MC1187403: Automatic Windows event auditing configuration now available for unified sensors (V3.x)
Defender for Identity unified sensors (V3.x) will offer an opt-in feature from mid-Nov 2025 to automatically configure Windows event-auditing settings, simplifying deployment and ensuring consistent policies. Admins must enable this feature manually; it applies to all sensors and addresses specif...
[Introduction]
We’re introducing a new opt-in feature for automatic event-auditing configuration in Defender for Identity unified sensors (V3.x). This enhancement simplifies deployment by allowing admins to automatically apply the required Windows event-auditing settings on their sensors. It reduces manual post-deployment steps and ensures consistent policy enforcement across all onboarded sensors.
[When this will happen:]
General Availability (Worldwide, GCC, GCCH, and DoD): The auditing opt-in feature will be available starting mid-Nov 2025, with rollout expected to complete within the same timeframe.
General Availability (Worldwide, GCC, GCCH, and DoD): The related auditing health alerts will be released gradually by mid-December 2025.
[How this affects your organization:]
Who is affected:
Admins managing Defender for Identity unified sensors (V3.x) in Microsoft 365 tenants.
What will happen:
- A new opt-in setting will be available in both the UI and via Graph API.
- In the UI, this option will appear under Defender for Identity Settings → Advanced features.
- Once enabled, the automatic configuration feature will:
- For new sensor activations: automatically apply all required Windows event-auditing settings during activation.
- For existing onboarded sensors: automatically apply auditing settings only if misconfigured, and dismiss the related health issues.
- The opt-in applies to all unified sensors in the tenant.
- This feature is not enabled by default and requires admin action.
- No changes will occur unless admins choose to enable the feature.
Relevant auditing configurations health issues covered:
- NTLM auditing is not enabled
- Directory Services Advanced Auditing is not enabled as required
- Directory Services Object Auditing is not enabled as required
- Auditing on the Configuration container is not enabled as required
- Auditing on the ADFS container is not enabled as required
[What you can do to prepare:]
No action is required unless you choose to enable the feature.
If you plan to opt in:
- Review your unified sensor deployment strategy.
- Enable the opt-in setting via the UI or Graph API.
- Communicate the change to relevant IT and security teams.
- Update internal documentation if you track auditing configurations.
To review the required auditing configurations for Defender for Identity unified sensors (V3.x)
For details about the relevant auditing health issues
[Compliance considerations:]
No compliance considerations identified, review as appropriate for your organization.