This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 10%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EO%3C/text%3E%3C/svg%3E)
Hi Everyone,
We have followed the following guide from Microsoft in regards to enabling "advanced auditing" for Defender for Identity:
Any ideas?
I am certain have configured our GPO properly (but you never know):
Here are the results of running "auditpol /get /category:*" on one of the servers that this policy has been applied to:
As always, thanks for the help!
I just ran the Test-MdiReadiness.ps1 script:
And in the corresponding .JSON file I have this error message:
I am starting to think that the issue is with the sensor itself and not my GPO policies because I ran this script locally on a DC.
Edit: I opened a issue ticket with the script creators to see if they have any insights:
https://github.com/microsoft/Microsoft-Defender-for-Identity/issues/7
Edit 2: Running the script was flagged by "Microsoft Defender for Identity" which never happened before so I wonder if the sensors are working now properly since I changed the policies to run out of "Default Domain Controllers Policy" GPO.
Just made some headway with this issue; the auditing policies are on and there is an issue with the sensor not being able to see that the auditing policies are turned on.
I had a look at the previously shared script above and found out what policies that had to be turned on:
Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Setting Value System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},Success and Failure,3 System,Distribution Group Management,{0CCE9238-69AE-11D9-BED3-505054503030},Success and Failure,3 System,Security Group Management,{0CCE9237-69AE-11D9-BED3-505054503030},Success and Failure,3 System,Computer Account Management,{0CCE9236-69AE-11D9-BED3-505054503030},Success and Failure,3 System,User Account Management,{0CCE9235-69AE-11D9-BED3-505054503030},Success and Failure,3 System,Directory Service Access,{0CCE923B-69AE-11D9-BED3-505054503030},Success and Failure,3 System,Directory Service Changes,{0CCE923C-69AE-11D9-BED3-505054503030},Success and Failure,3 System,Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030},Success and Failure,3
Here is the results of AuditPol on my one DC (which shows that the required policies are enabled):
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting,Setting Value DomainController,System,IPsec Driver,{0CCE9213-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,System Integrity,{0CCE9212-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Security System Extension,{0CCE9211-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Security State Change,{0CCE9210-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,Other System Events,{0CCE9214-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Group Membership,{0CCE9249-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,User / Device Claims,{0CCE9247-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Network Policy Server,{0CCE9243-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Other Logon/Logoff Events,{0CCE921C-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Special Logon,{0CCE921B-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,IPsec Extended Mode,{0CCE921A-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,IPsec Quick Mode,{0CCE9219-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,IPsec Main Mode,{0CCE9218-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Account Lockout,{0CCE9217-69AE-11D9-BED3-505054503030},Failure,,2 DomainController,System,Logoff,{0CCE9216-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Logon,{0CCE9215-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Handle Manipulation,{0CCE9223-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Central Policy Staging,{0CCE9246-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Removable Storage,{0CCE9245-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Detailed File Share,{0CCE9244-69AE-11D9-BED3-505054503030},Failure,,2 DomainController,System,Other Object Access Events,{0CCE9227-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Filtering Platform Connection,{0CCE9226-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Filtering Platform Packet Drop,{0CCE9225-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,File Share,{0CCE9224-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Application Generated,{0CCE9222-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Certification Services,{0CCE9221-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,SAM,{0CCE9220-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Kernel Object,{0CCE921F-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Registry,{0CCE921E-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,File System,{0CCE921D-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Other Privilege Use Events,{0CCE922A-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Non Sensitive Privilege Use,{0CCE9229-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Sensitive Privilege Use,{0CCE9228-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,RPC Events,{0CCE922E-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Token Right Adjusted Events,{0CCE924A-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Process Creation,{0CCE922B-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,Process Termination,{0CCE922C-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Plug and Play Events,{0CCE9248-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,DPAPI Activity,{0CCE922D-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Other Policy Change Events,{0CCE9234-69AE-11D9-BED3-505054503030},Failure,,2 DomainController,System,Authentication Policy Change,{0CCE9230-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,Audit Policy Change,{0CCE922F-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,Filtering Platform Policy Change,{0CCE9233-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Authorization Policy Change,{0CCE9231-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,MPSSVC Rule-Level Policy Change,{0CCE9232-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Other Account Management Events,{0CCE923A-69AE-11D9-BED3-505054503030},Success,,1 DomainController,System,Application Group Management,{0CCE9239-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Distribution Group Management,{0CCE9238-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Security Group Management,{0CCE9237-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Computer Account Management,{0CCE9236-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,User Account Management,{0CCE9235-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Directory Service Replication,{0CCE923D-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Directory Service Access,{0CCE923B-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Detailed Directory Service Replication,{0CCE923E-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Directory Service Changes,{0CCE923C-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Other Account Logon Events,{0CCE9241-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Kerberos Service Ticket Operations,{0CCE9240-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,System,Credential Validation,{0CCE923F-69AE-11D9-BED3-505054503030},Success and Failure,,3 DomainController,System,Kerberos Authentication Service,{0CCE9242-69AE-11D9-BED3-505054503030},No Auditing,,0 DomainController,,Option:CrashOnAuditFail,,Disabled,,0 DomainController,,Option:FullPrivilegeAuditing,,Disabled,,0 DomainController,,Option:AuditBaseObjects,,Disabled,,0 DomainController,,Option:AuditBaseDirectories,,Disabled,,0 DomainController,,FileGlobalSacl,,,, DomainController,,RegistryGlobalSacl,,,,
Opened a ticket with Microsoft support, will see what they say.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Hello
Thank you for your question and reaching out.
Please check below steps and make sure you have checked all relevant event log entries to be enabled for GPO.
--If the reply is helpful, please Upvote and Accept as answer--
Thanks for the link, however I have just confirmed that the relevant logs are on found on my DCs (that was applied via my GPO):
What I just did, was push the policies again from the "Default Domain Controllers Policy" GPO instead of the separate one I had created to see if that fixes the issue.
Edit: Pushing the polices to "Default Domain Controllers Policy" GPO, instead of a separate GPO, is what fixed it. I guess this is a super common bug with enabling Advanced Audit that has been resolved.