Microsoft · Filed Nov 26, 2024 · Published May 28, 2026 · verified — real USPTO data

Microsoft Patents a File Protection System That Follows Files Across Devices

What if your file's access rules traveled with it — no matter where it ended up? Microsoft is patenting a system that bakes permissions directly into the file itself, so even a copy on someone else's machine knows who's allowed to open it.

Microsoft Patent: System-Wide File Protection Across Devices — figure from US 2026/0147902 A1
FIG. 1A — rendered from the official USPTO publication PDF.
Publication number: US 2026/0147902 A1
Applicant: Microsoft Technology Licensing, LLC
Filing date: Nov 26, 2024
Publication date: May 28, 2026
Inventors: Aashish RAMDAS, Xi CHEN, Zheng LIN, Henry Nexon FERGUSON, Tewang CHEN
CPC classification: 726/26
Grant likelihood: Medium
Examiner: AHMED, ZAIN JIM (Art Unit 2432)
Status: Docketed New Case - Ready for Examination (Jan 6, 2025)
Document: 20 claims

What Microsoft's persistent file protection actually does

Imagine you share a confidential budget spreadsheet with a colleague. They forward it to someone outside the company, who opens it on a personal laptop. With most systems, your original access restrictions stay behind — the file is now loose in the wild.

Microsoft's patent describes a system that prevents exactly that. Instead of storing access rules in a central server or folder-level setting, it bakes security metadata directly into the file at the moment the file is created or first protected. That metadata — which defines who can open, edit, or share the file — rides along with the content everywhere it goes.

Critically, the file's content is not encrypted, but the security metadata is always attached to it. When any app tries to open the file on any device, the system checks the embedded rules first. If you're not authorized, you get limited access, or none at all. The protection persists even after the file is edited or copied.

How security metadata stays bound to file content

The patent describes a file protection framework that operates at the endpoint (the individual device) rather than relying on a network-connected policy server to enforce access control in real time.

Here's the core mechanism:

  • Security information metadata is generated for a file — this metadata encodes the access rights and permissions (who can read, edit, print, forward, etc.).
  • That metadata is bound to the unencrypted file content, creating what the patent calls a protected unencrypted file — the content is readable in the right context, but the security wrapper is inseparable from it.
  • When any application on any device requests access to the file, the local file protection system intercepts the request, reads the embedded metadata, and decides what level of access — if any — to grant.
  • The binding persists through edits. If someone modifies the file, the metadata doesn't get stripped out — it stays attached.

The "system-wide" framing is important here: rather than protecting files only inside a specific app (like Microsoft Word with IRM), this approach aims to enforce protections at the OS level, so any application that tries to touch the file gets evaluated against the same ruleset. This is closer to a trusted container approach than traditional app-layer DLP (data loss prevention).
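To make the mechanism above concrete, here is a sketch added for this write-up; it is not code from the patent or from Microsoft. The article does not say how the binding is implemented, so the HMAC tag, the `BINDING_KEY` secret, the dictionary layout and the function names are all assumptions, as is the premise that every open and edit passes through the local protection component.

```python
import hashlib, hmac, json

# Assumption: a secret held only by the endpoint protection component.
BINDING_KEY = b"constructed-demo-key"

def _tag(policy: dict, content: bytes) -> str:
    # MAC over the canonical policy plus the content digest ties the two together.
    msg = json.dumps(policy, sort_keys=True).encode() + hashlib.sha256(content).digest()
    return hmac.new(BINDING_KEY, msg, hashlib.sha256).hexdigest()

def protect(content: bytes, policy: dict) -> dict:
    """Build a 'protected unencrypted file': plaintext content plus bound policy."""
    return {"policy": policy, "content": content.decode(), "tag": _tag(policy, content)}

def check_access(pfile: dict, user: str, right: str) -> bool:
    """Run before any application is handed the content."""
    policy, content = pfile.get("policy"), pfile.get("content")
    if not isinstance(policy, dict) or not isinstance(content, str):
        return False  # metadata stripped: fail closed
    expected = _tag(policy, content.encode())
    if not hmac.compare_digest(expected, str(pfile.get("tag", ""))):
        return False  # policy swapped, or content changed out of band
    return right in policy.get(user, [])

def edit(pfile: dict, user: str, new_content: bytes) -> dict:
    """Edits pass through the same component, which carries the policy forward."""
    if not check_access(pfile, user, "edit"):
        raise PermissionError(f"{user} may not edit this file")
    return protect(new_content, pfile["policy"])

if __name__ == "__main__":
    # Constructed sample policy and content.
    policy = {"alice@example.com": ["read", "edit"], "bob@example.com": ["read"]}
    f = protect(b"Q3 budget draft", policy)
    print("bob read:", check_access(f, "bob@example.com", "read"))
    print("bob edit:", check_access(f, "bob@example.com", "edit"))
    f2 = edit(f, "alice@example.com", b"Q3 budget v2")
    print("policy survives edit:", f2["policy"] == policy)
    swapped = dict(f, policy={"eve@example.net": ["read"]})
    print("swapped policy accepted:", check_access(swapped, "eve@example.net", "read"))
```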

What this means for enterprise data leakage control

For enterprise IT teams, the persistent headache with data loss prevention is that controls tend to break the moment a file leaves the managed environment — emailed out, saved to a USB drive, or opened in a third-party app. This patent targets that exact gap by making the file itself the enforcement point, not the network perimeter.

If Microsoft ships something based on this, it could meaningfully strengthen Microsoft Purview (its information protection and compliance platform) by extending reliable access control to unmanaged devices and non-Microsoft applications. For users, the practical effect would be that sensitive files you receive simply can't be opened in unauthorized ways — even if your IT department has no visibility into the device you're using.

Editorial take

This is a genuinely useful piece of enterprise security infrastructure — not flashy, but it addresses a real and stubborn problem. The idea of metadata-bound, app-agnostic file protection has been around for years (hello, Azure Information Protection), but system-wide OS-level enforcement is a meaningful step up from app-layer controls. Worth watching to see how Microsoft integrates this into Purview or Windows itself.

Source. Full patent text and figures from the official USPTO publication PDF.

Editorial commentary on a publicly published patent application. Not legal advice.