Purview Endpoint DLP Policy Sync: AI-Powered Device Investigation and Coverage Insights
REPORT: The Issue and Its New Solution
Microsoft Purview’s Endpoint Data Loss Prevention (Endpoint DLP) has historically presented a visibility gap: admins could view policy assignments, but lacked deep insight into policy sync status, enforcement coverage, or device-level failures. This led to blind spots—devices with stale or missing policies, users bypassing enforcement, and admins left guessing why their DLP rollout wasn’t consistent across the estate.
As of September CY2026, a major feature has reached General Availability: AI-powered Policy Sync & Device Health Investigation for Endpoint DLP. This upgrade surfaces real-time device policy sync progress, highlights enforcement gaps, explains root causes (network, OS, user state, etc.), and offers tailored remediation guidance. Admins can now proactively identify impacted devices, track sync trends, and resolve issues before data loss risk escalates.
Find this feature in the Microsoft Purview compliance portal under Data loss prevention → Endpoint DLP → Policy sync health. Programmatic access is available via Microsoft.Graph’s new /security/dataLossPrevention/deviceSyncStatus endpoint, and in the latest Microsoft.Graph.Security PowerShell module.
WHAT’S NEW THIS CYCLE
- AI-powered Policy Sync & Device Health Investigation (GA, September 2026) — Real-time visibility into DLP policy deployment per device, including sync status, last sync time, enforcement state, and root cause analysis for failures (network, agent health, OS compatibility, user session).
- Device-level Remediation Recommendations — Automated suggestions for admins to diagnose and resolve sync issues, surfaced in both the Purview portal and via Graph API.
- Graph API Endpoint:
/security/dataLossPrevention/deviceSyncStatus— Query device sync status, filter by policy, device, or user, with pagination support. - PowerShell Support:
Get-MgSecurityDataLossPreventionDeviceSyncStatus— New cmdlet inMicrosoft.Graph.Securitymodule. - Admin Center Path: Microsoft Purview compliance portal → Data loss prevention → Endpoint DLP → Policy sync health.
THE UPGRADE: Productivity, Security, and Cost Benefits
- Productivity: Admins no longer chase sync issues blind—AI pinpoints affected devices, root causes, and remediation steps. This reduces troubleshooting time from days to minutes.
- Security: Coverage gaps are visible instantly. DLP is genuinely enforced where intended, not just on paper. Data exfiltration risks are proactively contained.
- Cost: Fewer manual audits, less risk of regulatory fines, and faster incident response mean measurable savings in both IT labor and compliance costs.
IMPACT: Who and What Is Affected
This change impacts any tenant deploying Endpoint DLP—especially large organizations with diverse device fleets (Windows 10/11, hybrid/external users, remote endpoints). Key risks addressed:
- Undetected Policy Drift: Devices not receiving new DLP policies or losing enforcement, exposing data to unauthorized access or exfiltration.
- Shadow Gaps: Devices offline, misconfigured, or lacking agent health previously went unnoticed. Now, admins see precise sync failures and can act before data loss.
- Regulatory Audit: Demonstrable coverage and enforcement—critical for GDPR, CCPA, HIPAA, and sector-specific compliance.
EDUCATE: Endpoint DLP Policy Sync and Device Health Concepts
Endpoint DLP operates by pushing policy packages to enrolled devices via Microsoft Defender for Endpoint and Entra ID device management. Sync occurs when the device is online, the DLP agent is healthy, and the user is active. Failures can stem from:
- Network issues (VPN, proxy, offline)
- OS incompatibility or outdated agent
- User session anomalies (local vs. cloud identities)
- Device misconfiguration (Intune compliance, Defender onboarding)
AI-powered investigation aggregates telemetry from the device, policy server, and user session, correlates failures, and generates actionable diagnostics. Policy sync health metrics are now surfaced both visually and via API for automation and integration.
DETECT: Auditing Device Policy Sync Status (PowerShell)
Use the Microsoft.Graph.Security module (minimum v1.23.0) for auditing. The following script lists all devices with sync failures for a specified DLP policy, paginates results, and includes error handling. It does not modify any data.
# Requires Microsoft.Graph.Security module
# Authenticate interactively
Connect-MgGraph -Scopes 'SecurityDataLossPrevention.Read.All'
# Parameters
$PolicyId = 'your-policy-id-here'
$PageSize = 50
$Page = 1
$FailedDevices = @()
try {
do {
$Response = Get-MgSecurityDataLossPreventionDeviceSyncStatus -PolicyId $PolicyId -Top $PageSize -Skip (($Page - 1) * $PageSize)
foreach ($Device in $Response.Value) {
if ($Device.SyncStatus -ne 'Success') {
$FailedDevices += [PSCustomObject]@{
DeviceName = $Device.DeviceName
UserPrincipalName = $Device.UserPrincipalName
SyncStatus = $Device.SyncStatus
LastSyncTime = $Device.LastSyncTime
RootCause = $Device.RootCause
Recommendation = $Device.Recommendation
}
}
}
$Page++
} while ($Response.'@odata.nextLink')
} catch {
Write-Warning "Failed to retrieve device sync status: $_"
}
# Output results
$FailedDevices | Format-Table -AutoSize
Notes: Results are paginated (default 50 per page). Replace $PolicyId with your policy GUID. This script is read-only and suitable for production auditing.
REMEDIATE SAFELY: Fixing Sync Issues Without Risk
Remediation must be based on reviewed output. Do not bulk modify devices from a live query. Instead, use the device-level recommendations output above to guide stepwise actions:
- For network failures: Instruct users to reconnect and retry policy sync.
- For agent health issues: Use Intune to push Defender agent updates (with
-WhatIfin all production scripts). - For compliance drift: Review device compliance policy in Entra ID and Intune; remediate individually.
Example: To push agent update (dry run only):
# Example: Intune device remediation - dry run
# Requires Microsoft.Graph.DeviceManagement
# (Replace $DeviceId with reviewed device ID)
$DeviceId = 'reviewed-device-id'
Invoke-MgDeviceManagementManagedDeviceRemoteAction -ManagedDeviceId $DeviceId -Action 'UpdateDefenderAgent' -WhatIf
Only after manual review should you remove -WhatIf for targeted remediation. Never auto-correct based on an unfiltered bulk query.
PORTAL EQUIVALENT
In the Microsoft Purview compliance portal, navigate to Data loss prevention → Endpoint DLP → Policy sync health. Here, you can view real-time device sync status, filter by policy or device, and access remediation guidance. The same diagnostics are available via the Graph API and PowerShell as described above.
WHAT’S COMING IN THE NEXT 90 DAYS
- Automated Remediation Workflows (Preview: Q1 CY2027): Scheduled for public preview, admins will be able to author remediation flows (via Power Automate) triggered by sync failure events from Purview DLP.
- Role-Based Access Controls for DLP Diagnostics: Enhanced RBAC in Purview (Q4 CY2026) to separate DLP policy management from device health diagnostics, supporting least privilege.
- Intune Integration for DLP Sync Health: Deeper device compliance overlays in Endpoint Manager (Intune), showing DLP sync state per device in the device inventory.
- Graph API Expansion: Additional endpoints for historical sync trends and alerting.
RECOMMENDATION: Actionable Takeaways
- Review Endpoint DLP policy sync health now; proactively remediate devices using AI-powered diagnostics.
- Integrate Graph-based audits into your regular compliance checks; automate alerting for coverage gaps.
- Prepare for upcoming automated remediation flows—plan for Power Automate integration to expedite response.
- Audit RBAC for Purview diagnostics; ensure device health data is accessible to the right admin roles.
Prioritize visibility: Policy sync health is now a first-class compliance metric. Don’t let silent device drift undermine your DLP enforcement.