Configure the Audit PNP Activity Policy

In this post we’ll show you how to configure the audit PNP activity policy in Windows Server 2016 via group policy.

PNP, or Plug and Play, lets the operating system automatically detect and configure an external device so that it’s ready to use. A common example is when you plug in a USB storage device and it “just works”. By auditing PNP activity, we can log an event every time an external device is detected.


This post is part of our Microsoft 70-744 Securing Windows Server 2016 exam study guide series. For more related posts and information check out our full 70-744 study guide.


About Audit PNP Activity Policy

Prior to Windows 10 and Windows Server 2016, Windows would only log a PNP related event the first time that particular device was detected. This was not that useful: what if we want to see every instance that a device is plugged in? This is where the audit PNP policy comes in. It allows us to audit whenever plug and play detects an external device.

It’s worth noting that only success events are logged with this policy, despite the fact that you can also select to log failure events. Selecting failure events has no effect. If this policy is not configured, which is the default, no audit events are created when an external device is detected by plug and play.

As the logs are dependent on a device actually being inserted and detected, the volume of logs is estimated to be quite low.

Configure the Audit PNP Activity Policy

To begin, open Group Policy Management. This can be done either through Server Manager > Tools > Group Policy Management, or by running ‘gpmc.msc’ in PowerShell or Command Prompt. At this point you can either create a new policy or edit an existing one. In this example we’ll create a new GPO called “PNP Audit”.

Create New GPO

Edit the policy, and browse to Computer Configuration > Policies > Windows Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking. From here, either double click Audit PNP Activity, or right click it and select Properties.

Audit PNP Activity Policy

Select the check box to configure the following audit events, and select success. As mentioned previously, selecting failure will have no effect.

Audit PNP Activity Properties

As this is a computer policy, I had to perform a system reboot before I started to see events logged in the security event log after new PNP devices were detected. We can see in the logs below that devices are being detected and logged.

Event Viewer
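
The following PowerShell is an added example, not part of the original post. It confirms the effective audit setting after the GPO applies and summarises the resulting events from the Security log. It assumes an elevated prompt; the subcategory GUID and event ID 6416 ("A new external device was recognized by the system") are standard Windows values that the post itself does not list, and the 7 day window is an arbitrary choice.

```powershell
# Added example: verify Audit PNP Activity and review the events it produces.
# Run elevated on a machine the "PNP Audit" GPO applies to.

# GUID of the "Plug and Play Events" subcategory (Audit PNP Activity).
# Using the GUID instead of the display name avoids problems on localised systems.
$pnpSubcategory = '{0CCE9248-69AE-11D9-BED3-505054503030}'

# Show the effective setting; expect "Success" once the policy has applied.
auditpol /get "/subcategory:$pnpSubcategory"

# On a standalone machine with no GPO managing audit policy, the same setting
# can be applied locally instead (failure auditing has no effect for this subcategory):
#   auditpol /set "/subcategory:$pnpSubcategory" /success:enable

# Pull device-recognised events from the last 7 days (window is an assumption).
$filter = @{ LogName = 'Security'; Id = 6416; StartTime = (Get-Date).AddDays(-7) }
# Get-WinEvent raises an error when nothing matches, so suppress it and wrap in @().
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

$devices = foreach ($e in $events) {
    # Event data is a list of named <Data> elements; index them by name.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        TimeCreated       = $e.TimeCreated
        Computer          = $e.MachineName
        ClassName         = $data['ClassName']
        DeviceDescription = $data['DeviceDescription']
        DeviceId          = $data['DeviceId']
    }
}

if (-not $devices) {
    Write-Warning 'No 6416 events found. Check that the policy has applied and a device was connected.'
} else {
    # Most recent detections first.
    $devices | Sort-Object TimeCreated -Descending | Format-Table -AutoSize -Wrap

    # Devices seen least often float to the top, which is where to look first
    # when reviewing for unexpected hardware.
    $devices | Group-Object DeviceId | Sort-Object Count |
        Select-Object Count, Name | Format-Table -AutoSize -Wrap
}
```
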

Summary

We have shown you how to configure the audit PNP activity policy through group policy, which allows us to record detailed logs regarding devices that are plugged into the system.



  1. How do I enable this from the registry?

  2. Is there a command line to set this up?
