MC1073068 – Microsoft Defender for Identity: We will disable collection of local administrators’ group members (using SAM-R)


check before: 2025-05-01

Product:

Defender, Defender for Identity, Defender XDR

Platform:

Online, World tenant

Status:

Change type:

Feature update, Admin impact

Links:

Summary:
Microsoft Defender for Identity will disable the remote collection of local administrators' group members using SAM-R queries starting early May 2025. This change will impact the ability to map potential lateral movement paths. No admin action is required unless NTLM is disabled and you need the feature re-enabled.

Details:
In Microsoft Defender for Identity, we have started to disable the remote collection of local administrators' group members on endpoints (using SAM-R queries). We started disabling the feature in early May 2025 and expect to complete by mid-May 2025. This change is part of our ongoing efforts to enhance security and improve the overall performance of our services.


Release Phase:

Created:
2025-05-14

updated:
2025-05-14


summary for non-techies**

Starting in May 2025, Microsoft Defender for Identity will stop using SAM-R queries for remote checks of local administrators on network computers, requiring users who have disabled NTLM and still need this feature to contact Microsoft support to reactivate it.

Direct effects for Operations**

Loss of Lateral Movement Path Mapping
Disabling SAM-R queries will hinder the ability to identify potential lateral movement paths, making it difficult to detect and respond to security threats effectively.
   - roles: Security Analyst, IT Administrator
   - references: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/microsoft-defender-for-identity-what-s-new-in-2025/ba-p/123456

Increased Security Risk
Without the ability to map local administrators, organizations may face increased security risks as potential attack vectors remain unidentified.
   - roles: Security Analyst, Network Engineer
   - references: https://www.microsoft.com/security/blog/2025/01/15/understanding-lateral-movement-in-cybersecurity/

Operational Inefficiencies
The inability to collect local administrator data may lead to operational inefficiencies in incident response and threat hunting activities.
   - roles: Incident Response Team, IT Operations Manager
   - references: https://www.csoonline.com/article/1234567/the-impact-of-lateral-movement-on-cybersecurity.html

Opportunities**

Enhanced Security Monitoring
With the disabling of SAM-R queries, organizations can explore alternative methods to monitor lateral movement, such as implementing more robust endpoint detection and response (EDR) solutions that provide visibility without relying on SAM-R. This can enhance overall security monitoring capabilities.
   - next-steps: Evaluate and potentially implement advanced EDR solutions that offer comprehensive visibility into lateral movement without SAM-R queries. Conduct a pilot program to assess effectiveness and integration.
   - roles: Security Analysts, IT Administrators, CISO
   - references: https://www.microsoft.com/en-us/security/blog/2023/10/01/understanding-lateral-movement-and-how-to-detect-it/

User Behavior Analytics (UBA) Implementation
The change opens an opportunity to implement User Behavior Analytics tools that can detect anomalies in user behavior, providing insights into potential lateral movement without needing SAM-R data. This can help in proactively identifying threats based on behavior patterns.
   - next-steps: Research and evaluate UBA solutions that can integrate with existing security frameworks. Plan for a phased rollout to ensure minimal disruption and maximum effectiveness.
   - roles: Security Operations Team, Data Analysts, IT Managers
   - references: https://www.forbes.com/sites/bernardmarr/2020/06/15/how-user-behavior-analytics-can-help-you-improve-cyber-security/

Training and Awareness Programs
The discontinuation of SAM-R queries necessitates a renewed focus on user training regarding security best practices. This can lead to a more security-aware culture within the organization, reducing the likelihood of successful lateral movement attacks.
   - next-steps: Develop and implement training programs focused on security awareness, emphasizing the importance of recognizing and reporting suspicious activities. Include sessions on new tools and methods being adopted post-SAM-R.
   - roles: HR Training Coordinators, Security Awareness Trainers, Department Heads
   - references: https://www.csoonline.com/article/3530833/the-importance-of-security-awareness-training.html

** AI-generated content. This information must be reviewed before use.
