Microsoft is closing a long-standing blind spot in its data loss prevention for Windows endpoints. According to a new entry on the Microsoft 365 Roadmap (ID 562992), Microsoft Purview Endpoint DLP will begin detecting and protecting sensitive files located in commonly excluded Windows folders—specifically Temp and AppData—starting with its September 2026 rollout. The change marks a significant shift in policy architecture: folders once deliberately ignored to avoid performance hits and alert noise will no longer serve as safe harbors for confidential data.
What’s Actually Changing
Currently, Endpoint DLP allows administrators to exclude file paths from monitoring, alerting, and enforcement. These exclusions are often deliberately broad, covering locations like C:\Users\*\AppData and C:\Windows\Temp because they are high-churn directories filled with browser caches, installer temp files, log data, and application staging areas. Microsoft’s own documentation states plainly that files in excluded locations are not audited, and newly created or modified files there are not subject to DLP enforcement.
The Roadmap item, still marked “in development” as of July 7, 2026, promises a new capability: “detect and protect sensitive files stored in commonly excluded Windows folders.” In plain terms, the default behavior for these system folders is set to change. Endpoint DLP will no longer automatically ignore them. Instead, it will examine the sensitivity of files that land in Temp and AppData and apply policy actions—such as audit, warn, or block—when those files attempt to leave the endpoint via monitored channels like USB, network shares, browsers, or clipboard.
Crucially, Microsoft has not yet described how this will interact with existing custom exclusions. The roadmap wording suggests the change targets “commonly excluded” folders—likely meaning the default exclusions that many organizations never modified. Custom exclusions created by admins for specific applications may remain intact, but that detail remains unconfirmed.
Why Temp and AppData Are Not Just Background Noise
The phrase “commonly excluded Windows folders” undersells the scale of the issue. AppData is the backstage of the modern Windows desktop. It holds application settings, session state, cached email attachments, browser download temporary storage, and collaboration client sync data. Temp directories are the loading docks where apps stage files during operations: extracting compressed archives, rendering print jobs, converting documents, uploading through web forms. In a browser-first work environment, a file’s journey often passes through one or both of these locations without the user ever consciously saving it there.
Consider common workflows: opening an email attachment may unpack it to a Temp folder before rendering. Dragging a file from a zip archive to a USB drive first extracts it to Temp. Uploading a document to a cloud service via a browser copies it to the browser’s cache. If Endpoint DLP only watches Documents, Desktop, OneDrive, and known business paths, it is modeling a cleaner operating system than the one users actually touch. That gap has real consequences. Sensitive data moving through these transient locations can leave the endpoint without ever triggering a policy tip, block, or audit event—because the folder was excluded.
There’s also an attacker’s-eye view. Any path that defenders consciously ignore becomes attractive. Security teams learned this lesson with antivirus exclusions and backup staging paths. DLP exclusions are not malware exclusions, but the operational pattern is similar: if sensitive content can be staged, transformed, or uploaded from a location the policy engine does not inspect, coverage is only as strong as the workflow paths administrators remembered to include.
What This Means for You
For IT Administrators
The most immediate impact will be the need to test—and test thoroughly. Temp and AppData are noisy. They contain files that are created, modified, read, deleted, and recreated at high frequency by browsers, updaters, collaboration tools, Office apps, database clients, and third-party agents. Turning on protection without tuning could flood the security operations queue with low-value alerts from cache fragments or legitimate temporary copies. Endpoint performance may also suffer if the DLP agent suddenly begins scanning every file operation in those directories.
Microsoft will almost certainly provide new granular controls—perhaps separate toggles for default exclusions, audit-only modes, or file-type filters—but admins should plan to run pre-production tests, review existing sensitive information types, and possibly adjust policies to avoid false positives from benign application temp files. The single most important unanswered question is how the feature distinguishes between the default exclusions it intends to override and the deliberate custom exclusions an organization may have created for line‑of‑business software. Admins must insist on clear documentation of that interaction.
For Security Teams
This is a net win for visibility. Incident responders often find that sensitive data moved through Temp or AppData during exfiltration attempts, but DLP logs showed nothing because the path was excluded. With scanning enabled, activity explorer will surface those events, providing richer data for investigations. However, more signals also mean more correlation work. Teams should update playbooks to triage DLP incidents originating from these paths and distinguish between routine application behavior and genuine data movement.
For End Users
Ideally, nothing changes. If a policy is well tuned, a user extracting a sensitive report from an archive to a USB drive might see a policy tip—something they would not have seen before. But if policies are too strict, ordinary actions like saving an email attachment or exporting a report from an HR system could suddenly trigger blocks. Organizations will need to balance protection with usability, and communication from IT will be key.
How We Got Here
The roots of this update lie in the messy reality of endpoint computing. Endpoint DLP has always occupied a difficult place in the security stack. Unlike scanning a neatly governed SharePoint library or Exchange mailbox, endpoint DLP must understand data movement on busy, unpredictable devices. Exclusions were a practical compromise: exclude the noisiest folders to preserve performance and sanity, accept that they become blind spots, and hope that sensitive data mostly lives in managed locations.
Over time, that tradeoff grew more costly. The rise of browser‑based work, cloud‑native collaboration tools, and shadow SaaS meant that data routinely transited through Temp and AppData. Investigations into data leaks revealed that sensitive files often passed through excluded folders without a trace. Meanwhile, the broader enterprise conversation shifted toward data‑centric security. The arrival of AI tools like Microsoft 365 Copilot intensified the focus: organizations began asking harder questions about where their sensitive data actually lived, not just where the compliance team preferred it to live.
Microsoft has been incrementally hardening Endpoint DLP for years. It added network share coverage, browser and domain restrictions, evidence collection, and controls for unsupported file types. Each addition pushed the product toward the “moment of use” rather than the “place of storage.” Extending protection into commonly excluded folders is the next logical step—closing one of the last obvious gaps between Windows’ actual behavior and DLP’s enforcement model.
What to Do Now: Preparing for September 2026
Even though the GA date is over a year away, preparation should start now.
1. Audit your existing Endpoint DLP exclusions. Identify every file path exclusion currently in place. Are they default Windows paths or custom paths created for specific software? Document them and note which ones might be affected by the change.
2. Survey your Temp and AppData activity. Use available tools—Microsoft Defender for Endpoint advanced hunting, Process Monitor, or even a pilot DLP policy in audit mode targeting small user groups—to understand what types of files are being created in these folders by your core applications. This will help estimate the noise level you can expect.
3. Tighten sensitive information types and labels. If your DLP policies rely on overly broad SITs or labels are inconsistently applied, scanning Temp and AppData will generate many false positives. Use the lead time to improve your classification hygiene.
4. Plan a phased rollout. When the feature reaches public preview (likely months before GA), enable it in audit mode first. Use activity explorer to gauge impact, then gradually move to warn and block for the most critical data types.
5. Prepare your help desk. Be ready for user calls about actions they previously performed without friction. Have clear internal communication explaining the change and why it matters.
6. Monitor Microsoft’s communication channels. Watch the Microsoft 365 admin center, Message Center posts, the Purview documentation hub, and the Security blog for specifics on how the feature interacts with existing exclusions, performance considerations, and deployment best practices.
Looking Ahead
This update is more than a folder expansion. It signals Microsoft’s intent to make Endpoint DLP truly activity‑based rather than location‑dependent. In a world where a file’s path is often temporary and invisible to the user, protection must follow the data, not the directory. If executed well, this change will significantly reduce leaks through overlooked channels and make endpoint data protection more credible in compliance audits. If executed poorly—with excessive false positives or unexpected performance hits—it could undermine trust in the product.
The September 2026 timetable gives organizations a generous window for preparation. The real measure of success will be whether Microsoft delivers clear documentation, predictable controls, and a transparent interaction model with existing exclusions. For Windows administrators, security teams, and compliance officers alike, the countdown to a more complete DLP begins now.