Message

Windows Hello processing started.
Scenario type: %1

Fields

Message

The key pre-generation pool received a request for a new key.

Message

The key pre-generation pool needs to pre-generate a key.

Message

Windows Hello for Business prerequisites check started.

Example Event

system:
  provider: Microsoft-Windows-HelloForBusiness
  guid: 906B8A99-63CE-58D7-86AB-10989BBD5567
  event_source_name: ''
  event_id: 3054
  version: 0
  level: 4
  task: 12
  opcode: 10
  keywords: 9223372036854775809
  time_created: '2022-04-07T16:57:32.150039+00:00'
  event_record_id: 16
  correlation: {}
  execution:
    process_id: 4128
    thread_id: 4156
  channel: Microsoft-Windows-HelloForBusiness/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Windows Hello container provisioning started.

Fields

Message

Windows Hello is creating a PIN recovery key for user %1.

Fields

Message

The cloud experience host started.
Scenario type: %1

Fields

Message

Windows Hello sign-in certificate enrollment started.

Message

Windows Hello PIN Recovery is attempting to change user's PIN. PIN recovery type: %1.

Fields

Fields

Message

Windows Hello key creation started.

Message

Windows Hello key registration started.

Message

Attempting multi-factor unlock using provider %1. The list of acceptable providers are:
Group A: %2
Group B: %3

Fields

Message

AD/Azure AD plugin request started.

Message

Windows Hello container creation started.

Message

Windows Hello container deletion started in response to a policy change.

Message

Windows Hello container deletion started from %1.

Fields

Message

TPM Manufacturer: %1
Version: %2
Firmware Version: %3
Is Ready: %4

Fields

Message

A user signed into the device with the following information:

Username: %1
User SID: %2
Credential Type: %3
Deployment Type: %4

Fields

Message

A user is signing into the device with the following gesture information:

Type: %1
Subtype: %2

Fields

Message

Windows Hello for Business Policy Enforcement Information for the user %1:

Use Windows Hello for Business Policy State: %2
 Use Windows Hello for Business Policy Source: %3
Deployment Type: %4
Credential Type: %5
PIN Min Length: %6
PIN Max Length: %7
PIN Uppercase: %8
PIN Lowercase: %9
PIN Digits: %10
PIN Special Characters: %11
PIN Allow Sequences: %12
PIN History: %13
PIN Expiration: %14
PIN Recovery Policy State: %15
TPM Required: %16
Hardware Policy: %17
Multifactor Unlock: %18

Fields

Message

Windows Hello for Business Enabled Policy successfully enforced for the user %1:

Use Windows Hello for Business Policy State: %2

Fields

Fields

Message

Enforcing the following Windows Hello for Business Enable Policies for the user %1:

Use Windows Hello for Business Policy State: %2
Use Windows Hello for Business Policy Source: %3
Deployment Type: %4

Fields

Message

The key pre-generation pool received a request.
Result: %1
Number of available keys: %2
Elapsed time: %3 seconds

Fields

Fields

Message

Windows Hello is validating that the device can satisfy all applicable policies.TPM Supported: {TpmSupport}Hardware Policy: {HardwarePolicy}Exclude TPM 1.2: {IsTpm12Excluded}TPM Version: {TpmVersion}Secure TPM: {IsTpmSecure}Insecure TPM blocked by WHfB policy: {IsInsecureTpmBlockedByWHfBPolicy}Insecure TPM blocked by TPM policy: {IsInsecureTpmBlockedByTpmPolicy}Satisfactory TPM: {IsTpmSatisfactory}TPM FIPS: {IsTpmFIPS}TPM Locked Out: {TpmSupport}0Satisfactory Key Pregeneration Pool: {TpmSupport}1Key Storage Provider: {TpmSupport}2Result: {TpmSupport}3

Fields

Message

Windows Hello is checking the PIN recovery policy. The policy is %1 for user %2.

Fields

Fields

Message

Windows Hello is downloading the public encryption key from the PIN recovery service.

Fields

Message

Windows Hello found a PIN recovery key for user %1.

Fields

Fields

Message

Windows Hello is updating the PIN recovery key for user %1.

Fields

Message

Windows Hello is uploading the encrypted PIN recovery key to the PIN recovery service.

Fields

Message

Windows Hello for Business certificate enrollment configurations: 

Certificate Enrollment Method: %1
Certificate Required for On-Premise Auth: %2

Fields

Message

Windows Hello for Business On-Premise authentication configurations: 

Certificate Enrollment Method: %1
Certificate Required for On-Premise Auth: %2
Use Cloud Trust for On-Premise Auth: %3
Account has Cloud TGT: %4

Fields

Message

Creating a %1 Windows Hello key with result %2.

Fields

Message

Multi-factor unlock policy is not configured on this device.

Example Event

system:
  provider: Microsoft-Windows-HelloForBusiness
  guid: 906B8A99-63CE-58D7-86AB-10989BBD5567
  event_source_name: ''
  event_id: 5520
  version: 0
  level: 4
  task: 15
  opcode: 12
  keywords: 9223372036854775809
  time_created: '2022-04-07T16:55:39.785616+00:00'
  event_record_id: 15
  correlation: {}
  execution:
    process_id: 428
    thread_id: 1500
  channel: Microsoft-Windows-HelloForBusiness/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Windows Hello is validating that the device can satisfy all applicable policies.

TPM Supported: %1
Hardware Policy: %2
Exclude TPM 1.2: %3
TPM Version: %4
TPM FIPS: %5
TPM Locked Out: %6
Satisfactory Key Pregeneration Pool: %7
Key Storage Provider: %8
Result: %9

Fields

Message

Windows Hello detected and ignored a policy change to delete the container at the user's next sign out because the user is configured to have no password on this device.

Message

Windows Hello was unable to check if there was a policy change that would trigger container deletion.

Message

Windows Hello successfully updated a %1 %2 key from the Windows Hello container.

Key Name: %3

Fields

Message

Windows Hello read following protector properties from disk: PIN protector = %1, Bio protector = %2, Secure Bio Protector = %3, Recovery protector = %4, Preboot protector = %5

Fields

Message

Windows Hello wrote following protector properties to disk: PIN protector = %1, Bio protector = %2, Secure Bio Protector = %3, Recovery protector = %4, Preboot protector = %5

Fields

Message

A key credential was unavailable for use by an application because it did not meet all the requirements for use.

Key name: %1
Reason: %2

Fields

Message

Windows Hello processing stopped with warning %1.
Processing time: %2 seconds

Fields

Message

Windows Hello container provisioning stopped with warning %1.
Processing time: %2 seconds

Fields

Message

The cloud experience host scenario stopped with warning %1.
Processing time: %2 seconds

Fields

Message

Windows Hello sign-in certificate enrollment was unable to enroll for a logon certificate. Automatic certificate enrollment will retry at regular intervals.
Error: %1
Processing time: %2 seconds

Fields

Message

Windows Hello for Business was unable to evaluate the presence of a certificate payload for the sign-in certificate.

Message

Windows Hello for Business was unable to detect whether the user is running in a remote desktop session.

Message

Windows Hello for Business certificate trust and cloud trust policies are both enabled.

Certificate trust policy will be enforced.

Message

Provider is not in the acceptable provider list.

Message

AD/Azure AD plugin request stopped with warning %1.
Processing time: %2 seconds

Fields

Message

Windows Hello could not delete the container as no container currently exists for the user.

Message

A user failed to sign into the device with the following information:

Username: %1
User SID: %2
Credential Type: %3
Deployment Type: %4
Software Lockout Counter: %5
Authentication Error Status: %6
Authentication Error Substatus: %7

Fields

Message

Failed to load an existing Windows Hello container.

ID: %1
Error: %2

Fields

Message

The %1 service failed to start.
Error: %2.

Fields

Message

Windows Hello failed to create the sign-in certificate request.
Error: %1

Fields

Message

Windows Hello failed to install the sign-in certificate.
Error: %1

Fields

Message

Windows Hello failed to roll back from an unsuccessful sign-in certificate enrollment.
Error: %1

Fields

Message

Windows Hello processing failed with %1.
Processing time: %2 seconds

Fields

Message

The new key request from the key pre-generation pool failed.
Error: %1
Processing time: %2 seconds.

Fields

Fields

Message

The key pre-generation pool failed to pre-generate a key.
Error: %1
Processing time: %2 seconds.

Fields

Fields

Message

Windows Hello for Business prerequisites check failed.

Error: %1

Fields

Fields

Example Event

system:
  provider: Microsoft-Windows-HelloForBusiness
  guid: 906B8A99-63CE-58D7-86AB-10989BBD5567
  event_source_name: ''
  event_id: 7054
  version: 0
  level: 2
  task: 12
  opcode: 11
  keywords: 9223372036854775809
  time_created: '2022-04-07T16:48:31.714659+00:00'
  event_record_id: 6
  correlation: {}
  execution:
    process_id: 4128
    thread_id: 4228
  channel: Microsoft-Windows-HelloForBusiness/Operational
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data:
  Error: '0x1'
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Windows Hello container provisioning failed with %1.
Processing time: %2 seconds

Fields

Message

Windows Hello failed to create a PIN recovery key for user %1.
Error: %2 (%3)
Correlation vector: %4
Processing time: %5 seconds.

Fields

Message

The cloud experience host scenario failed with %1.
Processing time: %2 seconds

Fields

Message

Windows Hello sign-in certificate enrollment failed.
Error: %1
Processing time: %2 seconds

Fields

Message

Windows Hello failed to set a certificate property on a Windows Hello key.

Error: %1
Key name: %2
Certificate type: %3

Fields

Message

Windows Hello PIN Recovery failed to change the user's PIN.
Error: %1 (%2)
Correlation vector: %3
Processing time: %4 seconds.

Fields

Message

The device registration prerequisite check failed.

Message

The Primary Account Primary Refresh Token prerequisite check failed.

Example Event

system:
  provider: Microsoft-Windows-HelloForBusiness
  guid: 906B8A99-63CE-58D7-86AB-10989BBD5567
  event_source_name: ''
  event_id: 7201
  version: 0
  level: 2
  task: 12
  opcode: 12
  keywords: 9223372036854775809
  time_created: '2022-04-07T16:48:31.714659+00:00'
  event_record_id: 5
  correlation: {}
  execution:
    process_id: 4128
    thread_id: 4228
  channel: Microsoft-Windows-HelloForBusiness/Operational
  computer: WIN-FPV0DSIC9O6
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The device failed to meet the Windows Hello for Business hardware requirements.

Message

Windows Hello for Business is not enabled.

Message

Windows Hello for Business post-logon provisioning is not enabled.

Message

Windows Hello for Business failed to locate a usable sign-in certificate template.

Error: %1

Fields

Fields

Message

Windows Hello for Business failed to locate a certificate registration authority.

Message

Windows Hello for Business failed to locate an enterprise management client.

Message

Windows Hello for Business failed to locate a sign-in certificate profile.

Message

Windows Hello for Business failed to locate a certificate payload for the sign-in certificate. The SCEP Request is not available.

Message

Windows Hello for Business detected the user running in a remote desktop session.

Message

The Secondary Account Primary Refresh Token prerequisite check failed.

Message

Windows Hello key creation failed with %1.
Processing time: %2 seconds

Fields

Message

Windows Hello failed to delete the %1 key.

Key Name: %2
Error: %3

Fields

Message

Windows Hello key registration failed.

Error: %1

Fields

Message

Failed to authenticate the user's credential.
Error: %1 (%2)
Correlation vector: %3
Processing time: %4 milliseconds.

Fields

Message

AD/Azure AD plugin request failed with %1.
Processing time: %2 seconds

Fields

Message

Windows Hello container creation failed.
Error: %1
Processing time: %2 seconds

Fields

Message

Windows Hello failed to delete the container in response to a policy change.

Error: %1
Processing time: %2 milliseconds.

Fields

Message

Windows Hello failed to delete the container.

Error: %1.

Fields

Message

Windows Hello failed to delete the user's Windows Hello certificates.

Error: %1.

Fields

Message

Windows Hello failed to delete the user's biometric enrollments.

Error: %1.

Fields

Message

Windows Hello failed to use secure biometrics protector due to secret encryption key loss.

Message

Successfully loaded an existing %3 Windows Hello container.

ID: %1
Version: %2
Has Cached Logon Key: %4
State: %5

Fields

Message

The %1 service started successfully.

Fields

Example Event

system:
  provider: Microsoft-Windows-HelloForBusiness
  guid: 906B8A99-63CE-58D7-86AB-10989BBD5567
  event_source_name: ''
  event_id: 8025
  version: 0
  level: 16
  task: 6
  opcode: 12
  keywords: 9223372036854775809
  time_created: '2023-11-06T01:43:17.888294+00:00'
  event_record_id: 5
  correlation: {}
  execution:
    process_id: 1444
    thread_id: 14060
  channel: Microsoft-Windows-HelloForBusiness/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-19
event_data:
  ServiceName: Microsoft Passport Container
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Windows Hello created the sign-in certificate request successfully.

Message

Windows Hello installed the sign-in certificate successfully.

Message

Windows Hello successfully rolled back from an unsuccessful sign-in certificate enrollment.

Message

Windows Hello processing completed successfully.
Processing time: %1 seconds

Fields

Message

The new key request from the key pre-generation pool completed successfully.
Processing time: %1 seconds.

Fields

Fields

Message

The key pre-generation pool successfully pre-generated a key. 
Processing time: %1 seconds.

Fields

Fields

Message

Windows Hello for Business prerequisites check completed successfully.

Example Event

system:
  provider: Microsoft-Windows-HelloForBusiness
  guid: 906B8A99-63CE-58D7-86AB-10989BBD5567
  event_source_name: ''
  event_id: 8054
  version: 0
  level: 16
  task: 12
  opcode: 11
  keywords: 9223372036854775809
  time_created: '2022-04-07T16:57:32.150051+00:00'
  event_record_id: 18
  correlation: {}
  execution:
    process_id: 4128
    thread_id: 4156
  channel: Microsoft-Windows-HelloForBusiness/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

Windows Hello container provisioning completed successfully.
Processing time: %1 seconds
Existing container: %2

Fields

Message

Windows Hello successfully created a PIN recovery key for user %1.
Processing time: %2 seconds

Fields

Message

The cloud experience host completed successfully.
Processing time: %1 seconds

Fields

Message

Windows Hello sign-in certificate enrollment completed successfully.
Processing time: %1 seconds

Fields

Message

Windows Hello set a certificate property on a Windows Hello key.

Key name: %1
Certificate type: %2

Fields

Message

Windows Hello PIN Recovery successfully changed the user's PIN.
Processing time: %1 seconds.

Fields

Message

The device registration prerequisite check completed successfully.

Message

The Primary Account Primary Refresh Token prerequisite check completed successfully.

Message

The device meets Windows Hello for Business hardware requirements.

Message

Windows Hello for Business is enabled.

Message

Windows Hello for Business post-logon provisioning is enabled.

Message

Windows Hello for Business successfully located a usable sign-on certificate template.

Message

Windows Hello for Business successfully located a certificate registration authority.

Message

Windows Hello for Business successfully located an enterprise management client.

Message

Windows Hello for Business successfully located a sign-in certificate profile.

Message

Windows Hello for Business successfully located a certificate payload for the sign-in certificate. The SCEP Request is available.

Message

Windows Hello for Business successfully completed the remote desktop prerequisite check.

Example Event

system:
  provider: Microsoft-Windows-HelloForBusiness
  guid: 906B8A99-63CE-58D7-86AB-10989BBD5567
  event_source_name: ''
  event_id: 8210
  version: 0
  level: 16
  task: 12
  opcode: 12
  keywords: 9223372036854775809
  time_created: '2022-04-07T16:57:32.150041+00:00'
  event_record_id: 17
  correlation: {}
  execution:
    process_id: 4128
    thread_id: 4156
  channel: Microsoft-Windows-HelloForBusiness/Operational
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data: {}
message: ''

References

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Message

The Secondary Account Primary Refresh Token prerequisite check completed successfully.

Message

Windows Hello key creation completed successfully.
Processing time: %1 seconds

Fields

Message

Windows Hello successfully deleted a %1 %2 key from the Windows Hello container.

Key Name: %3

Fields

Message

Windows Hello key registration completed successfully.

Message

Successfully authenticated the user's credential.
Processing time: %1 milliseconds.

Fields

Message

AD/Azure AD plugin request completed successfully.
Processing time: %1 seconds

Fields

Message

The Windows Hello container creation completed successfully.
Processing time: %1 seconds

Fields

Message

Windows Hello successfully deleted the container in response to a policy change.

Processing time: %1 milliseconds.

Fields

Message

Windows Hello successfully deleted the container.

Message

Windows Hello successfully deleted the user's Windows Hello certificates.

Message

Windows Hello successfully deleted the user's biometric enrollments.

Message

Windows Hello for Business successfully added a user entry to the Username/SID cache with the following information: 

Username: %1
User SID: %2
Domain: %3
User-Entered: %4

Fields

Message

Windows Hello for Business successfully removed a user entry to the Username/SID cache with the following information: 

User SID: %1

Fields

Message

Windows Hello for Business found a user entry with a duplicate SID and successfully removed the unused username from the Username/SID cache: 

User SID: %1
Username: %2
Unused Username: %3

Fields

Message

Windows Hello for Business found a user entry with a duplicate username and successfully removed the unused SID from the Username/SID cache: 

Username: %1
User SID: %2
Unused User SID: %3

Fields

Message

Windows Hello for Business found a stale SID in the Username/SID cache: 

Username: %1
User SID: %2
Stale User SID: %3

Fields

Message

Windows Hello for Business found a stale username in the Username/SID cache: 

User SID: %1
Username: %2
Stale Username: %3

Fields

Message

Windows Hello for Business removed a stale SID from the Username/SID cache: 

Stale User SID: %1

Fields

Message

Windows Hello for Business removed a stale username from the Username/SID cache: 

User SID: %1
Stale Username: %2

Fields

Message

Windows Hello for Business PIN was changed by a user with the following information: 
User SID: %1

Fields