New post-deployment configuration for unified sensors (preview)

Originally posted by Microsoft Sep 30, 2025 Uncategorized 0 Comments

Microsoft Defender for Identity introduces a new opt-in post-deployment configuration for unified sensors (v3.x) enabling RPC monitoring via the Unified Sensor RPC Audit tag. Rollout starts late September 2025, enhancing advanced identity detections with visibility in device inventory. No action needed unless enabling the feature.

Introduction

Unified Sensor RPC Audit

When this will happen:

late September 2025mid-October 2025

Preview (GCC, GCCH, and DoD): Rollout will begin in late September 2025 and is expected to complete in late October 2025.

How this affects your organization:

• Who is affected: This configuration option applies only to devices running the unified sensor (v3.x).
• What will happen:
  • A new configuration option will be available in Asset rule management.
  • Admins can apply the Unified Sensor RPC Audit tag to onboarded domain controllers running the unified sensor (v3.x).
  • Devices with this tag will have WFP-based RPC monitoring enabled.
  • Once applied, the configuration is enforced on existing and future devices that match the rule criteria.
  • Tagged devices will appear in Device inventory for visibility and auditing.
  • This feature is opt-in and not enabled by default.

What you can do to prepare:

• No action is required unless you want to enable the feature.
• If needed, enable the new configuration option by creating an asset management rule to apply the tag.
• Communicate this change to your security and compliance teams.

Learn more: Microsoft Defender for Identity sensor v3.x prerequisites (Preview)

Compliance considerations:

No compliance considerations identified, review as appropriate for your organization.

Message ID: MC1162274