This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 10%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EO%3C/text%3E%3C/svg%3E)
Hi Everyone,
We have followed the following guide from Microsoft in regards to enabling "advanced auditing" for Defender for Identity:
Any ideas?
I am certain have configured our GPO properly (but you never know):
Here are the results of running "auditpol /get /category:*" on one of the servers that this policy has been applied to:
As always, thanks for the help!
I just ran the Test-MdiReadiness.ps1 script:
And in the corresponding .JSON file I have this error message:
I am starting to think that the issue is with the sensor itself and not my GPO policies because I ran this script locally on a DC.
Edit: I opened a issue ticket with the script creators to see if they have any insights:
https://github.com/microsoft/Microsoft-Defender-for-Identity/issues/7
Edit 2: Running the script was flagged by "Microsoft Defender for Identity" which never happened before so I wonder if the sensors are working now properly since I changed the policies to run out of "Default Domain Controllers Policy" GPO.
Just made some headway with this issue; the auditing policies are on and there is an issue with the sensor not being able to see that the auditing policies are turned on.
I had a look at the previously shared script above and found out what policies that had to be turned on:
Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Setting Value System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},Success and Failure,3 System,Distribution Group Management,{0CCE9238-69AE-11D9-BED3-505054503030},Success and Failure,3 System,Security Group Management,{0CCE9237-69AE-11D9-BED3-505054503030},Success and Failure,3 System,Computer Account Management,{0CCE9236-69AE-11D9-BED3-505054503030},Success and Failure,3 System,User Account Management,{0CCE9235-69AE-11D9-BED3-505054503030},Success and Failure,3 System,Directory Service Access,{0CCE923B-69AE-11D9-BED3-505054503030},Success and Failure,3 System,Directory Service Changes,{0CCE923C-69AE-11D9-BED3-505054503030},Success and Failure,3 System,Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030},Success and Failure,3
Here is the results of AuditPol on my one DC (which shows that the required policies are enabled):
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value DomainController,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Security State Change,{0CCE9210-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,Other System Events,{0CCE9214-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Group Membership,{0CCE9249-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,User / Device Claims,{0CCE9247-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Network Policy Server,{0CCE9243-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Other Logon/Logoff Events,{0CCE921C-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Special Logon,{0CCE921B-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,IPsec Extended Mode,{0CCE921A-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,IPsec Quick Mode,{0CCE9219-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,IPsec Main Mode,{0CCE9218-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Account Lockout,{0CCE9217-69AE-11D9-BED3-505054503030},Failure,,2 DomainController,System,Logoff,{0CCE9216-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Handle Manipulation,{0CCE9223-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Central Policy Staging,{0CCE9246-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Removable Storage,{0CCE9245-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Detailed File Share,{0CCE9244-69AE-11D9-BED3-505054503030},Failure,,2 DomainController,System,Other Object Access Events,{0CCE9227-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Filtering Platform Connection,{0CCE9226-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Filtering Platform Packet Drop,{0CCE9225-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,File Share,{0CCE9224-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Application Generated,{0CCE9222-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Certification Services,{0CCE9221-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,SAM,{0CCE9220-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Kernel Object,{0CCE921F-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Registry,{0CCE921E-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,File System,{0CCE921D-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Other Privilege Use Events,{0CCE922A-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Non Sensitive Privilege Use,{0CCE9229-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Sensitive Privilege Use,{0CCE9228-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,RPC Events,{0CCE922E-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Token Right Adjusted Events,{0CCE924A-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,Process Termination,{0CCE922C-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Plug and Play Events,{0CCE9248-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,DPAPI Activity,{0CCE922D-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Other Policy Change Events,{0CCE9234-69AE-11D9-BED3-505054503030},Failure,,2 DomainController,System,Authentication Policy Change,{0CCE9230-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,Filtering Platform Policy Change,{0CCE9233-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Authorization Policy Change,{0CCE9231-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,MPSSVC Rule-Level Policy Change,{0CCE9232-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Other Account Management Events,{0CCE923A-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,Application Group Management,{0CCE9239-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Distribution Group Management,{0CCE9238-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Security Group Management,{0CCE9237-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Computer Account Management,{0CCE9236-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,User Account Management,{0CCE9235-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Directory Service Replication,{0CCE923D-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Directory Service Access,{0CCE923B-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Detailed Directory Service Replication,{0CCE923E-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Directory Service Changes,{0CCE923C-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Other Account Logon Events,{0CCE9241-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Kerberos Service Ticket Operations,{0CCE9240-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,,Option:CrashOnAuditFail,,Disabled,,0 DomainController,,Option:FullPrivilegeAuditing,,Disabled,,0 DomainController,,Option:AuditBaseObjects,,Disabled,,0 DomainController,,Option:AuditBaseDirectories,,Disabled,,0 DomainController,,FileGlobalSacl,,,, DomainController,,RegistryGlobalSacl,,,,
Opened a ticket with Microsoft support, will see what they say.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Hello
Thank you for your question and reaching out.
Please check below steps and make sure you have checked all relevant event log entries to be enabled for GPO.
--If the reply is helpful, please Upvote and Accept as answer--
Thanks for the link, however I have just confirmed that the relevant logs are on found on my DCs (that was applied via my GPO):
What I just did, was push the policies again from the "Default Domain Controllers Policy" GPO instead of the separate one I had created to see if that fixes the issue.
Edit: Pushing the polices to "Default Domain Controllers Policy" GPO, instead of a separate GPO, is what fixed it. I guess this is a super common bug with enabling Advanced Audit that has been resolved.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(16, 11%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi, how are you doing?
Did you just run "gpupdate /force" as domain administrator on an elevated terminal on the domain controller to push the policy from the "Default Domain Controllers Policy"?
I'm facing the same problem that you describe (I've made all configurations exacly as you described/show from the pictures above), but I'm already using the "Default Domain Controllers Policy" GPO to enable the advanced auditing (as sugested on the official documentation). Though, I'm still facing the error
Duplicate question
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(12.8, 82%, 11%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFO%3C/text%3E%3C/svg%3E)
In my case, I've got another GPO with success audit only, I've add failure audit and it's Ok now
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(54.400000000000006, 46%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECW%3C/text%3E%3C/svg%3E)
Thanks OwITecAB. Pushing the polices to "Default Domain Controllers Policy" GPO fixed it.
