這個原則設定可讓您設定「受保護的事件記錄」。
如果您啟用這個原則設定,支援的元件在寫入事件記錄檔之前,將會使用您提供用來加密可能的敏感性事件記錄檔資料的憑證。資料將使用密碼編譯訊息語法 (CMS) 標準和您提供的公開金鑰加密。您可以使用 Unprotect-CmsMessage PowerShell cmdlet 來解密這些加密後的檔案,它提供您存取私密金鑰的權限,對應用來加密的公開金鑰。
如果您停用或是未設定這個原則設定,元件寫入事件記錄檔訊息之前將不會加密。
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging |
Value Name | EnableProtectedEventLogging |
Value Type | REG_DWORD |
Enabled Value | 1 |
Disabled Value | 0 |
Provide an encryption certificate to be used by Protected Event Logging. You may provide either: - The content of a base-64 encoded X.509 certificate - The thumbprint of a certificate that can be found in the Local Machine certificate store (usually deployed by PKI infrastructure) - The full path to a certificate (can be local, or a remote share) - The path to a directory containing a certificate or certificates (can be local, or a remote share) - The subject name of a certificate that can be found in the Local Machine certificate store (usually deployed by PKI infrastructure) The resulting certificate must have 'Document Encryption' as an enhanced key usage (1.3.6.1.4.1.311.80.1), as well as either Data Encipherment or Key Encipherment key usages enabled.
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging |
Value Name | EncryptionCertificate |
Value Type | REG_MULTI_SZ |
Default Value |