windows-itpro-docs/windows/security/threat-protection/auditing/audit-security-state-change.md
Paolo Matarazzo d6cd44eb56 (Windows 10)
2023-05-24 11:44:39 -04:00


| Field | Value |
|---|---|
| title | Audit Security State Change |
| description | The policy setting, Audit Security State Change, which determines whether Windows generates audit events for changes in the security state of a system. |
| ms.assetid | decb3218-a67d-4efa-afc0-337c79a89a2d |
| ms.reviewer | |
| manager | aaroncz |
| ms.author | vinpa |
| ms.pagetype | security |
| ms.prod | windows-client |
| ms.mktglfcycl | deploy |
| ms.sitesec | library |
| ms.localizationpriority | none |
| author | vinaypamnani-msft |
| ms.date | 09/06/2021 |
| ms.technology | itpro-security |
| ms.topic | reference |

Audit Security State Change

Audit Security State Change contains Windows startup, recovery, and shutdown events, and information about changes in system time.

Event volume: Low.

| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|---|---|---|---|---|---|
| Domain Controller | Yes | No | Yes | No | The volume of events in this subcategory is very low and all of them are important events and have security relevance.<br>This subcategory doesn't have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | The volume of events in this subcategory is very low and all of them are important events and have security relevance.<br>This subcategory doesn't have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | The volume of events in this subcategory is very low and all of them are important events and have security relevance.<br>This subcategory doesn't have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |

Events List:

  • 4608(S): Windows is starting up.

  • 4616(S): The system time was changed.

  • 4621(S): Administrator recovered system from CrashOnAuditFail.

Note

Event "4609(S): Windows is shutting down" isn't currently generated. It is a defined event, but it is never invoked by the operating system.
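
The following is an added example, not part of the original documentation: it checks whether Success auditing is on for this subcategory, as the table recommends, and then summarizes the three listed events from the Security log. It assumes an elevated PowerShell session on an English-language system; the 7-day look-back window and the `$Apply` switch are choices made for this example.

```powershell
# Added example. Assumes an elevated session; auditpol subcategory names are
# localized, so the name below assumes an English-language system.
$subcategory = 'Security State Change'
$Apply       = $false   # hypothetical switch: set to $true to enable Success auditing

# Read the effective setting as CSV and compare it with the recommendation
# in the table above (Success: Yes; the subcategory has no Failure events).
$current = auditpol /get /subcategory:"$subcategory" /r |
    Where-Object { $_ } | ConvertFrom-Csv
$setting = $current.'Inclusion Setting'
if ($setting -notmatch 'Success') {
    Write-Warning "Success auditing is off for '$subcategory' (current: '$setting')."
    if ($Apply) {
        # Local change only; a Group Policy audit setting can override it.
        auditpol /set /subcategory:"$subcategory" /success:enable
    }
}

# Event IDs listed for this subcategory. 4609 is left out because the page
# states the operating system never generates it.
$eventIds = 4608, 4616, 4621
$since    = (Get-Date).AddDays(-7)   # look-back window chosen for this example

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = $eventIds; StartTime = $since
} -ErrorAction SilentlyContinue   # no matching events raises an error otherwise

# Count per event ID with the most recent occurrence.
$events | Group-Object Id | Sort-Object Name |
    Select-Object @{ n = 'EventId'; e = { $_.Name } }, Count,
        @{ n = 'Latest'; e = { ($_.Group | Sort-Object TimeCreated -Descending)[0].TimeCreated } } |
    Format-Table -AutoSize

# For each time change (4616), list every named data field the event carries.
# Field names are read from the event XML rather than hard-coded.
$events | Where-Object Id -eq 4616 | ForEach-Object {
    $xml    = [xml]$_.ToXml()
    $fields = [ordered]@{ TimeCreated = $_.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]$fields
} | Format-List
```

Given the low event volume stated above, every 4616 or 4621 record in the output is worth reviewing individually rather than filtering further.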