Microsoft-Windows-AAD
204 events across 2 channels
Event ID 1001 — AadCloudAPPlugin Initialize Start
Description
AadCloudAPPlugin Initialize Start.
Message #
Event ID 1002 — AadCloudAPPlugin Initialize Stop.
Description
AadCloudAPPlugin Initialize Stop.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1003 — AadCloudAPPlugin Uninitialize Start
Description
AadCloudAPPlugin Uninitialize Start.
Message #
Event ID 1004 — AadCloudAPPlugin ValidateUserInfo Start
Description
AadCloudAPPlugin ValidateUserInfo Start.
Message #
Event ID 1005 — AadCloudAPPlugin ValidateUserInfo Stop.
Description
AadCloudAPPlugin ValidateUserInfo Stop.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1006 — AadCloudAPPlugin GetToken Start
Description
AadCloudAPPlugin GetToken Start.
Message #
Event ID 1007 — AadCloudAPPlugin GetToken Stop.
Description
AadCloudAPPlugin GetToken Stop.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1008 — AadCloudAPPlugin GetKeys Start
Description
AadCloudAPPlugin GetKeys Start.
Message #
Event ID 1009 — AadCloudAPPlugin GetKeys Stop.
Description
AadCloudAPPlugin GetKeys Stop.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1010 — AadCloudAPPlugin GetUnlockKey Start
Description
AadCloudAPPlugin GetUnlockKey Start.
Message #
Event ID 1011 — AadCloudAPPlugin GetUnlockKey Stop.
Description
AadCloudAPPlugin GetUnlockKey Stop.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1012 — AadCloudAPPlugin PersistSSOTokens Start
Description
AadCloudAPPlugin PersistSSOTokens Start.
Message #
Event ID 1013 — AadCloudAPPlugin PersistSSOTokens Stop.
Description
AadCloudAPPlugin PersistSSOTokens Stop.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1015 — AadCloudAPPlugin Realm discovery response: AadCloudAPPlugin_Realm_discovery_response.
Description
AadCloudAPPlugin Realm discovery response: AadCloudAPPlugin_Realm_discovery_response.
Message #
Fields #
| Name | Description |
|---|---|
AadCloudAPPlugin_Realm_discovery_response UnicodeString | — |
Request_status Int32 | — |
Response UnicodeString | — |
Status Int32 | — NTSTATUS reference |
Event ID 1016 — AadCloudAPPlugin device is cloud domain joined
Description
AadCloudAPPlugin device is cloud domain joined.
Message #
Event ID 1017 — AadCloudAPPlugin device is domain joined
Description
AadCloudAPPlugin device is domain joined.
Message #
Event ID 1018 — AadCloudAPPlugin GetToken Correlation ID: AadCloudAPPlugin_GetToken_Correlation_ID.
Event ID 1019 — AadCloudAPPlugin GetKeys Correlation ID: AadCloudAPPlugin_GetKeys_Correlation_ID.
Event ID 1020 — AadCloudAPPlugin loaded as surrogate
Description
AadCloudAPPlugin loaded as surrogate.
Message #
Event ID 1021 — AadCloudAPPlugin MEX request status: AadCloudAPPlugin_MEX_request_status.
Description
AadCloudAPPlugin MEX request status: AadCloudAPPlugin_MEX_request_status.
Message #
Fields #
| Name | Description |
|---|---|
AadCloudAPPlugin_MEX_request_status Int32 | — |
Status Int32 | — NTSTATUS reference |
Event ID 1022 — Endpoint Uri: Endpoint_Uri.
Event ID 1023 — NGC UserID Key: NGC_UserID_Key.
Event ID 1024 — Http request status: Http_request_status.
Event ID 1025 — Http request status: Http_request_status.
Description
Http request status: Http_request_status. Method: Method Endpoint Uri: Endpoint_Uri Correlation ID: Correlation_ID.
Message #
Fields #
| Name | Description |
|---|---|
Http_request_status Int32 | — |
Method UnicodeString | — |
Endpoint_Uri UnicodeString | — |
Correlation_ID UnicodeString | — |
value Int32 | — |
EndpointUri UnicodeString | — |
CorrelationID UnicodeString | — |
Event ID 1026 — Credential type: Credential_type Correlation ID: Correlation_ID.
Event ID 1027 — AadCloudAPPlugin managed logon flow for federated NGC user.
Description
AadCloudAPPlugin managed logon flow for federated NGC user.
Message #
Event ID 1028 — AadCloudAPPlugin RefreshToken Start
Description
AadCloudAPPlugin RefreshToken Start.
Message #
Event ID 1029 — AadCloudAPPlugin RefreshToken Stop.
Description
AadCloudAPPlugin RefreshToken Stop.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1030 — AadCloudAPPlugin RefreshToken Correlation ID: AadCloudAPPlugin_RefreshToken_Correlation_ID.
Event ID 1031 — AadCloudAPPlugin encrypted OAuth response received
Description
AadCloudAPPlugin encrypted OAuth response received.
Message #
Event ID 1032 — Number of groups received: value.
Event ID 1033 — Validation needed: Validation_needed.
Event ID 1034 — AadCloudAPPlugin GenericCallPkg Start
Description
AadCloudAPPlugin GenericCallPkg Start.
Message #
Event ID 1035 — AadCloudAPPlugin GenericCallPkg Stop.
Description
AadCloudAPPlugin GenericCallPkg Stop.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1081 — OAuth response error: OAuth_response_error.
Event ID 1082 — Key error: Key_error.
Event ID 1083 — Protected key error: Protected_key_error.
Event ID 1084 — Http transport error.
Event ID 1085 — Logon failure.
Description
Logon failure. Status: Logon_failure_Status Correlation ID: Correlation_ID.
Message #
Fields #
| Name | Description |
|---|---|
Logon_failure_Status HexInt32 | Logon failure. Status. |
Correlation_ID UnicodeString | — |
Status HexInt32 | — NTSTATUS reference |
CorrelationID UnicodeString | — |
Event ID 1086 — Get user realm failure.
Description
Get user realm failure. Status: Get_user_realm_failure_Status Correlation ID: Correlation_ID.
Message #
Fields #
| Name | Description |
|---|---|
Get_user_realm_failure_Status HexInt32 | Get user realm failure. Status. |
Correlation_ID UnicodeString | — |
Status HexInt32 | — NTSTATUS reference |
CorrelationID UnicodeString | — |
Event ID 1087 — Get credential keys failure.
Description
Get credential keys failure. Status: Get_credential_keys_failure_Status Correlation ID: Correlation_ID.
Message #
Fields #
| Name | Description |
|---|---|
Get_credential_keys_failure_Status HexInt32 | Get credential keys failure. Status. |
Correlation_ID UnicodeString | — |
Status HexInt32 | — NTSTATUS reference |
CorrelationID UnicodeString | — |
Event ID 1088 — WSTrust response error: WSTrust_response_error.
Event ID 1089 — Device is not cloud domain joined: Status.
Description
Device is not cloud domain joined: Status.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1090 — NGC nonce response error: NGC_nonce_response_error.
Event ID 1091 — NGC auth ticket is not defined.
Event ID 1092 — OAuth request retry.
Event ID 1093 — NGC call API returned error: Result.
Event ID 1094 — Refresh token failure.
Description
Refresh token failure. Status: Refresh_token_failure_Status Correlation ID: Correlation_ID.
Message #
Fields #
| Name | Description |
|---|---|
Refresh_token_failure_Status HexInt32 | Refresh token failure. Status. |
Correlation_ID UnicodeString | — |
Status HexInt32 | — NTSTATUS reference |
CorrelationID UnicodeString | — |
Event ID 1095 — Refresh token user SIDs don't match.
Event ID 1096 — Refresh token is expired.
Event ID 1097 — Error: Error ErrorMessage AdditionalInformation.
Message #
Fields #
| Name | Description |
|---|---|
Error UInt32 | — |
ErrorMessage UnicodeString | — |
AdditionalInformation UnicodeString | — |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-AAD",
    "guid": "4DE9BC9C-B27A-43C9-8994-0915F1A5E24F",
    "event_source_name": "",
    "event_id": 1097,
    "version": 0,
    "level": 3,
    "task": 103,
    "opcode": 0,
    "keywords": 4611686018427387952,
    "time_created": "2023-11-05T22:29:32.897824+00:00",
    "event_record_id": 8,
    "correlation": {
      "ActivityID": "59A0D65F-1037-0002-97FA-A0593710DA01"
    },
    "execution": {
      "process_id": 7788,
      "thread_id": 7496
    },
    "channel": "Microsoft-Windows-AAD/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "Error": 2325807322,
    "ErrorMessage": "Upgrade default pawn task complete.",
    "AdditionalInformation": "Logged at UpdateDefaultPawn.cpp, line: 43, method: UpdateDefaultPawn::Apply."
  },
  "message": ""
}
```
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1098 — Error: Error ErrorMessage AdditionalInformation.
Message #
Fields #
| Name | Description |
|---|---|
Error UInt32 | — |
ErrorMessage UnicodeString | — |
AdditionalInformation UnicodeString | — |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-AAD",
    "guid": "4DE9BC9C-B27A-43C9-8994-0915F1A5E24F",
    "event_source_name": "",
    "event_id": 1098,
    "version": 0,
    "level": 2,
    "task": 103,
    "opcode": 0,
    "keywords": 4611686018427387922,
    "time_created": "2026-03-14T21:11:21.909514+00:00",
    "event_record_id": 25,
    "correlation": {},
    "execution": {
      "process_id": 10584,
      "thread_id": 10312
    },
    "channel": "Microsoft-Windows-AAD/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "Error": 3399811278,
    "ErrorMessage": "User requested add account.",
    "AdditionalInformation": "UI flow is completed with error\r\nLogged at WebUITokenRequest.cpp, line: 180, method: WebUITokenRequest::FinalizeUIFlow.\r\n\r\nRequest: authority: https://login.microsoftonline.com/organizations, client: d3590ed6-52b3-4102-aeff-aad2292ab01c, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/d3590ed6-52b3-4102-aeff-aad2292ab01c, resource: , correlation ID (request): a315d45d-ad27-4338-a603-c6283cfa75d2"
  },
  "message": ""
}
```
Event ID 1099 — Code: Code OperationCode OperationMessage.
Event ID 1100 — Error: Error ErrorMessage AdditionalInformation.
Event ID 1101 — Error: Error ErrorMessage AdditionalInformation.
Event ID 1102 — Code: Code OperationCode OperationMessage.
Event ID 1103 — Can't decrypt OAuth response.
Event ID 1104 — AAD Cloud AP plugin call API returned error: Result.
Description
AAD Cloud AP plugin call API returned error: Result.
Message #
Fields #
| Name | Description |
|---|---|
API UnicodeString | — |
Result UInt32 | 1 returned error. |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-AAD",
    "guid": "4DE9BC9C-B27A-43C9-8994-0915F1A5E24F",
    "event_source_name": "",
    "event_id": 1104,
    "version": 0,
    "level": 2,
    "task": 101,
    "opcode": 0,
    "keywords": 4611686018427387922,
    "time_created": "2022-04-07T16:53:02.149442+00:00",
    "event_record_id": 10,
    "correlation": {
      "ActivityID": "E0AAB88C-4A9F-0000-71B9-AAE09F4AD801"
    },
    "execution": {
      "process_id": 664,
      "thread_id": 668
    },
    "channel": "Microsoft-Windows-AAD/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "API": "Plugin initialize",
    "Result": 3221521494
  },
  "message": ""
}
```
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1105 — Device registration API call API returned error: Result.
Event ID 1106 — Number of security groups received value.
Event ID 1107 — Error: Error ErrorMessage AdditionalInformation.
Event ID 1108 — Error: Error ErrorMessage AdditionalInformation.
Event ID 1109 — Error: Error ErrorMessage AdditionalInformation.
Event ID 1110 — Error: Error ErrorMessage AdditionalInformation.
Event ID 1111 — Error: Error ErrorMessage AdditionalInformation.
Event ID 1112 — Error: Error ErrorMessage AdditionalInformation.
Event ID 1113 — Code: Code OperationCode OperationMessage.
Event ID 1114 — Error: Error ErrorMessage AdditionalInformation.
Event ID 1115 — Error: Error ErrorMessage AdditionalInformation.
Event ID 1116 — Get Enterprise STS OAuth Info failure.
Description
Get Enterprise STS OAuth Info failure. Status: Status Correlation ID: CorrelationID.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
CorrelationID UnicodeString | — |
Event ID 1117 — Enterprise STS Refresh token failure.
Description
Enterprise STS Refresh token failure. Status: Status Correlation ID: CorrelationID.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
CorrelationID UnicodeString | — |
Event ID 1118 — Enterprise STS Logon failure.
Description
Enterprise STS Logon failure. Status: Enterprise_STS_Logon_failure_Status Correlation ID: Correlation_ID.
Message #
Fields #
| Name | Description |
|---|---|
Enterprise_STS_Logon_failure_Status HexInt32 | Enterprise STS Logon failure. Status. |
Correlation_ID UnicodeString | — |
Status HexInt32 | — NTSTATUS reference |
CorrelationID UnicodeString | — |
Event ID 1119 — Enterprise STS OAuth Info response: Enterprise_STS_OAuth_Info_response.
Description
Enterprise STS OAuth Info response: Enterprise_STS_OAuth_Info_response.
Message #
Fields #
| Name | Description |
|---|---|
Enterprise_STS_OAuth_Info_response UnicodeString | — |
Request_status Int32 | — |
Response UnicodeString | — |
Status Int32 | — NTSTATUS reference |
Event ID 1120 — Enterprise STS Refresh token is expired.
Event ID 1121 — Enterprise STS RefreshToken Correlation ID: value.
Event ID 1122 — Refresh token subject don't match.
Event ID 1123 — AadCloudAPPlugin smart card logon for non-federated user.
Description
AadCloudAPPlugin smart card logon for non-federated user.
Message #
Event ID 1124 — Device is DRS joined but Enterprise STS is disabled: Status.
Description
Device is DRS joined but Enterprise STS is disabled: Status.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1125 — AadCloudAPPlugin loaded as surrogate, no key recovery
Description
AadCloudAPPlugin loaded as surrogate, no key recovery.
Message #
Event ID 1126 — AadCloudAPPlugin device is Enterprise joined
Description
AadCloudAPPlugin device is Enterprise joined.
Message #
Event ID 1127 — AadCloudAPPlugin device P2P certificate update thread started
Event ID 1128 — AadCloudAPPlugin device P2P certificate update thread stopped
Description
AadCloudAPPlugin device P2P certificate update thread stopped.
Message #
Event ID 1129 — AadCloudAPPlugin Uninitialize Stop
Description
AadCloudAPPlugin Uninitialize Stop.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1130 — AadCloudAPPlugin DeviceP2PCertificateUpdate Correlation ID: AadCloudAPPlugin_DeviceP2PCertificateUpdate_Correlation_ID.
Event ID 1131 — Update P2P device certificate failure.
Description
Update P2P device certificate failure. Status: Status Correlation ID: CorrelationID.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
CorrelationID UnicodeString | — |
Event ID 1132 — AadCloudAPPlugin GetCertificateFromCred Correlation ID: AadCloudAPPlugin_GetCertificateFromCred_Correlation_ID.
Event ID 1133 — Update P2P user certificate failure.
Description
Update P2P user certificate failure. Status: Status Correlation ID: CorrelationID.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
CorrelationID UnicodeString | — |
Event ID 1134 — AAD Cloud AP plugin call API returned error: Result.
Event ID 1135 — AadCloudAPPlugin RenewCertificate Correlation ID: AadCloudAPPlugin_RenewCertificate_Correlation_ID.
Event ID 1136 — AadCloudAPPlugin AcceptPeerCertificate Start
Description
AadCloudAPPlugin AcceptPeerCertificate Start.
Message #
Event ID 1137 — AadCloudAPPlugin AcceptPeerCertificate Stop.
Description
AadCloudAPPlugin AcceptPeerCertificate Stop.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1138 — AadCloudAPPlugin RenewCertificate Start
Description
AadCloudAPPlugin RenewCertificate Start.
Message #
Event ID 1139 — AadCloudAPPlugin RenewCertificate Stop.
Description
AadCloudAPPlugin RenewCertificate Stop.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1140 — AadCloudAPPlugin GetCertificateFromCred Start
Description
AadCloudAPPlugin GetCertificateFromCred Start.
Message #
Event ID 1141 — AadCloudAPPlugin GetCertificateFromCred Stop.
Description
AadCloudAPPlugin GetCertificateFromCred Stop.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1142 — Get token user names don't match.
Event ID 1143 — Generic Call Package call type: Generic_Call_Packate_call_type.
Event ID 1144 — Realm discovery for: Method authority: EndpointUri fallback domain hint: CorrelationID useUpn: value.
Event ID 1145 — AAD Cloud AP plugin token needs refresh reason: value.
Event ID 1146 — Token is not refreshed.
Event ID 1147 — AadCloudAPPlugin AssembleOpaqueData Start
Description
AadCloudAPPlugin AssembleOpaqueData Start.
Message #
Event ID 1148 — AadCloudAPPlugin AssembleOpaqueData Stop.
Description
AadCloudAPPlugin AssembleOpaqueData Stop.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1149 — AadCloudAPPlugin DisassembleOpaqueData Start
Event ID 1150 — AadCloudAPPlugin DisassembleOpaqueData Stop.
Description
AadCloudAPPlugin DisassembleOpaqueData Stop.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1151 — AadCloudAPPlugin P2P device certificate update error: Status.
Description
AadCloudAPPlugin P2P device certificate update error: Status.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1152 — AadCloudAPPlugin device certificate key error: Result.
Event ID 1153 — AadCloudAPPlugin device certificate not available for logon: value.
Event ID 1154 — Password expiration claims.
Event ID 1155 — Logon with session key failure.
Description
Logon with session key failure. Retrying with device auth. Status: Status Correlation ID: CorrelationID.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
CorrelationID UnicodeString | — |
Event ID 1156 — Password expiration fields.
Description
Password expiration fields. Status: Password_expiration_fields_Status Date: Date URI: URI.
Message #
Fields #
| Name | Description |
|---|---|
Password_expiration_fields_Status HexInt32 | Password expiration fields. Status. |
Date FILETIME | — |
URI UnicodeString | — |
Status HexInt32 | — NTSTATUS reference |
ExpiryTime FILETIME | — |
PasswordChangeURI UnicodeString | — |
Event ID 1157 — AadCloudAPPlugin PostLogonProcessing Start
Description
AadCloudAPPlugin PostLogonProcessing Start.
Message #
Event ID 1158 — AadCloudAPPlugin PostLogonProcessing Stop.
Description
AadCloudAPPlugin PostLogonProcessing Stop.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1159 — AadCloudAPPlugin S4U logon failed.
Description
AadCloudAPPlugin S4U logon failed. Status: AadCloudAPPlugin_S2U_logon_failed_Status.
Message #
Fields #
| Name | Description |
|---|---|
AadCloudAPPlugin_S2U_logon_failed_Status HexInt32 | AadCloudAPPlugin S2U logon failed. Status. |
Status HexInt32 | — NTSTATUS reference |
Event ID 1160 — Logon failure.
Description
Logon failure. Status: Logon_failure_Status Correlation ID: Correlation_ID.
Message #
Fields #
| Name | Description |
|---|---|
Logon_failure_Status HexInt32 | Logon failure. Status. |
Correlation_ID UnicodeString | — |
Status HexInt32 | — NTSTATUS reference |
CorrelationID UnicodeString | — |
Event ID 1161 — Logon failure.
Description
Logon failure. Status: Logon_failure_Status Correlation ID: Correlation_ID.
Message #
Fields #
| Name | Description |
|---|---|
Logon_failure_Status HexInt32 | Logon failure. Status. |
Correlation_ID UnicodeString | — |
Status HexInt32 | — NTSTATUS reference |
CorrelationID UnicodeString | — |
Event ID 1162 — Logon failure.
Description
Logon failure. Status: Logon_failure_Status Correlation ID: Correlation_ID.
Message #
Fields #
| Name | Description |
|---|---|
Logon_failure_Status HexInt32 | Logon failure. Status. |
Correlation_ID UnicodeString | — |
Status HexInt32 | — NTSTATUS reference |
CorrelationID UnicodeString | — |
Event ID 1163 — Logon failure.
Description
Logon failure. Status: Logon_failure_Status Correlation ID: Correlation_ID.
Message #
Fields #
| Name | Description |
|---|---|
Logon_failure_Status HexInt32 | Logon failure. Status. |
Correlation_ID UnicodeString | — |
Status HexInt32 | — NTSTATUS reference |
CorrelationID UnicodeString | — |
Event ID 1164 — Logon failure.
Description
Logon failure. Status: Logon_failure_Status Correlation ID: Correlation_ID.
Message #
Fields #
| Name | Description |
|---|---|
Logon_failure_Status HexInt32 | Logon failure. Status. |
Correlation_ID UnicodeString | — |
Status HexInt32 | — NTSTATUS reference |
CorrelationID UnicodeString | — |
Event ID 1165 — Logon failure.
Description
Logon failure. Status: Logon_failure_Status Correlation ID: Correlation_ID.
Message #
Fields #
| Name | Description |
|---|---|
Logon_failure_Status HexInt32 | Logon failure. Status. |
Correlation_ID UnicodeString | — |
Status HexInt32 | — NTSTATUS reference |
CorrelationID UnicodeString | — |
Event ID 1200 — BrowserCore operation started
Description
BrowserCore operation started.
Message #
Event ID 1201 — BrowserCore operation completed successfully
Event ID 1202 — BrowserCore operation completed with a failure.
Event ID 1203 — BrowserCore inner operation FunctionName completed with error: Result.
Event ID 1204 — AadCloudAPPlugin LookupSIDFromIdentityName Start
Description
AadCloudAPPlugin LookupSIDFromIdentityName Start.
Message #
Event ID 1205 — AadCloudAPPlugin LookupSIDFromIdentityName Stop.
Description
AadCloudAPPlugin LookupSIDFromIdentityName Stop.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1206 — AadCloudAPPlugin LookupIdentityFromSIDName Start
Description
AadCloudAPPlugin LookupIdentityFromSIDName Start.
Message #
Event ID 1207 — AadCloudAPPlugin LookupIdentityFromSIDName Stop.
Description
AadCloudAPPlugin LookupIdentityFromSIDName Stop.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1208 — AadCloudAPPlugin LookupSIDFromIdentity Identity: AadCloudAPPlugin_LookupSIDFromIdentity_Identity Correlation ID: Correlation_ID.
Description
AadCloudAPPlugin LookupSIDFromIdentity Identity: AadCloudAPPlugin_LookupSIDFromIdentity_Identity Correlation ID: Correlation_ID.
Message #
Fields #
| Name | Description |
|---|---|
AadCloudAPPlugin_LookupSIDFromIdentity_Identity UnicodeString | — |
Correlation_ID UnicodeString | — |
value1 UnicodeString | — |
value2 UnicodeString | — |
Event ID 1209 — AadCloudAPPlugin LookupIdentityFromSID SID: AadCloudAPPlugin_LookupIdentityFromSID_SID Correlation ID: Correlation_ID.
Event ID 1210 — AadCloudAPPlugin password expired, password change URI: value.
Event ID 1211 — Writing RunRecovery registry value failed.
Description
Writing RunRecovery registry value failed.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1212 — Enterprise logon.
Description
Enterprise logon. Password is expired.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Correlation_ID UnicodeString | — |
CorrelationID UnicodeString | — |
Event ID 1213 — WamExtension process token operation started
Description
WamExtension process token operation started.
Message #
Event ID 1214 — WamExtension process token operation completed successfully
Description
WamExtension process token operation completed successfully.
Message #
Event ID 1215 — WamExtension process token operation completed with error: Data.
Description
WamExtension process token operation completed with error: Data.
Message #
Fields #
| Name | Description |
|---|---|
Data | WamExtension process token operation completed with error. |
Example Event #
```json
{
  "system": {
    "provider": "Microsoft-Windows-AAD",
    "guid": "4DE9BC9C-B27A-43C9-8994-0915F1A5E24F",
    "event_source_name": "",
    "event_id": 1215,
    "version": 0,
    "level": 2,
    "task": 107,
    "opcode": 2,
    "keywords": 4611686018427387922,
    "time_created": "2022-04-07T16:44:49.386586+00:00",
    "event_record_id": 2,
    "correlation": {},
    "execution": {
      "process_id": 2080,
      "thread_id": 2748
    },
    "channel": "Microsoft-Windows-AAD/Operational",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Data": {
      "Name": "Result",
      "Value": "\u0004�\u0004�"
    }
  },
  "message": ""
}
```
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1216 — WamExtension device authentication call status: Result Correlation ID: Target.
Event ID 1217 — Get device token.
Description
Get device token. Resource: Get_device_token_Resource ClientID: ClientID Scope: Scope.
Message #
Fields #
| Name | Description |
|---|---|
Get_device_token_Resource UnicodeString | Get device token. Resource. |
ClientID UnicodeString | — |
Scope UnicodeString | — |
value1 UnicodeString | — |
value2 UnicodeString | — |
value3 UnicodeString | — |
Event ID 1218 — StartFidoAuthenticationSession start
Description
StartFidoAuthenticationSession start.
Message #
Event ID 1219 — StartFidoAuthenticationSession stop.
Description
StartFidoAuthenticationSession stop.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1220 — CloseFidoAuthenticationSession start
Description
CloseFidoAuthenticationSession start.
Message #
Event ID 1221 — CloseFidoAuthenticationSession stop.
Description
CloseFidoAuthenticationSession stop.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1222 — GetClientData start
Description
GetClientData start.
Message #
Event ID 1223 — GetClientData stop.
Event ID 1224 — SignClientDataFido start
Description
SignClientDataFido start.
Message #
Event ID 1225 — SignClientDataFido stop.
Description
SignClientDataFido stop.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1226 — ChangePin start
Description
ChangePin start.
Message #
Event ID 1227 — ChangePin stop.
Event ID 1228 — GetSerializedAuthBuffer start
Description
GetSerializedAuthBuffer start.
Message #
Event ID 1229 — GetSerializedAuthBuffer stop.
Description
GetSerializedAuthBuffer stop.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1230 — AuthHelper call API returned error: Result.
Event ID 1231 — AadCloudAPPlugin Resource infomation: AadCloudAPPlugin_Resource_infomation.
Description
AadCloudAPPlugin Resource infomation: AadCloudAPPlugin_Resource_infomation.
Message #
Fields #
| Name | Description |
|---|---|
AadCloudAPPlugin_Resource_infomation UnicodeString | — |
Request_status Int32 | — |
Response UnicodeString | — |
Status Int32 | — NTSTATUS reference |
Event ID 1232 — AadCloudAPPlugin RBAC authorization code response: Response.
Description
AadCloudAPPlugin RBAC authorization code response: Response.
Message #
Fields #
| Name | Description |
|---|---|
Response UnicodeString | — |
Status Int32 | — NTSTATUS reference |
Event ID 1233 — AadCloudAPPlugin User access control role: value.
Event ID 1234 — AadCloudAPPlugin using resource id from the Idtoken: value.
Event ID 1235 — RBAC Status: RBAC_Status Correlation ID: Correlation_ID.
Description
RBAC Status: RBAC_Status Correlation ID: Correlation_ID.
Message #
Fields #
| Name | Description |
|---|---|
RBAC_Status HexInt32 | — |
Correlation_ID UnicodeString | — |
Status HexInt32 | — NTSTATUS reference |
CorrelationID UnicodeString | — |
Event ID 1236 — Failed to create the resource id
Description
Failed to create the resource id.
Message #
Event ID 1237 — Device is configured for RBAC authorization
Description
Device is configured for RBAC authorization.
Message #
Event ID 1238 — Not sending the client certificate as it is optional on the server
Description
Not sending the client certificate as it is optional on the server.
Message #
Event ID 1239 — Doing RBAC logon of the device type: value.
Event ID 1240 — Skipping Rbac Logon because AadCloudAPPlugin is loaded as surrogate
Description
Skipping Rbac Logon because AadCloudAPPlugin is loaded as surrogate.
Message #
Event ID 1241 — On-prem tgt error: Onprem_tgt_error.
Event ID 1242 — Added user to admins security group
Description
Added user to admins security group.
Message #
Event ID 1243 — Removed user from admins security group
Description
Removed user from admins security group.
Message #
Event ID 1244 — Security groups were not loaded.
Description
Security groups were not loaded. Error: Status.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1245 — Security groups were not updated.
Description
Security groups were not updated. Error: Status.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1246 — User sid: User_sid Group sids: Group_sids.
Event ID 1247 — RunRecovery registry value (Context) successfully written.
Event ID 1248 — AuthHelper auth buff local nonce
Description
AuthHelper auth buff local nonce.
Message #
Event ID 1249 — Cloud tgt error: Cloud_tgt_error.
Event ID 1250 — DoGetToken Diagnostic Event.
Description
DoGetToken Diagnostic Event.
Message #
Fields #
| Name | Description |
|---|---|
Result UInt32 | [DoGetToken Diagnostic Event] Result. |
User_Identity | [DoGetToken Diagnostic Event] User Identity. |
Credential_Type | [DoGetToken Diagnostic Event] Credential Type. |
Correlation_ID | [DoGetToken Diagnostic Event] Correlation ID. |
Endpoint_Uri | [DoGetToken Diagnostic Event] Endpoint Uri. |
HTTP_Status | [DoGetToken Diagnostic Event] HTTP Status. |
HTTP_Method | [DoGetToken Diagnostic Event] HTTP Method. |
ErrorCode UnicodeString | [DoGetToken Diagnostic Event] ErrorCode. |
Error_Description | [DoGetToken Diagnostic Event] Error Description. |
UserIdentity UnicodeString | — |
CredentialType Int32 | — |
CorrelationID UnicodeString | — |
EndpointUri UnicodeString | — |
Method UnicodeString | — |
HTTPTransportError Int32 | — |
HTTPStatus Int32 | — |
ErrorDescription UnicodeString | — |
Event ID 1251 — DoGetEnterpriseToken Diagnostic Event.
Description
DoGetEnterpriseToken Diagnostic Event.
Message #
Fields #
| Name | Description |
|---|---|
Result UInt32 | [DoGetEnterpriseToken Diagnostic Event] Result. |
User_Identity | [DoGetEnterpriseToken Diagnostic Event] User Identity. |
Credential_Type | [DoGetEnterpriseToken Diagnostic Event] Credential Type. |
Correlation_ID | [DoGetEnterpriseToken Diagnostic Event] Correlation ID. |
Endpoint_Uri | [DoGetEnterpriseToken Diagnostic Event] Endpoint Uri. |
HTTP_Status | [DoGetEnterpriseToken Diagnostic Event] HTTP Status. |
HTTP_Method | [DoGetEnterpriseToken Diagnostic Event] HTTP Method. |
ErrorCode UnicodeString | [DoGetEnterpriseToken Diagnostic Event] ErrorCode. |
Error_Description | [DoGetEnterpriseToken Diagnostic Event] Error Description. |
UserIdentity UnicodeString | — |
CredentialType Int32 | — |
CorrelationID UnicodeString | — |
EndpointUri UnicodeString | — |
Method UnicodeString | — |
HTTPTransportError Int32 | — |
HTTPStatus Int32 | — |
ErrorDescription UnicodeString | — |
Event ID 1252 — DoRefreshToken Diagnostic Event.
Description
DoRefreshToken Diagnostic Event.
Message #
Fields #
| Name | Description |
|---|---|
Result UInt32 | [DoRefreshToken Diagnostic Event] Result. |
User_Identity | [DoRefreshToken Diagnostic Event] User Identity. |
Credential_Type | [DoRefreshToken Diagnostic Event] Credential Type. |
Correlation_ID | [DoRefreshToken Diagnostic Event] Correlation ID. |
Endpoint_Uri | [DoRefreshToken Diagnostic Event] Endpoint Uri. |
HTTP_Status | [DoRefreshToken Diagnostic Event] HTTP Status. |
HTTP_Method | [DoRefreshToken Diagnostic Event] HTTP Method. |
ErrorCode UnicodeString | [DoRefreshToken Diagnostic Event] ErrorCode. |
Error_Description | [DoRefreshToken Diagnostic Event] Error Description. |
UserIdentity UnicodeString | — |
CredentialType Int32 | — |
NewToken Boolean | — |
CorrelationID UnicodeString | — |
EndpointUri UnicodeString | — |
Method UnicodeString | — |
HTTPTransportError Int32 | — |
HTTPStatus Int32 | — |
ErrorDescription UnicodeString | — |
Event ID 1253 — DoRefreshEnterpriseToken Diagnostic Event.
Description
DoRefreshEnterpriseToken Diagnostic Event.
Message #
Fields #
| Name | Description |
|---|---|
Result UInt32 | [DoRefreshEnterpriseToken Diagnostic Event] Result. |
User_Identity | [DoRefreshEnterpriseToken Diagnostic Event] User Identity. |
Credential_Type | [DoRefreshEnterpriseToken Diagnostic Event] Credential Type. |
Correlation_ID | [DoRefreshEnterpriseToken Diagnostic Event] Correlation ID. |
Endpoint_Uri | [DoRefreshEnterpriseToken Diagnostic Event] Endpoint Uri. |
HTTP_Status | [DoRefreshEnterpriseToken Diagnostic Event] HTTP Status. |
HTTP_Method | [DoRefreshEnterpriseToken Diagnostic Event] HTTP Method. |
ErrorCode UnicodeString | [DoRefreshEnterpriseToken Diagnostic Event] ErrorCode. |
Error_Description | [DoRefreshEnterpriseToken Diagnostic Event] Error Description. |
UserIdentity UnicodeString | — |
CredentialType Int32 | — |
NewToken Boolean | — |
CorrelationID UnicodeString | — |
EndpointUri UnicodeString | — |
Method UnicodeString | — |
HTTPTransportError Int32 | — |
HTTPStatus Int32 | — |
ErrorDescription UnicodeString | — |
Event ID 1254 — Response content type: Response_content_type.
Event ID 1255 — AD TGT: AD_TGT Cloud TGT: Cloud_TGT.
Event ID 1256 — P2P certificate update error.
Event ID 1257 — Credbuffer correlation ID: Credbuffer_correlation_ID Correlation ID: Correlation_ID.
Event ID 1258 — CA cert hash (keyID): CA_cert_hash_keyID Correlation ID: Correlation_ID.
Event ID 1259 — CA certificate update error.
Event ID 1260 — RetryGetClientData start
Description
RetryGetClientData start.
Message #
Event ID 1261 — RetryGetClientData stop.
Description
RetryGetClientData stop.
Message #
Fields #
| Name | Description |
|---|---|
Status HexInt32 | — NTSTATUS reference |
Event ID 1262 — Binding key tag check failed: Binding_key_tag_check_failed.
Description
Binding key tag check failed: Binding_key_tag_check_failed.
Message #
Fields #
| Name | Description |
|---|---|
Binding_key_tag_check_failed HexInt32 | — |
Status HexInt32 | — NTSTATUS reference |
Event ID 1263 — BrowserCore inner operation FunctionName with account pairwiseID PairwiseID not found error.
Event ID 1264 — Token binding key created.
Event ID 1265 — WamExtension preprocess token operation started.
Description
WamExtension preprocess token operation started.
Message #
Event ID 1266 — WamExtension preprocess token operation completed successfully
Description
WamExtension preprocess token operation completed successfully.
Message #
Event ID 1267 — WamExtension preprocess token operation completed with error: Result.
Event ID 1268 — WamExtension postprocess token operation started.
Event ID 1269 — WamExtension postprocess token operation completed successfully.
Event ID 1270 — WamExtension postprocess token operation completed with error: Result.
Event ID 1271 — Token binding claim(s) included in the request.
Event ID 1272 — Token binding key is not healthy and needs to be re-created.
Event ID 1273 — Token binding claims need to be re-generated due to changes in attestation key(s).
Event ID 1274 — Token binding claims generated.
Event ID 1275 — Token binding claims generated for UI request.
Event ID 1276 — Token binding claims count: ClaimsCount.
Event ID 1277 — KeyGuard availability detection failed.
Event ID 1278 — KeyGuard with attestation support is not detected.
Description
KeyGuard with attestation support is not detected.