From 7559cfea849c35db5cdf1be9973e15f24b440407 Mon Sep 17 00:00:00 2001
From: fukusuket <41001169+fukusuket@users.noreply.github.com>
Date: Sat, 15 Nov 2025 10:22:36 +0900
Subject: [PATCH] fix: add AD CS AuditFilter configuration to streamline
 auditing setup in WELA.ps1

---
 WELA.ps1 | 73 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 73 insertions(+)

diff --git a/WELA.ps1 b/WELA.ps1
index e51a66bb..2bd62252 100644
--- a/WELA.ps1
+++ b/WELA.ps1
@@ -5890,6 +5890,79 @@ function ConfigureAuditSettings {
         }
         Write-Host ""
     }
+
+    # AD CS AuditFilter の設定
+    Write-Host "Configuring AD CS Audit Settings..."
+    Write-Host ""
+
+    try {
+        $installed = (Get-WindowsFeature -Name AD-Certificate).InstallState -eq "Installed"
+    } catch {
+        $installed = $false
+    }
+
+    if ($installed) {
+        try {
+            $csRootKey = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\"
+            $caName = (Get-ItemProperty $csRootKey -ErrorAction Stop).Active
+            $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName"
+            $prop = Get-ItemProperty -Path $regPath -Name "AuditFilter" -ErrorAction SilentlyContinue
+
+            $currentValue = if ($null -ne $prop) { [int]$prop.AuditFilter } else { "Not Set" }
+
+            Write-Host "Registry: $regPath"
+            if ($currentValue -eq 127) {
+                Write-Host "[OK] AuditFilter is already 127" -ForegroundColor Green
+            }
+            else {
+                Write-Host ("[SET] AuditFilter: {0} -> 127" -f $currentValue) -ForegroundColor Yellow
+
+                $proceed = $false
+                if ($Auto) {
+                    $proceed = $true
+                }
+                else {
+                    $response = Read-Host "Do you want to set AuditFilter to 127 and restart Certificate Services? (Y/n)"
+                    $proceed = ($response -eq "" -or $response -match "^[Yy]$")
+                }
+
+                if ($proceed) {
+                    try {
+                        # AuditFilter の設定
+                        Start-Process -FilePath "certutil.exe" -ArgumentList "-setreg","CA\AuditFilter","127" -NoNewWindow -Wait
+
+                        # 証明書サービスの再起動
+                        Restart-Service -Name "CertSvc" -Force -ErrorAction Stop
+
+                        # 反映確認
+                        $propAfter = Get-ItemProperty -Path $regPath -Name "AuditFilter" -ErrorAction SilentlyContinue
+                        $newValue = if ($null -ne $propAfter) { [int]$propAfter.AuditFilter } else { $null }
+
+                        if ($newValue -eq 127) {
+                            Write-Host "[OK] AuditFilter set to 127 and CertSvc restarted" -ForegroundColor Green
+                        }
+                        else {
+                            Write-Host "[ERROR] AuditFilter did not apply as expected (current: $newValue)" -ForegroundColor Red
+                        }
+                    }
+                    catch {
+                        Write-Host "[ERROR] Failed to set AuditFilter or restart CertSvc: $_" -ForegroundColor Red
+                    }
+                }
+                else {
+                    Write-Host "[SKIP] No changes applied to AuditFilter"
+                }
+            }
+        }
+        catch {
+            Write-Host "[ERROR] Failed to process AD CS audit settings: $_" -ForegroundColor Red
+        }
+    }
+    else {
+        Write-Host "[INFO] AD Certificate Services is not installed. Skipping." -ForegroundColor Yellow
+    }
+    Write-Host ""
+
     Write-Host "Configuration completed successfully" -ForegroundColor Green
 }