(Updated) Automatic Windows event auditing configuration now available for unified sensors (V3.x)
MC1187403
Category: stayInformed
Severity: normal
Major change: False
Last modified: 2025-11-19 17:36:40
Summary source: Azure OpenAI (gpt-4.1)
Action by (Graph):
Action by (AI):
Services: Microsoft Defender XDR
Tags: Updated message, New feature, Admin impact
Master tags: Security
Roadmap IDs:

One-line summary

A new opt-in feature for automatic event-auditing configuration in Defender for Identity unified sensors (V3.x) will be available starting mid-December 2025, simplifying deployment and policy enforcement.


Details

Summary
An opt-in feature for automatic Windows event-auditing configuration in Defender for Identity unified sensors (V3.x) will be available mid-December 2025. It simplifies deployment by auto-applying required settings, affects all sensors in a tenant, requires admin activation, and addresses specific auditing health issues.

Body (from Message Center)

Updated November 19, 2025: We have updated the timeline. Thank you for your patience.

[Introduction]

We’re introducing a new opt-in feature for automatic event-auditing configuration in Defender for Identity unified sensors (V3.x). This enhancement simplifies deployment by allowing admins to automatically apply the required Windows event-auditing settings on their sensors. It reduces manual post-deployment steps and ensures consistent policy enforcement across all onboarded sensors.

[When this will happen:]

General Availability (Worldwide, GCC, GCCH, and DoD): The auditing opt-in feature will be available starting mid-December 2025 (previously mid-November), with rollout expected to complete within the same timeframe.

General Availability (Worldwide, GCC, GCCH, and DoD): The related auditing health alerts will be released gradually by mid-January 2026 (previously mid-December).

[How this affects your organization:]

Who is affected:
Admins managing Defender for Identity unified sensors (V3.x) in Microsoft 365 tenants.

What will happen:

  • A new opt-in setting will be available in both the UI and via Graph API.
  • In the UI, this option will appear under Defender for Identity Settings → Advanced features.
  • Once enabled, the automatic configuration feature will:
    • For new sensor activations: automatically apply all required Windows event-auditing settings during activation.
    • For existing onboarded sensors: automatically apply auditing settings only if misconfigured, and dismiss the related health issues.
  • The opt-in applies to all unified sensors in the tenant.
  • This feature is not enabled by default and requires admin action.
  • No changes will occur unless admins choose to enable the feature.

Relevant auditing configuration health issues covered:

  • NTLM auditing is not enabled
  • Directory Services Advanced Auditing is not enabled as required
  • Directory Services Object Auditing is not enabled as required
  • Auditing on the Configuration container is not enabled as required
  • Auditing on the ADFS container is not enabled as required

[What you can do to prepare:]

No action is required unless you choose to enable the feature.

If you plan to opt in:

  • Review your unified sensor deployment strategy.
  • Enable the opt-in setting via the UI or Graph API.
  • Communicate the change to relevant IT and security teams.
  • Update internal documentation if you track auditing configurations.

To review the required auditing configurations for Defender for Identity unified sensors (V3.x)

For details about the relevant auditing health issues

[Compliance considerations:]

No compliance considerations identified; review as appropriate for your organization.
