
💡 Our Technical Review in summary
Summary
- Microsoft is retiring the native capability to create alert policies and generate Data Loss Prevention (DLP) alerts for sensitive data activities on endpoints within the Microsoft Defender portal.
- This functionality is being consolidated into Microsoft Purview DLP to provide a unified investigation experience and more advanced enforcement capabilities (such as blocking and user notifications).
- The transition follows a two-stage retirement: new policy creation for these activities ends on February 16, 2026, and existing policies will cease generating alerts on March 23, 2026.
Impact
- Administrative Workflow: IT Admins and Security Operations (SecOps) teams will no longer manage endpoint sensitive data alerts via the “Alert policies” section of Microsoft Defender XDR.
- Feature Retirement: The following activities will no longer trigger alerts through Defender:
  - Copying sensitive data to removable media (USB), network shares, or the clipboard.
  - Uploading sensitive files to third-party cloud services or web apps.
  - Accessing sensitive files using unauthorized or unallowed applications.
- Unified Experience: While the configuration moves to Purview, alerts will still be visible within the Microsoft Defender XDR dashboard for triage, ensuring that security signals remain integrated.
- Data Loss Risk: Organizations that do not migrate their alerting logic to Purview DLP before March 23, 2026, will experience a “blind spot” regarding sensitive data movement on endpoints.
Action Required
- Audit Current Policies: Review all active alert policies in the Microsoft Defender portal to identify those specifically targeting sensitive data activities on endpoints.
- Migrate to Purview DLP: Re-create the identified alerting logic within the Microsoft Purview compliance portal. Ensure that policies are configured for “Endpoint” locations.
- Configure Enforcement: Take advantage of Purview DLP features not available in the retiring Defender alerts, such as “Policy Tips” for user education and “Block” actions for proactive prevention.
- Update Documentation: Revise internal Standard Operating Procedures (SOPs), incident response playbooks, and helpdesk documentation to reflect the shift from Defender-based alerting to Purview DLP.
- Staff Training: Inform SecOps and compliance teams about the change in alert source and any differences in the Purview DLP alert metadata.
Microsoft Official Update
Service: N/A
Category: planForChange
Severity: normal
[Introduction]
We’re retiring the ability to create alert policies and generate DLP alerts for sensitive data activities on endpoints in the Microsoft Defender portal. This change unifies endpoint data loss prevention (DLP) detection and alerting under Microsoft Purview DLP, giving organizations a more consistent experience and access to advanced enforcement and investigation capabilities in Microsoft Defender XDR.
[When this will happen]
- February 16, 2026: Sensitive data activity options will be removed from new alert policy creation in the Microsoft Defender portal.
- March 23, 2026: Existing alert policies using these activities will stop generating alerts.
[How this affects your organization]
Who is affected:
- Organizations that use alert policies in Microsoft Defender XDR to monitor sensitive data activities on endpoints.
- Admins who create or manage alert policies in the Microsoft Defender portal.
What will happen:
- The following endpoint-sensitive data activities will be retired and removed from alerting in the Microsoft Defender portal:
  - Copying sensitive data to removable media, remote shares, or the clipboard
  - Uploading sensitive files to third-party apps or services
  - Accessing sensitive files with unallowed apps
- New alert policies cannot use these activities after February 16, 2026.
- Existing alert policies will stop generating alerts after March 23, 2026.
- These activities will not be re-enabled in the Defender portal after retirement.
- Organizations can continue to detect and alert on these activities using Microsoft Purview DLP, which supports:
  - Alerting and incident creation
  - User notifications through policy tips
  - Activity blocking and restriction
  - Unified investigation of DLP and security alerts in Microsoft Defender XDR
- Purview DLP alerts for these endpoint activities appear in the Defender XDR experience for triage and investigation.

[What you can do to prepare]
- Review existing Microsoft Defender alert policies to identify any that use the retiring activities.
- Re-create required alerting using Microsoft Purview DLP policies.
- Notify security operations and helpdesk teams about the retirement and the shift to Purview DLP.
- Update internal documentation that references these Defender alert policies.
- Review endpoint DLP configuration and policy guidance: "Get started with endpoint data loss prevention" (Microsoft Purview, Microsoft Learn).
- If none of your Defender alert policies rely on these activities, no action is required.
[Compliance considerations]
No compliance considerations identified. Review as appropriate for your organization.

