This policy setting lets you configure Protected Event Logging.
If you enable this policy setting, components that support it will use the certificate you supply to encrypt potentially sensitive event log data before writing it to the event log. Data will be encrypted using the Cryptographic Message Syntax (CMS) standard and the public key you provide. You can use the Unprotect-CmsMessage PowerShell cmdlet to decrypt these encrypted messages, provided that you have access to the private key corresponding to the public key that they were encrypted with.
If you disable or do not configure this policy setting, components will not encrypt event log messages before writing them to the event log.
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging |
Value Name | EnableProtectedEventLogging |
Value Type | REG_DWORD |
Enabled Value | 1 |
Disabled Value | 0 |
Provide an encryption certificate to be used by Protected Event Logging. You may provide either: - The content of a base-64 encoded X.509 certificate - The thumbprint of a certificate that can be found in the Local Machine certificate store (usually deployed by PKI infrastructure) - The full path to a certificate (can be local, or a remote share) - The path to a directory containing a certificate or certificates (can be local, or a remote share) - The subject name of a certificate that can be found in the Local Machine certificate store (usually deployed by PKI infrastructure) The resulting certificate must have 'Document Encryption' as an enhanced key usage (1.3.6.1.4.1.311.80.1), as well as either Data Encipherment or Key Encipherment key usages enabled.
Registry Hive | HKEY_LOCAL_MACHINE |
Registry Path | Software\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging |
Value Name | EncryptionCertificate |
Value Type | REG_MULTI_SZ |
Default Value |