Always-on Diagnostics for Endpoint DLP in Microsoft Purview  


You know that feeling when you finally log a support ticket and the first thing they ask is,  

Can you reproduce the issue and send us the logs? 

Yeah… I’ve been there a lot. Ugh. The classic back-and-forth we all secretly dread! If you’ve worked with Endpoint DLP in Microsoft Purview, you probably know exactly what I’m talking about. 

But here’s something that genuinely made my life easier lately — Microsoft rolled out this Always-on diagnostics feature (still in preview), and I’ve been using it for a bit now. And I have to say… It’s actually super helpful. Troubleshooting doesn’t feel like such a chore anymore. 

Why Real-Time Endpoint Diagnostics Matter More Than Ever 

For years, endpoint diagnostics has been a reactive process. An issue occurs, and we scramble to capture the evidence after the fact. This is especially painful with “transient” issues, those annoying little glitches that appear once and then vanish into the ether, never to be seen again (at least, not until the next urgent deadline). 

The old method was a time sink for everyone involved: 

  • The user has to stop working and try to remember what caused the issue, basically playing the role of an accidental QA tester. 
  • The admin (you!) steps in, enabling extra logging or asking the user to replicate the problem—if that’s even possible. 
  • Microsoft support gets logs that might be incomplete or totally miss the real issue, leading to delays and long email threads. 

This new “always-on” approach in Microsoft Purview flips the script entirely. Instead of reacting to problems after they strike, you’ve already got continuous background logs ready to go. 

With this feature turned on, logs are already being collected in the background, 24/7. So, the next time something goes wrong, you don’t need to reproduce the issue, you just grab the logs and send them. Done. 

Always-On Diagnostics in Microsoft Purview 

At its core, always-on diagnostics for Endpoint DLP is exactly what it sounds like: a feature for Windows devices that persistently records comprehensive trace logs in the background.

Always-on diagnostics automatically logs DLP activity and trace files on your endpoint devices, so you don’t have to wait for an issue to occur to begin collecting logs. 

  • It saves time. 
  • It makes troubleshooting way less frustrating. 
  • It cuts down the endless back-and-forth with support. 

The logs are stored locally on the user’s device for a configurable period (30, 60, or a recommended 90 days). This long retention period is fantastic because it allows you to investigate issues that may have been reported days or even weeks after they occurred. 

It’s especially useful for capturing intermittent or hard-to-reproduce problems without requiring users or admins to manually recreate them.  

How to Enable Always-on Diagnostics in Microsoft 365 

The best part about this feature is that setting it up is incredibly simple. You’ll need to be in the Microsoft Purview portal with appropriate roles (Compliance admin, Information Protection admin, etc.). Here’s how to get it running: 

  1. Sign in to the Microsoft Purview portal.
  2. Head over to Settings > Data Loss Prevention > Always-on diagnostics (preview).
  3. You’ll see a simple toggle. Go ahead and switch it to On.
  4. Next, you’ll set the cache storage period. You get options for 30, 60, or 90 days.

👉 My tip: I strongly recommend going with 90 days. This gives you a massive three-month window to investigate historical incidents. It’s a lifesaver for identifying patterns or tricky intermittent issues.

  5. Then, you need to set the maximum storage for the device. This is the space you’re allocating on each endpoint for these logs. The range is between 500 MB and 1500 MB. 1500 MB is a small price to pay for this level of diagnostic power, so I’d lean towards the higher end if your device storage allows.
  6. Click Save.

You’ve just enabled it for your entire fleet of supported Windows devices. The feature is rolling out in Public Preview in June 2025 and is expected to be generally available by September 2025. 

How to Retrieve Logs Using the MDE Client Analyzer 

Let’s say a user reports a DLP block, and you need to grab the logs to share with Microsoft Support. Here’s how to do it using the Microsoft Defender for Endpoint (MDE) Client Analyzer: 

  1. Download the tool: MDEClientAnalyzer.zip
  2. Open Command Prompt and use cd to move into the folder where you extracted the tool.
  3. Run this command:

     MDEClientAnalyzer.cmd -r -t -m 0

  4. Accept the EULA and enter a filename + path for the report.

You might see some warnings if you’re not an admin. No stress—just ignore them.

  5. Once it’s done, it will generate:
     • A report file: MDEClientAnalyzer.htm
     • A folder: MDEClientAnalyzerResult containing all the logs
  6. Zip up the MDEClientAnalyzerResult folder and send it to Microsoft Support.

💡 Bonus Tip: Before sending, open the .htm report file and double-check this line to confirm always-on diagnostics is active:

Sensetracer always-on enable: Yes
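To tie the retrieval steps and the bonus check together, here is an added PowerShell example. It is not code from the original post or from Microsoft's tooling; it simply wraps the command, file names and report line given above in reusable functions. The paths C:\Tools\MDEClientAnalyzer (where the tool is extracted) and C:\Temp\DlpCase (the report path you type at the prompt) are hypothetical placeholders, and the assumption that the .htm report and the MDEClientAnalyzerResult folder land in that report folder is mine, not something the post states.

```powershell
# Added example, not code from the original post or from Microsoft. It wraps the
# MDE Client Analyzer steps above and the "Bonus Tip" check in reusable functions.
# Assumptions (not stated in the post): the tool is extracted to $AnalyzerDir, and
# the report (MDEClientAnalyzer.htm) and result folder (MDEClientAnalyzerResult)
# end up in the folder you name when the tool prompts for a report path.

function Invoke-MdeClientAnalyzer {
    # Step 3: run the analyzer with the flags from the post (-r -t -m 0).
    # The tool prompts for EULA acceptance and a report path (step 4), so this
    # blocks until those prompts are answered.
    param([Parameter(Mandatory)][string]$AnalyzerDir)

    $cmd = Join-Path $AnalyzerDir 'MDEClientAnalyzer.cmd'
    if (-not (Test-Path $cmd)) { throw "MDEClientAnalyzer.cmd not found in $AnalyzerDir" }

    Push-Location $AnalyzerDir
    try     { & cmd.exe /c 'MDEClientAnalyzer.cmd -r -t -m 0' }
    finally { Pop-Location }
}

function Test-AlwaysOnDiagnosticsEnabled {
    # Bonus tip: confirm the report contains "Sensetracer always-on enable: Yes".
    # HTML tags are stripped first so markup between label and value does not
    # break the match. Returns $true or $false.
    param([Parameter(Mandatory)][string]$ReportPath)

    if (-not (Test-Path $ReportPath)) { throw "Report not found: $ReportPath" }
    $text = (Get-Content -Path $ReportPath -Raw) -replace '<[^>]+>', ' '
    return [bool]($text -match 'Sensetracer always-on enable:\s*Yes')
}

function Export-AnalyzerResult {
    # Step 6: zip the MDEClientAnalyzerResult folder for Microsoft Support.
    param(
        [Parameter(Mandatory)][string]$ResultDir,
        [Parameter(Mandatory)][string]$OutputZip
    )
    if (-not (Test-Path $ResultDir -PathType Container)) {
        throw "Result folder not found: $ResultDir"
    }
    Compress-Archive -Path $ResultDir -DestinationPath $OutputZip -Force
    return $OutputZip
}

# Usage. Both paths are assumed placeholders: adjust them to where you extracted
# the tool and to the report path you entered at the prompt.
$analyzerDir = 'C:\Tools\MDEClientAnalyzer'
$reportDir   = 'C:\Temp\DlpCase'

Invoke-MdeClientAnalyzer -AnalyzerDir $analyzerDir

$report = Join-Path $reportDir 'MDEClientAnalyzer.htm'
if (Test-AlwaysOnDiagnosticsEnabled -ReportPath $report) {
    Write-Host 'Always-on diagnostics is active on this device.'
} else {
    Write-Warning 'Report does not show always-on diagnostics as enabled; check the Purview toggle before sending.'
}

$zip = Export-AnalyzerResult -ResultDir (Join-Path $reportDir 'MDEClientAnalyzerResult') `
                             -OutputZip (Join-Path $reportDir 'MDEClientAnalyzerResult.zip')
Write-Host "Send $zip to Microsoft Support."
```

The check runs before the zip is built so that a device where the toggle never took effect is caught before a useless log bundle goes off to support; if the warning fires, verify the Purview setting (and that the device has picked it up) rather than sending the archive.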

Should You Enable It? 

If you’re still thinking about it, my answer is: Absolutely, yes.  

If you’re using Microsoft Purview Endpoint DLP, this one’s a no-brainer. It’s a simple but powerful upgrade that makes life a lot easier for anyone managing endpoint security. Always-on diagnostics solves a long-standing pain we’ve all just kind of tolerated—missing logs, unreliable repro steps, endless support loops. This flips that completely. 

So go ahead—flip that toggle in Microsoft Purview. If you’re already using this in preview, I’d love to know your experience! Have you tried pulling the logs yet? 
