Microsoft Security Community Blog
Always‑on Diagnostics for Purview Endpoint DLP: Effortless, Zero‑Friction troubleshooting for admins

Arun_Kumar_Thiagarajan
Jan 07, 2026

Historically, some security teams have struggled to troubleshoot issues with endpoint DLP. Investigations often slow down because reproducing issues, collecting traces, and aligning on context can be tedious. With always-on diagnostics in Purview endpoint data loss prevention (DLP), our goal has been simple: make troubleshooting seamless and effortless, without ever disrupting the information worker.

Today, we’re excited to share new enhancements to always-on diagnostics for Purview endpoint DLP. This is the next step in our journey to modernize supportability in Microsoft Purview and dramatically reduce admin friction during investigations.

Where We Started: Introduction of continuous diagnostic collection

Earlier this year, we introduced continuous diagnostic trace collection on Windows endpoints (support for macOS endpoints coming soon). This eliminated the single largest source of friction: the need to reproduce issues.

With this capability:

  • Logs are captured persistently for up to 90 days
  • Information workers no longer need admin permissions to retrieve traces
  • Admins can submit complete logs on the first attempt
  • Support teams can diagnose transient or rare issues with high accuracy

In just a few months, we saw resolution times drop dramatically. The message was clear: Always-on diagnostics is becoming a new troubleshooting standard.

Our Newest Enhancements: Built for Admins. Designed for Zero Friction.

The newest enhancements to always-on diagnostics unlock the most requested capability from our IT and security administrators: the ability to retrieve and upload always-on diagnostic traces directly from devices using the Purview portal, with no user interaction required.

This means:

  • Admins can now initiate trace uploads on demand
  • No interruption to information workers and their productivity
  • No issue reproduction sessions, minimizing unnecessary disruption and coordination
  • Every investigation starts with complete context

Because the traces are already captured on-device, these improvements now help complete the loop by giving admins a seamless, portal-integrated workflow to deliver logs to Microsoft when needed.

This experience is now fully available for customers using endpoint DLP on Windows.

Why This Matters

As a product team, our success is measured not just by usage, but by how effectively we eliminate friction for customers.

Always-on diagnostics minimizes the friction and frustration that have historically affected some customers:

  • No more asking your employee or information worker "can you reproduce that?" and to share logs
  • No more lost context
  • No more delays while logs are collected after the fact

How it Works

  1. Local trace capture

Devices continuously capture endpoint DLP diagnostic data in a compressed, proprietary format, and this data stays solely on the respective device based on the retention period and storage limits configured by the admin. Users no longer need to reproduce issues during retrieval—everything the investigation requires is already captured on the endpoint.

  2. Admin-triggered upload

Admins can now request diagnostic uploads directly from the Purview portal, eliminating the need to disrupt users. Upload requests can be initiated from multiple entry points, including:

  • Alerts (Data Loss Prevention → Alerts → Events)
  • Activity Explorer (Data Loss Prevention → Explorers → Activity explorer)
  • Device Policy Status Page (Settings → Device onboarding → Devices)

From any of these locations, admins can simply choose Request device log, select the date range, add a brief description, and submit the request. Once processed, the device’s always-on diagnostic logs are securely uploaded to Microsoft telemetry as per customer-approved settings. Admins can include the upload request number in their ticket with Microsoft Support, and sharing this number removes the need for the support engineer to ask for logs again during the investigation.

This workflow ensures investigations start with complete diagnostic context.

  3. Privacy & compliance considerations

  • Data is only uploaded during admin-initiated investigations
  • Data adheres to our published diagnostic data retention policies
  • Logs are only accessible to the Microsoft support team, not any other parties

We Want to Hear From You

Are you using always-on diagnostics? We'd love to hear about your experience. Share your feedback, questions, or success stories in the Microsoft Tech Community, or reach out to our engineering team directly.

Making troubleshooting effortless—so you can focus on what matters, not on chasing logs.

Updated Jan 07, 2026
Version 1.0