
Windows Event ID 4896 – Microsoft-Windows-Security-Auditing: Certificate Services Template Security Descriptor Modified

Event ID 4896 fires when security permissions on a Certificate Authority template are modified, indicating changes to who can request, approve, or manage specific certificate types.

Emanuel DE ALMEIDA
18 March 2026

What This Event Means

Event ID 4896 is generated by the Windows Security Auditing subsystem whenever the Access Control List (ACL) of a certificate template object in Active Directory is modified. Certificate templates are stored in the Configuration partition of Active Directory under CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com.

The event provides detailed information including the security identifier (SID) of the user who made the change, the distinguished name of the affected template, the old and new security descriptors in Security Descriptor Definition Language (SDDL) format, and the process that initiated the change. This level of detail makes it invaluable for forensic analysis and compliance auditing.

Certificate template security descriptors control several critical permissions: Read (allows viewing template properties), Enroll (allows requesting certificates based on the template), Autoenroll (enables automatic certificate enrollment), Write (permits modifying template properties), and Full Control (grants complete administrative access). Unauthorized changes to these permissions can lead to certificate abuse, privilege escalation, or denial of service attacks against your PKI infrastructure.

The event is particularly important in environments where certificate-based authentication is used for VPN access, wireless networks, email encryption, or code signing. Monitoring these events helps detect insider threats, misconfigured permissions, or external attacks targeting your certificate infrastructure.

Applies to

Windows Server 2019, Windows Server 2022, Windows Server 2025
Analysis

Possible Causes

  • Administrator modifying certificate template permissions through Certificate Templates MMC snap-in
  • PowerShell scripts using Set-ADObject or similar cmdlets to modify template ACLs
  • Group Policy changes affecting certificate template permissions
  • Direct LDAP modifications to certificate template objects in Active Directory
  • Certificate Authority management tools modifying template security settings
  • Automated scripts or applications updating template permissions
  • Migration tools transferring certificate templates between forests
  • Security principal changes (user/group deletions) triggering ACL cleanup
Resolution Methods

Troubleshooting Steps

01. Review Event Details in Event Viewer

Start by examining the event details to understand what changed and who made the modification.

  1. Open Event Viewer → Windows Logs → Security
  2. Filter for Event ID 4896 using the filter option
  3. Double-click the event to view detailed information
  4. Note the Subject section showing who made the change
  5. Review the Certificate Template field for the affected template name
  6. Examine the Old Security Descriptor and New Security Descriptor fields

Use PowerShell to query multiple events:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4896} -MaxEvents 50 | Select-Object TimeCreated, @{Name='User';Expression={$_.Properties[1].Value}}, @{Name='Template';Expression={$_.Properties[4].Value}}
Pro tip: The SDDL strings in the security descriptor fields can be converted to readable format using ConvertFrom-SddlString in PowerShell 5.1 and later.
02. Analyze Certificate Template Permissions

Verify current template permissions and compare with the logged changes to understand the impact.

  1. Open Certificate Authority MMC snap-in on your CA server
  2. Right-click Certificate Templates → Manage
  3. Locate the affected template and right-click → Properties
  4. Click the Security tab to view current permissions
  5. Compare current permissions with the event log details

Use PowerShell to query template permissions directly from Active Directory:

Import-Module ActiveDirectory
$TemplateDN = "CN=YourTemplate,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=yourdomain,DC=com"
$Template = Get-ADObject -Identity $TemplateDN -Properties nTSecurityDescriptor
$Template.nTSecurityDescriptor.Access | Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights -AutoSize

To convert SDDL from the event to readable format:

$SDDL = "O:BAG:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
ConvertFrom-SddlString -Sddl $SDDL
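Going one step further than ConvertFrom-SddlString, the following added example (not code from the original article) diffs the old and new SDDL strings from the event and reports only the ACEs that were added, flagging the ones that grant Full Control, WriteDacl/WriteOwner, Enroll or Autoenroll. It uses the .NET RawSecurityDescriptor class, so it needs Windows PowerShell 5.1 or later; the function and variable names are this example's own, and the new descriptor is a constructed sample built from the article's SDDL.

```powershell
# Added example, not from the original article: diff two SDDL strings (the Old and New
# Security Descriptor fields of the event) and report ACEs that were added, flagging
# Full Control, WriteDacl/WriteOwner, Enroll and Autoenroll grants. Windows PowerShell 5.1+.
$EnrollRight     = '0e10c968-78fb-11d1-a9c7-0000f80367c1'   # Certificate-Enrollment extended right
$AutoEnrollRight = 'a05b8cc2-17bc-11d2-91c0-0000f80367c1'   # Certificate-AutoEnrollment extended right
$FullControl     = 0x000F01FF                               # mask behind the "Full Control" SDDL rights list
function Get-AceSummary {
    param([string]$Sddl)
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -isnot [System.Security.AccessControl.QualifiedAce]) { continue }
        $objType = ''
        if ($ace -is [System.Security.AccessControl.ObjectAce]) { $objType = $ace.ObjectAceType.ToString() }
        $sid  = $ace.SecurityIdentifier
        $name = $sid.Value   # fall back to the raw SID when it cannot be resolved
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [PSCustomObject]@{
            Key        = '{0}|{1}|{2:X8}|{3}' -f $sid.Value, $ace.AceType, $ace.AccessMask, $objType
            Identity   = $name
            AceType    = $ace.AceType
            AccessMask = $ace.AccessMask
            ObjectType = $objType
        }
    }
}
function Compare-TemplateSddl {
    param([string]$OldSddl, [string]$NewSddl)
    $oldKeys = @(Get-AceSummary $OldSddl | ForEach-Object Key)
    foreach ($ace in @(Get-AceSummary $NewSddl)) {
        if ($oldKeys -contains $ace.Key) { continue }   # ACE unchanged between old and new
        $mask = $ace.AccessMask
        # GENERIC_ALL, the expanded Full Control mask, WRITE_DAC/WRITE_OWNER, or an Enroll/Autoenroll object ACE
        $highImpact = (($mask -band 0x10000000) -ne 0) -or (($mask -band $FullControl) -eq $FullControl) -or
                      (($mask -band 0x000C0000) -ne 0) -or ($ace.ObjectType -in @($EnrollRight, $AutoEnrollRight))
        [PSCustomObject]@{
            Identity   = $ace.Identity
            AceType    = $ace.AceType
            AccessMask = '0x{0:X8}' -f $mask
            ObjectType = $ace.ObjectType
            HighImpact = ($ace.AceType -like 'AccessAllowed*') -and $highImpact
        }
    }
}
# Constructed sample: the article's SDDL as the old descriptor, with two ACEs appended as the new one
$OldSddl = 'O:BAG:BAD:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)'
$NewSddl = $OldSddl + '(OA;;CR;0e10c968-78fb-11d1-a9c7-0000f80367c1;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)'
Compare-TemplateSddl -OldSddl $OldSddl -NewSddl $NewSddl | Format-Table -AutoSize
```

With the sample input both added ACEs (Enroll and Full Control for Authenticated Users) come back with HighImpact set to True; feed it the Old/New Security Descriptor values of a real event instead of the constructed strings to triage a live change.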
03. Investigate Using Advanced Audit Logs

Enable detailed certificate services auditing and correlate with other security events for comprehensive analysis.

  1. Verify audit policy settings: Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access → Audit Certification Services
  2. Enable if not already configured: auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable
  3. Check for related events around the same timeframe

Query for related certificate services events:

$StartTime = (Get-Date).AddHours(-24)
$Events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4896,4897,4898; StartTime=$StartTime}
$Events | Select-Object Id, TimeCreated, @{Name='User';Expression={$_.Properties[1].Value}}, @{Name='Details';Expression={$_.Message.Split("`n")[0]}} | Sort-Object TimeCreated

Create a timeline of certificate-related changes:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4886,4887,4888,4889,4890,4891,4892,4893,4894,4895,4896,4897,4898; StartTime=(Get-Date).AddDays(-7)} | Sort-Object TimeCreated | Export-Csv -Path "C:\Temp\CertificateAuditTimeline.csv" -NoTypeInformation
04. Monitor Template Changes with PowerShell Script

Implement continuous monitoring for certificate template security descriptor changes using PowerShell.

Create a monitoring script that watches for Event ID 4896:

# Certificate Template Security Monitor (Windows PowerShell 5.1; Register-WmiEvent is not available in PowerShell 7)
# Register the custom event source once, otherwise Write-EventLog fails
if (-not [System.Diagnostics.EventLog]::SourceExists("CertTemplateMonitor")) {
    New-EventLog -LogName Application -Source "CertTemplateMonitor"
}

$Action = {
    # The WMI Win32_NTLogEvent instance exposes the event data as InsertionStrings (in field order),
    # not as the Properties collection that Get-WinEvent returns
    $Entry = $Event.SourceEventArgs.NewEvent
    $User = $Entry.InsertionStrings[1]
    $Template = $Entry.InsertionStrings[4]
    $OldSD = $Entry.InsertionStrings[5]
    $NewSD = $Entry.InsertionStrings[6]
    # TimeGenerated is a DMTF datetime string; convert it to a DateTime
    $When = [System.Management.ManagementDateTimeConverter]::ToDateTime($Entry.TimeGenerated)

    $Message = "Certificate template '$Template' security modified by $User at $When`nOld SDDL: $OldSD`nNew SDDL: $NewSD"
    Write-EventLog -LogName Application -Source "CertTemplateMonitor" -EventId 1001 -EntryType Warning -Message $Message

    # Send email alert (configure SMTP settings)
    Send-MailMessage -To "admin@company.com" -From "monitoring@company.com" -Subject "Certificate Template Security Change" -Body $Message -SmtpServer "smtp.company.com"
}

Register-WmiEvent -Query "SELECT * FROM Win32_NTLogEvent WHERE LogFile='Security' AND EventCode=4896" -Action $Action

# Keep the process alive; the subscription dies with the PowerShell session that created it
while ($true) { Start-Sleep -Seconds 60 }

Set up scheduled task to run the monitoring script:

$TaskAction = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-File C:\Scripts\CertTemplateMonitor.ps1"
$TaskTrigger = New-ScheduledTaskTrigger -AtStartup
$TaskPrincipal = New-ScheduledTaskPrincipal -UserId "SYSTEM" -LogonType ServiceAccount
Register-ScheduledTask -TaskName "CertificateTemplateMonitor" -Action $TaskAction -Trigger $TaskTrigger -Principal $TaskPrincipal
05. Implement Baseline Monitoring and Alerting

Establish baseline certificate template permissions and implement automated detection of unauthorized changes.

Create a baseline of current template permissions:

# Export current certificate template permissions
$ConfigDN = (Get-ADRootDSE).configurationNamingContext
$TemplatesPath = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$ConfigDN"
$Templates = Get-ADObject -SearchBase $TemplatesPath -Filter {objectClass -eq "pKICertificateTemplate"} -Properties nTSecurityDescriptor, displayName

$Baseline = @()
foreach ($Template in $Templates) {
    $Permissions = $Template.nTSecurityDescriptor.Access | Where-Object {$_.AccessControlType -eq "Allow"}
    foreach ($Permission in $Permissions) {
        # Store Identity and Rights as strings so they round-trip through CSV and compare cleanly
        $Baseline += [PSCustomObject]@{
            Template = $Template.displayName
            Identity = [string]$Permission.IdentityReference
            Rights = [string]$Permission.ActiveDirectoryRights
            InheritanceType = [string]$Permission.InheritanceType
        }
    }
}
$Baseline | Export-Csv -Path "C:\Baselines\CertificateTemplatePermissions_$(Get-Date -Format 'yyyyMMdd').csv" -NoTypeInformation

Create a compliance checking script:

# Compare current permissions against baseline
$BaselineFile = "C:\Baselines\CertificateTemplatePermissions_Approved.csv"
$Baseline = Import-Csv $BaselineFile
# Collect the current state with the baseline collection code above, saved as a script that
# ends by outputting $Baseline instead of calling Export-Csv (the script path is a placeholder)
$Current = & "C:\Scripts\Get-CertTemplatePermissions.ps1" | ForEach-Object {
    # Normalize to strings so the CSV-imported baseline and live AD objects compare on equal terms
    [PSCustomObject]@{ Template = $_.Template; Identity = [string]$_.Identity; Rights = [string]$_.Rights }
}

$Differences = Compare-Object -ReferenceObject $Baseline -DifferenceObject $Current -Property Template, Identity, Rights
# "=>" is present only in the current state (added), "<=" only in the approved baseline (removed)
$Differences | Where-Object {$_.SideIndicator -eq "=>"} | ForEach-Object {
    Write-Warning "Unauthorized permission detected: $($_.Template) - $($_.Identity) - $($_.Rights)"
}
$Differences | Where-Object {$_.SideIndicator -eq "<="} | ForEach-Object {
    Write-Warning "Approved permission missing: $($_.Template) - $($_.Identity) - $($_.Rights)"
}
Warning: Always test permission changes in a lab environment before implementing baseline monitoring in production to avoid false positives.

Overview

Event ID 4896 is a security audit event that fires whenever the security descriptor of a Certificate Authority (CA) template is modified. This event is part of Windows Advanced Audit Policy and specifically tracks changes to certificate template permissions within Active Directory Certificate Services (AD CS). The event captures who made the change, which template was affected, and what permissions were modified.

This event is critical for PKI security monitoring as certificate templates control who can request certificates, what types of certificates can be issued, and the approval workflow. Changes to template security descriptors can significantly impact your organization's certificate issuance policies and security posture. The event fires on domain controllers and Certificate Authority servers when template permissions are modified through the Certificate Templates MMC snap-in, PowerShell commands, or direct LDAP modifications.

In enterprise environments running Windows Server 2025 and newer versions, this event has enhanced logging capabilities that provide more granular details about permission changes, making it easier to track unauthorized modifications to certificate templates.

Frequently Asked Questions

What does Event ID 4896 mean and why is it important?
Event ID 4896 indicates that the security permissions on a Certificate Authority template have been modified. This is critical because certificate templates control who can request certificates, what types of certificates can be issued, and the approval workflow. Unauthorized changes to template permissions can lead to certificate abuse, privilege escalation, or compromise of your PKI infrastructure. The event provides detailed information about who made the change, which template was affected, and the specific permission modifications.

How can I determine what specific permissions were changed in Event ID 4896?
The event contains Old Security Descriptor and New Security Descriptor fields in SDDL (Security Descriptor Definition Language) format. You can convert these SDDL strings to readable format using PowerShell: ConvertFrom-SddlString -Sddl "your_sddl_string". This will show you the exact permissions that were added, removed, or modified. Compare the old and new descriptors to identify the specific changes made to the certificate template's access control list.

Should I be concerned about Event ID 4896 appearing frequently in my logs?
Frequent Event ID 4896 occurrences warrant investigation. While occasional events may be normal during planned administrative changes, frequent modifications could indicate unauthorized access, misconfigured automation scripts, or potential security threats. Review the Subject field to identify who is making changes and correlate with your change management processes. Establish a baseline of normal template modification patterns and investigate any deviations from expected behavior.

Can Event ID 4896 help detect certificate-based attacks?
Yes, Event ID 4896 is valuable for detecting certain certificate-based attacks. Attackers may attempt to modify template permissions to grant themselves certificate enrollment rights, enable vulnerable certificate templates, or remove security restrictions. Monitor for unexpected permission changes, especially those granting Enroll or Full Control permissions to unauthorized users or groups. Correlate these events with other certificate services events (4886-4898) to build a complete picture of certificate infrastructure changes.

How do I configure auditing to ensure Event ID 4896 is logged?
Enable the 'Audit Certification Services' policy under Advanced Audit Policy Configuration → Object Access. Use the command: auditpol /set /subcategory:"Certification Services" /success:enable /failure:enable. This policy must be enabled on domain controllers and Certificate Authority servers. Additionally, ensure the Security log has sufficient size to retain these events, as certificate services can generate numerous audit events in busy environments. Consider forwarding these events to a centralized logging system for long-term retention and analysis.

Written by Emanuel DE ALMEIDA

Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
