← Back
Endpoint Data Loss Prevention: Always-on diagnostics for Windows Endpoints (Phase 2)
MC1181277 · build prod-20251231-200323
Category
stayInformed
Severity
normal
Major change
False
Last modified
2025-10-29 06:55:09
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
Action by (AI)
Services
Microsoft 365 suite, Microsoft Purview
Tags
New feature, Admin impact
Master tags
Admin, Security
Roadmap IDs
499431

One-line summary

Always-on diagnostics for Windows endpoints lets admins retrieve and upload diagnostic traces via Purview for faster DLP investigations, with no user disruption. Public preview starts October 2025.

Similar updates

More like this
MC1182008 Microsoft Purview: Inline protection for sensitive data shared over the network with non-Microsoft SASE integrations
Microsoft Purview: Inline protection for sensitive data shared over the network with non-Microsoft SASE integrations Purview DLP integrates with iboss and Netskope SASE platforms to inspect and protect inline web traffic, extending DLP to unmanaged cloud apps and generative AI, starting mid-November 2025. Microsoft Purview Data Loss Prevention.
MC1181769 Microsoft Purview: Integration with Entra GSA Internet Access to enable sensitive file filtering at the network layer
Microsoft Purview: Integration with Entra GSA Internet Access to enable sensitive file filtering at the network layer Public preview of Purview DLP integration with Entra Global Secure Access enables network-layer inspection and enforc... [Introduction] To help organizations better protect sensitive files in transit, we're introducing a public.
MC1182689 (Updated) Microsoft Purview | New Copilot Security Controls in Microsoft Admin Center
(Updated) Microsoft Purview | New Copilot Security Controls in Microsoft Admin Center Microsoft Purview adds new DLP and security features in Admin Center to help admins monitor and control Copilot data sharing, with public preview starting mid-November 2025. Updated November 12, 2025: We have updated the content. [Introduction] To help.
MC1199763 Microsoft Purview | Data Security Investigations – Introducing new purge mitigation action
Microsoft Purview | Data Security Investigations – Introducing new purge mitigation action Microsoft Purview Data Security Investigations adds a purge action for admins to quickly delete sensitive or overshared content during investigations, available by default and respecting existing policies. [Introduction] We’re introducing a new purge.
MC1047912 (Updated) Microsoft Purview: New Purview Data Security Investigations (DSI) solution
(Updated) Microsoft Purview: New Purview Data Security Investigations (DSI) solution Microsoft Purview Data Security Investigations (DSI), an AI-powered tool for deep data security analysis and incident response, will reach general availability starting October 2025. Microsoft Purview Data Security Investigations (DSI) is a new AI-powered.
MC1191257 (Updated) New Microsoft Purview data security posture management experience
(Updated) New Microsoft Purview data security posture management experience Purview DSPM evolves with unified AI-driven data security, enhanced reporting, intelligent Copilot agents, and 3rd-party integrations; classic experiences and policies remain unchanged. [Introduction] Microsoft is introducing a major evolution of Purview Data Security.

Details

RoadmapIds
499431
Summary
Microsoft is introducing Always-on diagnostics for Windows endpoints (Phase 2) in Endpoint Data Loss Prevention, enabling admins to retrieve and selectively upload diagnostic traces via the Purview portal without user disruption. Rollout starts October 2025 (preview) and February 2026 (general availability). No immediate action required.
Platforms
Desktop, Web

Body (from Message Center)

[Introduction]

To support faster, more seamless investigations, Microsoft is introducing Always-on diagnostics for Windows endpoints (Phase 2). This enhancement allows admins to retrieve diagnostic traces directly from Windows devices and selectively upload them to Microsoft via the Purview portal—without disrupting end users. This update is based on customer feedback to reduce friction during support escalations and improve troubleshooting efficiency.

This message is associated with Roadmap ID 499431.

[When this will happen:]

Public Preview (Worldwide): Rollout begins in late October 2025 and completes by late October 2025.
General Availability (Worldwide): Rollout begins in mid-February 2026 and completes by late February 2026.

[How this affects your organization:

  • Who is affected: Admins managing Endpoint Data Loss Prevention (DLP) on Windows endpoints via Microsoft Purview.
  • What will happen:
    • Admins can retrieve Always-on diagnostic traces from Windows endpoints.
    • Traces can be selectively uploaded to Microsoft through the Purview portal during investigations (e.g., support ticket submission).
    • No user interaction or disruption is required, and admins can reference the upload request number to Microsoft Support for investigations.
    • The feature enhances eDLP troubleshooting capabilities without impacting Information worker productivity.
    • This capability is integrated into the existing Endpoint DLP experience.

[What you can do to prepare:]

  • No immediate action is required to enable this feature.
  • Communicate this capability to your security and helpdesk teams to streamline future investigations.
  • Update internal documentation if you maintain support workflows involving Endpoint DLP.
  • Learn more: Always-on diagnostics for endpoint DLP | Microsoft Learn

[Compliance considerations:]

QuestionExplanation
Does the change store new customer data, if so, where, and is the data cached or permanently stored?Diagnostic traces will be uploaded to Microsoft during investigations. These are selectively uploaded by admins and stored in Microsoft systems for support purposes.
Does the change include an admin control and, can it be controlled through Entra ID group membership?Yes, there is an admin control. Access is role-based (Global, Compliance, Security Admin) and managed via Entra ID roles

Raw JSON (for debugging)

Expand/collapse the full payload below.
Show/hide raw 
{
  "snapshot_item": {
    "action_required_by": null,
    "ai_action_required_by": null,
    "ai_actions": [
      "Inform security and helpdesk teams",
      "Update internal DLP support documentation"
    ],
    "ai_master_tags": [
      "Admin",
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "Always-on diagnostics for Windows endpoints lets admins retrieve and upload diagnostic traces via Purview for faster DLP investigations, with no user disruption. Public preview starts October 2025.",
    "ai_topics": [
      "Microsoft 365",
      "Purview",
      "Windows",
      "Entra"
    ],
    "category": "stayInformed",
    "details_map": {
      "Platforms": "Desktop, Web",
      "RoadmapIds": "499431",
      "Summary": "Microsoft is introducing Always-on diagnostics for Windows endpoints (Phase 2) in Endpoint Data Loss Prevention, enabling admins to retrieve and selectively upload diagnostic traces via the Purview portal without user disruption. Rollout starts October 2025 (preview) and February 2026 (general availability). No immediate action required."
    },
    "id": "MC1181277",
    "importance": 1,
    "is_major_change": false,
    "last_modified": "2025-10-29T06:55:09Z",
    "ms_products": [
      "Microsoft 365",
      "Purview"
    ],
    "platforms": "Desktop, Web",
    "roadmap_ids": [
      "499431"
    ],
    "services": [
      "Microsoft 365 suite",
      "Microsoft Purview"
    ],
    "severity": "normal",
    "tags": [
      "New feature",
      "Admin impact"
    ],
    "title": "Endpoint Data Loss Prevention: Always-on diagnostics for Windows Endpoints (Phase 2)"
  }
}