Steps to import custom proxy certificates in the JAVA certificate store post DLP 16.1 GA

Article ID: 380813


Products

Data Loss Prevention Discover Suite, Data Loss Prevention, Data Loss Prevention Plus Suite, Data Loss Prevention Network Discover, Data Loss Prevention Enterprise Suite, Data Loss Prevention Enforce, Data Loss Prevention Endpoint Discover, Data Loss Prevention Core Package

Issue/Introduction

On DLP 16.1, if you use the Apply MIP Classification Protect action during a High-Speed Discovery scan and the scan fails to apply MIP labels to files, the cause may be a proxy that presents a custom certificate, which causes connectivity issues between the Worker Nodes and the MIP servers.

Environment

DLP 16.1

Cause

In the Worker Node logs, check "SymantecDLPDetector*.log" and search for errors like:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed

 

In Scan errors, there are errors like:

Failed to apply MIP classification due to an authentication error: 'java.util.concurrent.ExecutionException: com.microsoft.aad.msal4j.MsalClientException: java.net.ConnectException: Connection refused: connect'. For more information, see the Symantec Data Loss Prevention Help Center.
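
The log check described above, as an added example that is not part of the original article or of Symantec's tooling: it counts both error signatures per SymantecDLPDetector*.log file so you can see which Worker Node logs show the certificate trust failure. The function names, the sample file names and log lines are constructed, and looking for the MSAL error in the detector log (the article lists it under scan errors) is an assumption.

```python
import glob
import os
import tempfile

# Error signatures quoted in this article.
SIGNATURES = {
    "untrusted_proxy_cert": "PKIX path building failed",
    "msal_connection_refused": "MsalClientException: java.net.ConnectException",
}


def triage_logs(log_dir):
    """Count signature hits per SymantecDLPDetector*.log file; skip clean files."""
    report = {}
    pattern = os.path.join(log_dir, "SymantecDLPDetector*.log")
    for path in sorted(glob.glob(pattern)):
        counts = dict.fromkeys(SIGNATURES, 0)
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                for name, needle in SIGNATURES.items():
                    if needle in line:
                        counts[name] += 1
        if any(counts.values()):
            report[os.path.basename(path)] = counts
    return report


def demo():
    """Run the triage over constructed log files in a temporary directory."""
    pkix = ("javax.net.ssl.SSLHandshakeException: "
            "sun.security.validator.ValidatorException: PKIX path building failed")
    msal = ("com.microsoft.aad.msal4j.MsalClientException: "
            "java.net.ConnectException: Connection refused: connect")
    # Constructed samples: file suffixes and the text around each error are made up.
    files = {
        "SymantecDLPDetector0.log": ["scan started", pkix, "retrying", pkix],
        "SymantecDLPDetector1.log": ["scan started", msal],
        "SymantecDLPDetector2.log": ["scan started", "scan finished"],
        "other.log": [pkix],  # ignored: does not match the file pattern
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, lines in files.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write("\n".join(lines) + "\n")
        return triage_logs(tmp)


if __name__ == "__main__":
    for log_name, hits in demo().items():
        print(log_name, hits)
```

To use it on a Worker Node, call `triage_logs` with the directory that holds the detector logs.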

Resolution

Make sure that access to the MIP URLs is not blocked by firewalls or proxy servers. For more details, refer to "DLP Fails to Obtain MIP Labels from Azure" and "Allow the Azure portal URLs on your firewall or proxy server".

If any of the above errors are reported, follow the steps in "High Speed MIP Classification - Proxy support" to import the custom certificates into the Java certificate store on all Worker Nodes.