Forum Discussion
Azure ATP & Your Advanced Audit Policy
I also see the same behavior. For me, it looks like a bug in how Azure ATP detects that the GPO is missing. In my lab, I also edited the Default Domain Controller Policy, but the alert still stays in the Azure ATP console.
However, after I edited the local GPO directly on each domain controller (using gpedit.msc), the alert went away. Either the documentation is not correct, or there's something wrong with how the portal detects whether advanced auditing is turned on or off.
- EliOfek, Sep 08, 2018 (Microsoft)
Can you navigate to this path:
\\[DomainDnsName]\sysvol\[DomainDnsName]\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\Audit\audit.csv
and let us know in each of the cases if the file existed?
(replace DomainDnsName with your real full DNS name...)
- Paul_Brock, Sep 12, 2018 (Brass Contributor)
Any updates on this? Is the ATP team looking in the wrong location for the policy?
- EliOfek, Sep 12, 2018 (Microsoft)
Yes, it's a bug; a fix is on its way... not sure when it will be deployed yet, so for now I suggest suppressing the alert.
- Ryan Morash, Sep 09, 2018 (Iron Contributor)
I'm able to see the file under \\[DomainDnsName]\SYSVOL\[DomainDnsName]\Policies\{6AC1786C-016F-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\Audit\audit.csv, which is the correct path for the Default Domain Controller Policy, but not the path you shared, which, as Alex Entringer mentioned, appears to be for the Default Domain Policy.
- Alex Entringer, Sep 09, 2018 (Copper Contributor)
Isn't that the wrong GUID for the Default Domain Controllers policy? My understanding is that the GUID you provided is for the Default Domain Policy.
https://support.microsoft.com/en-us/help/556025/how-to-manually-create-default-domain-gpo