Auditing the VMware UEM Configuration Share

I want to start this blog post by saying that the content of this post is based upon great solutions and work by others. A special thanks and appreciation goes out to Boe Prox for providing his PowerShell function New-FileSystemWatcher and to Mike Bijl for providing the configuration steps and his PowerShell script for looking up file/folder changes and user name and machine name lookup.

Introduction

VMware User Environment Manager (UEM) does not have auditing built in. However, VMware UEM is entirely file/folder based, so a solution that audits files and folders should normally be sufficient. In this blog post I want to describe a solution that is easy to implement and can easily be adjusted to your own needs. The solution is built using

  • A Group Policy Object (GPO)
  • A PowerShell script
  • A scheduled task


One important thing to mention: This solution only works using a Windows file server (share) that hosts the VMware UEM configuration.

Auditing GPO

A GPO that audits the file system and file share is required for being able to look up the user name that made the change and for looking up the system name from which the change happened.

Use the following steps for creating the Auditing GPO.

Open Group Policy Management and create a new GPO and apply it to your file server hosting the VMware UEM Configuration Share.

In this example my domain controller (INFRA01) is also the server hosting the VMware UEM Configuration Share.

Edit the GPO and browse to Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Advanced Audit Policy Configuration –> Audit Policies –> Object Access

Configure the following Subcategories and enable the Audit Events for Success

Audit Detailed File Share
Audit File Share
Audit File System

Applying the above GPO to the server hosting the VMware UEM Configuration Share results in events in the Security event log as pictured.

Audit VMware UEM Configuration Share PowerShell Script

The Audit VMware UEM Configuration Share PowerShell Script is the actual brain in this solution. It uses the FileSystemWatcher class for setting up a listener that watches predefined folders and/or files. The following script is an example of how I implemented it in my LAB environment and it does the following (high level).

  • Creates an event log for VMware UEM Configuration Share auditing (VMware UEM)
  • “Listens” for changes in the specified local path (C:\Shares\UEM_Config –> \\INFRA01.lab.local\UEM_Config)
  • Creates events for changes in the specified local path in the specified event log (VMware UEM)

This is the actual content of my script.

You can download the script and change it to your own needs.
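A minimal version of the watcher described above, written for this page as an added example; it is not the author's downloadable script and does not use Boe Prox's New-FileSystemWatcher function. The event source name UEM Audit, event ID 1000 and the lookup of the user and client address in Security event 5145 (Audit Detailed File Share) are assumptions, as is the share root being exactly C:\Shares\UEM_Config.

```powershell
# Added sketch, not the author's script. Assumed: source name 'UEM Audit', event ID 1000.
$ctx = @{
    Path    = 'C:\Shares\UEM_Config'   # local path behind the share (from the post)
    LogName = 'VMware UEM'             # custom event log (from the post)
    Source  = 'UEM Audit'              # assumed event source name
}

# Create the custom log once; needs elevation (the scheduled task runs as SYSTEM).
if (-not [System.Diagnostics.EventLog]::SourceExists($ctx.Source)) {
    New-EventLog -LogName $ctx.LogName -Source $ctx.Source
}

$watcher = New-Object System.IO.FileSystemWatcher -Property @{
    Path                  = $ctx.Path
    IncludeSubdirectories = $true
    NotifyFilter          = [IO.NotifyFilters]'FileName, DirectoryName, LastWrite'
}

$action = {
    $c   = $Event.MessageData
    $e   = $Event.SourceEventArgs
    $rel = $e.FullPath.Substring($c.Path.Length).TrimStart('\')
    Start-Sleep -Seconds 1   # give the Security log time to receive the audit record

    # Event 5145 (Audit Detailed File Share) names the account and client address.
    $filter = @{ LogName = 'Security'; Id = 5145; StartTime = $Event.TimeGenerated.AddSeconds(-10) }
    $hit = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = @{}
            foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            $d
        } |
        Where-Object { $_.RelativeTargetName -eq $rel } |
        Select-Object -First 1

    $user = if ($hit) { '{0}\{1}' -f $hit.SubjectDomainName, $hit.SubjectUserName } else { 'unknown' }
    $from = if ($hit) { $hit.IpAddress } else { 'unknown' }
    $msg  = "Action: $($e.ChangeType)`nPath: $($e.FullPath)`nUser: $user`nSource: $from"
    Write-EventLog -LogName $c.LogName -Source $c.Source -EventId 1000 -EntryType Information -Message $msg
}

foreach ($name in 'Created', 'Changed', 'Deleted', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $name -Action $action -MessageData $ctx | Out-Null
}
$watcher.EnableRaisingEvents = $true   # the task's -noexit keeps this session alive
```

Changes made locally on the file server rather than through the share produce no 5145 record, so this sketch logs them with user and source set to unknown. A single save can also raise several Changed events, so expect more than one entry per edit.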


Scheduled Task Configuration

Follow the next steps for creating the scheduled task that runs the PowerShell script.

Start Task Scheduler and create a new Task (not a Basic Task)
On the General tab, give the task a name and use the SYSTEM account for running the task and select Run with highest privileges
On the Triggers tab, create a new trigger and select At startup for Begin the task

Select Delay task for 1 minute

Select Repeat task every 1 hour for a duration of Indefinitely

Select Enabled

On the Actions tab, create a new action and select Start a program for Action

For Program/script enter C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

For Add arguments (optional) enter -noexit -executionpolicy bypass -file "D:\Audit\VMware UEM Configuration Share.ps1"

Change the path to the script when needed.

Select Run task as soon as possible after a scheduled start is missed
That’s all for creating the scheduled task.

End Results

When I now create/edit/delete configurations in the VMware UEM Management Console it will be picked up by the PowerShell script that’s running (scheduled task) and it will create events in the event log, specifying the file/folder, action (Create/Delete/Change), date/time, user name and source computer name.
