- Audit system events
- Configure this audit setting
- Boot Windows to Audit Mode or OOBE
- Boot to audit mode automatically on a new installation
- Boot to audit mode manually (on a new or existing installation)
- Boot to OOBE automatically on a new installation
- Modify an existing image that is configured to boot to OOBE
- Boot to audit mode automatically from an existing image
- Deployment examples
- Windows Setup Automation Overview
- Use Setupconfig.ini to install Windows
- What is a setupconfig file?
- How does Windows Setup use Setupconfig.ini?
- Using media/ISO file
- Using Windows Update
- Use an answer file while installing Windows
- Modify an existing installation
- Implicit Answer File Search Order
- Sensitive Data in Answer Files
- Windows Setup Annotates Configuration Passes in an Answer File
- Implicit Answer File Search Examples
- Answer Files Named Autounattend.xml are Automatically Discovered by Windows Setup
- Answer Files are Discovered in Order of Precedence in Predefined Search Paths
- Answer Files Must Include a Valid Configuration Pass
- Additional Resources
Audit system events
Applies to
Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
If you define this policy setting, you can specify whether to audit successes, audit failures, or not audit the event type at all. Success audits generate an audit entry when a logon attempt succeeds. Failure audits generate an audit entry when a logon attempt fails.
To set this value to No auditing, in the Properties dialog box for this policy setting, select the Define these policy settings check box and clear the Success and Failure check boxes.
Default:
- Success on domain controllers.
- No auditing on member servers.
Configure this audit setting
You can configure this security setting by opening the appropriate policy under Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy.
Boot Windows to Audit Mode or OOBE
You can use audit mode to customize your computer, add applications and device drivers, and test your computer in a Windows environment. Booting to audit mode starts the computer in the built-in administrator account. Windows® removes this account automatically during the generalize configuration pass. After you configure a computer to boot to audit mode, the computer will continue to boot to audit mode by default until you configure the computer to boot to Out-Of-Box Experience (OOBE) when the computer ships to the user.
If a password-protected screen saver starts when you are in audit mode, you cannot log back on to the system. The built-in administrator account that is used to log on to audit mode is immediately disabled after logon. To disable the screen saver, either change the power plan through Windows Control Panel or configure and deploy a custom plan. For more information, see Create a Custom Power Plan.
Boot to audit mode automatically on a new installation
To configure Windows to boot to audit mode, add the Microsoft-Windows-Deployment | Reseal | Mode = audit answer file setting.
When Windows completes the installation process, the computer boots into audit mode automatically, and the System Preparation (Sysprep) Tool appears. For more information about using the Sysprep tool in audit mode, see Sysprep (Generalize) a Windows installation.
Note: Settings in an answer file from the oobeSystem configuration pass do not appear in audit mode. For more information about which answer file settings are processed when you boot to audit mode or OOBE, see How Configuration Passes Work.
Boot to audit mode manually (on a new or existing installation)
At the OOBE screen, press CTRL+SHIFT+F3.
Windows reboots the computer into audit mode, and the System Preparation (Sysprep) Tool appears.
Note: The CTRL+SHIFT+F3 keyboard shortcut does not bypass all parts of the OOBE process, such as running scripts and applying answer file settings in the oobeSystem configuration pass.
Boot to OOBE automatically on a new installation
To configure Windows to boot to OOBE, add the Microsoft-Windows-Deployment | Reseal | Mode = oobe answer file setting.
If you have configured your Windows image to boot to OOBE, but then you need to make further configurations to your image in audit mode, see Modify an existing image that is configured to boot to OOBE.
Modify an existing image that is configured to boot to OOBE
If you have configured your Windows image to boot to OOBE, but then need to make further configurations to your image in audit mode, you can do one of the following:
Use the CTRL+SHIFT+F3 keyboard shortcut. The computer will reboot into audit mode.
This option may trigger any scripts that you have configured to launch in OOBE.
Mount the image, add an answer file with the audit setting, and save it as C:\test\offline\Windows\Panther\Unattend\Unattend.xml. This may require overwriting an existing answer file at this location.
On the next boot, Windows will boot directly into audit mode.
Boot to audit mode automatically from an existing image
Create a new answer file, and then add the Microsoft-Windows-Deployment | Reseal | Mode = audit setting. Save the answer file as Unattend.xml.
At an elevated command prompt, mount the Windows image. For example:
where is the number of the selected image on the .wim file.
Copy the new answer file to the C:\test\offline\Windows\Panther\Unattend folder.
Commit the changes, and then unmount the image. For example:
When the image is applied to the destination computer and Windows is booted, the computer boots into audit mode automatically, and the Sysprep tool appears. For sample procedures, see Step 1: Transfer an image to a different computer and Step 2: Prepare the computer for a customer in Deployment examples.
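The procedure above as one script. This is an added example, not part of the original page: the image path and index are placeholders, the amd64 architecture is an assumption, and the script refuses to replace an answer file already present in the image unless told to, because that file may still hold unprocessed settings.

```powershell
# Added example, not from the original page. $ImageFile and $Index are placeholders.
param(
    [string]$ImageFile = 'C:\path\to\image.wim',  # placeholder: your .wim file
    [int]$Index = 1,                               # placeholder: number of the image in the .wim
    [string]$MountDir = 'C:\test\offline',         # mount directory used on this page
    [switch]$Overwrite                             # replace an answer file already in the image
)
$ErrorActionPreference = 'Stop'

# Answer file with Microsoft-Windows-Deployment | Reseal | Mode = Audit.
# processorArchitecture is an assumption (amd64); match it to the image.
$answer = @'
<?xml version="1.0" encoding="utf-8"?>
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Deployment" processorArchitecture="amd64"
               publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS">
      <Reseal>
        <Mode>Audit</Mode>
      </Reseal>
    </component>
  </settings>
</unattend>
'@
$null = [xml]$answer   # fail early if the XML is not well-formed

New-Item -ItemType Directory -Path $MountDir -Force | Out-Null
& Dism.exe /Mount-Image "/ImageFile:$ImageFile" "/Index:$Index" "/MountDir:$MountDir"
if ($LASTEXITCODE -ne 0) { throw "DISM mount failed (exit code $LASTEXITCODE)" }

$action = '/Discard'   # only commit if every step below succeeds
try {
    $dir    = Join-Path $MountDir 'Windows\Panther\Unattend'
    $target = Join-Path $dir 'Unattend.xml'
    if ((Test-Path -LiteralPath $target) -and -not $Overwrite) {
        throw "$target already exists; it may hold unprocessed settings. Edit it or rerun with -Overwrite."
    }
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Set-Content -LiteralPath $target -Value $answer -Encoding UTF8
    $action = '/Commit'
}
finally {
    # Always release the mount; changes are discarded if anything above failed.
    & Dism.exe /Unmount-Image "/MountDir:$MountDir" $action
    if ($LASTEXITCODE -ne 0) { Write-Warning "DISM unmount failed (exit code $LASTEXITCODE)" }
}
```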
Options for applying an image also include using answer file settings, such as specifying the image to install and the disk configurations to make on the destination computer. For more information, see the Unattended Windows Setup Reference Guide.
Deployment examples
To transfer an image to a different computer, you must first remove the computer-specific information from the configured computer by generalizing the image with the Sysprep tool. To prepare a computer for the customer, you must generalize the computer, and then set it to boot to OOBE when a customer starts the computer for the first time. In the following examples we create and transfer a reference image to a different computer, and then create a model-specific image that ships to a customer.
Step 1: Transfer an image to a different computer
Install Windows on a reference computer.
After the installation is complete, boot the computer and install any additional device drivers or applications.
After you update the Windows installation, run Sysprep:
At the command line, run the Sysprep /generalize /shutdown command.
In the System Preparation Tool window, select the Generalize check box under the System Cleanup Action box on the Shutdown Options box, select Shutdown, and then click OK.
Sysprep removes system-specific data from the Windows installation. System-specific information includes event logs, unique security IDs (SIDs), and other unique information. After Sysprep removes the unique system information, the computer shuts down.
After the computer shuts down, insert the Windows PE USB flash drive or other bootable media, and reboot into Windows PE.
In the Windows PE session, capture the reference image by using the Dism /capture-image command.
Proceed to the next step to create a model-specific reference image.
Step 2: Prepare the computer for a customer
Install the reference image you created in Step 1 that is destined for your customer.
After you update the Windows installation, at the command line run the Sysprep /audit /generalize /shutdown command to configure Windows to boot the computer to audit mode. You can then capture the Windows image by booting to another partition or by using Windows PE.
Use the new model-specific reference image to install Windows on a new computer. The Windows image is applied to the computer, and Windows boots to audit mode.
(Optional) You can install additional applications and other updates based on a customer’s order. You can also test the computer to verify that all components are working correctly.
After you update the Windows installation, run the Sysprep /oobe /shutdown command.
Note: If you install Windows images by using the Sysprep /generalize /oobe command, the user experience will not be ideal. On the next reboot after you run the Sysprep /generalize /oobe command, Windows runs the specialize configuration pass, Plug and Play, and other Setup tasks before Windows starts OOBE. This process can take additional time and can delay a customer’s first logon.
Package and deliver the computer to your customer.
When the customer starts the computer, OOBE runs.
Windows Setup Automation Overview
Use Setupconfig.ini to install Windows
What is a setupconfig file?
Setupconfig is a configuration file that is used to pass a set of flags or parameters to Windows setup.exe. Use this file as an alternative to passing parameters to Windows setup on a command line. This functionality is available in Windows 10, version 1511 and later.
IT pros can use the setupconfig file to add parameters to Windows Setup from Windows Update and Windows Server Update Services.
The different parameters that can be used with Windows 10 Setup.exe are described in this topic.
Setupconfig.ini files can contain single parameters, or parameters and value pairs. Do not include “/” characters, and with parameter and value pairs, include “=” between the two.
For example, you create a Setupconfig.ini with the following. Note that the header [SetupConfig] is required.
This is equivalent to the following command line:
How does Windows Setup use Setupconfig.ini?
Using media/ISO file
If you are running Windows setup from media or an ISO file, you must include the location to the setupconfig file on the command line (“/ConfigFile”) when running setup.exe. For example:
If you include a parameter on the command line and the same parameter in the setupconfig file, the setupconfig file parameter and value has precedence.
Using Windows Update
If the update is delivered through Windows Update, Windows Setup searches in a default location for a setupconfig file. You can include the setupconfig file here:
Use an answer file while installing Windows
You can automate Windows installation by using an answer file:
Use a USB flash drive
Use a sample answer file or create your own with Windows System Image Manager (Windows SIM).
Save the file as Autounattend.xml on the root of a USB flash drive.
On a new PC, put in the Windows product DVD and the USB flash drive, and then boot the PC. When no other answer file is selected, Windows Setup searches for this file.
Select an answer file
- You can select a specific answer file during installation by booting to the Windows Preinstallation Environment, and using the setup.exe command with the /unattend:filename option. For more information, see WinPE: Create USB Bootable drive.
For sample answer files and a list of settings used to automate installation, see Automate Windows Setup.
Modify an existing installation
Because reboots are required during Setup, a copy of the answer file is cached to the %WINDIR%\Panther directory of the Windows installation. You can modify this file to do any of the following:
Update system and control panel settings without booting the image.
Update an image by preparing the PC to boot to audit mode (see Microsoft-Windows-Deployment\Reseal\Mode).
Update the order in which drivers or packages are installed. (Packages with dependencies may require installation in a certain order.)
Replace the answer file in an offline image
Create a custom answer file in Windows System Image Manager (Windows SIM).
Open an elevated command prompt.
Mount the Windows image.
Modify or replace the file: \Windows\Panther\unattend.xml in the mounted image.
Note: The answer file in the image may contain settings that have not yet been processed. If you want these settings to get processed, edit the existing file rather than replacing it.
Unmount the image.
Test the image by deploying it to a new PC, without specifying an answer file. When Windows Setup runs, it finds and uses this answer file.
Implicit Answer File Search Order
Windows Setup searches for answer files at the beginning of each configuration pass, including the initial installation and after applying and booting an image. If an answer file is found, and it contains settings for the given configuration pass, it processes those settings.
Windows Setup identifies and logs all available answer files, depending on the search order. The answer file that has the highest precedence is used. The answer file is validated and then cached to the computer. Valid answer files are cached to the $Windows.~BT\Sources\Panther directory during the windowsPE and offlineServicing configuration passes. After the Windows installation is extracted to the hard disk, the answer file is cached to %WINDIR%\panther.
The following table shows the implicit answer file search order.
Search Order | Location | Description |
---|---|---|
1 | | Specifies a pointer in the registry to an answer file. The answer file is not required to be named Unattend.xml. |
2 | %WINDIR%\Panther\Unattend | The name of the answer file must be either Unattend.xml or Autounattend.xml. Windows Setup searches this directory only on downlevel installations. If Windows Setup starts from Windows PE, the %WINDIR%\Panther\Unattend directory is not searched. |
3 | %WINDIR%\Panther | Windows Setup caches answer files to this location for use in subsequent stages of installation. For example, when a computer reboots, Setup can continue to apply the settings in an answer file. If you explicitly specify an answer file by using Windows Setup or Sysprep, the answer file cached to this directory is overwritten with the explicitly specified answer file. Do not use, modify, or overwrite the answer file in this directory. The answer file in this directory is annotated by Windows Setup during installation. This answer file cannot be reused in Windows SIM or any other Windows installations. |
4 | Removable read/write media in order of drive letter, at the root of the drive. | The name of the answer file must be Autounattend.xml, and the answer file must be located at the root of the drive. |
5 | Removable read-only media in order of drive letter, at the root of the drive. | The name of the answer file must be Autounattend.xml, and must be located at the root of the drive. |
6 | \Sources directory in a Windows distribution. All other passes: | In the windowsPE and offlineServicing configuration passes, the name of the answer file must be Autounattend.xml. For all other configuration passes, the file name must be Unattend.xml. |
7 | | The answer file name must be Unattend.xml or Autounattend.xml |
8 | Drive from where Windows Setup (setup.exe) is running, at the root of the drive. | The name of the answer file must be Unattend.xml or Autounattend.xml, and must be located at the root of the Windows Setup folder path. |
Sensitive Data in Answer Files
Setup removes sensitive data in the cached answer file at the end of each configuration pass.
Important
Because answer files are cached to the computer during Windows Setup, your answer files will persist on the computer between reboots. Before you deliver the computer to a customer, you must delete the cached answer file in the %WINDIR%\panther directory. There might be potential security issues if you include domain passwords, product keys, or other sensitive data in your answer file. However, if you have unprocessed settings in the oobeSystem configuration pass that you intend to run when an end user starts the computer, consider deleting the sections of the answer file that have already been processed. One option when you run the sysprep /oobe command might be to use a separate answer file that only contains settings in the oobeSystem configuration pass.
However, if an answer file is embedded in a higher precedence location than the cached answer file, then the cached answer may be overwritten at the beginning of each subsequent configuration pass, if the embedded answer file matches the implicit search criteria. For example, if an answer file is embedded at %WINDIR%\Panther\Unattend\Unattend.xml, the embedded answer file will replace the cached answer file at the beginning of each configuration pass. For example, if the embedded answer file specifies both the specialize and oobeSystem configuration passes, then the embedded answer file is discovered for the specialize configuration pass, cached, processed, and sensitive data is cleared. The embedded answer file is discovered again during the oobeSystem configuration pass and cached again. As a result, the sensitive data for the specialize configuration pass is no longer cleared. Sensitive data for previously processed configuration passes will not be cleared again. Unless the cached answer file must be overridden, embed the answer files at a location that has a lower precedence.
You can add a command to the Setupcomplete.cmd command script that deletes any cached or embedded answer files on the computer. For more information, see Add a Custom Script to Windows Setup.
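One way to check an image or a running system for secrets left behind in cached or embedded answer files before delivery. This is an added example, not code from the original page: the function name, the placeholder string that Setup is assumed to write over cleared values, the wasPassProcessed attribute name, and the sample file are assumptions or constructed data.

```powershell
# Added example: report secrets left in cached or embedded answer files.
# It never prints the secret itself, only where a value is still present.
function Get-AnswerFileFinding {
    param([Parameter(Mandatory)][string]$WindowsDir)   # %WINDIR% or <mount dir>\Windows

    # Answer-file locations named on this page, relative to the Windows directory.
    $dirs  = 'Panther', 'Panther\Unattend', 'System32\Sysprep'
    $names = 'Unattend.xml', 'Autounattend.xml'
    # Assumption: the placeholder Setup leaves where it has cleared a value.
    $cleared = '*SENSITIVE*DATA*DELETED*'

    foreach ($dir in $dirs) {
        foreach ($name in $names) {
            $file = Join-Path (Join-Path $WindowsDir $dir) $name
            if (-not (Test-Path -LiteralPath $file)) { continue }
            [xml]$doc = Get-Content -LiteralPath $file -Raw
            foreach ($settings in $doc.DocumentElement.SelectNodes("*[local-name()='settings']")) {
                # Leaf elements only, so <Password><Value>..</Value></Password> yields Value.
                foreach ($leaf in $settings.SelectNodes('.//*[not(*)]')) {
                    $where = '{0}/{1}' -f $leaf.ParentNode.LocalName, $leaf.LocalName
                    if ($where -notmatch 'Password|ProductKey') { continue }
                    if ($leaf.LocalName -in 'PlainText', 'WillShowUI') { continue }
                    $text = $leaf.InnerText.Trim()
                    [pscustomobject]@{
                        File      = $file
                        Pass      = $settings.GetAttribute('pass')
                        # Assumption: attribute Setup adds when it annotates a processed pass.
                        Processed = $settings.GetAttribute('wasPassProcessed') -eq 'true'
                        Element   = $where
                        State     = if (-not $text -or $text -eq $cleared) { 'Cleared' } else { 'ValuePresent' }
                    }
                }
            }
        }
    }
}

# Constructed sample: a fake Windows directory holding one cached answer file in which
# the specialize pass was processed and cleared, and oobeSystem is still pending.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'answerfile-demo\Windows'
New-Item -ItemType Directory -Path "$demo\Panther" -Force | Out-Null
@'
<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="specialize" wasPassProcessed="true">
    <component name="Microsoft-Windows-UnattendedJoin">
      <Identification><Credentials><Password>*SENSITIVE*DATA*DELETED*</Password></Credentials></Identification>
    </component>
  </settings>
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup">
      <UserAccounts><AdministratorPassword><Value>constructed-not-a-real-secret</Value><PlainText>true</PlainText></AdministratorPassword></UserAccounts>
    </component>
  </settings>
</unattend>
'@ | Set-Content -LiteralPath "$demo\Panther\unattend.xml" -Encoding UTF8

Get-AnswerFileFinding -WindowsDir $demo | Format-Table Pass, Processed, Element, State
```

Any row with State ValuePresent is a credential or key that will ship with the computer unless the file is deleted or the section is removed.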
Windows Setup Annotates Configuration Passes in an Answer File
After a configuration pass is processed, Windows Setup annotates the cached answer file to indicate that the pass has been processed. If the configuration pass is run again and the cached answer file has not been replaced or updated in the interim, the answer file settings are not processed again. Instead, Windows Setup will search for implicit Unattend.xml files that are at a lower precedence location than the cached Unattend.xml file.
For example, you can install Windows with an answer file that contains Microsoft-Windows-Deployment/RunSynchronous commands in the specialize configuration pass. During installation, the specialize configuration pass runs and the RunSynchronous commands execute. After installation, run the sysprep command with the /generalize option. If there is no answer file in a higher precedence than the cached answer file or an answer file was not explicitly passed to the Sysprep tool, Setup runs the specialize configuration pass the next time that the computer boots. Because the cached answer file contains an annotation that the settings for that configuration pass were already applied, the RunSynchronous commands do not execute.
Implicit Answer File Search Examples
The following examples help describe the behavior of implicit answer file searches.
Answer Files Named Autounattend.xml are Automatically Discovered by Windows Setup
Create an answer file that is named Autounattend.xml that includes settings in the windowsPE configuration pass.
Copy Autounattend.xml to a removable media device.
Configure the BIOS of your computer to boot from CD or DVD.
Boot the Windows product DVD.
Insert the removable media device when Windows is booting. This example assumes that the removable media is assigned the drive letter D:\.
Windows Setup starts and automatically identifies Autounattend.xml as a valid answer file. Because the answer file uses a valid file name (Autounattend.xml), is located in one of the valid search paths (the root of D), and includes valid settings for the current configuration pass (windowsPE), this answer file is used.
The answer file is cached to the computer. If there are no additional answer files discovered in later passes, the cached answer file is used throughout Windows Setup.
Answer Files are Discovered in Order of Precedence in Predefined Search Paths
Install Windows with an answer file by using the steps in the previous scenario. The answer file that is used to install Windows is cached to the system in the %WINDIR%\Panther directory.
Copy an Unattend.xml file to the %WINDIR%\System32\Sysprep directory.
This answer file has settings in the generalize configuration pass.
Run the sysprep command with the /generalize option to create a reference image.
Because the %WINDIR%\System32\Sysprep directory is in the implicit search paths, the answer file copied to this directory is found. However, an answer file that was used to install Windows is still cached on the computer and contains settings for the generalize configuration pass. This cached answer file has a higher precedence than the one copied to the Sysprep directory. The cached answer file is used.
Note
The Sysprep tool can be run as a command-line tool or as a GUI tool. If you run the Sysprep tool as a GUI tool, you can select the Generalize check box.
Answer Files Must Include a Valid Configuration Pass
Copy an Unattend.xml file to a removable media device.
The Unattend.xml file has settings only for the auditSystem and auditUser configuration passes.
On an installed Windows operating system, run the sysprep /generalize /oobe command.
Even though the answer file is available in one of the implicit search paths, the Unattend.xml file is ignored because it does not contain a valid pass for the generalize configuration pass.
Additional Resources
See the following topics for more information about answer files and configuration passes: