Merge pull request #3820 from MicrosoftDocs/main

[AutoPublish] main to live - 05/19 04:29 PDT | 05/19 16:59 IST

Author: padmagit77

ATPDocs/deploy/remote-calls-sam.md

@@ -8,18 +8,11 @@ ms.topic: how-to
 # Configure SAM-R to enable lateral movement path detection in Microsoft Defender for Identity
 
 > [!IMPORTANT]
-> Remote collection of local administrators' group members on endpoints (using SAM-R queries) feature in Microsoft Defender for Identity will be disabled by mid-May 2025. This change will happen automatically by the specified dates. No admin action is required. 
+> The remote collection of local administrators group members from endpoints using SAM-R queries in Microsoft Defender for Identity will be disabled by mid-May 2025. This data is currently used to build potential lateral movement path maps, which will no longer be updated after this change. The change will occur automatically by the specified date, and no administrative action is required.
 > 
 
 Microsoft Defender for Identity mapping for [potential lateral movement paths](/defender-for-identity/understand-lateral-movement-paths) relies on queries that identify local admins on specific machines. These queries are performed with the SAM-R protocol, using the Defender for Identity [Directory Service account](directory-service-accounts.md) you configured.
 
-> [!NOTE]
-> This feature can potentially be exploited by an adversary to obtain the NTLM hash of the DSA account due to a Windows limitation in the SAM-R calls that allows downgrading from Kerberos to NTLM.
-> The new Defender for Identity sensor (version 3.x) is not affected by this issue as it uses different detection methods.
-> 
-> It is recommended to use a [low privileged DSA account](directory-service-accounts.md#grant-required-dsa-permissions). You can also [contact support](../support.md) to open a case and request to completely disable the [Lateral Movement Paths](../security-assessment-riskiest-lmp.md) data collection capability.
-> Please note that this will result in reduced data available for the [attack path feature in Exposure Management](/security-exposure-management/review-attack-paths).
-
 This article describes the configuration changes required to allow the Defender for Identity Directory Services Account (DSA) to perform the SAM-R queries.
 
 > [!TIP]

ATPDocs/understand-lateral-movement-paths.md

@@ -7,9 +7,13 @@ ms.topic: conceptual
 
 # Understand and investigate Lateral Movement Paths (LMPs) with Microsoft Defender for Identity
 
+> [!IMPORTANT]
+>  The remote collection of local administrators group members from endpoints using SAM-R queries in Microsoft Defender for Identity will be disabled by mid-May 2025. This data is currently used to build potential lateral movement path maps, which will no longer be updated after this change. The change will occur automatically by the specified date, and no administrative action is required.
+>
+
 Lateral movement is when an attacker uses non-sensitive accounts to gain access to sensitive accounts throughout your network. Lateral movement is used by attackers to identify and gain access to the sensitive accounts and machines in your network that share stored sign-in credentials in accounts, groups and machines. Once an attacker makes successful lateral moves towards your key targets, the attacker can also take advantage and gain access to your domain controllers. Lateral movement attacks are carried out using many of the methods described in [Microsoft Defender for Identity Security Alerts](alerts-overview.md).
 
-A key component of Microsoft Defender for Identity's security insights are Lateral Movement Paths or LMPs. Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts. LMPs help you mitigate and prevent those risks in the future, and close attacker access before they achieve domain dominance.
+A key component of Microsoft Defender for Identity's security insights is Lateral Movement Paths or LMPs. Defender for Identity LMPs are visual guides that help you quickly understand and identify exactly how attackers can move laterally inside your network. The purpose of lateral movements within the cyber-attack kill chain are for attackers to gain and compromise your sensitive accounts using non-sensitive accounts. Compromising your sensitive accounts gets them another step closer to their ultimate goal, domain dominance. To stop these attacks from being successful, Defender for Identity LMPs give you easy to interpret, direct visual guidance on your most vulnerable, sensitive accounts. LMPs help you mitigate and prevent those risks in the future, and close attacker access before they achieve domain dominance.
 
 For example:
 

ATPDocs/whats-new.md

@@ -25,7 +25,7 @@ For updates about versions and features released six months ago or earlier, see
 ## May 2025
 
 ### Local administrators collection (using SAM-R queries) feature will be disabled
-Remote collection of local administrators' group members on endpoints (using SAM-R queries) feature in Microsoft Defender for Identity will be disabled by mid-May 2025. The details collected are used to build the potential lateral movement paths map. Alternative methods are currently being explored. This change will happen automatically by the specified dates. No admin action is required. 
+The remote collection of local administrators group members from endpoints using SAM-R queries in Microsoft Defender for Identity will be disabled by mid-May 2025. This data is currently used to build potential lateral movement path maps, which will no longer be updated after this change. An alternative method is being explored. The change will occur automatically by the specified date, and no administrative action is required.
 
 ### New Health Issue