Overview
On April 11, 2025, Microsoft issued an out-of-band (OOB) update to address a critical reporting error in Active Directory (AD) Group Policy. This issue caused the "Audit logon events" policy to display as "No auditing" in the Local Group Policy Editor and Local Security Policy, despite logon and logoff events being correctly audited. This discrepancy posed significant challenges for IT administrators relying on accurate audit logs for security monitoring and compliance.
Background
Active Directory is a cornerstone of enterprise IT infrastructure, providing centralized domain management, authentication, and policy enforcement. The "Audit logon events" policy is crucial for tracking user logon and logoff activities, generating entries in audit logs that are essential for security investigations and regulatory compliance. The reporting error led to confusion, as administrators could not verify the policy's status through standard management tools.
Technical Details
The issue manifested as follows:
- In the Local Group Policy Editor or Local Security Policy, the "Audit logon events" policy incorrectly displayed a security setting of "No auditing."
- Despite this display error, logon and logoff events were still being audited and recorded as expected.
This misrepresentation did not affect the actual functionality of the auditing process, but it created a false impression that auditing was disabled, which could lead administrators to wrongly conclude that logon activity was not being recorded and to overlook it in security monitoring.
Implications and Impact
For enterprise environments, accurate audit logs are vital for:
- Security Monitoring: Ensuring that unauthorized access attempts are detected and investigated promptly.
- Compliance Auditing: Demonstrating adherence to regulatory requirements that mandate comprehensive logging of user activities.
The reporting error could have led to:
- Misinterpretation of security postures.
- Potential non-compliance with regulatory standards.
- Delayed response to security incidents due to uncertainty about audit log accuracy.
Microsoft's Response
To resolve this issue, Microsoft released the following updates:
- Windows 11, versions 23H2 and 22H2: KB5058919
- Windows Server 2022: KB5058920
- Windows 10 Enterprise LTSC 2019 and Windows Server 2019: KB5058922
- Windows 10 LTSB 2016 and Windows Server 2016: KB5058921
- Azure Stack HCI, version 22H2: KB5058920
These cumulative, non-security updates are available exclusively through the Microsoft Update Catalog and should be installed by affected organizations to correct the reporting error. (bleepingcomputer.com)
Recommendations for IT Administrators
- Assess Impact: Determine if your organization is affected by verifying the display status of the "Audit logon events" policy in the Local Group Policy Editor or Local Security Policy.
- Apply Updates: Download and install the appropriate OOB update from the Microsoft Update Catalog for your system version.
- Verify Resolution: After installation, confirm that the "Audit logon events" policy displays correctly and that audit logs are functioning as intended.
- Maintain Vigilance: Regularly monitor and verify audit policies and logs to ensure ongoing accuracy and compliance.
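Because the defect described under Technical Details is purely a display error, the reliable check for the "Assess Impact" and "Verify Resolution" steps is to read the effective audit policy and the Security log directly rather than the Local Group Policy Editor. The following PowerShell script is an added example, not code from the article or from Microsoft. It assumes it is run in an elevated session on the host being checked and that the legacy "Audit logon events" policy corresponds to the Logon/Logoff audit category that auditpol reports; the KB numbers are the ones listed above.

```powershell
# Added example (not from the original article or from Microsoft): verify the
# effective logon-auditing state independently of the Local Group Policy Editor
# display, then confirm whether one of the listed OOB updates is installed.
# Assumptions: run elevated on the host being checked; the legacy
# "Audit logon events" policy is evaluated through the Logon/Logoff
# audit category as reported by auditpol.

function Get-EffectiveLogonAuditPolicy {
    # auditpol reads the live policy that LSASS enforces, so it is not subject
    # to the editor's "No auditing" display error. /r emits CSV for parsing.
    $csv = auditpol /get /category:"Logon/Logoff" /r | Where-Object { $_.Trim() }
    $csv | ConvertFrom-Csv | Select-Object Subcategory, 'Inclusion Setting'
}

function Test-LogonAuditingActive {
    param([int]$Hours = 24)
    # Evidence from the Security log itself: 4624 = successful logon, 4634 = logoff.
    # -ErrorAction SilentlyContinue keeps "No events were found" from throwing.
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4624, 4634; StartTime = $since
    } -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Logons  = @($events | Where-Object Id -eq 4624).Count
        Logoffs = @($events | Where-Object Id -eq 4634).Count
    }
}

function Get-InstalledOobUpdate {
    # KB numbers exactly as listed in the article for this issue.
    $oobKbs = 'KB5058919', 'KB5058920', 'KB5058921', 'KB5058922'
    # Assumption: the cumulative update is visible through Win32_QuickFixEngineering;
    # if it is not, check Settings > Windows Update > Update history instead.
    Get-HotFix | Where-Object { $_.HotFixID -in $oobKbs } |
        Select-Object HotFixID, InstalledOn
}

# --- Report --------------------------------------------------------------
"Effective Logon/Logoff audit policy (from auditpol, not the GUI):"
Get-EffectiveLogonAuditPolicy | Format-Table -AutoSize

$activity = Test-LogonAuditingActive
"Security log, last 24 h: $($activity.Logons) logon (4624) / $($activity.Logoffs) logoff (4634) events"
if ($activity.Logons -eq 0 -and $activity.Logoffs -eq 0) {
    Write-Warning "No logon/logoff events found; the policy may actually be off, or the log was cleared."
}

$installed = Get-InstalledOobUpdate
if ($installed) {
    "OOB update present:"; $installed | Format-Table -AutoSize
} else {
    "None of the listed OOB updates is reported by Get-HotFix."
}
```

Run the script before and after applying the update: a "Success and Failure" (or "Success") inclusion setting from auditpol together with a non-zero 4624/4634 count confirms that auditing is in effect even while the editor still shows "No auditing"; once the update is installed, the editor's display should match what auditpol reports. For the "Maintain Vigilance" step, the same two functions can be scheduled and their output compared against the expected settings on every domain member.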
Conclusion
Microsoft's prompt release of an emergency update underscores the importance of accurate policy reporting in Active Directory environments. By addressing the reporting error, organizations can maintain confidence in their audit logs, ensuring effective security monitoring and compliance with regulatory standards.