Microsoft 365 Alert – Service Degradation – Microsoft Defender XDR – Users relying on Microsoft Defender for Identity Sensor V2 protection had reduced identity attack protection – RESOLVED

13/01/2026 08:59:00 AM

NHSmail Reference: INC46722228

Microsoft Reference: DZ1216968

Issue Status: RESOLVED

Issue Description: Users relying on Microsoft Defender for Identity Sensor V2 protection had reduced identity attack protection.

More info: Specifically, users leveraging Microsoft Defender for Identity Sensor V2 with proxy settings had reduced protection against identity-based attacks on domain controllers and identity services.

This affected protection for domain controllers and identity services such as Active Directory Certificate Services (ADCS), Active Directory Federation Services (ADFS), and Active Directory Connect.

To manually restore machines on the impacted build 2.254.19099.36287 to a healthy state, admins should run the following script as Administrator (Elevated) to restore the SensorConfiguration and ensure the updater service continues to operate as intended:

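# Copy the configuration from the previous build's folder into the impacted build's folder
Copy-Item "$env:ProgramW6432\Azure Advanced Threat Protection Sensor\2.253.19052.52260\SensorConfiguration.json" "$env:ProgramW6432\Azure Advanced Threat Protection Sensor\2.254.19099.36287\SensorConfiguration.json" -Force
# Set the updater service to delayed automatic start, then start it
sc.exe config AATPSensorUpdater start= delayed-auto
Start-Service -Name "AATPSensorUpdater"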
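
A read-only check that can be run before and after the script above, to confirm whether a machine is on the impacted build and whether the copy has a usable source file. This is an added example, not part of the Microsoft or NHSmail guidance; the build numbers, paths and service name are the ones quoted in this alert, and the function name Test-SensorConfig is hypothetical.

```powershell
# Added example (not Microsoft's script): read-only, changes nothing on the host.
# Paths, build numbers and the service name are taken from this alert.
$root      = Join-Path $env:ProgramW6432 'Azure Advanced Threat Protection Sensor'
$prevBuild = '2.253.19052.52260'   # folder the remediation copies FROM
$badBuild  = '2.254.19099.36287'   # impacted build, folder it copies TO

function Test-SensorConfig {       # hypothetical helper name
    param([string]$Build)
    $path   = Join-Path (Join-Path $root $Build) 'SensorConfiguration.json'
    $result = [ordered]@{ Build = $Build; Exists = $false; ValidJson = $false; Path = $path }
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $result.Exists = $true
        $raw = Get-Content -LiteralPath $path -Raw -ErrorAction SilentlyContinue
        # An empty or truncated file is treated the same as a missing one.
        if (-not [string]::IsNullOrWhiteSpace($raw)) {
            try { $null = ConvertFrom-Json -InputObject $raw -ErrorAction Stop; $result.ValidJson = $true }
            catch { }
        }
    }
    [pscustomobject]$result
}

$source = Test-SensorConfig $prevBuild
$target = Test-SensorConfig $badBuild
$source, $target | Format-Table Build, Exists, ValidJson -AutoSize

# Win32_Service exposes both the start mode and the delayed-start flag.
$svc = Get-CimInstance Win32_Service -Filter "Name='AATPSensorUpdater'"
if ($svc) { $svc | Format-List Name, State, StartMode, DelayedAutoStart }
else      { Write-Warning 'AATPSensorUpdater service not found on this machine.' }

if (-not (Test-Path -LiteralPath (Join-Path $root $badBuild) -PathType Container)) {
    'Impacted build folder not present: the remediation script does not apply here.'
} elseif ($target.ValidJson) {
    'Impacted build already has a readable SensorConfiguration.json: check the service state above.'
} elseif ($source.ValidJson) {
    'Impacted build is missing its configuration and the previous build has one: run the remediation script.'
} else {
    'No usable SensorConfiguration.json in the previous build folder: Copy-Item would fail, so raise a support case.'
}
```

After remediation, the expected state is a readable configuration in the 2.254.19099.36287 folder and the updater service running with an automatic, delayed start.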

Final Update: 13/01/2026 08:44:00 AM Microsoft has completed the deployment of their fix throughout the affected environment. However, they have identified that a subset of proxy machines remain in a suboptimal disconnected state due to an issue with the impacted build 2.254.19099.36287. Admins experiencing residual impact with machines still on this build should run the script provided in the updated “More info” section above to ensure full remediation. Admins in need of further assistance with resolving residual impact can reach out to our support representatives.

Scope of impact: Your organization was affected by this event, and all users relying on Microsoft Defender for Identity Sensor V2 protection that used proxy configuration were impacted.

Root cause: A recent Microsoft Defender for Identity service update caused Sensor V2 instances that rely on proxy connections to lose their configuration, resulting in disconnection and impact.

Next Steps: Microsoft are reviewing their update testing and validation methods to better identify code issues such as this prior to deployment to prevent similar impact in the future.
