Microsoft 365 Message Center Archive

MC1181277 - Endpoint Data Loss Prevention: Always-on diagnostics for Windows Endpoints (Phase 2)

Message ID

MC1181277

View in Message Center

Service

Microsoft 365 suite
Microsoft Purview

Published

Oct 29, 2025

Tag

New feature
Admin impact

Roadmap ID

499431

View in M365 Roadmap

Platforms

Desktop
Web

Summary

Microsoft is introducing Always-on diagnostics for Windows endpoints (Phase 2) in Endpoint Data Loss Prevention, enabling admins to retrieve and selectively upload diagnostic traces via the Purview portal without user disruption. Rollout starts October 2025 (preview) and February 2026 (general availability). No immediate action required.

More information

Introduction

To support faster, more seamless investigations, Microsoft is introducing Always-on diagnostics for Windows endpoints (Phase 2). This enhancement allows admins to retrieve diagnostic traces directly from Windows devices and selectively upload them to Microsoft via the Purview portal—without disrupting end users. This update is based on customer feedback to reduce friction during support escalations and improve troubleshooting efficiency.

This message is associated with Roadmap ID 499431.

When this will happen:

Public Preview (Worldwide): Rollout begins in late October 2025 and completes by late October 2025.
General Availability (Worldwide): Rollout begins in mid-February 2026 and completes by late February 2026.

[How this affects your organization:

  • Who is affected: Admins managing Endpoint Data Loss Prevention (DLP) on Windows endpoints via Microsoft Purview.
  • What will happen:
    • Admins can retrieve Always-on diagnostic traces from Windows endpoints.
    • Traces can be selectively uploaded to Microsoft through the Purview portal during investigations (e.g., support ticket submission).
    • No user interaction or disruption is required, and admins can reference the upload request number to Microsoft Support for investigations.
    • The feature enhances eDLP troubleshooting capabilities without impacting Information worker productivity.
    • This capability is integrated into the existing Endpoint DLP experience.

What you can do to prepare:

  • No immediate action is required to enable this feature.
  • Communicate this capability to your security and helpdesk teams to streamline future investigations.
  • Update internal documentation if you maintain support workflows involving Endpoint DLP.
  • Learn more: Always-on diagnostics for endpoint DLP | Microsoft Learn

Compliance considerations:

QuestionExplanation
Does the change store new customer data, if so, where, and is the data cached or permanently stored?Diagnostic traces will be uploaded to Microsoft during investigations. These are selectively uploaded by admins and stored in Microsoft systems for support purposes.
Does the change include an admin control and, can it be controlled through Entra ID group membership?Yes, there is an admin control. Access is role-based (Global, Compliance, Security Admin) and managed via Entra ID roles