
The MS Purview DLP policies are currently not triggering on the shared Azure Virtual Desktop (AVD) session hosts.

2026-04-07T16:06:00.37+00:00

The MS Purview DLP policies are currently not triggering on the shared Azure Virtual Desktop (AVD) session hosts. This behavior is due to the inherent limitations of multi‑session AVD environments, where multiple users share the same device identity, causing Endpoint DLP controls to function inconsistently or fail to initiate altogether.

Your support in enabling the next steps would be greatly appreciated, and it will help us move forward efficiently.

Microsoft Security | Microsoft Purview

1 answer

  1. Q&A Assist
    2026-04-07T16:06:24.72+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Endpoint DLP is supported on multi-session Azure Virtual Desktop (AVD) session hosts, but there are important limitations and configuration dependencies that can cause policies to appear not to trigger.

    Key points and limitations for AVD

    1. Platform support
      • Endpoint DLP supports Windows 10/11 multi-session on AVD for versions 21H2 and 22H2.
      • Windows Server 2019 and Windows Server 2022 session hosts are also supported in single and multi-session scenarios.
      See the onboarding matrix for AVD:
      • Azure Virtual Desktop (AVD), Windows 10/11: Multi session supported for 21H2, 22H2.
    2. Known limitations in virtualized environments
      • Clipboard monitoring in browsers on AVD:
        • Copy to Clipboard and enforcing Endpoint DLP via browsers in AVD cannot be monitored.
        • The same egress operation is monitored only when performed via Remote Desktop Session (RDP), not inside a browser session.
      • USB handling in virtualized environments:
        • USB storage devices are treated as network shares.
        • To monitor “Copy to USB” on AVD, the DLP policy must include Copy to network share as an activity.
        • In Activity explorer and alerts, these events appear as Copy to a network share, not as USB.
      These limitations can make it appear that DLP is not triggering when, in fact, the specific activity type or channel is not covered by the policy or is not supported.
    3. Validate device onboarding and policy sync
      Even in AVD multi-session, Endpoint DLP policies are evaluated for users logging into onboarded devices. If policies are not triggering, confirm the following for the session hosts:
      a. Device onboarding status
      • In the Microsoft Purview portal, go to Settings (gear icon) > Device onboarding > Devices.
      • Locate the AVD session host(s) and check Configuration status:
        • If status is Updated, the device is correctly configured.
        • If Not available or Not updated, follow the remediation steps shown in the device details pane.
      b. Policy sync status
      • In the same Devices view, check Policy sync status for the session hosts:
        • If status is Updated, the latest DLP policies have reached the device.
        • If Not updated or Not available, follow the remediation guidance in the details pane and the workflow diagram.
      • Optionally review the Policy status report under Data loss prevention > Overview to see overall policy sync health.
    4. Confirm policy scope and locations
      • Endpoint DLP policies must have Devices selected as a location and must be scoped to the users who are logging into the AVD session hosts.
      • Policies are evaluated when a scoped user logs onto an onboarded device. If the user or group is not in scope, no Endpoint DLP actions will trigger on that session host.
    5. Check endpoint DLP settings that affect behavior
      • In the Purview portal, go to Data loss prevention > Overview > Data loss prevention settings > Endpoint settings.
      • Review:
        • Cloud egress restrictions
        • Application-based restrictions
        • File path exclusions
        • Browser and domain restrictions
      • Misconfigured exclusions or browser/domain settings can cause expected activities on AVD to be ignored.
    6. Use Activity explorer and diagnostics to verify
      • Use Activity explorer to confirm whether any endpoint activities from the AVD hosts are being logged (for example, Copy to network share, file uploads, etc.).
      • If policies still do not behave as expected for in-scope users/devices, open a Microsoft support case and use Always-on diagnostics for endpoint DLP to collect trace logs from the affected session hosts, as per the documented workflow. These logs are collected and analyzed by Microsoft Support to identify configuration or platform issues.

    Summary of practical next steps

    1. Confirm AVD session hosts are on supported OS versions (Windows 10/11 21H2 or 22H2 multi-session, or supported Windows Server versions).
    2. Verify each session host is onboarded and shows Configuration status = Updated.
    3. Verify Policy sync status = Updated for those hosts.
    4. Ensure DLP policies:
      • Include Devices as a location.
      • Are scoped to the correct users/groups using the AVD hosts.
      • Include Copy to network share if monitoring USB in AVD.
    5. Account for known limitations:
      • Clipboard and enforcement via browsers on AVD are not monitored; rely on RDP-level monitoring where applicable.
    6. Use Activity explorer to validate events and, if needed, engage Microsoft Support with Endpoint DLP trace logs for deeper investigation.

    References:

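The answer's steps 1 and 3 (supported OS version, device onboarding) can be pre-checked locally on a session host before going to the Purview portal. The script below is an added example written for this page; it is not part of the Q&A post and not Microsoft's own tooling. It assumes the standard Defender for Endpoint sensor service name (`Sense`) and status registry key (`HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status`, value `OnboardingState`), since Endpoint DLP rides on that onboarding, and it treats the `ProductName` string containing "Virtual Desktops" as the multi-session marker. The portal's Configuration status and Policy sync status remain the authoritative source; this only rules out the local causes first.

```powershell
# Added example, not from the Q&A post: local pre-checks on an AVD session host.
# Run from an elevated PowerShell session on the host itself.
# Assumptions: standard MDE sensor service name ('Sense') and status registry key;
# ProductName containing 'Virtual Desktops' identifies a multi-session client SKU.

$findings = [System.Collections.Generic.List[string]]::new()

# 1. OS version: answer lists Windows 10/11 multi-session 21H2/22H2 and
#    Windows Server 2019 (build 17763) / 2022 (build 20348) as supported.
$cv             = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$productName    = $cv.ProductName
$displayVersion = $cv.DisplayVersion      # e.g. 21H2, 22H2 (absent on very old builds)
$build          = [int]$cv.CurrentBuild

$isMultiSessionClient = $productName -like '*Virtual Desktops*'   # assumption, see lead-in
$isServer             = $productName -like 'Windows Server*'

if ($isMultiSessionClient) {
    if ($displayVersion -notin @('21H2', '22H2')) {
        $findings.Add("OS: multi-session client version '$displayVersion' is outside the listed versions (21H2, 22H2).")
    }
} elseif ($isServer) {
    if ($build -notin @(17763, 20348)) {
        $findings.Add("OS: Windows Server build $build is not 2019 (17763) or 2022 (20348).")
    }
} else {
    $findings.Add("OS: '$productName' is neither a multi-session client nor Windows Server; check the onboarding matrix.")
}

# 2. Sensor presence and state. Endpoint DLP depends on the Defender for Endpoint
#    onboarding; if the sensor is missing or stopped, no policy can evaluate here.
$sense = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
if (-not $sense) {
    $findings.Add("Sensor: the 'Sense' service is not installed; this host is not onboarded.")
} elseif ($sense.Status -ne 'Running') {
    $findings.Add("Sensor: 'Sense' service state is $($sense.Status); expected Running.")
}

$statusKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$onboarding = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
if ($onboarding -ne 1) {
    $findings.Add("Sensor: OnboardingState is '$onboarding' (1 = onboarded); re-run the onboarding package.")
}

# 3. Report. A clean local result means the remaining suspects are portal-side:
#    Configuration status / Policy sync status, policy scope (Devices location,
#    user scope), and the AVD-specific limitations (browser clipboard, USB as
#    network share).
if ($findings.Count -eq 0) {
    Write-Output "Local prerequisites look good on $env:COMPUTERNAME."
    Write-Output "Next: confirm Configuration status and Policy sync status are 'Updated' under"
    Write-Output "Purview > Settings > Device onboarding > Devices, then check Activity explorer"
    Write-Output "for 'Copy to a network share' events from this host."
} else {
    Write-Output "Findings on $env:COMPUTERNAME:"
    $findings | ForEach-Object { Write-Output " - $_" }
}
```

The script deliberately does not try to read DLP policy state from the host: policy sync is reported by the portal, and the answer's point is that a host can be perfectly onboarded while the activity being tested (browser clipboard, a USB copy that is really a network-share copy) is simply not covered.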
