Audit Other Policy Change Events

This security policy setting determines whether the operating system generates events for security policy changes that are not otherwise audited in the Policy Change category, such as the following:

  • Trusted Platform Module (TPM) configuration changes. 
  • Kernel-mode cryptographic self tests. 
  • Cryptographic provider operations. 
  • Cryptographic context operations or modifications. 


Event volume: Low
If this policy setting is configured, the following events are generated. The events appear on computers running Windows Server 2008 R2, Windows Server 2008, Windows 7, or Windows Vista.

  • 4670: Permissions on an object were changed.
  • 4909: The local policy settings for the TBS were changed.
  • 4910: The group policy settings for the TBS were changed.
  • 5063: A cryptographic provider operation was attempted.
  • 5064: A cryptographic context operation was attempted.
  • 5065: A cryptographic context modification was attempted.
  • 5066: A cryptographic function operation was attempted.
  • 5067: A cryptographic function modification was attempted.
  • 5068: A cryptographic function provider operation was attempted.
  • 5069: A cryptographic function property operation was attempted.
  • 5070: A cryptographic function property modification was attempted.
  • 5447: A Windows Filtering Platform filter has been changed.
  • 6144: Security policy in the group policy objects has been applied successfully.
  • 6145: One or more errors occurred while processing security policy in the group policy objects.

Scope: 

Computer

Default: 

Not configured

Related content