Warning! Audit Deprecated
Information
This policy setting controls whether the process creation command line text is logged in security audit events when a new process has been created.
The recommended state for this setting is: Enabled.
Note: This feature that this setting controls was not originally supported in workstation OSes older than Windows 8.1. However, in February 2015 Microsoft added support for the feature to Windows 7 and Windows 8.0 via an update - KB3004375. Therefore, this setting is also important to set on those older OSes.
Rationale:
Capturing process command line information in event logs can be very valuable when performing forensic investigations of attack incidents.
Impact:
Process command line information will be included in the event logs, which can contain sensitive or private information such as passwords or user data.
Warning: There are potential risks of capturing credentials and sensitive information which could be exposed to users who have read-access to event logs. Microsoft provides a feature called 'Protected Event Logging' to better secure event log data. For assistance with protecting event logging, visit: About Logging Windows - PowerShell | Microsoft Docs.
Solution
To establish the recommended configuration, set the following Device Configuration Policy to Enabled:
To access the Device Configuration Policy from the Intune Home page:
Click Devices
Click Configuration profiles
Click Create profile
Select the platform (Windows 10 and later)
Select the profile (Administrative Templates)
Click Create
Enter a Name
Click Next
Configure the following Setting
Path: Computer Configuration\System\Audit Process Creation
Setting Name: Include command line in process creation events
Configuration: Enabled
Select OK
Continue through the Wizard to complete the creation of the profile (profile assignments, applicability etc.)
Note: More than one configuration setting from each of the Configuration profiles (ex: Administrative Templates, Custom etc.) can be added to each Device Configuration Policy.
Default Value:
Disabled. (Process command line information will not be included in Audit Process Creation events.)