KBI 312130 – WMI Audit Failure Events Generated When Running Windows Compliance Rule

Sunday, 5 November 2023

Summary

When the Windows Compliance Rule runs against a target machine with limited or disabled remote access to WMI, WMI audit failure events can be generated. These events are a nuisance because they clutter the log and obscure genuine audit failure events.
The cause is that the Windows Compliance Rule checks whether system audits are enabled, and Argent Omega uses WMI to check these settings remotely. When remote WMI access is disallowed, WMI audit failure events are generated as a result.
Argent Omega 2.2A-2310-A adds the option ‘Alert On Audit Policies Not Enabled’. When this option is turned off, the Argent Omega Generator does not perform the WMI check, so these audit failure events are no longer generated.

Technical Background

The Windows Compliance Rule tests the following system audits:

  • AuditPolicyChange (Success)
  • AuditAccountManage (Success)
  • AuditObjectAccess (Success)
  • AuditAccountLogon (Success)
  • AuditAccountLogon (Failure)
  • AuditLogonEvents (Success)
  • AuditLogonEvents (Failure)
  • AuditSystemEvents (Success)
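
With the WMI check turned off, the same eight settings can still be verified on the target itself. The following is an added example, not Argent's code: it parses a local security policy export and reports which of the listed audits are not enabled. The function name, the sample policy text and the use of a secedit export are assumptions of this example, and it covers the legacy category settings only.

```python
import configparser

# The eight audits listed above, as (setting, required flag) pairs.
# Assumption: the export encodes each setting as 0=none, 1=success, 2=failure, 3=both.
SUCCESS, FAILURE = 1, 2
REQUIRED = [
    ("AuditPolicyChange", SUCCESS),
    ("AuditAccountManage", SUCCESS),
    ("AuditObjectAccess", SUCCESS),
    ("AuditAccountLogon", SUCCESS),
    ("AuditAccountLogon", FAILURE),
    ("AuditLogonEvents", SUCCESS),
    ("AuditLogonEvents", FAILURE),
    ("AuditSystemEvents", SUCCESS),
]

# Constructed sample of what this command writes on the target machine:
#   secedit /export /cfg policy.inf /areas SECURITYPOLICY
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Event Audit]
AuditSystemEvents = 1
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 0
AuditPolicyChange = 1
AuditAccountManage = 1
AuditProcessTracking = 0
AuditDSAccess = 0
AuditAccountLogon = 1
[Version]
signature="$CHICAGO$"
Revision=1
"""

def missing_audits(inf_text):
    """Return the required audits that the exported policy does not enable."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep setting names exactly as exported
    parser.read_string(inf_text)
    section = parser["Event Audit"] if parser.has_section("Event Audit") else {}
    missing = []
    for name, flag in REQUIRED:
        value = int(section.get(name, "0"))  # an absent setting counts as not audited
        if not value & flag:
            missing.append(f"{name} ({'Success' if flag == SUCCESS else 'Failure'})")
    return missing
```

A real export is UTF-16, so read it with open(path, encoding="utf-16").read() before passing the text in. Machines configured through advanced audit policy subcategories report their settings through auditpol rather than these legacy values.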

Resolution

Upgrade to Argent Omega 2.2.2310-A or later

For further assistance, please contact Argent on Instant Help at
https://Instanthelp.Argent.com/