Audit Other Policy Change Events

Applies to

  • Windows 10
  • Windows Server 2016

Audit Other Policy Change Events contains events about EFS Data Recovery Agent policy changes, changes in Windows Filtering Platform filter, status on Security policy settings updates for local Group Policy settings, Central Access Policy changes, and detailed troubleshooting events for Cryptographic Next Generation (CNG) operations.

Event volume: Low.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller IF Yes IF Yes IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.
We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions.
Member Server IF Yes IF Yes IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.
We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions.
Workstation IF Yes IF Yes IF - We do not recommend Success auditing because of event “5447: A Windows Filtering Platform filter has been changed”—this event generates many times during group policy updates and typically is used for troubleshooting purposes for Windows Filtering Platform filters. But you would still need to enable Success auditing for this subcategory if, for example, you must monitor changes in Boot Configuration Data or Central Access Policies.
We recommend Failure auditing, to detect errors in applied Security settings which came from Group Policy, and failure events related to Cryptographic Next Generation (CNG) functions.

Events List:

  • 4714(S): Encrypted data recovery policy was changed.

  • 4819(S): Central Access Policies on the machine have been changed.

  • 4826(S): Boot Configuration Data loaded.

  • 4909(-): The local policy settings for the TBS were changed.

  • 4910(-): The group policy settings for the TBS were changed.

  • 5063(S, F): A cryptographic provider operation was attempted.

  • 5064(S, F): A cryptographic context operation was attempted.

  • 5065(S, F): A cryptographic context modification was attempted.

  • 5066(S, F): A cryptographic function operation was attempted.

  • 5067(S, F): A cryptographic function modification was attempted.

  • 5068(S, F): A cryptographic function provider operation was attempted.

  • 5069(S, F): A cryptographic function property operation was attempted.

  • 5070(S, F): A cryptographic function property modification was attempted.

  • 5447(S): A Windows Filtering Platform filter has been changed.

  • 6144(S): Security policy in the group policy objects has been applied successfully.

  • 6145(F): One or more errors occurred while processing security policy in the group policy objects.