Where do you start with moving polcies to Intune, I don’t think there is a right or wrong answer. I decided to start with Audit Policies. For 2 reasons. I need to standardise the security event auditing on our devices and we need to update one region to help with SCCM UDA.
How to do it?
Lets look at what we have today. We have differences between the computer around the regions in what we audit. An example below.
| Polciy | Europe | Americas | Asia | Pacific |
| Audit Logon | Success and Failure | Success and Failure | Success and Failure | Success and Failure |
| Audit File Share | Failure | Success and Failure | Success | Success |
| Audit Sensitive Privilege Use | Success and Failure | Success and Failure | Success and Failure | Success and Failure |
| Audit Other Policy Change Events | Success and Failure | Success and Failure | Failure | Success and Failure |
We know SCCM likes us to audit Logon events to make sure you have good User Device Affinity. You also need to have a good history of the events, otherwise it can impact you UDA.
Checking the Microsoft Windows 10 1909 baseline, it likes to include these (But they do cause some noise in the event logs with impacts the SCCM UDA. Rock and a hard place anyone?)
| Audit Credential Validation | Success and Failure |
| Audit Security Group Management | Success |
| Audit User Account Management | Success and Failure |
| Audit PNP Activity | Success |
| Audit Process Creation | Success |
| Audit Account Lockout | Failure |
| Audit Group Membership | Success |
| Audit Logon | Success and Failure |
| Audit Other Logon/Logoff Events | Success and Failure |
| Audit Special Logon | Success |
| Audit Detailed File Share | Failure |
| Audit File Share | Success and Failure |
| Audit Other Object Access Events | Success and Failure |
| Audit Removable Storage | Success and Failure |
| Audit Audit Policy Change | Success |
| Audit Authentication Policy Change | Success |
| Audit MPSSVC Rule-Level Policy Change | Success and Failure |
| Audit Other Policy Change Events | Failure |
| Audit Sensitive Privilege Use | Success and Failure |
| Audit Other System Events | Success and Failure |
| Audit Security State Change | Success |
| Audit Security System Extension | Success |
| Audit System Integrity | Success and Failure |
Now we know what we want to audit, lets get started in Endpoint Manager. audit policies aren’t available in administrative templates (Yet). So we need to use the CSP. We can see the policies exist in ./Vendor/MSFT/Policy/Config/Audit. The CSP cover most of the audit points you will want, but we will only add the relevant ones.
https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-audit
Goto Devices -> Configuration Profiles. Select Add new.
Select “Windows 10 and Later” and Custom in the profile.
Select Add. Enter in the Name for the Audit Value, I add the criteria into the description.
In the OMA-URI add in ./Vendor/MSFT/Policy/Config/Audit/AccountLogon_AuditCredentialValidation
In the Data Type, Select Integer and the Value (0 Disabled, 1 Success, 2 Failure, 3 Success and Failure)
Then press Save. Repeat for the rest of the desire values.
Using the table below should get you to the 1909 Baseline.
| Configuration | Set To | CSP | Data Type | Value |
|---|---|---|---|---|
| Audit Credential Validation | Success and Failure | ./Vendor/MSFT/Policy/Config/Audit/AccountLogon_AuditCredentialValidation | Integer | 3 |
| Audit Security Group Management | Success | ./Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditSecurityGroupManagement | Integer | 1 |
| Audit User Account Management | Success and Failure | ./Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditUserAccountManagement | Integer | 3 |
| Audit PNP Activity | Success | ./Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditPNPActivity | Integer | 1 |
| Audit Process Creation | Success | ./Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditProcessCreation | Integer | 1 |
| Audit Account Lockout | Failure | ./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditAccountLockout | Integer | 2 |
| Audit Group Membership | Success | ./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditGroupMembership | Integer | 1 |
| Audit Logon | Success and Failure | ./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditLogon | Integer | 3 |
| Audit Other Logon/Logoff Events | Success and Failure | ./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditOtherLogonLogoffEvents | Integer | 3 |
| Audit Special Logon | Success | ./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditSpecialLogon | Integer | 1 |
| Audit Detailed File Share | Failure | ./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditDetailedFileShare | Integer | 2 |
| Audit File Share | Success and Failure | ./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditFileShare | Integer | 3 |
| Audit Removable Storage | Success and Failure | ./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditRemovableStorage | Integer | 3 |
| Audit Audit Policy Change | Not configured | ./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditPolicyChange | Integer | 0 |
| Audit Authentication Policy Change | Not configured | ./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditAuthenticationPolicyChange | Integer | 0 |
| Audit MPSSVC Rule-Level Policy Change | Success and Failure | ./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditMPSSVCRuleLevelPolicyChange | Integer | 3 |
| Audit Other Policy Change Events | Not configured | ./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditOtherPolicyChangeEvents | Integer | 0 |
| Audit Sensitive Privilege Use | Success and Failure | ./Vendor/MSFT/Policy/Config/Audit/PrivilegeUse_AuditSensitivePrivilegeUse | Integer | 3 |
| Audit Other System Events | Success and Failure | ./Vendor/MSFT/Policy/Config/Audit/System_AuditOtherSystemEvents | Integer | 3 |
| Audit Security State Change | Success | ./Vendor/MSFT/Policy/Config/Audit/System_AuditSecurityStateChange | Integer | 1 |
| Audit Security System Extension | Success | ./Vendor/MSFT/Policy/Config/Audit/System_AuditSecuritySystemExtension | Integer | 1 |
| Audit System Integrity | Success and Failure | ./Vendor/MSFT/Policy/Config/Audit/System_AuditSystemIntegrity | Integer | 3 |
| Audit Non Sensitive Privilege Use | Not configured | ./Vendor/MSFT/Policy/Config/Audit/PrivilegeUse_AuditNonSensitivePrivilegeUse | Integer | 0 |
| Audit Other Privilege Use Events | Not configured | ./Vendor/MSFT/Policy/Config/Audit/PrivilegeUse_AuditOtherPrivilegeUseEvents | Integer | 0 |
| Audit Authorization Policy Change | Not configured | ./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditAuthorizationPolicyChange | Integer | 0 |
| Audit Application Group Management | Success and Failure | ./Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditApplicationGroupManagement | Integer | 3 |
| Audit IPsec Driver | Not configured | ./Vendor/MSFT/Policy/Config/Audit/System_AuditIPsecDriver | Integer | 0 |
| Audit Other Object Access Events | Not configured | ./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditOtherObjectAccessEvents |
Press Save, and then assign it to your test Azure AD Group and press save.
Give it some time to apply. If you’re impatient like me, force a Sync through Settings > Accounts > Access work or school. Click your work or school account, then click Sync.
How do we know its worked? You can run the following command to see what’s change.
C:\>auditpol /get /category:* |
If it hasn’t worked, check the event long. Look in the event log. Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider. Look for any errors. Most of my errors were either missing a character or adding a space to the end of the OMA-URI.
