Oct 28 2022 02:12 AM - edited Oct 28 2022 02:13 AM
The new local admin lock (KB5020282—Account lockout available for built-in local administrators (microsoft.com)) is great, but locks are not detected (shown) by Defender Endpoint. I tried the new function, and after it locks it generates an event ID 4740. But I noticed this is not being picked up, although the server is onboarded.
We do not have all the systems connected to OMS, and this is also not going to happen soon. For now we will pick the event up with SCOM. But it would be nice if this alert showed up in the endpoint for defender portal.
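
As an added example that is not part of the original post: one way to confirm locally that event ID 4740 was logged for the built-in Administrator, whatever collector ends up picking it up. It assumes an elevated session on the server itself; the 24-hour window and the output property names are arbitrary choices.

```powershell
# Added example: list lockouts (event ID 4740) of the built-in Administrator account.
# Assumption: run elevated on the server; the 24-hour look-back is arbitrary.
$since = (Get-Date).AddHours(-24)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $since
} -ErrorAction SilentlyContinue   # no matching events is not an error here

$lockouts = foreach ($e in $events) {
    # Read the named EventData fields from the event XML.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # The built-in Administrator always has RID 500, even when it has been renamed.
    if ($data['TargetSid'] -match '-500$') {
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            Account     = $data['TargetUserName']
            Sid         = $data['TargetSid']
            # In 4740 this field carries the caller computer name.
            Source      = $data['TargetDomainName']
        }
    }
}

$lockouts | Sort-Object TimeCreated | Format-Table -AutoSize
```

Matching on the RID rather than the account name keeps the check working where the Administrator account has been renamed; on a domain controller the same filter matches the domain's built-in Administrator.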