Windows Server – Can We Audit Credential Manager Add, Modify, and Delete Operations?

Laxman singh 1 Reputation point
2026-02-17T16:10:03.1533333+00:00

Hello Team,

We would like to confirm whether Windows Server provides native audit logging for Windows Credential Manager operations.

Specifically, we are looking to understand:

  1. Can Windows log when a credential is added in Credential Manager?
  2. Can Windows log when a credential is modified?
  3. Can Windows log when a credential is deleted?

During our investigation, we observed Security Event IDs:

5376 (Credential Manager credentials were backed up)

5377 (Credential Manager credentials were restored)

However, we were unable to find any event logs related to credential add, modify, or delete operations.

Our questions:

Is this behavior by design?

Does Windows Server natively support auditing these Credential Manager operations?

If not, what is the recommended or supported method to monitor or audit Credential Manager changes in a production environment?

Environment:

Windows Server 2019 / 2022

Domain joined

Advanced audit policies enabled

We require official clarification for audit and compliance documentation purposes.

Thank you

Windows for business | Windows Server | Devices and deployment | Other

2 answers

  1. Harry Phan 16,010 Reputation points Independent Advisor
    2026-02-23T17:38:10.66+00:00

    Yes, this behavior is by design. Windows Server does not generate native Security Event Log entries for credential add, modify, or delete operations in Credential Manager, even with Advanced Audit Policy enabled. The only credential-related events exposed are 5376 and 5377, which correspond to backup and restore operations.


  2. Q&A Assist
    2026-02-17T16:10:13.54+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist.

    Windows Server does not natively support auditing for add, modify, or delete operations specifically related to Windows Credential Manager. The Security Event IDs you mentioned (5376 and 5377) are related to the backup and restoration of Credential Manager credentials but do not cover the operations of adding, modifying, or deleting credentials.

    This behavior appears to be by design, as there are no built-in audit logs for these specific actions. To monitor or audit changes to Credential Manager in a production environment, you may need to consider alternative methods, such as using third-party auditing tools or implementing custom logging solutions that can track these operations at the application level.

    For compliance and audit documentation purposes, it is advisable to document this limitation and the recommended alternative methods for monitoring Credential Manager changes.


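Added example (not part of the thread or either answer): a PowerShell query for the two Credential Manager events the thread does identify, 5376 and 5377, returning one object per event with all of its EventData fields. The function name and the 30-day look-back are assumptions; consistent with the answers above, it reports nothing for add, modify, or delete operations.

```powershell
# Added example, not from the thread. Run in an elevated session:
# reading the Security log requires administrative rights.
$operation = @{ 5376 = 'Backup'; 5377 = 'Restore' }   # event IDs as given in the thread

function Get-CredManBackupRestoreEvent {   # hypothetical helper name
    param(
        [datetime]$After = (Get-Date).AddDays(-30)   # assumed look-back window
    )
    $filter = @{ LogName = 'Security'; Id = 5376, 5377; StartTime = $After }
    try {
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent raises an error when nothing matches; treat that as "no events".
        if ($_.FullyQualifiedErrorId -like 'NoMatchingEventsFound*') { return }
        throw
    }
    foreach ($e in $events) {
        $row = [ordered]@{
            TimeCreated = $e.TimeCreated
            Computer    = $e.MachineName
            EventId     = $e.Id
            Operation   = $operation[$e.Id]
        }
        # Copy every named EventData field rather than hard-coding field names.
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $row[$d.Name] = $d.'#text' }
        }
        [pscustomobject]$row
    }
}

Get-CredManBackupRestoreEvent | Format-List
```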
