Home » Blogs » Configure Windows 10 Auditing with Intune

Configure Windows 10 Auditing with Intune

Windows 10 auditing needs to be configured to comply with the Microsoft Security Baseline. In my opinion this is an important part but completely missed in the Intune UI. But happily there is the Policy CSP which allows us to configure it. The CSP is documented here https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-audit.

To simplify the process for you, I created a table with the correct OMA-URI’s and values. You can start by creating a custom Configuration Profile in Intune:

Then create for each item from the table bellow an entry. The name can be any value, but I recommend using the “Policy Setting Name” from my table. The data type has to be “Integer” and the value can be copied from the “Integer value” column.

The following table lists all audit log settings to comply with the Microsoft Security Baseline:

Policy Setting Name	Value Readable	OMA Uri	Integer Value
Audit Credential Validation	Success and Failure	./Vendor/MSFT/Policy/Config/Audit/AccountLogon_AuditCredentialValidation	3
Audit Security Group Management	Success	./Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditSecurityGroupManagement	1
Audit User Account Management	Success and Failure	./Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditUserAccountManagement	3
Audit PNP Activity	Success	./Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditPNPActivity	1
Audit Process Creation	Success	./Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditProcessCreation	1
Audit Account Lockout	Failure	./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditAccountLockout	2
Audit Group Membership	Success	./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditGroupMembership	1
Audit Logon	Success and Failure	./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditLogon	3
Audit Other Logon/Logoff Events	Success and Failure	./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditOtherLogonLogoffEvents	3
Audit Special Logon	Success	./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditSpecialLogon	1
Audit Detailed File Share	Failure	./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditDetailedFileShare	2
Audit File Share	Success and Failure	./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditFileShare	3
Audit Other Object Access Events	Success and Failure	./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditOtherObjectAccessEvents	3
Audit Removable Storage	Success and Failure	./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditRemovableStorage	3
Audit Audit Policy Change	Success	./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditPolicyChange	1
Audit Authentication Policy Change	Success	./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditAuthenticationPolicyChange	1
Audit MPSSVC Rule-Level Policy Change	Success and Failure	./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditMPSSVCRuleLevelPolicyChange	3
Audit Other Policy Change Events	Failure	./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditOtherPolicyChangeEvents	2
Audit Sensitive Privilege Use	Success and Failure	./Vendor/MSFT/Policy/Config/Audit/PrivilegeUse_AuditSensitivePrivilegeUse	3
Audit Other System Events	Success and Failure	./Vendor/MSFT/Policy/Config/Audit/System_AuditOtherSystemEvents	3
Audit Security State Change	Success	./Vendor/MSFT/Policy/Config/Audit/System_AuditSecurityStateChange	1
Audit Security System Extension	Success	./Vendor/MSFT/Policy/Config/Audit/System_AuditSecuritySystemExtension	1
Audit System Integrity	Success and Failure	./Vendor/MSFT/Policy/Config/Audit/System_AuditSystemIntegrity	3

As soon you added all settings to the profile you can save and assign it to your devices.

Result

After deploying the profile it is important to check if it is really applied on the devices. The easiest way is to do it with the following command:

auditpol /get /category *

About
Latest Posts

Follow me

Thomas Kurth

Principal Workplace Consultant | MVP at baseVISION AG

I’m a consultant, trainer and architect for modern workplace and enterprise mobility projects with Microsoft Technologies in the past eight years. I love to push and design the modern workplace based on Windows 10, EM&S and O365 for my customers which is the only answer for the current security threats, agile world and the fast-changing business requirements of my customers. Important for me is to simplify and automate the operational processes, because there are the highest costs.

Follow me

4 Comments

Nilldot · May 13, 2020 at 21:44

This is very much appreciated. Thank you!

Sol · August 23, 2020 at 20:13

Thank you! This was great

Jason · December 12, 2020 at 01:21

If you notice in your cmd line results, not all the policies are being correctly set. For instance “Audit Other Logon/Logoff Events”. In my case I’ve tried to apply the new MDM Security Baseline for August 2020 and I’m getting errors for a whole bunch of the audit settings and they aren’t being applied. No idea why because everything looks correct. I bet I’m not the only one.

Thomas Kurth · January 1, 2021 at 15:28

I had the same at a customer. It depends on the Windows version you have. For example 1809 and older is not working… despite it should according to Microsoft documentation.