detection.wiki
Blog

Microsoft-Windows-AAD

204 events across 2 channels

Event IDTitleChannel
1001AadCloudAPPlugin Initialize StartAnalytic
1002AadCloudAPPlugin Initialize Stop.Analytic
1003AadCloudAPPlugin Uninitialize StartAnalytic
1004AadCloudAPPlugin ValidateUserInfo StartAnalytic
1005AadCloudAPPlugin ValidateUserInfo Stop.Analytic
1006AadCloudAPPlugin GetToken StartAnalytic
1007AadCloudAPPlugin GetToken Stop.Analytic
1008AadCloudAPPlugin GetKeys StartAnalytic
1009AadCloudAPPlugin GetKeys Stop.Analytic
1010AadCloudAPPlugin GetUnlockKey StartAnalytic
1011AadCloudAPPlugin GetUnlockKey Stop.Analytic
1012AadCloudAPPlugin PersistSSOTokens StartAnalytic
1013AadCloudAPPlugin PersistSSOTokens Stop.Analytic
1015AadCloudAPPlugin Realm discovery response.Analytic
1016AadCloudAPPlugin device is cloud domain joinedAnalytic
1017AadCloudAPPlugin device is domain joinedAnalytic
1018AadCloudAPPlugin GetToken Correlation ID.Analytic
1019AadCloudAPPlugin GetKeys Correlation ID.Analytic
1020AadCloudAPPlugin loaded as surrogateAnalytic
1021AadCloudAPPlugin MEX request status.Analytic
1022Endpoint Uri.Analytic
1023NGC UserID Key.Analytic
1024Http request status.Operational
1025Http request status.Operational
1026Credential type: %1 Correlation ID: %2.Analytic
1027AadCloudAPPlugin managed logon flow for federated NGC user.Analytic
1028AadCloudAPPlugin RefreshToken StartAnalytic
1029AadCloudAPPlugin RefreshToken Stop.Analytic
1030AadCloudAPPlugin RefreshToken Correlation ID.Analytic
1031AadCloudAPPlugin encrypted OAuth response receivedAnalytic
1032Number of groups received.Analytic
1033Validation needed.Analytic
1034AadCloudAPPlugin GenericCallPkg StartAnalytic
1035AadCloudAPPlugin GenericCallPkg Stop.Analytic
1081OAuth response error: %1 Error description: %2 CorrelationID: %3.Operational
1082Key error: %1 Error description: %2 CorrelationID: %3.Operational
1083Protected key error: %1 Error description: %2 CorrelationID: %3.Operational
1084Http transport error.Operational
1085Logon failure.Operational
1086Get user realm failure.Operational
1087Get credential keys failure.Operational
1088WSTrust response error: %1 Error description: %2.Operational
1089Device is not cloud domain joined.Operational
1090NGC nonce response error: %1 Error description: %2 CorrelationID: %3.Operational
1091NGC auth ticket is not defined.Operational
1092OAuth request retry.Operational
1093NGC call %1 returned error: %2.Operational
1094Refresh token failure.Operational
1095Refresh token user SIDs don't match.Operational
1096Refresh token is expired.Operational
1097Error: %1 %2 %3.Operational
1098Error: %1 %2 %3.Operational
1099Code: %1 %2 %3.Analytic
1100Error: %1 %2 %3.Operational
1101Error: %1 %2 %3.Operational
1102Code: %1 %2 %3.Analytic
1103Can't decrypt OAuth response.Operational
1104AAD Cloud AP plugin call %1 returned error: %2.Operational
1105Device registration API call %1 returned error: %2.Operational
1106Number of security groups received %1.Operational
1107Error: %1 %2 %3.Analytic
1108Error: %1 %2 %3.Analytic
1109Error: %1 %2 %3.Analytic
1110Error: %1 %2 %3.Analytic
1111Error: %1 %2 %3.Operational
1112Error: %1 %2 %3.Operational
1113Code: %1 %2 %3.Analytic
1114Error: %1 %2 %3.Analytic
1115Error: %1 %2 %3.Analytic
1116Get Enterprise STS OAuth Info failure.Operational
1117Enterprise STS Refresh token failure.Operational
1118Enterprise STS Logon failure.Operational
1119Enterprise STS OAuth Info response.Analytic
1120Enterprise STS Refresh token is expired.Operational
1121Enterprise STS RefreshToken Correlation ID.Analytic
1122Refresh token subject don't match.Operational
1123AadCloudAPPlugin smart card logon for non-federated user.Operational
1124Device is DRS joined but Enterprise STS is disabled.Operational
1125AadCloudAPPlugin loaded as surrogate, no key recoveryAnalytic
1126AadCloudAPPlugin device is Enterprise joinedAnalytic
1127AadCloudAPPlugin device P2P certificate update thread startedAnalytic
1128AadCloudAPPlugin device P2P certificate update thread stoppedAnalytic
1129AadCloudAPPlugin Uninitialize StopAnalytic
1130AadCloudAPPlugin DeviceP2PCertificateUpdate Correlation ID.Analytic
1131Update P2P device certificate failure.Operational
1132AadCloudAPPlugin GetCertificateFromCred Correlation ID.Analytic
1133Update P2P user certificate failure.Operational
1134AAD Cloud AP plugin call %1 returned error: %2.Analytic
1135AadCloudAPPlugin RenewCertificate Correlation ID.Analytic
1136AadCloudAPPlugin AcceptPeerCertificate StartAnalytic
1137AadCloudAPPlugin AcceptPeerCertificate Stop.Analytic
1138AadCloudAPPlugin RenewCertificate StartAnalytic
1139AadCloudAPPlugin RenewCertificate Stop.Analytic
1140AadCloudAPPlugin GetCertificateFromCred StartAnalytic
1141AadCloudAPPlugin GetCertificateFromCred Stop.Analytic
1142Get token user names don't match.Operational
1143Generic Call Package call type.Analytic
1144Realm discovery for: %2 authority: %3 fallback domain hint: %4 useUpn: %1.Analytic
1145AAD Cloud AP plugin token needs refresh reason.Analytic
1146Token is not refreshed.Analytic
1147AadCloudAPPlugin AssembleOpaqueData StartAnalytic
1148AadCloudAPPlugin AssembleOpaqueData Stop.Analytic
1149AadCloudAPPlugin DisassembleOpaqueData StartAnalytic
1150AadCloudAPPlugin DisassembleOpaqueData Stop.Analytic
1151AadCloudAPPlugin P2P device certificate update error.Operational
1152AadCloudAPPlugin device certificate key error.Operational
1153AadCloudAPPlugin device certificate not available for logon.Operational
1154Password expiration claims.Analytic
1155Logon with session key failure.Operational
1156Password expiration fields.Analytic
1157AadCloudAPPlugin PostLogonProcessing StartAnalytic
1158AadCloudAPPlugin PostLogonProcessing Stop.Analytic
1159AadCloudAPPlugin S2U logon failed.Operational
1160Logon failure.Operational
1161Logon failure.Operational
1162Logon failure.Operational
1163Logon failure.Operational
1164Logon failure.Operational
1165Logon failure.Operational
1200BrowserCore operation startedAnalytic
1201BrowserCore operation completed successfullyAnalytic
1202BrowserCore operation completed with a failure.Operational
1203BrowserCore inner operation %2 completed with error: %1.Operational
1204AadCloudAPPlugin LookupSIDFromIdentityName StartAnalytic
1205AadCloudAPPlugin LookupSIDFromIdentityName Stop.Analytic
1206AadCloudAPPlugin LookupIdentityFromSIDName StartAnalytic
1207AadCloudAPPlugin LookupIdentityFromSIDName Stop.Analytic
1208AadCloudAPPlugin LookupSIDFromIdentity Identity: %1 Correlation ID: %2.Analytic
1209AadCloudAPPlugin LookupIdentityFromSID SID: %1 Correlation ID: %2.Analytic
1210AadCloudAPPlugin password expired, password change URI.Operational
1211Writing RunRecovery registry value failed.Operational
1212Enterprise logon.Operational
1213WamExtension process token operation startedAnalytic
1214WamExtension process token operation completed successfullyAnalytic
1215WamExtension process token operation completed with error.Operational
1216WamExtension device authentication call status: %1 Correlation ID: %2.Analytic
1217Get device token.Analytic
1218StartFidoAuthenticationSession startAnalytic
1219StartFidoAuthenticationSession stop.Analytic
1220CloseFidoAuthenticationSession startAnalytic
1221CloseFidoAuthenticationSession stop.Analytic
1222GetClientData startAnalytic
1223GetClientData stop.Analytic
1224SignClientDataFido startAnalytic
1225SignClientDataFido stop.Analytic
1226ChangePin startAnalytic
1227ChangePin stop.Analytic
1228GetSerializedAuthBuffer startAnalytic
1229GetSerializedAuthBuffer stop.Analytic
1230AuthHelper call %1 returned error: %2.Operational
1231AadCloudAPPlugin Resource infomation.Analytic
1232AadCloudAPPlugin RBAC authorization code response.Analytic
1233AadCloudAPPlugin User access control role.Analytic
1234AadCloudAPPlugin using resource id from the Idtoken.Analytic
1235RBAC Status: %1 Correlation ID: %2.Analytic
1236Failed to create the resource idAnalytic
1237Device is configured for RBAC authorizationOperational
1238Not sending the client certificate as it is optional on the serverAnalytic
1239Doing RBAC logonAnalytic
1240Skipping Rbac Logon because AadCloudAPPlugin is loaded as surrogateAnalytic
1241On-prem tgt error.Operational
1242Added user to admins security groupAnalytic
1243Removed user from admins security groupAnalytic
1244Security groups were not loaded.Operational
1245Security groups were not updated.Operational
1246User sid: %1 Group sids: %2.Analytic
1247RunRecovery registry value successfully written.Operational
1248AuthHelper auth buff local nonceOperational
1249Cloud tgt error.Operational
1250DoGetToken Diagnostic Event: Result: %1 User Identity: %2 Credential Type: %3 …Operational
1251DoGetEnterpriseToken Diagnostic Event: Result: %1 User Identity: %2 Credential …Operational
1252DoRefreshToken Diagnostic Event: Result: %1 User Identity: %2 Credential Type: …Operational
1253DoRefreshEnterpriseToken Diagnostic Event: Result: %1 User Identity: %2 …Operational
1254Response content type.Analytic
1255AD TGT: %1 Cloud TGT: %2.Analytic
1256P2P certificate update error.Operational
1257Credbuffer correlation ID: %1 Correlation ID: %2.Analytic
1258CA cert hash (keyID): %1 Correlation ID: %2.Analytic
1259CA certificate update error.Operational
1260RetryGetClientData startAnalytic
1261RetryGetClientData stop.Analytic
1262Binding key tag check failed.Operational
1263BrowserCore inner operation %2 with account pairwiseID %1 not found error.Operational
1264Token binding key created.Analytic
1265WamExtension preprocess token operation started.Analytic
1266WamExtension preprocess token operation completed successfullyAnalytic
1267WamExtension preprocess token operation completed with error.Operational
1268WamExtension postprocess token operation started.Analytic
1269WamExtension postprocess token operation completed successfully.Analytic
1270WamExtension postprocess token operation completed with error.Operational
1271Token binding claim(s) included in the request.Analytic
1272Token binding key is not healthy and needs to be re-created.Analytic
1273Token binding claims need to be re-generated due to changes in attestation …Analytic
1274Token binding claims generated.Analytic
1275Token binding claims generated for UI request.Analytic
1276Token binding claims count.Analytic
1277KeyGuard availability detection failed.Operational
1278KeyGuard with attestation support is not detected.Operational
1279Token binding claims of type %1 could not be generated because AIK does not …Analytic
1280PRT session key needs to be rolled.Operational
1281Token binding key deleted.Analytic
1282SHR property in request is not allowed.Operational
1283Invalid registry value was ignored.Analytic
1284Token binding claims need to be re-generated as cached claims were generated for …Analytic

Event ID 1001 — AadCloudAPPlugin Initialize Start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin Initialize Start

Event ID 1002 — AadCloudAPPlugin Initialize Stop.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin Initialize Stop.
Status: %1

Fields

NameDescription
Status

Event ID 1003 — AadCloudAPPlugin Uninitialize Start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin Uninitialize Start

Event ID 1004 — AadCloudAPPlugin ValidateUserInfo Start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin ValidateUserInfo Start

Event ID 1005 — AadCloudAPPlugin ValidateUserInfo Stop.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin ValidateUserInfo Stop.
Status: %1

Fields

NameDescription
Status

Event ID 1006 — AadCloudAPPlugin GetToken Start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin GetToken Start

Event ID 1007 — AadCloudAPPlugin GetToken Stop.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin GetToken Stop.
Status: %1

Fields

NameDescription
Status

Event ID 1008 — AadCloudAPPlugin GetKeys Start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin GetKeys Start

Event ID 1009 — AadCloudAPPlugin GetKeys Stop.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin GetKeys Stop.
Status: %1

Fields

NameDescription
Status

Event ID 1010 — AadCloudAPPlugin GetUnlockKey Start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin GetUnlockKey Start

Event ID 1011 — AadCloudAPPlugin GetUnlockKey Stop.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin GetUnlockKey Stop.
Status: %1

Fields

NameDescription
Status

Event ID 1012 — AadCloudAPPlugin PersistSSOTokens Start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin PersistSSOTokens Start

Event ID 1013 — AadCloudAPPlugin PersistSSOTokens Stop.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin PersistSSOTokens Stop.
Status: %1

Fields

NameDescription
Status

Event ID 1015 — AadCloudAPPlugin Realm discovery response.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin Realm discovery response: %1.
Request status: %2

Fields

NameDescription
AadCloudAPPlugin_Realm_discovery_response
Request_status
Response
Status

Event ID 1016 — AadCloudAPPlugin device is cloud domain joined

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin device is cloud domain joined

Event ID 1017 — AadCloudAPPlugin device is domain joined

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin device is domain joined

Event ID 1018 — AadCloudAPPlugin GetToken Correlation ID.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin GetToken Correlation ID: %1

Fields

NameDescription
AadCloudAPPlugin_GetToken_Correlation_ID
value

Event ID 1019 — AadCloudAPPlugin GetKeys Correlation ID.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin GetKeys Correlation ID: %1

Fields

NameDescription
AadCloudAPPlugin_GetKeys_Correlation_ID
value

Event ID 1020 — AadCloudAPPlugin loaded as surrogate

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin loaded as surrogate

Event ID 1021 — AadCloudAPPlugin MEX request status.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin MEX request status: %1

Fields

NameDescription
AadCloudAPPlugin_MEX_request_status
Status

Event ID 1022 — Endpoint Uri.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Endpoint Uri: %1

Fields

NameDescription
Endpoint_Uri
value

Event ID 1023 — NGC UserID Key.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

NGC UserID Key: %1

Fields

NameDescription
NGC_UserID_Key
value

Event ID 1024 — Http request status.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Http request status: %1

Fields

NameDescription
Http_request_status
value

Event ID 1025 — Http request status.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Http request status: %1. Method: %2 Endpoint Uri: %3 Correlation ID: %4

Fields

NameDescription
Http_request_status
Method
Endpoint_Uri
Correlation_ID
value
EndpointUri
CorrelationID

Event ID 1026 — Credential type: %1 Correlation ID: %2.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Credential type: %1 Correlation ID: %2

Fields

NameDescription
Credential_type
Correlation_ID
value
CorrelationID

Event ID 1027 — AadCloudAPPlugin managed logon flow for federated NGC user.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin managed logon flow for federated NGC user.

Event ID 1028 — AadCloudAPPlugin RefreshToken Start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin RefreshToken Start

Event ID 1029 — AadCloudAPPlugin RefreshToken Stop.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin RefreshToken Stop.
Status: %1

Fields

NameDescription
Status

Event ID 1030 — AadCloudAPPlugin RefreshToken Correlation ID.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin RefreshToken Correlation ID: %1

Fields

NameDescription
AadCloudAPPlugin_RefreshToken_Correlation_ID
value

Event ID 1031 — AadCloudAPPlugin encrypted OAuth response received

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin encrypted OAuth response received

Event ID 1032 — Number of groups received.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Number of groups received: %1

Fields

NameDescription
value

Event ID 1033 — Validation needed.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Validation needed: %1

Fields

NameDescription
Validation_needed
value

Event ID 1034 — AadCloudAPPlugin GenericCallPkg Start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin GenericCallPkg Start

Event ID 1035 — AadCloudAPPlugin GenericCallPkg Stop.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin GenericCallPkg Stop.
Status: %1

Fields

NameDescription
Status

Event ID 1081 — OAuth response error: %1 Error description: %2 CorrelationID: %3.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

OAuth response error: %1
Error description: %2
CorrelationID: %3

Fields

NameDescription
OAuth_response_error
Error_description
CorrelationID
Error
ErrorDescription

Event ID 1082 — Key error: %1 Error description: %2 CorrelationID: %3.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Key error: %1
Error description: %2
CorrelationID: %3

Fields

NameDescription
Key_error
Error_description
CorrelationID
Error
ErrorDescription

Event ID 1083 — Protected key error: %1 Error description: %2 CorrelationID: %3.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Protected key error: %1
Error description: %2
CorrelationID: %3

Fields

NameDescription
Protected_key_error
Error_description
CorrelationID
Error
ErrorDescription

References

Event ID 1084 — Http transport error.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Http transport error. Status: %1 Correlation ID: %2

Fields

NameDescription
Http_transport_error_StatusHttp transport error. Status.
Correlation_ID
Result
Target

References

Event ID 1085 — Logon failure.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Logon failure. Status: %1 Correlation ID: %2

Fields

NameDescription
Logon_failure_StatusLogon failure. Status.
Correlation_ID
Status
CorrelationID

Event ID 1086 — Get user realm failure.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Get user realm failure. Status: %1 Correlation ID: %2

Fields

NameDescription
Get_user_realm_failure_StatusGet user realm failure. Status.
Correlation_ID
Status
CorrelationID

Event ID 1087 — Get credential keys failure.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Get credential keys failure. Status: %1 Correlation ID: %2

Fields

NameDescription
Get_credential_keys_failure_StatusGet credential keys failure. Status.
Correlation_ID
Status
CorrelationID

Event ID 1088 — WSTrust response error: %1 Error description: %2.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

WSTrust response error: %1
Error description: %2

Fields

NameDescription
WSTrust_response_error
Error_description
Error
ErrorDescription

Event ID 1089 — Device is not cloud domain joined.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Device is not cloud domain joined: %1

Fields

NameDescription
Status

Event ID 1090 — NGC nonce response error: %1 Error description: %2 CorrelationID: %3.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

NGC nonce response error: %1
Error description: %2
CorrelationID: %3

Fields

NameDescription
NGC_nonce_response_error
Error_description
CorrelationID
Error
ErrorDescription

Event ID 1091 — NGC auth ticket is not defined.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

NGC auth ticket is not defined. Error: %1

Fields

NameDescription
Result

Event ID 1092 — OAuth request retry.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

OAuth request retry. Correlation ID: %1 Retry: %2

Fields

NameDescription
OAuth_request_retry_Correlation_IDOAuth request retry. Correlation ID.
Retry
CorrelationID
RetryNumber

Event ID 1093 — NGC call %1 returned error: %2.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

NGC call %1 returned error: %2

Fields

NameDescription
API
Result

References

Event ID 1094 — Refresh token failure.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Refresh token failure. Status: %1 Correlation ID: %2

Fields

NameDescription
Refresh_token_failure_StatusRefresh token failure. Status.
Correlation_ID
Status
CorrelationID

Event ID 1095 — Refresh token user SIDs don't match.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Refresh token user SIDs don't match. Correlation ID: %1

Fields

NameDescription
value

Event ID 1096 — Refresh token is expired.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Refresh token is expired. Correlation ID: %1

Fields

NameDescription
value

Event ID 1097 — Error: %1 %2 %3.

Provider
Microsoft-Windows-AAD
Channel
Operational
Level
3
Samples
1

Message

Error: %1 %2
%3

Fields

NameDescription
Error
ErrorMessage
AdditionalInformation

Example Event

system:
  provider: Microsoft-Windows-AAD
  guid: 4DE9BC9C-B27A-43C9-8994-0915F1A5E24F
  event_source_name: ''
  event_id: 1097
  version: 0
  level: 3
  task: 103
  opcode: 0
  keywords: 4611686018427387952
  time_created: '2023-11-05T22:29:32.897824+00:00'
  event_record_id: 8
  correlation:
    ActivityID: 59A0D65F-1037-0002-97FA-A0593710DA01
  execution:
    process_id: 7788
    thread_id: 7496
  channel: Microsoft-Windows-AAD/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  Error: 2325807322
  ErrorMessage: Upgrade default pawn task complete.
  AdditionalInformation: 'Logged at UpdateDefaultPawn.cpp, line: 43, method: UpdateDefaultPawn::Apply.'
message: ''

References

Event ID 1098 — Error: %1 %2 %3.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Error: %1 %2
%3

Fields

NameDescription
Error
ErrorMessage
AdditionalInformation

Event ID 1099 — Code: %1 %2 %3.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Code: %1 %2
%3

Fields

NameDescription
Code
OperationCode
OperationMessage
AdditionalInformation

Event ID 1100 — Error: %1 %2 %3.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Error: %1 %2
%3

Fields

NameDescription
Error
ErrorMessage
AdditionalInformation

Event ID 1101 — Error: %1 %2 %3.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Error: %1 %2
%3

Fields

NameDescription
Error
ErrorMessage
AdditionalInformation

Event ID 1102 — Code: %1 %2 %3.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Code: %1 %2
%3

Fields

NameDescription
Code
OperationCode
OperationMessage
AdditionalInformation

Event ID 1103 — Can't decrypt OAuth response.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Can't decrypt OAuth response. Error: %1

Fields

NameDescription
Cant_decrypt_OAuth_response_ErrorCan't decrypt OAuth response. Error.
Result

Event ID 1104 — AAD Cloud AP plugin call %1 returned error: %2.

Provider
Microsoft-Windows-AAD
Channel
Operational
Level
2
Samples
1

Message

AAD Cloud AP plugin call %1 returned error: %2

Fields

NameDescription
API
Result1 returned error.

Example Event

system:
  provider: Microsoft-Windows-AAD
  guid: 4DE9BC9C-B27A-43C9-8994-0915F1A5E24F
  event_source_name: ''
  event_id: 1104
  version: 0
  level: 2
  task: 101
  opcode: 0
  keywords: 4611686018427387922
  time_created: '2022-04-07T16:53:02.149442+00:00'
  event_record_id: 10
  correlation:
    ActivityID: E0AAB88C-4A9F-0000-71B9-AAE09F4AD801
  execution:
    process_id: 664
    thread_id: 668
  channel: Microsoft-Windows-AAD/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  API: Plugin initialize
  Result: 3221521494
message: ''

References

Event ID 1105 — Device registration API call %1 returned error: %2.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Device registration API call %1 returned error: %2

Fields

NameDescription
API
Result

Event ID 1106 — Number of security groups received %1.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Number of security groups received %1. CorrelationID: %2

Fields

NameDescription
value
CorrelationID

Event ID 1107 — Error: %1 %2 %3.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Error: %1 %2
%3

Fields

NameDescription
Error
ErrorMessage
AdditionalInformation

Event ID 1108 — Error: %1 %2 %3.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Error: %1 %2
%3

Fields

NameDescription
Error
ErrorMessage
AdditionalInformation

Event ID 1109 — Error: %1 %2 %3.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Error: %1 %2
%3

Fields

NameDescription
Error
ErrorMessage
AdditionalInformation

Event ID 1110 — Error: %1 %2 %3.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Error: %1 %2
%3

Fields

NameDescription
Error
ErrorMessage
AdditionalInformation

Event ID 1111 — Error: %1 %2 %3.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Error: %1 %2
%3

Fields

NameDescription
Error
ErrorMessage
AdditionalInformation

Event ID 1112 — Error: %1 %2 %3.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Error: %1 %2
%3

Fields

NameDescription
Error
ErrorMessage
AdditionalInformation

Event ID 1113 — Code: %1 %2 %3.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Code: %1 %2
%3

Fields

NameDescription
Code
OperationCode
OperationMessage
AdditionalInformation

Event ID 1114 — Error: %1 %2 %3.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Error: %1 %2
%3

Fields

NameDescription
Error
ErrorMessage
AdditionalInformation

Event ID 1115 — Error: %1 %2 %3.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Error: %1 %2
%3

Fields

NameDescription
Error
ErrorMessage
AdditionalInformation

Event ID 1116 — Get Enterprise STS OAuth Info failure.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Get Enterprise STS OAuth Info failure. Status: %1 Correlation ID: %2

Fields

NameDescription
Status
CorrelationID

References

Event ID 1117 — Enterprise STS Refresh token failure.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Enterprise STS Refresh token failure. Status: %1 Correlation ID: %2

Fields

NameDescription
Status
CorrelationID

References

Event ID 1118 — Enterprise STS Logon failure.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Enterprise STS Logon failure. Status: %1 Correlation ID: %2

Fields

NameDescription
Enterprise_STS_Logon_failure_StatusEnterprise STS Logon failure. Status.
Correlation_ID
Status
CorrelationID

References

Event ID 1119 — Enterprise STS OAuth Info response.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Enterprise STS OAuth Info response: %1.
Request status: %2

Fields

NameDescription
Enterprise_STS_OAuth_Info_response
Request_status
Response
Status

References

Event ID 1120 — Enterprise STS Refresh token is expired.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Enterprise STS Refresh token is expired. Correlation ID: %1

Fields

NameDescription
value

Event ID 1121 — Enterprise STS RefreshToken Correlation ID.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Enterprise STS RefreshToken Correlation ID: %1

Fields

NameDescription
value

Event ID 1122 — Refresh token subject don't match.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Refresh token subject don't match. Correlation ID: %1

Fields

NameDescription
value

Event ID 1123 — AadCloudAPPlugin smart card logon for non-federated user.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

AadCloudAPPlugin smart card logon for non-federated user.

Event ID 1124 — Device is DRS joined but Enterprise STS is disabled.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Device is DRS joined but Enterprise STS is disabled: %1

Fields

NameDescription
Status

Event ID 1125 — AadCloudAPPlugin loaded as surrogate, no key recovery

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin loaded as surrogate, no key recovery

Event ID 1126 — AadCloudAPPlugin device is Enterprise joined

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin device is Enterprise joined

Event ID 1127 — AadCloudAPPlugin device P2P certificate update thread started

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin device P2P certificate update thread started

References

Event ID 1128 — AadCloudAPPlugin device P2P certificate update thread stopped

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin device P2P certificate update thread stopped

Event ID 1129 — AadCloudAPPlugin Uninitialize Stop

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin Uninitialize Stop

Fields

NameDescription
Status

Event ID 1130 — AadCloudAPPlugin DeviceP2PCertificateUpdate Correlation ID.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin DeviceP2PCertificateUpdate Correlation ID: %1

Fields

NameDescription
AadCloudAPPlugin_DeviceP2PCertificateUpdate_Correlation_ID
value

Event ID 1131 — Update P2P device certificate failure.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Update P2P device certificate failure. Status: %1 Correlation ID: %2

Fields

NameDescription
Status
CorrelationID

Event ID 1132 — AadCloudAPPlugin GetCertificateFromCred Correlation ID.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin GetCertificateFromCred Correlation ID: %1

Fields

NameDescription
AadCloudAPPlugin_GetCertificateFromCred_Correlation_ID
value

Event ID 1133 — Update P2P user certificate failure.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Update P2P user certificate failure. Status: %1 Correlation ID: %2

Fields

NameDescription
Status
CorrelationID

Event ID 1134 — AAD Cloud AP plugin call %1 returned error: %2.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AAD Cloud AP plugin call %1 returned error: %2

Fields

NameDescription
API
Result

Event ID 1135 — AadCloudAPPlugin RenewCertificate Correlation ID.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin RenewCertificate Correlation ID: %1

Fields

NameDescription
AadCloudAPPlugin_RenewCertificate_Correlation_ID
value

Event ID 1136 — AadCloudAPPlugin AcceptPeerCertificate Start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin AcceptPeerCertificate Start

Event ID 1137 — AadCloudAPPlugin AcceptPeerCertificate Stop.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin AcceptPeerCertificate Stop.
Status: %1

Fields

NameDescription
Status

Event ID 1138 — AadCloudAPPlugin RenewCertificate Start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin RenewCertificate Start

Event ID 1139 — AadCloudAPPlugin RenewCertificate Stop.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin RenewCertificate Stop.
Status: %1

Fields

NameDescription
Status

Event ID 1140 — AadCloudAPPlugin GetCertificateFromCred Start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin GetCertificateFromCred Start

Event ID 1141 — AadCloudAPPlugin GetCertificateFromCred Stop.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin GetCertificateFromCred Stop.
Status: %1

Fields

NameDescription
Status

Event ID 1142 — Get token user names don't match.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Get token user names don't match. Correlation ID: %1

Fields

NameDescription
value

Event ID 1143 — Generic Call Package call type.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Generic Call Package call type: %1. Correlation ID: %2

Fields

NameDescription
Generic_Call_Packate_call_type
Correlation_ID
value
CorrelationID

Event ID 1144 — Realm discovery for: %2 authority: %3 fallback domain hint: %4 useUpn: %1.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Realm discovery for: %2 authority: %3 fallback domain hint: %4 useUpn: %1

Fields

NameDescription
value
Method
EndpointUri
CorrelationID

Event ID 1145 — AAD Cloud AP plugin token needs refresh reason.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AAD Cloud AP plugin token needs refresh reason: %1

Fields

NameDescription
value

Event ID 1146 — Token is not refreshed.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Token is not refreshed. token time: %1 update time: %2

Fields

NameDescription
NoOfTargets
RequestType

Event ID 1147 — AadCloudAPPlugin AssembleOpaqueData Start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin AssembleOpaqueData Start

Event ID 1148 — AadCloudAPPlugin AssembleOpaqueData Stop.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin AssembleOpaqueData Stop.
Status: %1

Fields

NameDescription
Status

Event ID 1149 — AadCloudAPPlugin DisassembleOpaqueData Start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin DisassembleOpaqueData Start

References

Event ID 1150 — AadCloudAPPlugin DisassembleOpaqueData Stop.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin DisassembleOpaqueData Stop.
Status: %1

Fields

NameDescription
Status

Event ID 1151 — AadCloudAPPlugin P2P device certificate update error.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

AadCloudAPPlugin P2P device certificate update error: %1

Fields

NameDescription
Status

Event ID 1152 — AadCloudAPPlugin device certificate key error.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

AadCloudAPPlugin device certificate key error: %1

Fields

NameDescription
Result

Event ID 1153 — AadCloudAPPlugin device certificate not available for logon.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

AadCloudAPPlugin device certificate not available for logon: %1

Fields

NameDescription
value

Event ID 1154 — Password expiration claims.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Password expiration claims. Seconds: %1 URI: %2

Fields

NameDescription
Password_expiration_claims_SecondsPassword expiration claims. Seconds.
URI
seconds

Event ID 1155 — Logon with session key failure.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Logon with session key failure. Retrying with device auth. Status: %1 Correlation ID: %2

Fields

NameDescription
Status
CorrelationID

Event ID 1156 — Password expiration fields.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Password expiration fields. Status: %1 Date: %2 URI: %3

Fields

NameDescription
Password_expiration_fields_StatusPassword expiration fields. Status.
Date
URI
Status
ExpiryTime
PasswordChangeURI

Event ID 1157 — AadCloudAPPlugin PostLogonProcessing Start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin PostLogonProcessing Start

Event ID 1158 — AadCloudAPPlugin PostLogonProcessing Stop.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin PostLogonProcessing Stop.
Status: %1

Fields

NameDescription
Status

Event ID 1159 — AadCloudAPPlugin S2U logon failed.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

AadCloudAPPlugin S4U logon failed. Status: %1

Fields

NameDescription
AadCloudAPPlugin_S2U_logon_failed_StatusAadCloudAPPlugin S2U logon failed. Status.
Status

Event ID 1160 — Logon failure.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Logon failure. Status: %1 Correlation ID: %2

Fields

NameDescription
Logon_failure_StatusLogon failure. Status.
Correlation_ID
Status
CorrelationID

Event ID 1161 — Logon failure.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Logon failure. Status: %1 Correlation ID: %2

Fields

NameDescription
Logon_failure_StatusLogon failure. Status.
Correlation_ID
Status
CorrelationID

Event ID 1162 — Logon failure.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Logon failure. Status: %1 Correlation ID: %2

Fields

NameDescription
Logon_failure_StatusLogon failure. Status.
Correlation_ID
Status
CorrelationID

Event ID 1163 — Logon failure.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Logon failure. Status: %1 Correlation ID: %2

Fields

NameDescription
Logon_failure_StatusLogon failure. Status.
Correlation_ID
Status
CorrelationID

Event ID 1164 — Logon failure.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Logon failure. Status: %1 Correlation ID: %2

Fields

NameDescription
Logon_failure_StatusLogon failure. Status.
Correlation_ID
Status
CorrelationID

Event ID 1165 — Logon failure.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Logon failure. Status: %1 Correlation ID: %2

Fields

NameDescription
Logon_failure_StatusLogon failure. Status.
Correlation_ID
Status
CorrelationID

Event ID 1200 — BrowserCore operation started

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

BrowserCore operation started

Event ID 1201 — BrowserCore operation completed successfully

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

BrowserCore operation completed successfully.
Method: %1
CorrelationID: %2

Fields

NameDescription
Method
CorrelationID

Event ID 1202 — BrowserCore operation completed with a failure.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

BrowserCore operation completed with a failure.
Error: %1
Error Message: %2
Method: %3
CorrelationID: %4

Fields

NameDescription
Error
Error_Message
Result
ErrorMessage
Method
CorrelationID

Event ID 1203 — BrowserCore inner operation %2 completed with error: %1.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

BrowserCore inner operation %2 completed with error: %1

Fields

NameDescription
Result
FunctionName

Event ID 1204 — AadCloudAPPlugin LookupSIDFromIdentityName Start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin LookupSIDFromIdentityName Start

Event ID 1205 — AadCloudAPPlugin LookupSIDFromIdentityName Stop.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin LookupSIDFromIdentityName Stop.
Status: %1

Fields

NameDescription
Status

Event ID 1206 — AadCloudAPPlugin LookupIdentityFromSIDName Start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin LookupIdentityFromSIDName Start

Event ID 1207 — AadCloudAPPlugin LookupIdentityFromSIDName Stop.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin LookupIdentityFromSIDName Stop.
Status: %1

Fields

NameDescription
Status

Event ID 1208 — AadCloudAPPlugin LookupSIDFromIdentity Identity: %1 Correlation ID: %2.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin LookupSIDFromIdentity Identity: %1 Correlation ID: %2

Fields

NameDescription
AadCloudAPPlugin_LookupSIDFromIdentity_Identity
Correlation_ID
value1
value2

Event ID 1209 — AadCloudAPPlugin LookupIdentityFromSID SID: %1 Correlation ID: %2.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin LookupIdentityFromSID SID: %1 Correlation ID: %2

Fields

NameDescription
AadCloudAPPlugin_LookupIdentityFromSID_SID
Correlation_ID
value1
value2

Event ID 1210 — AadCloudAPPlugin password expired, password change URI.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

AadCloudAPPlugin password expired, password change URI: %1

Fields

NameDescription
value

Event ID 1211 — Writing RunRecovery registry value failed.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Writing RunRecovery registry value failed.
Status: %1

Fields

NameDescription
Status

Event ID 1212 — Enterprise logon.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Enterprise logon. Password is expired.
Status: %1 Correlation ID: %2

Fields

NameDescription
Status
Correlation_ID
CorrelationID

Event ID 1213 — WamExtension process token operation started

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

WamExtension process token operation started.

Event ID 1214 — WamExtension process token operation completed successfully

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

WamExtension process token operation completed successfully

Event ID 1215 — WamExtension process token operation completed with error.

Provider
Microsoft-Windows-AAD
Channel
Operational
Level
2
Samples
1

Message

WamExtension process token operation completed with error: %1

Fields

NameDescription
DataWamExtension process token operation completed with error.

Example Event

system:
  provider: Microsoft-Windows-AAD
  guid: 4DE9BC9C-B27A-43C9-8994-0915F1A5E24F
  event_source_name: ''
  event_id: 1215
  version: 0
  level: 2
  task: 107
  opcode: 2
  keywords: 4611686018427387922
  time_created: '2022-04-07T16:44:49.386586+00:00'
  event_record_id: 2
  correlation: {}
  execution:
    process_id: 2080
    thread_id: 2748
  channel: Microsoft-Windows-AAD/Operational
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-18
event_data:
  Data:
    Name: Result
    Value: "\x04�\x04�"
message: ''

References

Event ID 1216 — WamExtension device authentication call status: %1 Correlation ID: %2.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

WamExtension device authentication call status: %1 Correlation ID: %2

Fields

NameDescription
Result
Target

Event ID 1217 — Get device token.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Get device token. Resource: %1 ClientID: %2 Scope: %3

Fields

NameDescription
Get_device_token_ResourceGet device token. Resource.
ClientID
Scope
value1
value2
value3

Event ID 1218 — StartFidoAuthenticationSession start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

StartFidoAuthenticationSession start

Event ID 1219 — StartFidoAuthenticationSession stop.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

StartFidoAuthenticationSession stop.
Status: %1

Fields

NameDescription
Status

Event ID 1220 — CloseFidoAuthenticationSession start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

CloseFidoAuthenticationSession start

Event ID 1221 — CloseFidoAuthenticationSession stop.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

CloseFidoAuthenticationSession stop.
Status: %1

Fields

NameDescription
Status

Event ID 1222 — GetClientData start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

GetClientData start

Event ID 1223 — GetClientData stop.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

GetClientData stop.
Status: %1

Fields

NameDescription
Status

Event ID 1224 — SignClientDataFido start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

SignClientDataFido start

Event ID 1225 — SignClientDataFido stop.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

SignClientDataFido stop.
Status: %1

Fields

NameDescription
Status

Event ID 1226 — ChangePin start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

ChangePin start

Event ID 1227 — ChangePin stop.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

ChangePin stop.
Status: %1

Fields

NameDescription
Status

Event ID 1228 — GetSerializedAuthBuffer start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

GetSerializedAuthBuffer start

Event ID 1229 — GetSerializedAuthBuffer stop.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

GetSerializedAuthBuffer stop.
Status: %1

Fields

NameDescription
Status

Event ID 1230 — AuthHelper call %1 returned error: %2.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

AuthHelper call %1 returned error: %2

Fields

NameDescription
API
Result

Event ID 1231 — AadCloudAPPlugin Resource infomation.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin Resource infomation: %1.
Request status: %2

Fields

NameDescription
AadCloudAPPlugin_Resource_infomation
Request_status
Response
Status

Event ID 1232 — AadCloudAPPlugin RBAC authorization code response.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin RBAC authorization code response: %1.
Request status: %2

Fields

NameDescription
Response
Status

Event ID 1233 — AadCloudAPPlugin User access control role.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin User access control role: %1

Fields

NameDescription
value

Event ID 1234 — AadCloudAPPlugin using resource id from the Idtoken.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AadCloudAPPlugin using resource id from the Idtoken: %1

Fields

NameDescription
value

Event ID 1235 — RBAC Status: %1 Correlation ID: %2.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

RBAC Status: %1 Correlation ID: %2

Fields

NameDescription
RBAC_Status
Correlation_ID
Status
CorrelationID

Event ID 1236 — Failed to create the resource id

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Failed to create the resource id

Event ID 1237 — Device is configured for RBAC authorization

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Device is configured for RBAC authorization

Event ID 1238 — Not sending the client certificate as it is optional on the server

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Not sending the client certificate as it is optional on the server

Event ID 1239 — Doing RBAC logon

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Doing RBAC logon of the device type: %1

Fields

NameDescription
value

Event ID 1240 — Skipping Rbac Logon because AadCloudAPPlugin is loaded as surrogate

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Skipping Rbac Logon because AadCloudAPPlugin is loaded as surrogate

Event ID 1241 — On-prem tgt error.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

On-prem tgt error: %1

Fields

NameDescription
Onprem_tgt_errorOn-prem tgt error.
value

Event ID 1242 — Added user to admins security group

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Added user to admins security group

Event ID 1243 — Removed user from admins security group

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Removed user from admins security group

Event ID 1244 — Security groups were not loaded.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Security groups were not loaded. Error: %1

Fields

NameDescription
Status

Event ID 1245 — Security groups were not updated.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Security groups were not updated. Error: %1

Fields

NameDescription
Status

Event ID 1246 — User sid: %1 Group sids: %2.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

User sid: %1
Group sids:
%2

Fields

NameDescription
User_sid
Group_sids
value1
value2

Event ID 1247 — RunRecovery registry value successfully written.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

RunRecovery registry value (%1) successfully written.
Context: %2
Reason: %3

Fields

NameDescription
Context
Reason
value
Result

Event ID 1248 — AuthHelper auth buff local nonce

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

AuthHelper auth buff local nonce

Event ID 1249 — Cloud tgt error.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Cloud tgt error: %1

Fields

NameDescription
Cloud_tgt_error
value

Event ID 1250 — DoGetToken Diagnostic Event: Result: %1 User Identity: %2 Credential Type: %3 Correlation ID: %4 Endpoint Uri: %5 HTTP Status: %6 HTTP Method: %7 E...

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

DoGetToken Diagnostic Event:
Result: %1
User Identity: %2
Credential Type: %3
Correlation ID: %4
Endpoint Uri: %5
HTTP Status: %6
HTTP Method: %7
ErrorCode: %8
Error Description: %9

Fields

NameDescription
Result[DoGetToken Diagnostic Event] Result.
User_Identity[DoGetToken Diagnostic Event] User Identity.
Credential_Type[DoGetToken Diagnostic Event] Credential Type.
Correlation_ID[DoGetToken Diagnostic Event] Correlation ID.
Endpoint_Uri[DoGetToken Diagnostic Event] Endpoint Uri.
HTTP_Status[DoGetToken Diagnostic Event] HTTP Status.
HTTP_Method[DoGetToken Diagnostic Event] HTTP Method.
ErrorCode[DoGetToken Diagnostic Event] ErrorCode.
Error_Description[DoGetToken Diagnostic Event] Error Description.
UserIdentity
CredentialType
CorrelationID
EndpointUri
Method
HTTPTransportError
HTTPStatus
ErrorDescription

Event ID 1251 — DoGetEnterpriseToken Diagnostic Event: Result: %1 User Identity: %2 Credential Type: %3 Correlation ID: %4 Endpoint Uri: %5 HTTP Status: %6 HTTP Me...

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

DoGetEnterpriseToken Diagnostic Event:
Result: %1
User Identity: %2
Credential Type: %3
Correlation ID: %4
Endpoint Uri: %5
HTTP Status: %6
HTTP Method: %7
ErrorCode: %8
Error Description: %9

Fields

NameDescription
Result[DoGetEnterpriseToken Diagnostic Event] Result.
User_Identity[DoGetEnterpriseToken Diagnostic Event] User Identity.
Credential_Type[DoGetEnterpriseToken Diagnostic Event] Credential Type.
Correlation_ID[DoGetEnterpriseToken Diagnostic Event] Correlation ID.
Endpoint_Uri[DoGetEnterpriseToken Diagnostic Event] Endpoint Uri.
HTTP_Status[DoGetEnterpriseToken Diagnostic Event] HTTP Status.
HTTP_Method[DoGetEnterpriseToken Diagnostic Event] HTTP Method.
ErrorCode[DoGetEnterpriseToken Diagnostic Event] ErrorCode.
Error_Description[DoGetEnterpriseToken Diagnostic Event] Error Description.
UserIdentity
CredentialType
CorrelationID
EndpointUri
Method
HTTPTransportError
HTTPStatus
ErrorDescription

Event ID 1252 — DoRefreshToken Diagnostic Event: Result: %1 User Identity: %2 Credential Type: %3 Correlation ID: %4 Endpoint Uri: %5 HTTP Status: %6 HTTP Method: ...

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

DoRefreshToken Diagnostic Event:
Result: %1
User Identity: %2
Credential Type: %3
Correlation ID: %4
Endpoint Uri: %5
HTTP Status: %6
HTTP Method: %7
ErrorCode: %8
Error Description: %9

Fields

NameDescription
Result[DoRefreshToken Diagnostic Event] Result.
User_Identity[DoRefreshToken Diagnostic Event] User Identity.
Credential_Type[DoRefreshToken Diagnostic Event] Credential Type.
Correlation_ID[DoRefreshToken Diagnostic Event] Correlation ID.
Endpoint_Uri[DoRefreshToken Diagnostic Event] Endpoint Uri.
HTTP_Status[DoRefreshToken Diagnostic Event] HTTP Status.
HTTP_Method[DoRefreshToken Diagnostic Event] HTTP Method.
ErrorCode[DoRefreshToken Diagnostic Event] ErrorCode.
Error_Description[DoRefreshToken Diagnostic Event] Error Description.
UserIdentity
CredentialType
NewToken
CorrelationID
EndpointUri
Method
HTTPTransportError
HTTPStatus
ErrorDescription

Event ID 1253 — DoRefreshEnterpriseToken Diagnostic Event: Result: %1 User Identity: %2 Credential Type: %3 Correlation ID: %4 Endpoint Uri: %5 HTTP Status: %6 HTT...

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

DoRefreshEnterpriseToken Diagnostic Event:
Result: %1
User Identity: %2
Credential Type: %3
Correlation ID: %4
Endpoint Uri: %5
HTTP Status: %6
HTTP Method: %7
ErrorCode: %8
Error Description: %9

Fields

NameDescription
Result[DoRefreshEnterpriseToken Diagnostic Event] Result.
User_Identity[DoRefreshEnterpriseToken Diagnostic Event] User Identity.
Credential_Type[DoRefreshEnterpriseToken Diagnostic Event] Credential Type.
Correlation_ID[DoRefreshEnterpriseToken Diagnostic Event] Correlation ID.
Endpoint_Uri[DoRefreshEnterpriseToken Diagnostic Event] Endpoint Uri.
HTTP_Status[DoRefreshEnterpriseToken Diagnostic Event] HTTP Status.
HTTP_Method[DoRefreshEnterpriseToken Diagnostic Event] HTTP Method.
ErrorCode[DoRefreshEnterpriseToken Diagnostic Event] ErrorCode.
Error_Description[DoRefreshEnterpriseToken Diagnostic Event] Error Description.
UserIdentity
CredentialType
NewToken
CorrelationID
EndpointUri
Method
HTTPTransportError
HTTPStatus
ErrorDescription

Event ID 1254 — Response content type.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Response content type: %1

Fields

NameDescription
Response_content_type
value

Event ID 1255 — AD TGT: %1 Cloud TGT: %2.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

AD TGT: %1 Cloud TGT: %2

Fields

NameDescription
AD_TGT
Cloud_TGT
NoOfTargets
RequestType

Event ID 1256 — P2P certificate update error.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

P2P certificate update error. Status: %1 Correlation ID: %2

Fields

NameDescription
P2P_certificate_update_error_StatusP2P certificate update error. Status.
Correlation_ID
Result
Target

Event ID 1257 — Credbuffer correlation ID: %1 Correlation ID: %2.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Credbuffer correlation ID: %1 Correlation ID: %2

Fields

NameDescription
Credbuffer_correlation_ID
Correlation_ID
value1
value2

Event ID 1258 — CA cert hash (keyID): %1 Correlation ID: %2.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

CA cert hash (keyID): %1 Correlation ID: %2

Fields

NameDescription
CA_cert_hash_keyIDCA cert hash (keyID).
Correlation_ID
value1
value2

Event ID 1259 — CA certificate update error.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

CA certificate update error. Status: %1 Correlation ID: %2

Fields

NameDescription
CA_certificate_update_error_StatusCA certificate update error. Status.
Correlation_ID
Result
Target

Event ID 1260 — RetryGetClientData start

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

RetryGetClientData start

Event ID 1261 — RetryGetClientData stop.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

RetryGetClientData stop.
Status: %1

Fields

NameDescription
Status

Event ID 1262 — Binding key tag check failed.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

Binding key tag check failed: %1

Fields

NameDescription
Binding_key_tag_check_failed
Status

Event ID 1263 — BrowserCore inner operation %2 with account pairwiseID %1 not found error.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

BrowserCore inner operation %2 with account pairwiseID %1 not found error

Fields

NameDescription
PairwiseID
FunctionName

Event ID 1264 — Token binding key created.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Token binding key created.
Key Type: %1
Client: %2
Resource: %3
Scope: %4

Fields

NameDescription
KeyType
ClientId
Resource
Scope

Event ID 1265 — WamExtension preprocess token operation started.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

WamExtension preprocess token operation started.

Event ID 1266 — WamExtension preprocess token operation completed successfully

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

WamExtension preprocess token operation completed successfully

Event ID 1267 — WamExtension preprocess token operation completed with error.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

WamExtension preprocess token operation completed with error: %1

Fields

NameDescription
Result

Event ID 1268 — WamExtension postprocess token operation started.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

WamExtension postprocess token operation started.
Stage: %1

Fields

NameDescription
Stage

Event ID 1269 — WamExtension postprocess token operation completed successfully.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

WamExtension postprocess token operation completed successfully.
Stage: %1

Fields

NameDescription
Stage

Event ID 1270 — WamExtension postprocess token operation completed with error.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

WamExtension postprocess token operation completed with error: %2.
Stage: %1

Fields

NameDescription
Stage
Result

Event ID 1271 — Token binding claim(s) included in the request.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Token binding claim(s) included in the request. Correlation ID: %1

Fields

NameDescription
CorrelationID

Event ID 1272 — Token binding key is not healthy and needs to be re-created.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Token binding key is not healthy and needs to be re-created.
Key Type: %1
Client: %2
Resource: %3
Scope: %4
Test result: %5

Fields

NameDescription
KeyType
ClientId
Resource
Scope
KeyTestResult

Event ID 1273 — Token binding claims need to be re-generated due to changes in attestation key(s).

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Token binding claims need to be re-generated due to changes in attestation key(s).
Key Type: %1
Client: %2
Resource: %3
Scope: %4

Fields

NameDescription
KeyType
ClientId
Resource
Scope

Event ID 1274 — Token binding claims generated.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Token binding claims generated.
Key Type: %1
Client: %2
Resource: %3
Scope: %4

Fields

NameDescription
KeyType
ClientId
Resource
Scope

Event ID 1275 — Token binding claims generated for UI request.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Token binding claims generated for UI request.
Key Type: %1
Client: %2
Resource: %3
Scope: %4

Fields

NameDescription
KeyType
ClientId
Resource
Scope

Event ID 1276 — Token binding claims count.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Token binding claims count: %1

Fields

NameDescription
ClaimsCount

Event ID 1277 — KeyGuard availability detection failed.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

KeyGuard availability detection failed. Error: %1

Fields

NameDescription
Result

Event ID 1278 — KeyGuard with attestation support is not detected.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

KeyGuard with attestation support is not detected.

Event ID 1279 — Token binding claims of type %1 could not be generated because AIK does not exist.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Token binding claims of type %1 could not be generated because AIK does not exist.
Join Type: %2
Tenant ID: %3

Fields

NameDescription
KeyType
JoinType
TenantId

Event ID 1280 — PRT session key needs to be rolled.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

PRT session key needs to be rolled.
Reason: %1

Fields

NameDescription
Reason
RollReason

Event ID 1281 — Token binding key deleted.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Token binding key deleted.
Key: %1

Fields

NameDescription
Key

Event ID 1282 — SHR property in request is not allowed.

Provider
Microsoft-Windows-AAD
Channel
Operational

Message

SHR property in request is not allowed. Property: %1

Fields

NameDescription
PropertyName

Event ID 1283 — Invalid registry value was ignored.

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Invalid registry value was ignored.
Location: %1
Value name: %2
Value: %3

Fields

NameDescription
RegistryLocation
RegistryValueName
Value

Event ID 1284 — Token binding claims need to be re-generated as cached claims were generated for different attestation key(s).

Provider
Microsoft-Windows-AAD
Channel
Analytic

Message

Token binding claims need to be re-generated as cached claims were generated for different attestation key(s).
Key Type: %1
Client: %2
Resource: %3
Scope: %4

Fields

NameDescription
KeyType
ClientId
Resource
Scope