Microsoft has released emergency patches to fix an apparent reporting error in Active Directory (AD) Group Policy, which allows administrators to manage and configure user and computer settings in Windows. The company reported in a Microsoft 365 message center update that the status of local audit logon/logoff policies might be incorrectly displayed, with audits showing as not occurring when they were actually running in the background. The issue is occurring across various Windows and Windows Server versions, including Windows 11. The out-of-band (OOB) updates only need to be installed by impacted organizations, and can be downloaded and installed from the Microsoft Update Catalog. “The issue is that the setting to audit logon and logoff events may be disabled (set to ‘no auditing’) and yet still produce log entries for events of this type,” explained Fred Chagnon, principal research director at Info-Tech Research Group. “These events are triggered by users or devices authenticating to the local Active Directory when joining the domain.” Potentially confusing reports Out-of-band updates address urgent issues outside of regular release cycles, often for security or other critical issues. They require manual download and installation because they do not impact all users. The AD Group Policy inconsistency is visible in the Local Group Policy Editor (where administrators manage policy settings on a local computer) and Local Security Policy (where administrators manage security settings on individual computers). The ‘audit logon events’ policy setting allows system administrators to track logon and logoff events and create new entries in audit logs that register all user and service activities. It is typically used in security and compliance scenarios. The issue is that ‘audit logon events’ is set to ‘no auditing’ even if audits are indeed running in the background. In the this case, “the downstream effect is potentially confusing reports where such events are displayed alongside other more interesting events, despite an administrator’s attempt to filter them out,” said Chagnon. “Or that the setting merely appears disabled when it is actually acting as enabled.” Last Friday, Microsoft released updates to address the glitch: Windows 11, versions 23H2 and 22H2 (KB5058919) Windows Server 2022 (KB5058920) Windows 10 Enterprise LTSC 2019 and Windows Server 2019 (KB5058922) Windows 10 LTSB 2016 and Windows Server 2016 (KB5058921) Azure Stack HCI, version 22H2 (KB5058920)