Microsoft Defender for Identity: We will disable collection of local administrators’ group members (using SAM-R)

Microsoft Defender for Identity will disable the remote collection of local administrators’ group members using SAM-R queries starting early May 2025. This change will impact the ability to map potential lateral movement paths. No admin action is required unless NTLM is disabled and you need the feature reenabled.

In Microsoft Defender for Identity, we have started to disable the remote collection of local administrators’ group members on endpoints (using SAM-R queries). We started disabling the feature in early May 2025 and expect to complete by mid-May 2025. This change is part of our ongoing efforts to enhance security and improve the overall performance of our services.

How this will affect your organization:

This feature performs remote queries to identify local administrators on the remote machines contacting the servers where the Defender for Identity sensor is installed. The details collected are used to build the potential lateral movement paths map. Disabling this feature will impact the ability to map potential lateral movement paths (using SAM-R queries) because the data used to calculate potential lateral movement paths will no longer be collected by the Defender for Identity sensor.

What you need to do to prepare:

This change will happen automatically by the specified dates. No admin action is required. If you have completely disabled NTLM (New Technology LAN Manager) in your environment and would like to keep the feature working, please open a support case asking to reenable the feature.

Message ID: MC1073068
The post Microsoft Defender for Identity: We will disable collection of local administrators’ group members (using SAM-R) appeared first on M365 Admin.