All six changes are enabled by default in Windows 11 24H2 and 25H2 (26.02D). For Windows Server 2022 and 2025, these changes are expected to be enabled by 26.06B.

Here is a closer look at the six updates and why they matter.

1. Enhanced timestamps across Group Policy logs

Group Policy logs now include full date and time stamps in the format YYYY-MM-DD HH:MM:SS. This replaces partially timestamped entries that made precise correlation difficult.

Accurate timestamps make it significantly easier to line up Group Policy activity with:

• Event Viewer entries

• Network traces

• Security and authentication logs

• User reported timelines

Logs that benefit from this change:

• GPSVC (%windir%\debug\usermode\gpsvc.log)

• GPMC (%temp%\gpmgmt.log, %systemroot%\debug\usermode\gpmc.log)

• GPEdit (%windir%\debug\usermode\gpedit.log)

• ADMX and ADML processing (%temp%\AdmTmpl.log)

This improvement removes a long‑standing friction point when performing multi‑log investigations.

2. Registry.pol corruption detection

Group Policy now detects Registry.pol file corruption and surfaces clear indicators when it occurs. While remediation is still manual, detection is no longer silent. Registry.pol corruption can cause policies to fail without obvious explanation. With this update, administrators can quickly confirm whether corruption is the root cause instead of chasing environmental or permissions issues.

Simply knowing which machines are affected can save hours of troubleshooting time.

Enhancements include:

• Explicit corruption detection

• Improved error messaging

• Better alignment between Event ID 1096 and entries in GPSVC.log

3. More detailed error information for Group Policy Preferences

Group Policy Preferences logging now provides richer diagnostic data when items fail to apply. In addition to existing events, a new Event ID 4117 is logged with expanded context. Previously vague errors such as “object not found” are now paired with actionable detail.

What you will now see:

• The exact network path involved

• The preference item name

• The associated error code, including HRESULT

4. Improved attribution for Group Policy refresh triggers

When Group Policy refreshes occur, logs now include who or what triggered them. Both the Group Policy Operational log and GPSVC.log provide expanded attribution.

New details include:

• Parent process

• Triggering process

• Process ID

• Session ID

• Account context

5. Enable Group Policy Preferences logging locally

Group Policy Preferences debug logging can now be enabled locally using gpedit.msc. There is no requirement to configure a domain‑level GPO just to collect diagnostics.

Key points:

• GPP logging ADMX and ADML files are now available on client SKUs

• Logging is configurable directly on the local machine

• Ideal for isolated systems or early investigations

6. Critical section lock detection

Tracing around critical policy section locks has been significantly improved. Third‑party applications can sometimes lock Group Policy processing and fail to release it, resulting in long delays or apparent hangs. Previously, diagnosing this required heavy debugging. Now, the responsible process is visible directly in the logs.

GPSVC.log now shows when:

• A critical policy section is entered

• An external process holds the lock

• Timeouts are adjusted

• The lock is released

Share

Subscribe now

Starting with the upcoming Key Vault API version 2026‑02‑01, Azure Key Vault defaults to Azure RBAC for access control, not access policies. This is a default behavior change at the API level, and it could cause you some issues.

For years, access policies gave teams a fast way to wire up permissions. They also created a messy security boundary where anyone with sufficient write permissions on the vault could quietly grant themselves data access.

RBAC closes that gap.

With RBAC as the default:

• Data plane access is governed through Entra AD roles

• Permission assignment is centralized

• Privileged Identity Management finally applies cleanly to Key Vault

• The “vault writer gives themselves secret access” gun goes away

What actually changes

Here’s what you need to know

• New vaults created with API version 2026‑02‑01 automatically enable RBAC

• Existing vaults stay exactly as they are until you change them

• You can still opt into access policies, but you have to do so explicitly

Cloud Shell users are especially impacted because Cloud Shell always uses the latest API version. If you haven’t validated your permissions model ahead of time, you may notice things breaking in surprising ways.

The deadline

Older Key Vault API versions retire February 27, 2027. If you manage Key Vaults at scale, or rely on them for automation, secrets delivery, or identity‑driven workflows, this is your signal to inventory, test, and migrate.

Share

Subscribe now

Everything is urgent. Everything is loud. The noise is overwhelming.

The basic limitations of the traditional use of low, medium and high to gauge alert severity makes it hard to determine the most urgent issues. We’ve talked about alert fatigue in how Noise is the enemy of speed. In fact, we did a whole series about improving incident prioritization called Let’s automate your SOC.

And all of that information is still valuable if you want to control incident prioritization using your own criteria. But there is a new feature in the Defender portal that helps prioritize your incident queue automatically. The Defender incident queue now applies a machine learning–driven prioritization algorithm across all incidents, including Microsoft native detections, custom detections, and third-party signals when they surface in Defender or Sentinel. Prioritize...soft Learn

Every incident receives a priority score from 0 to 100, recalculated daily:

• Red (>85): top priority

• Orange (15–85): medium priority

• Gray (<15): low priority

This immediately does two things:

1. It creates an ordered queue letting you know what to focus on first

2. It forces the platform to explain its reasoning

Where the score comes from

The algorithm considers a combination of signals that you probably already use mentally when you’re making a decision of what to triage.

• Threat analytics and disruption indicators

• MITRE techniques tied to the activity

• Asset criticality for the impacted users, devices, or apps

• Alert type rarity and signal-to-noise patterns

• Indicators associated with high-profile threats like ransomware or nation-state activity

See the reasoning behind the score

Now, when you select an incident in the queue you can see the contributing factors behind the score in the summary pane, alongside the incident details, recommended actions, and related threats. For the incident below, you can see that it received a score of 100 because there were three notable alert types, high risk threat of Credential Phish, a critical asset was involved and there were two related threat analytics reports.

Each of the priority factors can be expanded to gain even more information. For example, if you click the drop-down arrow next to the related threat analytics reports, you’ll be able to move directly to the two articles about the related threats.

Let us know what you think about the new prioritization feature. Is it saving you time? Evaluating incidents the way you would? Look forward to hearing from you.

Share

Subscribe now

If you’ve ever worked through a Sentinel‑to‑Defender transition, you already know the pain point. Sentinel’s incident model is beautifully straightforward: one analytics rule, one grouping configuration, one predictable incident. Defender XDR, on the other hand, takes all your alerts, stirs in correlation logic, attacker activity sequences, multi‑product signals and sometimes hands you back incidents shaped slightly differently than what your automation playbooks expect.

That change can cause more than a few problems with runbooks, SOAR logic, backlog projections… basically anything that relies on consistent incident formation.

Microsoft Defender XDR’s correlation engine is powerful. It’s also opinionated. It tells a cohesive “attack story” by merging alerts and incidents across products and analytics engines. That’s fantastic when you want clarity during an active attack. But for teams migrating from Sentinel, it can be disruptive.

This new preview lets you selectively exclude specific analytics rules from the correlation engine so that:

• Alerts from those rules bypass correlation entirely

• They form incidents in Defender the same way they did in Sentinel

• Your existing automations continue to behave predictably

• Your runbooks stop throwing surprise exceptions

• Your analysts stop asking why incidents look “wrong”

How do I actually disable correlation

There are two ways to disable correlation in the Defender portal.

1. Browse to Investigation & response → Hunting → Custom detection rules.

2. Select the check box next to the rule that you want to disable correlation.

3. Then at the top select Disable correlation.

Another method is to exclude a rule from correlation by adding a #DONT_CORR# tag.

1. Browse to Investigation & response → Hunting → Custom detection rules.

2. Open the analytics rule in edit mode.

3. In the rule’s Description field, add #DONT_CORR# at the very beginning of the text.

4. Save the rule.

   

   Share

   Subscribe now

Sysmon functionality in Windows:

Sysinternals Sysmon is now included in updates to Windows 11 and Windows Server 2025. Prior to this release, you had to deploy, update and configure Sysmon all on your own. This functionality provides better visibility for proactive threat hunting with reduced operational overhead.

Additional resources: Native Sysmon functionality coming to Windows | Microsoft Community Hub

Custom data collection in Microsoft Defender for Endpoint (Preview)

Custom data collection (Preview) enables you to customize telemetry collection beyond the default MDE configurations to support your specialized threat hunting and security monitoring needs. This feature allows you to define specific collection rules with tailored filters for event properties such as folder paths, process names, and network connections.

Additional resources: Custom data collection in Microsoft Defender for Endpoint - Microsoft Defender for Endpoint | Microsoft Learn

Autopatch update readiness

This feature, now in preview, is designed to help you gain real-time visibility into which devices are ready for updates or need attention and why. It surfaces actionable insights, provides clear guidance on remediation and helps prevent issues before they disrupt work. Hopefully, it will help you spend less time chasing and patching problems.

You can quickly find devices that are out of compliance or missing critical signals. Policy conflicts that could block updates will be identified and explained and detailed telemetry will help ensure that every device provides the data needed for update readiness and compliance tracking.

Additional resources: Windows Autopatch — Elevate Your Update Experience for Modern Work

New enterprise features for Microsoft Edge for Business

Watermarking: Employees often struggle to recognize which files are safe to share and which are not. Edge for Business is making it easier to distinguish sensitive data with a watermarking overlay — a persistent, visual reminder that will prompt users to pause and think before sharing confidential content. Admins will be able to enable watermarking with a simple toggle in the Edge management service. Once turned on, the overlay will appear on sensitive files and sites based on sensitivity labels or data loss prevention (DLP) policies.

Protected clipboard: Another new feature addresses the “all or nothing” dilemma common in data protection: Admins can either block all copy/paste actions or allow users to copy/paste freely and risk data leaks. Protected clipboard in Edge for Business will enable admins to define trusted boundaries across managed web apps. Data from inside the boundary can’t be pasted outside, while data from outside can enter the boundary if needed. Users will get a clear warning if they try to paste outside the trusted zone, keeping data safe without breaking workflows.

Manage cross-platform security policies all in one place: You’ll be able to use the Edge management service in the Microsoft 365 admin center to easily set and enforce Edge browser policies across macOS, iOS and Android. You simply select checkboxes for the additional platforms you want to manage.

These features are available in preview beginning later this month.

Additional resources: Edge for Business presents: the world’s first secure enterprise AI browser

Share

Subscribe now