Windows Defender Advanced Threat Protection Service changes Auditing group policy settings

Windows Defender Advanced Threat Protection Service changes Auditing group policy settings – HKLM\SECURITY\Policy\PolAdtEv\(Default)

If you find the audit policies configured in Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration (Figure 1; this GPO is stored in the registry at HKLM\SECURITY\Policy\PolAdtEv\(Default)) changing from time to time, and the affected computers are onboarded to Microsoft Defender for Endpoint (MDE), that is not a mistake on your part but by-design behaviour of MDE.

Figure 1

If you capture a ProcMon trace (ProcMon example below), you will find a pattern: every time the registry value is modified, MsSense.exe is referenced just before lsass.exe carries out the modification. The logic is that MsSense.exe adjusts the audit policy settings, which are hardcoded in MDE, and then asks lsass.exe to apply those adjustments to the audit policy.

ProcMon Example –

3:50:33.2533705 PM     lsass.exe          820       2736     QueryNameInformationFile         C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe         SUCCESS        NT AUTHORITY\SYSTEM    Name: \Program Files\Windows Defender Advanced Threat Protection\MsSense.exe            656 
3:50:33.2571559 PM     lsass.exe          820       2736     RegSetValue            HKLM\SECURITY\Policy\PolAdtEv\(Default)       SUCCESS        NT AUTHORITY\SYSTEM            Type: REG_NONE, Length: 150, Data: 00 01 00 00 09 00 00 00 84 00 00 00 03 00 00 00 656
Part of the Stack: 
8          lsasrv.dll           LsapDbSetAuditPolicy               C:\windows\system32\lsasrv.dll
9          lsasrv.dll           LsapAdtSetAuditPolicy              C:\windows\system32\lsasrv.dll
10         lsasrv.dll           LsarSetAuditPolicy                    C:\windows\system32\lsasrv.dll
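The pattern above (a reference to MsSense.exe on the same lsass.exe thread immediately before the RegSetValue on PolAdtEv) can be picked out of a ProcMon CSV export automatically. The following PowerShell is an added example, not code from the original post; it assumes the CSV was exported with ProcMon's default columns plus the "TID" column, and the three sample rows are constructed to mirror the trace shown above.

```powershell
# Added example (not from the original post): scan a ProcMon CSV export for writes to the
# audit policy registry value and report whether MsSense.exe was referenced by lsass.exe
# on the same thread just before each write.
# Assumption: the CSV has ProcMon's default columns plus "TID"
# (Time of Day, Process Name, PID, TID, Operation, Path, Result, Detail).
# The rows below are constructed sample data mirroring the trace in the post.

$sample = @'
"Time of Day","Process Name","PID","TID","Operation","Path","Result","Detail"
"3:50:33.2533705 PM","lsass.exe","820","2736","QueryNameInformationFile","C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe","SUCCESS","Name: \Program Files\Windows Defender Advanced Threat Protection\MsSense.exe"
"3:50:33.2571559 PM","lsass.exe","820","2736","RegSetValue","HKLM\SECURITY\Policy\PolAdtEv\(Default)","SUCCESS","Type: REG_NONE, Length: 150"
"3:51:10.0001234 PM","svchost.exe","1200","4100","RegSetValue","HKLM\SECURITY\Policy\PolAdtEv\(Default)","SUCCESS","Type: REG_NONE, Length: 150"
'@

function Get-AuditPolicyWriters {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # rows from Import-Csv / ConvertFrom-Csv
        [int] $LookbackRows = 20                      # earlier rows on the same thread to inspect
    )
    $target = 'HKLM\SECURITY\Policy\PolAdtEv\(Default)'
    for ($i = 0; $i -lt $Events.Count; $i++) {
        $e = $Events[$i]
        if ($e.Operation -ne 'RegSetValue' -or $e.Path -ne $target) { continue }

        # Walk back on the same PID/TID looking for a reference to MsSense.exe.
        $trigger = $null
        $start = [Math]::Max(0, $i - $LookbackRows)
        for ($j = $i - 1; $j -ge $start; $j--) {
            $p = $Events[$j]
            if ($p.PID -eq $e.PID -and $p.TID -eq $e.TID -and $p.Path -like '*\MsSense.exe') {
                $trigger = $p.Path
                break
            }
        }
        [pscustomobject]@{
            Time         = $e.'Time of Day'
            Process      = $e.'Process Name'
            PID          = $e.PID
            TID          = $e.TID
            Path         = $e.Path
            MdeTriggered = [bool]$trigger
            Trigger      = $trigger
        }
    }
}

# Run against the embedded sample; replace with (Import-Csv .\trace.csv) for a real export.
$rows = $sample | ConvertFrom-Csv
Get-AuditPolicyWriters -Events $rows | Format-Table -AutoSize
```

On the sample data the first RegSetValue is reported with MdeTriggered set to True and the MsSense.exe path as the trigger, while the third row (a write from another process with no preceding MsSense.exe reference) is reported with MdeTriggered False, which is the case worth investigating as a genuine policy change.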

Whenever the audit policy changes, the Security event log records event ID 4719 (System audit policy was changed).
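To line up these 4719 events with a ProcMon trace, it helps to pull them into a timeline with the fields that identify which subcategory changed. The following PowerShell is an added example, not code from the original post; it assumes an elevated session and uses the field names of the 4719 event XML (SubjectUserName, SubjectLogonId, CategoryId, SubcategoryGuid, AuditPolicyChanges).

```powershell
# Added example (not from the original post): summarise event ID 4719 from the Security log
# so the timing of audit policy changes can be compared with a ProcMon trace of MsSense.exe.
# Run in an elevated PowerShell session. Field names follow the 4719 event XML schema.

function Get-AuditPolicyChangeEvents {
    param(
        [datetime] $Since = (Get-Date).AddDays(-7),
        [string]   $ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 4719; StartTime = $Since }
    # SilentlyContinue: Get-WinEvent raises an error when no events match the filter.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated        = $_.TimeCreated
                Subject            = $d['SubjectUserName']
                LogonId            = $d['SubjectLogonId']
                CategoryId         = $d['CategoryId']
                SubcategoryGuid    = $d['SubcategoryGuid']
                AuditPolicyChanges = $d['AuditPolicyChanges']
            }
        }
}

# Example usage: list the last day's changes in order, then count them per subcategory.
$changes = Get-AuditPolicyChangeEvents -Since (Get-Date).AddDays(-1)
$changes | Sort-Object TimeCreated | Format-Table -AutoSize
$changes | Group-Object SubcategoryGuid | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Note that a 4719 event on its own does not say who caused the change: both Group Policy processing and the MDE-driven adjustment described above are applied by lsass.exe as SYSTEM, so the subject looks the same. The timestamps from this listing are what you compare against the RegSetValue entries in the ProcMon trace to attribute a given change to MsSense.exe.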

Figure 2

Because MDE hardcodes this logic, there is no workaround for this issue. According to the Microsoft MDE product team, changing the audit policies can affect Endpoint Detection & Response (EDR) functionality, so it is best not to interfere with those policies. If you must, consider offboarding those computers from MDE, or reach out to the Microsoft Security team for suggestions if you still want to use MDE.

Microsoft Defender for Endpoint update for EDR Sensor

Microsoft Defender for Endpoint update for EDR Sensor: KB5005292

You will surely find your way to this article when searching for the EDR sensor update for Microsoft Defender for Endpoint. KB5005292 is applicable to

  • Windows Server 2016
  • Windows Server 2012 R2

However, note that if your Windows Server 2016 machine is a domain controller, KB5005292 will NOT be offered, because its metadata includes an applicability condition that requires the machine to be a non-domain-controller.

This has been identified as a bug in KB5005292 and reported to the Microsoft product team. The issue is said to be fixed in the next release of KB5005292 in mid-May 2023, so keep an eye out and test it then.

Until the fix is available, all you can do for Windows Server 2016 domain controllers is to install KB5005292 manually. Alternatively, if you use SCCM (Configuration Manager), you can deploy it as a Package.
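A quick way to tell which hosts fall into this case is to check the domain role and whether KB5005292 is already present. The following PowerShell is an added example, not code from the original post; it assumes that Win32_ComputerSystem DomainRole values 4 (backup domain controller) and 5 (primary domain controller) identify a domain controller.

```powershell
# Added example (not from the original post): report whether this host is a Windows Server 2016
# domain controller that still lacks KB5005292 and therefore needs the manual install path.
# Assumption: DomainRole 4 or 5 on Win32_ComputerSystem means the host is a domain controller.

function Test-Kb5005292State {
    param([string] $Kb = 'KB5005292')
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $isDc = $cs.DomainRole -in 4, 5
    # Get-HotFix reads Win32_QuickFixEngineering; a missing entry means "not found there".
    $installed = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        ComputerName       = $cs.Name
        OSCaption          = $os.Caption
        IsDomainController = $isDc
        KbInstalled        = $installed
        NeedsManualInstall = ($isDc -and -not $installed -and $os.Caption -like '*Server 2016*')
    }
}

Test-Kb5005292State | Format-List
```

Get-HotFix only lists updates recorded by Win32_QuickFixEngineering, so if the KB was installed through a channel that does not register there, confirm the sensor version directly on the host before deciding it is missing.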
