Microsoft 365 Alert – Service Degradation – Microsoft Defender XDR – Some users’ Device Control policies are getting applied inconsistently in Microsoft Defender for Endpoint – ONGOING

09/03/2026 8:25:00 AM

NHSmail Reference: INC46767270

Microsoft Reference: DZ1246124

Issue Status: ONGOING

Issue Description: Some users’ Device Control policies are getting applied inconsistently in Microsoft Defender for Endpoint.

More info: Impact is specific to a subset of users using security identifiers (SIDs) for Entra ID with Device Control policies on Windows devices accessing Microsoft Graph API in Microsoft Defender for Endpoint.

Current Update: 30/03/2026 8:40:00 AM Microsoft has completed deployment of the first fix to reduce the chances of Device Control policies not processing as expected. Their monitoring shows improvements in service behavior following this deployment. They are now preparing the second fix for deployment and, based on their current estimates, they suspect deployment will begin on April 8, 2026, and complete by April 15, 2026.

Scope of impact: Your organization is affected by this event, and a subset of users attempting to use security identifiers (SIDs) for Entra ID with Device Control policies on Windows devices in Microsoft Defender for Endpoint are impacted. This information may be updated as our investigation continues.

Root cause: A configuration change related to retrieving data for Device Control on Windows devices is causing increased usage of Microsoft Graph API, preventing requests from getting processed.

Next update by: Friday, April 10, 2026, at 7:00 PM UTC
