ANAVEM
EnglishFrancais
ANAVEM
Languagefr
Windows security monitoring dashboard showing Event Viewer with certificate management and security audit logs
Event ID 4707InformationMicrosoft-Windows-Security-AuditingWindows

Windows Event ID 4707 – Microsoft-Windows-Security-Auditing: Cryptographic Trust Removed

Event ID 4707 indicates that a cryptographic trust relationship has been removed from the system, typically when certificates are deleted or trust relationships are revoked in Active Directory environments.

Emanuel DE ALMEIDAEmanuel DE ALMEIDA
18 March 20269 min read 0
Event ID 4707Microsoft-Windows-Security-Auditing 5 methods 9 min
Event Reference

What This Event Means

Event ID 4707 represents a security audit event generated by the Windows Security subsystem when cryptographic trust relationships are removed from the system. This event occurs in various scenarios including certificate store modifications, PKI policy changes, and Active Directory trust relationship management.

The event contains detailed information about the removed trust, including the certificate thumbprint, issuer details, subject information, and the security context of the user or process that initiated the removal. Windows generates this event regardless of whether the removal was successful or failed, providing complete audit trails for compliance and security monitoring.

In enterprise environments, this event is particularly important for tracking changes to certificate authorities, monitoring certificate lifecycle management, and detecting potential security incidents involving PKI infrastructure. The event helps identify when trusted root certificates are removed, intermediate CA certificates are revoked, or cross-forest trust relationships are terminated.

The event appears in the Windows Security log and requires appropriate audit policy settings to be enabled. Specifically, the 'Audit Other Object Access Events' policy must be configured to capture cryptographic operations. This event is essential for organizations maintaining strict security compliance requirements and those using certificate-based authentication systems.

Applies to

Windows 10Windows 11Windows Server 2019/2022/2025
Analysis

Possible Causes

  • Manual removal of certificates from the Trusted Root Certification Authorities store
  • Automatic certificate cleanup by Windows Update or security policies
  • Group Policy changes affecting certificate trust settings
  • Active Directory Certificate Services configuration modifications
  • PowerShell or certlm.msc operations removing trusted certificates
  • Third-party security software removing potentially malicious certificates
  • Domain controller trust relationship changes in multi-domain environments
  • Certificate revocation list (CRL) updates affecting trust chains
  • Smart card or hardware security module (HSM) certificate management
Resolution Methods

Troubleshooting Steps

01

Examine Event Details in Event Viewer

Start by reviewing the complete event details to understand what trust was removed and by whom.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows LogsSecurity
  3. Filter for Event ID 4707 using the Filter Current Log option
  4. Double-click the event to view detailed information including:
    • Subject: User account that performed the action
    • Certificate Information: Thumbprint, issuer, and subject details
    • Process Information: Application that initiated the removal
  5. Note the timestamp and correlate with any recent system changes or maintenance activities

Use PowerShell to query multiple events efficiently:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4707} -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
02

Verify Current Certificate Store Status

Check the current state of certificate stores to understand what trusts remain and identify any missing certificates.

  1. Open Certificate Manager by running certlm.msc as administrator
  2. Expand Trusted Root Certification AuthoritiesCertificates
  3. Review the list of trusted root CAs and compare against your organization's approved certificate list
  4. Check Intermediate Certification Authorities for any missing intermediate certificates
  5. Use PowerShell to enumerate certificate stores programmatically:
# List all certificates in Trusted Root store
Get-ChildItem -Path Cert:\LocalMachine\Root | Select-Object Subject, Issuer, Thumbprint, NotAfter | Format-Table -AutoSize

# Check for specific certificate by thumbprint from Event 4707
$thumbprint = "PASTE_THUMBPRINT_FROM_EVENT_HERE"
Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {$_.Thumbprint -eq $thumbprint}

Document any missing certificates that may need to be reinstalled for proper system operation.

03

Analyze Group Policy and Security Settings

Investigate whether Group Policy changes or security policies triggered the certificate removal.

  1. Open Group Policy Management Console (gpmc.msc) if in a domain environment
  2. Review recent changes to policies affecting certificate management:
    • Computer Configuration → Windows Settings → Security Settings → Public Key Policies
    • Certificate path validation settings
    • Trusted root certification authorities policies
  3. Check local security policy settings using secpol.msc
  4. Use PowerShell to review Group Policy results:
# Generate Group Policy report
Get-GPResultantSetOfPolicy -ReportType Html -Path "C:\Temp\GPReport.html"

# Check certificate-related registry settings
Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates" -ErrorAction SilentlyContinue
Pro tip: Use gpupdate /force to refresh Group Policy settings and check if certificates are restored automatically.
04

Investigate Process and User Context

Determine which process or user initiated the certificate removal to identify the root cause.

  1. From the Event 4707 details, note the Process Name and Process ID
  2. Cross-reference with other security events around the same timeframe:
# Find related events by Process ID
$processId = "1234"  # Replace with actual PID from event
$startTime = (Get-Date).AddHours(-2)
$endTime = Get-Date

Get-WinEvent -FilterHashtable @{
    LogName='Security'
    StartTime=$startTime
    EndTime=$endTime
} | Where-Object {$_.Message -like "*$processId*"} | Select-Object TimeCreated, Id, Message
  1. Check if the process was legitimate system maintenance or potentially malicious activity
  2. Review user account details and verify if the action was authorized
  3. Examine process execution context using Process Monitor if the issue is ongoing
  4. Check Windows Defender or other security software logs for related certificate actions
Warning: If an unauthorized user or suspicious process removed trusted certificates, this could indicate a security compromise requiring immediate investigation.
05

Restore Trust Relationships and Implement Monitoring

Restore necessary certificates and implement monitoring to prevent future issues.

  1. If legitimate certificates were incorrectly removed, restore them from backup or download from the issuing CA
  2. For domain environments, use Group Policy to deploy trusted certificates:
# Import certificate to Trusted Root store
$certPath = "C:\Temp\TrustedCA.cer"
Import-Certificate -FilePath $certPath -CertStoreLocation Cert:\LocalMachine\Root

# Verify certificate installation
Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object {$_.Subject -like "*YourCA*"}
  1. Configure advanced audit policy to monitor certificate changes:
# Enable auditing for certificate operations
auditpol /set /subcategory:"Other Object Access Events" /success:enable /failure:enable

# Verify audit policy settings
auditpol /get /subcategory:"Other Object Access Events"
  1. Set up automated monitoring using PowerShell scripts or SIEM integration
  2. Create alerts for Event ID 4707 occurrences to detect future unauthorized changes
  3. Document the incident and update change management procedures to prevent recurrence

Consider implementing certificate pinning or additional validation mechanisms for critical applications to reduce dependency on system trust stores.

Overview

Event ID 4707 fires when Windows removes a cryptographic trust relationship from the system. This security audit event occurs during certificate management operations, PKI infrastructure changes, or when administrators manually revoke trust relationships. The event appears in the Security log and provides detailed information about which trust was removed, who initiated the action, and the specific cryptographic context.

This event is part of Windows Advanced Audit Policy configuration under Object Access auditing. It tracks changes to the cryptographic trust store, including root certificate authorities, intermediate certificates, and domain trust relationships. The event helps administrators maintain visibility over PKI security posture and detect unauthorized certificate management activities.

Understanding this event is crucial for environments using certificate-based authentication, code signing, SSL/TLS communications, or Active Directory Certificate Services. The event provides forensic evidence of trust modifications and helps troubleshoot authentication failures related to certificate validation.

Frequently Asked Questions

What does Event ID 4707 mean and when does it occur?+
Event ID 4707 indicates that a cryptographic trust relationship has been removed from the Windows system. This event occurs when certificates are deleted from trust stores, certificate authorities are removed, or trust relationships are revoked. It's generated by the Windows Security Auditing subsystem and appears in the Security log when the 'Audit Other Object Access Events' policy is enabled. The event provides detailed information about what trust was removed, who performed the action, and the specific cryptographic context involved.
How can I determine which certificate was removed from Event ID 4707?+
The Event ID 4707 details contain specific information about the removed certificate including the certificate thumbprint, issuer name, subject details, and validity period. You can find this information in the event's XML view or detailed text description. Use the thumbprint value to search for the certificate in backup systems or certificate authority databases. The event also includes the user account and process that initiated the removal, helping you trace the source of the change.
Is Event ID 4707 a security concern that requires immediate attention?+
Event ID 4707 itself is informational, but it can indicate security concerns depending on the context. If trusted root certificates or critical intermediate certificates were removed without authorization, this could compromise SSL/TLS validation, code signing verification, or authentication systems. Investigate immediately if: the removal was performed by an unauthorized user, system processes are failing certificate validation, or the removed certificate was critical for business operations. Regular certificate maintenance may generate legitimate 4707 events that don't require concern.
How do I restore a certificate that was removed and triggered Event ID 4707?+
To restore a removed certificate, first identify the specific certificate from the Event 4707 details. If you have the original certificate file, import it using certlm.msc or PowerShell's Import-Certificate cmdlet. For domain environments, check if the certificate can be redistributed via Group Policy. Contact your certificate authority to reissue the certificate if the original is unavailable. For root CA certificates, download them from the issuer's website or Windows Update. Always verify the certificate's authenticity before importing to prevent security compromises.
How can I prevent unauthorized certificate removals that generate Event ID 4707?+
Implement several security measures to prevent unauthorized certificate modifications: restrict administrative access to certificate stores using proper role-based access controls, enable advanced audit policies to monitor all certificate operations, use Group Policy to manage certificate deployment and prevent local modifications, implement change management procedures requiring approval for certificate changes, and set up real-time monitoring and alerting for Event ID 4707 occurrences. Consider using certificate pinning for critical applications and regularly review certificate store contents for unauthorized changes.
Documentation

References (2)

1
Microsoft Learn - Advanced Security Audit PoliciesOfficial documentation covering Windows advanced audit policy configuration including Object Access events and cryptographic operations monitoring.https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policies
2
Microsoft Docs - Certificate and Trust ManagementComprehensive guide to Windows certificate management, trust relationships, and PKI infrastructure configuration.https://docs.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration
Emanuel DE ALMEIDA
Written by

Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#event-id-4707#security-auditing#certificate-management

Related Windows Events

Windows security monitoring dashboard displaying audit events and privilege tracking logs
Event 6276
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6276 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6276 records when special privileges are assigned to a user account during logon, indicating elevated access rights have been granted for the session.

March 189 min
Windows security monitoring dashboard displaying privilege assignment events in a professional SOC environment
Event 6274
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6274 – Microsoft-Windows-Security-Auditing: Special Privileges Assigned to New Logon

Event ID 6274 records when special privileges are assigned to a new user logon session, indicating elevated access rights have been granted for security-sensitive operations.

March 189 min
Network Policy Server monitoring dashboard showing authentication events and security logs
Event 6273
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6273 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6273 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 189 min
Network operations center displaying Windows NPS authentication monitoring dashboards and security event logs
Event 6272
Microsoft-Windows-Security-Auditing
Windows EventInformation

Windows Event ID 6272 – Microsoft-Windows-Security-Auditing: Network Policy Server Granted Access

Event ID 6272 indicates that Network Policy Server (NPS) has granted network access to a user or device after successful authentication and authorization through RADIUS protocols.

March 1812 min

Discussion

Share your thoughts and insights

You must be logged in to comment.

Log in
Loading comments...