You're viewing a historical snapshot from May 13, 2025. This is not the latest version.

Metadata at May 13, 2025

Published: May 13, 2025

Service: Microsoft Defender XDR

Tag: Feature update, Admin impact

MC1073068 - Microsoft Defender for Identity: We will disable collection of local administrators' group members (using SAM-R)

Message Center

What changed since this version


Updated July 18, 2025: We have updated the content. Thank you for your patience.

In Microsoft Defender for Identity, we have started to disable the remote collection of local administrators' group members on endpoints (using SAM-R queries). We started disabling the feature in early May 2025 and expect to complete by mid-May 2025. This change is part of our ongoing efforts to enhance security and improve the overall performance of our services.

How this will affect your organization:

This feature performs remote queries to identify local administrators on the remote machines contacting the servers where the Defender for Identity sensor is installed. The details collected are used to build the potential lateral movement paths map.

Disabling this feature will impact the ability to map potential lateral movement paths (using SAM-R queries) because the data used to calculate potential lateral movement paths will no longer be collected by the Defender for Identity sensor.

What you need to do to prepare:

This change will happen automatically by the specified dates. No admin action is required.

If you have completely disabled NTLM (New Technology LAN Manager) in your environment and would like to keep the feature working, please open a support case asking to re-enable the feature.

Snapshot from May 13, 2025

In Microsoft Defender for Identity, we have started to disable the remote collection of local administrators' group members on endpoints (using SAM-R queries). We started disabling the feature in early May 2025 and expect to complete by mid-May 2025. This change is part of our ongoing efforts to enhance security and improve the overall performance of our services.

How this will affect your organization:

This feature performs remote queries to identify local administrators on the remote machines contacting the servers where the Defender for Identity sensor is installed. The details collected are used to build the potential lateral movement paths map.

Disabling this feature will impact the ability to map potential lateral movement paths (using SAM-R queries) because the data used to calculate potential lateral movement paths will no longer be collected by the Defender for Identity sensor.

What you need to do to prepare:

This change will happen automatically by the specified dates. No admin action is required.

If you have completely disabled NTLM (New Technology LAN Manager) in your environment and would like to keep the feature working, please open a support case asking to re-enable the feature.