Hi team,
I am asked to implement Attack Surface Reduction using SCCM
1. If the below rules are enabled and deployed in Audit Mode then which log file in client to check whether rules enabled or not
a) Block credential stealing from the Windows local security authority subsystem
b) Use advanced protection against ransomware
How to analyze the Event ID 1122 when rule fires in Audit-mode? is the events to be forwarded to centralized location for analysis
Please help to understand.
On one side of sccm, there may be no logs on the details of the reduction of the attack surface, more of endpoint protection.
Yes, you are right. It is suggested to check event viewer. When the user is performing an action that is not allowed as per rule, but set in Audit mode, an entry will be logged in the Event Viewer, in the Windows Defender > Operational log, with Event ID 1122. The same action will be logged as Event ID 1121 if the rule is set to Block the action. In this case the user will also see a notification that the action has been blocked.
Here is the screenshot we could refer to:
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Hi,
May we know the current status of the question? If there is any chance to try above suggestion? If there is any other assistance we can provide, please feel free to let us know, we will do our best to help you.
Thanks and regards,
Amanda
Hello @Amandayou-MSFT
This helped me and accepted as answer. Thank you.
14 people are following this question.
