How to move Windows 10 Security Audit Policies to Endpoint Manager / Intune

Where do you start with moving polcies to Intune, I don’t think there is a right or wrong answer. I decided to start with Audit Policies. For 2 reasons. I need to standardise the security event auditing on our devices and we need to update one region to help with SCCM UDA.

How to do it?

Lets look at what we have today. We have differences between the computer around the regions in what we audit. An example below.

Audit LogonSuccess and FailureSuccess and FailureSuccess and Failure Success and Failure
Audit File ShareFailureSuccess and FailureSuccess Success
Audit Sensitive Privilege UseSuccess and FailureSuccess and FailureSuccess and FailureSuccess and Failure
Audit Other Policy Change EventsSuccess and FailureSuccess and Failure FailureSuccess and Failure

We know SCCM likes us to audit Logon events to make sure you have good User Device Affinity. You also need to have a good history of the events, otherwise it can impact you UDA.

Checking the Microsoft Windows 10 1909 baseline, it likes to include these (But they do cause some noise in the event logs with impacts the SCCM UDA. Rock and a hard place anyone?)

Audit Credential ValidationSuccess and Failure
Audit Security Group ManagementSuccess
Audit User Account ManagementSuccess and Failure
Audit PNP ActivitySuccess
Audit Process CreationSuccess
Audit Account LockoutFailure
Audit Group MembershipSuccess
Audit LogonSuccess and Failure
Audit Other Logon/Logoff EventsSuccess and Failure
Audit Special LogonSuccess
Audit Detailed File ShareFailure
Audit File ShareSuccess and Failure
Audit Other Object Access EventsSuccess and Failure
Audit Removable StorageSuccess and Failure
Audit Audit Policy ChangeSuccess
Audit Authentication Policy ChangeSuccess
Audit MPSSVC Rule-Level Policy ChangeSuccess and Failure
Audit Other Policy Change EventsFailure
Audit Sensitive Privilege UseSuccess and Failure
Audit Other System EventsSuccess and Failure
Audit Security State ChangeSuccess
Audit Security System ExtensionSuccess
Audit System IntegritySuccess and Failure

Now we know what we want to audit, lets get started in Endpoint Manager. audit policies aren’t available in administrative templates (Yet). So we need to use the CSP. We can see the policies exist in ./Vendor/MSFT/Policy/Config/Audit. The CSP cover most of the audit points you will want, but we will only add the relevant ones.

Goto Devices -> Configuration Profiles. Select Add new.

Select “Windows 10 and Later” and Custom in the profile.

Select Add. Enter in the Name for the Audit Value, I add the criteria into the description.

In the OMA-URI add in ./Vendor/MSFT/Policy/Config/Audit/AccountLogon_AuditCredentialValidation

In the Data Type, Select Integer and the Value (0 Disabled, 1 Success, 2 Failure, 3 Success and Failure)

Then press Save. Repeat for the rest of the desire values.

Using the table below should get you to the 1909 Baseline.

ConfigurationSet ToCSPData TypeValue
Audit Credential ValidationSuccess and Failure./Vendor/MSFT/Policy/Config/Audit/AccountLogon_AuditCredentialValidationInteger3
Audit Security Group ManagementSuccess./Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditSecurityGroupManagementInteger1
Audit User Account ManagementSuccess and Failure./Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditUserAccountManagementInteger3
Audit PNP ActivitySuccess./Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditPNPActivityInteger1
Audit Process CreationSuccess./Vendor/MSFT/Policy/Config/Audit/DetailedTracking_AuditProcessCreationInteger1
Audit Account LockoutFailure./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditAccountLockoutInteger2
Audit Group MembershipSuccess./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditGroupMembershipInteger1
Audit LogonSuccess and Failure./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditLogonInteger3
Audit Other Logon/Logoff EventsSuccess and Failure./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditOtherLogonLogoffEventsInteger3
Audit Special LogonSuccess./Vendor/MSFT/Policy/Config/Audit/AccountLogonLogoff_AuditSpecialLogonInteger1
Audit Detailed File ShareFailure./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditDetailedFileShareInteger2
Audit File ShareSuccess and Failure./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditFileShareInteger3
Audit Removable StorageSuccess and Failure./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditRemovableStorageInteger3
Audit Audit Policy ChangeNot configured./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditPolicyChangeInteger0
Audit Authentication Policy ChangeNot configured./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditAuthenticationPolicyChangeInteger0
Audit MPSSVC Rule-Level Policy ChangeSuccess and Failure./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditMPSSVCRuleLevelPolicyChangeInteger3
Audit Other Policy Change EventsNot configured./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditOtherPolicyChangeEventsInteger0
Audit Sensitive Privilege UseSuccess and Failure./Vendor/MSFT/Policy/Config/Audit/PrivilegeUse_AuditSensitivePrivilegeUseInteger3
Audit Other System EventsSuccess and Failure./Vendor/MSFT/Policy/Config/Audit/System_AuditOtherSystemEventsInteger3
Audit Security State ChangeSuccess./Vendor/MSFT/Policy/Config/Audit/System_AuditSecurityStateChangeInteger1
Audit Security System ExtensionSuccess./Vendor/MSFT/Policy/Config/Audit/System_AuditSecuritySystemExtensionInteger1
Audit System IntegritySuccess and Failure./Vendor/MSFT/Policy/Config/Audit/System_AuditSystemIntegrityInteger3
Audit Non Sensitive Privilege UseNot configured./Vendor/MSFT/Policy/Config/Audit/PrivilegeUse_AuditNonSensitivePrivilegeUseInteger0
Audit Other Privilege Use EventsNot configured./Vendor/MSFT/Policy/Config/Audit/PrivilegeUse_AuditOtherPrivilegeUseEventsInteger0
Audit Authorization Policy ChangeNot configured./Vendor/MSFT/Policy/Config/Audit/PolicyChange_AuditAuthorizationPolicyChangeInteger0
Audit Application Group ManagementSuccess and Failure./Vendor/MSFT/Policy/Config/Audit/AccountManagement_AuditApplicationGroupManagementInteger3
Audit IPsec DriverNot configured./Vendor/MSFT/Policy/Config/Audit/System_AuditIPsecDriverInteger0
Audit Other Object Access EventsNot configured./Vendor/MSFT/Policy/Config/Audit/ObjectAccess_AuditOtherObjectAccessEvents

Press Save, and then assign it to your test Azure AD Group and press save.

Give it some time to apply. If you’re impatient like me, force a Sync through Settings > Accounts > Access work or school. Click your work or school account, then click Sync.

How do we know its worked? You can run the following command to see what’s change.

C:\>auditpol /get /category:*
System audit policy
Category/Subcategory Setting
Security System Extension Success
System Integrity Success and Failure
IPsec Driver Success and Failure
Other System Events Success and Failure
Security State Change Success
Logon Success and Failure
Logoff Success and Failure
Account Lockout Failure
IPsec Main Mode No Auditing
IPsec Quick Mode No Auditing
IPsec Extended Mode No Auditing
Special Logon Success
Other Logon/Logoff Events No Auditing
Network Policy Server No Auditing
User / Device Claims No Auditing
Group Membership Success
Object Access
File System No Auditing
Registry No Auditing
Kernel Object No Auditing
SAM No Auditing
Certification Services No Auditing
Application Generated No Auditing
Handle Manipulation No Auditing
File Share Success and Failure
Filtering Platform Packet Drop No Auditing
Filtering Platform Connection No Auditing
Other Object Access Events Success and Failure
Detailed File Share Failure
Removable Storage Success and Failure
Central Policy Staging No Auditing
Privilege Use
Non Sensitive Privilege Use No Auditing
Other Privilege Use Events No Auditing
Sensitive Privilege Use Success and Failure
Detailed Tracking
Process Creation Success
Process Termination No Auditing
DPAPI Activity No Auditing
RPC Events No Auditing
Plug and Play Events Success
Token Right Adjusted Events No Auditing
Policy Change
Audit Policy Change Success
Authentication Policy Change Success
Authorization Policy Change Success
MPSSVC Rule-Level Policy Change Success and Failure
Filtering Platform Policy Change No Auditing
Other Policy Change Events Failure
Account Management
Computer Account Management No Auditing
Security Group Management Success
Distribution Group Management No Auditing
Application Group Management Success and Failure
Other Account Management Events No Auditing
User Account Management Success and Failure
DS Access
Directory Service Access No Auditing
Directory Service Changes No Auditing
Directory Service Replication No Auditing
Detailed Directory Service Replication No Auditing
Account Logon
Kerberos Service Ticket Operations Success and Failure
Other Account Logon Events Success and Failure
Kerberos Authentication Service Success and Failure
Credential Validation Success and Failure

If it hasn’t worked, check the event long. Look in the event log. Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider. Look for any errors. Most of my errors were either missing a character or adding a space to the end of the OMA-URI.