
Windows Event ID 4947 – Microsoft-Windows-Security-Auditing: IPsec Policy Agent Service Started

Event ID 4947 indicates the IPsec Policy Agent service has successfully started on the system. This security audit event confirms IPsec policy enforcement is active and ready to secure network communications.

Emanuel DE ALMEIDA
18 March 2026, 9 min read

Event Reference

What This Event Means

The IPsec Policy Agent service is a critical Windows component that manages Internet Protocol Security (IPsec) policies on local systems. When Event ID 4947 is logged, it confirms the service has initialized successfully and is ready to enforce security policies for network communications.

This service operates by retrieving IPsec policies from various sources including Active Directory Group Policy, local security policy, or registry-based configurations. Once started, the Policy Agent monitors network traffic and applies appropriate security measures such as encryption, authentication, and integrity verification based on configured rules.

The event provides valuable insight into system security posture, particularly in environments where IPsec is mandatory for compliance or security requirements. The timing of this event during system startup helps administrators verify that security controls are properly initialized before network communications begin.

In Windows Server environments, this event is especially significant as servers often handle sensitive data requiring encrypted communications. The successful startup of the Policy Agent ensures that server-to-server communications, client connections, and inter-domain traffic can be properly secured according to organizational policies.

Applies to

  • Windows 10
  • Windows 11
  • Windows Server 2019/2022/2025

Analysis

Possible Causes

  • System startup with IPsec Policy Agent service configured to start automatically
  • Manual start of the PolicyAgent service through Services console or PowerShell
  • Service recovery after a previous failure or crash
  • Group Policy refresh triggering service restart
  • Windows Update installation requiring service restart
  • System administrator troubleshooting IPsec connectivity issues
  • Domain controller policy changes forcing policy agent restart
Resolution Methods

Troubleshooting Steps

01

Verify Service Status in Event Viewer

Check the Security log to confirm the IPsec Policy Agent started successfully and review related events.

  1. Open Event Viewer by pressing Win + R, typing eventvwr.msc, and pressing Enter
  2. Navigate to Windows Logs → Security
  3. Filter for Event ID 4947 using the Filter Current Log option
  4. Review the event details, including the timestamp and user context
  5. Check for any related IPsec events (4945, 4946, 4948) that might indicate policy issues

# PowerShell command to check recent 4947 events
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4947} -MaxEvents 10 | Format-Table TimeCreated, Id, LevelDisplayName, Message -Wrap

Pro tip: Look for the event immediately after system startup to confirm normal service initialization timing.
02

Validate PolicyAgent Service Configuration

Verify the IPsec Policy Agent service is properly configured and running with correct startup parameters.

  1. Open Services console by pressing Win + R, typing services.msc, and pressing Enter
  2. Locate IPsec Policy Agent service in the list
  3. Right-click and select Properties to check startup type and dependencies
  4. Verify the service is set to Automatic startup type
  5. Check the Dependencies tab to ensure required services are available
# Check PolicyAgent service status and configuration
Get-Service -Name PolicyAgent | Format-List *

# View service startup type and dependencies
# (Get-CimInstance replaces the deprecated Get-WmiObject and also works in PowerShell 7)
Get-CimInstance -ClassName Win32_Service -Filter "Name='PolicyAgent'" | Select-Object Name, StartMode, State, PathName

Warning: Do not disable the PolicyAgent service if IPsec policies are required for network security compliance.
03

Review IPsec Policy Configuration

Examine the current IPsec policies to understand what security rules triggered the Policy Agent startup.

  1. Open Local Security Policy by typing secpol.msc in Run dialog
  2. Navigate to IP Security Policies on Local Computer
  3. Review assigned policies and their rules
  4. Check Group Policy Management Console for domain-based IPsec policies if domain-joined
  5. Verify policy assignment and rule configuration
# Display current IPsec policies using netsh
netsh ipsec static show all

# Check IPsec policy assignment
netsh ipsec static show gpoassignedpolicy

# View active IPsec associations
netsh ipsec dynamic show all

Pro tip: Use netsh ipsec monitor show all to view real-time IPsec activity and confirm policies are being enforced.
04

Analyze Registry IPsec Configuration

Examine registry settings that control IPsec Policy Agent behavior and policy storage locations.

  1. Open Registry Editor by pressing Win + R, typing regedit, and pressing Enter
  2. Navigate to HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent
  3. Review service parameters and startup configuration
  4. Check HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local for local policies
  5. Examine HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Cache for cached domain policies
# Query PolicyAgent service registry configuration
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent" | Format-List

# Check IPsec policy registry locations
Get-ChildItem -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy" -Recurse | Select-Object Name

Warning: Modifying IPsec policy registry entries can break network connectivity. Always back up the registry before making changes.
05

Advanced Troubleshooting with Event Correlation

Perform comprehensive analysis by correlating Event ID 4947 with other system and security events to identify potential issues.

  1. Enable IPsec audit logging in Group Policy under Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration
  2. Monitor the System log for PolicyAgent service events (Event IDs 7034, 7035, 7036)
  3. Check the Application log for IPsec-related application errors
  4. Use Windows Performance Monitor to track IPsec performance counters
  5. Analyze network connectivity issues that might be related to IPsec policy enforcement

# Comprehensive event analysis for IPsec troubleshooting
$Events = @(4945, 4946, 4947, 4948, 5049, 5050, 5051, 5052)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$Events; StartTime=(Get-Date).AddHours(-24)} | Sort-Object TimeCreated

# Check for PolicyAgent service events in System log
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'} | Where-Object {$_.Message -like '*PolicyAgent*'}

Pro tip: Use wevtutil qe Security /q:"*[System[EventID=4947]]" /f:text for detailed XML event analysis when troubleshooting complex IPsec issues.
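The correlation described in step 05, worked through as an added PowerShell example (not code from the original article): it pairs each Event ID 4947 in the Security log with the nearest Service Control Manager 7036 event for PolicyAgent in the System log, and flags hours with an unusual number of service starts, which is the "frequent occurrences" case the FAQ warns about. The look-back window, the correlation window and the burst threshold are assumed defaults; tune them to your own baseline.

```powershell
# Added example: correlate Event ID 4947 with SCM 7036 events and detect restart bursts.
param(
    [int]$Hours = 24,              # assumed look-back window
    [int]$BurstThreshold = 3,      # assumed baseline: starts per hour worth a closer look
    [int]$CorrelationSeconds = 60  # assumed max gap between a 4947 and its SCM 7036
)

$since = (Get-Date).AddHours(-$Hours)

# Security log: IPsec Policy Agent started (Event ID 4947, per the article)
$starts = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4947; StartTime=$since} -ErrorAction SilentlyContinue

# System log: SCM "entered the running state" (7036) messages that mention the Policy Agent
$scm = Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'; Id=7036; StartTime=$since} -ErrorAction SilentlyContinue |
       Where-Object { $_.Message -match 'IPsec Policy Agent|PolicyAgent' }

# Pair each 4947 with the closest SCM 7036 inside the correlation window
$report = foreach ($e in $starts) {
    $match = $scm |
        Where-Object { [math]::Abs(($_.TimeCreated - $e.TimeCreated).TotalSeconds) -le $CorrelationSeconds } |
        Sort-Object { [math]::Abs(($_.TimeCreated - $e.TimeCreated).TotalSeconds) } |
        Select-Object -First 1
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        ScmMatch    = if ($match) { $match.TimeCreated } else { $null }
        Correlated  = [bool]$match   # $false means no SCM start event nearby; investigate
    }
}

$report | Sort-Object TimeCreated | Format-Table -AutoSize

# Burst detection: group 4947 events by hour and warn when the count exceeds the baseline
$starts | Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd HH:00') } |
    Where-Object { $_.Count -ge $BurstThreshold } |
    ForEach-Object {
        Write-Warning ("{0} PolicyAgent starts in hour {1}: check for service instability or policy conflicts" -f $_.Count, $_.Name)
    }
```

Run it from an elevated PowerShell session, since reading the Security log requires administrative rights; a 4947 with Correlated = False or a warning line is the point at which to move on to the service and policy checks in steps 02 and 03.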

Overview

Event ID 4947 fires when the IPsec Policy Agent service (PolicyAgent) successfully starts on a Windows system. This event appears in the Security log as part of Windows security auditing and indicates that IPsec policy enforcement is now active. The IPsec Policy Agent is responsible for retrieving IPsec policies from Active Directory or local storage and applying them to secure network communications.

This event typically occurs during system startup, after service recovery operations, or when manually starting the PolicyAgent service. The event confirms that the system is ready to enforce IPsec policies for network traffic encryption, authentication, and integrity checking. In enterprise environments with domain-based IPsec policies, this event signals that the workstation or server can now participate in secure network communications according to organizational security policies.

The event is logged with audit success status and includes details about the service startup context. System administrators monitor this event to verify IPsec policy enforcement is functioning correctly, especially in environments requiring mandatory network encryption or after policy changes.

Frequently Asked Questions

What does Event ID 4947 mean and why is it important?

Event ID 4947 indicates that the IPsec Policy Agent service has successfully started on your Windows system. This is important because the Policy Agent is responsible for enforcing IPsec security policies that encrypt and authenticate network communications. The event confirms that your system is ready to apply IPsec rules for secure networking, which is critical in environments requiring encrypted communications or compliance with security standards.

Should I be concerned if I see multiple Event ID 4947 entries?

Multiple Event ID 4947 entries are not necessarily concerning if they correspond to legitimate service starts during system boot, service restarts, or policy updates. However, frequent occurrences outside of these scenarios might indicate service instability, policy conflicts, or system issues. Check the timing of events and correlate with system activities like updates, policy changes, or service management operations to determine if the frequency is normal.

How can I tell if IPsec policies are actually working after seeing Event ID 4947?

After Event ID 4947 confirms the Policy Agent started, verify IPsec functionality by using netsh ipsec monitor show all to view active security associations, checking for Events 4945-4948 in the Security log for policy loading confirmation, and using network monitoring tools to confirm encrypted traffic. You can also test connectivity to IPsec-protected resources and review IPsec performance counters in Performance Monitor to ensure policies are actively enforcing security rules.

What should I do if Event ID 4947 appears but IPsec isn't working properly?

If Event ID 4947 appears but IPsec isn't functioning correctly, first verify that policies are properly assigned using netsh ipsec static show gpoassignedpolicy. Check for conflicting policies, ensure required certificates are installed and valid, verify that Windows Firewall isn't blocking IPsec traffic, and review the Security log for IPsec failure events (5049-5052). Also confirm that both endpoints have compatible IPsec configurations and that network infrastructure supports IPsec protocols (ESP, AH, IKE).

Can I disable Event ID 4947 logging if I don't need IPsec monitoring?

You can disable Event ID 4947 logging by modifying audit policy settings, but this is not recommended in security-conscious environments. To disable, use Group Policy under Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → System Audit Policies → Object Access, and disable 'Audit IPsec Driver' and 'Audit Other Object Access Events'. However, keeping this logging enabled provides valuable security monitoring capabilities and helps with compliance requirements and troubleshooting network security issues.
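The verification steps from the two FAQ answers above ("is IPsec actually working?" and "4947 appears but IPsec isn't working"), combined into one added PowerShell health check (not the article's own code): it checks the service state and startup type, its dependencies, whether a 4947 was logged recently, whether IPsec failure events 5049-5052 followed the last start, and prints the Group Policy-assigned policy. The 24-hour window and the expectation that the service is set to Automatic are assumptions taken from the article's recommendations.

```powershell
# Added example: PolicyAgent / IPsec health check built from the FAQ's verification steps.
$since    = (Get-Date).AddHours(-24)   # assumed look-back window
$findings = [System.Collections.Generic.List[string]]::new()

# 1. Service must be running and set to Automatic (the startup type the article recommends)
$svc = Get-Service -Name PolicyAgent -ErrorAction Stop
if ($svc.Status -ne 'Running')      { $findings.Add("PolicyAgent is $($svc.Status), expected Running") }
if ($svc.StartType -ne 'Automatic') { $findings.Add("PolicyAgent startup type is $($svc.StartType), expected Automatic") }

# 2. Dependencies listed on the service's Dependencies tab must be running too
$svc.ServicesDependedOn | Where-Object { $_.Status -ne 'Running' } |
    ForEach-Object { $findings.Add("Dependency $($_.Name) is $($_.Status)") }

# 3. Most recent 4947 (service start) in the window
$lastStart = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4947; StartTime=$since} -MaxEvents 1 -ErrorAction SilentlyContinue
if (-not $lastStart) { $findings.Add("No Event ID 4947 logged in the last 24 hours") }

# 4. IPsec failure events (5049-5052, per the FAQ) logged since that start
$failSince = if ($lastStart) { $lastStart.TimeCreated } else { $since }
$failures  = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=@(5049,5050,5051,5052); StartTime=$failSince} -ErrorAction SilentlyContinue)
if ($failures.Count -gt 0) {
    $findings.Add("$($failures.Count) IPsec failure events (5049-5052) since the last Policy Agent start")
}

# 5. Group Policy-assigned IPsec policy; shown for manual review, as the FAQ advises
$assigned = netsh ipsec static show gpoassignedpolicy 2>&1

# Report
if ($findings.Count -eq 0) {
    Write-Host "PolicyAgent health: OK (last start $($lastStart.TimeCreated))"
} else {
    Write-Warning "PolicyAgent health: $($findings.Count) finding(s)"
    $findings | ForEach-Object { Write-Warning "  - $_" }
}
Write-Host "`nGroup Policy-assigned IPsec policy:"
$assigned
```

Any finding in the warning list maps back to a step in this article: service state to step 02, failure events to step 05, and the policy output to step 03.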

Written by Emanuel DE ALMEIDA, Senior IT Journalist & Cloud Architect

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.
