Microsoft Purview DLP Service Component (mpdlpservice.exe) v4.18.26010.5 Crashes Linked to mpdlp.dll – UPDATED!

Status: 🟡 Mitigated (Feature Rollback) • Fix Pending

ControlUp’s crash anomaly detection identified an increased rate of crashes affecting the Microsoft Purview DLP Service component, specifically the mpdlpservice.exe process in version 4.18.26010.5. The crashes consistently fault in the mpdlp.dll module and have been observed across a steadily growing number of organizations since early March.

This pattern was identified through analysis of anonymized, aggregate telemetry and suggests a broader issue affecting the Data Loss Prevention service component rather than isolated endpoint-specific conditions.

This crash pattern has been observed across more than 130 organizations and is classified as low severity.

Impacted environments may experience:

• Repeated crashes of the mpdlpservice.exe process
• Reduced reliability of the Windows Defender Data Loss Prevention (DLP) component
• Potential interruption of background policy enforcement or sensitive data inspection
• Increased noise in endpoint monitoring or crash analytics systems

While the direct impact on end users is not yet clear, instability in this service is likely to interfere with the expected functionality of the DLP component within Microsoft’s security stack.

At the time of this finding, no clear resolution path or validated workaround has been published.

Organizations observing this pattern should:

• Identify endpoints running mpdlpservice.exe version 4.18.26010.5
• Monitor crash trends related to mpdlpservice.exe and mpdlp.dll
• Correlate crash activity with recent Windows updates or Defender platform changes
• Review Microsoft guidance and release notes for updates related to Purview DLP or Defender service stability

Where possible, it may also be useful to compare affected systems against recent operating system update activity and DLP configuration changes.

Available online reports suggest the issue may be associated with recent Windows updates, including references to KB5079473 and KB5074109. There are also indications that the behavior may be related to the service transition of legacy endpoint-sensitive data alerting in the Microsoft Defender portal.

This finding highlights how changes in supporting security services, even when not immediately visible to end users, can affect the stability and expected behavior of enterprise protection frameworks. ControlUp will continue monitoring this crash signature globally and update this finding as more guidance or remediation becomes available.

Update (March 2026)

Microsoft has provided additional context regarding this issue. The crashes were linked to a specific feature within the Microsoft Purview DLP service.

According to Microsoft, the problematic feature has been rolled back via a configuration change, and a permanent fix is planned in an upcoming release of mpdlp.dll.

Organizations that were experiencing this behavior should monitor their environments to confirm whether crash frequency has decreased following this rollback.