The security option "crash on audit fail" has no effect

Bagitman 561 Reputation points
2023-01-13T10:04:59.5933333+00:00

Dear MS security team,

setting the GPO "Audit: Shut down system immediately if unable to log security audits"

https://learn.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits

does not have the desired effect on server 2019 (Version 10.0.17763.3770).

To test whether it works or not, I setup the security event log not to overwrite old events when it becomes full and then I waited until it became full. The eventlog then states that it's full, but no shutdown occurs.

I would also like to share the observation, that when you taskkill the eventlog service process and it restarts after a minute, it will populate the log with everything that happened in between the taskkill and the restart (which is fine!), but it will NOT trigger any event-triggered tasks that might be attached to the events it just wrote to the log. Is this expected behavior?

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,140 questions
Windows Server Security
Windows Server Security
Windows Server: A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
1,304 questions
Windows Server 2019
Windows Server 2019
A Microsoft server operating system that supports enterprise-level management, data storage, applications, and communications.
2,201 questions
No comments
1 vote

1 answer

Sort by: Most helpful
  1. Bagitman 561 Reputation points
    2023-01-17T21:56:45.7933333+00:00

    Update: on Windows server 2022, all works: it crashes as expected and tasks triggered by missed events work after the service is restarted.

    No comments