Microsoft has taken proactive measures to address a pressing issue concerning local audit logon policies within Active Directory Group Policy. The company has issued out-of-band (OOB) Windows updates aimed at rectifying inconsistencies that may arise in reporting, although it is important to note that logon and logoff events may still be correctly audited on certain devices.
Details of the Update
According to a recent update from Microsoft via the Microsoft 365 message center, the problem stems from a situation where audit logon/logoff events do not appear as enabled on devices, despite being operational. This discrepancy can be observed in both the Local Group Policy Editor and Local Security Policy, where the ‘Audit logon events’ policy is displayed with a security setting of ‘No auditing.’
When activated, the ‘Audit logon events’ policy empowers administrators to determine whether to audit logon and logoff events, subsequently generating new entries in the audit logs. These logs are crucial for tracking user and service activity, aiding security teams and system administrators during breach investigations and ensuring compliance with regulatory standards.
On Friday, Microsoft rolled out several updates to rectify the Active Directory audit logon policy issue:
- Windows 11, versions 23H2 and 22H2 (KB5058919)
- Windows Server 2022 (KB5058920)
- Windows 10 Enterprise LTSC 2019 and Windows Server 2019 (KB5058922)
- Windows 10 LTSB 2016 and Windows Server 2016 (KB5058921)
- Azure Stack HCI, version 22H2 (KB5058920)
These emergency updates are categorized as non-security releases and are intended solely for organizations experiencing the identified issues. Affected Windows versions can download and install these updates via the Microsoft Update Catalog. Notably, these updates are cumulative, meaning there is no need to install prior updates before applying them.
Microsoft has indicated that home users are unlikely to encounter this issue, as logon auditing is primarily relevant in enterprise settings.
In addition to addressing the audit logon policy, Microsoft issued a warning on Friday regarding potential accessibility issues for some domain controllers running Windows Server 2025 after a restart, which could lead to application and service failures. Furthermore, last week, the company released emergency updates for Office 2016 to resolve crashes in Word, Excel, and Outlook that were triggered by the April 2025 security updates. Additionally, users experienced login difficulties with Windows Hello following the installation of this month’s security updates.
