windows-itpro-docs/windows/device-security/auditing/event-4714.md
Nicholas Brower 1ae3f0b230 Merged PR 4822: "msdate update (generated from most recent commit date)"
2017-12-05 22:36:05 +00:00

title: 4714(S) Encrypted data recovery policy was changed. (Windows 10)
description: Describes security event 4714(S) Encrypted data recovery policy was changed.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh
ms.date: 04/19/2017

4714(S): Encrypted data recovery policy was changed.

Applies to

  • Windows 10
  • Windows Server 2016

Subcategory: Audit Other Policy Change Events

Event Description:

This event generates when a Data Recovery Agent group policy for Encrypting File System (EFS) has changed.

This event generates when a Data Recovery Agent certificate or Data Recovery Agent policy was changed for the computer or device.

In the background, this event generates when the \HKLM\Software\Policies\Microsoft\SystemCertificates\EFS\EfsBlob registry value is changed during a Group Policy update.

Note

  For recommendations, see Security Monitoring Recommendations for this event.


Event XML:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4714</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13573</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2015-10-08T05:27:40.740602500Z" />
    <EventRecordID>1080883</EventRecordID>
    <Correlation />
    <Execution ProcessID="524" ThreadID="4856" />
    <Channel>Security</Channel>
    <Computer>DC01.contoso.local</Computer>
    <Security />
  </System>
  <ProcessingErrorData>
    <ErrorCode>13</ErrorCode>
    <DataItemName>SubjectUserSid</DataItemName>
    <EventPayload />
  </ProcessingErrorData>
</Event>

Required Server Roles: None.

Minimum OS Version: Windows Server 2008, Windows Vista.

Event Versions: 0.

Security Monitoring Recommendations

For 4714(S): Encrypted data recovery policy was changed.

  • We recommend monitoring this event and, if the change was not planned, investigating the reason for the change.
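
The Event XML on this page carries <ProcessingErrorData> instead of <EventData>, so no account field can be read from that sample. As an added example (not part of the original page), the Python parser below turns an exported 4714 event into a triage record and notes that condition. The function name parse_4714 and the record layout are assumptions, and the embedded XML is the page's sample trimmed to the elements the parser reads.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The page's sample event, trimmed to the elements read below.
SAMPLE_4714 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4714</EventID>
    <TimeCreated SystemTime="2015-10-08T05:27:40.740602500Z" />
    <EventRecordID>1080883</EventRecordID>
    <Computer>DC01.contoso.local</Computer>
  </System>
  <ProcessingErrorData>
    <ErrorCode>13</ErrorCode>
    <DataItemName>SubjectUserSid</DataItemName>
    <EventPayload />
  </ProcessingErrorData>
</Event>"""


def parse_4714(xml_text):
    """Return a triage record for a 4714 event, or None for any other event."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS) if system is not None else None
    if provider is None or provider.get("Name") != "Microsoft-Windows-Security-Auditing":
        return None
    if system.findtext("e:EventID", namespaces=NS) != "4714":
        return None
    record = {
        "computer": system.findtext("e:Computer", namespaces=NS),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "record_id": int(system.findtext("e:EventRecordID", namespaces=NS)),
        "fields": {},              # named payload items, when present
        "unreadable_field": None,  # set when the payload failed to render
    }
    # Assumption: an export that does carry <EventData> uses named <Data> items.
    for data in root.iterfind("e:EventData/e:Data", NS):
        record["fields"][data.get("Name")] = data.text
    # Case shown on this page: <ProcessingErrorData> names the field that
    # could not be rendered, and the event carries no account details.
    err = root.find("e:ProcessingErrorData", NS)
    if err is not None:
        record["unreadable_field"] = err.findtext("e:DataItemName", namespaces=NS)
    return record
```

When unreadable_field is set, the record gives only the computer, time and record ID, so checking whether the change was planned has to start from those values.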