Endpoint DLP Advances: Sensitivity Label Detection Within Archive Files (ZIP, RAR) Now Generally Available

REPORT: Endpoint DLP Now Classifies Sensitivity Labels Inside Archives
Microsoft has announced general availability (GA) for a significant Endpoint Data Loss Prevention (DLP) feature in Purview: Automatic detection of sensitivity labels on files inside archive formats (e.g., .zip, .rar, .7z). As of August CY2026 (M365 Roadmap #566617), endpoint DLP policy enforcement now inspects the contents of supported archives, not just their outer wrappers. This upgrade allows controls—such as blocking, auditing, or warning on file activity—to be triggered by sensitivity labels within the container, instead of only what’s visible at the archive level.
Previously, Endpoint DLP treated archives as opaque: policy logic could only see the archive’s name, extension, and outer file properties. Sensitive content hidden inside a .zip could evade detection if the parent archive was unlabeled or generically labeled. Now, Endpoint DLP unpacks archives (within supported size and depth limits), scans for sensitivity labels on internal files, and enforces policies accordingly—regardless of the archive’s outer label.
IMPACT: Who Is Affected, Where Risk Increases
This update impacts all organizations with Endpoint DLP deployed via Microsoft Purview Data Loss Prevention, especially those in regulated industries (finance, healthcare, legal) and organizations subject to GDPR, CCPA, or sectoral data handling rules. Staff who routinely compress files for transfer—such as finance, HR, or engineering users—are now subject to granular policy enforcement based on the actual content inside archives.
Risk scenario: Previously, a user could move labeled content past Endpoint DLP simply by compressing it (for example, zipping a file labeled "Confidential" together with innocuous files). DLP could only act on the .zip archive as a whole, not on its labeled contents. With this change, copy-to-USB, printing, upload, and sharing actions are blocked or audited for archives containing labeled files, even if the archive itself appears benign.
EDUCATE: How Endpoint DLP Sensitivity Label Detection in Archives Works
Endpoint DLP extends Microsoft Purview’s policy enforcement to endpoints running Microsoft Defender for Endpoint (MDE) with DLP enabled. With this release, the DLP engine on Windows devices recursively scans inside supported archive formats:
- Supported formats: .zip, .rar, .7z (and select others)
- Detection method: Archive is opened in a controlled sandbox; each file is scanned for Microsoft Purview sensitivity labels (applied via MIP – Microsoft Information Protection)
- Policy logic: If any file inside the archive has a matching label (e.g., “Highly Confidential”), DLP policies for that label are enforced on all actions involving the archive (copy, print, upload, etc.)
- Limits: There may be file count, size, or nesting depth restrictions for performance/security—check Microsoft’s docs for current thresholds
This update brings Endpoint DLP closer to parity with Exchange, SharePoint, and Teams, which already inspect content inside attachments for sensitive info and labels.
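To make the bullets above concrete, here is an added reference scanner (editor's example, not Microsoft's engine and not code from the original page) that does what they describe: it opens a .zip in memory, descends into nested .zip entries up to a depth cap, enforces an entry-count and an uncompressed-size cap, reads the sensitivity label that MIP-labeled Office files carry in docProps/custom.xml (the MSIP_Label_<guid>_Name custom property), and records entries it cannot open (a password-protected entry, for instance) instead of silently passing them. It handles only .zip; the caps, the label GUID and the fixture archives are constructed for the demo, and Purview's real thresholds are the ones in Microsoft's docs.

```powershell
# Added example (editor's illustration, not Microsoft's DLP engine): recursively walk a
# .zip, read the MIP sensitivity label stored in Office files' docProps/custom.xml, and
# decide whether a label-scoped policy should fire on the outer archive. The limits, the
# label GUID and the fixture archives below are constructed for the demo.
Add-Type -AssemblyName System.IO.Compression

function New-ZipBytes {
    # Build an in-memory .zip from a name -> byte[] table (fixture helper only).
    param([Parameter(Mandatory)][hashtable]$Entries)
    $ms  = [System.IO.MemoryStream]::new()
    $zip = [System.IO.Compression.ZipArchive]::new($ms, [System.IO.Compression.ZipArchiveMode]::Create, $true)
    foreach ($name in $Entries.Keys) {
        $es = $zip.CreateEntry($name).Open()
        $es.Write($Entries[$name], 0, $Entries[$name].Length)
        $es.Dispose()
    }
    $zip.Dispose()   # writes the central directory before the bytes are read back
    return ,$ms.ToArray()
}

function Get-OoxmlLabel {
    # Return the MSIP_Label_<guid>_Name custom property of a .docx/.xlsx/.pptx, or $null.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $zip = [System.IO.Compression.ZipArchive]::new([System.IO.MemoryStream]::new($Bytes), [System.IO.Compression.ZipArchiveMode]::Read)
    try {
        $entry = $zip.GetEntry('docProps/custom.xml')
        if (-not $entry) { return $null }               # no custom-properties part: never labeled
        $reader = [System.IO.StreamReader]::new($entry.Open())
        [xml]$doc = $reader.ReadToEnd()
        $reader.Dispose()
        foreach ($p in $doc.Properties.property) {
            if ($p.GetAttribute('name') -match '^MSIP_Label_[0-9a-fA-F-]{36}_Name$') { return $p.InnerText }
        }
        return $null
    } finally { $zip.Dispose() }
}

function Get-ArchiveLabelFindings {
    # Emit one record per entry; nested .zip entries are descended until MaxDepth is reached.
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [string]$Path = 'archive.zip',
        [int]$Depth = 0,
        [int]$MaxDepth = 2,
        [int]$MaxEntries = 200,
        [long]$MaxBytes = 50MB
    )
    try { $zip = [System.IO.Compression.ZipArchive]::new([System.IO.MemoryStream]::new($Bytes), [System.IO.Compression.ZipArchiveMode]::Read) }
    catch { [pscustomobject]@{ Path = $Path; Label = $null; Status = 'NotAZip' }; return }
    $count = 0; $total = 0L
    try {
        foreach ($e in $zip.Entries) {
            if ($e.FullName.EndsWith('/')) { continue }            # directory placeholder
            $entryPath = "$Path!/$($e.FullName)"
            $count++; $total += $e.Length                            # Length = uncompressed size
            if ($count -gt $MaxEntries) { [pscustomobject]@{ Path = $entryPath; Label = $null; Status = 'SkippedEntryLimit' }; break }
            if ($total -gt $MaxBytes)   { [pscustomobject]@{ Path = $entryPath; Label = $null; Status = 'SkippedSizeLimit' };  break }
            try {
                $buf = [System.IO.MemoryStream]::new()
                $s = $e.Open(); $s.CopyTo($buf); $s.Dispose()
                $data = $buf.ToArray()
            } catch {
                # e.g. a password-protected entry: the scanner cannot see inside, so it says so
                [pscustomobject]@{ Path = $entryPath; Label = $null; Status = 'Unreadable' }; continue
            }
            switch ([System.IO.Path]::GetExtension($e.FullName).ToLowerInvariant()) {
                '.zip' {
                    if ($Depth + 1 -gt $MaxDepth) { [pscustomobject]@{ Path = $entryPath; Label = $null; Status = 'SkippedDepthLimit' } }
                    else { Get-ArchiveLabelFindings -Bytes $data -Path $entryPath -Depth ($Depth + 1) -MaxDepth $MaxDepth -MaxEntries $MaxEntries -MaxBytes $MaxBytes }
                }
                { $_ -in '.docx', '.xlsx', '.pptx' } {
                    $label = Get-OoxmlLabel -Bytes $data
                    [pscustomobject]@{ Path = $entryPath; Label = $label; Status = $(if ($label) { 'Labeled' } else { 'Unlabeled' }) }
                }
                default { [pscustomobject]@{ Path = $entryPath; Label = $null; Status = 'NotInspected' } }
            }
        }
    } finally { $zip.Dispose() }
}

# --- Constructed fixture: labeled report.docx inside inner.zip inside outer.zip ---
$labelGuid = '0f2a1c6e-3b4d-4e5f-8a9b-1c2d3e4f5a6b'    # made-up label ID
$customXml = @"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/custom-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">
<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="2" name="MSIP_Label_${labelGuid}_Enabled"><vt:lpwstr>true</vt:lpwstr></property>
<property fmtid="{D5CDD505-2E9C-101B-9397-08002B2CF9AE}" pid="3" name="MSIP_Label_${labelGuid}_Name"><vt:lpwstr>Confidential</vt:lpwstr></property>
</Properties>
"@
$utf8  = [System.Text.Encoding]::UTF8
$docx  = New-ZipBytes @{ 'docProps/custom.xml' = $utf8.GetBytes($customXml); 'word/document.xml' = $utf8.GetBytes('<w:document/>') }
$inner = New-ZipBytes @{ 'report.docx' = $docx; 'notes.txt' = $utf8.GetBytes('nothing sensitive here') }
$outer = New-ZipBytes @{ 'inner.zip' = $inner; 'readme.txt' = $utf8.GetBytes('quarterly pack') }

# --- Scan and decide, as a label-scoped endpoint policy would ---
$findings = @(Get-ArchiveLabelFindings -Bytes $outer -Path 'outer.zip' -MaxDepth 2)
$findings | Format-Table Path, Label, Status -AutoSize
$hits = @($findings | Where-Object { $_.Status -eq 'Labeled' -and $_.Label -eq 'Confidential' })
if ($hits.Count -gt 0) { "Policy for 'Confidential' applies to outer.zip, triggered by: $($hits.Path -join ', ')" }
else                   { 'No labeled content visible in outer.zip' }

# Same archive with a depth cap of 0: inner.zip is never opened, the labeled file stays
# invisible, and the archive would pass. This is the failure mode the Limits bullet warns about.
@(Get-ArchiveLabelFindings -Bytes $outer -Path 'outer.zip' -MaxDepth 0) | Format-Table Path, Status -AutoSize
```

It runs in Windows PowerShell 5.1 or PowerShell 7 with no tenant access. The first scan reports outer.zip!/inner.zip!/report.docx as Labeled with Confidential, so the policy keyed to that label applies to the outer archive even though the archive itself carries no label; the second scan reports inner.zip as SkippedDepthLimit, which is why the documented depth, count and size thresholds matter when you reason about what an archive can still hide.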
DETECT: PowerShell Audit for Archive DLP Label Detection Coverage
To audit which devices are candidates for this enhanced DLP functionality, first list your Intune-managed Windows endpoints with the Microsoft.Graph modules, then confirm MDE onboarding and DLP enablement in the Defender device inventory (see PORTAL EQUIVALENT below); the Graph managedDevices resource carries no DLP status of its own. The query below reports:
- Windows 10/11 devices (Windows 11 also reports an osVersion beginning 10.0)
- Each device's Intune compliance state and assigned user
- The OS build, to compare against the minimum supported build in Microsoft's Endpoint DLP docs
Here's a script to list candidate endpoints with error handling and pagination:
# Requires Microsoft.Graph.Authentication (Connect-MgGraph, Invoke-MgGraphRequest)
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"
$devices = @()
# Single quotes keep $top and $select literal for the OData query; request only the fields used below
$uri = 'https://graph.microsoft.com/v1.0/deviceManagement/managedDevices?$top=100&$select=deviceName,userPrincipalName,operatingSystem,osVersion,complianceState'
try {
    # Graph returns at most $top items per page; follow @odata.nextLink until the server omits it
    do {
        $response = Invoke-MgGraphRequest -Uri $uri -Method GET
        $devices += $response.value | ForEach-Object { [pscustomobject]$_ }
        $uri = $response.'@odata.nextLink'
    } while ($uri)
}
catch {
    Write-Error "Error retrieving managed devices: $_"
}
# Keep Windows 10/11 devices (both report osVersion 10.0.x) that are compliant and have an assigned user
$eligibleDevices = $devices | Where-Object {
    $_.operatingSystem -eq "Windows" -and
    $_.osVersion -match "^10\.0\." -and
    $_.complianceState -eq "compliant" -and
    $_.userPrincipalName
}
$eligibleDevices | Select-Object deviceName, userPrincipalName, osVersion, complianceState | Format-Table
Note: This script lists Intune-managed Windows candidates; it does not prove MDE onboarding or DLP enablement, which you confirm in the Defender device inventory. DLP policies and rules themselves are managed in Security & Compliance PowerShell (Connect-IPPSSession from the ExchangeOnlineManagement module, then Get-DlpCompliancePolicy and Get-DlpComplianceRule), not in the Graph SDK. Following @odata.nextLink is required for tenants with more than 100 devices, since each page returns at most $top results.
REMEDIATE SAFELY: Testing and Expanding DLP Policies for Archives
To leverage this feature, review and update your DLP policies to ensure they account for labeled content inside archives. Always run changes in audit-only mode first (no enforcement), then switch to block or restrict after confirming expected behavior. Never bulk-modify or auto-enforce based on live queries.
# Example: put an existing DLP policy into test (audit-only) mode before enforcing it
# Requires the ExchangeOnlineManagement module; DLP policies are managed in Security & Compliance PowerShell, not the Graph SDK
# "<policy-name>" is a placeholder for the Name (Identity) of your policy
Connect-IPPSSession
Set-DlpCompliancePolicy -Identity "<policy-name>" -Mode TestWithNotifications -WhatIf
Always use -WhatIf to preview changes, then apply to a pilot group before organization-wide enforcement.
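An added, end-to-end version of that pilot (editor's example, not code from the original page or from Microsoft's documentation): it creates a test-mode policy scoped to Endpoint DLP, adds a rule whose condition is the "Confidential" sensitivity label with the endpoint restrictions set to Audit, reads back what was created, and previews the later switch to Block with -WhatIf. The policy and rule names are placeholders; the nested-hashtable shape of -ContentContainsSensitiveInformation and the Setting strings in -EndpointDlpRestrictions are written from the New-DlpComplianceRule reference as the editor recalls it, so verify them with Get-Help New-DlpComplianceRule -Full in your tenant before running.

```powershell
# Added example (editor's illustration): build an audit-first Endpoint DLP policy for
# "Confidential"-labeled content in Security & Compliance PowerShell, verify it, and
# preview the later move to Block. Requires the ExchangeOnlineManagement module.
# Names are placeholders; verify parameter schemas with Get-Help New-DlpComplianceRule -Full.
Connect-IPPSSession

$policyName = 'EDLP - Labeled content in archives (pilot)'   # placeholder
$ruleName   = "$policyName - Confidential"

# 1. Policy in test mode: matches are logged and users see a notification, nothing is blocked.
#    'All' targets every Endpoint DLP user; narrow it to a pilot group's identity first
#    (assumption: a group such as dlp-pilot@contoso.com exists in your tenant).
New-DlpCompliancePolicy -Name $policyName `
    -Mode TestWithNotifications `
    -EndpointDlpLocation 'All' `
    -Comment 'Pilot: sensitivity labels detected inside archives'

# 2. Rule: fire when content carries the "Confidential" sensitivity label, and only
#    audit the endpoint actions the article lists (USB copy, print, cloud upload).
New-DlpComplianceRule -Name $ruleName -Policy $policyName `
    -ContentContainsSensitiveInformation @{
        operator = 'And'
        groups   = @(
            @{ operator = 'Or'; name = 'Default'
               labels   = @( @{ name = 'Confidential'; type = 'Sensitivity' } ) }
        )
    } `
    -EndpointDlpRestrictions @(
        @{ Setting = 'RemovableMedia'; Value = 'Audit' },
        @{ Setting = 'Print';          Value = 'Audit' },
        @{ Setting = 'CloudEgress';    Value = 'Audit' }
    ) `
    -ReportSeverityLevel Medium

# 3. Read back what exists before widening scope: a Disabled rule or an Enable-mode
#    policy are the two states you do not want during a pilot.
Get-DlpCompliancePolicy -Identity $policyName | Select-Object Name, Mode, EndpointDlpLocation
Get-DlpComplianceRule   -Policy   $policyName | Select-Object Name, Disabled, ReportSeverityLevel

# 4. After reviewing Activity explorer for noise, preview enforcement with -WhatIf,
#    then re-run without it once the pilot group has signed off.
Set-DlpComplianceRule   -Identity $ruleName   -EndpointDlpRestrictions @(
        @{ Setting = 'RemovableMedia'; Value = 'Block' },
        @{ Setting = 'Print';          Value = 'Block' },
        @{ Setting = 'CloudEgress';    Value = 'Block' }
    ) -WhatIf
Set-DlpCompliancePolicy -Identity $policyName -Mode Enable -WhatIf
```

The rule itself never mentions archives: the label condition is the same one you would write for loose files, and whether the engine looks inside containers is governed by the archive-inspection setting described under PORTAL EQUIVALENT. Keep the policy in TestWithNotifications until the audit events in Activity explorer show the inner-file triggers you expect and no unexplained noise, then run step 4 without -WhatIf.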
PORTAL EQUIVALENT: Where to Find This in M365 Admin Center
- Microsoft Purview Portal: Data loss prevention > Endpoint DLP settings > Policy configuration
- Configure or edit a policy, then review the “Archive file content inspection” option (now defaulted to ‘On’ for eligible tenants)
- Audit logs and incident alerts: Purview compliance portal > DLP alerts & Activity explorer
- Device status: Microsoft 365 Defender > Devices > Device inventory
WHAT’S NEW THIS CYCLE
- Feature: Endpoint DLP detection of sensitivity labels inside archives (GA August 2026, Preview July 2026)
- Admin Center Path: Purview portal > Data loss prevention > Endpoint DLP
- PowerShell/API: DLP policies and rules via Security & Compliance PowerShell (ExchangeOnlineManagement: Connect-IPPSSession, Get-/Set-DlpCompliancePolicy, Get-/Set-DlpComplianceRule); device audit via Microsoft.Graph.DeviceManagement or Invoke-MgGraphRequest against deviceManagement/managedDevices
WHAT’S COMING IN THE NEXT 90 DAYS
- Purview DLP unified incident management: Automatic correlation between endpoint, Exchange, and SharePoint DLP triggers (preview Q4 2026)
- Adaptive policy tuning: AI-based recommendations for DLP thresholds and false positive reduction (preview late 2026)
- Enhanced archive format support: Planned addition of .tar.gz and password-protected archive scanning (roadmap Q1 2027)
- Teams/SharePoint endpoint awareness: Archive DLP triggers will surface as signals in Teams/SharePoint DLP incident dashboards (in testing)
THE UPGRADE: Why This Matters
- Security: Closes a major loophole where sensitive content could be hidden within archives and evade DLP
- Productivity: Reduces manual review workload for security teams; automated enforcement based on actual content, not just file wrappers
- Compliance: Stronger evidentiary trail for regulated exfiltration events; easier to prove due diligence
- Cost: Fewer false negatives—and thus fewer costly breaches or compliance incidents
Admins gain granular, confidence-inspiring controls that finally match how users work with files in the real world.
RELATED CHANGES: Full Workflow Impact
- Audit and incident logs now show file-in-archive triggers, including which labeled file(s) caused the policy event
- Purview DLP analytics dashboards updated to break out archive-related events
- Entra ID Conditional Access can now use DLP incident triggers—including archive content—as policy signals (pilot feature)
- Defender for Endpoint device inventory flags DLP/Archive-enabled endpoints for easy targeting
RECOMMENDATION: What Admins Should Do Next
- 1. Review Endpoint DLP policies: Ensure rules for labeled content include files inside archives
- 2. Audit endpoint eligibility: Confirm devices are running supported Windows versions and have Defender for Endpoint/DLP enabled
- 3. Pilot and report: Enable archive content inspection in audit mode, monitor alerts/events, and tune policies for noise reduction
- 4. Communicate change: Notify users that archive exfiltration is now visible to DLP, to avoid accidental violations
- 5. Track roadmap: Prepare for upcoming unified incident management and adaptive tuning in the Purview compliance portal
Prioritize closing this longstanding DLP gap—then use new analytics to optimize your risk posture.