Decoupling Microsoft Purview Data Loss Prevention (DLP) Process form Microsoft Defender for Endpoint on Windows Devices
If you use a Firewall (Windows or 3rd party), non-Microsoft anti-malware, or application control solution and had to add the Microsoft Defender for Endpoint process to an allowlist to run, then an additional process (“MpDlpService.exe”) will need to be added to your allowlist.
Starting June 2024, we will be decoupling the Microsoft Purview Data Loss Prevention (DLP) process from the Microsoft Defender for Endpoint (MDE) process on Windows devices. It is important to note that this is purely a backend process decoupling effort and there will be NO changes to the current deployment process for Microsoft Purview DLP.
Currently, Microsoft Purview DLP capabilities for Windows endpoint devices are shipped as a part of Microsoft Defender for Endpoint updates so that customers do not have to install any additional agents to use the latest DLP features for Windows endpoints. To onboard your Windows machine see Get started with Endpoint data loss prevention | Microsoft Learn. Once a Windows machine is onboarded to Microsoft Purview DLP, customers can see an active process “MsMpEng.exe” running in the Task Manager. This process provides access to both Defender for Endpoint and DLP capabilities.
Going forward, as part of decoupling the processes, customers will see two distinct processes — “MpDlpService.exe” for Microsoft Purview DLP and “MsMpEng.exe” exclusively for Microsoft Defender for Endpoint — instead of a single process on their Windows device. This decoupling of the two processes is intended to improve the stability and performance of Microsoft Purview DLP on Windows 10 and 11, and our ability to more precisely troubleshoot and debug performance issues.
When this will happen:
Microsoft will roll begin rolling out Microsoft Defender version 4.18.24060 in end-May 2024 and expect to complete by early-July 2024.
How this will affect your organization:
There are NO changes in how Microsoft DLP for endpoint updates is delivered to supported Windows 10 and 11 devices. Even after this change DLP updates for Windows endpoint devices will continue to be shipped as a part of Microsoft Defender for Endpoint updates. There is no impact on how Microsoft Purview DLP capabilities protect sensitive content on your endpoint devices.
Currently, you only see one process, “MsMpEng.exe” covering Microsoft Defender for Endpoint as well as Microsoft Purview DLP capabilities as shown below.
After installing the 4.18.2406 build, you will see a new process called “MpDlpService.exe” in addition to the existing process “MsMpEng.exe.”
What you need to do to prepare:
In most cases, no action is required from customers. However, if you use a Firewall (Windows or 3rd party), non-Microsoft anti-malware, or application control solution and had to add the Microsoft Defender for Endpoint process to an allowlist to run, then an additional process (“MpDlpService.exe”) will need to be added to your allowlist. This will allow the Microsoft Purview DLP to run in the customer’s environment without issue.
No Comments