By default, Windows does not log private key exports even when performed by an administrator. That’s a design limitation — exporting a private key from the Windows certificate store doesn’t generate a specific Windows Event Log, unless additional auditing or security tools are enabled.
To mitigate potential risks, consider the following options:
- Enable role separation in ADCS between users who manage the CA and those who request/issue certificates.
- Minimize the number of users who are local administrators on the CA server. Use Just Enough Administration (JEA) or Privileged Access Workstations (PAWs).
- Apply additional auditing and logging:
  - Enable Audit Object Access in Group Policy.
  - Enable "Audit Certification Services" logs.
- Monitor with EDR/XDR tools. Modern Endpoint Detection and Response (EDR) tools (e.g., Microsoft Defender for Endpoint) can detect unusual behaviors:
  - Access to the MachineKeys directory
  - Use of certutil or other certificate tools
  - Suspicious command-line activity like `certutil -exportPFX`
If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.
hth
Marcin
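To show what the monitoring the answer recommends looks like once Audit Object Access and process command-line logging are enabled, here is an added triage example (not part of Marcin's answer or any Microsoft tool). It runs over constructed, pre-parsed Security-log events (4688 process creation, 4663 object access) and ranks the indicators the answer lists: `certutil -exportPFX`, other certutil use, and reads under the MachineKeys directory.

```python
"""Flag private-key-export indicators in Windows Security events.
Assumes (hypothetical) events already parsed into dicts with 4688/4663 fields,
e.g. exported from a SIEM or Get-WinEvent; the samples below are constructed."""
import re

# Constructed sample events, not real telemetry. Command-line auditing must be
# enabled for 4688 to carry CommandLine at all.
SAMPLE_EVENTS = [
    {"EventID": 4688, "SubjectUserName": "svc-backup",
     "NewProcessName": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r'certutil -p "****" -exportPFX My 1a2b3c C:\temp\ca.pfx'},
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -verify cert.cer"},
    {"EventID": 4663, "SubjectUserName": "jdoe",
     "ObjectName": r"C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\abc123"},
    {"EventID": 4688, "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c whoami"},
]

# Match -exportPFX or /exportPFX as a switch, any letter case.
EXPORT_SWITCH = re.compile(r"(?:^|\s)[-/]exportpfx\b", re.IGNORECASE)
# Machine key container used by the LocalMachine certificate store.
MACHINEKEYS = re.compile(r"\\Crypto\\RSA\\MachineKeys\\", re.IGNORECASE)
SEVERITY = {"export": "high", "machinekeys": "medium", "certutil": "low"}


def classify(event):
    """Return (kind, message) for a suspicious event, or None if benign."""
    user = event.get("SubjectUserName", "?")
    if event.get("EventID") == 4688:
        exe = event.get("NewProcessName", "").lower()
        if exe.endswith("certutil.exe"):
            if EXPORT_SWITCH.search(event.get("CommandLine", "")):
                return ("export", f"certutil private key export by {user}")
            return ("certutil", f"certutil invoked by {user} (review)")
    elif event.get("EventID") == 4663:
        if MACHINEKEYS.search(event.get("ObjectName", "")):
            return ("machinekeys", f"MachineKeys object access by {user}")
    return None


def triage(events):
    """Classify every event; return (severity, message) pairs, highest first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    findings = [(SEVERITY[k], m) for ev in events
                for hit in [classify(ev)] if hit for k, m in [hit]]
    return sorted(findings, key=lambda f: rank[f[0]])
```

Feed it real events and alert on every "high" finding; "medium" and "low" are worth correlating with the CA server's expected administrative activity rather than alerting on blindly.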