The WindowsSecurityAuditing configuration service provider (CSP) is used to enable logging of security audit events. This CSP was added in Windows 10, version 1511.
The following diagram shows the WindowsSecurityAuditing configuration service provider in tree format.
Value type is boolean. If true, a default set of audit events will be captured to a log file for upload; if false, auditing is disabled and events are not logged. Default value is false.
Supported operations are Get and Replace.
Enable logging of audit events.
<SyncML xmlns="SYNCML:SYNCML1.2"> <SyncBody> <Replace> <CmdID>1</CmdID> <Item> <Target> <LocURI> ./Vendor/MSFT/WindowsSecurityAuditing/ConfigurationSettings/EnableSecurityAuditing </LocURI> </Target> <Meta> <Format xmlns="syncml:metinf">bool</Format> <Type>text/plain</Type> </Meta> <Data>true</Data> </Item> </Replace> <Final/> </SyncBody> </SyncML>
For more information about Windows security auditing, see What's new in security auditing.