Windows 11 must have command line process auditing events enabled for failures.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-257770	WN11-AU-000585	SV-257770r930681_rule		Medium

Description
When this policy setting is enabled, the operating system generates audit events when a process fails to start and the name of the program or user that created it. These audit events can assist in understanding how a computer is being used and tracking user activity.

STIG	Date
Microsoft Windows 11 Security Technical Implementation Guide	2023-09-29

Details

Check Text ( C-61511r930674_chk )
Ensure Audit Process Creation auditing has been enabled: Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> Detailed Tracking >> Set to "Failure". If "Audit Process Creation" is not set to "Failure", this is a finding.

Fix Text (F-61435r930675_fix)
Go to Computer Configuration >> Policies >> Windows Settings >> Security Settings >> Advanced Audit Policy Configuration >> Detailed Tracking >> Set "Audit Process Creation" to "Failure".