The new local admin lock is great but locks not detected (shown) by Defender.

Regular Visitor

The new local admin lock (KB5020282—Account lockout available for built-in local administrators (microsoft.com)) is great but locks not detected (shown) by Defender Endpoint. I tried the new function and after it locks it generates an event ID 4740. But i noticed this is not being picked up although the server is onboarded.

 

We do not have all the systems connected to OMS and this is also not going to happen soon. For now we will pick the event up with SCOM. But would be nice that this alert shows up in the endpoint for defender portal.

0 Replies