Skip to content

Commit eaca5ca

Browse files
paulinbarpaulinbar
authored
Merge pull request #5504 from MicrosoftDocs/paulinbar-patch-1
Update date and LSA Policy notes in documentation
2 parents 3ef614f + 953306e commit eaca5ca

File tree

1 file changed

+5
-2
lines changed

1 file changed

+5
-2
lines changed

defender-endpoint/respond-machine-alerts.md

Lines changed: 5 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -5,7 +5,7 @@ ms.service: defender-endpoint
55
ms.author: painbar
66
author: paulinbar
77
ms.localizationpriority: medium
8-
ms.date: 09/01/2025
8+
ms.date: 11/05/2025
99
manager: bagol
1010
audience: ITPro
1111
ms.collection:
@@ -19,6 +19,7 @@ appliesto:
1919
- Microsoft Defender for Business
2020

2121
---
22+
2223
# Take response actions on a device
2324

2425

@@ -362,7 +363,9 @@ When an identity in your network might be compromised, you must prevent that ide
362363
> Blocking incoming communication with a "contained" user is supported on onboarded Microsoft Defender for Endpoint Windows 10 and 11 devices (Sense version 8740 and higher), Windows Server 2019+ devices, and Windows Servers 2012R2 and 2016 with the modern agent.
363364
364365
> [!IMPORTANT]
365-
> Once a **Contain user** action is enforced on a domain controller, it starts a GPO update on the Default Domain Controller policy. A change of a GPO starts a sync across the domain controllers in your environment. This is expected behavior, and if you monitor your environment for AD GPO changes, you may be notified of such changes. Undoing the **Contain user** action reverts the GPO changes to their previous state, which will then start another AD GPO synchronization in your environment. Learn more about [merging of security policies on domain controllers](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj966251(v=ws.11)#merging-of-security-policies-on-domain-controllers).
366+
> As part of the active protection provided by Microsoft Defender for Endpoint, a distributed mechanism can apply LSA Policy to prevent compromised users from accessing machines in your organization. Currently, when this policy is applied on Domain Controllers, it may cause Group Policy synchronization activity across domain controllers.
367+
>
368+
> We are gradually rolling out a new solution by integrating with new OS APIs. This deployment will be phased and thoroughly tested to ensure stability and security. During this rollout, LSA Policy enforcement on your servers will be temporarily removed to prevent potential GPO sync. This change will remain in effect until the rollout is complete.
366369
367370
### How to contain a user
368371

0 commit comments

Comments
 (0)