Lock Down Power Automate Desktop Without Managed Environments

Power Automate Desktop (PAD) is quietly sitting on most corporate laptops today. If you’re running Windows 11, it’s already there. Installed. Available. Ready to be launched by any user with a few clicks.

That might sound convenient, but from a governance and security perspective, it also raises a red flag. PAD gives users the power to build desktop automations that can interact with local files, applications, scripts, or even launch external processes. That’s a lot of capability packed into a tool that many organizations haven’t fully accounted for in their Power Platform strategy.

The good news? You no longer need Managed Environments to control it.

Thanks to recent Data Loss Prevention (DLP) enhancements, you can now restrict, control, or completely block the use of PAD across any environment, including the default one. That is a big win for IT admins and platform owners looking to stay ahead of risks.

What Changed

Before this update, controlling PAD through DLP policies was only possible in Managed Environments. That meant additional licensing and configuration requirements just to ensure desktop automation wasn’t running wild.

Now, desktop flow triggers and actions are included in DLP policies and can be governed at the tenant level. That means you can:

  • Apply DLP rules even in the default environment
  • Block all or specific desktop flow connectors
  • Prevent creation or execution of desktop flows entirely
  • Secure PAD usage without enabling Managed Environments

You can now create an effective barrier against unregulated automation, without changing your environment structure or incurring extra licensing costs.

Why This Matters More Than Ever

Let’s face it: most organizations still have their default environment wide open. It’s where most citizen developers start exploring Power Automate. It’s also where many PAD flows are quietly being built without oversight.

Combine that with the fact that Power Automate Desktop is pre-installed on Windows 11 machines, and you have a perfect storm: a powerful automation tool, readily available, and largely unrestricted by default.

By extending DLP policies to cover desktop flows, Microsoft has given security and governance teams a way to take control of this hidden risk.

What You Can Do Now

Here’s how you can take advantage of this update:

  1. Review your current DLP policies
    Visit the Power Platform admin center and examine your existing policies. If PAD is not yet covered, now is the time to update them.
  2. Create a policy that essentially blocks PAD in the default environment
    You can allow PAD in specific environments (like your CoE or automation center), but block it everywhere else.
  3. Communicate with your users
    If people are actively using PAD for business-critical tasks, make sure they know where to go and how to get support before blocking it outright.
  4. Monitor PAD usage
    Use analytics, audit logs, or the Power Platform Center of Excellence Starter Kit to track where PAD is being used.

No More Excuses

This update is a clear signal. You now have the tools to take action — without needing to restructure your environments or invest in premium features.

If your organization cares about platform security, this is an easy win. Block what should not be used. Allow what is needed. Do it today, before a desktop flow turns into a data leakage nightmare.
