Monitoring workstation security logs is essential because workstations are often the entry points for cyberattacks and can provide critical insights that server logs alone cannot.
Workstation log collection has always been a challenge because of the sheer number of workstations compared to servers, resistance to agents, high turnover rate of workstations and the fact that they are often disconnected from the corporate network.
Many organizations found the native Windows Event Collection (aka WEC/WEF) built-in to Windows to be the best solution for log collection especially since Kerberos and Group Policy allows you – within minutes - to be collecting logs from tens of thousands of PCs.
But with the advent of the modern Windows 11 PC that is joined to Entra instead of AD, Kerberos is no longer an option. Nor is Group Policy. That’s the bad news.
The good news is that WEC also supports certificate-based authentication via HTTPS. This means you can use WEC in non-AD environments (e.g. modern Windows PCs) with mutual authentication between collector and forwarder based on certificates instead of Kerberos. The challenge used to be enrolling all those Windows 11 PCs with client certificates and configuring them to connect to your Windows Event Collection servers. But with Intune that has become extremely easy.
In this webinar, I will show you how certificate-based Windows Event Collection works.
I’ll cover the steps for setting up a collector that listens via https for WEC forwarders including:
- Server certificate enrollment
- Setting up an https WinRM listener
- Client certificate mapping
- WEC subscription creation using DNS names and client certificate authorities
Then on the forwarder side, I’ll show you how to:
- Enable Microsoft’s Cloud PKI inside Intune to provide client certificates
- Create SCEP Intune policies so that your Windows 11 devices will request the right certificate
- Configure the other Intune policies to directly subscribe your Windows 11 devices to your Windows Event Collector
This will be a highly technical real-training for free event.
Our sponsor is LOGbinder, and Barry Vista, will finish up by demonstrating the new features in Supercharger for Windows Event Collection that automates the above processes and provides load-balancing of Windows 11 event forwarders across multiple WEC collectors.