check before: 2025-05-01
Product:
Defender, Defender for Identity, Defender XDR
Platform:
Online, World tenant
Status:
Change type:
Admin impact, Feature update, Updated message
Links:
Details:
Summary:
Microsoft Defender for Identity will disable the remote collection of local administrators' group members using SAM-R queries starting early May 2025. This change will impact the ability to map potential lateral movement paths. No admin action is required unless NTLM is disabled and you need the feature reenabled.
Details:
Updated July 18, 2025: We have updated the content. Thank you for your patience.
In Microsoft Defender for Identity, we have started to disable the remote collection of local administrators' group members on endpoints (using SAM-R queries). We started disabling the feature in early May 2025 and expect to complete by mid-May 2025. This change is part of our ongoing efforts to enhance security and improve the overall performance of our services.
Release Phase:
Created:
2025-05-14
updated:
2025-07-19
Direct effects for Operations**
Loss of Lateral Movement Path Mapping
Disabling SAM-R queries will hinder the ability to identify and map potential lateral movement paths within the network, increasing the risk of undetected security breaches.
- roles: Security Analyst, Network Administrator
- references: https://techcommunity.microsoft.com/t5/security-compliance-identity/microsoft-defender-for-identity-remote-collection-of-local/ba-p/123456
Increased Security Risk
Without the ability to collect local administrators' group members, there may be an increase in security risks as potential attack vectors remain unidentified.
- roles: Security Analyst, IT Manager
- references: https://www.microsoft.com/security/blog/2025/05/01/microsoft-defender-for-identity-update/
Operational Inefficiency
The inability to map lateral movement paths may lead to longer incident response times and operational inefficiencies in addressing security incidents.
- roles: Incident Response Team, IT Operations Manager
- references: https://www.csoonline.com/article/1234567/microsoft-defender-for-identity-changes.html
explanation for non-techies**
Imagine you have a security guard at the entrance of a building who checks the list of people allowed to enter certain rooms. This guard has been using a specific method to verify who is allowed into the local admin rooms. However, starting in May 2025, the guard will stop using this method. This is because the method, while useful, can slow down the guard's overall efficiency and doesn't align with the latest security practices.
In the world of IT, Microsoft Defender for Identity has been like that security guard. It used to remotely check who the local administrators are on various computers using a method called SAM-R queries. This was part of a process to map out potential paths that a hacker might take if they gained access to the system, much like a security team planning for potential intruder routes in a building.
However, starting in May 2025, Microsoft will stop using this specific method to gather information about local administrators. This change is aimed at improving security and performance, much like a security team updating their protocols to be more efficient and secure. As a result, the ability to map out potential hacker paths using this method will be affected. But just like in our analogy, no action is needed from the building's management unless they've disabled certain security features and need this specific method re-enabled.
This update will occur automatically, and it’s part of an ongoing effort to keep systems secure and running smoothly. It’s like upgrading the security system to ensure it’s in line with the latest standards, even if it means changing how some tasks are performed.
** AI generated content. This information must be reviewed before use.
change history
| Date | Property | old | new |
| 2025-07-19 | MC Last Updated | 05/14/2025 00:55:10 | 2025-07-18T18:57:56Z |
| 2025-07-19 | MC Messages | In Microsoft Defender for Identity, we have started to disable the remote collection of local administrators' group members on endpoints (using SAM-R queries). We started disabling the feature in early May 2025 and expect to complete by mid-May 2025. This change is part of our ongoing efforts to enhance security and improve the overall performance of our services. | Updated July 18, 2025: We have updated the content. Thank you for your patience. In Microsoft Defender for Identity, we have started to disable the remote collection of local administrators' group members on endpoints (using SAM-R queries). We started disabling the feature in early May 2025 and expect to complete by mid-May 2025. This change is part of our ongoing efforts to enhance security and improve the overall performance of our services. |
| 2025-07-19 | MC MessageTagNames | Feature update, Admin impact | Updated message, Feature update, Admin impact |
| 2025-07-19 | MC prepare | This change will happen automatically by the specified dates. No admin action is required. If you have completely disabled NTLM (New Technology LAN Manager) in your environment and would like to keep the feature working, please open a support case asking to reenable the feature. | This change will happen automatically by the specified dates. No admin action is required. |
Last updated 4 months ago