Guest jzderadicka Posted October 24, 2019 Posted October 24, 2019 Hi All, Currently having issues with two windows audit settings: - Advanced Auditing\Detailed Tracking\Audit Process Creation - Enabled: Success https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-process-creation - Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Audit: Shut down system immediately if unable to log security audits - Enabled (HKLM:\SYSTEM\CurrentControlSet\Control\Lsa - crashonauditfail = 1) https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits When enabling these settings together, upon a reboot the system blue screens with known state STOP: C0000244 {Audit Failed} and users are not able to login. When logging in as an admin account, the setting for 'crashonauditfail' is in a triggered state (crashonauditfail = 2). The Security Event Log shows event id 1101 with the description 'Audit events have been dropped by the transport. 0'. I tried to disable all other Advanced Audit Settings, leaving only Audit Process Creation - Success but the issue still occurs. The issue can be easily reproduced by setting crashonauditfail = 1 and rebooting the system again. Any help is appreciated. With thanks, Joey More... Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.