Data Security Posture Management for AI
A special thanks to Chris Jeffrey for his contributions as a peer reviewer to this blog post. Microsoft Purview Data Security Posture Management (DSPM) for AI provides a unified location to monitor how AI Applications (Microsoft Copilot, AI systems created in Azure AI Foundry, AI Agents, and AI applications using 3 rd party Large Language Models). This Blog Post aims to provide the reader with a holistic understanding of achieving Data Security and Governance using Purview Data Security and Governance for AI offering. Purview DSPM is not to be confused with Defender Cloud Security Posture Management (CSPM) which is covered in the Blog Post Demystifying Cloud Security Posture Management for AI. Benefits When an organization adopts Microsoft Purview Data Security Posture Management (DSPM), it unlocks a powerful suite of AI-focused security benefits that helps them have a more secure AI adoption journey. Unified Visibility into AI Activities & Agents DSPM centralizes visibility across both Microsoft Copilots and third-party AI tools—capturing prompt-level interactions, identifying AI agents in use, and detecting shadow AI deployments across the enterprise. One‑Click AI Security & Data Loss Prevention Policies Prebuilt policies simplify deployment with a single click, including: Automatic detection and blocking of sensitive data in AI prompts, Controls to prevent data leakage to third-party LLMs, and Endpoint-level DLP enforcement across browsers (Edge, Chrome, Firefox) for third-party AI site usage. Sensitive Data Risk Assessments & Risky Usage Alerts DSPM runs regular automated and on-demand scans of top-priority SharePoint/E3 sites, AI interactions, and agent behavior to identify high-risk data exposures. This helps in detecting oversharing of confidential content, highlight compliance gaps and misconfigurations, and provides actionable remediation guidance. Actionable Insights & Prioritized Remediation The DSPM for AI overview dashboard offers actionable insights, including: Real-time analytics, usage trends, and risk scoring for AI interactions, and Integration with Security Copilot to guide investigations and remediation during AI-driven incidents. Features and Coverage Data Security Posture Management for AI (DSPM-AI) helps you gain insights into AI usage within the organization, the starting point is activating the recommended preconfigured policies using single-click activations. The default behavior for DSPM-AI is to run weekly data risk assessments for the top 100 SharePoint sites (based on usage) and provide data security admins with relevant insights. Organizations get an overview of how data is being accessed and used by AI tools. Data Security administrators can use on-demand classifiers as well to ensure that all contents are properly classified or scan items that were not scanned to identify whether they contain any sensitive information or not. AI access to data in SharePoint site can be controlled by the Data Security administrator using DSPM-AI. The admin can specify restrictions based on data labels or can apply a blanket restriction to all data in a specific site. Organizations can further expand the risks assessments with their own custom data risk assessments, a feature that is currently in preview. Thanks to its recommendations section, DSPM-AI helps data security administrators achieve faster time to value. Below is a sample of the policy to “Capture interactions for enterprise AI apps” that can be created using recommendations. More details about the recommendations that a Data Security Administrator can expect can be found at the DSPM-AI Documentation, these recommendations might be different in the environment based on what is relevant to each organization. Following customers’ feedback, Microsoft have announced during Ignite 2025 (18-21 Nov 2025, San Francisco – California) the inclusion of these recommendations in the Data Security Posture Management (DSPM) recommendations section, this helps Data Security Administrators view all relevant data security recommendations in the same place whether they apply to human interactions, tools interactions, or AI interactions of the data. More details about the new Microsoft Purview Data Security Posture Management (DSPM) experience are published in the Purview Technical Blog site under the article Beyond Visibility: The new Microsoft Purview Data Security Posture Management (DSPM) experience. After creating/enabling the Data Security Policies, Data Security Administrators can view reports that show AI usage patterns in the organization, in these reports Data Security Administrators will have visibility into interaction activities. Including the ability to dig into details. In the same reports view, Data Security Administrators will also be able to view reports regarding AI interactions with data including sensitive interactions and unethical interactions. And similar to activities, the Data Security Administrator can dig into Data interactions. Under reports, Data Security Administrators will also have visibility regarding risky user interaction patterns with the ability to drill down into details. Adaption This section provides an overview of the requirements to enable Data Security Posture Management for AI in an organization’s tenant. License Requirements The license requirements for Data Security Posture Management for AI depends on what features the organization needs and what AI workloads they expect to cover. To cover Interaction, Prompts, and Response in DSPM for AI, the organization needs to have a Microsoft 365 E5 license, this will cover activities from: Microsoft 365 Copilot, Microsoft 365 Copilot Chat, Security Copilot, Copilot in Fabric for Power BI only, Custom Copilot Studio Agents, Entra-registered AI Applications, ChatGPT enterprise, Azure AI Services, Purview browser extension, Browser Data Security, and Network Data Security. Information regarding licensing in this article is provided for guidance purposes only and doesn’t provide any contractual commitment. This list and license requirements are subject to change without any prior notice and readers are encouraged to consult with their Account Executive to get up-to-date information regarding license requirements and coverage. User Access Rights requirements To be able to view, create, and edit in Data Security Posture Management for AI, the user should have a role or role group: Microsoft Entra Compliance Administrator role Microsoft Entra Global Administrator role Microsoft Purview Compliance Administrator role group To have a view-only access to Data Security Posture Management for AI, the user should have a role or role group: Microsoft Purview Security Reader role group Purview Data Security AI Viewer role AI Administrator role from Entra Purview Data Security AI Content Viewer role for AI interactions only Purview Data Security Content Explorer Content Viewer role for AI interactions and file details for data risk assessments only For more details, including permissions needed per activity, please refer to the Permissions for Data Security Posture Management for AI documentation page. Technical Requirements To start using Data Security Posture Management for AI, a set of technical requirements need to be met to achieve the desired visibility, these include: Activating Microsoft Purview Audit: Microsoft Purview Audit is an integrated solution that help organizations effectively respond to security events, forensic investigations, internal investigations, and compliance obligations. Enterprise version of Microsoft Purview data governance: Needed to support the required APIs to cover Copilot in Fabric and Security Copilot. Installing Microsoft Purview browser extension: The Microsoft Purview Compliance Extension for Edge, Chrome, and Firefox collects signals that help you detect sharing sensitive data with AI websites and risky user activity activities on AI websites. Onboard devices to Microsoft Purview: Onboarding user devices to Microsoft Purview allows activity monitoring and enforcement of data protection policies when users are interacting with AI apps. Entra-registered AI Applications: Should be integrated with the Microsoft Purview SDK. More details regarding consideration for deploying Data Security Posture Management for AI can be found in the Data Security Posture Management for AI considerations documentation page. Conclusion Data Security Posture Management for AI helps Data Security Administrators gain more visibility regarding how AI Applications (Systems, Agents, Copilot, etc.) are interacting with their data. Based on the license entitlements an organization has under its agreement with Microsoft, the organization might already have access to these capabilities and can immediately start leveraging them to reduce the potential impact of any data-associated risks originating from its AI systems.Central Forms repository
Hi, I want to create forms to be used company wide. We have locked Forms licensing down so that all staff cannot create forms, we want all data to be stored centrally and this way we know where all data is. If I create a Form, it creates it under my account. I if leave the organisation, this may be lost. What is the best way to create corporately used forms centrally?, i.e. not under an individual user account Thank you for your time, OllieMigrate to Win 11 before or after changing HDD?
Good morning Windows 10 offers me to upgrade to Windows 11, but I want to change my hard drive to upgrade to an SSD. Regarding the license, in what order should I take it? Another question, is the migration done via an update, or do you have to download an ISO?
Windows 11 - Windows Update - Automatic restart after update
Hello We migrated our systems to Windows 11 24H2 from Windows 10. We encountered a problem with Windows 11 24H2 automatically restarting after installing an update. A message appears that the system will restart in 15 minutes. The user can click a different time. After a few minutes, the message that the system will restart appears again. How do I disable automatic restarting after installing the update? We have set the active hours for the system and the "No auto-restart with logged on users for scheduled automatic updates installations" option. When we had Windows 10, the system would not restart. After installing the December update for Windows 11, the system forced a restart. The problem occurs on all computers. How do I disable automatic restart? Update via Wsus. Windows Update configured via GPO
No 'go back' option on security update from 4 days ago
I'm trying to roll back security update KB5074109, which has made it impossible for me to use InDesign, which is the main programme I use for my job. It's a known issue - all my files are backed up on Dropbox/OneDrive and the update has changed how file locking / write permissions work (InDesign can still open files (read access), but failed when saving (write/overwrite), which triggers Error Code 2) - and I can't afford to be unable to work until Windows gets around to fixing it. Only issue - the update was installed on the 16th and it's now the 20th. Only 4 days ago but there's no 'go back' option in settings to uninstall the update - it's not even greyed out, just completely not there. Please help, thanks!I have Administrator rights but can't turn on location services...HELP! ;-)
My account shows that I have administrator rights, but Location Services is greyed out. How can I get that working? I'm not tech-savvy, so I'm not very good at searching, or at least finding the right words for the question. Thanks!Security Baseline for M365 Apps for enterprise v2512
Security baseline for Microsoft 365 Apps for enterprise (v2512, December 2025) Microsoft is pleased to announce the latest Security Baseline for Microsoft 365 Apps for enterprise, version 2512, is now available as part of the Microsoft Security Compliance Toolkit. This release builds on previous baselines and introduces updated, security‑hardened recommendations aligned with modern threat landscapes and the latest Office administrative templates. As with prior releases, this baseline is intended to help enterprise administrators quickly deploy Microsoft recommended security configurations, reduce configuration drift, and ensure consistent protection across user environments. Download the updated baseline today from the Microsoft Security Compliance Toolkit, test the recommended configurations, and implement as appropriate. This release introduces and updates several security focused policies designed to strengthen protections in Microsoft Excel, PowerPoint, and core Microsoft 365 Apps components. These changes reflect evolving attacker techniques, partner feedback, and Microsoft’s secure by design engineering standards. The recommended settings in this security baseline correspond with the administrative templates released in version 5516. Below are the updated settings included in this baseline: Excel: File Block Includes External Link Files Policy Path: User Configuration\Administrative Templates\Microsoft Excel 2016\Excel Options\Security\Trust Center\File Block Settings\File Block includes external link files The baseline will ensure that external links to workbooks blocked by File Block will no longer refresh. Attempts to create or update links to blocked files return an error. This prevents data ingestion from untrusted or potentially malicious sources. Block Insecure Protocols Across Microsoft 365 Apps Policy Path: User Configuration\Administrative Templates\Microsoft Office 2016\Security Settings\Block Insecure Protocols The baseline will block all non‑HTTPS protocols when opening documents, eliminating downgrade paths and unsafe connections. This aligns with Microsoft’s broader effort to enforce TLS‑secure communication across productivity and cloud services. Block OLE Graph Functionality Policy Path: User Configuration\Administrative Templates\Microsoft Office 2016\Security Settings\Block OLE Graph This setting will prevent MSGraph.Application and MSGraph.Chart (classic OLE Graph components) from executing. Microsoft 365 Apps will instead render a static image, mitigating a historically risky automation interface. Block OrgChart Add‑in Policy Path: User Configuration\Administrative Templates\Microsoft Office 2016\Security Settings\Block OrgChart The legacy OrgChart add‑in is disabled, preventing execution and replacing output with an image. This reduces exposure to outdated automation frameworks while maintaining visual fidelity. Restrict FPRPC Fallback in Microsoft 365 Apps Policy Path: User Configuration\Administrative Templates\Microsoft Office 2016\Security Settings\Restrict Apps from FPRPC Fallback The baseline disables the ability for Microsoft 365 Apps to fall back to FrontPage Server Extensions RPC which is an aging protocol not designed for modern security requirements. Avoiding fallback ensures consistent use of modern, authenticated file‑access methods. PowerPoint: OLE Active Content Controls Updated Policy Path: User Configuration\Administrative Templates\Microsoft PowerPoint 2016\PowerPoint Options\Security\OLE Active Content This baseline enforces disabling interactive OLE actions, no OLE content will be activate. The recommended baseline selection ensures secure‑by‑default OLE activation, reducing risk from embedded legacy objects. Deployment options for the baseline IT Admins can apply baseline settings in different ways. Depending on the method(s) chosen, different registry keys will be written, and they will be observed in order of precedence: Office cloud policies will override ADMX/Group Policies which will override end user settings in the Trust Center. Cloud policies may be deployed with the Office cloud policy service for policies in HKCU. Cloud policies apply to a user on any device accessing files in Office apps with their AAD account. In Office cloud policy service, you can create a filter for the Area column to display the current Security Baselines, and within each policy's context pane the recommended baseline setting is set by default. Learn more about Office cloud policy service. ADMX policies may be deployed with Microsoft Intune for both HKCU and HKLM policies. These settings are written to the same place as Group Policy, but managed from the cloud. There are two methods to create and deploy policy configurations: Administrative templates or the settings catalog. Group Policy may be deployed with on premise AD DS to deploy Group Policy Objects (GPO) to users and computers. The downloadable baseline package includes importable GPOs, a script to apply the GPOs to local policy, a script to import the GPOs into Active Directory Group Policy, updated custom administrative template (SecGuide.ADMX/L) file, all the recommended settings in spreadsheet form and a Policy Analyzer rules file. GPOs included in the baseline Most organizations can implement the baseline’s recommended settings without any problems. However, there are a few settings that will cause operational issues for some organizations. We've broken out related groups of such settings into their own GPOs to make it easier for organizations to add or remove these restrictions as a set. The local-policy script (Baseline-LocalInstall.ps1) offers command-line options to control whether these GPOs are installed. "MSFT Microsoft 365 Apps v2512" GPO set includes “Computer” and “User” GPOs that represent the “core” settings that should be trouble free, and each of these potentially challenging GPOs: “DDE Block - User” is a User Configuration GPO that blocks using DDE to search for existing DDE server processes or to start new ones. “Legacy File Block - User” is a User Configuration GPO that prevents Office applications from opening or saving legacy file formats. "Legacy JScript Block - Computer" disables the legacy JScript execution for websites in the Internet Zone and Restricted Sites Zone. “Require Macro Signing - User” is a User Configuration GPO that disables unsigned macros in each of the Office applications. If you have questions or issues, please let us know via the Security Baseline Community or this post. Related: Learn about Microsoft Baseline Security Mode
help with windir and system32 in quality enviroment
about a month ago i reinstalled windows 11 ( home) and so far not got older updates as i try to reset the windows updater i discover in one step ( after the rename of softwaredistribution and catroot steps) has windir and system 32 shown below cd /d %windir%\system32 than has abunch of regsvr32 dll to register anyway a error shows in red ( command prompt) saying cant be located or found in summary) so find how to fix it and no problems until after its fixed! when i apply this fix ( all profiles tab in box and add) the command prompt ( cmd) is gone cant open nor is windows key and x to bring up that list ( task manager commpand prompt, device manager etc...) and defrag is not able to run either to open the cmd ( command prompt ) i have to use windows key and r for box and than gives message im not administrator or words to that affect find fix for that but rather strange anyway ( not the other missing things) how do i go and fix this issue ? note i had to delete the fix above to get normal working functions again i cant find anything that mentions this or a fix i dont understand how a "fix " can affect or disable things this is link to show the step i mentioned i.e step 5 https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/additional-resources-for-windows-update
Secure Boot Certificate Updates via InTune Policy
We are currently having issues applying the settings required to install secure boot cert updates using the InTune policy method. A brief overview to quickly explain : We are a reasonably large company managing a mix of over 10,000 Windows and iOS devices. Our Windows devices come from the supplier with the Professional edition of Windows pre-installed, this is then changed via an Enterprise key as part of our Autopilot enrolment process and activated via our users subscription license. To all sense and purposes Windows looks and feels like the Enterprise edition, indeed if you check using winver, system settings and activation status for example then Windows tells us that it is the Enterprise edition. However, if you check the licensing using slmgr /dli it shows that the licensing has been reverted back to the OEM Professional edition as pre-installed by the supplier on purchase. This may have always been the case but until very recently has gone unnoticed. Whilst testing the rollout of an InTune policy to allow secure boot cert updates as detailed here : Microsoft Intune method of Secure Boot for Windows devices with IT-managed updates - Microsoft Support , this is failing because the policy is rejected by licensing error : MDM PolicyManager: Policy is rejected by licensing, Policy: (ConfigureMicrosoftUpdateManagedOptIn), Area: (SecureBoot), Result:(0x82B00006) Unknown Win32 Error code: 0x82b00006 InTune reporting directly on the policy shows this as error 65000 We are able to change the key by using slmgr and a combination of MAK\KMS\OEM but whatever keys are applied this always reverts to being the OEM Professional key after the device has been restarted. I have seen that there is a group policy method for setting the required settings for the secure boot cert updates to work, this however seems a very backward approach by Microsoft in an area where they are trying to promote a cloud-first policy. Indeed since we rolled out Windows 11, we as an organisation have been moving anything that we can to cloud in readiness for retirement of our on-prem estate. Microsoft's response to my recent support request was that this is expected behaviour, which to all sense and purposes is not what i would class as a solution. Has anyone else had the same issues when using the InTune policy method, and was a solution found or did you have to return to the dark ages and resort to group policy? There seem to be lots of posts online referring to access to specific registry keys being blocked going as far back as 2024, the suggested script to resolve these permissions and suggested KB articles have not resolved the issue.
