Table of Contents
Summary
- The ability to create alert policies for sensitive data activities on endpoints in Microsoft Defender will be retired, shifting detection and alerting to Microsoft Purview DLP.
- Organizations using Microsoft Defender XDR to monitor sensitive data activities on endpoints will be affected, along with admins managing alert policies.
- Specific endpoint-sensitive data activities, such as copying to removable media and uploading to third-party apps, will be removed from alerting in Microsoft Defender.
- New alert policies cannot include these activities, and existing policies will cease to generate alerts after the specified date.
- Organizations are encouraged to transition to Microsoft Purview DLP for detecting and alerting on these activities and to review current alert policies.
Admin Impact: High
User Impact: Low
Release Start: 16 Feb 2026
Release End: 23 Mar 2026
Services: Defender XDR, Purview
Category: Plan for change
Tags: User Adoption, Admin Action, Retirement
History
1/14/2026 Item Added to Message Center
Microsoft Message
Introduction
We’re retiring the ability to create alert policies and generate DLP alerts for sensitive data activities on endpoints in the Microsoft Defender portal. This change unifies endpoint data loss prevention (DLP) detection and alerting under Microsoft Purview DLP, giving organizations a more consistent experience and access to advanced enforcement and investigation capabilities in Microsoft Defender XDR.
When this will happen
- February 16, 2026: Sensitive data activity options will be removed from new alert policy creation in the Microsoft Defender portal.
- March 23, 2026: Existing alert policies using these activities will stop generating alerts.
How this affects your organization
Who is affected:
- Organizations that use alert policies in Microsoft Defender XDR to monitor sensitive data activities on endpoints.
- Admins who create or manage alert policies in the Microsoft Defender portal.
What will happen:
- The following endpoint-sensitive data activities will be retired and removed from alerting in the Microsoft Defender portal:
- Copying sensitive data to removable media, remote shares, or the clipboard
- Uploading sensitive files to third-party apps or services
- Accessing sensitive files with unallowed apps
- New alert policies cannot use these activities after February 16, 2026.
- Existing alert policies will stop generating alerts after March 23, 2026.
- These activities will not be re-enabled in the Defender portal after retirement.
- Organizations can continue to detect and alert on these activities using Microsoft Purview DLP, which supports:
- Alerting and incident creation
- User notifications through policy tips
- Activity blocking and restriction
- Unified investigation of DLP and security alerts in Microsoft Defender XDR
- Purview DLP alerts for these endpoint activities appear in the Defender XDR experience for triage and investigation.
What you can do to prepare
- Review existing Microsoft Defender alert policies to identify any that use the retiring activities.
- Re-create required alerting using Microsoft Purview DLP policies.
- Notify security operations and helpdesk teams about the retirement and the shift to Purview DLP.
- Update internal documentation that references these Defender alert policies.
- Review endpoint DLP configuration and policy guidance: Get started with endpoint data loss prevention | Microsoft Purview | Microsoft Learn.
- If none of your Defender alert policies rely on these activities, no action is required.
Compliance considerations
No compliance considerations identified. Review as appropriate for your organization.