Microsoft has pulled back the rollout of expanded optical character recognition (OCR) capabilities in its Purview Endpoint Data Loss Prevention service, even as the official roadmap marks the feature as "Launched." The company confirmed on May 20, 2026 that the deployment is on hold, leaving administrators uncertain about when they can reliably scan images embedded in Office documents, compressed archives, and hybrid PDFs.

What Actually Got Paused

Endpoint DLP already scans standalone image files—JPEG, PNG, BMP, TIFF—and image-only PDFs for sensitive data like credit card numbers or health records. The now-stalled update was meant to extend OCR deeper: into pictures pasted inside Word, Excel, and PowerPoint files (.docx, .xlsx, .pptx); into archives such as .zip, .rar, and .7z; and into hybrid PDFs that mix selectable text with embedded images.

This matters because a screenshot of a patient form dropped into a .docx, or a spreadsheet exported as a .jpg inside a .zip, would previously pass through DLP rules unnoticed. Without OCR that looks inside these containers, your policies to block transmission of financial or personally identifiable information have a gaping hole.

Microsoft initially rolled out preview availability in April 2026 with general availability expected in June 2026 for standard multi-tenant environments. But a status note added to Microsoft 365 Roadmap item 381750 on May 20 reads: "Rollout is paused and will resume soon."

Why the "Launched" Tag Is Misleading

The same roadmap entry currently shows a status of "Launched," which implies that the feature is ready for everyone. That discrepancy has already caused confusion among IT teams. In practice, the feature is not broadly available; tenants may see it sporadically, or not at all. The note comes directly from Microsoft and supersedes the roadmap signal, but you have to read carefully to catch it.

For organizations that rely on Purview to protect sensitive data at endpoints, this is more than an administrative annoyance. Policies that depend on embedded-image scanning cannot be trusted until the rollout resumes and Microsoft confirms full availability.

How We Got Here

The push to scan images within compound file formats isn't new. Purview's OCR engine has been gradually improving, first tackling standalone image formats, then expanding to cover more file types. The April 2026 preview hinted that embedded-image scanning was arriving soon, and many admins began testing it in their own environments.

The pause, however, suggests engineering or performance issues. Microsoft hasn't shared details beyond the roadmap note, but it's common for large-scale OCR rollouts to hit snags: scanning images embedded in archives takes more compute, and ensuring accuracy without excessive bandwidth consumption is a balancing act.

Recall that endpoint OCR already comes with bandwidth caps: a default daily allowance of 1,024 MB per device, as per the Microsoft Learn documentation. When images are buried inside ZIPs or DOCXs, the scanning process might strain those limits or cause latency. Microsoft might be retooling to avoid user complaints.

What You Need to Do Right Now

If you're an admin managing Endpoint DLP, here are four steps to take today:

  1. Check your current OCR settings. Verify that endpoint OCR is turned on and that your Sensitive Information Types (SITs) are correctly configured for standalone images. Don't yet write policies that assume embedded images will be caught.
  2. Review bandwidth and exclusions. The default 1,024 MB per device daily limit might need adjustment based on your user base and typical file sizes. Also, ensure that you've excluded any folders or paths that should not be scanned, because once the new capability goes live, it will respect those exclusions.
  3. Prepare test files. Create a set of documents that include screenshots with dummy sensitive data inside Word, Excel, PowerPoint, ZIP, and hybrid PDFs. When the feature becomes available in your tenant, you can immediately validate whether your existing policies trigger.
  4. Monitor the official sources. Add roadmap ID 381750 to your watchlist and keep an eye on the Microsoft 365 Message Center. If you see a new advisory or a status change, you'll want to act quickly to update your controls.

Also, note that endpoint OCR requires Syntex pay-as-you-go billing to be configured at the tenant level, even if you don't deploy Syntex itself. Without that billing setup, OCR won't run regardless of policy definitions.

The catch: you can't force the update. Since the rollout is paused at Microsoft's end, no amount of tenant-level tweaking will enable embedded-image OCR. You must wait for the green light.

What This Means for Different Audiences

For home users or anyone not administering enterprise DLP, this pause is invisible. Purview Endpoint DLP is not a consumer product.

For IT teams in regulated industries—healthcare, finance, government—the delay is more painful. These organizations often rely on endpoint DLP as a last line of defense against data leaks via email, cloud sync, or USB drives. The inability to scan embedded images leaves a risk surface that attackers or careless employees can exploit.

For security auditors, this means updating risk assessments to note the limitation. If your compliance requires "all electronic communications" to be scanned for sensitive data, you may need compensating controls until the feature is live.

The Outlook

Microsoft says the rollout will resume "soon," but that's a word we've learned to take with a grain of salt. Past pauses on similar roadmap features have sometimes lasted weeks, other times months. The company hasn't provided a revised timeline, so the best you can do is stay informed.

Given the complexity of scanning embedded images at scale, a careful, phased re-release seems likely. Keep your test files ready, and be prepared to adjust your bandwidth limits and exception lists once the feature begins flowing to your tenant.

In the meantime, rely on your existing DLP rules for what's actually working: standalone images and image-only PDFs are still protected. For embedded content, consider additional user education or alternative controls such as container-level sensitivity labels or encryption to reduce risk.

One final note: the roadmap page itself includes a link to the official learn.microsoft.com documentation on OCR in Purview. That documentation might not yet reflect the paused status, so double-check the most recent date on any article you consult. And as always, treat roadmap entries as directional, not as guarantees, until you see the feature light up in your own compliance portal.