Microsoft Defender XDR Blog

Announcing General Availability: Unified identity and endpoint sensor

RonitLitinsky
Oct 23, 2025

We’re excited to announce the general availability of version 3.x of the Defender for Identity sensor!

This milestone streamlines the deployment of on-premises identity security by unifying our endpoint and identity protection into a single sensor, pre-installed and ready for activation on Domain Controllers running Windows Server 2019 or newer.

What Is a sensor? What’s new about this version?

Viewed through a cybersecurity lens, a “sensor” is a software component that monitors and protects critical infrastructure. Serving as one of the first lines of defense against threat actors, sensors continuously scan corporate resources for malicious activity or misconfigurations to ensure your organization remains secure.

Like many security solutions, Microsoft Defender relies on sensors to gain visibility into the endpoints and on-premises identity infrastructure within your environment. The telemetry they provide — plus unmatched Microsoft Threat Intelligence — enables us to help security professionals better detect and respond to potential threats targeting their domains. Individually, the insights into the endpoints and users are extremely valuable. But when used in tandem, they provide a holistic view and protection for identity infrastructure.

V3.x takes this co-existence a step further and merges the components, eliminating the need for installing and maintaining two distinct sensors. For qualifying Domain Controllers, it’s fast and simple to activate with a click of a button, optimized for performance, and is embedded within the Windows operating system.

What does this mean for customers?

New customers can now easily activate identity protections on critical on-premises identity infrastructure by deploying v3.x to eligible Domain Controllers in a matter of clicks. This streamlined approach reduces deployment complexity, minimizes configuration errors, and accelerates time-to-protection. It also allows security teams to focus on threat detection and response instead of managing infrastructure prerequisites. Additional benefits include:

  • Built into the OS – The sensor is now part of Windows Server 2019 and later (with the latest cumulative update), eliminating many of the prerequisites required by earlier sensor versions. 
  • “One-click” activation – Once your domain controller is onboarded to Defender for Endpoint for Servers, enabling identity protections can be done in just a matter of clicks within the Defender portal. You no longer need to download and distribute the sensor deployment packages, install .NET dependencies, configure Npcap for interoperability, or open ports for Network Name Resolution (NNR).
  • Increased automation – You can even enable automatic activation for all domain controllers that meet the requirements, ensuring continuous protection with zero extra effort.

How to get started:

  1. Review the prerequisites listed within our documentation to determine if you are eligible to deploy v3.x.
  2. If you meet all the prerequisites, use the detailed activation guide to activate v3.x.
  3. Once activated, we recommend you opt in to apply unified sensor Remote Procedure Call (RPC) audit tags. By applying these tags, you enable advanced identity detections that rely on RPC monitoring via the Windows Filtering Platform (WFP). This unlocks additional alerts and visibility for identity-based threats.

What's next? 

Join us at Microsoft Ignite in San Francisco on November 17–21, or online, November 18–20, for deep dives and practical labs to help you maximize your Microsoft Defender investments and to get more from the Microsoft capabilities you already use. Security is a core focus at Ignite this year, with the Security Forum on November 17th, deep dive technical sessions, theater talks, and hands-on labs designed for security leaders and practitioners.

Featured sessions

  • BRK237: Identity Under Siege: Modern ITDR from Microsoft
    Join experts in Identity and Security to hear how Microsoft is streamlining collaboration across teams and helping customers better protect, detect, and respond to threats targeting your identity fabric.
  • BRK240: Endpoint security in the AI era: What's new in Defender
    Discover how Microsoft Defender’s AI-powered endpoint security empowers you to do more, better, faster.
  • BRK236: Your SOC’s ally against cyber threats, Microsoft Defender Experts
    See how Defender Experts detect, halt, and manage threats for you, with real-world outcomes and demos.
  • LAB541: Defend against threats with Microsoft Defender
    Get hands-on with Defender for Office 365 and Defender for Endpoint, from onboarding devices to advanced attack mitigation.

Explore and filter the full security catalog by topic, format, and role: aka.ms/SessionCatalogSecurity.

Why attend?
Ignite is the place to learn about the latest Defender capabilities, including new agentic AI integrations and unified threat protection. We will also share future-facing innovations in Defender, as part of our ongoing commitment to autonomous defense.

Security Forum—Make day 0 count (November 17)
Kick off with an immersive, in-person pre-day focused on strategic security discussions and real-world guidance from Microsoft leaders and industry experts. Select Security Forum during registration.


Updated Oct 23, 2025
Version 1.0
