WPNinjas HeaderWPNinjas Header

Configure Windows 10 Auditing with Intune

Windows 10 auditing needs to be configured to comply with the Microsoft Security Baseline. In my opinion this is an important part but completely missed in the Intune UI. But happily there is the Policy CSP which allows us to configure it. The CSP is documented here https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-audit.

To simplify the process for you, I created a table with the correct OMA-URI’s and values. You can start by creating a custom Configuration Profile in Intune:

Then create for each item from the table bellow an entry. The name can be any value, but I recommend using the “Policy Setting Name” from my table. The data type has to be “Integer” and the value can be copied from the “Integer value” column.

The following table lists all audit log settings to comply with the Microsoft Security Baseline:

Policy Setting Name Value Readable


Integer Value
Audit Credential Validation Success and Failure


Audit Security Group Management Success


Audit User Account Management Success and Failure


Audit PNP Activity Success


Audit Process Creation Success


Audit Account Lockout Failure


Audit Group Membership Success


Audit Logon Success and Failure


Audit Other Logon/Logoff Events Success and Failure


Audit Special Logon Success


Audit Detailed File Share Failure


Audit File Share Success and Failure


Audit Other Object Access Events Success and Failure


Audit Removable Storage Success and Failure


Audit Audit Policy Change Success


Audit Authentication Policy Change Success


Audit MPSSVC Rule-Level Policy Change Success and Failure


Audit Other Policy Change Events Failure


Audit Sensitive Privilege Use Success and Failure


Audit Other System Events Success and Failure


Audit Security State Change Success


Audit Security System Extension Success


Audit System Integrity Success and Failure



As soon you added all settings to the profile you can save and assign it to your devices. 


After deploying the profile it is important to check if it is really applied on the devices. The easiest way is to do it with the following command:

auditpol /get /category *
Follow me


Nilldot · May 13, 2020 at 21:44

This is very much appreciated. Thank you!

Sol · August 23, 2020 at 20:13

Thank you! This was great

Jason · December 12, 2020 at 01:21

If you notice in your cmd line results, not all the policies are being correctly set. For instance “Audit Other Logon/Logoff Events”. In my case I’ve tried to apply the new MDM Security Baseline for August 2020 and I’m getting errors for a whole bunch of the audit settings and they aren’t being applied. No idea why because everything looks correct. I bet I’m not the only one.

    Thomas Kurth · January 1, 2021 at 15:28

    I had the same at a customer. It depends on the Windows version you have. For example 1809 and older is not working… despite it should according to Microsoft documentation.

KV · February 20, 2021 at 20:06

Hi Thomas, Thank you for creating the blog, I too noticed that I get a bunch of errors my Windows Version is 19042.804 . Do you perhaps have a solution for this ?

    Thomas Kurth · March 1, 2021 at 14:42

    Strange, now until now it worked without any issues on newer Windows versions. What error messages do you see?

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.