Endpoint DLP-sensitive data alerting retiring in Defender; use Purview DLP

Microsoft is retiring endpoint-sensitive data alerting in the Microsoft Defender portal by March 23, 2026. Organizations must switch to Microsoft Purview DLP for alerting, enforcement, and investigation of sensitive data activities on endpoints. Existing Defender alert policies will stop generating alerts after this date.

[Introduction]

We’re retiring the ability to create alert policies and generate DLP alerts for sensitive data activities on endpoints in the Microsoft Defender portal. This change unifies endpoint data loss prevention (DLP) detection and alerting under Microsoft Purview DLP, giving organizations a more consistent experience and access to advanced enforcement and investigation capabilities in Microsoft Defender XDR.

[When this will happen]

• February 16, 2026: Sensitive data activity options will be removed from new alert policy creation in the Microsoft Defender portal.
• March 23, 2026: Existing alert policies using these activities will stop generating alerts.

[How this affects your organization]

Who is affected:

• Organizations that use alert policies in Microsoft Defender XDR to monitor sensitive data activities on endpoints.
• Admins who create or manage alert policies in the Microsoft Defender portal.

What will happen:

• The following endpoint-sensitive data activities will be retired and removed from alerting in the Microsoft Defender portal:
• Copying sensitive data to removable media, remote shares, or the clipboard
• Uploading sensitive files to third-party apps or services
• Accessing sensitive files with unallowed apps
• New alert policies cannot use these activities after February 16, 2026.
• Existing alert policies will stop generating alerts after March 23, 2026.
• These activities will not be re-enabled in the Defender portal after retirement.
• Organizations can continue to detect and alert on these activities using Microsoft Purview DLP, which supports:
• Alerting and incident creation
• User notifications through policy tips
• Activity blocking and restriction
• Unified investigation of DLP and security alerts in Microsoft Defender XDR
• Purview DLP alerts for these endpoint activities appear in the Defender XDR experience for triage and investigation.

[What you can do to prepare]

• Review existing Microsoft Defender alert policies to identify any that use the retiring activities.
• Re-create required alerting using Microsoft Purview DLP policies.
• Notify security operations and helpdesk teams about the retirement and the shift to Purview DLP.
• Update internal documentation that references these Defender alert policies.
• Review endpoint DLP configuration and policy guidance: Get started with endpoint data loss prevention | Microsoft Purview | Microsoft Learn.
• If none of your Defender alert policies rely on these activities, no action is required.

[Compliance considerations]

No compliance considerations identified. Review as appropriate for your organization.