Key Takeaways
- Subcategory settings take priority, giving more detailed control over audit logs.
- Helps track specific activities.
- Useful for meeting security standards.
- Beneficial for tracking and recording system activities.
- Helpful for Intune and Windows 11 for accurate auditing.
Hey, let’s learn about ‘enable advanced audit policy settings in Windows using Intune’. This policy helps to audit the use of backup and restore privileges. Auditing means tracking and recording activities or actions in a system. This security setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy is in effect.
What are the Advantages of this Policy?

Enabling this option when the Audit privilege use policy is also enabled generates an audit event for every file that’s backed up or restored.
1. Avoids policy conflicts
2. Helps to control exactly what gets logged
3. Captures detailed events like specific logon successes or failures.
Enable Advanced Audit Policy Settings in Windows using Intune
Audit the use of the Backup and Restore privilege. This security setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy is in effect.
How to Create a Policy
First, sign in to the Microsoft Intune Admin Center. Go to Devices and select Configuration. Then click the Create drop-down arrow and select New Policy.

Creating the Profile
To create a policy, you must specify the profile type and platform. From this window, you can select profile type as Windows 10 and later and platform as settings catalog.

Basics Tab for Name and Description
On the Basics tab, give an appropriate name and description so that the policy is easy to identify later. In the Name box, enter the policy name (audit the use of backup and restore privilege). A description is not mandatory. Here, I described it as: this security setting determines whether to audit the use of all user privileges.

Configuration Settings in this Policy
On the Configuration settings tab, click Add settings and search for the policy by name in the settings picker. In the search bar, enter the policy name, select the category Local Policies Security Options, and enable the setting name.

Disabling this policy
This policy enables auditing of the use of the Backup and Restore privilege. If you disable this policy, use of the Backup or Restore privilege is not audited even when Audit privilege use is enabled. By default, the policy is disabled. To continue, click Next.

Enabling this Policy
This security setting determines whether to audit the use of all user privileges, including Backup and Restore, when the Audit privilege use policy is in effect. Enabling this option when the Audit privilege use policy is also enabled generates an audit event for every file that is backed up or restored.

Purpose of Scope Tags
A scope tag in Intune is used to control visibility and access to Intune resources based on administrative roles. Scope tags are not mandatory. You can add the scope tag using the select scope tags button. Click Next to continue.

Assignments Tab to Add Group
On the assignments tab, you can select which users or devices get this policy. Under Include Groups, click Add Groups. From the list, select the group that you want to target (HTMD – Test Policy). Then click the Next button to continue.

Review + Create
At the Review + Create step, you can review each tab to avoid misconfiguration or policy failure. After reviewing the details and making any necessary changes by clicking Previous, click Create to finish. A notification confirms that the “audit the use of backup and restore privilege created successfully”.

Monitoring the Status of the Policy
You can check a policy’s status in the Intune portal. Generally, it takes 8 hours for policies to be created. By using the manual sync option, you can reduce the configuration delay in the company portal app on the device, then check the status again. Navigate to Devices > Configuration. Click on the specific policy to see its details.

Client-Side Verification
To confirm whether a policy has been applied, use the Event Viewer on the client device. Go to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin. From the list of events, use the Filter Current Log option and search for Intune event 815.
MDM PolicyManager: Set policy binary, Policy:
(Audit_AuditTheUseOfBackupAndRestoreprivilege), Area: (LocalPoliciesSecurityOptions),
EnrollmentID requesting merge: (EB427D85-802F-46D9-A3E2-D5B414587F63), Current User:
(Device), Enrollment Type: (0x6), Scope: (0x0).

Configuration Service Provider (CSP)
The Policy Configuration Service Provider (CSP) is a feature used by organisations to manage and control settings on Windows 10 and 11 devices. It explains what each policy does, what settings or values can be used, and how it connects to older Group Policy settings (Group Policy Mapping details).
Description framework properties:
| Property name | Property value |
|---|---|
| Format | b64 |
| Access Type | Add, Delete, Get, Replace |
| Default Value | AA== |
Allowed values:
- AQ== – Enable
- AA== (Default) – Disable
Group policy mapping:
| Name | Value |
|---|---|
| Name | Audit: Audit the use of Backup and Restore privilege |
| Path | Windows Settings > Security Settings > Local Policies > Security Options |
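
A client-side check that ties the event 815 lookup to the CSP values listed above, as an added example that is not part of the original article. It assumes the event message format quoted on this page and that the setting is stored in the FullPrivilegeAuditing value under the Lsa registry key; the function name ConvertFrom-Event815Message is made up for this example.

```powershell
# Added example (not from the original article). Run elevated on the enrolled device.
$logName    = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$policyName = 'Audit_AuditTheUseOfBackupAndRestoreprivilege'
$pattern    = 'Policy:\s*\((?<Policy>[^)]+)\),\s*Area:\s*\((?<Area>[^)]+)\),\s*' +
              'EnrollmentID requesting merge:\s*\((?<EnrollmentId>[^)]+)\)'

function ConvertFrom-Event815Message {
    param([Parameter(Mandatory)][string]$Message)
    # Event text can wrap across lines; collapse whitespace before matching.
    $flat = ($Message -replace '\s+', ' ').Trim()
    if ($flat -match $pattern) {
        [pscustomobject]@{ Policy = $Matches.Policy; Area = $Matches.Area
                           EnrollmentId = $Matches.EnrollmentId }
    }
}

# Offline check of the parser against the message text quoted in the article.
$sample = @'
MDM PolicyManager: Set policy binary, Policy:
(Audit_AuditTheUseOfBackupAndRestoreprivilege), Area: (LocalPoliciesSecurityOptions),
EnrollmentID requesting merge: (EB427D85-802F-46D9-A3E2-D5B414587F63), Current User:
(Device), Enrollment Type: (0x6), Scope: (0x0).
'@
ConvertFrom-Event815Message -Message $sample

# 1. Most recent live event 815 that names this policy.
$hit = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 815 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $policyName } |
    Select-Object -First 1
if ($hit) {
    ConvertFrom-Event815Message -Message $hit.Message |
        Add-Member -NotePropertyName TimeCreated -NotePropertyValue $hit.TimeCreated -PassThru
} else {
    Write-Warning "No event 815 for $policyName; sync the device and check again."
}

# 2. Effective value, compared with the CSP allowed values (AQ== / AA==).
#    Assumption: the setting is the FullPrivilegeAuditing REG_BINARY value under Lsa;
#    an absent value is treated as the default (AA==).
$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$bytes = (Get-ItemProperty -Path $lsa -Name FullPrivilegeAuditing -ErrorAction SilentlyContinue).FullPrivilegeAuditing
$b64   = if ($null -ne $bytes) { [Convert]::ToBase64String([byte[]]$bytes) } else { 'AA==' }
$state = switch -CaseSensitive ($b64) { 'AQ==' { 'Enabled' } 'AA==' { 'Disabled' } default { "Unexpected ($b64)" } }
"FullPrivilegeAuditing = $b64 -> $state"

# 3. The setting only produces events while Audit privilege use is in effect.
#    The category name is the English one; it is localized on other display languages.
auditpol.exe /get /category:"Privilege Use"
```

An event 815 alone only shows that the policy was delivered; steps 2 and 3 confirm that the value is set and that privilege use auditing is actually on.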

How to Remove an Assigned Group from this Policy
If you need to remove a group from a policy assignment for security updates, open the policy from the Configuration tab and click the Edit button. Then click the Remove button. Click Review + Save after making the changes.
For detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.

How to Delete this Policy from Intune Portal
If you want to delete this policy for any reason, you can do it easily. First, search for the policy name in the configuration section. When you find the policy name, click the 3-dot menu next to it and tap the Delete option.
For more information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.

Author
Anoop C Nair has been a Microsoft MVP from 2015 onwards for 10 consecutive years. He is a Workplace Solution Architect with 22+ years of experience in Workplace technologies. He is also a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.

