The Admin has create MIP labels with protection that are set to auto apply via the DLP Endpoint Agent, yet the label is never applied. While MIP Labels without protection apply perfectly.

DLP 15.8.x

DLP 16.x

MIP

Logs show:

File: edpa.log
Source: AgentServices.AIPManagementService
Message: WriteLabel:Failed to write label for user********, file:**********, error:Label requires ad-hoc protection, but protection has not yet been set.

The error: :Label requires ad-hoc protection, but protection has not yet been set. is occurring because the MIP Label was created with  Let users assign permissions when they apply the label option which is not supported with DLP. 

The MIP Label needs to be updated in the O365 portal to use the Assign permissions now option instead of Let users assign permissions when they apply the label option

As outlined in the Product Advisory: Configuring Access Control In Microsoft Purview Sensitivity Labels For Use With Symantec Data Loss Prevention

Microsoft Purview, formerly known as Microsoft Information Protection, recently added the Let users assign permissions when they apply the label option to the Assign permissions now or let users decide? setting on the Access control page of sensitivity label configurations.

The integration between Symantec Data Loss Prevention and Microsoft Purview does not support the Let users assign permissions when they apply the label option. Symantec recommends that customers use the previously supported Assign permissions now option until further notice.

This applies to Symantec Data Loss Prevention versions 15.8 and later.