Overview
After you configure a specific set of Group Policy settings, Blumira can ingest advanced Windows logging, including command-line auditing and PowerShell module logging. Logmira is Blumira's downloadable backup of a Microsoft Windows domain Group Policy Object (GPO) that contains those pre-built settings, so you can import them instead of configuring each one by hand.
This GPO backup includes our recommended Windows logging settings for all supported versions of Microsoft Windows. Importing it from backup is much easier than following a list and manually modifying 100+ settings.
Note: Pairing Poshim with the Logmira GPO template provides the most advanced and thorough detection coverage for your systems. Many of Blumira's Windows detection rules rely on the advanced logging GPO. Ensure that you deploy the GPO when you deploy Poshim to your Windows endpoints.
Deploying Logmira
Below, we provide the steps to deploy Logmira using either of these methods:
- Using a domain controller in Windows Server Active Directory environments
- Using Intune Endpoint Manager for cloud-based environments
- Deploying to non-domain-joined machines
Using a domain controller in Windows Server Active Directory environments
To import the settings of the Logmira GPO onto your DC using Windows Group Policy Management, do the following:
- Download the Logmira ZIP file and extract its contents.
- Copy the extracted folder to your DC.
- Log in to the DC and open Group Policy Management.
- In the GPM navigation tree, expand the Forest node > Domains node > your domain node.
- Right-click the Group Policy Objects folder under your domain and select New.
- In the New GPO window, type a name for the object, such as "Logmira-RV."
- In the Source Starter GPO field, keep the default (none) setting and click OK.
- Under the Contents tab of the Group Policy Objects window, right-click the new GPO entry (e.g., Logmira-RV), then click Import Settings.
- In the Import Settings Wizard window, click Next to continue.
- In Backup GPO, ignore the Backup button, and click Next.
- In Backup location, click Browse, select the parent folder that contains the extracted folder (not the extracted folder itself), and click OK.
Example: If you extracted the folder to Desktop, choose Desktop in the folder browser.
- In the Source GPO window, select Logmira, then click Next.
- After scanning the backup, click Next.
- Click Finish.
After the policy has been imported, link the policy to your domain by doing the following:
- In Group Policy Management, right-click on your domain and click Link an existing GPO.
- In Select GPO, select your Logmira GPO and click OK.
- Set the security filtering on the policy to:
- Domain Users
- Domain Computers
- Domain Controllers
Note: If you remove Authenticated Users from the security filter, keep its Read permission on the GPO's Delegation tab. Computer accounts must be able to read the GPO; without Read access, the user settings in Logmira are not applied.
To create a GPO backup for exporting, do the following:
- Open the Group Policy Management Console and navigate to the proper domain.
- Expand the Group Policy Objects node.
- Locate the GPO you want to export, right-click it, and click Back Up.
- Select the location to export the backup to and enter a description.
- Click Back Up.
- Click OK.
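The import, link, security-filtering and back-up steps above can also be scripted with the GroupPolicy module on the DC. The following is an added example, not code from Blumira or the Logmira project; the folder paths, the GPO name "Logmira-RV", the backup display name "Logmira" and the two setting-name strings used in the sanity check are assumptions to adjust for your environment.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example (not Blumira's or Logmira's own code). Scripted equivalent of the
# GPMC steps above: create the GPO, import the Logmira backup into it, link it at
# the domain root, set security filtering, then export a backup of the result.
# Assumed names/paths (change them for your environment):
#   $BackupRoot    PARENT folder of the extracted {GUID} backup folder, as GPMC wants
#   $BackupGpoName display name of the GPO stored in the backup ("Logmira")
#   $GpoName       name to give the imported GPO
#   $ExportDir     folder to write the Backup-GPO export into
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$BackupRoot    = "$env:USERPROFILE\Desktop",
    [string]$BackupGpoName = 'Logmira',
    [string]$GpoName       = 'Logmira-RV',
    [string]$ExportDir     = 'C:\GPO-Exports'
)
$ErrorActionPreference = 'Stop'
Import-Module GroupPolicy
Import-Module ActiveDirectory

# 1. Confirm $BackupRoot really is the PARENT of a backup: a GPO backup is a
#    {GUID} folder containing bkupInfo.xml. Pointing at the {GUID} folder itself
#    is the mistake the GPMC instructions warn about.
$backupDirs = Get-ChildItem -Path $BackupRoot -Directory |
    Where-Object { Test-Path (Join-Path $_.FullName 'bkupInfo.xml') }
if (-not $backupDirs) {
    throw "No GPO backup ({GUID}\bkupInfo.xml) found directly under '$BackupRoot'."
}

# 2. Create the target GPO if it does not exist, then import the backed-up settings.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Blumira Logmira advanced Windows logging'
}
if ($PSCmdlet.ShouldProcess($GpoName, "Import settings from backup '$BackupGpoName'")) {
    Import-GPO -BackupGpoName $BackupGpoName -Path $BackupRoot -TargetName $GpoName | Out-Null
}

# 3. Link the GPO at the domain root (skip if a link already exists).
$domainDn = (Get-ADDomain).DistinguishedName
$linked = (Get-GPInheritance -Target $domainDn).GpoLinks | Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $domainDn -LinkEnabled Yes | Out-Null
}

# 4. Security filtering: Apply for the three groups the page recommends.
#    Authenticated Users is reduced to Read rather than removed: since MS16-072
#    the computer account must be able to read a GPO, or its user settings are
#    not processed.
foreach ($group in 'Domain Users', 'Domain Computers', 'Domain Controllers') {
    Set-GPPermission -Name $GpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply | Out-Null
}
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 5. Sanity check: the imported GPO should contain the logging settings Logmira
#    exists to deliver. The two strings are ASSUMED setting names; adjust them.
$report = Get-GPOReport -Name $GpoName -ReportType Xml
foreach ($needle in 'Process Creation', 'Script Block Logging') {
    $found = if ($report -match [regex]::Escape($needle)) { 'found' } else { 'NOT found' }
    "{0,-9} {1}" -f $found, $needle
}

# 6. Export the finished GPO (the "Back Up" steps above) so it can be versioned
#    or re-imported on another domain.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
$bk = Backup-GPO -Name $GpoName -Path $ExportDir -Comment "Export of $GpoName $(Get-Date -Format s)"
"Backed up '$GpoName' to $($bk.BackupDirectory) (backup id $($bk.Id))"
```

Run it from an elevated PowerShell session on a DC (or a host with RSAT) with `-WhatIf` first; the import step honours `ShouldProcess`, so you see which GPO would be written before anything changes. Step 4 deliberately keeps Read for Authenticated Users rather than deleting the entry, which is the usual cause of "the GPO linked but the user settings never arrived" after tightening security filtering.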
Using Intune Endpoint Manager for cloud-based environments
For organizations that do not have a traditional Active Directory environment, Blumira also supports the deployment of Logmira using Microsoft Intune Endpoint Manager. The Group Policy Analytics tool gives you the ability to import a Group Policy XML file and convert it to a Configuration Profile in Endpoint Manager.
Note: The instructions given here only relate to the use of the Group Policy Analytics tool to deploy Logmira. Not all Microsoft 365 licensing supports this option, and we cannot guarantee that this method is an option for your license.
To import Logmira, do the following:
- Download a copy of Logmira.
- Unzip the folder and locate the file GPReport.xml, which you will import below.
- Log in to Intune Endpoint Manager at endpoint.microsoft.com.
- Select Devices, and then under the Policy section, select Group Policy analytics.
- Click Import.
- Select the GPReport.xml file that was unzipped above.
- Click Next.
- (Optional) Under Scope tags, you can create a scope tag for Logmira.
- Click Next, and then click Create.
- The Group Policy analytics preview appears with a line item for Logmira, showing you information about MDM support (what policies are supported by Endpoint Manager) and Unknown Settings (what settings are not recognized by Endpoint Manager).
Note: Logmira has one unsupported MDM setting and one Unknown setting. Both are minor, and Logmira is acceptable to use in this state.
To create a Configuration Profile from the imported GPO, do the following:
- Click the check box under the Migrate column in the Logmira row, then click Migrate at the top of the page.
- Select all available settings to be migrated by clicking Select all on this page, then go to the next page and repeat.
Note: Using this button is the only way to select in bulk, and it must be done on each page.
- Verify that the message "40 of 41 settings have been selected for migration" appears.
Note: This count is correct because one MDM setting is not supported.
- Click Next at the bottom of the page.
- Under Configuration, verify the list of settings that will be migrated and click Next.
- Under Profile info, type a name and description for the configuration policy and click Next.
Tip: Include Blumira and Logmira in the name for easier identification in the future.
- (Optional) Under Scope tags, create a scope tag to use for future tagging of devices or groups.
- Click Next.
- Under Assignments, assign this new configuration policy to groups, users, or devices. You can also add or change group assignments in this window.
- Click Next.
- Review your settings and click Deploy.
If you did not assign any groups, users, or devices, the configuration policy is created but not deployed to any device. If you did assign them, deployment to endpoints begins within the normal Endpoint Manager device check-in interval.
You should now be redirected to the Configuration profiles page. You can now use this profile to deploy the Logmira GPO to all endpoints as needed.
Deploying to non-domain-joined machines
To deploy Logmira to a non-domain-joined machine, do the following:
- Download the Logmira ZIP file and extract its contents.
- Locate the Machine and User folders in the extracted contents.
- Copy the Machine and User folders to the endpoint's C:\Windows\System32\GroupPolicy\ folder.
Note: This overwrites any local policy already in place. Back up the existing GroupPolicy folder first if you may need to restore it.
- On the endpoint, from an elevated command prompt, run the following command:
gpupdate /force
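The same local-policy copy, with the backup the note above calls for and a check that the logging settings actually took effect, as an added example (not Blumira's or Logmira's own code). The extraction path is an assumption, and the three registry values it verifies are assumed to be among Logmira's settings for command-line auditing and PowerShell logging; swap in whichever settings you rely on for detection.

```powershell
#Requires -RunAsAdministrator
# Added example (not Blumira's or Logmira's own code). Local-policy deployment of
# Logmira on a workgroup machine: back up the current local GPO store, copy the
# Machine and User folders in, apply, then verify.
# Assumptions: $LogmiraExtract contains Machine\ and User\ from the ZIP; the
# registry values in $checks are ones Logmira is assumed to set.
param(
    [string]$LogmiraExtract = "$env:USERPROFILE\Downloads\Logmira",
    [string]$BackupDir      = "$env:ProgramData\LocalGPO-backup-$(Get-Date -Format yyyyMMdd-HHmmss)"
)
$ErrorActionPreference = 'Stop'
$localGpo = Join-Path $env:SystemRoot 'System32\GroupPolicy'

# This procedure is for machines that are NOT domain-joined; on a domain member
# the domain GPO (previous section) is the right vehicle and would override this.
if ((Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    throw 'This machine is domain-joined: deploy Logmira as a domain GPO instead.'
}
foreach ($sub in 'Machine', 'User') {
    if (-not (Test-Path (Join-Path $LogmiraExtract $sub))) {
        throw "Expected folder '$sub' under '$LogmiraExtract'. Extract the Logmira ZIP there first."
    }
}

# 1. Keep a copy of whatever local policy exists; the copy below overwrites it.
if (Test-Path $localGpo) {
    Copy-Item -Path $localGpo -Destination $BackupDir -Recurse -Force
    "Existing local policy saved to $BackupDir"
}

# 2. Drop Machine\ and User\ into the local GPO store (merging over existing files).
foreach ($sub in 'Machine', 'User') {
    Copy-Item -Path (Join-Path $LogmiraExtract $sub) -Destination $localGpo -Recurse -Force
}

# 3. Apply the new local policy.
gpupdate /force | Out-Null

# 4. Verify: read back the policy registry values the settings are expected to write.
$checks = @(
    @{ Name = 'Process creation events include command line'
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Value = 'ProcessCreationIncludeCmdLine_Enabled' },
    @{ Name = 'PowerShell script block logging'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Value = 'EnableScriptBlockLogging' },
    @{ Name = 'PowerShell module logging'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
       Value = 'EnableModuleLogging' }
)
foreach ($c in $checks) {
    $v = (Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
    $state = if ($v -eq 1) { 'OK' } else { 'MISSING' }
    '{0,-8} {1}' -f $state, $c.Name
}

# Command-line capture is only useful if Process Creation auditing (event 4688)
# is itself enabled; show the effective audit policy for that subcategory.
auditpol /get /subcategory:"Process Creation"
```

If any line reports MISSING after `gpupdate`, the most common causes are copying the extracted parent folder instead of Machine and User themselves, or running from a non-elevated prompt so the copy into System32 silently failed. Keep in mind that these are local-policy settings: if the machine is later joined to a domain, the domain's GPOs take precedence over them.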
Additional reference
Find additional information about GPOs in the following Microsoft resources: