Government agencies and defense contractors running Microsoft 365 have a new tool to prevent data leaks from encrypted documents stored on Windows endpoints. Microsoft is rolling out Roadmap ID 503780, which allows Endpoint Data Loss Prevention (DLP) in Purview to classify Azure Rights Management (RMS)-protected Office files. The capability, now generally available for GCC, GCC High, and DoD clouds, ensures that local, encrypted Word, Excel, and PowerPoint files no longer evade inspection when users try to move, copy, or upload them.

What’s Changing with Endpoint DLP

Until now, Endpoint DLP—the component that monitors user actions like copying to a USB drive or uploading to a personal cloud service—could not inspect the content of Office documents encrypted with Azure RMS. The protection wrapper that keeps the file secure also blinded the security control meant to govern it. That gap forced administrators to rely on weaker signals, such as applied sensitivity labels, or to set overly broad rules that blocked all encrypted files indiscriminately.

Roadmap ID 503780 changes that. Starting with the June 2026 General Availability target, and rolling out through July 2026, Endpoint DLP can now classify Azure RMS-protected Office files stored on Windows devices. The trigger for classification is twofold: when a user opens or interacts with the file in an application, or when just-in-time (JIT) classification is enabled and a user action triggers evaluation. This means the moment a staff member opens a confidential contract or a classified spreadsheet, Purview can analyze the content and decide whether the subsequent action—printing, saving to a network share, pasting into a web form—violates DLP policy.

Microsoft’s announcement explicitly lists GCC, GCC High, and DoD as the eligible cloud instances. The rollout is in progress, last updated on July 8, 2026. Administrators in those environments should treat this as a live capability rather than a future improvement.

What This Means for Government Security Teams

For IT and security professionals in regulated agencies, this feature closes a real operational blind spot. Azure RMS encryption is often mandatory for sensitive documents, but many of those files never touch SharePoint or OneDrive. They sit on local drives, move via email attachments, or get downloaded from legacy repositories for offline work. Without endpoint classification, DLP policies had no visibility into what those documents contained, making it impossible to block high-risk transfers without also blocking routine work.

Now, when a user double-clicks a protected file, the Purview agent can inspect it and apply the organization’s DLP rules. For example, a financial spreadsheet marked as secret can be blocked from being copied to a USB stick or uploaded to a personal cloud account. An engineering whitepaper can be prevented from being printed without a watermark. These are not exotic attack scenarios; they are everyday actions that become dangerous when the file is sensitive.

The just-in-time aspect is particularly important. Many government workflows involve files that arrive fresh—from a partner, a sync client, or an extraction step. JIT classification allows the system to pause the risky action (like a file upload) just long enough to evaluate the content and decide. If the file is classified and matches a rule, the action is blocked; if it’s benign, it proceeds. Without the ability to read Azure RMS-protected files, JIT would be useless for an entire class of highly sensitive content.

The Road to Better Encryption-DLP Integration

The tension between persistent encryption and endpoint monitoring isn’t new. Azure RMS, part of Microsoft’s Information Protection suite, was designed to travel with the file, ensuring only authorized users can decrypt it. That’s great for confidentiality, but it creates a paradox for DLP: the very mechanism that keeps data safe also hides it from the tools meant to prevent leaks.

In commercial clouds, this has been less of an issue because many organizations keep documents in cloud storage where service-side DLP can act. But in government and defense, strict data sovereignty rules, air-gapped systems, and offline requirements mean that sensitive Office files often live on endpoints. Microsoft recognized the gap, creating the roadmap item in September 2025 and targeting June 2026 for availability. The lengthy development timeline reflects the complexity of weaving together rights management, Office client telemetry, DLP policy evaluation, and government deployment controls.

This rollout represents a shift toward contextual security: not just “is the file encrypted?” but “what is the user doing with this encrypted file, and is it allowed?” The classification trigger at point of use, rather than a constant background scan, aligns with how documents are actually handled in the field.

Action Plan for Administrators

If your tenant is in GCC, GCC High, or DoD, here’s how to put this to work immediately:

  • Check rollout status: Navigate to the Microsoft 365 admin center or Purview portal and verify that Endpoint DLP classification for Azure RMS-protected Office files is active in your environment. The feature is labeled “Rolling out,” so it may not be uniform across all tenants.
  • Build a pilot group: Select a handful of Windows devices that handle a typical mix of protected Office files. Avoid testing only in a pristine lab; include real-world conditions like offline files, email attachments, and documents from shared drives.
  • Test both classification triggers:
  • Open a known protected file in Word, Excel, or PowerPoint and then attempt a DLP-triggered action (e.g., copy to USB). Verify that the action is blocked or audited according to policy.
  • Enable just-in-time classification and repeat the test with a fresh file that hasn’t been previously scanned. Confirm that the system pauses the risky action and classifies the file before allowing or denying it.
  • Tune JIT behavior: JIT can temporarily block egress while classification runs. Measure how long evaluation takes in your environment and decide if you want to allow users to proceed after a timeout or keep the block until completion. Misconfiguration here can make DLP feel like random desktop interruptions.
  • Review existing DLP policies: Ensure that your rules have conditions that match classified content from these protected files. You might want to create or refine policies that specifically address encrypted documents, now that you can tell what’s inside.
  • Update runbooks for help desk: When users suddenly start seeing “This action is blocked” prompts for files they’ve always handled, support staff need to know it’s expected. Document the user-facing messages and how to log an exception if a policy is too aggressive.
  • Validate reporting: Check the Purview activity explorer or DLP reports to confirm that classification events for protected files are appearing. This will be crucial for incident response and audits.

What to Watch Next

This release is narrowly scoped to Office files on Windows in government clouds, but it sets a precedent. The integration of Azure RMS classification with endpoint DLP strengthens the overall Purview story and makes it more likely that Microsoft will expand support to other file types (like PDF), other platforms (macOS), and commercial tenants. No public commitments exist for those, but the engineering investment is clear.

In the bigger picture, data protection is moving toward a model where encryption and governance are not separate lanes but intertwined controls. This roadmap item is a small but important stitch that shows how Microsoft intends to handle the reality of protected data on endpoints. For government Windows environments, it’s a welcome fix that makes the security stack more cohesive—and that’s exactly what compliance officers and security architects need.