Endpoint Data Loss Prevention: Always-on diagnostics for Windows Endpoints (Phase 2)

Microsoft is introducing Always-on diagnostics for Windows endpoints (Phase 2) in Endpoint Data Loss Prevention, enabling admins to retrieve and selectively upload diagnostic traces via the Purview portal without user disruption. Rollout starts October 2025 (preview) and February 2026 (general availability). No immediate action required.

To support faster, more seamless investigations, Microsoft is introducing Always-on diagnostics for Windows endpoints (Phase 2). This enhancement allows admins to retrieve diagnostic traces directly from Windows devices and selectively upload them to Microsoft via the Purview portal—without disrupting end users. This update is based on customer feedback to reduce friction during support escalations and improve troubleshooting efficiency.

This message is associated with Roadmap ID 499431.

When this will happen:

Public Preview (Worldwide): Rollout begins in late October 2025 and completes by late October 2025.

General Availability (Worldwide): Rollout begins in mid-February 2026 and completes by late February 2026.

How this affects your organization:

  • Who is affected: Admins managing Endpoint Data Loss Prevention (DLP) on Windows endpoints via Microsoft Purview.
  • What will happen:
    • Admins can retrieve Always-on diagnostic traces from Windows endpoints.
    • Traces can be selectively uploaded to Microsoft through the Purview portal during investigations (e.g., support ticket submission).
    • No user interaction or disruption is required, and admins can give the upload request number to Microsoft Support as a reference for investigations.
    • The feature enhances Endpoint DLP troubleshooting capabilities without impacting information worker productivity.
    • This capability is integrated into the existing Endpoint DLP experience.

What you can do to prepare:

  • No immediate action is required to enable this feature.
  • Communicate this capability to your security and helpdesk teams to streamline future investigations.
  • Update internal documentation if you maintain support workflows involving Endpoint DLP.
  • Learn more: Always-on diagnostics for endpoint DLP | Microsoft Learn

Compliance considerations:

  • Question: Does the change store new customer data? If so, where, and is the data cached or permanently stored?
    Explanation: Diagnostic traces will be uploaded to Microsoft during investigations. These are selectively uploaded by admins and stored in Microsoft systems for support purposes.
  • Question: Does the change include an admin control, and can it be controlled through Entra ID group membership?
    Explanation: Yes, there is an admin control. Access is role-based (Global, Compliance, Security Admin) and managed via Entra ID roles.

Message ID: MC1181277

