Merge pull request #5775 from AbbyMSFT/automatic-windows-auditing

Ruchika-mittal01 · web-flow · commit 2f182a621562 · 2025-12-02T01:27:03.000+05:30
Remove docs for automatic windows auditing
diff --git a/defender-for-identity/deploy/configure-windows-event-collection.md b/defender-for-identity/deploy/configure-windows-event-collection.md
@@ -9,58 +9,44 @@ ms.reviewer: rlitinsky
 # Configure audit policies for Windows event logs
 
 Defender for Identity detections rely on specific Windows event log entries to enhance detections and provide extra information about the users performing specific actions, such as NTLM sign-ins and security group modifications. 
-This article describes how to optimally configure the Advanced Audit Policy settings on your domain controllers to avoid gaps in the event logs and incomplete Defender for Identity coverage.
+This article describes how to configure the advanced audit policy settings to avoid gaps in the event logs and incomplete Defender for Identity coverage.
 
-## Configure Windows event auditing with the Defender for Identity sensor v3.x
-
-Defender for Identity sensor v3.x offers preview feature that allows automatically configure Windows event auditing on your domain controllers, applying the required Windows event auditing settings to new sensors, and fixing misconfigurations on existing ones.
-
-To turn on automatic windows auditing:
-1. In the [Microsoft Defender portal](https://security.microsoft.com), go to **Settings**, and then **Identities**. 
-1. In the **General** section, select **Advanced features**.
-1. Turn on **Automatic Windows auditing configuration**.​
- 
-If you do not select automatic Windows auditing configuration, you must manually configure Windows event auditing in the Defender portal or using PowerShell.
-
-## Configure Windows event auditing with the Defender for Identity sensor v2.x
-
-Configure Windows event auditing on your domain controllers to support Defender for Identity detections. 
-Defender for Identity generates health issues for each of these scenarios if they're detected. For more information, see [Microsoft Defender for Identity health issues](../health-alerts.md).
+Defender for Identity generates health alerts when it detects incorrect windows event auditing configurations. For more information, see [Microsoft Defender for Identity health alerts](../health-alerts.md).
 
 ## Prerequisites
 
-- Before you run Defender for Identity PowerShell commands, make sure that you download the [Defender for Identity PowerShell module](https://www.powershellgallery.com/packages/DefenderForIdentity/).
+If you are using the Active Directory PowerShell module to configure a domain controller, make sure that you download the [Defender for Identity PowerShell module](https://www.powershellgallery.com/packages/DefenderForIdentity/). 
+
 > [!NOTE]
-> The Active Directory PowerShell module is required when configuring Defender for Identity on domain controllers. It isn’t required on ADCS servers running the Certification Authority Role Service.
+> The Active Directory PowerShell module is only required when configuring Defender for Identity on domain controllers. It isn’t required on AD CS servers running the Certification Authority Role Service.
 
-## Generate a report of current configurations via PowerShell
+## Generate a report of current configurations using PowerShell
 
 Before you start creating new event and audit policies, we recommend that you run the following PowerShell command to generate a report of your current domain configurations:
 
 ```powershell
 New-MDIConfigurationReport -Path "C:\Reports" -Mode Domain -Identity "DOMAIN\ServiceAccountName" -OpenHtmlReport
 ```
-
-> [!NOTE]
-> When using `-Mode Domain`, include the `-Identity` parameter to avoid an interactive prompt.
-> For more information, see: [New-MDIConfigurationReport](/powershell/module/defenderforidentity/new-mdiconfigurationreport?view=defenderforidentity-latest&preserve-view=true).
-
-In the preceding command:
+Where:
 
 - `Path` specifies the path to save the reports to.
 - `Mode` specifies whether you want to use `Domain` or `LocalMachine` mode. In `Domain` mode, the settings are collected from the Group Policy objects (GPOs). In `LocalMachine` mode, the settings are collected from the local machine.
+
+    The `Domain` mode report includes only configurations set as group policies on the domain. If you have settings defined locally on your domain controllers, we recommend that you also run the [Test-MdiReadiness.ps1](https://github.com/microsoft/Microsoft-Defender-for-Identity/tree/main/Test-MdiReadiness) script.
+
 - `OpenHtmlReport` opens the HTML report after the report is generated.
 
+> [!NOTE]
+> When using `-Mode Domain`, include the `-Identity` parameter to avoid an interactive prompt.
+> For more information, see: [New-MDIConfigurationReport](/powershell/module/defenderforidentity/new-mdiconfigurationreport?view=defenderforidentity-latest&preserve-view=true).
+
 For example, to generate a report and open it in your default browser, run the following command:
 
 ```powershell
 New-MDIConfigurationReport -Path "C:\Reports" -Mode Domain -OpenHtmlReport
 ```
 
-For more information, see the [DefenderforIdentity PowerShell reference](/powershell/module/defenderforidentity/new-mdiconfigurationreport).
-
-> [!TIP]
-> The `Domain` mode report includes only configurations set as group policies on the domain. If you have settings defined locally on your domain controllers, we recommend that you also run the [Test-MdiReadiness.ps1](https://github.com/microsoft/Microsoft-Defender-for-Identity/tree/main/Test-MdiReadiness) script.
+For more information, see the [Defender for Identity PowerShell reference](/powershell/module/defenderforidentity/new-mdiconfigurationreport).
 
 ## Configure Windows event auditing for domain controllers
 
@@ -72,16 +58,12 @@ Update your Advanced Audit Policy settings and extra configurations for specific
 
 For more information, see [Advanced security auditing FAQ](/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/advanced-security-auditing-faq).
 
-Use the following procedures to configure auditing on the domain controllers that you're using with Defender for Identity.
+You can configure auditing on the domain controllers either in the portal or using PowerShell.
 
-### Configure Advanced Audit Policy settings from the UI
+### Configure Advanced Audit Policy settings in the Defender portal
 
 This procedure describes how to modify your domain controller's Advanced Audit Policy settings as needed for Defender for Identity via the UI.
 
-**Related health issue:** [Directory Services Advanced Auditing isn't enabled as required](../health-alerts.md)
-
-To configure your Advanced Audit Policy settings:
-
 1. Sign in to the server as **Domain Administrator**.
 1. Open the Group Policy Management Editor from **Server Manager** > **Tools** > **Group Policy Management**.
 1. Expand **Domain Controllers Organizational Units**, right-click **Default Domain Controllers Policy**, and then select **Edit**.
@@ -118,7 +100,6 @@ To configure your Advanced Audit Policy settings:
         ![Screenshot of the Audit Security Group Management Properties dialog.](../media/advanced-audit-policy-check-step-4.png)
 
 1. From an elevated command prompt, enter `gpupdate`.
-
 1. After you apply the policy via GPO, confirm that the new events appear in the Event Viewer, under **Windows Logs** > **Security**.
 
     To test your audit policies from the command line, run the following command:
@@ -129,12 +110,10 @@ To configure your Advanced Audit Policy settings:
 
 For more information, see the [auditpol reference documentation](/windows-server/administration/windows-commands/auditpol).
 
-### Configure Advanced Audit Policy settings by using PowerShell
+### Configure Advanced Audit Policy settings using PowerShell
 
 The following actions describe how to modify your domain controller's Advanced Audit Policy settings as needed for Defender for Identity by using PowerShell.
 
-**Related health issue:** [Directory Services Advanced Auditing isn't enabled as required](../health-alerts.md)
-
 The following command defines all settings for the domain, creates group policy objects, and links them.
 
 ```powershell
@@ -147,7 +126,7 @@ To configure your settings, run:
 Set-MDIConfiguration [-Mode] <String> [-Configuration] <String[]> [-CreateGpoDisabled] [-SkipGpoLink] [-Force]
 ```
 
-In the preceding command:
+Where:
 
 - `Mode` specifies whether you want to use `Domain` or `LocalMachine` mode. In `Domain` mode, the settings are collected from the Group Policy objects. In `LocalMachine` mode, the settings are collected from the local machine.
 - `Configuration` specifies which configuration to set. Use `All` to set all configurations.
@@ -161,7 +140,7 @@ To view your audit policies, use the `Get-MDIConfiguration` command to show curr
 Get-MDIConfiguration [-Mode] <String> [-Configuration] <String[]>
 ```
 
-In the preceding command:
+Where:
 
 - `Mode` specifies whether you want to use `Domain` or `LocalMachine` mode. In `Domain` mode, the settings are collected from the Group Policy objects. In `LocalMachine` mode, the settings are collected from the local machine.
 - `Configuration` specifies which configuration to get. Use `All` to get all configurations.
@@ -172,7 +151,7 @@ To test your audit policies, use the `Test-MDIConfiguration` command to get a `t
 Test-MDIConfiguration [-Mode] <String> [-Configuration] <String[]>
 ```
 
-In the preceding command:
+Where:
 
 - `Mode` specifies whether you want to use `Domain` or `LocalMachine` mode. In `Domain` mode, the settings are collected from the Group Policy objects. In `LocalMachine` mode, the settings are collected from the local machine.
 - `Configuration` specifies which configuration to test. Use `All` to test all configurations.
@@ -183,20 +162,16 @@ For more information, see the following [DefenderForIdentity PowerShell referenc
 - [Get-MDIConfiguration](/powershell/module/defenderforidentity/get-mdiconfiguration)
 - [Test-MDIConfiguration](/powershell/module/defenderforidentity/test-mdiconfiguration)
 
-### Configure NTLM auditing
+## Configure NTLM auditing
 
-This section describes the extra configuration steps that you need for auditing Windows event 8004.
+When a Defender for Identity sensor parses Windows event 8004, Defender for Identity NTLM authentication activities are enriched with the server-accessed data. This section describes the extra configuration steps that you need for auditing Windows event 8004.
 
 > [!NOTE]
->
 > - Domain group policies to collect Windows event 8004 should be applied *only* to domain controllers.
-> - When a Defender for Identity sensor parses Windows event 8004, Defender for Identity NTLM authentication activities are enriched with the server-accessed data.
-
-**Related health issue:** [NTLM Auditing isn't enabled](../health-alerts.md)
 
 To configure NTLM auditing:
 
-1. After you configure your initial Advanced Audit Policy settings (via the [UI](#configure-advanced-audit-policy-settings-from-the-ui) or [PowerShell](#configure-advanced-audit-policy-settings-by-using-powershell)), open **Group Policy Management**. Then go to **Default Domain Controllers Policy** > **Local Policies** > **Security Options**.
+1. After you configure your initial Advanced Audit Policy settings in the [Defender portal](#configure-advanced-audit-policy-settings-in-the-defender-portal) or [using PowerShell](#configure-advanced-audit-policy-settings-using-powershell), open **Group Policy Management**. Then go to **Default Domain Controllers Policy** > **Local Policies** > **Security Options**.
 
 1. Configure the specified security policies as follows:
 
@@ -210,14 +185,11 @@ For example, to configure **Outgoing NTLM traffic to remote servers**, under **S
 
 :::image type="content" source="../media/advanced-audit-policy-check-step-3.png" alt-text="Screenshot of the audit configuration for outgoing NTLM traffic to remote servers." border="false":::
 
-### Configure domain object auditing
+## Configure domain object auditing
 
 To collect events for object changes, such as for event 4662, you must also configure object auditing on the user, group, computer, and other objects. The following procedure describes how to enable auditing in the Active Directory domain.
 
-> [!IMPORTANT]
-> Review and audit your policies (via the [UI](#configure-advanced-audit-policy-settings-from-the-ui) or [PowerShell](#configure-advanced-audit-policy-settings-by-using-powershell)) before you enable event collection, to ensure that the domain controllers are properly configured to record the necessary events. If this auditing is configured properly, it should have a minimal effect on server performance.
-
-**Related health issue:** [Directory Services Object Auditing isn't enabled as required](../health-alerts.md)
+To ensure that the domain controllers are properly configured to record the necessary events, review and audit your policies in the [Defender portal](#configure-advanced-audit-policy-settings-in-the-defender-portal) or [using PowerShell](#configure-advanced-audit-policy-settings-using-powershell) before you enable event collection. If auditing is configured properly, it has minimal effect on server performance.
 
 To configure domain object auditing:
 
@@ -244,7 +216,7 @@ To configure domain object auditing:
 
     ![Screenshot of entering an object name of Everyone.](../media/select-everyone.png)
 
-1. You then return to **Auditing Entry**. Make the following selections:
+1. Go back to **Auditing Entry**, and make the following selections:
 
     1. For **Type**, select **Success**.
     1. For **Applies to**, select **Descendant User objects**.
@@ -268,17 +240,14 @@ To configure domain object auditing:
    - **Descendant msDS-DelegatedManagedServiceAccount Objects** <sup>2</sup>
 
 > [!NOTE]
-> 1. Assigning the auditing permissions on **All descendant objects** would also work, but you need only the object types detailed in the last step.
-> 2. The **msDS-DelegatedManagedServiceAccount** class is relevant only for domains running at least one Windows Server 2025 domain controller.
+> - You could also assign auditing permissions on **All descendant objects**, using only the object types detailed in the last step.
+> - The **msDS-DelegatedManagedServiceAccount** class is relevant only for domains running at least one Windows Server 2025 domain controller.
 
 ## Configure auditing on AD FS
 
-**Related health issue:** [Auditing on the AD FS container is not enabled as required](../health-alerts.md)
-
 To configure auditing on Active Directory Federation Services (AD FS):
 
 1. Go to the **Active Directory Users and Computers** console, and select the domain where you want to enable the logs.
-
 1. Go to **Program Data** > **Microsoft** > **ADFS**.
 
     ![Screenshot of a container for Active Directory Federation Services.](../media/adfs-container.png)
@@ -322,12 +291,9 @@ If you're working with a dedicated server that has Active Directory Certificate
 
      ```cmd
      certutil –setreg CA\AuditFilter 127 
-   
-   
      net stop certsvc && net start certsvc
-     ````
-
-   - To configure CA auditing by using the GUI:
+    ```
+   - To configure CA auditing in the Defender portal:
 
      1. Select **Start** > **Certification Authority (MMC Desktop application)**. Right-click your CA's name and select **Properties**.
 
@@ -352,19 +318,13 @@ To configure auditing on Microsoft Entra Connect servers:
 
 ![Screenshot of the Group Policy Management Editor.](media/configure-windows-event-collection/image.png)
 
-## Configure auditing on the configuration container
-<a name="enable-auditing-on-an-exchange-object"></a>
+## Configure auditing on the configuration container<a name="enable-auditing-on-an-exchange-object"></a>
 
->[!NOTE]
-> The configuration container audit is required only for environments that currently have or previously had Microsoft Exchange, as these environments have an Exchange container located within the domain's Configuration section.
+The configuration container audit is required only for environments that currently have or previously had Microsoft Exchange, as these environments have an Exchange container located within the domain's Configuration section.
 
-**Related health issue:** [Auditing on the Configuration container is not enabled as required](../health-alerts.md)
 1. Open the ADSI Edit tool. Select **Start** > **Run**, enter `ADSIEdit.msc`, and then select **OK**.
-
 1. On the **Action** menu, select **Connect to**.
-
 1. In the **Connection Settings** dialog, under **Select a well known Naming Context**, select **Configuration** > **OK**.
-
 1. Expand the **Configuration** container to show the **Configuration** node, which begins with **"CN=Configuration,DC=..."**.
 
     :::image type="content" source="../media/cn-configuration.png" alt-text="Screenshot of selections for opening properties for the CN Configuration node.":::
@@ -374,21 +334,15 @@ To configure auditing on Microsoft Entra Connect servers:
     ![Screenshot of selections for opening properties for the Configuration node.](../media/configuration-properties.png)
 
 1. Select the **Security** tab, and then select **Advanced**.
-
 1. In **Advanced Security Settings**, select the **Auditing** tab, and then select **Add**.
-
 1. Choose **Select a principal**.
-
 1. Under **Enter the object name to select**, enter **Everyone**. Then select **Check Names** > **OK**.
-
 1. You then return to **Auditing Entry**. Make the following selections:
-
     - For **Type**, select **All**.
     - For **Applies to**, select **This object and all descendant objects**.
     - Under **Permissions**, scroll down and select **Clear all**. Scroll up and select **Write all properties**.
 
     ![Screenshot of the auditing settings for the Configuration container.](../media/audit-configuration.png)
-
 1. Select **OK**.
 
 ## Update legacy configurations
diff --git a/defender-for-identity/deploy/prerequisites-sensor-version-3.md b/defender-for-identity/deploy/prerequisites-sensor-version-3.md
@@ -101,8 +101,7 @@ Learn more about Asset Management Rule [here](/defender-xdr/configure-asset-rule
 
 Defender for Identity detections rely on specific Windows event log entries to enhance detections and provide extra information about the users performing specific actions, such as NTLM sign-ins and security group modifications.
 
-The Defender for Identity sensor v3.x can offer preview feature that allows automatically configure Windows event auditing on your domain controllers, applying the required Windows event auditing settings to new sensors, and fixing misconfigurations on existing ones. See [Configure auditing with the Defender for Identity sensor v3.x](configure-windows-event-collection.md#configure-windows-event-auditing-with-the-defender-for-identity-sensor-v3x).
-If you do not select automatic Windows auditing configuration, you must [manually configure Windows event auditing](configure-windows-event-collection.md) in the Defender portal or using PowerShell. 
+For more information about configuring windows event auditing in the Defender portal or using PowerShell, see [Configure Windows event auditing](configure-windows-event-collection.md).
  
 ## Test your prerequisites
 
diff --git a/defender-for-identity/whats-new.md b/defender-for-identity/whats-new.md
