MC1162274 - New post-deployment configuration for unified sensors (preview)

Introduction

We’re introducing a new post-deployment configuration option for unified sensors (V3.x) in Microsoft Defender for Identity (preview). This update enhances security and enables advanced identity detections by allowing admins to apply the new Unified Sensor RPC Audit tag to domain controllers onboarded with the unified sensor (v3.x). This tag activates Remote Procedure Call (RPC) monitoring using the Windows Filtering Platform (WFP), which is required for advanced identity detections.

When this will happen:

Preview (Worldwide): Rollout will begin in late September 2025 and is expected to complete by mid-October 2025.

Preview (GCC, GCCH, and DoD): Rollout will begin in late September 2025 and is expected to complete in late October 2025.

How this affects your organization:

• Who is affected: This configuration option applies only to devices running the unified sensor (v3.x).
• What will happen:
  • A new configuration option will be available in Asset rule management.
  • Admins can apply the Unified Sensor RPC Audit tag to onboarded domain controllers running the unified sensor (v3.x).
  • Devices with this tag will have WFP-based RPC monitoring enabled.
  • Once applied, the configuration is enforced on existing and future devices that match the rule criteria.
  • Tagged devices will appear in Device inventory for visibility and auditing.
  • This feature is opt-in and not enabled by default.

What you can do to prepare:

• No action is required unless you want to enable the feature.
• If needed, enable the new configuration option by creating an asset management rule to apply the tag.
• Communicate this change to your security and compliance teams.

Learn more: Microsoft Defender for Identity sensor v3.x prerequisites (Preview)

Compliance considerations:

No compliance considerations identified, review as appropriate for your organization.