Comparing May 13, 2025 to latest (Jul 18, 2025)

MC1073068 - Microsoft Defender for Identity: We will disable collection of local administrators' group members (using SAM-R)

Message Center

Metadata at latest

Last Updated

Jul 18, 2025

Published May 13, 2025

Service

Microsoft Defender XDR

Tag

Updated message
Feature update
Admin impact

Metadata changes

Tags
Admin impact, Feature update → Admin impact, Feature update, Updated message

Body changes


Updated July 18, 2025: We have updated the content. Thank you for your patience.

In Microsoft Defender for Identity, we have started to disable the remote collection of local administrators' group members on endpoints (using SAM-R queries). We started disabling the feature in early May 2025 and expect to complete by mid-May 2025. This change is part of our ongoing efforts to enhance security and improve the overall performance of our services.

How this will affect your organization:

This feature performs remote queries to identify local administrators on the remote machines contacting the servers where the Defender for Identity sensor is installed. The details collected are used to build the potential lateral movement paths map.

Disabling this feature will impact the ability to map potential lateral movement paths (using SAM-R queries) because the data used to calculate potential lateral movement paths will no longer be collected by the Defender for Identity sensor.

What you need to do to prepare:

This change will happen automatically by the specified dates. No admin action is required.

If you have completely disabled NTLM (New Technology LAN Manager) in your environment and would like to keep the feature working, please open a support case asking to re-enable the feature.