Microsoft will bring optical character recognition to Microsoft Purview Endpoint Data Loss Prevention in US government cloud environments, enabling agencies and contractors to scan images for sensitive content on managed Windows devices. The feature, listed on the Microsoft 365 Roadmap under ID 160008, is now targeted for general availability in October 2026 across GCC, GCC High, and Department of Defense clouds.
This closes a long-standing inspection gap: sensitive data printed on a screen and captured as a screenshot or stored in a scanned document has been effectively invisible to DLP rules that only parse machine-readable text. Once enabled, Purview OCR will pull text from supported image files, compare it against existing classifiers, and audit, warn, or block users trying to move that data outside approved boundaries.
The October date is not a launch announcement; the roadmap entry, last updated July 13, 2026, remains in development. Still, it gives compliance and security teams inside regulated agencies a 15-month lead to understand the feature’s mechanics, costs, and deployment requirements.
What’s actually changing on the endpoint
Endpoint DLP OCR adds a new inspection tier that sits between the file system and the cloud-based Purview classification engine. When a user opens, copies, uploads, prints, or otherwise interacts with a supported image file—locally, over the network, or via a permitted browser—the client can call OCR services in the Microsoft cloud, extract text, and run that text through the same sensitive-information types and trainable classifiers already configured for documents.
Microsoft lists five supported endpoint formats:
- JPEG and JPG
- PNG
- BMP
- TIFF
- Image-only PDF
That last category requires clarification. A PDF that contains only scanned pages qualifies; a hybrid PDF with both searchable text and embedded images may not trigger OCR for the image portions. Administrators should not assume parity with the broader OCR scanning available in Exchange, SharePoint, and OneDrive, where Microsoft documents wider format and embedded-image support.
Importantly, the roadmap specifies “managed Windows devices.” Current Purview documentation already describes OCR scanning for both Windows and macOS endpoints in commercial tenants, but the government cloud milestone is scoped to Windows. Organizations running macOS in GCC or DoD environments should check updated documentation closer to release.
The platform is listed as “Web” because administrators configure the capability through the Microsoft Purview portal. Enforcement, however, occurs on the onboarded device, monitoring actions such as:
- Uploads to restricted cloud services
- Transfers to removable storage
- Printing
- Clipboard use
- Network-share activity
- Access through unapproved browsers or apps
What this means for security teams: a wider net for existing rules
The largest operational benefit is policy reuse. An agency that already scans for credit card numbers, taxpayer identifiers, or classified codes inside email and Office files does not need to rebuild detection logic for images. The same sensitive-information types and trainable classifiers will match text extracted from screenshots, faxes, or photographed documents.
But the feature does not merely extend coverage; it fundamentally alters the risk surface. A social security number typed into a Word document is one thing. The same number displayed on a screen, captured with Windows+Shift+S, and pasted into a webmail compose window is quite another—and has been, until now, largely immune to automated enforcement. OCR erases that distinction.
Government IT shops should also recognize that this is a parity milestone, not a Purview innovation. Commercial Microsoft 365 tenants have had access to endpoint DLP OCR for some time. The October 2026 date represents the moment when GCC, GCC High, and DoD instances catch up. As with many government-cloud releases, the delay stems from additional compliance validations and service-boundary constraints.
The catch: costs, limits, and network surprises
OCR scanning is not a free checkbox. Microsoft bills Purview OCR on a pay-as-you-go basis, where each standalone image counts as one transaction and each page of an image-only PDF counts separately. A 20-page scanned PDF generates 20 transactions. A large-scale deployment across thousands of endpoints can accumulate costs quickly if images flow through common workflows without proper scoping.
The feature also introduces a daily bandwidth cap of 1,024 MB per device. Once a device hits that limit, scanning stops for the remainder of the day unless an administrator raises the allowance. For endpoints that routinely handle high-resolution medical images, engineering diagrams, or bulk scanned archives, this limit may need adjustment before enabling enforcement policies.
Caching provides some relief. Microsoft Learn documentation describes a local endpoint cache that stores the hash of each scanned image together with detected classifier information. The cache persists for 30 days and can prevent redundant scanning fees when the same image is handled multiple times on one device. However, caching is per-endpoint, not tenant-wide, so do not count on it as a deduplication strategy across a fleet.
Other hard limits include:
- Maximum file size: 50 MB
- Minimum and maximum image dimensions (not publicly specified beyond “supported”)
- Only images created or modified after OCR is enabled are scanned; the feature is not a retroactive discovery tool for files already at rest on endpoints.
Network configuration adds another layer. Windows endpoints must be able to reach the Microsoft-hosted storage endpoints that process the OCR requests. Environments that restrict outbound connections to only approved Microsoft services may need firewall rule updates. A misconfigured network path can leave administrators believing images are protected when evaluation never completes.
How to prepare: an action plan before October 2026
For government cloud tenants, the immediate recommendation is not to wait for GA but to start a controlled pilot cycle well in advance. The following steps can position a team to activate OCR-enabled policies quickly once the feature lights up:
- Confirm endpoint onboarding. Every device that will run OCR must be onboarded to Purview and have the endpoint DLP client active. Verify that your current deployment scope covers the workstations and servers where image-based data moves.
- Audit image-heavy workflows. Identify where screenshots, scanned forms, faxed documents, and exported case files enter and leave managed endpoints. Pay special attention to remote desktop sessions, virtual machines, scanning stations, and browser download folders.
- Review your existing DLP rule set. List every sensitive-information type and trainable classifier in use. For each, decide whether image-based detection would be valuable or whether it will simply generate false positives. Consider creating dedicated rules for image scenarios with different thresholds or actions.
- Estimate transaction volume and cost. Using representative samples of image files in typical user workflows, calculate how many OCR transactions a broad deployment would trigger per month. Microsoft’s current pricing should be available in the Purview pricing documentation; model the budget accordingly.
- Test network access and bandwidth. From a sample set of endpoints, ensure that the required cloud endpoints are reachable and that daily bandwidth limits are realistic for your environment. You may need to increase the cap or selectively enable OCR for high-volume devices.
- Start in audit mode. Do not flip directly from “off” to “block.” Enable OCR for a subset of devices, choose “audit” as the policy action, and let Activity Explorer and DLP alerts accumulate data for at least two weeks. Look for which images actually match policies, which actions users attempt, and whether legitimate business processes are being flagged.
- Evaluate accuracy. OCR performance varies dramatically with image quality, font, contrast, and resolution. A dimly lit photograph of a form will produce different results than a clean screenshot. Correlate DLP matches with the original images to gauge how reliably your classifiers work on visual content.
- Layer exclusions and network controls. Use endpoint DLP path exclusions to skip folders that contain nothing but benign screenshots (e.g., a shared “meme” folder). Configure restricted app groups and network boundaries to limit OCR inspection to the highest-risk channels.
Outlook: what comes after October 2026
Assuming Microsoft hits the planned date, government cloud customers will finally have a feature that commercial tenants have used for years. The real work, however, will begin after GA, when agencies measure ROI, refine rules, and adjust to the new volume of alerts that image-based detection generates. As always, roadmap dates can shift; the entry’s “in development” status means teams should watch for the move to “rolling out” or a revised date update. And for macOS shops inside government clouds, the roadmap’s silence on that platform likely means a separate entry will appear later—or that the initial release is deliberately Windows-only. Either way, the countdown has started.