Decoupling Microsoft Purview Data Loss Prevention (DLP) Process form Microsoft Defender for Endpoint on Windows Devices

Originally posted by Microsoft May 22, 2024 Uncategorized 0 Comments

Starting June 2024, Microsoft Purview DLP will be separated from Microsoft Defender for Endpoint on Windows devices. This backend change will not affect the deployment process. Customers will see two distinct processes for DLP and Defender instead of one, improving stability and performance. No action is required for most customers.

Starting June 2024, we will be decoupling the Microsoft Purview Data Loss Prevention (DLP) process from the Microsoft Defender for Endpoint (MDE) process on Windows devices. It is important to note that this is purely a backend process decoupling effort and there will be NO changes to the current deployment process for Microsoft Purview DLP.

Currently, Microsoft Purview DLP capabilities for Windows endpoint devices are shipped as a part of Microsoft Defender for Endpoint updates so that customers do not have to install any additional agents to use the latest DLP features for Windows endpoints. To onboard your Windows machine see Get started with Endpoint data loss prevention | Microsoft Learn. Once a Windows machine is onboarded to Microsoft Purview DLP, customers can see an active process “MsMpEng.exe” running in the Task Manager. This process provides access to both Defender for Endpoint and DLP capabilities.

Going forward, as part of decoupling the processes, customers will see two distinct processes — “MpDlpService.exe” for Microsoft Purview DLP and “MsMpEng.exe” exclusively for Microsoft Defender for Endpoint — instead of a single process on their Windows device. This decoupling of the two processes is intended to improve the stability and performance of Microsoft Purview DLP on Windows 10 and 11, and our ability to more precisely troubleshoot and debug performance issues.

 When this will happen:

We will roll begin rolling out Microsoft Defender version 4.18.24060 in end-May 2024 and expect to complete by early-July 2024.

How this will affect your organization:

There are NO changes in how Microsoft DLP for endpoint updates is delivered to supported Windows 10 and 11 devices. Even after this change DLP updates for Windows endpoint devices will continue to be shipped as a part of Microsoft Defender for Endpoint updates. There is no impact on how Microsoft Purview DLP capabilities protect sensitive content on your endpoint devices.

Currently, you only see one process, “MsMpEng.exe” covering Microsoft Defender for Endpoint as well as Microsoft Purview DLP capabilities as shown below.

View image in new tab

After installing the 4.18.2406 build, you will see a new process called “MpDlpService.exe” in addition to the existing process “MsMpEng.exe.”

View image in new tab

 What you need to do to prepare:

In most cases, no action is required from customers. However, if you use a Firewall (Windows or 3rd party), non-Microsoft anti-malware, or application control solution and had to add the Microsoft Defender for Endpoint process to an allowlist to run, then an additional process (“MpDlpService.exe”) will need to be added to your allowlist. This will allow the Microsoft Purview DLP to run in the customer’s environment without issue.  

Message ID: MC793918

Comments are closed.

Joao Ferreira

I've been working with Microsoft Technologies over the last ten years, mainly focused on creating collaboration and productivity solutions that drive the adoption of Microsoft Modern Workplace.

%d bloggers like this: