Back to Announcements

Microsoft 365 Alert – Service Degradation – Microsoft Defender XDR – Some users’ Device Control policies are getting applied inconsistently in Microsoft Defender for Endpoint – ONGOING

Announcements Shagufta Naaz

09/03/2026 8:25:00 AM

NHSmail Reference: INC46767270

Microsoft Reference: DZ1246124

Issue Status: ONGOING

Issue Description: Some users’ Device Control policies are getting applied inconsistently in Microsoft Defender for Endpoint.

More info: Impact is specific to a subset of users using secure identifier (SIDs) for EntraID with Device Control policies on Windows devices accessing Microsoft Graph API in Microsoft Defender for Endpoint.

Current Update: 09/03/2026 8:25:00 AM Microsoft has received user reports indicating that a subset of users are seeing inconsistent results when using secure identifier (SIDs) for EntraID with Device Control policies on Windows devices accessing Microsoft Graph API in Microsoft Defender for Endpoint. They have identified that a configuration change related to retrieving data for Device control on Windows devices is causing an increased usage of Microsoft Graph API, preventing requests from getting processed and have developed a fix that contains guardrails that reduce the chances of device control policies from getting not properly processed and to fully resolve the issue. They are deploying our fix to our internal testing environment to ensure its effectiveness before deploying more broadly, and in the interim, and have disabled the impacting configuration change to remediate majority of the impact. In parallel, they are monitoring our service telemetry for an extended period of time to confirm the disabling of change is having the desired effect. They anticipate that the validation process will be completed and following deployment process will have begun by their next scheduled communications update.

Scope of impact: Your organization is affected by this event, and a subset of users attempting to use secure identifier (SIDs) for EntraID with Device Control policies on Windows devices in Microsoft Defender for Endpoint are impacted. This information may be updated as our investigation continues.

Root cause: A configuration change related to retrieving data for Device control on Windows devices is causing an increased usage of Microsoft Graph API, preventing requests from getting processed.

Next update by: Friday, March 13, 2026, at 7:00 PM UTC

back to top