Windows Security Log Event ID 4714

Operating Systems: Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10; Windows Server 2019 and 2022
Category: Policy Change
Subcategory: Authorization Policy Change
Type: Success
Corresponding events in Windows 2003 and before: 618

4714: Encrypted data recovery policy was changed


This computer's Security Settings\Public Key Policies\Encrypting File System data recovery agent policy was modified - either via Local Security Policy or Group Policy in Active Directory.

Unfortunately, the Subject fields don't identify who actually changed the policy, because this policy isn't directly configured by administrators. Instead, it is edited in a group policy object, which then gets applied to the computer. Therefore, this event always shows the local computer as the one who changed the policy, since the computer is the security principal under which gpupdate runs.

Subject:

The ID and logon session of the user that changed the policy - always the local system - see note above.

  • Security ID: The SID of the account.
  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID: A semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.


Description Fields in 4714

Changes Made:

The old and new values are displayed for each changed policy parameter. These settings correspond to Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Encrypting File System in group policy.


Examples of 4714

Encrypted data recovery policy was changed.

Subject:

   Security ID:  SYSTEM
   Account Name:  WIN-R9H529RIO4Y$
   Account Domain:  WORKGROUP
   Logon ID:  0x3e7

Changes Made:

   ('====' means no changes, otherwise each change is shown as:
   (Parameter Name): (new value) (old value))
   PolEfDat: <binary data> (none);
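
The following parser is an added example, not part of the original page: it reads the rendered message text of the event above, extracts the Subject fields and the "Changes Made" entries, and flags that the Subject is the computer itself rather than the person who edited the policy. The function name, the dictionary keys and the handling of the '====' marker are assumptions made for illustration.

```python
import re

# Constructed input: the rendered message text of the example event shown above.
SAMPLE_4714 = """Encrypted data recovery policy was changed.

Subject:

   Security ID:  SYSTEM
   Account Name:  WIN-R9H529RIO4Y$
   Account Domain:  WORKGROUP
   Logon ID:  0x3e7

Changes Made:

   ('====' means no changes, otherwise each change is shown as:
   (Parameter Name): (new value) (old value))
   PolEfDat: <binary data> (none);
"""

FIELD = re.compile(r"^\s*(Security ID|Account Name|Account Domain|Logon ID):\s*(.*?)\s*$")
# A change line reads "<Parameter Name>: <new value> (<old value>);"
CHANGE = re.compile(r"^\s*(\w+):\s*(.+?)\s*\((.*)\);?\s*$")


def parse_4714(message):
    """Split a rendered 4714 message into Subject fields and the change list."""
    subject, changes, section = {}, [], None
    for line in message.splitlines():
        text = line.strip()
        if text in ("Subject:", "Changes Made:"):
            section = text
        elif section == "Subject:":
            m = FIELD.match(line)
            if m:
                subject[m.group(1)] = m.group(2)
        elif section == "Changes Made:":
            # Skip the legend lines; assumption: an unchanged policy carries '===='.
            if text.startswith("(") or "====" in text:
                continue
            m = CHANGE.match(line)
            if m:
                changes.append({"parameter": m.group(1), "new": m.group(2), "old": m.group(3)})
    # Machine accounts end in "$" and 0x3e7 is the Local System logon session, so
    # a Subject like this names the computer applying policy, not the editor.
    is_machine = subject.get("Account Name", "").endswith("$") or \
        subject.get("Logon ID", "").lower() == "0x3e7"
    return {"subject": subject, "changes": changes, "subject_is_machine": is_machine}
```

When `subject_is_machine` is true, the person who edited the policy has to be found from a source other than this event's Subject fields.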
