Enable Protected Event Logging


This policy setting lets you configure Protected Event Logging.

If you enable this policy setting, components that support it will use the certificate you supply to encrypt potentially sensitive event log data before writing it to the event log. The data is encrypted using the Cryptographic Message Syntax (CMS) standard and the public key you provide. You can decrypt these encrypted messages with the Unprotect-CmsMessage PowerShell cmdlet, provided you have access to the private key that corresponds to the public key used for encryption.

If you disable or do not configure this policy setting, components will not encrypt event log messages before writing them to the event log.

Supported on: Windows 10 Server, Windows 10 or Windows 10 RT and later

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging
Value Name: EnableProtectedEventLogging
Value Type: REG_DWORD
Enabled Value: 1
Disabled Value: 0

Provide an encryption certificate to be used by Protected Event Logging. You may provide either:

- The content of a base-64 encoded X.509 certificate
- The thumbprint of a certificate that can be found in the Local Machine certificate store (usually deployed by PKI infrastructure)
- The full path to a certificate (can be local, or a remote share)
- The path to a directory containing a certificate or certificates (can be local, or a remote share)
- The subject name of a certificate that can be found in the Local Machine certificate store (usually deployed by PKI infrastructure)

The resulting certificate must have 'Document Encryption' as an enhanced key usage (1.3.6.1.4.1.311.80.1), as well as either Data Encipherment or Key Encipherment key usages enabled.

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging
Value Name: EncryptionCertificate
Value Type: REG_MULTI_SZ
Default Value: (empty)
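The following PowerShell script is an added example, not part of the original policy reference and not Microsoft's own tooling. It writes the two registry values documented above (EnableProtectedEventLogging and EncryptionCertificate), checks that the chosen certificate carries the Document Encryption EKU and an encipherment key usage before it is trusted with log data, and then shows the decryption side with Unprotect-CmsMessage. The certificate file path is hypothetical, and the choice of log and event ID for the decryption step (PowerShell script block logging, event 4104 in Microsoft-Windows-PowerShell/Operational) is an assumption about which consumer of the policy you care about; the registry path, value names, OID and key-usage requirements come from the page.

```powershell
# Added example: configure Protected Event Logging and decrypt a protected event.
# Assumptions (not from the policy text): the .cer file path, and the log name /
# event ID used in the decryption step.
#Requires -RunAsAdministrator

$policyPath = 'HKLM:\Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging'

function Test-ProtectedEventLoggingCertificate {
    # Returns $true only if the certificate satisfies the policy's stated requirements:
    # EKU 1.3.6.1.4.1.311.80.1 (Document Encryption) plus Data or Key Encipherment.
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasDocEncryption = $eku -and
        ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.4.1.311.80.1' })

    $ku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
    $hasEncipherment = $ku -and
        (($ku.KeyUsages -band ($flags::DataEncipherment -bor $flags::KeyEncipherment)) -ne 0)

    return [bool]($hasDocEncryption -and $hasEncipherment)
}

# 1. Enable the policy: EnableProtectedEventLogging = 1 (REG_DWORD).
New-Item -Path $policyPath -Force | Out-Null
Set-ItemProperty -Path $policyPath -Name 'EnableProtectedEventLogging' -Value 1 -Type DWord

# 2. Supply the encryption certificate. Only the public certificate is needed on the
#    logging host; the private key stays with whoever is allowed to read the logs.
#    The path below is hypothetical. Base-64 content is one of the accepted forms;
#    a thumbprint or subject name from the Local Machine store would also work.
$certPath = 'C:\PKI\ProtectedEventLogging.cer'
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certPath)
if (-not (Test-ProtectedEventLoggingCertificate -Certificate $cert)) {
    throw "Certificate $($cert.Thumbprint) lacks the Document Encryption EKU or an encipherment key usage"
}
$base64 = [Convert]::ToBase64String(
    $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
Set-ItemProperty -Path $policyPath -Name 'EncryptionCertificate' -Value @($base64) -Type MultiString

# 3. Decryption side, run where the matching private key is installed. Script block
#    logging (event 4104, Microsoft-Windows-PowerShell/Operational) is one component
#    that honors the policy; this log/ID choice is an assumption for the example.
#    Unprotect-CmsMessage accepts event log records from the pipeline and locates the
#    CMS block inside the message text. Records written before the policy took effect
#    are plain text, so they are filtered out instead of producing decryption errors.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match '-----BEGIN CMS-----' } |
    Unprotect-CmsMessage
```

The certificate check matters operationally: if the certificate lacks the required EKU or key usages, components silently fall back to writing unencrypted data, so validate before deployment rather than discovering it in the log afterwards.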

eventlogging.admx

Administrative Templates (Computers)

Administrative Templates (Users)