Agentless Event Log Collection for the Modern Entra-Joined Windows 11 Endpoint

Webinar Registration

Monitoring workstation security logs is essential because workstations are often the entry points for cyberattacks and can provide critical insights that server logs alone cannot.

Workstation log collection has always been a challenge because of the sheer number of workstations compared to servers, resistance to agents, high turnover rate of workstations and the fact that they are often disconnected from the corporate network.

Many organizations found the native Windows Event Collection (aka WEC/WEF) built-in to Windows to be the best solution for log collection especially since Kerberos and Group Policy allows you – within minutes - to be collecting logs from tens of thousands of PCs.

But with the advent of the modern Windows 11 PC that is joined to Entra instead of AD, Kerberos is no longer an option. Nor is Group Policy. That’s the bad news.

The good news is that WEC also supports certificate-based authentication via HTTPS. This means you can use WEC in non-AD environments (e.g. modern Windows PCs) with mutual authentication between collector and forwarder based on certificates instead of Kerberos. The challenge used to be enrolling all those Windows 11 PCs with client certificates and configuring them to connect to your Windows Event Collection servers. But with Intune that has become extremely easy.

In this webinar, I will show you how certificate-based Windows Event Collection works.

I’ll cover the steps for setting up a collector that listens via https for WEC forwarders including:

Server certificate enrollment
Setting up an https WinRM listener
Client certificate mapping
WEC subscription creation using DNS names and client certificate authorities

Then on the forwarder side, I’ll show you how to:

Enable Microsoft’s Cloud PKI inside Intune to provide client certificates
Create SCEP Intune policies so that your Windows 11 devices will request the right certificate
Configure the other Intune policies to directly subscribe your Windows 11 devices to your Windows Event Collector

This will be a highly technical real-training for free event.

Our sponsor is LOGbinder, and Barry Vista, will finish up by demonstrating the new features in Supercharger for Windows Event Collection that automates the above processes and provides load-balancing of Windows 11 event forwarders across multiple WEC collectors.

Required

First Name:	Required
Last Name:	Required
Work Email:	Required Invalid email address
Job Title:	Required
Organization:	Required
How long have you been using native Windows Event Collection in production?:	RequiredRequired
How many Windows servers in your organization? :	RequiredRequired
How many Windows workstations in your organization?:	RequiredRequired
	Your information will be shared with the sponsor. By clicking "Submit", you're agreeing to our Privacy Policy and consenting to be contacted by us and the sponsor. Tweet

Upcoming Webinars

Additional Resources

User name:
Password:
	/ Forgot?
	Register

April 2025 Patch Tuesday	"Patch Tuesday - One Zero Day! " - sponsored by LOGbinder

Follow @randyfsmith

About | Newsletter | Contact

Ultimate IT Security is a division of Monterey Technology Group, Inc. ©2006-2025 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.