Microsoft-Windows-User Device Registration

220 events across 3 channels

Event ID	Title	Channel
100	The discovery request send operation was successful.	Admin
101	The discovery operation callback was successful.	Admin
102	The initialization of the join request was successful.	Admin
103	The join request was successfully sent to server.	Admin
104	The get join response operation callback was successful.	Admin
105	The complete join response operation was successful.	Admin
106	The post join tasks for the AAD Authentication Package completed successfully.	Admin
107	The existing NGC user ID key was successfully deleted.	Admin
108	The NGC container was successfully created.	Admin
109	The NGC user ID key was successfully created.	Admin
110	The registration status has been successfully cleared from the device.	Admin
111	The registration status has been successfully flushed to disk.	Admin
112	Hostname related error received.	Admin
200	The discovery request send operation failed with exit code.	Admin
201	The discovery operation callback failed with exit code.	Admin
202	The initialization of the join request failed with exit code.	Admin
203	The send join request operation failed with exit code.	Admin
204	The get join response operation callback failed with exit code.	Admin
205	The complete join response operation failed with exit code.	Admin
206	The post join tasks for the Microsoft Entra Authentication Package failed with …	Admin
207	The parameter value should not be NULL or empty.	Admin
208	Unable to remove account %2 from group %1.	Admin
209	Unable to convert the string-format security identifier (SID) %1 to a functional …	Admin
210	Unable to retrieve account information for security identifier (SID) %1.	Admin
211	Unable to add account %2 to group %1.	Admin
212	Error happened while accessing registry.	Admin
213	Unable to connect to Local Security Authority (LSA) server.	Admin
214	Unable to lookup Local Security Authority (LSA) authentication package.	Admin
215	Local Security Authority (LSA) authentication failed.	Admin
216	The security identifier (SID) is invalid.	Admin
217	Unable to copy security identifier (SID) %1.	Admin
218	The string %1 is not a valid email address.	Admin
219	Unable to retrieve the Active Directory domain join status information of the …	Admin
220	Unable to retrieve the local computer's name in the specified format %1.	Admin
221	Unable to connect to the LDAP server %1:%2 using authentication method %3.	Admin
222	Unable to convert the SID structure to its string-format.	Admin
223	Unable to set WinHTTP option %1.	Admin
224	Unable to query WinHTTP option %1.	Admin
225	Unable to initialize WinHTTP.	Admin
226	Unable to connect to server %1:%2 through WinHTTP.	Admin
227	Unable to open WinHTTP %1 request.	Admin
228	Unable to set WinHTTP call back function.	Admin
229	Unable to retrieve WinHTTP header information.	Admin
230	Unable to send WinHTTP request.	Admin
231	One or more errors were encountered while retrieving a Secure Sockets Layer …	Admin
232	The WinHTTP callback function was cancelled.	Admin
233	The WinHTTP callback function failed.	Admin
234	Unalbed to query the amount of data available to read through WinHTTP.	Admin
235	WinHTTP read data failure.	Admin
236	WinHTTP write data failure.	Admin
237	Unable to setup a certificate from the given encoded string.	Admin
238	Unable to save the certificate.	Admin
239	Unable to clear the registration status from the device.	Admin
240	Unable to flush the registration status to disk.	Admin
241	KSP session ID.	Admin
242	Account %2 was added to group %1.	Admin
243	Account %2 was removed from group %1.	Admin
244	Unable to sign authentication data for managed automatic registration.	Admin
245	Unable to verify or update the signing certificate for automatic registration.	Admin
246	Unable to get persisted state location.	Admin
247	Unable to remove Microsoft Passport key registration for all local Active …	Admin
248	Unable to check whether the attribute value of the device object is up to date.	Admin
249	Unable to start updating attribute value of the device object.	Admin
250	Updating attribute value of the device object started successfully.	Admin
251	The attribute value of the device object was updated successfully.	Admin
252	Unable to update the attribute value of the device object.	Admin
253	Unable to parse the device attribute update server response.	Admin
254	Unable to check MDM enrollment status of the device.	Admin
255	Unable to trigger update task for this device.	Admin
256	The update task for this device was successfully triggered.	Admin
257	The task %1\%2 was successfully enabled.	Admin
258	Failed to enable task %2\%3.	Admin
259	The task %1\%2 was successfully disabled.	Admin
260	Failed to disable task %2\%3.	Admin
261	The repair join information operation failed.	Admin
262	The repair join information operation completed successfully.	Admin
263	The repair join information operation failed to start.	Admin
264	The repair join information operation started successfully.	Admin
265	The virtual desktop registry has %2 value(s) missing.	Admin
266	The virtual desktop registry value is invalid.	Admin
267	Failed to read virtual desktop settings from registry.	Admin
268	The virtual desktop settings were successfully retrieved from the registry.	Admin
269	Unable to parse the AIK update server response.	Admin
270	Unable to start updating token binding AIK of the device object.	Admin
271	Updating token binding AIK of the device object started successfully.	Admin
272	The token binding AIK of the device object was updated successfully.	Admin
273	Unable to update the token binding AIK of the device object.	Admin
274	Failed to configure KDC proxy group policy.	Admin
275	Failed to restore KDC proxy local group policy to its original value.	Admin
276	The KDC Proxy group policy setting is incorrect.	Admin
277	The KDC proxy group policy has been configured successfully.	Admin
278	The KDC proxy local group policy has been restored to its original value.	Admin
300	The Microsoft Passport key was successfully registered with Azure AD.	Admin
301	NGC key registration failed.	Admin
302	The NGC key registration request was successfully sent.	Admin
303	The NGC key registration initialization operation failed.	Admin
304	Automatic registration failed at join phase.	Admin
305	Automatic registration failed at authentication phase.	Admin
306	Automatic registration Succeeded.	Admin
307	Automatic registration failed.	Admin
308	This Device is joined to Azure AD, however, the user did not sign-in with an …	Admin
309	Failed to discover the Azure AD DRS service.	Admin
310	Unable to retrieve the NGC user ID key with name %1.	Admin
311	The NGC create container operation failed.	Admin
312	The existing NGC container was successfully deleted.	Admin
314	Unable to delete NGC container.	Admin
315	Unable to create NGC user ID key.	Admin
316	Unable to retrieve the specified NGC user ID key.	Admin
317	Unable to delete NGC user ID key.	Admin
318	Unable to create NGC transport key.	Admin
319	Unable to delete NGC transport key.	Admin
320	Unable to parse the NGC registration server response.	Admin
321	Failed to enable the device lock PIN.	Admin
322	The application does not have the permission to perform this operation.	Admin
323	Preparing to send a request to the Web Account Manager.	Admin
324	Unable to get a token using the Web Account Manager.	Admin
325	Successfully obtained a token for the current user via token broker.	Admin
326	Unable to get the application's core window.	Admin
327	Unable to remove the PIN that has been created to use in place of the current …	Admin
328	Unable to check whether a PIN has been created to use in place of the current …	Admin
329	Preparing to send a request to the Web Account Manager silently (no UI mode).	Admin
330	Azure DRS and Enterprise DRS are configured for this device.	Admin
331	Automatic device join pre-check tasks completed.	Admin
332	Automatic device join pre-check tasks found that this device is joined, however, …	Admin
333	Automatic device join pre-check tasks completed.	Admin
334	Automatic device join pre-check tasks completed.	Admin
335	Automatic device join pre-check tasks completed.	Admin
336	The Web Proxy Autodiscovery Protocol (WPAD) did NOT locate the URL of a …	Admin
337	The request was sent to the server through the out-bound proxy and failed with …	Admin
338	The Web Proxy Autodiscovery Protocol (WPAD) located the URL of a configuration …	Admin
339	The following out-bound proxy information was set for this request.	Admin
340	The Web Proxy Autodiscovery Protocol (WPAD) encountered an unexpected error.	Admin
341	This request will NOT fail over to a proxy server.	Admin
342	Unable to query Passport for Work policies.	Admin
343	Unable to enumerate Passport for Work containers.	Admin
344	Failed to access the device key.	Admin
345	Failed to access the device key.	Admin
346	The Microsoft Passport key was successfully removed from Azure AD.	Admin
347	Failed to remove the Microsoft Passport key from Azure AD.	Admin
348	The Microsoft Passport delete key registration request was successfully sent.	Admin
349	Failed to initialize the Microsoft Passport delete key registration request.	Admin
350	The Microsoft Passport key information was successfully saved.	Admin
351	Failed to save the Microsoft Passport key information.	Admin
352	The Microsoft Passport key information was successfully deleted.	Admin
353	Failed to delete the Microsoft Passport key information.	Admin
354	Json Request Failed.	Admin
355	Successfully enrolled for a logon certificate using a Registration Authority.	Admin
356	Failed to enroll for a logon certificate using a Registration Authority.	Admin
357	Group Policy indicates the user must enroll for a logon certificate along with …	Admin
358	%1 Device is Microsoft Entra joined (or hybrid joined): %2 User has logged on …	Admin
359	Windows Hello for Business provisioning has encountered an error during policy …	Admin
360	%1 Device is Microsoft Entra joined (or hybrid joined): %2 User has logged on …	Admin
361	%1 Device is Microsoft Entra joined (or hybrid joined): %2 User has logged on …	Admin
362	%1 Device is Microsoft Entra joined (or hybrid joined): %2 User has logged on …	Admin
363	The Microsoft Passport key is missing.	Admin
364	The saved Microsoft Passport information does not match the key.	Admin
365	Unable to enroll for a logon certificate using a Registration Authority.	Admin
366	Unable to enroll for a logon certificate using a Registration Authority.	Admin
367	Added following properties to the Web Account Manager access token request.	Admin
368	The following token properties were recieved from the Web Account Manager: …	Admin
369	The Workstation Service logged a device registration message.	Admin
370	The automatic device registration task failed to unregister device.	Admin
371	The automatic device registration task successfully unregistered device.	Admin
372	The FIDO credential was successfully registered with Azure AD.	Admin
373	FIDO credential registration failed.	Admin
374	The FIDO credential registration request was successfully sent.	Admin
375	The FIDO credential registration initialization operation failed.	Admin
376	The FIDO credential was successfully created.	Admin
377	Unable to create FIDO credential.	Admin
378	The FIDO credentials were successfully deleted from Azure AD.	Admin
379	FIDO credential deletion failed.	Admin
380	The FIDO credential deletion request was successfully sent.	Admin
381	The FIDO credential deletion initialization operation failed.	Admin
382	Unable to parse the FIDO registration server response.	Admin
383	The PIN has been successfully recovered.	Admin
384	The PIN recover operation failed with exit code.	Admin
385	Unable to get attestation statement for Microsoft Passport key.	Admin
386	Successfully got attestation statement for Microsoft Passport key.	Admin
387	Unable to reset registry recovery flags.	Admin
388	Recovery API %1 called.	Admin
389	Automatic Azure SecureVM Join Succeeded.	Admin
390	Resource account certificate does not match device ceritificate.	Admin
391	Unable to get the NGC user ID key container state.	Admin
392	The NGC user ID key container is in a bad state.	Admin
393	NGC logon certificate could not be renewed due to device ID flip.	Admin
394	Unable to set registry value for device ID flip.	Admin
395	Unable to unset registry value for device ID flip.	Admin
396	Key policy in registry is set to unsupported value %1.	Admin
397	MDM enrollment for Azure SecureVM succeeded.	Admin
398	MDM enrollment for Azure SecureVM failed.	Admin
399	Attempt to discover enrollment URL for MDM auto-enrollment failed.	Admin
400	All attempts to discover enrollment URL for MDM auto-enrollment failed.	Admin
401	No MDM enrollment URL was discoverered for MDM auto-enrollment.	Admin
402	Attempt to discover enrollment URL for MDM auto-enrollment failed.	Admin
403	Attempt to get token for MDM auto-enrollment failed.	Admin
404	All attempts to get WAM token for MDM auto-enrollment failed.	Admin
405	Requsting token for MDM auto-enrollment failed.	Admin
406	Unenrolling from MDM failed.	Admin
407	Successfully unenrolled from MDM.	Admin
408	Failed to import NGC proof-of-possession key.	Admin
409	Failed to get NGC transport key name.	Admin
410	Failed to get NGC transport key.	Admin
411	The parameter is invalid.	Admin
412	Unsupported public key structure format encountered.	Admin
413	Token binding AIK creation failed.	Admin
414	Token binding AIK deletion failed.	Admin
415	Token binding AIK was successfully created.	Admin
416	Token binding AIK was successfully deleted.	Admin
417	Failed to get token binding AIK name.	Admin
418	Hardware policy in registry is set to unsupported value %1.	Admin
419	NGC transport key creation with key type %5 failed.	Admin
420	Automatic registration failed at authentication phase.	Admin
421		Admin
421		Operational
500		Debug
501		Debug
502		Debug
503		Debug
504		Debug
4096	The automatic device registration task will be triggered.	Admin

Event ID 100 — The discovery request send operation was successful.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The discovery request send operation was successful.

Event ID 101 — The discovery operation callback was successful.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The discovery operation callback was successful. 
Server response was: %1

Fields

Name	Description
`ServerMessage`	—

Event ID 102 — The initialization of the join request was successful.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The initialization of the join request was successful. Inputs:
 JoinRequest: %1 (%2)
 Domain: %3

Fields

Name	Description
`JoinRequestType`	—
`JoinRequestTypeSymbolicName`	—
`Domain`	—

Event ID 103 — The join request was successfully sent to server.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The join request was successfully sent to server. Inputs:
 AuthToken: %1

Fields

Name	Description
`AuthToken`	—

Event ID 104 — The get join response operation callback was successful.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The get join response operation callback was successful. 
Activity Id: %2 
Server response was: %1

Fields

Name	Description
`ServerResponse`	—
`ActivityId`	—

Event ID 105 — The complete join response operation was successful.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The complete join response operation was successful.

Event ID 106 — The post join tasks for the AAD Authentication Package completed successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The post join tasks for the Microsoft Entra Authentication Package completed successfully.

Event ID 107 — The existing NGC user ID key was successfully deleted.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The existing NGC user ID key was successfully deleted. Key name: %1.

Fields

Name	Description
`KeyName`	—

Event ID 108 — The NGC container was successfully created.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The NGC container was successfully created. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
Flags: %4

Fields

Name	Description
`UserSid`	—
`IdpDomain`	—
`TenantDomain`	—
`Flags`	—

Event ID 109 — The NGC user ID key was successfully created.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The NGC user ID key was successfully created. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
User ID: %4 
Flags: %5

Fields

Name	Description
`UserSid`	—
`IdpDomain`	—
`TenantDomain`	—
`UserId`	—
`Flags`	—

Event ID 110 — The registration status has been successfully cleared from the device.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The registration status has been successfully cleared from the device. 
Join type: %1 (%2) 
Tenant ID: %3 
UPN: %4

Fields

Name	Description
`JoinType`	—
`JoinTypeSymbolicName`	—
`TenantId`	—
`UPN`	—

Event ID 111 — The registration status has been successfully flushed to disk.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The registration status has been successfully flushed to disk. 
Join type: %1 (%2)

Fields

Name	Description
`JoinRequestType`	—
`JoinRequestTypeSymbolicName`	—

Event ID 112 — Hostname related error received.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Hostname related error received. Retry join without hostnames.

Event ID 200 — The discovery request send operation failed with exit code.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The discovery request send operation failed with exit code: %1. Inputs:
 Domain: %2

Fields

Name	Description
`ExitCode`	—
`Domain`	—

Event ID 201 — The discovery operation callback failed with exit code.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The discovery operation callback failed with exit code: %1. The server returned HTTP status: %2. 
Server response was:
%3

Fields

Name	Description
`ExitCode`	—
`HttpStatus`	—
`ServerMessage`	—

Event ID 202 — The initialization of the join request failed with exit code.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The initialization of the join request failed with exit code: %1. Inputs:
 JoinRequest: %2 (%3)
 Domain: %4

Fields

Name	Description
`ExitCode`	—
`JoinRequestType`	—
`JoinRequestTypeSymbolicName`	—
`Domain`	—

Event ID 203 — The send join request operation failed with exit code.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The send join request operation failed with exit code: %1. Inputs:
 AuthToken: %2

Fields

Name	Description
`ExitCode`	—
`ActivityId`	—

Event ID 204 — The get join response operation callback failed with exit code.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The get join response operation callback failed with exit code: %1. 
Activity Id: %2 
The server returned HTTP status: %3 
Server response was: %4

Fields

Name	Description
`ExitCode`	—
`ActivityId`	—
`HttpStatus`	—
`ServerResponse`	—

Event ID 205 — The complete join response operation failed with exit code.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The complete join response operation failed with exit code: %1.

Fields

Name	Description
`ExitCode`	—

Event ID 206 — The post join tasks for the Microsoft Entra Authentication Package failed with exit code.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The post join tasks for the Microsoft Entra Authentication Package failed with exit code: %1

Fields

Name	Description
`ExitCode`	—

Event ID 207 — The parameter value should not be NULL or empty.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The parameter value should not be NULL or empty. Function: %1; Parameter: %2.

Fields

Name	Description
`FunctionName`	—
`ParameterName`	—

Event ID 208 — Unable to remove account %2 from group %1.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to remove account %2 from group %1. Error: %3

Fields

Name	Description
`Group`	—
`UserSID`	—
`ErrorCode`	—

Event ID 209 — Unable to convert the string-format security identifier (SID) %1 to a functional SID.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to convert the string-format security identifier (SID) %1 to a functional SID. Error: %2

Fields

Name	Description
`SID`	—
`ErrorCode`	—

Event ID 210 — Unable to retrieve account information for security identifier (SID) %1.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to retrieve account information for security identifier (SID) %1. Error: %2

Fields

Name	Description
`SID`	—
`ErrorCode`	—

Event ID 211 — Unable to add account %2 to group %1.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to add account %2 to group %1. Error: %3

Fields

Name	Description
`Group`	—
`UserSID`	—
`ErrorCode`	—

Event ID 212 — Error happened while accessing registry.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Error happened while accessing registry: %1. Operation: %2. Path: %3.

Fields

Name	Description
`ErrorCode`	—
`Operation`	—
`Path`	—

Event ID 213 — Unable to connect to Local Security Authority (LSA) server.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to connect to Local Security Authority (LSA) server. Error: %1

Fields

Name	Description
`NtStatus`	—

Event ID 214 — Unable to lookup Local Security Authority (LSA) authentication package.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to lookup Local Security Authority (LSA) authentication package. Package name: %1. Error: %2

Fields

Name	Description
`PackageName`	—
`NtStatus`	—

Event ID 215 — Local Security Authority (LSA) authentication failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Local Security Authority (LSA) authentication failed. 
Authentication package identifier: %1. 
Authentication package name: %2. 
Authentication package message: %3. 
Error: %4

Fields

Name	Description
`PackageId`	—
`PackageName`	—
`PackageMessage`	—
`NtStatus`	—

Event ID 216 — The security identifier (SID) is invalid.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The security identifier (SID) is invalid. Function name: %1. Parameter name: %2.

Fields

Name	Description
`FunctionName`	—
`ParameterName`	—

Event ID 217 — Unable to copy security identifier (SID) %1.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to copy security identifier (SID) %1. Error: %2

Fields

Name	Description
`SID`	—
`ErrorCode`	—

Event ID 218 — The string %1 is not a valid email address.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The string %1 is not a valid email address.

Fields

Name	Description
`Email`	—

Event ID 219 — Unable to retrieve the Active Directory domain join status information of the computer.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to retrieve the Active Directory domain join status information of the computer. Error: %1

Fields

Name	Description
`ErrorCode`	—

Event ID 220 — Unable to retrieve the local computer's name in the specified format %1.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to retrieve the local computer's name in the specified format %1. Error: %2

Fields

Name	Description
`Format`	—
`ErrorCode`	—

Event ID 221 — Unable to connect to the LDAP server %1:%2 using authentication method %3.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to connect to the LDAP server %1:%2 using authentication method %3. Error: %4

Fields

Name	Description
`Server`	—
`Port`	—
`AuthMethod`	—
`ErrorCode`	—

Event ID 222 — Unable to convert the SID structure to its string-format.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to convert the SID structure to its string-format. Error: %1

Fields

Name	Description
`ErrorCode`	—

Event ID 223 — Unable to set WinHTTP option %1.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to set WinHTTP option %1. Error: %2

Fields

Name	Description
`Option`	—
`ErrorCode`	—

Event ID 224 — Unable to query WinHTTP option %1.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to query WinHTTP option %1. Error: %2

Fields

Name	Description
`Option`	—
`ErrorCode`	—

Event ID 225 — Unable to initialize WinHTTP.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to initialize WinHTTP. 
User agent: %1 
Access type: %2 
Proxy name: %3 
Proxy bypass address list: %4 
Flags: %5 
Error: %6

Fields

Name	Description
`UserAgent`	—
`AccessType`	—
`ProxyName`	—
`ProxyBypassList`	—
`Flags`	—
`ErrorCode`	—

Event ID 226 — Unable to connect to server %1:%2 through WinHTTP.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to connect to server %1:%2 through WinHTTP. Error: %3

Fields

Name	Description
`Server`	—
`Port`	—
`ErrorCode`	—

Event ID 227 — Unable to open WinHTTP %1 request.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to open WinHTTP %1 request. Flags: %2. Error: %3

Fields

Name	Description
`Verb`	—
`Flags`	—
`ErrorCode`	—

Event ID 228 — Unable to set WinHTTP call back function.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to set WinHTTP call back function. Notification flags: %1. Error: %2

Fields

Name	Description
`NotificationFlags`	—
`ErrorCode`	—

Event ID 229 — Unable to retrieve WinHTTP header information.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to retrieve WinHTTP header information. Flags: %1. Name: %2. Error: %3

Fields

Name	Description
`Flags`	—
`HeaderName`	—
`ErrorCode`	—

Event ID 230 — Unable to send WinHTTP request.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to send WinHTTP request. Error: %1

Fields

Name	Description
`ErrorCode`	—

Event ID 231 — One or more errors were encountered while retrieving a Secure Sockets Layer (SSL) certificate from the server.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

One or more errors were encountered while retrieving a Secure Sockets Layer (SSL) certificate from the server.  
Error code: %1 
WinHTTP status: %2 (%3)

Fields

Name	Description
`ErrorCode`	—
`WinHttpStatus`	—
`WinHttpStatusFlag`	—

Event ID 232 — The WinHTTP callback function was cancelled.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The WinHTTP callback function was cancelled. WINHTTP_STATUS_CALLBACK status code: %1 (%2)

Fields

Name	Description
`StatusCode`	—
`StatusName`	—

Event ID 233 — The WinHTTP callback function failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The WinHTTP callback function failed. WINHTTP_STATUS_CALLBACK status code: %1 (%3). Error: %2

Fields

Name	Description
`StatusCode`	—
`ErrorCode`	—
`StatusName`	—

Event ID 234 — Unalbed to query the amount of data available to read through WinHTTP.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unalbed to query the amount of data available to read through WinHTTP. Error: %1

Fields

Name	Description
`ErrorCode`	—

Event ID 235 — WinHTTP read data failure.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

WinHTTP read data failure. Error: %1

Fields

Name	Description
`ErrorCode`	—

Event ID 236 — WinHTTP write data failure.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

WinHTTP write data failure. Error: %1

Fields

Name	Description
`ErrorCode`	—

Event ID 237 — Unable to setup a certificate from the given encoded string.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to setup a certificate from the given encoded string. Error: %1

Fields

Name	Description
`ErrorCode`	—

Event ID 238 — Unable to save the certificate.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to save the certificate. Error: %1

Fields

Name	Description
`ErrorCode`	—

Event ID 239 — Unable to clear the registration status from the device.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to clear the registration status from the device. 
Exit code: %1 
Join type: %2 (%3) 
Tenant ID: %4 
UPN: %5

Fields

Name	Description
`ExitCode`	—
`JoinType`	—
`JoinTypeSymbolicName`	—
`TenantId`	—
`UPN`	—

Event ID 240 — Unable to flush the registration status to disk.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to flush the registration status to disk. 
Exit code: %1 
Join type: %2 (%3)

Fields

Name	Description
`ExitCode`	—
`JoinRequestType`	—
`JoinRequestTypeSymbolicName`	—

Event ID 241 — KSP session ID.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

KSP session ID: %1

Fields

Name	Description
`KspSessionID`	—

Event ID 242 — Account %2 was added to group %1.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Account %2 was added to group %1.

Fields

Name	Description
`Group`	—
`UserSID`	—

Event ID 243 — Account %2 was removed from group %1.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Account %2 was removed from group %1.

Fields

Name	Description
`Group`	—
`UserSID`	—

Event ID 244 — Unable to sign authentication data for managed automatic registration.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to sign authentication data for managed automatic registration. Exit code: %1.

Fields

Name	Description
`ExitCode`	—

Event ID 245 — Unable to verify or update the signing certificate for automatic registration.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to verify or update the signing certificate for automatic registration. Exit code: %1.

Fields

Name	Description
`ExitCode`	—

Event ID 246 — Unable to get persisted state location.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to get persisted state location. 
Exit code: %1 
Resource ID: %2 
Default location: %3 
Location type: %4 (%5)

Fields

Name	Description
`ErrorCode`	—
`SourceId`	—
`DefaultPath`	—
`LocationType`	—
`LocationTypeName`	—

Event ID 247 — Unable to remove Microsoft Passport key registration for all local Active Directory and Azure Active Directory users.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to remove Microsoft Passport key registration for all local Active Directory and Microsoft Entra users. 
Exit code: %1

Fields

Name	Description
`ExitCode`	—

Event ID 248 — Unable to check whether the attribute value of the device object is up to date.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to check whether the attribute value of the device object is up to date. 
Exit code: %1 
Attribute: %2 
Tenant ID: %3 
Device ID: %4 
Join type: %5 (%6)

Fields

Name	Description
`ExitCode`	—
`Attribute`	—
`TenantId`	—
`DeviceId`	—
`JoinType`	—
`JoinTypeName`	—

Event ID 249 — Unable to start updating attribute value of the device object.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to start updating attribute value of the device object. 
Exit code: %1 
Attribute: %2 
Tenant ID: %3 
Device ID: %4 
Join type: %5 (%6) 
Request ID: %7

Fields

Name	Description
`ExitCode`	—
`Attribute`	—
`TenantId`	—
`DeviceId`	—
`JoinType`	—
`JoinTypeName`	—
`RequestId`	—

Event ID 250 — Updating attribute value of the device object started successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Updating attribute value of the device object started successfully. 
Attribute: %1 
Tenant ID: %2 
Device ID: %3 
Join type: %4 (%5) 
Request ID: %6

Fields

Name	Description
`Attribute`	—
`TenantId`	—
`DeviceId`	—
`JoinType`	—
`JoinTypeName`	—
`RequestId`	—

Event ID 251 — The attribute value of the device object was updated successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The attribute value of the device object was updated successfully. 
Attribute: %1 
Tenant ID: %2 
Device ID: %3 
Join type: %4 (%5) 
Request ID: %6 
HTTP status: %7 
Time: %8 
Server message: %9 
Server response body: %10

Fields

Name	Description
`Attribute`	—
`TenantId`	—
`DeviceId`	—
`JoinType`	—
`JoinTypeName`	—
`RequestId`	—
`HttpStatus`	—
`ServerTime`	—
`ServerMessage`	—
`ResponseBody`	—

Event ID 252 — Unable to update the attribute value of the device object.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to update the attribute value of the device object. 
Exit code: %1 
Attribute: %2 
Tenant ID: %3 
Device ID: %4 
Join type: %5 (%6) 
Request ID: %7 
HTTP status: %8 
Time: %9 
Error Code: %12 
Error Subcode: %13 
Server message: %10 
Server response body: %11

Fields

Name	Description
`ExitCode`	—
`Attribute`	—
`TenantId`	—
`DeviceId`	—
`JoinType`	—
`JoinTypeName`	—
`RequestId`	—
`HttpStatus`	—
`ServerTime`	—
`ServerMessage`	—
`ResponseBody`	—
`ErrorCode`	—
`ErrorSubcode`	—

Event ID 253 — Unable to parse the device attribute update server response.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to parse the device attribute update server response. 
HTTP status: %1 
Server response body: %2 
Error: %3

Fields

Name	Description
`HttpStatus`	—
`ResponseBody`	—
`ErrorCode`	—

Event ID 254 — Unable to check MDM enrollment status of the device.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to check MDM enrollment status of the device. 
Error: %1

Fields

Name	Description
`ErrorCode`	—

Event ID 255 — Unable to trigger update task for this device.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to trigger update task for this device. 
Error: %1 
Join type: %2 (%3) 
Tenant ID: %4

Fields

Name	Description
`ErrorCode`	—
`JoinType`	—
`JoinTypeName`	—
`TenantId`	—

Event ID 256 — The update task for this device was successfully triggered.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The update task for this device was successfully triggered. 
Join type: %1 (%2) 
Tenant ID: %3

Fields

Name	Description
`JoinType`	—
`JoinTypeName`	—
`TenantId`	—

Event ID 257 — The task %1\%2 was successfully enabled.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: 4
Samples: 1

Message

The task %1\%2 was successfully enabled.

Fields

Name	Description
`Folder`	—
`TaskName`	—

Example Event

system:
  provider: Microsoft-Windows-User Device Registration
  guid: 23B8D46B-67DD-40A3-B636-D43E50552C6D
  event_source_name: ''
  event_id: 257
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T16:53:21.781532+00:00'
  event_record_id: 25
  correlation: {}
  execution:
    process_id: 1792
    thread_id: 2032
  channel: Microsoft-Windows-User Device Registration/Admin
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-20
event_data:
  Folder: \Microsoft\Windows\Workplace Join
  TaskName: Automatic-Device-Join
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 258 — Failed to enable task %2\%3.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: 3
Samples: 1

Message

Failed to enable task %2\%3. Error: %1

Fields

Name	Description
`ErrorCode`	—
`Folder`	—
`TaskName`	—

Example Event

system:
  provider: Microsoft-Windows-User Device Registration
  guid: 23B8D46B-67DD-40A3-B636-D43E50552C6D
  event_source_name: ''
  event_id: 258
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T16:53:16.759761+00:00'
  event_record_id: 24
  correlation: {}
  execution:
    process_id: 1792
    thread_id: 2032
  channel: Microsoft-Windows-User Device Registration/Admin
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-20
event_data:
  ErrorCode: -2147023728
  Folder: \Microsoft\Windows\Workplace Join
  TaskName: Automatic-Device-Join
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 259 — The task %1\%2 was successfully disabled.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The task %1\%2 was successfully disabled.

Fields

Name	Description
`Folder`	—
`TaskName`	—

Event ID 260 — Failed to disable task %2\%3.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Failed to disable task %2\%3. Error: %1

Fields

Name	Description
`ErrorCode`	—
`Folder`	—
`TaskName`	—

Event ID 261 — The repair join information operation failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The repair join information operation failed. 
Exit code: %1 
Tenant ID: %2 
Device ID: %3 
Join Type: %4 (%5) 
Request Id: %6 
Time: %7 
Http Status: %8 
Error Code: %9 
Error Subcode: %10 
Server Message: %11 
Server Operation: %12

Fields

Name	Description
`ExitCode`	—
`TenantId`	—
`DeviceId`	—
`JoinType`	—
`JoinTypeName`	—
`RequestId`	—
`Time`	—
`HttpStatus`	—
`ErrorCode`	—
`ErrorSubcode`	—
`ServerMessage`	—
`ServerOperation`	—

Event ID 262 — The repair join information operation completed successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The repair join information operation completed successfully. 
Tenant ID: %1 
Device ID: %2 
Join UPN: %3 
Join Type: %4 (%5) 
Request Id: %6 
Time: %7 
Http Status: %8

Fields

Name	Description
`TenantId`	—
`DeviceId`	—
`JoinUpn`	—
`JoinType`	—
`JoinTypeName`	—
`RequestId`	—
`Time`	—
`HttpStatus`	—

Event ID 263 — The repair join information operation failed to start.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The repair join information operation failed to start. 
Exit code: %1 
Tenant ID: %2 
Join Type: %3 (%4) 
Input UPN: %5 
Input UPN Count: %6 
Request ID: %7

Fields

Name	Description
`ExitCode`	—
`TenantId`	—
`JoinType`	—
`JoinTypeName`	—
`InputUpn`	—
`InputUpnCount`	—
`RequestId`	—

Event ID 264 — The repair join information operation started successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The repair join information operation started successfully. 
Tenant ID: %1 
Device ID: %2 
Join UPN: %5 
Input UPN Count: %6 
Join Type: %3 (%4) 
Request Id: %7

Fields

Name	Description
`TenantId`	—
`DeviceId`	—
`JoinType`	—
`JoinTypeName`	—
`JoinUpn`	—
`InputUpnCount`	—
`RequestId`	—

Event ID 265 — The virtual desktop registry has %2 value(s) missing.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The virtual desktop registry has %2 value(s) missing. 
Registry key: %1 
Missing values: %4

Fields

Name	Description
`RegistryKey`	—
`ValuesCount`	—
`Value`	—
`ValuesList`	—

Event ID 266 — The virtual desktop registry value is invalid.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The virtual desktop registry value is invalid. 
Registry key: %1 
Value name: %2 
Value: %3

Fields

Name	Description
`RegistryKey`	—
`ValueName`	—
`Value`	—

Event ID 267 — Failed to read virtual desktop settings from registry.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Failed to read virtual desktop settings from registry. 
Error: %1 
Registry key: %2

Fields

Name	Description
`ExitCode`	—
`RegistryKey`	—

Event ID 268 — The virtual desktop settings were successfully retrieved from the registry.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The virtual desktop settings were successfully retrieved from the registry. 
Registry key: %1 
Provider: %2 
Type: %3 (%4) 
User mode: %5 (%6) 
Extensions: %7 
For the list of extensions, see "Extension" in EventData.

Fields

Name	Description
`RegistryKey`	—
`Provider`	—
`Type`	—
`TypeName`	—
`UserMode`	—
`UserModeName`	—
`ExtensionsCount`	—
`Extension`	—

Event ID 269 — Unable to parse the AIK update server response.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to parse the AIK update server response. 
HTTP status: %1 
Server response body: %2 
Error: %3

Fields

Name	Description
`HttpStatus`	—
`ResponseBody`	—
`ErrorCode`	—

Event ID 270 — Unable to start updating token binding AIK of the device object.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to start updating token binding AIK of the device object. 
Exit code: %1 
Join type: %2 (%3) 
Tenant ID: %4 
Device ID: %5 
User SID: %6 
User token: %7 
Request ID: %8

Fields

Name	Description
`ExitCode`	—
`JoinType`	—
`JoinTypeName`	—
`TenantId`	—
`DeviceId`	—
`UserSid`	—
`AuthToken`	—
`RequestId`	—

Event ID 271 — Updating token binding AIK of the device object started successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Updating token binding AIK of the device object started successfully. 
Join type: %1 (%2) 
Tenant ID: %3 
Device ID: %4 
User SID: %5 
User token: %6 
Request ID: %7

Fields

Name	Description
`JoinType`	—
`JoinTypeName`	—
`TenantId`	—
`DeviceId`	—
`UserSid`	—
`AuthToken`	—
`RequestId`	—

Event ID 272 — The token binding AIK of the device object was updated successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The token binding AIK of the device object was updated successfully. 
Join type: %1 (%2) 
Tenant ID: %3 
Device ID: %4 
User SID: %5 
Request ID: %6 
HTTP status: %7 
Time: %8

Fields

Name	Description
`JoinType`	—
`JoinTypeName`	—
`TenantId`	—
`DeviceId`	—
`UserSid`	—
`RequestId`	—
`HttpStatus`	—
`ServerTime`	—

Event ID 273 — Unable to update the token binding AIK of the device object.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to update the token binding AIK of the device object. 
Exit code: %1 
Join type: %2 (%3) 
Tenant ID: %4 
Device ID: %5 
User SID: %6 
Request ID: %7 
HTTP status: %8 
Time: %9 
Error Code: %12 
Error Subcode: %13 
Server message: %10 
Server response body: %11

Fields

Name	Description
`ExitCode`	—
`JoinType`	—
`JoinTypeName`	—
`TenantId`	—
`DeviceId`	—
`UserSid`	—
`RequestId`	—
`HttpStatus`	—
`ServerTime`	—
`ServerMessage`	—
`ResponseBody`	—
`ErrorCode`	—
`ErrorSubcode`	—

Event ID 274 — Failed to configure KDC proxy group policy.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Failed to configure KDC proxy group policy. 
Exit code: %1 
Kerberos endpoint: %2 
Kerberos realm: %3 
KDC proxy server: %4 
Local group policy modified: %5

Fields

Name	Description
`ExitCode`	—
`KerbEndpoint`	—
`Realm`	—
`KdcProxyServer`	—
`LocalGpoModified`	—

Event ID 275 — Failed to restore KDC proxy local group policy to its original value.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Failed to restore KDC proxy local group policy to its original value. 
Exit code: %1

Fields

Name	Description
`ExitCode`	—

Event ID 276 — The KDC Proxy group policy setting is incorrect.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The KDC Proxy group policy setting is incorrect. 
Expected value: 
  KdcProxyServer_Enabled: %1 
  NoRevocationCheck: %2 
  Proxy Server: %3 
Actual value: 
  KdcProxyServer_Enabled: %4 
  NoRevocationCheck: %5 
  Proxy Server: %6

Fields

Name	Description
`ExpectedProxyEnabled`	—
`ExpectedNoRevocationCheck`	—
`ExpectedProxyServer`	—
`ActualProxyEnabled`	—
`ActualNoRevocationCheck`	—
`ActualProxyServer`	—

Event ID 277 — The KDC proxy group policy has been configured successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The KDC proxy group policy has been configured successfully. 
Kerberos endpoint: %1 
Kerberos realm: %2 
KdcProxyServer_Enabled: %3 
NoRevocationCheck: %4 
KDC Proxy Server: %5

Fields

Name	Description
`KerbEndpoint`	—
`Realm`	—
`ProxyEnabled`	—
`NoRevocationCheck`	—
`ProxyServer`	—

Event ID 278 — The KDC proxy local group policy has been restored to its original value.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The KDC proxy local group policy has been restored to its original value. 
KdcProxyServer_Enabled: %1 
NoRevocationCheck: %2 
KDC Proxy Server: %3

Fields

Name	Description
`ProxyEnabled`	—
`NoRevocationCheck`	—
`ProxyServer`	—

Event ID 300 — The Microsoft Passport key was successfully registered with Azure AD.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The Microsoft Passport key was successfully registered with Microsoft Entra. 
Key ID: %1 
UPN: %2 
Attestation: %3 
Client request ID: %4 
Server request ID: %5 
Server response: %6

Fields

Name	Description
`KeyId`	—
`UPN`	—
`Attestation`	—
`ClientRequestId`	—
`ServerRequestId`	—
`ServerResponse`	—

Event ID 301 — NGC key registration failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

NGC key registration failed. 
Exit code: %1 
Client request ID: %2 
Server request ID: %3 
Error code: %4 
Server error message: %5 
Recommended client response: %6 
Server response: %7

Fields

Name	Description
`ExitCode`	—
`ClientRequestId`	—
`ServerRequestId`	—
`ErrorCode`	—
`ServerErrorMessage`	—
`RecommendedClientResponse`	—
`ServerResponse`	—

Event ID 302 — The NGC key registration request was successfully sent.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The NGC key registration request was successfully sent. User email: %1.
Auth token: %2.

Fields

Name	Description
`Email`	—
`AuthToken`	—

Event ID 303 — The NGC key registration initialization operation failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The NGC key registration initialization operation failed. Exit code: %1. User email: %2.
Auth token: %3.

Fields

Name	Description
`ExitCode`	—
`Email`	—
`AuthToken`	—

Event ID 304 — Automatic registration failed at join phase.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: 2
Samples: 1

Message

Automatic registration failed at join phase. 
Exit code: %1 
Server error: %2 
Tenant type: %3 
Registration type: %4 
Debug Output: 
%5

Fields

Name	Description
`ExitCode`	—
`ServerErrorMessage`	—
`TenantType`	—
`JoinType`	—
`DebugOutput`	—

Example Event

system:
  provider: Microsoft-Windows-User Device Registration
  guid: 23B8D46B-67DD-40A3-B636-D43E50552C6D
  event_source_name: ''
  event_id: 304
  version: 0
  level: 2
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T17:10:43.160191+00:00'
  event_record_id: 37
  correlation: {}
  execution:
    process_id: 1256
    thread_id: 5068
  channel: Microsoft-Windows-User Device Registration/Admin
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  ExitCode: -2145648611
  ServerErrorMessage: ''
  TenantType: undefined
  JoinType: undefined
  DebugOutput: 'joinMode: Join

    drsInstance: undefined

    registrationType: undefined

    tenantType: undefined

    tenantId: undefined

    configLocation: undefined

    errorPhase: discover

    adalCorrelationId: 52807b09-dcaf-44b6-a94c-911b39350cb1

    adalLog:

    undefined

    adalResponseCode: 0x0

    '
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 305 — Automatic registration failed at authentication phase.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Automatic registration failed at authentication phase. Unable to acquire access token. 
Exit code: %1 
Tenant Name: %4 
Tenant Type: %3 
Server error: 
%2

Fields

Name	Description
`ExitCode`	—
`ServerErrorMessage`	—
`TenantType`	—
`TenantName`	—

Event ID 306 — Automatic registration Succeeded.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Automatic registration Succeeded.

Event ID 307 — Automatic registration failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: 2
Samples: 1

Message

Automatic registration failed. Failed to lookup the registration service information from Active Directory. Exit code: %1. See http://go.microsoft.com/fwlink/?LinkId=623042

Fields

Name	Description
`ExitCode`	—

Example Event

system:
  provider: Microsoft-Windows-User Device Registration
  guid: 23B8D46B-67DD-40A3-B636-D43E50552C6D
  event_source_name: ''
  event_id: 307
  version: 0
  level: 2
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T17:10:43.160164+00:00'
  event_record_id: 36
  correlation: {}
  execution:
    process_id: 1256
    thread_id: 5068
  channel: Microsoft-Windows-User Device Registration/Admin
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  ExitCode: -2145648611
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 308 — This Device is joined to Azure AD, however, the user did not sign-in with an Azure AD account.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

This Device is joined to Microsoft Entra, however, the user did not sign-in with a Microsoft Entra account. Microsoft Passport provisioning will not be enabled. User: %1.

Fields

Name	Description
`UserSID`	—

Event ID 309 — Failed to discover the Azure AD DRS service.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Failed to discover the Microsoft Entra DRS service. Exit code: %1.

Fields

Name	Description
`ExitCode`	—

Event ID 310 — Unable to retrieve the NGC user ID key with name %1.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to retrieve the NGC user ID key with name %1. Error: %2

Fields

Name	Description
`KeyName`	—
`ErrorCode`	—

Event ID 311 — The NGC create container operation failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The NGC create container operation failed. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
Flags: %4 
Error: %5

Fields

Name	Description
`UserSid`	—
`IdpDomain`	—
`TenantDomain`	—
`Flags`	—
`ErrorCode`	—

Event ID 312 — The existing NGC container was successfully deleted.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The existing NGC container was successfully deleted. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3

Fields

Name	Description
`UserSid`	—
`IdpDomain`	—
`TenantDomain`	—

Event ID 314 — Unable to delete NGC container.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to delete NGC container. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
Error: %4

Fields

Name	Description
`UserSid`	—
`IdpDomain`	—
`TenantDomain`	—
`ErrorCode`	—

Event ID 315 — Unable to create NGC user ID key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to create NGC user ID key. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
User ID: %4 
Flags: %5 
Error: %6

Fields

Name	Description
`UserSid`	—
`IdpDomain`	—
`TenantDomain`	—
`UserId`	—
`Flags`	—
`ErrorCode`	—

Event ID 316 — Unable to retrieve the specified NGC user ID key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to retrieve the specified NGC user ID key. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
User ID: %4 
Error: %5

Fields

Name	Description
`UserSid`	—
`IdpDomain`	—
`TenantDomain`	—
`UserId`	—
`ErrorCode`	—

Event ID 317 — Unable to delete NGC user ID key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to delete NGC user ID key. Key name: %1. Error: %2

Fields

Name	Description
`KeyName`	—
`ErrorCode`	—

Event ID 318 — Unable to create NGC transport key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to create NGC transport key. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
User ID: %4 
Key type: %5 
Flags: %6 
Error: %7

Fields

Name	Description
`UserSid`	—
`IdpDomain`	—
`TenantDomain`	—
`UserId`	—
`KeyType`	—
`Flags`	—
`ErrorCode`	—

Event ID 319 — Unable to delete NGC transport key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to delete NGC transport key. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
User ID: %4 
Flags: %6 
Error: %5

Fields

Name	Description
`UserSid`	—
`IdpDomain`	—
`TenantDomain`	—
`UserId`	—
`ErrorCode`	—
`Flags`	—

Event ID 320 — Unable to parse the NGC registration server response.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to parse the NGC registration server response. 
HTTP status: %1 
Server response body: %2 
Error: %3

Fields

Name	Description
`HttpStatus`	—
`ResponseBody`	—
`ErrorCode`	—

Event ID 321 — Failed to enable the device lock PIN.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Failed to enable the device lock PIN. Error: %1

Fields

Name	Description
`ErrorCode`	—

Event ID 322 — The application does not have the permission to perform this operation.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The application does not have the permission to perform this operation. Application SID: %1

Fields

Name	Description
`AppSid`	—

Event ID 323 — Preparing to send a request to the Web Account Manager.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Preparing to send a request to the Web Account Manager. 
Account provider ID: %1 
Scope: %2 
Client ID: %3 
Authority: %4 
Resource: %5 
CorrelationId: %6

Fields

Name	Description
`AccountProvider`	—
`Scope`	—
`Client`	—
`Authority`	—
`Resource`	—
`CorrelationId`	—

Event ID 324 — Unable to get a token using the Web Account Manager.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to get a token using the Web Account Manager. Error: %5 
Request status code: %1 (%2) 
Token provider error code: %3 
Token provider error message: %4 
CorrelationId: %6

Fields

Name	Description
`RequestStatus`	—
`RequestStatusSymbolicName`	—
`ProviderErrorCode`	—
`ProviderErrorMessage`	—
`ErrorCode`	—
`CorrelationId`	—

Event ID 325 — Successfully obtained a token for the current user via token broker.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Successfully obtained a token for the current user via token broker. 
CorrelationId: %1

Fields

Name	Description
`CorrelationId`	—

Event ID 326 — Unable to get the application's core window.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to get the application's core window. Error: %1

Fields

Name	Description
`ErrorCode`	—

Event ID 327 — Unable to remove the PIN that has been created to use in place of the current user's logon password.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to remove the PIN that has been created to use in place of the current user's logon password. 
User SID: %1 
Error: %2

Fields

Name	Description
`UserSid`	—
`ErrorCode`	—

Event ID 328 — Unable to check whether a PIN has been created to use in place of the current user's logon password.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to check whether a PIN has been created to use in place of the current user's logon password. 
User SID: %1 
Error: %2

Fields

Name	Description
`UserSid`	—
`ErrorCode`	—

Event ID 329 — Preparing to send a request to the Web Account Manager silently (no UI mode).

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Preparing to send a request to the Web Account Manager silently (no UI mode). 
Account provider ID: %1 
Scope: %2 
Client ID: %3 
Authority: %4 
Resource: %5 
CorrelationId: %6

Fields

Name	Description
`AccountProvider`	—
`Scope`	—
`Client`	—
`Authority`	—
`Resource`	—
`CorrelationId`	—

Event ID 330 — Azure DRS and Enterprise DRS are configured for this device.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Microsoft Entra DRS and Enterprise DRS are configured for this device. Only one DRS instance can be configured for an environment. MicrosoftEntraTenantName:%1 EnterpriseDrsName:%2

Fields

Name	Description
`AzureADTenantName`	—
`EnterpriseDrsName`	—

Event ID 331 — Automatic device join pre-check tasks completed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: 4
Samples: 1

Message

Automatic device join pre-check tasks completed. Details: 
%1

Fields

Name	Description
`DebugOutput`	—

Example Event

system:
  provider: Microsoft-Windows-User Device Registration
  guid: 23B8D46B-67DD-40A3-B636-D43E50552C6D
  event_source_name: ''
  event_id: 331
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T17:10:43.101829+00:00'
  event_record_id: 35
  correlation: {}
  execution:
    process_id: 1256
    thread_id: 5068
  channel: Microsoft-Windows-User Device Registration/Admin
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data:
  DebugOutput: 'preCheckResult: Join

    deviceKeysHealthy: undefined

    isJoined: undefined

    isDcAvailable: YES

    isSystem: YES

    keyProvider: undefined

    keyContainer: undefined

    dsrInstance: undefined

    elapsedSeconds: 0

    resultCode: 0x0

    '
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 332 — Automatic device join pre-check tasks found that this device is joined, however, it is missing some required state.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Automatic device join pre-check tasks found that this device is joined, however, it is missing some required state. The device will be removed and then joined again.

Event ID 333 — Automatic device join pre-check tasks completed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Automatic device join pre-check tasks completed. The device can NOT be joined. The process MUST run as NT AUTHORITY\SYSTEM.

Event ID 334 — Automatic device join pre-check tasks completed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: 3
Samples: 1

Message

Automatic device join pre-check tasks completed. The device can NOT be joined because a domain controller could not be located. The device must be connected to a network with connectivity to an Active Directory domain controller.

Example Event

system:
  provider: Microsoft-Windows-User Device Registration
  guid: 23B8D46B-67DD-40A3-B636-D43E50552C6D
  event_source_name: ''
  event_id: 334
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T08:31:21.022689+00:00'
  event_record_id: 14
  correlation: {}
  execution:
    process_id: 2328
    thread_id: 2332
  channel: Microsoft-Windows-User Device Registration/Admin
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-18
event_data: {}
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 335 — Automatic device join pre-check tasks completed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Automatic device join pre-check tasks completed. The device is already joined.

Event ID 336 — The Web Proxy Autodiscovery Protocol (WPAD) did NOT locate the URL of a configuration file using DHCP and/or DNS discovery methods.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The Web Proxy Autodiscovery Protocol (WPAD) did NOT locate the URL of a configuration file using DHCP and/or DNS discovery methods. The request will be sent directly to the server. 
WINHTTP_STATUS_CALLBACK dwInternetStatus is %1 (%4) 
WINHTTP_ASYNC_RESULT dwResult is %2 (%5) 
WINHTTP_ASYNC_RESULT dwError is %3

Fields

Name	Description
`dwInternetStatus`	—
`dwResult`	—
`dwError`	—
`InternetStatus`	—
`Result`	—

Event ID 337 — The request was sent to the server through the out-bound proxy and failed with the following information.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The request was sent to the server through the out-bound proxy and failed with the following information. A fail-over proxy server will be used if available. 
WINHTTP_STATUS_CALLBACK dwInternetStatus is %1 (%4) 
WINHTTP_ASYNC_RESULT dwResult is %2 (%5) 
WINHTTP_ASYNC_RESULT dwError is %3

Fields

Name	Description
`dwInternetStatus`	—
`dwResult`	—
`dwError`	—
`InternetStatus`	—
`Result`	—

Event ID 338 — The Web Proxy Autodiscovery Protocol (WPAD) located the URL of a configuration file using DHCP and/or DNS discovery methods.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The Web Proxy Autodiscovery Protocol (WPAD) located the URL of a configuration file using DHCP and/or DNS discovery methods. %1 configuration entries were found in the configuration file.

Fields

Name	Description
`ProxyCount`	—

Event ID 339 — The following out-bound proxy information was set for this request.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The following out-bound proxy information was set for this request. 
WINHTTP_PROXY_RESULT_ENTRY fProxy is: %1 
WINHTTP_PROXY_RESULT_ENTRY fBypass is: %2 
WINHTTP_PROXY_RESULT_ENTRY INTERNET_SCHEME is: %3 
WINHTTP_PROXY_RESULT_ENTRY pwszProxy is: %4 
WINHTTP_PROXY_RESULT_ENTRY ProxyPort is: %5

Fields

Name	Description
`fProxy`	—
`fBypass`	—
`INTERNET_SCHEME`	—
`pwszProxy`	—
`ProxyPort`	—

Event ID 340 — The Web Proxy Autodiscovery Protocol (WPAD) encountered an unexpected error.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The Web Proxy Autodiscovery Protocol (WPAD) encountered an unexpected error. The request may not have been sent to the server. 
WINHTTP_STATUS_CALLBACK dwInternetStatus is %1 (%4) 
WINHTTP_ASYNC_RESULT dwResult is %2 (%5) 
WINHTTP_ASYNC_RESULT dwError is %3

Fields

Name	Description
`dwInternetStatus`	—
`dwResult`	—
`dwError`	—
`InternetStatus`	—
`Result`	—

Event ID 341 — This request will NOT fail over to a proxy server.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

This request will NOT fail over to a proxy server. The end of the proxy configuration discovered by Web Proxy Autodiscovery Protocol (WPAD) has been reached. Error %1

Fields

Name	Description
`ErrorCode`	—

Event ID 342 — Unable to query Passport for Work policies.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to query Passport for Work policies. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
Error: %4

Fields

Name	Description
`UserSid`	—
`IdpDomain`	—
`TenantDomain`	—
`ErrorCode`	—

Event ID 343 — Unable to enumerate Passport for Work containers.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to enumerate Passport for Work containers. 
User SID: %1 
Error: %2

Fields

Name	Description
`UserSid`	—
`ErrorCode`	—

Event ID 344 — Failed to access the device key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Failed to access the device key. If you have a TPM, it might be locked out or in an unknown state. 
Error: %1

Fields

Name	Description
`ExitCode`	—

Event ID 345 — Failed to access the device key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Failed to access the device key. The device key has likely been removed. 
Error: %1

Fields

Name	Description
`ExitCode`	—

Event ID 346 — The Microsoft Passport key was successfully removed from Azure AD.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The Microsoft Passport key was successfully removed from Microsoft Entra. 
Key ID (encoded): %1 
UPN: %2 
Client request ID: %3 
Server request ID: %4 
Server response: %5

Fields

Name	Description
`KeyHash`	—
`UPN`	—
`ClientRequestId`	—
`ServerRequestId`	—
`ServerResponse`	—

Event ID 347 — Failed to remove the Microsoft Passport key from Azure AD.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Failed to remove the Microsoft Passport key from Microsoft Entra. 
Error: %2 
Key ID (encoded): %1 
Client request ID: %3 
Server request ID: %4 
Server error code: %5 
Server error message: %6 
Recommended client response: %7 
Server response: %8

Fields

Name	Description
`KeyHash`	—
`ErrorCode`	—
`ClientRequestId`	—
`ServerRequestId`	—
`ServerErrorCode`	—
`ServerErrorMessage`	—
`RecommendedClientResponse`	—
`ServerResponse`	—

Event ID 348 — The Microsoft Passport delete key registration request was successfully sent.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The Microsoft Passport delete key registration request was successfully sent. User email: %1. Tenant ID: %2. Auth token: %3.

Fields

Name	Description
`Email`	—
`TenantId`	—
`AuthToken`	—

Event ID 349 — Failed to initialize the Microsoft Passport delete key registration request.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Failed to initialize the Microsoft Passport delete key registration request. Exit code: %1. User email: %2. Tenant ID: %3. Auth token: %4.

Fields

Name	Description
`ExitCode`	—
`Email`	—
`TenantId`	—
`AuthToken`	—

Event ID 350 — The Microsoft Passport key information was successfully saved.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The Microsoft Passport key information was successfully saved. 
Key ID: %1 
Attestation level: %2 
AIK status: %3 
Key type: %4 
Key name: %5 
IDP domain: %6 
Tenant ID: %7 
User email: %8

Fields

Name	Description
`KeyId`	—
`AttLevel`	—
`AikStatus`	—
`KeyType`	—
`KeyName`	—
`IdpDomain`	—
`TenantId`	—
`UserEmail`	—

Event ID 351 — Failed to save the Microsoft Passport key information.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Failed to save the Microsoft Passport key information. 
Error: %1 
Key ID: %2 
Attestation level: %3 
AIK status: %4 
Key type: %5 
Key name: %6 
IDP domain: %7 
Tenant ID: %8 
User email: %9

Fields

Name	Description
`ErrorCode`	—
`KeyId`	—
`AttLevel`	—
`AikStatus`	—
`KeyType`	—
`KeyName`	—
`IdpDomain`	—
`TenantId`	—
`UserEmail`	—

Event ID 352 — The Microsoft Passport key information was successfully deleted.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The Microsoft Passport key information was successfully deleted. 
Key ID: %1 
User SID: %2

Fields

Name	Description
`KeyId`	—
`UserSid`	—

Event ID 353 — Failed to delete the Microsoft Passport key information.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Failed to delete the Microsoft Passport key information. 
Error: %1 
Key ID: %2 
User SID: %3

Fields

Name	Description
`ErrorCode`	—
`KeyId`	—
`UserSid`	—

Event ID 354 — Json Request Failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Json Request Failed. Exit code: %1. httpStatus: %2 Server response: %3.

Fields

Name	Description
`ExitCode`	—
`HttpStatus`	—
`ServerMessage`	—

Event ID 355 — Successfully enrolled for a logon certificate using a Registration Authority.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Successfully enrolled for a logon certificate using a Registration Authority. 
Upn: %1 
TenantId: %2 
Authority: %3 
Resource: %4 
ExitCode: %5

Fields

Name	Description
`Upn`	—
`TenantId`	—
`Authority`	—
`Resource`	—
`ExitCode`	—

Event ID 356 — Failed to enroll for a logon certificate using a Registration Authority.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Failed to enroll for a logon certificate using a Registration Authority. 
UPN: %1 
TenantId: %2 
ExitCode: %3

Fields

Name	Description
`UPN`	—
`TenantId`	—
`ExitCode`	—

Event ID 357 — Group Policy indicates the user must enroll for a logon certificate along with their work PIN.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Group Policy indicates the user must enroll for a logon certificate along with their work PIN. 
Sid: %1 
TenantId: %2

Fields

Name	Description
`Sid`	—
`TenantId`	—

Event ID 358 — %1 Device is Microsoft Entra joined (or hybrid joined): %2 User has logged on with Microsoft Entra credentials: %3 Windows Hello for Business polic...

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: 4
Samples: 1

Message

%1 
Device is Microsoft Entra joined (or hybrid joined): %2 
User has logged on with Microsoft Entra credentials: %3 
Windows Hello for Business policy is enabled: %4 
Windows Hello for Business post-logon provisioning is enabled: %5 
Local computer meets Windows hello for business hardware requirements: %6 
User is not connected to the machine via Remote Desktop: %7 
User certificate for on premise auth policy is enabled: %8 
Machine is governed by %9 policy. 
Cloud trust for on premise auth policy is enabled: %10 
User account has Cloud to OnPrem TGT: %11 
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.

Fields

Name	Description
`Message`	—
`DeviceIsJoined`	—
`AADPrt`	—
`NgcPolicyEnabled`	—
`NgcPostLogonProvisioningEnabled`	—
`NgcHardwarePolicyMet`	—
`UserIsRemote`	—
`LogonCertRequired`	—
`MachinePolicySource`	—
`UseCloudTrust`	—
`CloudTgt`	—

Example Event

system:
  provider: Microsoft-Windows-User Device Registration
  guid: 23B8D46B-67DD-40A3-B636-D43E50552C6D
  event_source_name: ''
  event_id: 358
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T16:57:32.679856+00:00'
  event_record_id: 27
  correlation: {}
  execution:
    process_id: 4128
    thread_id: 4156
  channel: Microsoft-Windows-User Device Registration/Admin
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data:
  Message: Windows Hello for Business provisioning will be launched.
  DeviceIsJoined: Not Tested
  AADPrt: Not Tested
  NgcPolicyEnabled: Not Tested
  NgcPostLogonProvisioningEnabled: Not Tested
  NgcHardwarePolicyMet: Not Tested
  UserIsRemote: 'Yes'
  LogonCertRequired: Not Tested
  MachinePolicySource: none
  UseCloudTrust: Not Tested
  CloudTgt: Not Tested
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 359 — Windows Hello for Business provisioning has encountered an error during policy evaluation.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: 2
Samples: 1

Message

Windows Hello for Business provisioning has encountered an error during policy evaluation. 
ExitCode: %1 
Method: %2 
See https://go.microsoft.com/fwlink/?linkid=832647 for more details

Fields

Name	Description
`ExitCode`	—
`Method`	—

Example Event

system:
  provider: Microsoft-Windows-User Device Registration
  guid: 23B8D46B-67DD-40A3-B636-D43E50552C6D
  event_source_name: ''
  event_id: 359
  version: 0
  level: 2
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T16:57:32.078732+00:00'
  event_record_id: 26
  correlation: {}
  execution:
    process_id: 4128
    thread_id: 4156
  channel: Microsoft-Windows-User Device Registration/Admin
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-21-2121334350-1110938707-2888912545-500
event_data:
  ExitCode: -805175273
  Method: LsaGetSSOAccountType
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 360 — %1 Device is Microsoft Entra joined (or hybrid joined): %2 User has logged on with Microsoft Entra credentials: %3 Windows Hello for Business polic...

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: 3
Samples: 1

Message

%1 
Device is Microsoft Entra joined (or hybrid joined): %2 
User has logged on with Microsoft Entra credentials: %3 
Windows Hello for Business policy is enabled: %4 
Windows Hello for Business post-logon provisioning is enabled: %5 
Local computer meets Windows hello for business hardware requirements: %6 
User is not connected to the machine via Remote Desktop: %7 
User certificate for on premise auth policy is enabled: %8 
Machine is governed by %9 policy. 
Cloud trust for on premise auth policy is enabled: %10 
User account has Cloud to OnPrem TGT: %11 
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.

Fields

Name	Description
`Message`	—
`DeviceIsJoined`	—
`AADPrt`	—
`NgcPolicyEnabled`	—
`NgcPostLogonProvisioningEnabled`	—
`NgcHardwarePolicyMet`	—
`UserIsRemote`	—
`LogonCertRequired`	—
`MachinePolicySource`	—
`UseCloudTrust`	—
`CloudTgt`	—

Example Event

system:
  provider: Microsoft-Windows-User Device Registration
  guid: 23B8D46B-67DD-40A3-B636-D43E50552C6D
  event_source_name: ''
  event_id: 360
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2023-11-05T23:54:10.290552+00:00'
  event_record_id: 11
  correlation: {}
  execution:
    process_id: 10860
    thread_id: 5432
  channel: Microsoft-Windows-User Device Registration/Admin
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-21-1992711665-1655669231-58201500-1000
event_data:
  Message: Windows Hello for Business provisioning will not be launched.
  DeviceIsJoined: Not Tested
  AADPrt: 'No'
  NgcPolicyEnabled: Not Tested
  NgcPostLogonProvisioningEnabled: Not Tested
  NgcHardwarePolicyMet: Not Tested
  UserIsRemote: 'Yes'
  LogonCertRequired: Not Tested
  MachinePolicySource: none
  UseCloudTrust: Not Tested
  CloudTgt: Not Tested
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 361 — %1 Device is Microsoft Entra joined (or hybrid joined): %2 User has logged on with Microsoft Entra credentials: %3 Windows Hello for Business polic...

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

%1 
Device is Microsoft Entra joined (or hybrid joined): %2 
User has logged on with Microsoft Entra credentials: %3 
Windows Hello for Business policy is enabled: %4 
Windows Hello for Business post-logon provisioning is enabled: %5 
Local computer meets Windows hello for business hardware requirements: %6 
User is not connected to the machine via Remote Desktop: %7 
User certificate for on premise auth policy is enabled: %8 
MDM user certificate enrollment is ready: %9 
Certificate enrollment method: %10 
See https://go.microsoft.com/fwlink/?linkid=832647 for more details

Fields

Name	Description
`Message`	—
`DeviceIsJoined`	—
`AADPrt`	—
`NgcPolicyEnabled`	—
`NgcPostLogonProvisioningEnabled`	—
`NgcHardwarePolicyMet`	—
`UserIsRemote`	—
`LogonCertRequired`	—
`MDMCertEnrollmentReady`	—
`MachinePolicySource`	—

Event ID 362 — %1 Device is Microsoft Entra joined (or hybrid joined): %2 User has logged on with Microsoft Entra credentials: %3 Windows Hello for Business polic...

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

%1 
Device is Microsoft Entra joined (or hybrid joined): %2 
User has logged on with Microsoft Entra credentials: %3 
Windows Hello for Business policy is enabled: %4 
Windows Hello for Business post-logon provisioning is enabled: %5 
Local computer meets Windows hello for business hardware requirements: %6 
User is not connected to the machine via Remote Desktop: %7 
User certificate for on premise auth policy is enabled: %8 
Enterprise user logon certificate enrollment endpoint is ready: %9 
Enterprise user logon certificate template is : %10 
User has successfully authenticated to the enterprise STS: %11 
Certificate enrollment method: %12 
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.

Fields

Name	Description
`Message`	—
`DeviceIsJoined`	—
`AADPrt`	—
`NgcPolicyEnabled`	—
`NgcPostLogonProvisioningEnabled`	—
`NgcHardwarePolicyMet`	—
`UserIsRemote`	—
`LogonCertRequired`	—
`ADFSRaReady`	—
`RATemplateReady`	—
`ADFSPrtPresent`	—
`MachinePolicySource`	—

Event ID 363 — The Microsoft Passport key is missing.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The Microsoft Passport key is missing. 
Key ID: %1 
Attestation level: %2 
AIK status: %3 
Key type: %4 
Key name: %5 
IDP domain: %6 
Tenant ID: %7 
User email: %8

Fields

Name	Description
`KeyId`	—
`AttLevel`	—
`AikStatus`	—
`KeyType`	—
`KeyName`	—
`IdpDomain`	—
`TenantId`	—
`UserEmail`	—

Event ID 364 — The saved Microsoft Passport information does not match the key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The saved Microsoft Passport information does not match the key. 
Saved information: 
  Key ID: %1 
  Key name: %2 
  IDP domain: %3 
  Tenant ID: %4 
  User email: %5 
The Microsoft Passport key: 
  Key name: %6 
  IDP domain: %7 
  Tenant ID: %8 
  User email: %9

Fields

Name	Description
`SavedKeyId`	—
`SavedKeyName`	—
`SavedIdpDomain`	—
`SavedTenantId`	—
`SavedUserEmail`	—
`KeyName`	—
`IdpDomain`	—
`TenantId`	—
`UserEmail`	—

Event ID 365 — Unable to enroll for a logon certificate using a Registration Authority.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to enroll for a logon certificate using a Registration Authority. Automatic certificate enrollment will retry at regular intervals. 
UPN: %1 
TenantId: %2 
ExitCode: %3

Fields

Name	Description
`UPN`	—
`TenantId`	—
`ExitCode`	—

Event ID 366 — Unable to enroll for a logon certificate using a Registration Authority.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to enroll for a logon certificate using a Registration Authority. 
Resource: %1 
ExitCode: %2

Fields

Name	Description
`Resource`	—
`ExitCode`	—

Event ID 367 — Added following properties to the Web Account Manager access token request.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Added following properties to the Web Account Manager access token request. 
Properties: 
%1

Fields

Name	Description
`Properties`	—

Event ID 368 — The following token properties were recieved from the Web Account Manager: Properties.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The following token properties were recieved from the Web Account Manager: 
Properties: %1

Fields

Name	Description
`Properties`	—

Event ID 369 — The Workstation Service logged a device registration message.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: 4
Samples: 1

Message

The Workstation Service logged a device registration message. 
Message: %1

Fields

Name	Description
`Message`	—

Example Event

system:
  provider: Microsoft-Windows-User Device Registration
  guid: 23B8D46B-67DD-40A3-B636-D43E50552C6D
  event_source_name: ''
  event_id: 369
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T16:53:14.439647+00:00'
  event_record_id: 23
  correlation: {}
  execution:
    process_id: 1792
    thread_id: 1992
  channel: Microsoft-Windows-User Device Registration/Admin
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-20
event_data:
  Message: 'AutoJoinSvc/WJSetScheduledTaskState: IRegisteredTask_Run("\Microsoft\Windows\Workplace
    Join\Automatic-Device-Join") failed with code 0x80070490.'
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 370 — The automatic device registration task failed to unregister device.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The automatic device registration task failed to unregister device. 
Exit code: %1 
Server error: %2 
Tenant type: %3 
Registration type: %4 
Debug Output: 
%5

Fields

Name	Description
`ExitCode`	—
`ServerErrorMessage`	—
`TenantType`	—
`JoinType`	—
`DebugOutput`	—

Event ID 371 — The automatic device registration task successfully unregistered device.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The automatic device registration task successfully unregistered device.

Event ID 372 — The FIDO credential was successfully registered with Azure AD.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The FIDO credential was successfully registered with Microsoft Entra. 
Credential ID: %1 
UPN: %2 
Request ID: %3 
Time: %4 
Server response: %5

Fields

Name	Description
`KeyId`	—
`UPN`	—
`RequestId`	—
`Time`	—
`ServerResponse`	—

Event ID 373 — FIDO credential registration failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

FIDO credential registration failed. 
Exit code: %1 
Request ID: %2 
Time: %3 
HTTP status: %4 
Error code: %5 
Error subcode: %6 
Server error message: %7 
Server response: %8

Fields

Name	Description
`ExitCode`	—
`RequestId`	—
`Time`	—
`HttpStatus`	—
`ErrorCode`	—
`ErrorSubCode`	—
`ServerErrorMessage`	—
`ServerResponse`	—

Event ID 374 — The FIDO credential registration request was successfully sent.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The FIDO credential registration request was successfully sent. 
RPID: %1 
UPN: %2 
Credential display name: %3 
User display name: %4 
User image URL: %5 
Key algorithm: %6 
Auth token: %7 
Request ID: %8 
Flags: %9

Fields

Name	Description
`RPID`	—
`UPN`	—
`KeyDisplayName`	—
`UserDisplayName`	—
`UserImageUrl`	—
`KeyAlgorithm`	—
`AuthToken`	—
`RequestId`	—
`Flags`	—

Event ID 375 — The FIDO credential registration initialization operation failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The FIDO credential registration initialization operation failed. 
Exit code: %1 
RPID: %2 
UPN: %3 
Credential display name: %4 
User display name: %5 
User image URL: %6 
Key algorithm: %7 
Auth token: %8 
Request ID: %9 
Flags: %10

Fields

Name	Description
`ExitCode`	—
`RPID`	—
`UPN`	—
`KeyDisplayName`	—
`UserDisplayName`	—
`UserImageUrl`	—
`KeyAlgorithm`	—
`AuthToken`	—
`RequestId`	—
`Flags`	—

Event ID 376 — The FIDO credential was successfully created.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The FIDO credential was successfully created. 
UPN: %1 
Credential display name: %2 
User display name: %3 
User image URL: %4 
Key algorithm: %5 
Auth token: %6 
Request ID: %7 
Flags: %8

Fields

Name	Description
`UPN`	—
`KeyDisplayName`	—
`UserDisplayName`	—
`UserImageUrl`	—
`KeyAlgorithm`	—
`AuthToken`	—
`RequestId`	—
`Flags`	—
`PinStatus`	—
`PinRetries`	—

Event ID 377 — Unable to create FIDO credential.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to create FIDO credential. 
Exit code: %1 
UPN: %2 
Credential display name: %3 
User display name: %4 
User image URL: %5 
Key algorithm: %6 
Auth token: %7 
Request ID: %8 
Flags: %9

Fields

Name	Description
`ExitCode`	—
`UPN`	—
`KeyDisplayName`	—
`UserDisplayName`	—
`UserImageUrl`	—
`KeyAlgorithm`	—
`AuthToken`	—
`RequestId`	—
`Flags`	—
`PinStatus`	—
`PinRetries`	—

Event ID 378 — The FIDO credentials were successfully deleted from Azure AD.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The FIDO credentials were successfully deleted from Microsoft Entra. 
Number of credentials: %1 
UPN: %3 
Request ID: %4 
Time: %5 
Server response: %6

Fields

Name	Description
`NumOfKeyIds`	—
`KeyId`	—
`UPN`	—
`RequestId`	—
`Time`	—
`ServerResponse`	—

Event ID 379 — FIDO credential deletion failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

FIDO credential deletion failed. 
Exit code: %1 
Request ID: %2 
Time: %3 
HTTP status: %4 
Error code: %5 
Error subcode: %6 
Server error message: %7 
Server response: %8

Fields

Name	Description
`ExitCode`	—
`RequestId`	—
`Time`	—
`HttpStatus`	—
`ErrorCode`	—
`ErrorSubCode`	—
`ServerErrorMessage`	—
`ServerResponse`	—

Event ID 380 — The FIDO credential deletion request was successfully sent.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The FIDO credential deletion request was successfully sent. 
UPN: %1 
Credential ID: %2 
Auth token: %3 
Request ID: %4

Fields

Name	Description
`UPN`	—
`KeyId`	—
`AuthToken`	—
`RequestId`	—

Event ID 381 — The FIDO credential deletion initialization operation failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The FIDO credential deletion initialization operation failed. 
Exit code: %1 
UPN: %2 
Credential ID: %3 
Auth token: %4 
Request ID: %5

Fields

Name	Description
`ExitCode`	—
`UPN`	—
`KeyId`	—
`AuthToken`	—
`RequestId`	—

Event ID 382 — Unable to parse the FIDO registration server response.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to parse the FIDO registration server response. 
HTTP status: %1 
Server response body: %2 
Error: %3

Fields

Name	Description
`HttpStatus`	—
`ResponseBody`	—
`ErrorCode`	—

Event ID 383 — The PIN has been successfully recovered.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The PIN has been successfully recovered.

Fields

Name	Description
`hWnd`	—

Event ID 384 — The PIN recover operation failed with exit code.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The PIN recover operation failed with exit code: %1.

Fields

Name	Description
`ExitCode`	—
`hWnd`	—

Event ID 385 — Unable to get attestation statement for Microsoft Passport key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to get attestation statement for Microsoft Passport key. Key name: %1,  KeyStatus: %2 (%3), Error: %4.

Fields

Name	Description
`KeyName`	—
`KeyStatus`	—
`KeyStatusSymbolicName`	—
`ErrorCode`	—

Event ID 386 — Successfully got attestation statement for Microsoft Passport key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Successfully got attestation statement for Microsoft Passport key. Key name: %1, KeyStatus: %2 (%3).

Fields

Name	Description
`KeyName`	—
`KeyStatus`	—
`KeyStatusSymbolicName`	—

Event ID 387 — Unable to reset registry recovery flags.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to reset registry recovery flags. Error: %1

Fields

Name	Description
`ExitCode`	—

Event ID 388 — Recovery API %1 called.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Recovery API %1 called. Error: %2

Fields

Name	Description
`APIName`	—
`ExitCode`	—

Event ID 389 — Automatic Azure SecureVM Join Succeeded.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Automatic Microsoft Entra SecureVM Join Succeeded.

Event ID 390 — Resource account certificate does not match device ceritificate.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Resource account certificate does not match device ceritificate. 
Mismatch in: %1 
Resource account certificate's value: %2 
Device certificate's value: %3 
Request ID: %4 
Server time: %5

Fields

Name	Description
`IdType`	—
`RACertificateId`	—
`DeviceCeritifcateId`	—
`ServerRequestId`	—
`ServerTime`	—

Event ID 391 — Unable to get the NGC user ID key container state.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to get the NGC user ID key container state. 
SID: %1 
Key name: %2 
Error: %3

Fields

Name	Description
`UserSid`	—
`UserKeyName`	—
`ErrorCode`	—

Event ID 392 — The NGC user ID key container is in a bad state.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The NGC user ID key container is in a bad state. 
SID: %1 
Key name: %2 
Container status: %3

Fields

Name	Description
`UserSid`	—
`UserKeyName`	—
`ContainerStatus`	—

Event ID 393 — NGC logon certificate could not be renewed due to device ID flip.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

NGC logon certificate could not be renewed due to device ID flip.

Event ID 394 — Unable to set registry value for device ID flip.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to set registry value for device ID flip. 
Exit code: %1

Fields

Name	Description
`ExitCode`	—

Event ID 395 — Unable to unset registry value for device ID flip.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unable to unset registry value for device ID flip. 
Exit code: %1

Fields

Name	Description
`ExitCode`	—

Event ID 396 — Key policy in registry is set to unsupported value %1.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Key policy in registry is set to unsupported value %1. Default key policy will be used.

Fields

Name	Description
`PolicyValue`	—

Event ID 397 — MDM enrollment for Azure SecureVM succeeded.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

MDM enrollment for Microsoft Entra SecureVM succeeded. 
MDM Enrollment URL: %1

Fields

Name	Description
`URL`	—

Event ID 398 — MDM enrollment for Azure SecureVM failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

MDM enrollment for Microsoft Entra SecureVM failed. The device will be unjoined from Microsoft Entra. 
MDM Enrollment URL: %1

Fields

Name	Description
`URL`	—

Event ID 399 — Attempt to discover enrollment URL for MDM auto-enrollment failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Attempt to discover enrollment URL for MDM auto-enrollment failed. AAD logs may contains additional details about the failure. Another attempt to discover MDM enrollment URL will be made later. 
CorrelationId: %1 
Additional information: %2

Fields

Name	Description
`CorrelationId`	—
`AdditionalDetails`	—

Event ID 400 — All attempts to discover enrollment URL for MDM auto-enrollment failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

All attempts to discover enrollment URL for MDM auto-enrollment failed.

Event ID 401 — No MDM enrollment URL was discoverered for MDM auto-enrollment.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

No MDM enrollment URL was discoverered for MDM auto-enrollment. Verify MDM auto-enrollment configuration in the Microsoft Entra tenant is correct and the specified MDM application ID is successfully resolved by Microsoft Entra server. 
CorrelationId: %1 
MDM application ID: %2

Fields

Name	Description
`CorrelationId`	—
`MDMAppID`	—

Event ID 402 — Attempt to discover enrollment URL for MDM auto-enrollment failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Attempt to discover enrollment URL for MDM auto-enrollment failed. AAD logs may contains additional details about the failure. 
Error: %1 
CorrelationId: %2 
Additional information: %3

Fields

Name	Description
`ErrorCode`	—
`CorrelationId`	—
`AdditionalDetails`	—

Event ID 403 — Attempt to get token for MDM auto-enrollment failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Attempt to get token for MDM auto-enrollment failed. AAD logs may contains additional details about the failure. Another attempt to get token for MDM auto-enrollment will be made later. 
CorrelationId: %1 
Additional information: %2

Fields

Name	Description
`CorrelationId`	—
`AdditionalDetails`	—

Event ID 404 — All attempts to get WAM token for MDM auto-enrollment failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

All attempts to get WAM token for MDM auto-enrollment failed.

Event ID 405 — Requsting token for MDM auto-enrollment failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Requsting token for MDM auto-enrollment failed. AAD logs may contains additional details about the failure. 
Error: %1 
CorrelationId: %2 
Additional information: %3

Fields

Name	Description
`ErrorCode`	—
`CorrelationId`	—
`AdditionalDetails`	—

Event ID 406 — Unenrolling from MDM failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unenrolling from MDM failed. MDM logs may contains additional details about the failure. 
Error: %1 
MDM enrollment ID: %2

Fields

Name	Description
`ExitCode`	—
`EnrollmentId`	—

Event ID 407 — Successfully unenrolled from MDM.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Successfully unenrolled from MDM. 
MDM enrollment ID: %1

Fields

Name	Description
`EnrollmentId`	—

Event ID 408 — Failed to import NGC proof-of-possession key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Failed to import NGC proof-of-possession key. Falling back to software.

Event ID 409 — Failed to get NGC transport key name.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Failed to get NGC transport key name . Falling back to software.

Event ID 410 — Failed to get NGC transport key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Failed to get NGC transport key. Falling back to software.

Event ID 411 — The parameter is invalid.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

The parameter is invalid. Function: %1; Parameter: %2.

Fields

Name	Description
`FunctionName`	—
`ParameterName`	—
`ParameterValueLength`	—
`ParameterValue`	—

Event ID 412 — Unsupported public key structure format encountered.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Unsupported public key structure format encountered. 
Functon: %1 
Magic value: %2

Fields

Name	Description
`FunctionName`	—
`MagicValue`	—

Event ID 413 — Token binding AIK creation failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Token binding AIK creation failed. 
Key type: %1 
IDP domain: %2 
Tenant-based ID: %3 
User SID: %4 
Error: %5

Fields

Name	Description
`KeyType`	—
`IdpDomain`	—
`TenantDomain`	—
`UserSid`	—
`ErrorCode`	—

Event ID 414 — Token binding AIK deletion failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Token binding AIK deletion failed. 
Key type: %1 
IDP domain: %2 
Tenant-based ID: %3 
User SID: %4 
Error: %5

Fields

Name	Description
`KeyType`	—
`IdpDomain`	—
`TenantDomain`	—
`UserSid`	—
`ErrorCode`	—

Event ID 415 — Token binding AIK was successfully created.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Token binding AIK was successfully created. 
Key type: %1 
IDP domain: %2 
Tenant-based ID: %3 
User SID: %4

Fields

Name	Description
`KeyType`	—
`IdpDomain`	—
`TenantDomain`	—
`UserSid`	—

Event ID 416 — Token binding AIK was successfully deleted.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Token binding AIK was successfully deleted. 
Key type: %1 
IDP domain: %2 
Tenant-based ID: %3 
User SID: %4

Fields

Name	Description
`KeyType`	—
`IdpDomain`	—
`TenantDomain`	—
`UserSid`	—

Event ID 417 — Failed to get token binding AIK name.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Failed to get token binding AIK name. 
Key type: %1 
IDP domain: %2 
Tenant-based ID: %3 
User SID: %4 
Error: %5

Fields

Name	Description
`KeyType`	—
`IdpDomain`	—
`TenantDomain`	—
`UserSid`	—
`ErrorCode`	—

Event ID 418 — Hardware policy in registry is set to unsupported value %1.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Hardware policy in registry is set to unsupported value %1. Default hardware policy will be used.

Fields

Name	Description
`PolicyValue`	—

Event ID 419 — NGC transport key creation with key type %5 failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

NGC transport key creation with key type %5 failed. Falling back to a different key type. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
User ID: %4 
Flags: %6 
Error: %7

Fields

Name	Description
`UserSid`	—
`IdpDomain`	—
`TenantDomain`	—
`UserId`	—
`KeyType`	—
`Flags`	—
`ErrorCode`	—

Event ID 420 — Automatic registration failed at authentication phase.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message

Automatic registration failed at authentication phase. Unable to acquire Kerberos ticket. 
Exit code: %1 
Kerberos endpoint: %2 
SPN: %3

Fields

Name	Description
`ExitCode`	—
`Endpoint`	—
`SPN`	—

Event ID 421 —

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Fields

Name	Description
`ErrorCode`	—

Event ID 421 —

Provider: Microsoft-Windows-User Device Registration
Channel: Operational

Fields

Name	Description
`ErrorCode`	—

Event ID 500 —

Provider: Microsoft-Windows-User Device Registration
Channel: Debug

Message

%1

Fields

Name	Description
`Message`	—

Event ID 501 —

Provider: Microsoft-Windows-User Device Registration
Channel: Debug

Message

%1

Fields

Name	Description
`Message`	—

Event ID 502 —

Provider: Microsoft-Windows-User Device Registration
Channel: Debug

Message

%1

Fields

Name	Description
`Message`	—

Event ID 503 —

Provider: Microsoft-Windows-User Device Registration
Channel: Debug

Message

%1

Fields

Name	Description
`Message`	—

Event ID 504 —

Provider: Microsoft-Windows-User Device Registration
Channel: Debug

Message

%1

Fields

Name	Description
`Message`	—

Event ID 4096 — The automatic device registration task will be triggered.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: 4
Samples: 1

Message

The automatic device registration task will be triggered.

Example Event

system:
  provider: Microsoft-Windows-User Device Registration
  guid: 23B8D46B-67DD-40A3-B636-D43E50552C6D
  event_source_name: ''
  event_id: 4096
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 9223372036854775808
  time_created: '2022-04-07T17:10:41.738174+00:00'
  event_record_id: 34
  correlation: {}
  execution:
    process_id: 1792
    thread_id: 2032
  channel: Microsoft-Windows-User Device Registration/Admin
  computer: WIN-FPV0DSIC9O6.sigma.fr
  security:
    user_id: S-1-5-20
event_data: {}
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline