ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows security monitoring dashboard showing Event Viewer with EFS security events and encryption status
Event ID 4621InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4621 – LSA: Administrator Recovery Agent Policy Changed

Event ID 4621 fires when the Administrator Recovery Agent policy for Encrypting File System (EFS) is modified, indicating changes to data recovery capabilities on the system.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 20269 min read 0
Event ID 4621Microsoft-Windows-Security-Auditing 5 methods 9 min
Event Reference

What This Event Means

Event ID 4621 is generated by the Local Security Authority (LSA) subsystem whenever the Administrator Recovery Agent policy undergoes modification. This policy defines which certificates and users can serve as recovery agents for EFS-encrypted files within the current security scope.

Recovery agents represent a critical component of enterprise EFS deployments. When users encrypt files with EFS, Windows automatically adds the current recovery agent certificates to the encrypted file's metadata. If a user loses their private key or leaves the organization, designated recovery agents can decrypt the files using their recovery certificates.

The event captures several important details: the subject and issuer of recovery agent certificates, whether certificates were added or removed, and the security identifier of the account making the change. This information proves invaluable during security audits and compliance reviews.

In domain environments, this event commonly appears when Group Policy processes EFS recovery settings. Local administrators might also trigger this event when manually configuring recovery agents through the Local Security Policy snap-in or when importing new recovery certificates through the Certificates MMC console.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Group Policy refresh applying new EFS recovery agent settings from domain controllers
  • Manual modification of recovery agent policy through Local Security Policy console
  • Import or removal of recovery agent certificates via Certificates MMC snap-in
  • PowerShell commands or scripts modifying EFS recovery configuration
  • Third-party EFS management tools updating recovery agent settings
  • System restore operations affecting security policy configuration
  • Certificate renewal processes for existing recovery agents
Resolution Methods

Troubleshooting Steps

01

Review Event Details in Event Viewer

Start by examining the complete event details to understand what recovery agent changes occurred.

  1. Open Event ViewerWindows LogsSecurity
  2. Filter for Event ID 4621 using the filter option
  3. Double-click the most recent 4621 event to view details
  4. Review the General tab for basic information
  5. Click the Details tab and select XML View for complete data
  6. Note the SubjectUserName field showing who made the change
  7. Check the RecoveryAgentName and RecoveryAgentThumbprint fields

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4621} -MaxEvents 20 | Select-Object TimeCreated, Id, LevelDisplayName, Message
Pro tip: The XML view contains the most detailed information about certificate changes, including thumbprints and issuer details.
02

Verify Current Recovery Agent Configuration

Check the current EFS recovery agent policy to understand the active configuration.

  1. Press Win + R, type secpol.msc, and press Enter
  2. Navigate to Public Key PoliciesEncrypting File System
  3. Right-click Encrypting File System and select Properties
  4. Review the General tab for current recovery agent certificates
  5. Check certificate details by selecting each certificate and clicking View Certificate

Use PowerShell to enumerate recovery agents programmatically:

# Check EFS recovery policy
Get-ChildItem -Path "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates" -ErrorAction SilentlyContinue

# Query recovery agent certificates from certificate store
Get-ChildItem -Path "Cert:\LocalMachine\My" | Where-Object {$_.EnhancedKeyUsageList -match "File Recovery"}
Warning: Changes to recovery agent policy affect all future EFS encryption operations on the system.
03

Analyze Group Policy EFS Settings

Investigate whether Group Policy changes triggered the recovery agent modification.

  1. Open Group Policy Management Console (gpmc.msc) on a domain controller
  2. Navigate to the relevant GPO affecting the target computer
  3. Edit the GPO and go to Computer ConfigurationPoliciesWindows SettingsSecurity SettingsPublic Key Policies
  4. Check Encrypting File System settings for recent changes
  5. Review GPO version history and modification dates

Use PowerShell to check Group Policy processing:

# Check last Group Policy refresh
Get-WinEvent -FilterHashtable @{LogName='System'; Id=1502} -MaxEvents 5

# Review EFS-related Group Policy events
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='Group Policy EFS'} -MaxEvents 10 -ErrorAction SilentlyContinue

# Force Group Policy refresh to test
gpupdate /force

Check the Group Policy processing log:

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-GroupPolicy/Operational'; Id=4016,4017} -MaxEvents 10
04

Investigate Certificate Store Changes

Examine certificate store modifications that might have triggered the recovery agent policy update.

  1. Open Microsoft Management Console (mmc.exe)
  2. Add the Certificates snap-in for Computer account
  3. Navigate to PersonalCertificates
  4. Look for certificates with File Recovery in the intended purposes
  5. Check certificate validity dates and issuer information
  6. Review the Trusted Root Certification Authorities store for changes

Use PowerShell to audit certificate changes:

# List all certificates with File Recovery capability
Get-ChildItem -Path "Cert:\LocalMachine\My" | Where-Object {
    $_.EnhancedKeyUsageList.FriendlyName -contains "File Recovery"
} | Select-Object Subject, Issuer, NotAfter, Thumbprint

# Check certificate store audit events
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4876,4877,4878} -MaxEvents 20 -ErrorAction SilentlyContinue

Monitor certificate installation events:

# Certificate services events
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='Microsoft-Windows-CertificateServices-Deployment'} -MaxEvents 10 -ErrorAction SilentlyContinue
05

Advanced Recovery Agent Policy Analysis

Perform deep analysis of recovery agent policy changes using registry inspection and advanced PowerShell techniques.

  1. Open Registry Editor (regedit.exe) as administrator
  2. Navigate to HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS
  3. Examine the Certificates subkey for recovery agent certificate data
  4. Check HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS for EFS configuration
  5. Review HKLM\SYSTEM\CurrentControlSet\Control\Lsa for LSA audit settings

Use advanced PowerShell analysis:

# Export current EFS policy for analysis
$efsPolicy = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\*" -ErrorAction SilentlyContinue
$efsPolicy | Format-List

# Decode recovery agent certificates from registry
$certPath = "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\EFS\Certificates"
Get-ChildItem -Path $certPath -ErrorAction SilentlyContinue | ForEach-Object {
    $certData = Get-ItemProperty -Path $_.PSPath -Name "Blob" -ErrorAction SilentlyContinue
    if ($certData) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
        $cert.Import($certData.Blob)
        [PSCustomObject]@{
            Subject = $cert.Subject
            Issuer = $cert.Issuer
            Thumbprint = $cert.Thumbprint
            ValidFrom = $cert.NotBefore
            ValidTo = $cert.NotAfter
        }
    }
}

Create a comprehensive audit report:

# Generate EFS recovery agent audit report
$report = @()
$events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4621} -MaxEvents 50 -ErrorAction SilentlyContinue
foreach ($event in $events) {
    $xml = [xml]$event.ToXml()
    $report += [PSCustomObject]@{
        TimeCreated = $event.TimeCreated
        User = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectUserName'} | Select-Object -ExpandProperty '#text'
        Domain = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'SubjectDomainName'} | Select-Object -ExpandProperty '#text'
        RecoveryAgent = $xml.Event.EventData.Data | Where-Object {$_.Name -eq 'RecoveryAgentName'} | Select-Object -ExpandProperty '#text'
    }
}
$report | Export-Csv -Path "C:\temp\EFS_Recovery_Agent_Changes.csv" -NoTypeInformation
Pro tip: Regular monitoring of Event ID 4621 helps maintain visibility into EFS recovery capabilities and supports compliance requirements.

Overview

Event ID 4621 appears in the Security log when Windows modifies the Administrator Recovery Agent (ARA) policy for the Encrypting File System (EFS). This event tracks changes to the cryptographic recovery infrastructure that allows designated administrators to decrypt EFS-protected files when users lose access to their encryption keys.

The event fires during Group Policy updates, manual policy changes, or when administrators modify EFS recovery settings through the Local Security Policy console. This is a critical security audit event because recovery agents have powerful capabilities to decrypt any EFS-encrypted data on the system.

You'll typically see this event on domain controllers when Group Policy refreshes EFS settings, or on workstations when local administrators modify recovery agent certificates. The event contains details about which recovery agent certificates were added, removed, or modified, making it essential for tracking changes to your organization's data recovery capabilities.

Frequently Asked Questions

What does Event ID 4621 indicate about my system's security?+
Event ID 4621 indicates that your system's EFS recovery agent policy has been modified. This is a significant security event because recovery agents have the ability to decrypt any EFS-encrypted files on the system. The event helps you track who made changes to recovery capabilities and when, which is crucial for maintaining data security and meeting compliance requirements. Regular occurrence of this event might indicate active EFS management, while unexpected events could signal unauthorized policy modifications.
How can I determine who triggered Event ID 4621?+
The event details contain the SubjectUserName and SubjectDomainName fields that identify the account responsible for the recovery agent policy change. You can find this information in the event's XML view or by using PowerShell to parse the event data. Additionally, check the SubjectLogonId field to correlate with other security events from the same logon session. If the change was made through Group Policy, the SYSTEM account typically appears as the subject, requiring you to investigate Group Policy modification logs on domain controllers.
Is Event ID 4621 normal in a domain environment?+
Yes, Event ID 4621 is normal in domain environments where EFS recovery agents are managed through Group Policy. You'll typically see this event during Group Policy refresh cycles, especially after administrators modify EFS settings in Group Policy Objects. The frequency depends on your Group Policy refresh interval and how often EFS recovery settings change. However, you should investigate unexpected occurrences or events triggered by non-administrative accounts, as these might indicate unauthorized attempts to modify recovery capabilities.
Can Event ID 4621 help with EFS troubleshooting?+
Absolutely. Event ID 4621 provides valuable information for EFS troubleshooting by showing when recovery agent policies change. If users suddenly cannot encrypt files or if recovery operations fail, checking recent 4621 events can reveal whether policy changes affected EFS functionality. The event details include certificate thumbprints and recovery agent names, helping you verify that the correct recovery agents are configured. Correlating 4621 events with EFS encryption failures can help identify policy-related issues.
How should I respond to unexpected Event ID 4621 occurrences?+
Unexpected Event ID 4621 events require immediate investigation. First, verify the SubjectUserName to confirm the change was made by an authorized administrator. Check the timing against scheduled maintenance windows or Group Policy updates. Review the recovery agent certificates mentioned in the event to ensure they're legitimate and properly issued. If the change appears unauthorized, immediately audit your EFS recovery agent configuration, review certificate stores for unauthorized certificates, and consider revoking compromised recovery agent certificates. Document the incident and implement additional monitoring for future EFS policy changes.
Documentation

References (2)

1
Microsoft Security Auditing Events ReferenceComprehensive guide to Windows security auditing events including EFS-related eventshttps://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/security-auditing-overview
2
Encrypting File System Technical ReferenceOfficial documentation for EFS implementation and recovery agent configurationhttps://docs.microsoft.com/en-us/windows/security/information-protection/encrypting-file-system/encrypting-file-system
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4621#efs-security#recovery-agents

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...