Always-on diagnostics for Endpoint DLP – Turned on by default

Starting mid-April 2026, Always-on diagnostics for Endpoint DLP will be enabled by default on Windows devices, storing diagnostic logs locally for 90 days to aid troubleshooting. Admins can opt out anytime via Microsoft Purview. This improves issue resolution but may affect investigation efficiency if disabled.

[Introduction]

Starting in the second week of April 2026, Always-on diagnostics for Endpoint Data Loss Prevention (DLP) will be turned on by default for onboarded Windows devices in Microsoft Purview. Endpoint DLP diagnostic traces including policy evaluation logs, file classification results, enforcement actions, and error states are stored locally on the device in a secure, compressed proprietary format for up to 90 days. This collection helps eliminate the need to reproduce issues during Microsoft Support investigations. The ability to request that Microsoft collects critical diagnostic data as part of a support case will also be enabled. Endpoint diagnostic logs that you choose can then be securely shared with Microsoft for troubleshooting, reducing investigation effort and accelerating time to resolution for Endpoint DLP issues.

[When this will happen:]

General Availability (Worldwide): This change will go into effect mid-April 2026

[How this affects your organization:]

Who is affected:

• Organizations using Endpoint Data Loss Prevention (DLP) on Windows devices
• Admins managing Endpoint DLP settings in Microsoft Purview

What will happen:

• From the date of this Message Center post through the second week of April 2026, admins may choose to opt out of this setting in the Microsoft Purview portal. If an admin opts out during this period, their selection will be respected, and the setting will remain unchanged.
• If no action is taken, diagnostics will be automatically enabled in the second week of April 2026, after which admins can opt out at any time via the existing settings.

Note: Opting out of Always-on diagnostics may hinder your ability to effectively troubleshoot issues that arise in Endpoint Data Loss Prevention scenarios. Without this feature, organizations may experience prolonged investigation times, reduced visibility into policy behavior, and increased difficulty identifying and resolving Endpoint DLP issues. Keeping Always-on diagnostics enabled helps support the security, reliability, and operational stability of your environment.

[What you can do to prepare:]

• No action is required if you want to keep the default behavior.
• Review your organization’s diagnostic and data collection policies.
• If you want to opt out before the default change:
  • Go to Microsoft Purview portal
  • Navigate to Endpoint DLP settings
  • Disable Always-on diagnostics
• Communicate this change to security, compliance, and helpdesk teams

Learn more:

• Always-on diagnostics for endpoint DLP | Microsoft Learn
• Always-on diagnostics troubleshooting blog
• Always-on diagnostics blog

[Compliance considerations:]

Question	Explanation
Does the change store new customer data, and if so, where?	Endpoint DLP diagnostic logs (including policy evaluation, classification results, enforcement actions, and error states) are stored locally on Windows devices in a secure, compressed proprietary format for up to 90 days.
Does the change alter how admins can monitor, report on, or demonstrate compliance activities?	Admins gain enhanced troubleshooting capabilities by collecting and selectively sharing Endpoint DLP diagnostic data with Microsoft during support cases - eliminating the need to reproduce issues or engage end users, and improving investigation efficiency.
Does the change include an admin control?	Admins can opt out of Always-on diagnostics at any time through existing Endpoint DLP settings in the Microsoft Purview portal.