
I have created a script that deletes a file and updates some advanced auditing settings using auditpol. However, whenever the computer gets reset, those auditpol changes get reset as well. Is there any way of preventing this? What could cause that to happen? After doing some extensive research, most if not all answers I found went down the path of deleting some audit.csv files in the system path, which has some unintended consequences for me. Generally speaking, those deletions completely removed all of the auditpol settings altogether. The main post that my search always led back to is here.

All I want is for my auditpol settings to persist. Otherwise, I will have to write a script to automatically apply those settings after every reboot, which I certainly don't want to have to do.

Another common fix to these types of problems I have seen is ensuring the registry setting to force advanced audit settings to override the legacy ones is enabled, which it is. I don't have any problems actually changing the advanced audit policy, just having it actually remain after rebooting.

Edit:

To give more background, the changes I am making are part of the Windows 10 STIG. Here is a link to one of the items in the STIG. You can see in the "fix text" that you should change these values in the policy editor. Unlike others where you can change them via the registry value. Is it not possible at all to modify a registry value to update these particular policy settings?

  • You should use Group Policy to change audit policy: docs.microsoft.com/en-us/windows/security/threat-protection/…
    – Swisstone
    Jun 16, 2020 at 17:02
  • I would if I could. And I have tested that to see if the changes persist through reboot, which they do. But my task is to make these changes in an update/install script that we are sending to the client.
    – Dave
    Jun 16, 2020 at 17:05
  • Is there really no answer to this? I can't find anything that tells me what could be overriding it. And apparently there are no registry keys that I can directly modify that auditpol uses that can work as an alternative. I need to also do this in a script. What else can be done? The only thing I find when researching this is people who are trying to reset the changes auditpol has done. I am trying to do the opposite. I need auditpol to persist.
    – Dave
    Jun 26, 2020 at 22:06
  • Please share your script so we can try to answer "why".
    – SamErde
    Jun 27, 2020 at 0:01
  • The script only runs the basic auditpol commands: auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable etc. for every policy that needs to get updated with their various configurations. That is the only thing that the script does (except for changing two registry keys), and the STIG passes. After reboot, it fails. I will be looking more into exactly what "passing the test" means with our cyber security guy on Monday.
    – Dave
    Jun 27, 2020 at 0:25

1 Answer

I reviewed one of my previous environments that followed DISA STIGs. The way that we complied with this requirement was to create a batch file with the required auditpol commands and then drop that batch file into a GPO startup script under Computer Configuration.

  • Thanks for the response. I ended up just modifying the audit.csv file. My original idea was to do something similar to what you mentioned, but when I asked about it they said that would only be a last possibility.
    – Dave
    Jul 8, 2020 at 0:35
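The kind of script the answer describes, as an added example (not the answerer's batch file and not part of the original thread). It is PowerShell rather than batch, applies a list of advanced audit subcategory settings with auditpol, sets the "force subcategory settings to override legacy category settings" registry value the question refers to, and then reads every subcategory back so a failed apply is caught immediately instead of at the next STIG scan. The three subcategories listed are an illustrative selection, not the STIG's full set; "Other Logon/Logoff Events" is the one quoted in the comments. It must run elevated, for example as a GPO computer startup script.

```powershell
# Added example, not from the original post. Applies advanced audit policy
# settings with auditpol and verifies them. Run as SYSTEM or an administrator.

# Illustrative subset of subcategories (assumption: your STIG list will be longer).
$settings = @(
    @{ Subcategory = 'Other Logon/Logoff Events'; Success = 'enable'; Failure = 'enable'  },
    @{ Subcategory = 'Logon';                     Success = 'enable'; Failure = 'enable'  },
    @{ Subcategory = 'Security State Change';     Success = 'enable'; Failure = 'disable' }
)

# "Audit: Force audit policy subcategory settings to override audit policy
# category settings" lives here; without it the nine legacy categories can
# overwrite the subcategory values you set below.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
Set-ItemProperty -Path $lsaKey -Name 'SCENoApplyLegacyAuditPolicy' -Value 1 -Type DWord

# Apply each subcategory and stop on the first failure.
foreach ($s in $settings) {
    & auditpol.exe /set /subcategory:"$($s.Subcategory)" `
        /success:$($s.Success) /failure:$($s.Failure) | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "auditpol /set failed for subcategory '$($s.Subcategory)'"
    }
}

# auditpol /get ... /r prints CSV (after a blank line); the "Inclusion Setting"
# column is one of "Success and Failure", "Success", "Failure", "No Auditing".
function Get-AuditInclusionSetting {
    param([Parameter(Mandatory)][string]$Subcategory)
    $rows = & auditpol.exe /get /subcategory:"$Subcategory" /r |
        Where-Object { $_ -match '\S' } |
        ConvertFrom-Csv
    return ($rows | Select-Object -First 1).'Inclusion Setting'
}

# Translate the enable/disable pair we asked for into the string auditpol reports.
function Get-ExpectedInclusionSetting {
    param([string]$Success, [string]$Failure)
    switch ("$Success/$Failure") {
        'enable/enable'  { return 'Success and Failure' }
        'enable/disable' { return 'Success' }
        'disable/enable' { return 'Failure' }
        default          { return 'No Auditing' }
    }
}

$failed = 0
foreach ($s in $settings) {
    $expected = Get-ExpectedInclusionSetting -Success $s.Success -Failure $s.Failure
    $actual   = Get-AuditInclusionSetting -Subcategory $s.Subcategory
    if ($actual -ne $expected) {
        Write-Warning "$($s.Subcategory): expected '$expected', got '$actual'"
        $failed++
    } else {
        Write-Output "$($s.Subcategory): OK ($actual)"
    }
}

# Keep a copy of the effective policy for comparison after the next reboot.
& auditpol.exe /backup /file:"$env:ProgramData\audit-policy-applied.csv" | Out-Null

exit $failed
```

Running the same read-back loop after a reboot, before the apply step, shows which subcategories actually reverted and is cheaper than waiting for the STIG checker; comparing that output against the backup file written at the end tells you exactly what changed. The registry value is a real Windows setting (HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SCENoApplyLegacyAuditPolicy), the same one the question says is already enabled; the file path under ProgramData is an assumption for the example.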
