M365 Archive
Back to latest version
You're viewing a historical snapshot from Dec 9, 2025. This is not the latest version.

Metadata at Dec 9, 2025

Message ID

MC1193410

View in Message Center

Published

Dec 9, 2025

Service

Microsoft Defender XDR

Tag

Feature update
Admin impact
View the latest version See what changed since this version

MC1193410 - Automatic Windows event auditing configuration availability for unified sensors (V3.x)

Message Center

What changed since this version

removed textadded text

Updated January 6, 2026: We have updated the timeline. Thank you for your patience. 

Introduction

We’re introducing a new opt-in feature for automatic event-auditing configuration in Microsoft Defender for Identity unified sensors (v3.x). This enhancement simplifies deployment by automatically applying the required Windows event-auditing settings on sensors, reducing manual post-deployment steps and ensuring consistent policy enforcement across all onboarded sensors.

When this will happen:

  • General Availability (Worldwide, GCC, GCCH, and DoD): The auditing opt-in feature will be available starting mid-January 2026 (previously early January 2026,January), with rollout expected to complete by mid-end of January 2026.2026 (previously mid-January). Until then, it will remain disabled in the portal.
  • Related auditing health alerts will also roll out gradually starting mid-January 2026 (previously early January 2026,January), completing by mid-end of January 2026.2026 (previously mid-January).

How this affects your organization:

Who is affected: Admins managing Defender for Identity unified sensors (v3.x) in Microsoft 365 tenants.

What will happen:

  • A new opt-in setting will be available in both the UI and via Graph API.
  • In the UI, this option will appear under Defender for Identity Settings → Advanced features.
  • Once enabled, the automatic configuration feature will:
    • For new sensor activations: Automatically apply all required Windows event-auditing settings during activation.
    • For existing onboarded sensors: Automatically apply Windows event-auditing settings only if misconfigured and dismiss related health issues.
  • After enabling the toggle, the automatic configuration process may take up to 24 hours to apply across all applicable Identity Unified sensors (v3.x).
  • This feature is not enabled by default and requires admin action. No changes will occur unless admins choose to enable the feature.

Relevant auditing configurations health issues covered:

  • NTLM auditing is not enabled
  • Directory Services Advanced Auditing is not enabled as required
  • Directory Services Object Auditing is not enabled as required
  • Auditing on the Configuration container is not enabled as required
  • Auditing on the ADFS container is not enabled as required

What you can do to prepare:

No action is required unless you choose to enable the feature.

If you plan to opt in:

  • Review your unified sensor deployment strategy.
  • Enable the opt-in setting via the UI or Graph API.
  • Communicate the change to relevant IT and security teams.
  • Update internal documentation if you track auditing configurations.

Learn more:

Compliance considerations:

No compliance considerations identified, review as appropriate for your organization.

Snapshot from Dec 9, 2025

Introduction

We’re introducing a new opt-in feature for automatic event-auditing configuration in Microsoft Defender for Identity unified sensors (v3.x). This enhancement simplifies deployment by automatically applying the required Windows event-auditing settings on sensors, reducing manual post-deployment steps and ensuring consistent policy enforcement across all onboarded sensors.

When this will happen:

  • General Availability (Worldwide, GCC, GCCH, and DoD): The auditing opt-in feature will be available starting early January 2026, with rollout expected to complete by mid-January 2026. Until then, it will remain disabled in the portal.
  • Related auditing health alerts will also roll out gradually starting early January 2026, completing by mid-January 2026.

How this affects your organization:

Who is affected: Admins managing Defender for Identity unified sensors (v3.x) in Microsoft 365 tenants.

What will happen:

  • A new opt-in setting will be available in both the UI and via Graph API.
  • In the UI, this option will appear under Defender for Identity Settings → Advanced features.
  • Once enabled, the automatic configuration feature will:
    • For new sensor activations: Automatically apply all required Windows event-auditing settings during activation.
    • For existing onboarded sensors: Automatically apply Windows event-auditing settings only if misconfigured and dismiss related health issues.
  • After enabling the toggle, the automatic configuration process may take up to 24 hours to apply across all applicable Identity Unified sensors (v3.x).
  • This feature is not enabled by default and requires admin action. No changes will occur unless admins choose to enable the feature.

Relevant auditing configurations health issues covered:

  • NTLM auditing is not enabled
  • Directory Services Advanced Auditing is not enabled as required
  • Directory Services Object Auditing is not enabled as required
  • Auditing on the Configuration container is not enabled as required
  • Auditing on the ADFS container is not enabled as required

What you can do to prepare:

No action is required unless you choose to enable the feature.

If you plan to opt in:

  • Review your unified sensor deployment strategy.
  • Enable the opt-in setting via the UI or Graph API.
  • Communicate the change to relevant IT and security teams.
  • Update internal documentation if you track auditing configurations.

Learn more:

Compliance considerations:

No compliance considerations identified, review as appropriate for your organization.