Microsoft just rolled out a major change to its Purview Data Loss Prevention engine: when a DLP policy blocks Copilot from processing sensitivity‑labeled files, the block now applies whether the file lives in SharePoint, OneDrive, or on a local drive. For tenants that already have such a rule, this keeps confidential content out of the AI without extra configuration.
What the Update Does
The new rollout makes the Purview DLP engine read sensitivity labels directly from the client app. When a policy says “Don’t let Copilot process sensitivity‑labeled files,” the assistant simply refuses to run and shows a “Copilot can’t access this file” notice. No manual toggles or policy migrations are required; the feature is enabled by default for any tenant that already has a matching DLP rule.
Why the Change Matters
Previously, DLP rules only covered files stored in SharePoint and OneDrive. A labeled document opened locally could still be fed to Copilot, bypassing the protection. By extending the block to local devices, Microsoft eliminates that blind spot and gives organizations a single rule that protects data across the entire Office ecosystem.
Implications for IT and Security Teams
For security officers, the update removes a common attack vector: a user opening a confidential file in Word and clicking Copilot. The change reinforces compliance in regulated sectors such as finance, health care, and government. However, extending the block may generate a surge of “Copilot can’t help” tickets, so IT teams should audit label deployments, verify policy scopes, and update user training.
Operational Considerations
- Audit existing sensitivity‑label placements on endpoints.
- Confirm DLP policies are scoped to cover the labels you care about.
- Communicate to power users why Copilot may refuse to assist on certain files.
Practitioner’s Perspective
One senior information protection manager described the update as “the last gap in our DLP playbook.” He noted that engineers often kept critical design documents on local drives, and the new default block now says “no” wherever the file resides, simplifying enforcement and audit.
What to Do Now
Even though no manual toggle is needed, Microsoft recommends a quick review of your DLP policies that reference sensitivity labels. Make sure the rules still align with current business needs, and refresh any internal docs that explain Copilot’s behavior when a block occurs. If you haven’t enabled DLP for Copilot yet, you can add a rule in the Purview admin portal in minutes.
From a compliance angle, the extension aligns AI features with “data at rest and in use” protection frameworks. As you continue to rely on Copilot for drafting and brainstorming, you’ll appreciate the hard line that now protects confidential material across all storage locations.
