This should allow you to view changes to the operating system versions of your users’ workstations. We can even tailor the search filters to show when workstations are upgraded to Windows 11 within your audited environment.
Requirement: Active Directory Data Source
Active Directory obtains the Operating System Version attribute data during communication with a client. When local changes occur, such as an upgrade, the client operating system updates Active Directory with the new data. This should allow us to track OS version changes.
Let’s search through our audited data for the events related to Computer Operating System Changes. To accomplish this, we will want to navigate to the ‘Search Activity Records’ tile. Then, select the ‘Advanced Mode’ button; this will allow us to easily create the needed filters.
We will first want to specify the Active Directory data source. This will filter out any ‘noise’ from other data sources.
- Data Source | Equals | Active Directory
Secondly, we will want to specify the object type as Computer.
- Object Type | Equals | Computer
In this final step, we can choose different options based on the activity type you want to monitor. The important part is to remember to use “Contains”. If you use “Equals”, this will decrease the number of matching events and potentially exclude data.
To view activity related to any Operating System Change we will want to use the below filter.
- Details | Contains | Computer Operating System changed
To view activity related to Operating System Changes for Windows 11 we can use the below filter.
- Details | Contains | Windows 11
You can also use the ‘What’ filter to view a specific workstation or filter by Active Directory path.
I have included an example below of how the search filters should appear.
I would recommend testing the search filters before we save them as a report, alert or subscription. Depending on your database retention period, we should be able to view historical data that matches the created filters. If you have a workstation that upgraded its OS version recently, we will want to verify we can view this event within the search results.
I would also recommend saving the search filters using the ‘Tools’ menu in the top right-hand corner, then selecting ‘Save as Report’. This will save us from rebuilding the filters each time we would like to view data related to this use case. You can view the saved report within the ‘custom’ report folder, found within the ‘Reports’ menu.
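One way to run that verification from the Active Directory side, as an added example that is not part of the original post or the audited product: it lists computers whose operatingSystem attribute was recently rewritten to a Windows 11 value and checks whether each one appears in an exported search result. The export path, the 30-day window and the `What` column name in the CSV are assumptions; adjust them to your environment.

```powershell
# Added example: cross-check the audit search results against Active Directory.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Assumptions: the export path, the look-back window and the 'What' column name.
$ExportPath = '.\os-change-search.csv'      # CSV exported from the search results
$Since      = (Get-Date).AddDays(-30)
$Server     = (Get-ADDomain).PDCEmulator    # any writable domain controller works

# Computers whose operatingSystem attribute currently contains "Windows 11".
$computers = Get-ADComputer -Server $Server `
    -Filter 'OperatingSystem -like "*Windows 11*"' `
    -Properties OperatingSystem, OperatingSystemVersion

# Replication metadata shows when the operatingSystem attribute was last written.
$recent = foreach ($c in $computers) {
    $meta = Get-ADReplicationAttributeMetadata -Object $c.DistinguishedName `
        -Server $Server -Properties operatingSystem
    if ($meta -and $meta.LastOriginatingChangeTime -ge $Since) {
        [pscustomobject]@{
            Name      = $c.Name
            OS        = $c.OperatingSystem
            Version   = $c.OperatingSystemVersion
            ChangedAt = $meta.LastOriginatingChangeTime
            # Number of originating writes; 1 suggests the value was set once
            # (for example a new domain join) rather than changed by an upgrade.
            Writes    = $meta.Version
        }
    }
}

# Load the object names from the exported search results, if the file exists.
$audited = @()
if (Test-Path $ExportPath) {
    $audited = Import-Csv $ExportPath | ForEach-Object { $_.What }
}

# Flag each recently changed computer as present or missing in the export.
$recent | ForEach-Object {
    $name = $_.Name
    $seen = [bool]($audited | Where-Object { $_ -like "*$name*" })
    $_ | Add-Member -NotePropertyName InSearchResults -NotePropertyValue $seen -PassThru
} | Sort-Object ChangedAt | Format-Table -AutoSize
```

A row with `InSearchResults` set to False is a workstation that Active Directory shows as recently changed but that the search filters did not return, which is worth investigating before relying on the report or alert.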
Now that we have verified the results of our newly created search filters, we have a few options on what to do next. We can view the different options by selecting the ‘Tools’ menu found in the top right-hand corner. I have included a summary of some of the available options below.
Create an Alert
- This can allow you to receive a notification for each potential upgrade event. At first, I would recommend enabling the alert before adding any recipients. This will allow you to track each time the alert is ‘Triggered’ without sending out notifications.
Create a Subscription
- Helpful if you would like to receive a summary of matching actions. This can be sent via email or uploaded directly to a file share.
Export Data
- Allows you to export your search results as a .PDF or .CSV file.
If you have any questions, please let me know.