← Back
(Updated) Automatic Windows event auditing configuration now available for unified sensors (V3.x)
MC1187403 · build prod-20251231-200323
Category
stayInformed
Severity
normal
Major change
False
Last modified
2025-11-19 17:36:40
Summary source
Azure OpenAI (gpt-4.1)
Action by (Graph)
Action by (AI)
Services
Microsoft Defender XDR
Tags
Updated message, New feature, Admin impact
Master tags
Admin, Security
Roadmap IDs

One-line summary

A new opt-in feature for automatic event-auditing configuration in Defender for Identity unified sensors (V3.x) will be available starting mid-December 2025, simplifying deployment and policy enforcement.

Similar updates

More like this

Details

Summary
An opt-in feature for automatic Windows event-auditing configuration in Defender for Identity unified sensors (V3.x) will be available mid-December 2025. It simplifies deployment by auto-applying required settings, affects all sensors in a tenant, requires admin activation, and addresses specific auditing health issues.

Body (from Message Center)

Updated November 19, 2025: We have updated the timeline. Thank you for your patience.

[Introduction]

We’re introducing a new opt-in feature for automatic event-auditing configuration in Defender for Identity unified sensors (V3.x). This enhancement simplifies deployment by allowing admins to automatically apply the required Windows event-auditing settings on their sensors. It reduces manual post-deployment steps and ensures consistent policy enforcement across all onboarded sensors.

[When this will happen:]

General Availability (Worldwide, GCC, GCCH, and DoD): The auditing opt-in feature will be available starting mid-December 2025 (previously mid-November), with rollout expected to complete within the same timeframe.

General Availability (Worldwide, GCC, GCCH, and DoD): The related auditing health alerts will be released gradually by mid-January 2026 (previously mid-December).

[How this affects your organization:]

Who is affected:
Admins managing Defender for Identity unified sensors (V3.x) in Microsoft 365 tenants.

What will happen:

  • A new opt-in setting will be available in both the UI and via Graph API.
  • In the UI, this option will appear under Defender for Identity Settings → Advanced features.
  • Once enabled, the automatic configuration feature will:
    • For new sensor activations: automatically apply all required Windows event-auditing settings during activation.
    • For existing onboarded sensors: automatically apply auditing settings only if misconfigured, and dismiss the related health issues.
  • The opt-in applies to all unified sensors in the tenant.
  • This feature is not enabled by default and requires admin action.
  • No changes will occur unless admins choose to enable the feature.
Relevant auditing configurations health issues covered:
  • NTLM auditing is not enabled
  • Directory Services Advanced Auditing is not enabled as required
  • Directory Services Object Auditing is not enabled as required
  • Auditing on the Configuration container is not enabled as required
  • Auditing on the ADFS container is not enabled as required

[What you can do to prepare:]

No action is required unless you choose to enable the feature.

If you plan to opt in:

  • Review your unified sensor deployment strategy.
  • Enable the opt-in setting via the UI or Graph API.
  • Communicate the change to relevant IT and security teams.
  • Update internal documentation if you track auditing configurations.

To review the required auditing configurations for Defender for Identity unified sensors (V3.x)

For details about the relevant auditing health issues

[Compliance considerations:]

No compliance considerations identified, review as appropriate for your organization.

Raw JSON (for debugging)

Expand/collapse the full payload below.
Show/hide raw
{
  "snapshot_item": {
    "action_required_by": null,
    "ai_action_required_by": null,
    "ai_actions": [
      "Review unified sensor deployment strategy",
      "Enable opt-in setting via UI or Graph API if desired",
      "Communicate changes to IT/security teams",
      "Update internal documentation if needed"
    ],
    "ai_master_tags": [
      "Admin",
      "Security"
    ],
    "ai_model": "gpt-4.1",
    "ai_summary": "A new opt-in feature for automatic event-auditing configuration in Defender for Identity unified sensors (V3.x) will be available starting mid-December 2025, simplifying deployment and policy enforcement.",
    "ai_topics": [
      "Defender"
    ],
    "category": "stayInformed",
    "details_map": {
      "Summary": "An opt-in feature for automatic Windows event-auditing configuration in Defender for Identity unified sensors (V3.x) will be available mid-December 2025. It simplifies deployment by auto-applying required settings, affects all sensors in a tenant, requires admin activation, and addresses specific auditing health issues."
    },
    "id": "MC1187403",
    "importance": 1,
    "is_major_change": false,
    "last_modified": "2025-11-19T17:36:40Z",
    "ms_products": [
      "Defender"
    ],
    "platforms": null,
    "roadmap_ids": [],
    "services": [
      "Microsoft Defender XDR"
    ],
    "severity": "normal",
    "tags": [
      "Updated message",
      "New feature",
      "Admin impact"
    ],
    "title": "(Updated) Automatic Windows event auditing configuration now available for unified sensors (V3.x)"
  }
}