I have created a script that deletes a file and updates some advanced auditing settings using auditpol. However, whenever the computer gets reset, those auditpol changes get reset as well. Is there any way of preventing this? What could cause that to happen? After doing some extensive research, most if not all answers I found went down the path of deleting some audit.csv files in the system path, which has some unintended consequences for me. Generally speaking, those deletions completely removed all of the auditpol settings altogether. The main post that my search always led back to is here.
All I want is for my auditpol settings to persist. Otherwise, I will have to write a script to automatically apply those settings after every reboot, which I certainly don't want to have to do.
Another common fix to these types of problems I have seen is ensuring the registry setting to force advanced audit settings to override the legacy ones is enabled, which it is. I don't have any problems actually changing the advanced audit policy, just having it actually remain after rebooting.
Edit:
To give more background, the changes I am making are part of the Windows 10 STIG. Here is a link to one of the items in the STIG. You can see in the "fix text" that you should change these values in the policy editor, unlike others where you can change them via the registry value. Is it not possible at all to modify a registry value to update these particular policy settings?
auditpol /set /subcategory:"Other Logon/Logoff Events" /success:enable /failure:enable
etc. for every policy that needs to get updated with their various configurations. That is the only thing that the script does (except for changing two registry keys) and the STIG passes. After reboot, it fails. I will be looking more into exactly what "passing the test" means with our cyber security guy on Monday.
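
One way to see exactly which subcategories differ before and after a reboot, added here as an example and not part of the original post: parse the CSV that `auditpol /get /category:* /r` emits and compare it to a baseline. The function name `Compare-AuditBaseline`, the baseline table and the sample rows are assumptions made for illustration, and the check assumes English-language auditpol output.

```powershell
# Added example (not from the post): report drift between the effective
# audit policy and an expected baseline.
# Baseline holds only the subcategory named in the post; extend as needed.
$Baseline = @{
    'Other Logon/Logoff Events' = 'Success and Failure'  # /success:enable /failure:enable
}

function Compare-AuditBaseline {
    param(
        [string[]]  $CsvLines,   # lines of "auditpol /get /category:* /r" output
        [hashtable] $Expected    # subcategory name -> expected Inclusion Setting
    )
    # The /r report can contain blank lines; drop them before CSV parsing.
    $rows = $CsvLines | Where-Object { $_.Trim() } | ConvertFrom-Csv
    foreach ($name in $Expected.Keys) {
        $row    = $rows | Where-Object { $_.Subcategory -eq $name } | Select-Object -First 1
        $actual = if ($row) { $row.'Inclusion Setting' } else { '<missing>' }
        [pscustomobject]@{
            Subcategory = $name
            Expected    = $Expected[$name]
            Actual      = $actual
            Compliant   = ($actual -eq $Expected[$name])
        }
    }
}

# Constructed sample of a post-reboot report (machine name and GUID are placeholders).
$sample = @(
    'Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting'
    ''
    'WS01,System,Other Logon/Logoff Events,{00000000-0000-0000-0000-000000000000},No Auditing,'
)
Compare-AuditBaseline -CsvLines $sample -Expected $Baseline | Format-Table -AutoSize

# Live use from an elevated prompt, once after the script runs and once after reboot:
# Compare-AuditBaseline -CsvLines (auditpol /get /category:* /r) -Expected $Baseline
```

Saving the two live reports side by side shows whether every subcategory reverts or only some of them.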