Event ID: 4692Backup of data protection master key was attempted
Backup of data protection master key was attempted. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Key Information: Key Identifier: %5 Recovery Server: %6 Recovery Key ID: %7 Status Information: Status Code: %8
This event generates every time that a backup is attempted for the DPAPI Master Key.
Periodically, a domain-joined machine tries to send an RPC request to a domain controller to back up the user’s master key so that the user can recover secrets in case their password has to be reset. Although the user's keys are stored in the user profile, a domain controller must be contacted to encrypt the master key with a domain recovery key. This event also generates every time a new DPAPI Master Key is generated.
Generally only necessary for troubleshooting purposes, but due the low volume is nevertheless recommended.
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"DPAPI Activity"
LEFT/RIGHT arrow keys for navigationBack to List