Table of Contents
Summary
- A new opt-in feature for automatic event-auditing configuration will be introduced in Defender for Identity unified sensors (V3.x).
- Admins can enable the feature through the UI or Graph API, impacting all unified sensors in the tenant.
- The feature automates the application of required Windows event-auditing settings for new sensor activations and existing sensors that are misconfigured.
- No changes will occur unless admins actively choose to enable the feature.
- Relevant auditing health issues will be addressed by this enhancement.
Admin Impact: Medium
User Impact: Low
Release Start: 15 Nov 2025
Release End: 31 Dec 2025
Services: Defender XDR
Category: Stay informed
Tags: New Feature, Admin Action
History
11/17/2025 Item Added to Message Center
Microsoft Message
Updated November 19, 2025: We have updated the timeline. Thank you for your patience.
Introduction
We’re introducing a new opt-in feature for automatic event-auditing configuration in Defender for Identity unified sensors (V3.x). This enhancement simplifies deployment by allowing admins to automatically apply the required Windows event-auditing settings on their sensors. It reduces manual post-deployment steps and ensures consistent policy enforcement across all onboarded sensors.
When this will happen
- General Availability (Worldwide, GCC, GCCH, and DoD): The auditing opt-in feature will be available starting mid-December 2025 (previously mid-November), with rollout expected to complete within the same timeframe.
- General Availability (Worldwide, GCC, GCCH, and DoD): The related auditing health alerts will be released gradually by mid-January 2026 (previously mid-December).
How this affects your organization
Who is affected:
Admins managing Defender for Identity unified sensors (V3.x) in Microsoft 365 tenants.
What will happen:
- A new opt-in setting will be available in both the UI and via Graph API.
- In the UI, this option will appear under Defender for Identity Settings → Advanced features.
- Once enabled, the automatic configuration feature will:
- For new sensor activations: automatically apply all required Windows event-auditing settings during activation.
- For existing onboarded sensors: automatically apply auditing settings only if misconfigured, and dismiss the related health issues.
- The opt-in applies to all unified sensors in the tenant.
- This feature is not enabled by default and requires admin action.
- No changes will occur unless admins choose to enable the feature.
Relevant auditing configurations health issues covered:
- NTLM auditing is not enabled
- Directory Services Advanced Auditing is not enabled as required
- Directory Services Object Auditing is not enabled as required
- Auditing on the Configuration container is not enabled as required
- Auditing on the ADFS container is not enabled as required
What you can do to prepare
No action is required unless you choose to enable the feature.
If you plan to opt in:
- Review your unified sensor deployment strategy.
- Enable the opt-in setting via the UI or Graph API.
- Communicate the change to relevant IT and security teams.
- Update internal documentation if you track auditing configurations.
To review the required auditing configurations for Defender for Identity unified sensors (V3.x)
For details about the relevant auditing health issues
Compliance considerations
No compliance considerations identified, review as appropriate for your organization.