Microsoft Security Community Blog

Always-On Diagnostics for Endpoint DLP

Sathya_Narayanan
Jul 23, 2025

The Era of "Can You Reproduce That?" is Finally Over

Introducing Always-on Diagnostics for Endpoint DLP, because your data security shouldn't feel like detective work.

If you've ever managed endpoint data security, you know this story by heart. A critical Endpoint Data Loss Prevention policy fails. You open a support ticket. The response? "Can you reproduce the issue on that endpoint?"

Three emails later, you're still collecting logs while your team loses precious time, and the underlying problem remains a mystery.

Today, that changes.

Why We Built This (And Why It Matters)

At Microsoft Purview Data Security, we've watched thousands of our customers struggle with the same fundamental problem: reactive troubleshooting in a proactive world.

You need answers when incidents happen, not when you can recreate them weeks later.
So, we asked ourselves: What if your endpoints were always ready to tell you exactly what went wrong, when it happened, and why? 

Always-on Diagnostics for Endpoint DLP is our answer, and it's now available in public preview for Windows Endpoints. 

How It Actually Works 

Once enabled, Always-on Diagnostics continuously captures comprehensive Endpoint DLP diagnostic data for up to 90 days, storing it locally in a highly compressed, tamper-proof, proprietary format. When something goes wrong, you already have the complete story.

Smart Data Capture

We don't just log everything and hope for the best. Our new sense tracer zeroes in on what truly matters: critical diagnostic details, failures, edge cases, and unexpected events that actually impact your DLP policies. Less noise, more signal. 

Privacy-First Design

All diagnostic data stays on your endpoints until you actively choose to share it. We've built privacy and security into the foundation, not as an afterthought. 

Zero-Friction Access

Phase 1 (Available Now):
When you need logs for troubleshooting, simply run our enhanced MDECA tool. No admin permissions required. No "please reproduce this while we're watching." Just comprehensive diagnostic data from the past 90 days, ready when you are. 

Phase 2 (Coming Soon):

Admins can retrieve diagnostic traces directly from endpoints and selectively upload them to Microsoft through the Purview Portal at the time of an investigation request, such as when submitting a support ticket, without disrupting end users or impacting their productivity. This eliminates the need for user coordination while maintaining seamless troubleshooting capabilities.

The Result

This eliminates the traditional back-and-forth of issue reproduction and log collection, dramatically reducing support ticket resolution time while keeping your users focused on their work. 

Security & Privacy-First Design

What this means for your day-to-day:

For Data Security Teams: 

  • Support tickets resolve faster 
  • No more back-and-forth log collection 
  • First-attempt diagnostics actually work for endpoints

Getting Started Takes Minutes, Not Hours

Prerequisites

You'll need a supported Windows version (supported versions: link) and an existing Microsoft Endpoint DLP license. That's it. 

Setup

  1. Navigate to Microsoft Purview → Settings → Data Loss Prevention → Always-on diagnostics
  2. Configure your storage preferences (we recommend 90 days, 1024 MB)
  3. Your existing policies immediately benefit from enhanced diagnostics

Figure 1: DLP Settings Page

When You Need Support 

  1. Download the preview version of the Microsoft Defender for Endpoint (MDE) Client Analyzer on the endpoint device.
  2. Extract the content of the downloaded MDEClientAnalyzer.zip file to any folder.
  3. Open a command prompt and navigate to the extracted folder.

Note: You don't need administrative privileges to retrieve diagnostic logs. If you run the tool without admin rights, you might see access warnings. You can safely ignore them.

  4. Type MDEClientAnalyzer.cmd -r -t -m 0.
  5. Accept the EULA agreement to continue.
  6. When prompted, provide a file name for the report used during log collection, specifying the full file path.
  7. Once the trace files are collected, a results summary (MDEClientAnalyzer.htm) is displayed. Review the following setting to verify that the always-on feature was enabled:

Setting                          Value
Sensetracer always-on enabled    Yes
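A small PowerShell check for step 7, added here as an example (it is not part of the original post or of the MDE Client Analyzer): it strips the HTML from MDEClientAnalyzer.htm and reads the value next to the "Sensetracer always-on enabled" label, which is useful when you verify several endpoints. The function name and the assumption that the label and its value sit adjacent in the report's text are mine; the report's exact markup is not documented on this page.

```powershell
# Added example, not code from the original post or the MDE Client Analyzer.
# Assumption: the results summary is HTML and, once tags are stripped, the
# row label is followed closely by its value ("Yes"/"No"). The exact markup
# is not documented here, so this is a best-effort text search.

function Get-AlwaysOnDiagnosticsStatus {
    [CmdletBinding()]
    param(
        # Path to the results summary produced by: MDEClientAnalyzer.cmd -r -t -m 0
        [Parameter(Mandatory)]
        [string]$ReportPath,

        # Row label exactly as shown in the results summary
        [string]$SettingLabel = 'Sensetracer always-on enabled'
    )

    if (-not (Test-Path -LiteralPath $ReportPath)) {
        throw "Report not found: $ReportPath. Run MDEClientAnalyzer.cmd -r -t -m 0 first."
    }

    # Flatten the HTML to plain text: drop tags, decode entities, collapse whitespace.
    $raw  = Get-Content -LiteralPath $ReportPath -Raw
    $text = [regex]::Replace($raw, '<[^>]+>', ' ')
    $text = [System.Net.WebUtility]::HtmlDecode($text)
    $text = [regex]::Replace($text, '\s+', ' ')

    # Capture the first word after the label (optionally separated by a colon).
    $pattern = [regex]::Escape($SettingLabel) + '\s*:?\s*(\w+)'
    $m = [regex]::Match($text, $pattern, 'IgnoreCase')

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Setting  = $SettingLabel
        Found    = $m.Success
        Value    = if ($m.Success) { $m.Groups[1].Value } else { $null }
        Enabled  = $m.Success -and ($m.Groups[1].Value -ieq 'Yes')
    }
}

# Usage: run from the folder where the analyzer wrote its summary.
$status = Get-AlwaysOnDiagnosticsStatus -ReportPath '.\MDEClientAnalyzer.htm'
$status | Format-List
if (-not $status.Enabled) {
    Write-Warning ('Always-on diagnostics is not reported as enabled on this endpoint. ' +
        'Check Purview > Settings > Data Loss Prevention > Always-on diagnostics ' +
        'and allow up to an hour for policy sync.')
}
```

If the label is present but the value is anything other than Yes, the warning fires; a missing label (Found = False) usually means the report was produced by an analyzer build that predates the preview.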

FAQ

Q1: What is the recommended storage limit for Always-On Diagnostics? 

The recommended storage limit is 1024 MB, which provides a balanced and optimized retention window for diagnostic logs without excessive resource or disk space consumption. 

Q2: What is the guard rail range for configuring storage? 

The supported guard rail range is 500 MB to 1500 MB.  
This means: 

  • Minimum: 500 MB, suitable for lightweight environments or constrained systems.
  • Maximum: 1500 MB, ideal for high-volume diagnostics or extended retention needs.

Q3: What happens when the configured storage limit is reached? 

  • Older logs are automatically deleted to make room for new ones, meaning the oldest logs are purged first. 
  • The system ensures that the most recent and relevant diagnostic data is retained for support and troubleshooting. 

Q4: How long does it take for Always-On Diagnostics to reflect on scoped devices?

  • Changes to Always-On Diagnostics configurations typically reflect on onboarded devices within 45 minutes to 1 hour, in alignment with the policy sync SLA.

The Road Ahead

This is just the beginning. Phase 1 brings comprehensive Windows endpoint diagnostics, eliminating the need to reproduce the issue when submitting an investigation request or raising a support ticket.

In the subsequent phase, admins will be able to initiate on-demand collection of Always-on diagnostic logs from onboarded endpoints without interrupting user operations. Release ID: 112851

We are also extending the Phase 1 functionality to macOS endpoints, coming soon.

We're not just building features: we're reimagining how enterprise data security should work. Release ID: 112852

Why This Matters Beyond Microsoft

Every data security team deserves tools that work with them, not against them. Tools that provide answers, not more questions. Tools that respect both your time and your users' productivity.

Always-on Diagnostics represents a fundamental shift from reactive troubleshooting to proactive intelligence. It's how we believe data security should work in 2025 and beyond.

Try It Today

Always-on Diagnostics is available in public preview for all Microsoft Endpoint DLP customers.  

No special access required, no waitlists - just better troubleshooting starting today. 
Ready to get started?

Check out our comprehensive documentation at Always-on diagnostics for endpoint DLP | Microsoft Learn. 

Questions? Our engineering team is actively monitoring feedback and ready to help you implement this new capability. 

Because your security team has better things to do than play detective.

Have feedback or questions about Always-on Diagnostics? We'd love to hear from you. Reach out to our team or share your thoughts in the Microsoft Tech Community. 

— Arun Kumar Thiagarajan, Senior Product Manager from The Microsoft Purview Team 
— John Lin, Principal Architect from The Microsoft Purview Team 

Updated Jul 27, 2025
Version 4.0