How to Enable Audit Process Creation Command Line Logging in Windows using Intune

Key Takeaways

  • This policy records full command-line details when a program starts.
  • It helps IT teams detect malware and suspicious activity faster.
  • It improves troubleshooting by showing exactly how apps were launched.
  • Log access must be restricted because command lines may contain sensitive data.

Hey, let’s discuss how to enable Audit Process Creation Command Line Logging in Windows using Intune. This policy records the command-line details when a program starts on a Windows device. A process is any app or program that is running.

When enabled, Windows saves how the program was started. This information is stored in the Security Event Log. This policy helps administrators see more details about running programs. It shows not just the app name, but also how it was launched. This improves visibility on devices. It also helps during security investigations.

This policy is useful for security and troubleshooting. If malware runs a hidden command, the full command is logged. IT teams can clearly see what happened. This helps them detect and fix issues faster.

If a device is attacked, a script may run using PowerShell. Without this policy, logs only show that PowerShell started. With this policy enabled, the exact command is recorded. This helps admins respond quickly.
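The difference the policy makes is visible in the Security log. The following PowerShell script is an added example (not from the original post or from Intune) that reads recent process creation events (Event ID 4688) and shows the command line this policy adds; without the policy the CommandLine field is empty and you only learn that powershell.exe ran. It assumes an elevated session on a device where the policy and Process Creation auditing are already on; the list of interpreters to highlight is a constructed, illustrative choice.

```powershell
# Added example: show command lines from Security event 4688.
# Assumes: run as administrator (reading the Security log needs it); the
# $Interpreters list below is only an illustrative filter.
param(
    [int]$Hours = 24,
    [string[]]$Interpreters = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe')
)

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # EventData fields are easier to read from the XML than from the free-text Message.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
        Process     = $data.NewProcessName
        Parent      = $data.ParentProcessName
        CommandLine = $data.CommandLine   # blank when the policy is not enabled
    }
}

# How much of the log actually carries a command line?
$withCmd = @($rows | Where-Object { $_.CommandLine })
$noCmd   = @($rows | Where-Object { -not $_.CommandLine })
Write-Host ("4688 events in the last {0}h: {1} with command line, {2} without" -f $Hours, $withCmd.Count, $noCmd.Count)

# Triage view for investigations: interpreter launches, newest first, with exactly what was run.
$withCmd |
    Where-Object { $Interpreters -contains (Split-Path $_.Process -Leaf) } |
    Sort-Object Time -Descending |
    Select-Object Time, User, Parent, CommandLine |
    Format-Table -AutoSize -Wrap
```

Because the CommandLine field can contain secrets passed as arguments (the point made later in this post), treat the output of this script with the same care as the Security log itself and keep it on the device or in a restricted location.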


What are the Advantages of Enabling this Policy?


Enabling this policy gives IT teams clear visibility into how programs start on a Windows device. It records the exact command used to run an app, which helps improve security and troubleshooting.

1. Helps detect malware and suspicious scripts by logging full command details
2. Makes security investigations easier and faster
3. Provides clear audit logs for compliance and monitoring
4. Helps troubleshoot issues by showing how apps were launched
5. Improves visibility into PowerShell and command prompt usage
6. Helps identify unauthorized or risky commands


Command lines may contain sensitive information like passwords. Anyone with access to logs can see this data. So log access should be restricted. Enable this policy only where strong monitoring is needed.

Create a Profile

First, sign in to the Microsoft Intune admin center. Then, go to Devices > Configuration > Create > New policy. In the next window, select the platform and profile type. Then, click Next to continue.

Platform             | Profile Type
Windows 10 and later | Settings Catalog
How to Enable Audit Process Creation Command Line Logging in Windows using Intune – Table.1
How to Enable Audit Process Creation Command Line Logging in Windows using Intune – Fig.1

Basic Step

You need to enter some basic details, such as the name and a description. For example, I entered the name as Include command line in process creation event. Description is not mandatory. After filling in the details, click Next to continue.

How to Enable Audit Process Creation Command Line Logging in Windows using Intune – Fig.2

Configuration Settings

On this page, click the + Add Settings hyperlink. A settings picker opens that shows the different categories from which you select specific settings. Here, I choose the Administrative Templates\System\Audit Process Creation category and select Include command line in process creation events.

How to Enable Audit Process Creation Command Line Logging in Windows using Intune – Fig.3

Once you have selected this setting and closed the Settings picker, you will see it on the Configuration page. The setting has only two values: Enabled or Disabled. By default, it is set to Disabled. If you want to keep it disabled (blocked), click the Next button.

How to Enable Audit Process Creation Command Line Logging in Windows using Intune – Fig.4

Enable this Policy

To enable the policy, toggle the switch from left to right (Disabled to Enabled). After reviewing or adding more settings, click the Next button to continue.

How to Enable Audit Process Creation Command Line Logging in Windows using Intune – Fig.5

Scope Tag

In Intune, Scope Tags are used to control who can view and modify a policy. The scope tag is not mandatory, so you can skip this section. It functions as a tool for organisation and access management, but assigning it is optional. Click Next if they’re not required for your setup.

How to Enable Audit Process Creation Command Line Logging in Windows using Intune – Fig.6

Assignments

In the Assignments tab, choose the users or devices that will receive the policy: click Add Group under Include Group, select the group you want to target (e.g. HTMD – Test Policy), and then click Next to continue.

How to Enable Audit Process Creation Command Line Logging in Windows using Intune – Fig.7

Review + Create

At the final Review + Create step, we see a summary of all configured settings for the new profile. After reviewing the details (and making any necessary changes by clicking Previous), click Create to finish. A notification confirms that “Include command line in process creation events created successfully”.

How to Enable Audit Process Creation Command Line Logging in Windows using Intune – Fig.8

Monitoring Status

To view a policy’s status, go to Devices > Configuration in the Intune portal, select the policy (Include command line in process creation events) and check that the status shows Succeeded (1).
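Intune showing Succeeded tells you the setting was delivered; it does not tell you that events with command lines are actually being written. The following script is an added example (not from the original post or from Intune) that checks this on the device itself: it reads the registry value the policy writes, confirms that the Process Creation audit subcategory is enabled (the policy only adds the command line to events that auditing already generates), and runs a harmless smoke test. It assumes an elevated PowerShell session; the marker string is constructed for the test.

```powershell
# Added example: verify on the device that command-line logging is really active.
# Assumes: run as administrator (auditpol and the Security log require it).
$regPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
$regName = 'ProcessCreationIncludeCmdLine_Enabled'

# 1. Did the Intune setting land? 1 = Enabled, 0 or missing = Disabled.
$value = (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue).$regName
if ($value -eq 1) {
    Write-Host "Policy applied: command line will be included in process creation events."
} else {
    Write-Warning "Policy not applied (value = '$value'). Check the policy status in Intune and sync the device."
}

# 2. Is the 'Process Creation' audit subcategory on? Without it, no 4688 events are generated
#    at all, so there is nothing for this policy to add a command line to.
$audit   = auditpol /get /subcategory:"Process Creation" /r | ConvertFrom-Csv
$setting = $audit.'Inclusion Setting'
if ($setting -match 'Success') {
    Write-Host "Process Creation auditing is enabled ($setting)."
} else {
    Write-Warning "Process Creation auditing is '$setting'; enable it (Audit settings) or event 4688 will not appear."
}

# 3. Smoke test: start a harmless process with a unique marker and look for it in the log.
$marker = "htmd-cmdline-check-$(Get-Random)"   # constructed test value
Start-Process -FilePath 'cmd.exe' -ArgumentList "/c echo $marker" -WindowStyle Hidden -Wait
Start-Sleep -Seconds 2
$hit = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddMinutes(-1) } -ErrorAction SilentlyContinue |
       Where-Object { $_.Message -like "*$marker*" } | Select-Object -First 1
if ($hit) {
    Write-Host "Verified: event 4688 at $($hit.TimeCreated) contains the test command line."
} else {
    Write-Warning "No 4688 event contained the test command line; wait for the policy to sync and re-run."
}
```

If step 1 passes but step 2 fails, the fix is on the auditing side, not in this profile: the command line is only appended to events that the Process Creation subcategory already produces.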

How to Enable Audit Process Creation Command Line Logging in Windows using Intune – Fig.9

How to Remove Assigned Group from this Policy

Sometimes we need to remove a group from a policy assignment, for example during security updates. Open the policy from the Configuration tab and click the Edit button on the Assignments tab. Click the Remove button in this section to remove the group, then click Review + Save after making the change.

For detailed information, you can refer to our previous post: Learn How to Delete or Remove App Assignment from Intune using a Step-by-Step Guide.

How to Enable Audit Process Creation Command Line Logging in Windows using Intune – Fig.10

How to Delete this Policy from Intune

Deleting an Intune policy for security or operational reasons is simple. I will demonstrate it using the Include command line in process creation events policy. Open the policy, click the three dots, then click the Delete option.


How to Enable Audit Process Creation Command Line Logging in Windows using Intune – Fig.11


Author

Anoop C Nair has been a Microsoft MVP since 2015, for 10 consecutive years! He is a Workplace Solution Architect with more than 22 years of experience in Workplace technologies. He is also a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.
