Best practices for Security Audit

Before reading this topic, it is recommended that you first refer to Managing policies, Policies - New UI, and ComStore and components.

When managing Windows devices, an important priority is the safety and security of the devices. It is often stated that a chain is only as strong as its weakest link, and a large network may have many links. At its most fundamental level, the challenge of ensuring device security can be summarized by the following two questions:

  • What is the ideal security policy for my network?
  • How many devices deviate from the ideal policy?

In order to help you answer these questions, Datto RMM provides a Security Audit component and monitoring policy set intended to pinpoint common security concerns on Windows devices. These concerns are raised both in the StdOut from the component run and within the Windows Event Log. This information can then be caught by the monitoring policy and filtered. If you are linking into a PSA solution, workflow rules can also be applied to tickets.

The tools

The component is called Security Audit [WIN]. It runs on Windows 7 SP1 and up (including Windows Server builds) of any language. The monitoring policy is called Windows: Security Audit Component. It is configured to look for Event Log entries raised by the component. Both are available for free within their respective sections of the ComStore.

Security Audit

The Security Audit [WIN] component inspects the following criteria:

Monitoring policy

As part of a typical run, the component logs noteworthy discoveries in the Windows Event Log. The codes used to log the events are shown below. These are all included as part of the Windows: Security Audit Component monitoring policy available in the ComStore. Please consult the following chart to help you decide which events are important to you.


The Datto RMM Product Management team is happy to hear suggestions for features to add to the component. Please submit any suggestions via the Comments or Requests? link in the ComStore.