Windows Server Advanced Auditing for Defender

JoeS-0122 41 Reputation points
2024-08-29T14:34:04.4666667+00:00

We are attempting to set up Defender Identity on our domain controllers. We are getting errors claiming that Directory Services Advanced Auditing is not enabled.

Please enable the Directory Services Advanced Auditing events according to the guidance as described in https://aka.ms/mdi/advancedaudit

We ran the readiness report and found that Advanced Auditing is set to false despite changes we made to group policy to turn it on. We followed the article below by creating a brand new policy and bound it to the domain controllers: https://learn.microsoft.com/en-us/defender-for-identity/deploy/configure-windows-event-collection#configure-advanced-audit-policy-settings

I saw an article from Reddit which pointed to the following: https://www.reddit.com/r/sysadmin/comments/17kvooe/advanced_audit_policy_configurations_not_showing/ https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/security-auditing-settings-not-applied-when-deploy-domain-based-policy

When we run the Get-MDIConfiguration command on the domain, advanced auditing and NTLM auditing are set to true on the domain, but whenever we do so for the local machine, it becomes true and eventually goes back to false.

Our group policies are not set on the default domain policy. They are set on a separate policy that is bound to the domain controllers. When running Set-MDIConfiguration, it auto-created an NTLM policy and an advanced audit policy. Even with this, advanced audit is not showing as on when we run the readiness report.

Is anyone familiar with the reason for this and can offer some assistance?

Windows Server 2019
Windows Server
