Merge pull request #5617 from MicrosoftDocs/main

[AutoPublish] main to live - 11/16 22:37 PST | 11/17 12:07 IST

Author: m365-skilling-repo-management[bot]

defender-for-identity/deploy/configure-windows-event-collection.md

@@ -1,7 +1,7 @@
 ---
 title: Configure audit policies for Windows event logs | Microsoft Defender for Identity
 description: This article describes how to configure audit policies for Windows event logs as part of deploying a Microsoft Defender for Identity sensor.
-ms.date: 06/04/2025
+ms.date: 11/05/2025
 ms.topic: how-to
 ms.reviewer: rlitinsky
 ---
@@ -23,9 +23,13 @@ Defender for Identity generates health issues for each of these scenarios if the
 Before you start creating new event and audit policies, we recommend that you run the following PowerShell command to generate a report of your current domain configurations:
 
 ```powershell
-New-MDIConfigurationReport [-Path] <String> [-Mode] <String> [-OpenHtmlReport]
+New-MDIConfigurationReport -Path "C:\Reports" -Mode Domain -Identity "DOMAIN\ServiceAccountName" -OpenHtmlReport
 ```
 
+> [!NOTE]
+> When using `-Mode Domain`, include the `-Identity` parameter to avoid an interactive prompt.
+> For more information, see: [New-MDIConfigurationReport](/powershell/module/defenderforidentity/new-mdiconfigurationreport?view=defenderforidentity-latest&preserve-view=true).
+
 In the preceding command:
 
 - `Path` specifies the path to save the reports to.

defender-for-identity/whats-new.md

@@ -25,6 +25,14 @@ For updates about versions and features released six months ago or earlier, see
 
 ## November 2025
 
+Defender for Identity now offers an opt-in automatic event-auditing configuration for unified sensors (V3.x). This feature streamlines deployment by automatically applying required Windows auditing settings to new sensors and fixing misconfigurations on existing ones. Admins can enable the option in the Defender for Identity Settings -> Advanced Features or via Graph API. The capability and its related health alerts will roll out globally beginning mid-November 2025.
+**Releated Health alerts:**
+- NTLM Auditing is not enabled 
+- Directory Services Advanced Auditing is not enabled as required 
+- Directory Services Object Auditing is not enabled as required 
+- Auditing on the Configuration container is not enabled as required 
+- Auditing on the ADFS container is not enabled as required
+
 ### New security posture assessment: Change password for on-prem account with potentially leaked credentials (Preview)
 
 The new security posture assessment lists users whose valid credentials have been leaked. For more information, see: [Change password for on-prem account with potentially leaked credentials (Preview)](/defender-for-identity/security-posture-assessments/accounts#change-password-for-on-prem-account-with-potentially-leaked-credentials-preview)