check before: 2025-09-01
Product:
Defender, Defender for Identity, Defender XDR, Windows
Platform:
Online, US Instances, World tenant
Status:
Change type:
New feature, Admin impact
Links:
Details:
Summary:
Microsoft Defender for Identity introduces a new opt-in post-deployment configuration for unified sensors (v3.x) enabling RPC monitoring via the Unified Sensor RPC Audit tag. Rollout starts late September 2025, enhancing advanced identity detections with visibility in device inventory. No action needed unless enabling the feature.
Details:
[Introduction]
We're introducing a new post-deployment configuration option for unified sensors (V3.x) in Microsoft Defender for Identity (preview). This update enhances security and enables advanced identity detections by allowing admins to apply the new Unified Sensor RPC Audit tag to domain controllers onboarded with the unified sensor (v3.x). This tag activates Remote Procedure Call (RPC) monitoring using the Windows Filtering Platform (WFP), which is required for advanced identity detections.
[When this will happen:]
Preview (Worldwide): Rollout will begin in late September 2025 and is expected to complete by mid-October 2025.
Preview (GCC, GCCH, and DoD): Rollout will begin in late September 2025 and is expected to complete in late October 2025.
Change Category:
XXXXXXX ... free basic plan only
Scope:
XXXXXXX ... free basic plan only
Release Phase:
Created:
2025-09-30
updated:
2025-09-30
Task Type
XXXXXXX ... free basic plan only
Docu to Check
XXXXXXX ... free basic plan only
MS How does it affect me
XXXXXXX ... free basic plan only
MS Preperations
XXXXXXX ... free basic plan only
MS Urgency
XXXXXXX ... free basic plan only
MS workload name
XXXXXXX ... free basic plan only
summary for non-techies**
XXXXXXX ... free basic plan only
Direct effects for Operations**
RPC Monitoring Activation
If the new RPC monitoring feature is enabled without proper preparation, it may lead to unexpected performance issues on domain controllers due to increased resource usage from monitoring activities.
- roles: System Administrators, Network Engineers
- references: https://learn.microsoft.com/defender-for-identity/deploy/prerequisites-sensor-version-3, https://learn.microsoft.com/en-us/defender-for-identity/unified-sensor-overview
Device Inventory Visibility
Enabling the Unified Sensor RPC Audit tag without prior communication may cause confusion among security teams regarding device inventory changes, leading to potential mismanagement of security protocols.
- roles: Security Analysts, Compliance Officers
- references: https://learn.microsoft.com/defender-for-identity/deploy/prerequisites-sensor-version-3, https://learn.microsoft.com/en-us/defender-for-identity/unified-sensor-overview
Configutation Options**
XXXXXXX ... paid membership only
IT Security**
XXXXXXX ... paid membership only
explanation for non-techies**
XXXXXXX ... free basic plan only
** AI generated content. This information must be reviewed before use.
a free basic plan is required to see more details. Sign up here
A cloudsocut.one plan is required to see all the changed details. If you are already a customer, choose login.
If you are new to cloudscout.one please choose a plan.
Last updated 3 weeks ago ago
