We have a machine that had Endpoint Encryption removed (boot protection set to Remove & reboot) back in January 2010. The last event in the audit shows a login and check for configuration updates on 1/5/2010. Is there a way to find out the user who initiated decryption?
Nope. These are the last two lines of the machine audit:
01/05/2010 10:04:01 AM,0x04000001,"[username]" (ID=00001107\Type=00000001),Logon successful
01/05/2010 10:16:24 AM,0x01000014,N/A,Check for configuration updates
I was hoping it recorded the user that removed the encryption.
The client files were version 5.1.7.
You need to look for an "update object" event (0x01000089) for the machine in question. No need to dump all the audit for users, just that one event.
Then you can look for the machine id and see who made the change.
Sure you can narrow it down that way, but sometimes it is useful to know also other event types for this machine.
Dumping audit log for group(s) of administrators does not take long, so I do not see benefit of filtering events.
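The search the two replies above describe (dump each administrator's audit, keep the 0x01000089 "update object" events, then match the machine ID), written out as an added Python example that is not from this thread or from the product. The sample audit dumps, the machine ID 00003050, the Type values and the wording of the update-object line are constructed assumptions in the same four-field layout as the machine audit quoted above.

```python
import re
from datetime import datetime
# Event code the reply above names for "update object" in the administrator audit.
UPDATE_OBJECT = 0x01000089
# Timestamp of the last entry in the machine's own audit, as quoted in the thread.
LAST_MACHINE_EVENT = datetime(2010, 1, 5, 10, 16, 24)
# Subject fields carry an (ID=...\Type=...) tag; capture the object ID.
ID_TAG = re.compile(r"ID=([0-9A-Fa-f]+)\\Type=([0-9A-Fa-f]+)")
# Constructed sample audit dumps for two administrators, in the same four-field
# layout as the quoted machine audit (timestamp, event code, subject, description).
# Machine ID 00003050, the Type values and the update-object wording are assumptions.
ADMIN_AUDITS = {
    "admin_alice": r"""
01/05/2010 09:58:12 AM,0x04000001,"admin_alice" (ID=00000042\Type=00000001),Logon successful
01/05/2010 10:20:05 AM,0x01000089,"LAPTOP-17" (ID=00003050\Type=00000002),Update object
""",
    "admin_bob": r"""
01/04/2010 03:11:09 PM,0x01000089,"LAPTOP-17" (ID=00003050\Type=00000002),Update object
01/05/2010 11:03:15 AM,0x01000089,"DESKTOP-03" (ID=00002231\Type=00000002),Update object
""",
}


def parse_audit(text):
    """Parse audit lines into dicts; only the description may contain commas."""
    events = []
    for line in text.splitlines():
        parts = line.split(",", 3)
        if len(parts) < 4:
            continue  # blank or truncated line
        ts, code, subject, desc = parts
        tag = ID_TAG.search(subject)
        events.append({
            "time": datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p"),
            "code": int(code, 16),
            "subject": subject,
            "object_id": tag.group(1) if tag else None,
            "desc": desc,
        })
    return events


def find_update_object_events(audits, machine_id, after=LAST_MACHINE_EVENT):
    """(admin, event) pairs that updated machine_id at or after `after`, oldest first."""
    hits = []
    for admin, text in audits.items():
        for ev in parse_audit(text):
            if (ev["code"] == UPDATE_OBJECT and ev["object_id"] == machine_id
                    and ev["time"] >= after):
                hits.append((admin, ev))
    return sorted(hits, key=lambda hit: hit[1]["time"])
```

With the default cutoff only admin_alice's 10:20:05 change to the machine remains, so she is the administrator to ask; drop the time filter to see every update to the object, as the last reply suggests.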