The Microsoft Purview Always-on diagnostics feature automatically records comprehensive trace logs, saving you time and enabling faster troubleshooting. When you open a Microsoft Support case for an endpoint data loss prevention (DLP) issue, you might be asked to provide diagnostic logs. Setting up data collection and reproducing the issue can be time-consuming. With always-on diagnostics, these logs are already recorded, so you don't need to reproduce the issue, which streamlines the process and allows for quicker resolution.
To begin automatic logging, you need to turn on and configure the feature. Specify the number of days (30, 60, or 90) for logging and allocate between 500 and 1500 MB of storage. In the event of a support call, you can retrieve the logs using the Microsoft Defender for Endpoint (MDE) Client Analyzer tool.
Important
This feature is only supported on Windows.
Supported Windows operating systems
OS | Version | Minimum Build |
---|---|---|
Windows 11 | 24H2 | Build 26100.4202 |
Windows 11 | 23H2 | Build 22621.5039 and 22631.5039 |
Windows 11 | 22H2 | Build 22621.5039 and 22631.5039 |
Windows 10 | 22H2 | Build 19045.5917 |
Windows 10 | 21H2 | Build 19045.5917 |
Windows Server 2025 | - | Build 26100.4066 |
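
A pre-deployment check against the table above, as an added example (not Microsoft's code): it reads the local build from the registry and compares it with the listed minimums. The function name `Test-AlwaysOnDiagnosticsBuild` is hypothetical, and treating any `Server*` installation type as Windows Server is an assumption.

```powershell
# Added example. Minimum builds are copied from the table above.
# Keys are "<Client|Server>:<build>"; values are the minimum update revision (UBR).
$MinimumUbr = @{
    'Client:26100' = 4202   # Windows 11 24H2
    'Client:22631' = 5039   # Windows 11 23H2 / 22H2 rows
    'Client:22621' = 5039   # Windows 11 23H2 / 22H2 rows
    'Client:19045' = 5917   # Windows 10 22H2 / 21H2 rows
    'Server:26100' = 4066   # Windows Server 2025
}

function Test-AlwaysOnDiagnosticsBuild {
    param(
        [Parameter(Mandatory)][int]$Build,
        [Parameter(Mandatory)][int]$Ubr,
        [Parameter(Mandatory)][string]$InstallationType
    )
    # Assumption: 'Server' and 'Server Core' both count as Windows Server;
    # every other installation type is treated as a client edition.
    $kind = if ($InstallationType -like 'Server*') { 'Server' } else { 'Client' }
    $key  = "${kind}:$Build"

    if (-not $MinimumUbr.ContainsKey($key)) {
        return [pscustomobject]@{
            Supported = $false
            Reason    = "Build $Build ($kind) is not in the supported list"
        }
    }

    $min = $MinimumUbr[$key]
    [pscustomobject]@{
        Supported = ($Ubr -ge $min)
        Reason    = "Device is at $Build.$Ubr; minimum is $Build.$min"
    }
}

# Read the running OS build (CurrentBuildNumber), revision (UBR) and edition type.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
Test-AlwaysOnDiagnosticsBuild -Build ([int]$cv.CurrentBuildNumber) `
                              -Ubr ([int]$cv.UBR) `
                              -InstallationType $cv.InstallationType
```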
Permissions
- Compliance administrator
- Compliance data administrator
- Information Protection
- Information Protection Admin
- Security administrator
Turn on Always-on diagnostics
- Sign in to the Microsoft Purview portal.
- Navigate to Settings > Data Loss Prevention > Always-on diagnostics (preview).
- Select On.
- Set cache storage period. 90 days are recommended.
- Set maximum storage for device. Range must be between 500-1500 MB.
- Select Save.
Retrieve diagnostics logs
If you open a Microsoft Support case for an endpoint data loss prevention (DLP) issue and are asked to provide diagnostic logs, use the Microsoft Defender for Endpoint (MDE) Client Analyzer tool.
- Download the preview version of the Microsoft Defender for Endpoint (MDE) Client Analyzer on the endpoint device.
- Extract the content of the downloaded MDEClientAnalyzer.zip file to any folder.
- Open a command prompt and navigate to the extracted folder.
Note
You don't need administrative privileges to retrieve diagnostic logs. If you run the tool without admin rights, you might see access warnings. You can safely ignore them.
- Type MDEClientAnalyzer.cmd -r -t -m 0.
- Accept the EULA to continue.
- When prompted, provide a file name of the report used during log collection, specifying the full file path.
Note
If you receive an access warning because you're not in admin mode, you can safely ignore it.
Once the trace files are collected, a results summary (MDEClientAnalyzer.htm) is displayed. Review the following setting to verify that the always-on feature was enabled:
Setting | Value |
---|---|
Sensetracer always-on enable | Yes |
The logs are saved under the \MDEClientAnalyzerResult subfolder. You can submit the logs to Microsoft Support.
For additional diagnostic logging methods, see Analyze endpoint DLP diagnostic logs.
See also
Self-help diagnostics for Microsoft Purview
Collect endpoint DLP diagnostic logs