Event ID 4890 — The certificate manager settings for Certificate Services changed.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Object Access → Certification Services
Collection Priority: Recommended (NSA, others)
Opcode: Info

Description

The certificate manager settings for Certificate Services changed.

Message #

The certificate manager settings for Certificate Services changed.
	
Enable: %1

%2

Fields #

Name	Description
`Enable`	—
`EnableRestrictedPermissions` UnicodeString	Enable
`RestrictedPermissions` UnicodeString	—
`SubjectUserSid` SID	—
`SubjectUserName` UnicodeString	—
`SubjectDomainName` UnicodeString	—
`SubjectLogonId` HexInt64	—

Community Notes #

May indicate tampering with permissions to issue trusted certificates and impersonate any domain principal. Can detect AD CS abuse techniques, ie ESC1. Any Subject SID that is not NT AUTHORITY\SYSTEM or approved service identity indicates unauthorized privilege abuse.

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4890
Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-certification-services
Ultimate Windows Security https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4890