Windows Server Advanced Auditing for Defender
We are attempting to set up Defender for Identity on our domain controllers. We are getting errors claiming that Directory Services Advanced Auditing is not enabled:
Please enable the Directory Services Advanced Auditing events according to the guidance as described in https://aka.ms/mdi/advancedaudit
We ran the readiness report and found that Advanced Auditing is set to false despite the changes we made to group policy to turn it on. We followed the article below by creating a brand new policy and binding it to the domain controllers: https://learn.microsoft.com/en-us/defender-for-identity/deploy/configure-windows-event-collection#configure-advanced-audit-policy-settings

I saw a Reddit thread which pointed to the following:
https://www.reddit.com/r/sysadmin/comments/17kvooe/advanced_audit_policy_configurations_not_showing/
https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/security-auditing-settings-not-applied-when-deploy-domain-based-policy
When we run Get-MDIConfiguration against the domain, advanced auditing and NTLM auditing are set to true, but whenever we do so for the local machine, it becomes true and eventually goes back to false.

Our group policies are not set on the Default Domain Policy. They are set on a separate policy that is bound to the domain controllers. When we ran Set-MDIConfiguration, it auto-created an NTLM policy and an advanced audit policy. Even with this, advanced audit is not showing as on when we run the readiness report.
Is anyone familiar with the reason for this and can offer some assistance?
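As an added example for this thread (not the poster's code and not Microsoft's), the script below is a read-only check you can run on one domain controller to see what the readiness report is actually evaluating. It compares the effective advanced audit policy with the subcategories MDI needs, then checks the two things the linked troubleshooting article points at: whether the "force audit policy subcategory settings" switch (the SCENoApplyLegacyAuditPolicy registry value) is on, and whether the GPO-delivered audit.csv reached the machine at all. The subcategory list is my reading of https://aka.ms/mdi/advancedaudit and is an assumption; reconcile it against that page.

```powershell
# Added example (not from the original post or from Microsoft). Run in an elevated
# PowerShell session on a domain controller; auditpol needs admin rights to read policy.
# The subcategory list below is my reading of the MDI guidance (assumption).

$RequiredSubcategories = @(
    'Credential Validation',          # Account Logon
    'Computer Account Management',    # Account Management
    'Distribution Group Management',
    'Security Group Management',
    'User Account Management',
    'Directory Service Access',       # DS Access
    'Directory Service Changes',
    'Security System Extension'       # System
)

function Get-EffectiveAuditSetting {
    param([Parameter(Mandatory)][string]$Subcategory)
    # auditpol /r emits CSV; "Inclusion Setting" holds the effective value,
    # e.g. "Success and Failure" or "No Auditing". Blank lines are dropped before parsing.
    $row = auditpol /get /subcategory:"$Subcategory" /r |
           Where-Object { $_.Trim() } | ConvertFrom-Csv
    [pscustomobject]@{
        Subcategory = $Subcategory
        Effective   = $row.'Inclusion Setting'
        Compliant   = ($row.'Inclusion Setting' -eq 'Success and Failure')
    }
}

function Test-SubcategoryOverride {
    # Without this value set to 1, legacy category-level audit settings delivered by any
    # other GPO silently win over the advanced subcategory settings at the next policy
    # refresh, which is exactly the "true, then back to false" pattern.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'SCENoApplyLegacyAuditPolicy (force subcategory settings)'
        Value  = $lsa.SCENoApplyLegacyAuditPolicy
        Passed = ($lsa.SCENoApplyLegacyAuditPolicy -eq 1)
    }
}

function Test-AppliedAuditCsv {
    # Group Policy writes the merged advanced audit settings to this file. If it is missing
    # or holds only the header, the GPO never delivered them (link, filtering or SYSVOL
    # replication problem) and auditpol will show whatever was set locally.
    $path   = Join-Path $env:SystemRoot 'security\audit\audit.csv'
    $exists = Test-Path $path
    $lines  = if ($exists) { @(Get-Content $path | Where-Object { $_.Trim() }).Count } else { 0 }
    [pscustomobject]@{
        Check  = 'audit.csv delivered by Group Policy'
        Path   = $path
        Lines  = $lines
        Passed = ($lines -gt 1)   # first line is the CSV header
    }
}

# Run all checks and print a compact report
$results = $RequiredSubcategories | ForEach-Object { Get-EffectiveAuditSetting -Subcategory $_ }
$results | Format-Table -AutoSize
Test-SubcategoryOverride | Format-List
Test-AppliedAuditCsv     | Format-List

$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} required subcategories are not at 'Success and Failure'" -f $failed.Count)
}
```

Run it once, then run `gpupdate /force` and run it again: if the subcategories are compliant right after the refresh but the override check fails, the flip back to false is the legacy-category precedence issue from the linked article rather than a problem with the GPO link itself. If audit.csv never appears, look at the GPO link and filtering on the Domain Controllers OU before touching the audit settings themselves.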