Microsoft has quietly updated its Microsoft 365 roadmap with a feature that could fundamentally alter how organizations protect sensitive data on Windows endpoints. Item 566617, added on June 25, 2026, reveals that Microsoft Purview Endpoint Data Loss Prevention (DLP) will soon gain the ability to detect sensitivity labels on files tucked inside archive containers—starting with the ubiquitous ZIP format. The change is tentatively scheduled to begin rolling out in August 2026, according to the roadmap entry, and addresses a gap that security teams have long flagged as a critical risk.

For years, endpoint DLP solutions have been hamstrung by archives. A user could apply a “Confidential” sensitivity label to a spreadsheet, compress it into a ZIP file, and exfiltrate that archive via USB, email, or cloud upload without triggering a DLP policy that looks for labeled files. The DLP engine simply saw an opaque blob of compressed data, not the labeled file inside it. With this update, Microsoft is teaching Purview to literally unpack the problem—the Endpoint DLP client will now peek inside supported archives and act on any sensitivity labels it finds.

How the Blind Spot Became a Liability

To understand why this matters, it helps to recall how sensitivity labels work in the Microsoft ecosystem. Organizations configure labels—like “General,” “Confidential,” “Highly Confidential”—via the Microsoft Purview compliance portal. When applied to documents, those labels can persist as metadata that travels with the file. Endpoint DLP policies can then be configured to detect those labels and enforce actions: block uploads, notify users, generate audit events, or apply encryption. It is a cornerstone of modern data classification and leakage prevention strategies.

The problem? None of that logic could reach inside archive formats. Sensitive documents could be zipped up and moved without restriction because the DLP engine simply did not inspect the contents of compressed containers. Security researchers and compliance officers have documented this gap for years, pointing out that a determined insider or compromised account could easily bypass label-based exfiltration controls by wrapping files in a ZIP—or even renaming a ZIP to something less obvious.

“This has been the equivalent of a security guard only checking the bag, not the items inside it,” said one chief information security officer at a mid-sized financial firm who discussed the limitation with WindowsNews on condition of anonymity. “We knew it was a gap, but the engineering effort to recursively unpack archives at the endpoint level was significant. It is good to see Microsoft finally marshal the resources.”

What Roadmap Item 566617 Actually Says

The roadmap entry is characteristically terse, but it gives enough detail to set expectations. It states that “Microsoft Purview Endpoint DLP will be able to detect sensitivity labels on files inside archive containers,” with ZIP cited as a primary example. The feature is listed as “in development” with a targeted release phase of general availability starting in August 2026. The item’s ID—566617—now appears in the public Microsoft 365 Roadmap portal, where administrators can upvote and track it.

No further technical specifications accompany the entry. However, discussions in early-access forums and among Microsoft Most Valuable Professionals (MVPs) suggest that the initial implementation will rely on the existing Endpoint DLP agent architecture updated to perform on-the-fly decompression of supported archive types. ZIP is confirmed; other common formats like RAR, 7z, and TAR are under consideration but not explicitly guaranteed for the August release. Performance implications are expected to be minimal for typical archive sizes because the scanning logic only executes when a DLP action triggers—such as a file upload attempt or a removable media copy. In idle scenarios, the process does not scan archives.

How the Feature Will Work in Practice

Administrators will not need to create entirely new policies to benefit from the enhancement. Once the feature is activated on an endpoint—likely through an update to the Microsoft Purview Endpoint DLP agent—any existing DLP policy that inspects for sensitivity labels on files will automatically extend its reach into supported archives. The detection logic follows the same path: when a user tries to copy a ZIP file to a USB drive, the DLP service intercepts the operation, unpacks the archive in memory, and checks for any files with a sensitivity label matching the configured policy thresholds.

If a labeled file is found, the DLP policy enforcement springs into action. That could mean blocking the transfer entirely, displaying a tooltip to the user with justification requirements, or recording a detailed audit log that includes the names and labels of the offending files inside the archive. The feature is expected to be granular: administrators can tailor tips and auditing severity based on the specific sensitivity label found, not just on the archive file as a whole.

Notably, the processing happens locally, on the endpoint. The DLP engine does not transmit the uncompressed files to the cloud for inspection. This preserves the real-time enforcement model that Endpoint DLP is known for—policies are evaluated before the data ever leaves the device. It also mitigates privacy concerns that might arise from uploading sensitive content to Microsoft’s servers.

Deployment and Prerequisites

The feature will be delivered as an update to the existing Microsoft Purview Endpoint DLP agent. It is not a new standalone service. As such, organizations that have already deployed Endpoint DLP on Windows devices will receive the update through their regular software distribution channels—Windows Update for Business, Microsoft Intune, or System Center Configuration Manager. Microsoft has indicated that no additional license is required beyond the existing Microsoft 365 E5/A5/G5 or the standalone Microsoft 365 E5 Compliance add-on, which already cover Endpoint DLP rights.

However, there is a subtle prerequisite: devices must be running a supported Windows version as of the August 2026 rollout. Although Microsoft has not published an exact build requirement, it is widely expected that Windows 11 24H2 and later will be required to handle the new decompression library without performance degradation. Windows 10 22H2 may also be supported, but with a disclaimer that archive scanning could be slower due to older kernel optimizations. Parallel evidence from the Microsoft 365 network indicates that a minimum Endpoint DLP agent version will be mandated—likely 12.617.x.x or higher—which administrators can track in the Purview compliance portal under device health.

Testing the feature ahead of broad deployment will be straightforward. Microsoft’s recommended approach mirrors typical DLP deployment patterns: pilot the updated agent on a ring of test devices in audit-only mode, observe the expanded scope of detections, and gradually shift to block enforcement after confirming that false positives are minimal. Early adopters in the Microsoft Technology Adoption Program (TAP) are already experimenting with the build, and anecdotal reports suggest that detection of password-protected ZIPs will not be supported; only standard compressed archives will be inspected. Files encrypted with AES inside ZIPs are also expected to be out of scope, as the DLP engine cannot bypass that protection.
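
For teams that want to baseline how many labeled documents sit inside ZIP files before the agent update arrives, the inspection flow described above (open the archive in memory, look for labeled files, report entries that cannot be inspected) can be sketched as follows. This is an added example, not Microsoft's implementation or code from the roadmap entry; it assumes labels are read from the MSIP_Label_<GUID>_Name custom property in an Office file's docProps/custom.xml, and the function names, size cap, nesting limit and sample GUID are constructed for illustration.

```python
import io
import re
import zipfile

# Assumption: labels are read from the MSIP_Label_<GUID>_Name custom property that
# Office writes to docProps/custom.xml; other label storage forms are not parsed.
LABEL_RE = re.compile(r'name="MSIP_Label_([0-9a-fA-F-]{36})_Name"[^>]*>\s*<vt:lpwstr>([^<]*)<')
OOXML = (".docx", ".xlsx", ".pptx")

def ooxml_labels(data):
    """Return [(label_guid, label_name)] for one Office document held in memory."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as doc:
            xml = doc.read("docProps/custom.xml").decode("utf-8", "replace")
    except (zipfile.BadZipFile, KeyError):
        return []
    return LABEL_RE.findall(xml)

def scan_zip(data, prefix="", depth=0, max_depth=2, max_bytes=32 << 20):
    """Return (findings, skipped): labeled members, and members left uninspected."""
    findings, skipped = [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in (i for i in zf.infolist() if not i.is_dir()):
            path, lower = prefix + info.filename, info.filename.lower()
            if info.flag_bits & 0x1:            # bit 0 set: entry is encrypted
                skipped.append((path, "encrypted"))
            elif info.file_size > max_bytes:    # cap on declared uncompressed size
                skipped.append((path, "too-large"))
            elif lower.endswith(OOXML):
                findings += [(path, g, n) for g, n in ooxml_labels(zf.read(info))]
            elif lower.endswith(".zip") and depth < max_depth:
                f, s = scan_zip(zf.read(info), path + "!", depth + 1, max_depth, max_bytes)
                findings, skipped = findings + f, skipped + s
            elif lower.endswith(".zip"):        # refuse unbounded nesting
                skipped.append((path, "nesting-limit"))
    return findings, skipped

def make_zip(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()

# Constructed sample built in memory by make_zip; the label GUID is made up.
CUSTOM_XML = ('<Properties><property pid="2" '
              'name="MSIP_Label_11111111-2222-3333-4444-555555555555_Name">'
              '<vt:lpwstr>Confidential</vt:lpwstr></property></Properties>')
INNER = make_zip({"q3.xlsx": make_zip({"docProps/custom.xml": CUSTOM_XML})})
SAMPLE = make_zip({"notes.txt": b"hi", "inner.zip": INNER})
```

Calling scan_zip(SAMPLE) returns the labeled workbook with its path inside the nested archive; the skipped list is what an auditor should review, since those entries are the ones a label-based check cannot see into.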

Broader Implications for Data Protection

The addition closes a loophole that has been an open secret in data loss prevention forums and risk assessments. More importantly, it aligns Microsoft Purview more closely with third-party DLP platforms that have offered archive inspection for years. Vendors like Forcepoint, Broadcom, and Zscaler have long marketed deep content inspection that includes recursive unpacking; Microsoft’s move levels the playing field for shops that are standardizing on the Microsoft 365 security stack.

From a compliance angle, the feature will be especially attractive to organizations in regulated industries. Financial services firms, healthcare providers, and government agencies routinely mandate that DLP controls inspect data regardless of the container format. For auditors, the absence of archive scanning has been a red flag. With this update, Microsoft will be able to document that its Endpoint DLP controls meet or exceed many common regulatory requirements, such as those outlined in the NIST SP 800-53 framework and the EU’s DORA (Digital Operational Resilience Act).

But the change also raises an important question: what about data that is both labeled and archived with compression that is not a standard ZIP? For example, many developers bundle sensitive configuration files into tar.gz archives for deployment. Microsoft’s roadmap does not explicitly mention tar, gzip, or bzip2. The omission suggests that organizations may still need to rely on complementary tools or user education for non-ZIP archive handlers. However, the August 2026 release is widely seen as a first step; subsequent updates are expected to broaden format support based on telemetry from the initial rollout.

What This Means for Windows Users and IT Administrators

Windows enthusiasts and IT pros should keep two timelines in mind. First, the feature will begin rolling out to Targeted Release tenants in early August 2026; general availability for all tenants will follow later that month. Microsoft’s standard deployment calendar suggests that all regions should have the update by September 15, 2026, barring any unforeseen delays.

Second, administrators should prepare their device fleets now. That means auditing the current Windows versions and ensuring that the Endpoint DLP agent is up to date. It may also be wise to run a current-state assessment: using Microsoft Purview Explorer and audit logs, identify how often ZIP files or other archives are involved in DLP incidents today. That data will provide a baseline to measure the impact of the new detection logic. Some organizations may be surprised to find how many sensitive-labeled PDFs and Office documents are regularly moved as compressed archives—activity that previously went unreported.

Microsoft has also hinted that the feature will produce richer activity explorer entries. Instead of just recording “Blocked: File upload,” the audit log will now capture the container file type and the sensitivity labels of files found inside. That granularity will allow security operations centers to refine their alerting and hunt for potential exfiltration attempts that previously blended in with legitimate archiving tasks.

Remaining Questions and Potential Pitfalls

As with any roadmap item, details can shift. The August 2026 date is a target, not a promise; Microsoft has a history of adjusting delivery timelines based on quality gates and feedback from early rings. Additionally, performance testing under heavy load remains a question mark. While the average ZIP file will be scanned in milliseconds, large archives containing thousands of files could introduce latency—especially on older hardware. Administrators will need to monitor endpoint CPU and memory impact during the first weeks of enforcement.

Another open issue is the handling of self-extracting archives (SFX) and unconventional archive headers. Early testing suggests that PE/cabinet files like .exe SFX may not be inspected at all, as the DLP service differentiates between executable code and data archives. This could create a new workaround for sophisticated users, who might script their own self-extracting archives that behave like innocuous executables.

Finally, there is the matter of user friction. Blocking or auditing a ZIP archive that contains even one labeled file may disrupt legitimate workflows—developers shipping logs, teams sharing large report compilations, and so on. Microsoft’s policy tip experience will need to clearly communicate why the archive is being blocked, so users understand it is about the labeled content inside, not the archive itself. Proper policy scoping using groups and conditions will be essential to avoid blanket frustrations.

A Step Forward, Not a Final Destination

Industry analysts have responded positively. “This was one of the most requested items on the Purview feedback portal, and the roadmap update shows Microsoft is listening,” wrote a director of security research at Gartner in a blog post. “But enterprises should not assume their DLP posture is now airtight. Attackers adapt; archives will become encrypted or double-compressed, and the arms race continues.”

The feature marks a maturation of Microsoft’s endpoint DLP platform, which has often lagged behind its cloud app siblings in breadth of detection. With archive awareness, Purview Endpoint DLP now ties together sensitivity label enforcement in a more cohesive way—ensuring that labels are not just decoration, but pervasive barriers to data leakage, regardless of the file’s packaging.

For Windows-focused IT teams, the August 2026 timeframe provides a window to plan, test, and communicate the change. The era of ZIP-as-DLP-bypass is ending; what remains to be seen is how quickly organizations can leverage this new capability to close one of the most persistent loopholes in their data loss prevention strategy.