Windows 11, version 25H2 security baseline
Until this change, Microsoft had not set a recommendation for this audit setting, which allowed customers to enable it on an ad hoc basis when needed and when there is a plan to make use of that additional information. The concern had been exactly as Rick describes, that passwords are incorporated into command lines far too often. AFAIK, Windows includes no built-in feature to encrypt event logs as they are being written. The threat is mitigated somewhat by the restrictive default permissions on the Security event log.
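A quick way to measure the exposure described above on a host where command-line auditing is already on, as an added example that is not part of the thread: scan recent Process Creation (4688) events for command lines that look like they carry a credential. The switch patterns are constructed heuristics (not a complete list, and `-p` will also match non-password uses on some tools); the function name and parameters are the example's own.

```powershell
# Added example: find 4688 events whose command line looks like it carries a secret.
# Needs an elevated session (Security log read) and the "Include command line in
# process creation events" policy enabled; otherwise the CommandLine field is empty.

# Constructed heuristic patterns for common secret-bearing switches; extend to taste.
$secretPatterns = @(
    '(?i)(?:^|\s)(?:-p|/p|--password|/password|-pass)[:=\s]+\S+',   # net use / psexec / sqlcmd style
    '(?i)\b(?:pwd|passwd|password|secret|token)=\S+',               # key=value forms
    '(?i)ConvertTo-SecureString\s+\S+\s+-AsPlainText'               # inline PowerShell secrets
)

function Get-SuspectCommandLineEvents {
    param(
        [int]$Hours = 24,
        [int]$MaxEvents = 5000
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read named EventData fields from the XML instead of relying on positional indexes
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $cmd = $data['CommandLine']
            if (-not $cmd) { return }
            foreach ($p in $secretPatterns) {
                if ($cmd -match $p) {
                    [pscustomobject]@{
                        Time    = $_.TimeCreated
                        User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                        Process = $data['NewProcessName']
                        # Redact the match so the finding itself does not re-expose the secret
                        Command = $cmd -replace $p, ' <redacted>'
                    }
                    break
                }
            }
        }
}

Get-SuspectCommandLineEvents -Hours 168 | Format-Table -AutoSize
```

Run it for a week of events before deciding whether the baseline change is acceptable for a given fleet: the hit list tells you which tools and scripts need to be fixed to stop passing secrets on the command line, which is the durable mitigation regardless of how the log itself is protected.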
The following ADMX policy will let you encrypt event logs; however, it will pretty much make it impossible for non-authorized users who do not have access to the private key to decrypt logs.
Largely, this created too much burden, and most will have the same private key being used on each device; otherwise the private/public key management turns into a nightmare.
https://learn.microsoft.com/en-us/windows/client-management/mdm/policy-csp-admx-eventlogging#enableprotectedeventlogging
- If you enable this policy setting, components that support it will use the certificate you supply to encrypt potentially sensitive event log data before writing it to the event log. Data will be encrypted using the Cryptographic Message Syntax (CMS) standard and the public key you provide. You can use the Unprotect-CmsMessage PowerShell cmdlet to decrypt these encrypted messages, provided that you have access to the private key corresponding to the public key that they were encrypted with.
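The round trip that the policy text above describes, shown end to end as an added example on a test machine (this is not code from the thread or from Microsoft's documentation). It assumes an elevated session. The `Enable-PelForTest` function and its registry path are the example's own: the path and value names are the ones commonly documented for Protected Event Logging and should match what the ADMX setting writes, but verify them with a policy export on your build. The certificate here is self-signed for the demo only; in production the private key should come from your PKI and never live on the monitored endpoints, which is exactly the key-management problem raised above.

```powershell
# Added example: Protected Event Logging (PEL) configure / encrypt / decrypt round trip.

# 1. A document-encryption certificate. Self-signed for the demo only; production keys
#    come from your PKI with the private key kept OFF the hosts that write the logs.
$cert = New-SelfSignedCertificate -Subject 'CN=PEL Demo' -Type DocumentEncryptionCert `
            -CertStoreLocation Cert:\LocalMachine\My

# 2. Export the PUBLIC part only; that is all an endpoint needs in order to encrypt.
$pubPath = Join-Path $env:TEMP 'pel-public.cer'
Export-Certificate -Cert $cert -FilePath $pubPath | Out-Null

# 3. Turn the policy on by writing the values the ADMX setting sets (assumed path/names;
#    confirm against a policy export on your build).
function Enable-PelForTest {
    param([Parameter(Mandatory)][string]$CertificatePath)
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\EventLog\ProtectedEventLogging'
    if (-not (Test-Path $base)) { New-Item $base -Force | Out-Null }
    Set-ItemProperty $base -Name EnableProtectedEventLogging -Value 1 -Type DWord
    Set-ItemProperty $base -Name EncryptionCertificate -Value $CertificatePath -Type String
}
Enable-PelForTest -CertificatePath $pubPath

# 4. What a participating component does internally: CMS-encrypt with the public key.
#    The command line is a constructed sample of the kind of data at stake.
$plain  = 'net use \\srv\share /user:corp\svc P@ssw0rd-constructed'
$cipher = Protect-CmsMessage -Content $plain -To $pubPath
$cipher   # -----BEGIN CMS----- ... -----END CMS-----

# 5. What the log reviewer does, and only where the private key is available.
$recovered = Unprotect-CmsMessage -Content $cipher
if ($recovered -ne $plain) { throw 'CMS round trip failed' }

# Get-CmsMessage reads the envelope without decrypting: handy for checking which
# key a captured log entry was encrypted to before hunting for the matching private key.
Get-CmsMessage -Content $cipher | Select-Object -ExpandProperty Recipients
```

Two things worth checking after enabling the policy: that the EncryptionCertificate value really points at a certificate with the document-encryption EKU (Protect-CmsMessage refuses anything else, which is a good first test), and that the private key is absent from the endpoints, since an encrypted log whose key sits on the same machine adds no protection against a local reader.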
- AaronMargosis_Tanium, Oct 27, 2025 (Iron Contributor)
Amarjeet5 - thanks for that pointer. I had missed the introduction of that feature in Windows. It's unfortunate that there's so little documentation from Microsoft about it: I see none beyond how to configure it using that CSP you linked or via PowerShell cmdlets. "Protected Event Logging lets participating applications encrypt sensitive data written to the event log." What are "participating applications?" What parts of Windows participate?