We found a great article written by Abhinav Rana on AnoopCnair.com.
It walks through setting up the Audit Credential Validation Policy with Intune’s Settings Catalog, using a Configuration Profile in Intune to deploy the policy.
The Audit Credential Validation Policy audits the events generated when user account logon credentials are validated. The subcategory records the results of the credential validation tests performed during logon attempts. These events occur on the computer that is the authoritative source for the credentials: the Domain Controller for domain accounts, and the local computer for local accounts.
In environments that use a domain, most Account Logon events are logged in the Security log of the Domain Controllers that manage the domain accounts. However, these events can also occur on other computers in the organization, especially when local accounts are used to log in. Events under this subcategory include:
- 4774: An account was mapped for logon.
- 4775: An account could not be mapped for logon.
- 4776: The Domain Controller attempted to validate the credentials for an account.
- 4777: The Domain Controller failed to validate the credentials for an account.
Steps to Create an Audit Credential Validation Policy:
- Accessing Intune Admin Center: Log in to the Intune Admin Center portal at https://intune.microsoft.com/.
- Creating the Profile: Go to Devices > Windows > Configuration profiles and select ‘Create a profile’. Choose ‘Windows 10 and later’ as the platform and ‘Settings catalog’ as the profile type. Click ‘Create’.
- Policy Configuration: In the Basics tab, name the policy “Audit Credential Validation Policy”. You may also add a policy description. Proceed by clicking “Next”.
- Adding Settings: In the Configuration Settings, click ‘Add Settings’ to find the Audit settings. Select the sub-category ‘Account Logon Audit Credential Validation’.
- Setting Options: The Audit Credential Validation setting has options like Off/None, Success, Failure, Success + Failure. It’s recommended to choose ‘Success + Failure’.
- Scope Tags: Assign scope tags to filter the profile for specific IT groups if needed.
- Assigning Groups: In the Assignments section, add groups to the Included Groups and continue to the next step.
- Review and Create: Review your settings and click ‘Create’ to save changes and assign the profile.
- Notification and Verification: Upon successful creation, a notification confirms the action. Verify the policy in the Configuration Profiles list.
- Policy Application: The policy applies to devices when they check in with the Intune service.
- Reporting: In the Intune Portal, view the profile report for an overview of policy deployment status.
- Registry Key Verification: To confirm the deployment, check the registry settings on the target computer. Navigate to the path Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\providers\5B88AEF1-09E8-43BB-B144-7254ACBBDF3E\default\Device\Audit to find the
- Windows CSP Details: Ensure proper configuration of audit settings to balance security needs and performance.
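The verification steps above can be scripted on a target device. The following is an added example, not code from the original article: it lists the values Intune delivered under the PolicyManager Audit key, reads the effective audit setting with auditpol, and shows recent 4776 events. It assumes an elevated PowerShell session, an English-language Windows installation (the subcategory name is localized), and that the provider GUID may differ from the one shown above, so every provider is enumerated.

```powershell
# Added example: confirm the Audit Credential Validation policy reached this device.
# Run from an elevated PowerShell session on the target computer.

# 1. Values delivered by Intune. The provider GUID is assumed to vary per
#    enrollment, so walk every provider instead of hard-coding one.
$root = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\providers'
Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
    $key = Join-Path $_.PSPath 'default\Device\Audit'
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* bookkeeping properties PowerShell adds.
            if ($p.Name -notlike 'PS*') {
                [pscustomobject]@{
                    Provider = $_.PSChildName
                    Setting  = $p.Name
                    Value    = $p.Value   # Audit CSP: 0=Off/None 1=Success 2=Failure 3=Success+Failure
                }
            }
        }
    }
} | Format-Table -AutoSize

# 2. Effective setting as the OS sees it. /r emits CSV; drop blank lines first.
$effective = auditpol.exe /get /subcategory:"Credential Validation" /r |
    Where-Object { $_ } | ConvertFrom-Csv
$state = $effective.'Inclusion Setting'
Write-Output "Effective Credential Validation auditing: $state"
if ($state -ne 'Success and Failure') {
    Write-Warning 'Policy is not yet effective as Success + Failure; wait for the next Intune check-in.'
}

# 3. Recent credential validation events (4776) from the last 24 hours.
#    Status 0x00000000 is a successful validation; anything else is a failure code.
$filter = @{ LogName = 'Security'; Id = 4776; StartTime = (Get-Date).AddHours(-24) }
Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = $_.Properties[1].Value
            Workstation = $_.Properties[2].Value
            Status      = '0x{0:X8}' -f $_.Properties[3].Value
        }
    } | Format-Table -AutoSize
```

On a domain-joined workstation, step 3 only returns events for local accounts; domain account validations are logged on the Domain Controllers.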
Remember, the right audit settings are crucial for security and compliance, especially in regulated industries.
Original article: https://www.anoopcnair.com/intune-audit-credential-validation-policy/