Unified sensor (v3.x) – new Remote Procedure Call (RPC) configuration health alert for Microsoft Defender for Identity

Message Center ID: MC1187390
Microsoft Defender XDR
Stay Informed
New feature Admin impact
December 2025 January 2026

Summary

Microsoft Defender for Identity will roll out a new RPC Configuration Health Alert for v3.x sensors starting January 2026. It monitors RPC settings, improves detection accuracy, and uses the Unified Sensor RPC Audit tag for configuration enforcement and visibility in Device Inventory and Advanced Hunting.

Details

Updated November 19, 2025: We have updated the timeline. Thank you for your patience.

[Introduction]

We’re introducing a new Remote Procedure Call (RPC) Configuration Health Alert for sensors v3.x in Microsoft Defender for Identity. This capability proactively monitors RPC configuration across your environment, helping administrators quickly identify and remediate misconfigurations that could impact detection accuracy or security posture. Additionally, applying the Unified Sensor RPC Audit tag enables advanced identity detections, improving security visibility and unlocking additional detection capabilities.

[When this will happen:]

General availability (Production, GCC, GCCH): We will begin rolling out early January 2026 (previously early December 2025) and expect to complete by mid-January 2026 (previously mid-December 2025).

[How this affects your organization:]

  • Who is affected: Admins managing Microsoft Defender for Identity v3.x sensors.
  • What will happen:
    • A new health alert will monitor RPC configuration status on v3.x sensors.
    • Applying the Unified Sensor RPC Audit tag will enforce configuration on existing and future v3.x sensors that match rule criteria.
    • The tag will be visible in Device Inventory and Advanced Hunting, providing transparency and auditing capabilities.
    • This feature improves detection accuracy and overall security coverage.

[What you can do to prepare:]

To apply the RPC Audit tag on your v3.x sensors:

  1. In the Microsoft Defender portal, navigate to: System > Settings > Microsoft Defender XDR > Asset Rule Management.
  2. Select Create a new rule.
  3. Enter a Rule name and Description, then set conditions using Device name, Domain, or Device tag. Ensure the Defender for Identity v3.x sensor is deployed on targeted devices.
  4. Add the tag Unified Sensor RPC Audit.
  5. Review and submit the rule.

For more details, refer to the Microsoft Defender for Identity documentation.
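
Once the rule has been submitted, tag coverage can be checked from Advanced Hunting. The query below is an added example, not part of the Microsoft announcement. It assumes the tag applied by Asset Rule Management appears in the `DeviceDynamicTags` column of the `DeviceInfo` table, and the host names in `ExpectedSensors` are constructed placeholders for the servers where you deployed the v3.x sensor.

```kusto
// Constructed sample list: replace with the hosts running the v3.x sensor.
let ExpectedSensors = datatable(DeviceName:string) [
    "dc01.contoso.example",
    "dc02.contoso.example"
];
let RpcAuditTag = "Unified Sensor RPC Audit";
// Latest Device Inventory record per device over the last 7 days.
let LatestInventory = DeviceInfo
    | where Timestamp > ago(7d)
    | summarize arg_max(Timestamp, *) by DeviceId
    // Assumption: rule-applied tags are reported in DeviceDynamicTags.
    | project DeviceNameKey = tolower(DeviceName), DeviceId,
              LastSeen = Timestamp, Tags = tostring(DeviceDynamicTags);
ExpectedSensors
| extend DeviceNameKey = tolower(DeviceName)
| join kind=leftouter LatestInventory on DeviceNameKey
// Classify each expected sensor host by whether the tag reached it.
| extend Status = case(
    isempty(DeviceId), "not in Device Inventory",
    Tags contains RpcAuditTag, "tagged",
    "tag missing")
| project DeviceName, Status, LastSeen, Tags
| order by Status asc, DeviceName asc
```

Hosts reported as "tag missing" did not match the rule conditions set in step 3; hosts reported as "not in Device Inventory" have no inventory record in the query window.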

[Compliance considerations:]

No compliance considerations identified; review as appropriate for your organization.

Change History

November 19, 2025 at 6:30 PM Updated
Summary
Previous
Microsoft Defender for Identity introduces a new RPC Configuration Health Alert for v3.x sensors, rolling out December 2025. It monitors RPC settings, improves detection accuracy, and enables the Unified Sensor RPC Audit tag for enhanced security visibility and auditing via Device Inventory and Advanced Hunting.
New
Microsoft Defender for Identity will roll out a new RPC Configuration Health Alert for v3.x sensors starting January 2026. It monitors RPC settings, improves detection accuracy, and uses the Unified Sensor RPC Audit tag for configuration enforcement and visibility in Device Inventory and Advanced Hunting.
Last Updated Date
Previous
2025-11-17T23:49:38.800Z
New
2025-11-19T17:30:54.380Z
Tags
Previous
New feature,Admin impact
New
Updated message,New feature,Admin impact
Body Content
Previous

[When this will happen:]

General availability (Production, GCC, GCCH): We will begin rolling out early December 2025 and expect to complete by mid-December 2025.

New

Updated November 19, 2025: We have updated the timeline. Thank you for your patience.

[When this will happen:]

General availability (Production, GCC, GCCH): We will begin rolling out early January 2026 (previously early December 2025) and expect to complete by mid-January 2026 (previously mid-December 2025).

