention: Optical character recognition for images in Office and PDFs on Windows

Introduction

We are introducing optical character recognition (OCR) scanning support for Microsoft Purview Data Loss Prevention (DLP) on Windows endpoint devices. This enhancement enables DLP policies to detect sensitive information within images embedded inside Office documents and PDF files.

Previously, embedded images were skipped during endpoint DLP scanning, creating a detection blind spot. With this update, embedded images are OCR-processed, helping improve data protection coverage and reduce risk of accidental data exposure.

This message is associated with Microsoft 365 Roadmap ID 381750.

When this will happen:

• General Availability (Worldwide): Rollout will begin in mid-May 2026 and is expected to complete by late May 2026.

How this affects your organization:

Who is affected:

• Admins managing Microsoft Purview Data Loss Prevention
• Organizations using Endpoint DLP on Windows devices
• Users working with Word, Excel, PowerPoint, and PDF files on Windows endpoints

What will happen:

Once OCR is enabled for your organization, DLP policies applied to endpoint devices will be able to scan images embedded inside Office documents (Word, PowerPoint, Excel) and pdf files on Windows devices. This means:

• Sensitive data detection in embedded images: If a document contains an embedded image with sensitive information (such as credit card numbers, Social Security numbers, or financial data), DLP policies can now detect that data and enforce configured actions (audit, block, or block with override).
• Closes a detection blind spot: Previously, embedded images were entirely skipped during endpoint DLP scanning. This update ensures those images are processed using OCR and evaluated against your DLP policies.
• Cost implications: Enabling OCR incurs additional costs based on the volume of images scanned. Costs are charged per image scanned via Azure AI Services. Organizations can monitor OCR costs through:
  • The OCR cost dashboard in the Microsoft Purview compliance portal under Data loss prevention → Overview
  • Cost Management + Billing in the Azure portal, filtered by your Azure AI Services resource 

What you can do to prepare:

To take advantage of this feature, complete the following steps: 

1. Verify prerequisites:
   • Confirm Microsoft Sense Client version 10.8820.27904.1000 or later.
   • Run: MsSense.exe --version from C:\Program Files\Windows Defender Advanced Threat Protection.
   • Ensure Windows OS update KB5079473 is installed on endpoint devices.
2. Enable OCR in Microsoft Purview:
   1. Navigate to the Microsoft Purview compliance portal.
   2. Go to Data loss prevention → Overview → Data loss prevention settings.
   3. Under Optical Character Recognition (OCR), select Turn on OCR scanning.
   4. Select the appropriate Azure pay-as-you-go subscription and Azure AI Services resource.
   5. Select Save.
3. Review and update DLP policies:
   • Ensure policies include Devices as a location.
   • Consider testing with Test mode and policy tips before enforcing actions.
   • Verify sensitive information types are configured for detection in embedded images.
4. Set up billing and monitor costs:
   • Configure OCR billing before enabling the feature.
   • Review the OCR cost dashboard in Purview after enabling.
5. Assign appropriate roles:
   • Compliance Data Administrator
   • Compliance Administrator
   • Information Protection
   • Information Protection Admin

Learn more:

• Learn about optical character recognition in Microsoft Purview | Microsoft Learn
• Get started with Activity Explorer | Microsoft Learn
• Create and deploy a DLP policy | Microsoft Learn
• Learn about Endpoint DLP | Microsoft Learn

Compliance considerations: