
The MS Purview DLP policies are currently not triggering on the shared Azure Virtual Desktop (AVD) session hosts.

2026-04-07T16:06:00.37+00:00

The MS Purview DLP policies are currently not triggering on the shared Azure Virtual Desktop (AVD) session hosts. This behavior is due to the inherent limitations of multi‑session AVD environments, where multiple users share the same device identity, causing Endpoint DLP controls to function inconsistently or fail to initiate altogether.

Your support in enabling the next steps would be greatly appreciated, and it will help us move forward efficiently.

Microsoft Security | Microsoft Purview

3 answers

  1. Cloud Admin - SidduReddy Kondappagari 0 Reputation points
    2026-04-08T10:20:17.4033333+00:00

    Thank you for your response.

    In our current environment, we have approximately 400 users, and 4 shared VM hosts that are used across all users. These VM hosts do not have dedicated host IDs or IP addresses per user, as they are part of a shared infrastructure.

    We are currently attempting to install the Microsoft Purview compliance package so that these VM hosts become visible under the Devices section in the Purview portal. However, despite the installation, the shared VM hosts are not appearing in the Devices area, which is preventing us from proceeding further with the configuration and compliance workflows.

    In contrast, the setup works as expected in Personal environments, where each system has a dedicated host ID and IP address, allowing the devices to be detected and displayed correctly in Purview.

    Due to the shared nature of our VM hosts, device visibility in Purview is currently a blocker, and we are seeking guidance on how to properly onboard or represent shared VM hosts within Microsoft Purview so that compliance features can be enabled and managed effectively.

      • Are you seeing any events at all in Activity Explorer from those AVD hosts? - No, not showing up.
      • Which specific activity (copy to USB, upload, clipboard, etc.) is not triggering? - For the AI tools block in Windows, except Copilot.

  2. Smaran Thoomu 34,880 Reputation points Microsoft External Staff Moderator
    2026-04-08T09:53:24.8066667+00:00

    @Cloud Admin - SidduReddy Kondappagari Thanks for sharing the details - you’re right that AVD multi-session setups can behave differently with Endpoint DLP, but in most cases policies should still trigger if everything is configured correctly.

    A few things I’d suggest checking on your side:

    • Device onboarding: Make sure the AVD session hosts are properly onboarded and showing as healthy/updated in Purview
    • Policy scope: Confirm the DLP policy includes Devices as a location and is scoped to the users logging into those AVD hosts
    • Policy sync: Check if the latest policies are actually synced to the session hosts

    Also, just to call out a couple of known behaviors in AVD:

    • Some actions (especially browser-based copy/clipboard) are not fully monitored in multi-session environments
    • USB activity may show up as network share activity, so policies need to account for that

    To narrow this down, it would really help if you can confirm:

    • Are you seeing any events at all in Activity Explorer from those AVD hosts?
    • Which specific activity (copy to USB, upload, clipboard, etc.) is not triggering?

    If everything looks correct but still no triggers, we may need to collect endpoint diagnostics logs from one of the session hosts and take it further with the product team.

    Happy to help you validate this step-by-step.

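The three checks in the answer above (onboarding, scope, sync) start with facts that are readable on the session host itself. The following script is an added example for this thread, not code from the Q&A or from Microsoft. Run it in an elevated PowerShell on one AVD session host: it reports the OS SKU and release against the 21H2/22H2 and Server 2019/2022 list quoted in this thread, reads the Defender for Endpoint onboarding state from the documented `Windows Advanced Threat Protection\Status` registry key, checks the `Sense` service and Defender AV mode, and counts the interactive sessions that all share that one device identity. The portal's "Updated"/"Not updated" states are tenant-side and cannot be read locally; the `SenseId` value is assumed to be the device identifier the portal lists.

```powershell
# Added example for this thread; not code from the Q&A or from Microsoft.
# Run elevated on ONE AVD session host to collect the local prerequisites
# behind the onboarding / scope / sync checks before opening a support case.

function Get-EndpointDlpHostState {
    [CmdletBinding()]
    param()

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # DisplayVersion (21H2, 22H2, ...) exists on 20H2+; older builds only have ReleaseId.
    $release = if ($ver.DisplayVersion) { $ver.DisplayVersion } else { $ver.ReleaseId }

    # ProductType 1 = workstation SKU (Windows 10/11); anything else is Server.
    $isServer       = $os.ProductType -ne 1
    $isMultiSession = $os.Caption -match 'multi-session'
    # Support list as quoted in this thread; re-check the onboarding matrix
    # before relying on it, since it changes over time.
    $supported = if ($isServer) { $os.Caption -match '2019|2022' }
                 else           { $isMultiSession -and ($release -in @('21H2', '22H2')) }

    # Defender for Endpoint sensor state. OnboardingState 1 = onboarded;
    # a missing key means the onboarding package never ran on this host.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarded = $false
    $senseId   = $null
    if (Test-Path -Path $statusKey) {
        $status    = Get-ItemProperty -Path $statusKey
        $onboarded = ($status.OnboardingState -eq 1)
        $senseId   = $status.SenseId   # assumed: the device id shown in the portal
    }

    # Endpoint DLP rides on the Sense service and the Defender AV engine
    # (active or passive mode); both need to be present on the host.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $mp    = Get-MpComputerStatus -ErrorAction SilentlyContinue

    # Every interactive session on a multi-session host shares this one
    # SenseId, which is the "shared device identity" the question describes.
    $sessions = @(quser 2>$null | Select-Object -Skip 1).Count

    $findings = @()
    if (-not $supported) { $findings += "OS '$($os.Caption)' $release is not in the AVD support list quoted above." }
    if (-not $onboarded) { $findings += 'Sensor not onboarded (OnboardingState != 1): re-run the onboarding package, then check Settings > Device onboarding > Devices.' }
    if (-not $sense -or $sense.Status -ne 'Running') { $findings += 'Sense service is missing or not running.' }
    if (-not $mp) { $findings += 'Get-MpComputerStatus failed: Defender AV must be present in active or passive mode.' }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OSCaption       = $os.Caption
        Release         = $release
        IsMultiSession  = $isMultiSession
        InSupportList   = $supported
        Onboarded       = $onboarded
        SenseId         = $senseId
        SenseService    = if ($sense) { [string]$sense.Status } else { 'NotInstalled' }
        DefenderMode    = if ($mp) { $mp.AMRunningMode } else { 'Unavailable' }
        ActiveSessions  = $sessions
        Findings        = $findings
    }
}

$state = Get-EndpointDlpHostState
$state | Format-List
if ($state.Findings.Count -eq 0) {
    Write-Host 'Local prerequisites look fine; next check Configuration status and Policy sync status in the portal, then Activity explorer.'
}
```

If the host shows `Onboarded = True` with a `SenseId` but still does not appear under Devices in the portal, the problem is on the tenant side (sync or licensing), which is where the diagnostic logs mentioned above come in.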

  3. Q&A Assist
    2026-04-07T16:06:24.72+00:00
    AI-generated content. This question contains an answer created with AI from Q&A Assist.

    Endpoint DLP is supported on multi-session Azure Virtual Desktop (AVD) session hosts, but there are important limitations and configuration dependencies that can cause policies to appear not to trigger.

    Key points and limitations for AVD

    1. Platform support
      • Endpoint DLP supports Windows 10/11 multi-session on AVD for versions 21H2 and 22H2.
      • Windows Server 2019 and Windows Server 2022 session hosts are also supported in single and multi-session scenarios.
      See the onboarding matrix for AVD:
      • Azure Virtual Desktop (AVD), Windows 10/11: Multi session supported for 21H2, 22H2.
    2. Known limitations in virtualized environments
      • Clipboard monitoring in browsers on AVD:
        • Copy to Clipboard and enforcing Endpoint DLP via browsers in AVD cannot be monitored.
        • The same egress operation is monitored only when performed via Remote Desktop Session (RDP), not inside a browser session.
      • USB handling in virtualized environments:
        • USB storage devices are treated as network shares.
        • To monitor “Copy to USB” on AVD, the DLP policy must include Copy to network share as an activity.
        • In Activity explorer and alerts, these events appear as Copy to a network share, not as USB.
      These limitations can make it appear that DLP is not triggering when, in fact, the specific activity type or channel is not covered by the policy or is not supported.
    3. Validate device onboarding and policy sync
      Even in AVD multi-session, Endpoint DLP policies are evaluated for users logging into onboarded devices. If policies are not triggering, confirm the following for the session hosts:
      a. Device onboarding status
      • In the Microsoft Purview portal, go to Settings (gear icon) > Device onboarding > Devices.
      • Locate the AVD session host(s) and check Configuration status:
        • If status is Updated, the device is correctly configured.
        • If Not available or Not updated, follow the remediation steps shown in the device details pane.
      b. Policy sync status
      • In the same Devices view, check Policy sync status for the session hosts:
        • If status is Updated, the latest DLP policies have reached the device.
        • If Not updated or Not available, follow the remediation guidance in the details pane and the workflow diagram.
      • Optionally review the Policy status report under Data loss prevention > Overview to see overall policy sync health.
    4. Confirm policy scope and locations
      • Endpoint DLP policies must have Devices selected as a location and must be scoped to the users who are logging into the AVD session hosts.
      • Policies are evaluated when a scoped user logs onto an onboarded device. If the user or group is not in scope, no Endpoint DLP actions will trigger on that session host.
    5. Check endpoint DLP settings that affect behavior
      • In the Purview portal, go to Data loss prevention > Overview > Data loss prevention settings > Endpoint settings.
      • Review:
        • Cloud egress restrictions
        • Application-based restrictions
        • File path exclusions
        • Browser and domain restrictions
      • Misconfigured exclusions or browser/domain settings can cause expected activities on AVD to be ignored.
    6. Use Activity explorer and diagnostics to verify
      • Use Activity explorer to confirm whether any endpoint activities from the AVD hosts are being logged (for example, Copy to network share, file uploads, etc.).
      • If policies still do not behave as expected for in-scope users/devices, open a Microsoft support case and use Always-on diagnostics for endpoint DLP to collect trace logs from the affected session hosts, as per the documented workflow. These logs are collected and analyzed by Microsoft Support to identify configuration or platform issues.

    Summary of practical next steps

    1. Confirm AVD session hosts are on supported OS versions (Windows 10/11 21H2 or 22H2 multi-session, or supported Windows Server versions).
    2. Verify each session host is onboarded and shows Configuration status = Updated.
    3. Verify Policy sync status = Updated for those hosts.
    4. Ensure DLP policies:
      • Include Devices as a location.
      • Are scoped to the correct users/groups using the AVD hosts.
      • Include Copy to network share if monitoring USB in AVD.
    5. Account for known limitations:
      • Clipboard and enforcement via browsers on AVD are not monitored; rely on RDP-level monitoring where applicable.
    6. Use Activity explorer to validate events and, if needed, engage Microsoft Support with Endpoint DLP trace logs for deeper investigation.

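Steps 2 to 4 above (USB reported as a network-share copy on AVD, Devices selected as a location, policy scoped to the AVD users) can be checked from Security & Compliance PowerShell rather than by clicking through each policy. The script below is an added example for this thread, not code from the Q&A or from Microsoft. It connects with the ExchangeOnlineManagement module, lists every DLP policy that carries the Devices location, confirms the policy mode and scope, and flags rules whose endpoint restrictions do not include `NetworkShare`, which is the setting a rule needs for USB copies on AVD to be caught. Property names (`EndpointDlpLocation`, `Mode`, `EndpointDlpRestrictions` entries with `Setting`/`Value`) are assumed from the `New-DlpCompliancePolicy` and `New-DlpComplianceRule` parameter sets, and `avd-users@contoso.com` is a placeholder group.

```powershell
# Added example for this thread; not code from the Q&A or from Microsoft.
# Run from Security & Compliance PowerShell with a compliance-admin account.

Import-Module ExchangeOnlineManagement
Connect-IPPSSession   # interactive sign-in

function Get-AvdEndpointDlpCoverage {
    param(
        # Restriction settings an AVD-aware rule should carry. NetworkShare is
        # the one that actually catches USB copies in a virtualized session,
        # because the USB device is presented to the host as a network share.
        [string[]]$RequiredSettings = @('NetworkShare', 'RemovableMedia', 'CloudEgress'),
        # UPNs or group names of the AVD users, to confirm they are in scope.
        [string[]]$AvdUsers = @()
    )

    # Only policies with the Devices location can drive Endpoint DLP at all.
    $devicePolicies = Get-DlpCompliancePolicy | Where-Object { $_.EndpointDlpLocation }

    foreach ($policy in $devicePolicies) {
        $scope     = @($policy.EndpointDlpLocation)
        $scopedAll = $scope -contains 'All'
        $missingUsers = if ($scopedAll) { @() } else { $AvdUsers | Where-Object { $scope -notcontains $_ } }

        foreach ($rule in Get-DlpComplianceRule -Policy $policy.Name) {
            # Flatten the restriction entries to text so the match works
            # whether they come back as hashtables or as serialized strings.
            $text    = ($rule.EndpointDlpRestrictions | ForEach-Object { $_ | Out-String }) -join ' '
            $covered = $RequiredSettings | Where-Object { $text -match $_ }
            $missing = $RequiredSettings | Where-Object { $text -notmatch $_ }

            [pscustomobject]@{
                Policy          = $policy.Name
                Rule            = $rule.Name
                Mode            = $policy.Mode        # Enable = enforced; Test* modes only audit
                Enabled         = ($policy.Enabled -and -not $rule.Disabled)
                ScopedToAll     = $scopedAll
                AvdUsersMissing = @($missingUsers)
                CoveredSettings = @($covered)
                MissingSettings = @($missing)
                UsbOnAvdCovered = ($text -match 'NetworkShare')
            }
        }
    }
}

# 'avd-users@contoso.com' is a placeholder for the group that signs in to the session hosts.
Get-AvdEndpointDlpCoverage -AvdUsers 'avd-users@contoso.com' |
    Format-Table Policy, Rule, Mode, Enabled, ScopedToAll, UsbOnAvdCovered, MissingSettings -AutoSize
```

A rule that shows `UsbOnAvdCovered = False` will look like "DLP is not triggering" on the session hosts even though it fires correctly on personal devices, and any policy still in a `Test*` mode will log to Activity explorer without blocking.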
