Updated November 19, 2025: We have updated the timeline. Thank you for your patience.
Introduction
We’re introducing a new
Remote Procedure Call (RPC) Configuration Health Alert for sensors v3.x in Microsoft Defender for Identity. This capability proactively monitors RPC configuration across your environment, helping administrators quickly identify and remediate misconfigurations that could impact detection accuracy or security posture. Additionally, applying the Unified Sensor RPC Audit tag enables advanced identity detections, improving security visibility and unlocking additional detection capabilities.
When this will happen:
General availability (Production, GCC, GCCH): We will begin rolling out early
January 2026 (previously early December
20252025) and expect to complete by mid-
January 2026 (previously mid-December
2025.2025).
How this affects your organization:
- Who is affected: Admins managing Microsoft Defender for Identity v3.x sensors.
- What will happen:
- A new health alert will monitor RPC configuration status on v3.x sensors.
- Applying the Unified Sensor RPC Audit tag will enforce configuration on existing and future v3.x sensors that match rule criteria.
- The tag will be visible in Device Inventory and Advanced Hunting, providing transparency and auditing capabilities.
- This feature improves detection accuracy and overall security coverage.
What you can do to prepare:
To apply the
RPC Audit tag on your v3.x sensors:
- In the Microsoft Defender portal, navigate to: System > Settings > Microsoft Defender XDR > Asset Rule Management.
- Select Create a new rule.
- Enter a Rule name and Description, then set conditions using Device name, Domain, or Device tag. Ensure the Defender for Identity v3.x sensor is deployed on targeted devices.
- Add the tag Unified Sensor RPC Audit.
- Review and submit the rule.
For more details, refer to
Microsoft Defender for Identity documentation.
Compliance considerations:
No compliance considerations identified; review as appropriate for your organization.