Microsoft Purview has auto-labeling policies for scanning Exchange mail, SharePoint and OneDrive files and applying labels to them. I wonder if it is possible to create something like an auto-labeling policy for scanning end-user machines? If yes, what are the requirements?
Thank you for posting your question here. I understand you're looking for a solution to auto-label files stored on Endpoints, similar to the options for Exchange, SharePoint, and OneDrive.
Unfortunately, there is no direct tool that will scan data-at-rest on endpoints and apply a label based on content being matched.
However, there are a few options available to help with this:
You can automatically back up the Known folders (Desktop, Documents, and Images) to OneDrive, which will help cut back on the number of files stored locally on the PC, and then they will be subject to OneDrive auto-labeling policies.
You can configure auto-labeling within your sensitivity labels, and as users interact with files on their endpoints, the files will be scanned and labeled accordingly.
This is known as client-side labeling; the auto-labeling policies you're asking about are known as service-side labeling.
Leverage Endpoint DLP to prevent unauthorized movements, such as putting the file on a USB, if the document is NOT labeled, by using the "Content is not labeled" condition available for Endpoint DLP policies.