Event ID 6423 — The installation of this device is forbidden by system policy.

Provider: Microsoft-Windows-Security-Auditing
Channel: Security
Audit Policy: Detailed Tracking → Plug and Play Events
Collection Priority: Recommended (Yamato Security)
Opcode: Info

Description

The installation of this device is forbidden by system policy.

Message #

The installation of this device is forbidden by system policy.

Subject:
	Security ID: %1
	Account Name: %2
	Account Domain: %3
	Logon ID: %4

Device ID: %5

Device Name: %6

Class ID: %7

Class Name: %8

Hardware IDs: %9

Compatible IDs: %10

Location Information: %11

Fields #

Name	Description
`SubjectUserSid` SID	[Subject] Security ID
`SubjectUserName` UnicodeString	[Subject] Account Name
`SubjectDomainName` UnicodeString	[Subject] Account Domain
`SubjectLogonId` HexInt64	[Subject] Logon ID
`DeviceId` UnicodeString	Device ID
`DeviceDescription` UnicodeString	Device Name
`ClassId` GUID	Class ID
`ClassName` UnicodeString	Class Name
`HardwareIds` UnicodeString	Hardware IDs
`CompatibleIds` UnicodeString	Compatible IDs
`LocationInformation` UnicodeString	Location Information

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Device Installation Blocked source medium: Detects an installation of a device that is forbidden by the system policy

References #

Microsoft Learn Audit Policy https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity