Windows 10 auditing needs to be configured to comply with the Microsoft Security Baseline. In my opinion this is an important part but completely missed in the Intune UI. But happily there is the Policy CSP which allows us to configure it. The CSP is documented here https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-audit.
To simplify the process for you, I created a table with the correct OMA-URI’s and values. You can start by creating a custom Configuration Profile in Intune:
Then create for each item from the table bellow an entry. The name can be any value, but I recommend using the “Policy Setting Name” from my table. The data type has to be “Integer” and the value can be copied from the “Integer value” column.
The following table lists all audit log settings to comply with the Microsoft Security Baseline:
| Policy Setting Name | Value Readable |
OMA Uri |
Integer Value |
| Audit Credential Validation | Success and Failure |
./Vendor/MSFT/Policy/Config/Audit/AccountLogon_AuditCredentialValidation |
3 |
| Audit Security Group Management | Success |
./Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditSecurityGroupManagement |
1 |
| Audit User Account Management | Success and Failure |
./Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditUserAccountManagement |
3 |
| Audit PNP Activity | Success |
./Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditPNPActivity |
1 |
| Audit Process Creation | Success |
./Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditProcessCreation |
1 |
| Audit Account Lockout | Failure |
./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditAccountLockout |
2 |
| Audit Group Membership | Success |
./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditGroupMembership |
1 |
| Audit Logon | Success and Failure |
./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditLogon |
3 |
| Audit Other Logon/Logoff Events | Success and Failure |
./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditOtherLogonLogoffEvents |
3 |
| Audit Special Logon | Success |
./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditSpecialLogon |
1 |
| Audit Detailed File Share | Failure |
./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditDetailedFileShare |
2 |
| Audit File Share | Success and Failure |
./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditFileShare |
3 |
| Audit Other Object Access Events | Success and Failure |
./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditOtherObjectAccessEvents |
3 |
| Audit Removable Storage | Success and Failure |
./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditRemovableStorage |
3 |
| Audit Audit Policy Change | Success |
./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditPolicyChange |
1 |
| Audit Authentication Policy Change | Success |
./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditAuthenticationPolicyChange |
1 |
| Audit MPSSVC Rule-Level Policy Change | Success and Failure |
./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditMPSSVCRuleLevelPolicyChange |
3 |
| Audit Other Policy Change Events | Failure |
./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditOtherPolicyChangeEvents |
2 |
| Audit Sensitive Privilege Use | Success and Failure |
./Vendor/MSFT/Policy/Config/Audit/PrivilegeUse_AuditSensitivePrivilegeUse |
3 |
| Audit Other System Events | Success and Failure |
./Vendor/MSFT/Policy/Config/Audit/System_AuditOtherSystemEvents |
3 |
| Audit Security State Change | Success |
./Vendor/MSFT/Policy/Config/Audit/System_AuditSecurityStateChange |
1 |
| Audit Security System Extension | Success |
./Vendor/MSFT/Policy/Config/Audit/System_AuditSecuritySystemExtension |
1 |
| Audit System Integrity | Success and Failure |
./Vendor/MSFT/Policy/Config/Audit/System_AuditSystemIntegrity |
3 |
As soon you added all settings to the profile you can save and assign it to your devices.
Result
After deploying the profile it is important to check if it is really applied on the devices. The easiest way is to do it with the following command:
auditpol /get /category *
- Azure AD Guest Account -Governance and Cleanup - June 30, 2020
- Use OATH TOTP token with Azure MFA - June 25, 2020
- Monitor Windows Hello and AAD Hybrid join enrollment with MEMCM - June 1, 2020
1 Comment
Nilldot · May 13, 2020 at 21:44
This is very much appreciated. Thank you!