Event ID: 4693Recovery of data protection master key was attempted
Recovery of data protection master key was attempted. Subject: Security ID: %1 Account Name: %2 Account Domain: %3 Logon ID: %4 Key Information: Key Identifier: %5 Recovery Server: %6 Recovery Key ID: %8 Recovery Reason: %7 Status Information: Status Code: %9
This event generates every time that recovery is attempted for a DPAPI Master Key.
While unprotecting data, if DPAPI cannot use the Master Key protected by the user's password, it sends the backup Master Key to a domain controller by using a mutually authenticated and privacy protected RPC call.
Failure event generates when a Master Key restore operation fails for some reason.
Generally only necessary for troubleshooting purposes, but due the low volume is nevertheless recommended.
Lookup Audit Policy Configuration Settings
C:\> AuditPol.exe /get /subcategory:"DPAPI Activity"
LEFT/RIGHT arrow keys for navigationBack to List