Microsoft-Windows-HelloForBusiness
180 events across 2 channels
Event ID 3045 — Windows Hello processing started.
Event ID 3052 — The key pre-generation pool received a request for a new key.
Description
The key pre-generation pool received a request for a new key.
Event ID 3053 — The key pre-generation pool needs to pre-generate a key.
Description
The key pre-generation pool needs to pre-generate a key.
Event ID 3054 — Windows Hello for Business prerequisites check started.
Description
Windows Hello for Business prerequisites check started.
Example Event
{
"system": {
"provider": "Microsoft-Windows-HelloForBusiness",
"guid": "906B8A99-63CE-58D7-86AB-10989BBD5567",
"event_source_name": "",
"event_id": 3054,
"version": 0,
"level": 4,
"task": 12,
"opcode": 10,
"keywords": 9223372036854775809,
"time_created": "2022-04-07T16:57:32.150039+00:00",
"event_record_id": 16,
"correlation": {},
"execution": {
"process_id": 4128,
"thread_id": 4156
},
"channel": "Microsoft-Windows-HelloForBusiness/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 3055 — Windows Hello container provisioning started.
Description
Windows Hello container provisioning started.
Event ID 3060 — Windows Hello is creating a PIN recovery key for user UserSid.
Description
Windows Hello is creating a PIN recovery key for user UserSid.
Fields
| Name | Type | Description |
|---|---|---|
| UserSid | SID | — |
Event ID 3065 — The cloud experience host started.
Event ID 3066 — Windows Hello sign-in certificate enrollment started.
Description
Windows Hello sign-in certificate enrollment started.
Event ID 3130 — Windows Hello PIN Recovery is attempting to change user's PIN.
Description
Windows Hello PIN Recovery is attempting to change user's PIN. PIN recovery type: .
Fields
| Name | Type | Description |
|---|---|---|
| PinRecoveryEntryType | UInt32 | — |
Event ID 3225 — Windows Hello key creation started.
Description
Windows Hello key creation started.
Event ID 3510 — Windows Hello key registration started.
Description
Windows Hello key registration started.
Event ID 3520 — Attempting multi-factor unlock using provider Group_A.
Event ID 3525 — AD/Azure AD plugin request started.
Description
AD/Azure AD plugin request started.
Event ID 3555 — Windows Hello container creation started.
Description
Windows Hello container creation started.
Event ID 3601 — Windows Hello container deletion started in response to a policy change.
Description
Windows Hello container deletion started in response to a policy change.
Event ID 3611 — Windows Hello container deletion started from CallingAppName.
Event ID 5000 — TPM Manufacturer: TPM_Manufacturer.
Event ID 5001 — A user signed into the device with the following information.
Description
A user signed into the device with the following information.
Fields
| Name | Type | Description |
|---|---|---|
| Username | UnicodeString | [A user signed into the device with the following information] Username. |
| User_SID | SID | [A user signed into the device with the following information] User SID. |
| Credential_Type | UInt32 | [A user signed into the device with the following information] Credential Type. |
| Deployment_Type | UInt32 | [A user signed into the device with the following information] Deployment Type. |
| UserName | UnicodeString | — |
| UserSid | SID | — |
| CredentialType | UInt32 | — |
| DeploymentType | UInt32 | — |
Event ID 5002 — A user is signing into the device with the following gesture information.
Description
A user is signing into the device with the following gesture information.
Fields
| Name | Type | Description |
|---|---|---|
| Type | HexInt32 | [A user is signing into the device with the following gesture information] Type. |
| Subtype | UInt32 | [A user is signing into the device with the following gesture information] Subtype. |
| GestureType | HexInt32 | — |
| GestureSubtype | UInt32 | — |
Event ID 5003 — Windows Hello for Business Policy Enforcement Information for the user UserSid.
Description
Windows Hello for Business Policy Enforcement Information for the user UserSid.
Fields
| Name | Type | Description |
|---|---|---|
| UserSid | SID | — |
| NgcEnabledPolicyState | UInt32 | — |
| EnabledPolicySource | UInt32 | — |
| DeploymentType | UInt32 | — |
| CredentialType | UInt32 | — |
| PinMinLength | UInt32 | — |
| PinMaxLength | UInt32 | — |
| PinUppercase | UInt32 | — |
| PinLowercase | UInt32 | — |
| PinDigits | UInt32 | — |
| PinSpecial | UInt32 | — |
| PinAllowSequences | Boolean | — |
| PinHistory | Boolean | — |
| PinExpiration | Boolean | — |
| PinRecoveryPolicyState | UInt32 | — |
| TPMRequired | Boolean | — |
| HardwarePolicy | UInt32 | — |
| MultifactorUnlock | Boolean | — |
Event ID 5004 — Windows Hello for Business Enabled Policy successfully enforced for the user UserSid.
Event ID 5005 — Enforcing the following Windows Hello for Business Enable Policies for the user UserSid.
Description
Enforcing the following Windows Hello for Business Enable Policies for the user.
Fields
| Name | Type | Description |
|---|---|---|
| UserSid | SID | — |
| NgcEnabledPolicyState | UInt32 | — |
| EnabledPolicySource | UInt32 | — |
| DeploymentType | UInt32 | — |
Event ID 5050 — The key pre-generation pool received a request.
Description
The key pre-generation pool received a request.
Fields
| Name | Type | Description |
|---|---|---|
| Result | HexInt32 | — |
| NumberOfAvailableKeys | UInt32 | — |
| ElapsedTime | UInt32 | — |
Event ID 5055 — Windows Hello is validating that the device can satisfy all applicable policies.
Event ID 5060 — Windows Hello is checking the PIN recovery policy.
Description
Windows Hello is checking the PIN recovery policy. The policy is for user .
Fields
| Name | Type | Description |
|---|---|---|
| PinRecoveryPolicyState | UInt32 | — |
| UserSid | SID | — |
Event ID 5061 — Windows Hello is downloading the public encryption key from the PIN recovery service.
Description
Windows Hello is downloading the public encryption key from the PIN recovery service.
Event ID 5062 — Windows Hello found a PIN recovery key for user UserSid.
Description
Windows Hello found a PIN recovery key for user UserSid.
Fields
| Name | Type | Description |
|---|---|---|
| UserSid | SID | — |
Event ID 5063 — Windows Hello is updating the PIN recovery key for user UserSid.
Description
Windows Hello is updating the PIN recovery key for user UserSid.
Fields
| Name | Type | Description |
|---|---|---|
| UserSid | SID | — |
Event ID 5064 — Windows Hello is uploading the encrypted PIN recovery key to the PIN recovery service.
Description
Windows Hello is uploading the encrypted PIN recovery key to the PIN recovery service.
Event ID 5204 — Windows Hello for Business certificate enrollment configurations.
Description
Windows Hello for Business certificate enrollment configurations.
Fields
| Name | Type | Description |
|---|---|---|
| CertificateEnrollmentMethod | UInt32 | — |
| CertificateRequired | Boolean | — |
Event ID 5205 — Windows Hello for Business On-Premise authentication configurations.
Description
Windows Hello for Business On-Premise authentication configurations.
Fields
| Name | Type | Description |
|---|---|---|
| CertificateEnrollmentMethod | UInt32 | — |
| CertificateRequired | Boolean | — |
| UseCloudTrust | Boolean | — |
| HasCloudTgt | Boolean | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-HelloForBusiness",
"guid": "906B8A99-63CE-58D7-86AB-10989BBD5567",
"event_source_name": "",
"event_id": 5205,
"version": 0,
"level": 4,
"task": 12,
"opcode": 12,
"keywords": 9223372036854775809,
"time_created": "2026-03-09T00:59:27.820700+00:00",
"event_record_id": 19,
"correlation": {},
"execution": {
"process_id": 9652,
"thread_id": 9984
},
"channel": "Microsoft-Windows-HelloForBusiness/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"CertificateEnrollmentMethod": 0,
"CertificateRequired": false,
"UseCloudTrust": false,
"HasCloudTgt": false
},
"message": ""
}
Event ID 5225 — Creating a KeyProvider Windows Hello key with result Result.
Event ID 5520 — Multi-factor unlock policy is not configured on this device.
Description
Multi-factor unlock policy is not configured on this device.
Example Event
{
"system": {
"provider": "Microsoft-Windows-HelloForBusiness",
"guid": "906B8A99-63CE-58D7-86AB-10989BBD5567",
"event_source_name": "",
"event_id": 5520,
"version": 0,
"level": 4,
"task": 15,
"opcode": 12,
"keywords": 9223372036854775809,
"time_created": "2022-04-07T16:55:39.785616+00:00",
"event_record_id": 15,
"correlation": {},
"execution": {
"process_id": 428,
"thread_id": 1500
},
"channel": "Microsoft-Windows-HelloForBusiness/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 5555 — Windows Hello is validating that the device can satisfy all applicable policies.
Description
Windows Hello is validating that the device can satisfy all applicable policies.
Fields
| Name | Type | Description |
|---|---|---|
| TPM_Supported | UInt32 | — |
| Hardware_Policy | UInt32 | — |
| Exclude_TPM_12 | Boolean | Exclude TPM 1.2. |
| TPM_Version | UInt32 | — |
| TPM_FIPS | Boolean | — |
| TPM_Locked_Out | Boolean | — |
| Satisfactory_Key_Pregeneration_Pool | Boolean | — |
| Key_Storage_Provider | UInt32 | — |
| Result | HexInt32 | — |
| TpmSupport | UInt32 | — |
| HardwarePolicy | UInt32 | — |
| IsTpm12Excluded | Boolean | — |
| TpmVersion | UInt32 | — |
| IsTpmFIPS | Boolean | — |
| IsTpmLockedOut | Boolean | — |
| IsKeyPregenPoolSatisfactory | Boolean | — |
| KeyProvider | UInt32 | — |
Event ID 5601 — Windows Hello detected and ignored a policy change to delete the container at the user's next sign out because the user is configured to have no pa...
Description
Windows Hello detected and ignored a policy change to delete the container at the user's next sign out because the user is configured to have no password on this device.
Event ID 5602 — Windows Hello was unable to check if there was a policy change that would trigger container deletion.
Description
Windows Hello was unable to check if there was a policy change that would trigger container deletion.
Event ID 5641 — Windows Hello successfully updated a Key_Name KeyProvider key from the Windows Hello container.
Event ID 5701 — Windows Hello read following protector properties from disk: PIN protector = Hr, Bio protector = PinProtector, Secure Bio Protector = BioProtector, Recovery protector ...
Description
Windows Hello read following protector properties from disk: PIN protector = Hr, Bio protector = PinProtector, Secure Bio Protector = BioProtector, Recovery protector = SecureBioProtector, Preboot protector = RecoveryProtector.
Fields
| Name | Type | Description |
|---|---|---|
| Hr | HexInt32 | — |
| PinProtector | Boolean | — |
| BioProtector | Boolean | — |
| SecureBioProtector | Boolean | — |
| RecoveryProtector | Boolean | — |
| PrebootProtector | Boolean | — |
Event ID 5702 — Windows Hello wrote following protector properties to disk: PIN protector = Hr, Bio protector = PinProtector, Secure Bio Protector = BioProtector, Recovery protector =...
Description
Windows Hello wrote following protector properties to disk: PIN protector = Hr, Bio protector = PinProtector, Secure Bio Protector = BioProtector, Recovery protector = SecureBioProtector, Preboot protector = RecoveryProtector.
Fields
| Name | Type | Description |
|---|---|---|
| Hr | HexInt32 | — |
| PinProtector | Boolean | — |
| BioProtector | Boolean | — |
| SecureBioProtector | Boolean | — |
| RecoveryProtector | Boolean | — |
| PrebootProtector | Boolean | — |
Event ID 6010 — A key credential was unavailable for use by an application because it did not meet all the requirements for use.
Event ID 6045 — Windows Hello processing stopped with warning Processing_time.
Event ID 6055 — Windows Hello container provisioning stopped with warning Processing_time.
Event ID 6065 — The cloud experience host scenario stopped with warning Processing_time.
Event ID 6066 — Windows Hello sign-in certificate enrollment was unable to enroll for a logon certificate.
Event ID 6209 — Windows Hello for Business was unable to evaluate the presence of a certificate payload for the sign-in certificate.
Description
Windows Hello for Business was unable to evaluate the presence of a certificate payload for the sign-in certificate.
Event ID 6210 — Windows Hello for Business was unable to detect whether the user is running in a remote desktop session.
Description
Windows Hello for Business was unable to detect whether the user is running in a remote desktop session.
Event ID 6441 — Windows Hello for Business certificate trust and cloud trust policies are both enabled.
Description
Windows Hello for Business certificate trust and cloud trust policies are both enabled.
Event ID 6520 — Provider is not in the acceptable provider list.
Description
Provider is not in the acceptable provider list.
Event ID 6525 — AD/Azure AD plugin request stopped with warning Processing_time.
Event ID 6611 — Windows Hello could not delete the container as no container currently exists for the user.
Description
Windows Hello could not delete the container as no container currently exists for the user.
Event ID 7001 — A user failed to sign into the device with the following information.
Description
A user failed to sign into the device with the following information.
Fields
| Name | Type | Description |
|---|---|---|
| Username | UnicodeString | [A user failed to sign into the device with the following information] Username. |
| User_SID | SID | [A user failed to sign into the device with the following information] User SID. |
| Credential_Type | UInt32 | [A user failed to sign into the device with the following information] Credential Type. |
| Deployment_Type | UInt32 | [A user failed to sign into the device with the following information] Deployment Type. |
| Software_Lockout_Counter | UInt32 | [A user failed to sign into the device with the following information] Software Lockout Counter. |
| Authentication_Error_Status | HexInt32 | [A user failed to sign into the device with the following information] Authentication Error Status. |
| Authentication_Error_Substatus | HexInt32 | [A user failed to sign into the device with the following information] Authentication Error Substatus. |
| UserName | UnicodeString | — |
| UserSid | SID | — |
| CredentialType | UInt32 | — |
| DeploymentType | UInt32 | — |
| SoftwareLockoutCounter | UInt32 | — |
| AuthenticationErrorStatus | HexInt32 | — |
| AuthenticationErrorSubStatus | HexInt32 | — |
Event ID 7002 — Failed to load an existing Windows Hello container.
Event ID 7025 — The Error service failed to start.
Event ID 7030 — Windows Hello failed to create the sign-in certificate request.
Event ID 7031 — Windows Hello failed to install the sign-in certificate.
Event ID 7032 — Windows Hello failed to roll back from an unsuccessful sign-in certificate enrollment.
Event ID 7045 — Windows Hello processing failed with Processing_time.
Event ID 7052 — The new key request from the key pre-generation pool failed.
Description
The new key request from the key pre-generation pool failed.
Fields
| Name | Type | Description |
|---|---|---|
| Error | HexInt32 | — |
| ProcessingTime | UInt32 | — |
Event ID 7053 — The key pre-generation pool failed to pre-generate a key.
Description
The key pre-generation pool failed to pre-generate a key.
Fields
| Name | Type | Description |
|---|---|---|
| Error | HexInt32 | — |
| ProcessingTime | UInt32 | — |
Event ID 7054 — Windows Hello for Business prerequisites check failed.
Description
Windows Hello for Business prerequisites check failed.
Fields
| Name | Type | Description |
|---|---|---|
| Error | HexInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-HelloForBusiness",
"guid": "906B8A99-63CE-58D7-86AB-10989BBD5567",
"event_source_name": "",
"event_id": 7054,
"version": 0,
"level": 2,
"task": 12,
"opcode": 11,
"keywords": 9223372036854775809,
"time_created": "2022-04-07T16:48:31.714659+00:00",
"event_record_id": 6,
"correlation": {},
"execution": {
"process_id": 4128,
"thread_id": 4228
},
"channel": "Microsoft-Windows-HelloForBusiness/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"Error": "0x1"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7055 — Windows Hello container provisioning failed with Processing_time.
Event ID 7060 — Windows Hello failed to create a PIN recovery key for user Error.
Event ID 7065 — The cloud experience host scenario failed with Processing_time.
Event ID 7066 — Windows Hello sign-in certificate enrollment failed.
Event ID 7067 — Windows Hello failed to set a certificate property on a Windows Hello key.
Event ID 7130 — Windows Hello PIN Recovery failed to change the user's PIN.
Event ID 7200 — The device registration prerequisite check failed.
Description
The device registration prerequisite check failed.
Event ID 7201 — The Primary Account Primary Refresh Token prerequisite check failed.
Description
The Primary Account Primary Refresh Token prerequisite check failed.
Example Event
{
"system": {
"provider": "Microsoft-Windows-HelloForBusiness",
"guid": "906B8A99-63CE-58D7-86AB-10989BBD5567",
"event_source_name": "",
"event_id": 7201,
"version": 0,
"level": 2,
"task": 12,
"opcode": 12,
"keywords": 9223372036854775809,
"time_created": "2022-04-07T16:48:31.714659+00:00",
"event_record_id": 5,
"correlation": {},
"execution": {
"process_id": 4128,
"thread_id": 4228
},
"channel": "Microsoft-Windows-HelloForBusiness/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7202 — The device failed to meet the Windows Hello for Business hardware requirements.
Description
The device failed to meet the Windows Hello for Business hardware requirements.
Event ID 7203 — Windows Hello for Business is not enabled.
Description
Windows Hello for Business is not enabled.
Event ID 7204 — Windows Hello for Business post-logon provisioning is not enabled.
Description
Windows Hello for Business post-logon provisioning is not enabled.
Event ID 7205 — Windows Hello for Business failed to locate a usable sign-in certificate template.
Description
Windows Hello for Business failed to locate a usable sign-in certificate template.
Fields
| Name | Type | Description |
|---|---|---|
| Error | HexInt32 | — |
Event ID 7206 — Windows Hello for Business failed to locate a certificate registration authority.
Description
Windows Hello for Business failed to locate a certificate registration authority.
Event ID 7207 — Windows Hello for Business failed to locate an enterprise management client.
Description
Windows Hello for Business failed to locate an enterprise management client.
Event ID 7208 — Windows Hello for Business failed to locate a sign-in certificate profile.
Description
Windows Hello for Business failed to locate a sign-in certificate profile.
Event ID 7209 — Windows Hello for Business failed to locate a certificate payload for the sign-in certificate.
Description
Windows Hello for Business failed to locate a certificate payload for the sign-in certificate. The SCEP Request is not available.
Event ID 7210 — Windows Hello for Business detected the user running in a remote desktop session.
Description
Windows Hello for Business detected the user running in a remote desktop session.
Example Event
{
"system": {
"provider": "Microsoft-Windows-HelloForBusiness",
"guid": "906B8A99-63CE-58D7-86AB-10989BBD5567",
"event_source_name": "",
"event_id": 7210,
"version": 0,
"level": 2,
"task": 12,
"opcode": 12,
"keywords": 9223372036854775809,
"time_created": "2026-03-13T04:58:41.296416+00:00",
"event_record_id": 45,
"correlation": {},
"execution": {
"process_id": 3604,
"thread_id": 7852
},
"channel": "Microsoft-Windows-HelloForBusiness/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {},
"message": ""
}
Event ID 7211 — The Secondary Account Primary Refresh Token prerequisite check failed.
Description
The Secondary Account Primary Refresh Token prerequisite check failed.
Event ID 7225 — Windows Hello key creation failed with Processing_time.
Event ID 7226 — Windows Hello failed to delete the Key_Name key.
Event ID 7510 — Windows Hello key registration failed.
Event ID 7520 — Failed to authenticate the user's credential.
Event ID 7525 — AD/Azure AD plugin request failed with Processing_time.
Event ID 7555 — Windows Hello container creation failed.
Event ID 7601 — Windows Hello failed to delete the container in response to a policy change.
Event ID 7611 — Windows Hello failed to delete the container.
Event ID 7621 — Windows Hello failed to delete the user's Windows Hello certificates.
Event ID 7631 — Windows Hello failed to delete the user's biometric enrollments.
Event ID 7701 — Windows Hello failed to use secure biometrics protector due to secret encryption key loss.
Description
Windows Hello failed to use secure biometrics protector due to secret encryption key loss.
Event ID 8002 — Successfully loaded an existing KeyProvider Windows Hello container.
Event ID 8025 — The ServiceName service started successfully.
Description
The ServiceName service started successfully.
Fields
| Name | Type | Description |
|---|---|---|
| ServiceName | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-HelloForBusiness",
"guid": "906B8A99-63CE-58D7-86AB-10989BBD5567",
"event_source_name": "",
"event_id": 8025,
"version": 0,
"level": 16,
"task": 6,
"opcode": 12,
"keywords": 9223372036854775809,
"time_created": "2023-11-06T01:43:17.888294+00:00",
"event_record_id": 5,
"correlation": {},
"execution": {
"process_id": 1444,
"thread_id": 14060
},
"channel": "Microsoft-Windows-HelloForBusiness/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"ServiceName": "Microsoft Passport Container"
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8030 — Windows Hello created the sign-in certificate request successfully.
Description
Windows Hello created the sign-in certificate request successfully.
Event ID 8031 — Windows Hello installed the sign-in certificate successfully.
Description
Windows Hello installed the sign-in certificate successfully.
Event ID 8032 — Windows Hello successfully rolled back from an unsuccessful sign-in certificate enrollment.
Description
Windows Hello successfully rolled back from an unsuccessful sign-in certificate enrollment.
Event ID 8045 — Windows Hello processing completed successfully.
Event ID 8052 — The new key request from the key pre-generation pool completed successfully.
Description
The new key request from the key pre-generation pool completed successfully.
Fields
| Name | Type | Description |
|---|---|---|
| ProcessingTime | UInt32 | — |
Event ID 8053 — The key pre-generation pool successfully pre-generated a key.
Description
The key pre-generation pool successfully pre-generated a key.
Fields
| Name | Type | Description |
|---|---|---|
| ProcessingTime | UInt32 | — |
Event ID 8054 — Windows Hello for Business prerequisites check completed successfully.
Description
Windows Hello for Business prerequisites check completed successfully.
Example Event
{
"system": {
"provider": "Microsoft-Windows-HelloForBusiness",
"guid": "906B8A99-63CE-58D7-86AB-10989BBD5567",
"event_source_name": "",
"event_id": 8054,
"version": 0,
"level": 16,
"task": 12,
"opcode": 11,
"keywords": 9223372036854775809,
"time_created": "2022-04-07T16:57:32.150051+00:00",
"event_record_id": 18,
"correlation": {},
"execution": {
"process_id": 4128,
"thread_id": 4156
},
"channel": "Microsoft-Windows-HelloForBusiness/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8055 — Windows Hello container provisioning completed successfully.
Event ID 8060 — Windows Hello successfully created a PIN recovery key for user Processing_time.
Event ID 8065 — The cloud experience host completed successfully.
Event ID 8066 — Windows Hello sign-in certificate enrollment completed successfully.
Event ID 8067 — Windows Hello set a certificate property on a Windows Hello key.
Event ID 8130 — Windows Hello PIN Recovery successfully changed the user's PIN.
Event ID 8200 — The device registration prerequisite check completed successfully.
Description
The device registration prerequisite check completed successfully.
Event ID 8201 — The Primary Account Primary Refresh Token prerequisite check completed successfully.
Description
The Primary Account Primary Refresh Token prerequisite check completed successfully.
Event ID 8202 — The device meets Windows Hello for Business hardware requirements.
Description
The device meets Windows Hello for Business hardware requirements.
Event ID 8203 — Windows Hello for Business is enabled.
Description
Windows Hello for Business is enabled.
Event ID 8204 — Windows Hello for Business post-logon provisioning is enabled.
Description
Windows Hello for Business post-logon provisioning is enabled.
Event ID 8205 — Windows Hello for Business successfully located a usable sign-on certificate template.
Description
Windows Hello for Business successfully located a usable sign-on certificate template.
Event ID 8206 — Windows Hello for Business successfully located a certificate registration authority.
Description
Windows Hello for Business successfully located a certificate registration authority.
Event ID 8207 — Windows Hello for Business successfully located an enterprise management client.
Description
Windows Hello for Business successfully located an enterprise management client.
Event ID 8208 — Windows Hello for Business successfully located a sign-in certificate profile.
Description
Windows Hello for Business successfully located a sign-in certificate profile.
Event ID 8209 — Windows Hello for Business successfully located a certificate payload for the sign-in certificate.
Description
Windows Hello for Business successfully located a certificate payload for the sign-in certificate. The SCEP Request is available.
Event ID 8210 — Windows Hello for Business successfully completed the remote desktop prerequisite check.
Description
Windows Hello for Business successfully completed the remote desktop prerequisite check.
Example Event #
{
  "system": {
    "provider": "Microsoft-Windows-HelloForBusiness",
    "guid": "906B8A99-63CE-58D7-86AB-10989BBD5567",
    "event_source_name": "",
    "event_id": 8210,
    "version": 0,
    "level": 16,
    "task": 12,
    "opcode": 12,
    "keywords": 9223372036854775809,
    "time_created": "2022-04-07T16:57:32.150041+00:00",
    "event_record_id": 17,
    "correlation": {},
    "execution": {
      "process_id": 4128,
      "thread_id": 4156
    },
    "channel": "Microsoft-Windows-HelloForBusiness/Operational",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {},
  "message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 8211 — The Secondary Account Primary Refresh Token prerequisite check completed successfully.
Description
The Secondary Account Primary Refresh Token prerequisite check completed successfully.
Event ID 8225 — Windows Hello key creation completed successfully.
Event ID 8226 — Windows Hello successfully deleted a Key_Name KeyProvider key from the Windows Hello container.
Event ID 8510 — Windows Hello key registration completed successfully.
Description
Windows Hello key registration completed successfully.
Event ID 8520 — Successfully authenticated the user's credential.
Event ID 8525 — AD/Azure AD plugin request completed successfully.
Event ID 8555 — The Windows Hello container creation completed successfully.
Event ID 8601 — Windows Hello successfully deleted the container in response to a policy change.
Event ID 8611 — Windows Hello successfully deleted the container.
Description
Windows Hello successfully deleted the container.
Event ID 8621 — Windows Hello successfully deleted the user's Windows Hello certificates.
Description
Windows Hello successfully deleted the user's Windows Hello certificates.
Event ID 8631 — Windows Hello successfully deleted the user's biometric enrollments.
Description
Windows Hello successfully deleted the user's biometric enrollments.
Event ID 8632 — Windows Hello for Business successfully added a user entry to the Username/SID cache with the following information.
Description
Windows Hello for Business successfully added a user entry to the Username/SID cache with the following information.
Fields #
| Name | Description |
|---|---|
| Username UnicodeString | [Windows Hello for Business successfully added a user entry to the Username/SID cache with the following information] Username. |
| User_SID SID | [Windows Hello for Business successfully added a user entry to the Username/SID cache with the following information] User SID. |
| Domain UnicodeString | [Windows Hello for Business successfully added a user entry to the Username/SID cache with the following information] Domain. |
| UserEntered Boolean | [Windows Hello for Business successfully added a user entry to the Username/SID cache with the following information] User-Entered. |
| UserName UnicodeString | — |
| UserSid SID | — |
Event ID 8633 — Windows Hello for Business successfully removed a user entry to the Username/SID cache with the following information: User SID.
Description
Windows Hello for Business successfully removed a user entry to the Username/SID cache with the following information.
Fields #
| Name | Description |
|---|---|
| User_SID SID | [Windows Hello for Business successfully removed a user entry to the Username/SID cache with the following information] User SID. |
| UserSid SID | — |
Event ID 8634 — Windows Hello for Business found a user entry with a duplicate SID and successfully removed the unused username from the Username/SID cache: User S...
Description
Windows Hello for Business found a user entry with a duplicate SID and successfully removed the unused username from the Username/SID cache.
Fields #
| Name | Description |
|---|---|
| User_SID SID | [Windows Hello for Business found a user entry with a duplicate SID and successfully removed the unused username from the Username/SID cache] User SID. |
| Username UnicodeString | [Windows Hello for Business found a user entry with a duplicate SID and successfully removed the unused username from the Username/SID cache] Username. |
| Unused_Username UnicodeString | [Windows Hello for Business found a user entry with a duplicate SID and successfully removed the unused username from the Username/SID cache] Unused Username. |
| UserSid SID | — |
| UserName UnicodeString | — |
| UnusedUserName UnicodeString | — |
Event ID 8635 — Windows Hello for Business found a user entry with a duplicate username and successfully removed the unused SID from the Username/SID cache: Userna...
Description
Windows Hello for Business found a user entry with a duplicate username and successfully removed the unused SID from the Username/SID cache.
Fields #
| Name | Description |
|---|---|
| Username UnicodeString | [Windows Hello for Business found a user entry with a duplicate username and successfully removed the unused SID from the Username/SID cache] Username. |
| User_SID SID | [Windows Hello for Business found a user entry with a duplicate username and successfully removed the unused SID from the Username/SID cache] User SID. |
| Unused_User_SID SID | [Windows Hello for Business found a user entry with a duplicate username and successfully removed the unused SID from the Username/SID cache] Unused User SID. |
| UserName UnicodeString | — |
| UserSid SID | — |
| UnusedUserSid SID | — |
Event ID 8636 — Windows Hello for Business found a stale SID in the Username/SID cache.
Description
Windows Hello for Business found a stale SID in the Username/SID cache.
Fields #
| Name | Description |
|---|---|
| Username UnicodeString | [Windows Hello for Business found a stale SID in the Username/SID cache] Username. |
| User_SID SID | [Windows Hello for Business found a stale SID in the Username/SID cache] User SID. |
| Stale_User_SID SID | [Windows Hello for Business found a stale SID in the Username/SID cache] Stale User SID. |
| UserName UnicodeString | — |
| CurrentlyMostRecentUserSid SID | — |
| StaleUserSid SID | — |
Event ID 8637 — Windows Hello for Business found a stale username in the Username/SID cache.
Description
Windows Hello for Business found a stale username in the Username/SID cache.
Fields #
| Name | Description |
|---|---|
| User_SID SID | [Windows Hello for Business found a stale username in the Username/SID cache] User SID. |
| Username UnicodeString | [Windows Hello for Business found a stale username in the Username/SID cache] Username. |
| Stale_Username UnicodeString | [Windows Hello for Business found a stale username in the Username/SID cache] Stale Username. |
| UserSid SID | — |
| CurrentlyMostRecentUserName UnicodeString | — |
| StaleUserName UnicodeString | — |
Event ID 8638 — Windows Hello for Business removed a stale SID from the Username/SID cache: Stale User SID.
Event ID 8639 — Windows Hello for Business removed a stale username from the Username/SID cache.
Description
Windows Hello for Business removed a stale username from the Username/SID cache.
Fields #
| Name | Description |
|---|---|
| User_SID SID | [Windows Hello for Business removed a stale username from the Username/SID cache] User SID. |
| Stale_Username UnicodeString | [Windows Hello for Business removed a stale username from the Username/SID cache] Stale Username. |
| UserSid SID | — |
| StaleUserName UnicodeString | — |