Microsoft Advanced Auditing for Defender for Identity

Anonymous
2024-08-29T14:20:21+00:00

We are attempting to set up Defender Identity on our domain controllers. We are getting errors claiming that Directory Services Advanced Auditing is not enabled.

Please enable the Directory Services Advanced Auditing events according to the guidance as described in https://aka.ms/mdi/advancedaudit

We ran the readiness report and found that Advanced Auditing is set to false despite changes we made to group policy to turn it on. We followed the article below by creating a brand new policy and binding it to the domain controllers: https://learn.microsoft.com/en-us/defender-for-identity/deploy/configure-windows-event-collection#configure-advanced-audit-policy-settings

I saw an article from Reddit which pointed to the following:

https://www.reddit.com/r/sysadmin/comments/17kvooe/advanced_audit_policy_configurations_not_showing/

https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/security-auditing-settings-not-applied-when-deploy-domain-based-policy

 


When we run the Get-MDIConfiguration command on the domain, advanced auditing and NTLM auditing are set to true on the domain, but whenever we do so for the localmachine, it becomes true and eventually goes back to false.

Our group policies are not set on the default domain policy. They are set on a separate policy that is bound to the domain controllers. When running Set-MDIConfiguration, it auto-created an NTLM policy and an advancedaudit policy. Even with this, advancedaudit is not showing as on when we run the readiness report.

Is anyone familiar with the reason for this and can offer some assistance?

Windows Server Identity and access


1 answer

  1. Anonymous
    2024-08-30T09:10:19+00:00

    Hello Joe Stef,

    Thank you for posting in Microsoft Community forum.

    I checked the link you provided, and I can see:

    b. Under Audit Policies, edit each of the following policies and select Configure the following audit events for both Success and Failure events.

    DS Access (Audit Directory Service Changes and Audit Directory Service Access) also should be configured to both Success and Failure.

    But the command result above only has it configured to "Success".

    You can try to configure DS Access (Audit Directory Service Changes and Audit Directory Service Access) to both Success and Failure, and check the result.

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    1 person found this answer helpful.
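One way to check the point raised in the answer, as an added example that is not part of the original thread or of Microsoft's tooling: parse the CSV report from `auditpol /get /category:* /r` and flag any DS Access subcategory whose effective setting is not "Success and Failure". The function name `Test-DsAccessAuditing` and the sample rows are assumptions made for illustration, and the subcategory names assume English-language `auditpol` output.

```powershell
# Subcategories named in the answer; auditpol lists them without the "Audit " prefix.
$RequiredDsAccess = 'Directory Service Changes', 'Directory Service Access'

function Test-DsAccessAuditing {
    # Hypothetical helper: reports the effective setting per required subcategory.
    param(
        [Parameter(Mandatory)] [string[]] $AuditpolCsv,   # lines from: auditpol /get /category:* /r
        [string[]] $Subcategory = $RequiredDsAccess
    )
    # auditpol emits a blank line around the CSV header, so drop empty lines first.
    $rows = $AuditpolCsv | Where-Object { $_.Trim() } | ConvertFrom-Csv
    foreach ($name in $Subcategory) {
        $row = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $setting = if ($row) { $row.'Inclusion Setting' } else { 'Not reported' }
        [pscustomobject]@{
            Subcategory = $name
            Effective   = $setting
            # "Success" alone is the case the answer points out as insufficient.
            Compliant   = ($setting -eq 'Success and Failure')
        }
    }
}

# Constructed sample (not taken from the poster's screenshots): one subcategory
# set to Success only, the other set to Success and Failure.
$sample = @'
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Directory Service Access,{constructed-guid-1},Success,
DC01,System,Directory Service Changes,{constructed-guid-2},Success and Failure,
'@ -split "`r?`n"

$result = Test-DsAccessAuditing -AuditpolCsv $sample
$result | Format-Table -AutoSize

# Non-zero when any required subcategory is not "Success and Failure".
$failed = @($result | Where-Object { -not $_.Compliant })
"Non-compliant subcategories: $($failed.Count)"

# On a domain controller, from an elevated prompt, check the effective policy instead:
# Test-DsAccessAuditing -AuditpolCsv (auditpol /get /category:* /r)
```

Running the check again after a Group Policy refresh shows whether the effective setting on the domain controller stays at "Success and Failure" or reverts.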