Microsoft-Windows-User Device Registration

220 events across 3 channels

Event ID	Title	Channel
100	The discovery request send operation was successful.	Admin
101	The discovery operation callback was successful.	Admin
102	The initialization of the join request was successful.	Admin
103	The join request was successfully sent to server.	Admin
104	The get join response operation callback was successful.	Admin
105	The complete join response operation was successful.	Admin
106	The post join tasks for the AAD Authentication Package completed successfully.	Admin
107	The existing NGC user ID key was successfully deleted.	Admin
108	The NGC container was successfully created.	Admin
109	The NGC user ID key was successfully created.	Admin
110	The registration status has been successfully cleared from the device.	Admin
111	The registration status has been successfully flushed to disk.	Admin
112	Hostname related error received.	Admin
200	The discovery request send operation failed with exit code: ExitCode.	Admin
201	The discovery operation callback failed with exit code: ExitCode.	Admin
202	The initialization of the join request failed with exit code: ExitCode.	Admin
203	The send join request operation failed with exit code: ExitCode.	Admin
204	The get join response operation callback failed with exit code: ExitCode.	Admin
205	The complete join response operation failed with exit code: ExitCode.	Admin
206	The post join tasks for the Microsoft Entra Authentication Package failed with …	Admin
207	The parameter value should not be NULL or empty.	Admin
208	Unable to remove account UserSID from group Group.	Admin
209	Unable to convert the string-format security identifier (SID) SID to a …	Admin
210	Unable to retrieve account information for security identifier (SID) SID.	Admin
211	Unable to add account UserSID to group Group.	Admin
212	Error happened while accessing registry: ErrorCode.	Admin
213	Unable to connect to Local Security Authority (LSA) server.	Admin
214	Unable to lookup Local Security Authority (LSA) authentication package.	Admin
215	Local Security Authority (LSA) authentication failed.	Admin
216	The security identifier (SID) is invalid.	Admin
217	Unable to copy security identifier (SID) SID.	Admin
218	The string Email is not a valid email address.	Admin
219	Unable to retrieve the Active Directory domain join status information of the …	Admin
220	Unable to retrieve the local computer's name in the specified format Format.	Admin
221	Unable to connect to the LDAP server Server:Port using authentication method …	Admin
222	Unable to convert the SID structure to its string-format.	Admin
223	Unable to set WinHTTP option Option.	Admin
224	Unable to query WinHTTP option Option.	Admin
225	Unable to initialize WinHTTP.	Admin
226	Unable to connect to server Server:Port through WinHTTP.	Admin
227	Unable to open WinHTTP Verb request.	Admin
228	Unable to set WinHTTP call back function.	Admin
229	Unable to retrieve WinHTTP header information.	Admin
230	Unable to send WinHTTP request.	Admin
231	One or more errors were encountered while retrieving a Secure Sockets Layer …	Admin
232	The WinHTTP callback function was cancelled.	Admin
233	The WinHTTP callback function failed.	Admin
234	Unalbed to query the amount of data available to read through WinHTTP.	Admin
235	WinHTTP read data failure.	Admin
236	WinHTTP write data failure.	Admin
237	Unable to setup a certificate from the given encoded string.	Admin
238	Unable to save the certificate.	Admin
239	Unable to clear the registration status from the device.	Admin
240	Unable to flush the registration status to disk.	Admin
241	KSP session ID: KspSessionID.	Admin
242	Account UserSID was added to group Group.	Admin
243	Account UserSID was removed from group Group.	Admin
244	Unable to sign authentication data for managed automatic registration.	Admin
245	Unable to verify or update the signing certificate for automatic registration.	Admin
246	Unable to get persisted state location.	Admin
247	Unable to remove Microsoft Passport key registration for all local Active …	Admin
248	Unable to check whether the attribute value of the device object is up to date.	Admin
249	Unable to start updating attribute value of the device object.	Admin
250	Updating attribute value of the device object started successfully.	Admin
251	The attribute value of the device object was updated successfully.	Admin
252	Unable to update the attribute value of the device object.	Admin
253	Unable to parse the device attribute update server response.	Admin
254	Unable to check MDM enrollment status of the device.	Admin
255	Unable to trigger update task for this device.	Admin
256	The update task for this device was successfully triggered.	Admin
257	The task Folder\TaskName was successfully enabled.	Admin
258	Failed to enable task Folder\TaskName.	Admin
259	The task Folder\TaskName was successfully disabled.	Admin
260	Failed to disable task Folder\TaskName.	Admin
261	The repair join information operation failed.	Admin
262	The repair join information operation completed successfully.	Admin
263	The repair join information operation failed to start.	Admin
264	The repair join information operation started successfully.	Admin
265	The virtual desktop registry has ValuesCount value(s) missing.	Admin
266	The virtual desktop registry value is invalid.	Admin
267	Failed to read virtual desktop settings from registry.	Admin
268	The virtual desktop settings were successfully retrieved from the registry.	Admin
269	Unable to parse the AIK update server response.	Admin
270	Unable to start updating token binding AIK of the device object.	Admin
271	Updating token binding AIK of the device object started successfully.	Admin
272	The token binding AIK of the device object was updated successfully.	Admin
273	Unable to update the token binding AIK of the device object.	Admin
274	Failed to configure KDC proxy group policy.	Admin
275	Failed to restore KDC proxy local group policy to its original value.	Admin
276	The KDC Proxy group policy setting is incorrect.	Admin
277	The KDC proxy group policy has been configured successfully.	Admin
278	The KDC proxy local group policy has been restored to its original value.	Admin
300	The Microsoft Passport key was successfully registered with Azure AD.	Admin
301	NGC key registration failed.	Admin
302	The NGC key registration request was successfully sent.	Admin
303	The NGC key registration initialization operation failed.	Admin
304	Automatic registration failed at join phase.	Admin
305	Automatic registration failed at authentication phase.	Admin
306	Automatic registration Succeeded.	Admin
307	Automatic registration failed.	Admin
308	This Device is joined to Microsoft Entra, however, the user did not sign-in with …	Admin
309	Failed to discover the Microsoft Entra DRS service.	Admin
310	Unable to retrieve the NGC user ID key with name KeyName.	Admin
311	The NGC create container operation failed.	Admin
312	The existing NGC container was successfully deleted.	Admin
314	Unable to delete NGC container.	Admin
315	Unable to create NGC user ID key.	Admin
316	Unable to retrieve the specified NGC user ID key.	Admin
317	Unable to delete NGC user ID key.	Admin
318	Unable to create NGC transport key.	Admin
319	Unable to delete NGC transport key.	Admin
320	Unable to parse the NGC registration server response.	Admin
321	Failed to enable the device lock PIN.	Admin
322	The application does not have the permission to perform this operation.	Admin
323	Preparing to send a request to the Web Account Manager.	Admin
324	Unable to get a token using the Web Account Manager.	Admin
325	Successfully obtained a token for the current user via token broker.	Admin
326	Unable to get the application's core window.	Admin
327	Unable to remove the PIN that has been created to use in place of the current …	Admin
328	Unable to check whether a PIN has been created to use in place of the current …	Admin
329	Preparing to send a request to the Web Account Manager silently (no UI mode).	Admin
330	Microsoft Entra DRS and Enterprise DRS are configured for this device.	Admin
331	Automatic device join pre-check tasks completed.	Admin
332	Automatic device join pre-check tasks found that this device is joined, however, …	Admin
333	Automatic device join pre-check tasks completed.	Admin
334	Automatic device join pre-check tasks completed.	Admin
335	Automatic device join pre-check tasks completed.	Admin
336	The Web Proxy Autodiscovery Protocol (WPAD) did NOT locate the URL of a …	Admin
337	The request was sent to the server through the out-bound proxy and failed with …	Admin
338	The Web Proxy Autodiscovery Protocol (WPAD) located the URL of a configuration …	Admin
339	The following out-bound proxy information was set for this request.	Admin
340	The Web Proxy Autodiscovery Protocol (WPAD) encountered an unexpected error.	Admin
341	This request will NOT fail over to a proxy server.	Admin
342	Unable to query Passport for Work policies.	Admin
343	Unable to enumerate Passport for Work containers.	Admin
344	Failed to access the device key.	Admin
345	Failed to access the device key.	Admin
346	The Microsoft Passport key was successfully removed from Azure AD.	Admin
347	Failed to remove the Microsoft Passport key from Azure AD.	Admin
348	The Microsoft Passport delete key registration request was successfully sent.	Admin
349	Failed to initialize the Microsoft Passport delete key registration request.	Admin
350	The Microsoft Passport key information was successfully saved.	Admin
351	Failed to save the Microsoft Passport key information.	Admin
352	The Microsoft Passport key information was successfully deleted.	Admin
353	Failed to delete the Microsoft Passport key information.	Admin
354	Json Request Failed.	Admin
355	Successfully enrolled for a logon certificate using a Registration Authority.	Admin
356	Failed to enroll for a logon certificate using a Registration Authority.	Admin
357	Group Policy indicates the user must enroll for a logon certificate along with …	Admin
358	Message Device is Microsoft Entra joined (or hybrid joined): DeviceIsJoined User …	Admin
359	Windows Hello for Business provisioning has encountered an error during policy …	Admin
360	Message Device is Microsoft Entra joined (or hybrid joined): DeviceIsJoined User …	Admin
361	Message Device is Microsoft Entra joined (or hybrid joined): DeviceIsJoined User …	Admin
362	Message Device is Microsoft Entra joined (or hybrid joined): DeviceIsJoined User …	Admin
363	The Microsoft Passport key is missing.	Admin
364	The saved Microsoft Passport information does not match the key.	Admin
365	Unable to enroll for a logon certificate using a Registration Authority.	Admin
366	Unable to enroll for a logon certificate using a Registration Authority.	Admin
367	Added following properties to the Web Account Manager access token request.	Admin
368	The following token properties were recieved from the Web Account Manager.	Admin
369	The Workstation Service logged a device registration message.	Admin
370	The automatic device registration task failed to unregister device.	Admin
371	The automatic device registration task successfully unregistered device.	Admin
372	The FIDO credential was successfully registered with Azure AD.	Admin
373	FIDO credential registration failed.	Admin
374	The FIDO credential registration request was successfully sent.	Admin
375	The FIDO credential registration initialization operation failed.	Admin
376	The FIDO credential was successfully created.	Admin
377	Unable to create FIDO credential.	Admin
378	The FIDO credentials were successfully deleted from Azure AD.	Admin
379	FIDO credential deletion failed.	Admin
380	The FIDO credential deletion request was successfully sent.	Admin
381	The FIDO credential deletion initialization operation failed.	Admin
382	Unable to parse the FIDO registration server response.	Admin
383	The PIN has been successfully recovered.	Admin
384	The PIN recover operation failed with exit code: ExitCode.	Admin
385	Unable to get attestation statement for Microsoft Passport key.	Admin
386	Successfully got attestation statement for Microsoft Passport key.	Admin
387	Unable to reset registry recovery flags.	Admin
388	Recovery API APIName called.	Admin
389	Automatic Azure SecureVM Join Succeeded.	Admin
390	Resource account certificate does not match device ceritificate.	Admin
391	Unable to get the NGC user ID key container state.	Admin
392	The NGC user ID key container is in a bad state.	Admin
393	NGC logon certificate could not be renewed due to device ID flip.	Admin
394	Unable to set registry value for device ID flip.	Admin
395	Unable to unset registry value for device ID flip.	Admin
396	Key policy in registry is set to unsupported value PolicyValue.	Admin
397	MDM enrollment for Azure SecureVM succeeded.	Admin
398	MDM enrollment for Azure SecureVM failed.	Admin
399	Attempt to discover enrollment URL for MDM auto-enrollment failed.	Admin
400	All attempts to discover enrollment URL for MDM auto-enrollment failed.	Admin
401	No MDM enrollment URL was discoverered for MDM auto-enrollment.	Admin
402	Attempt to discover enrollment URL for MDM auto-enrollment failed.	Admin
403	Attempt to get token for MDM auto-enrollment failed.	Admin
404	All attempts to get WAM token for MDM auto-enrollment failed.	Admin
405	Requsting token for MDM auto-enrollment failed.	Admin
406	Unenrolling from MDM failed.	Admin
407	Successfully unenrolled from MDM.	Admin
408	Failed to import NGC proof-of-possession key.	Admin
409	Failed to get NGC transport key name.	Admin
410	Failed to get NGC transport key.	Admin
411	The parameter is invalid.	Admin
412	Unsupported public key structure format encountered.	Admin
413	Token binding AIK creation failed.	Admin
414	Token binding AIK deletion failed.	Admin
415	Token binding AIK was successfully created.	Admin
416	Token binding AIK was successfully deleted.	Admin
417	Failed to get token binding AIK name.	Admin
418	Hardware policy in registry is set to unsupported value PolicyValue.	Admin
419	NGC transport key creation with key type KeyType failed.	Admin
420	Automatic registration failed at authentication phase.	Admin
421		Admin
421		Operational
500	Message.	Debug
501	Message.	Debug
502	Message.	Debug
503	Message.	Debug
504	Message.	Debug
4096	The automatic device registration task will be triggered.	Admin

Event ID 100 — The discovery request send operation was successful.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

The discovery request send operation was successful.

Message #

The discovery request send operation was successful.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 100,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-14T21:11:23.195032+00:00",
    "event_record_id": 565,
    "correlation": {},
    "execution": {
      "process_id": 9420,
      "thread_id": 12040
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 101 — The discovery operation callback was successful.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

The discovery operation callback was successful.

Message #

The discovery operation callback was successful. 
Server response was: %1

Fields #

Name	Description
`ServerMessage` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 101,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-14T21:11:23.777637+00:00",
    "event_record_id": 566,
    "correlation": {},
    "execution": {
      "process_id": 9420,
      "thread_id": 11132
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "ServerMessage": "{\"DiscoveryService\":{\"DiscoveryEndpoint\":\"https:\\/\\/enterpriseregistration.windows.net\\/contoso.onmicrosoft.com\\/Discover\",\"ServiceVersion\":\"1.7\"},\"DeviceRegistrationService\":{\"RegistrationEndpoint\":\"https:\\/\\/enterpriseregistration.windows.net\\/EnrollmentServer\\/DeviceEnrollmentWebService.svc\",\"RegistrationResourceId\":\"urn:ms-drs:enterpriseregistration.windows.net\",\"ServiceVersion\":\"1.0\"},\"AuthenticationService\":{\"OAuth2\":{\"AuthCodeEndpoint\":\"https:\\/\\/login.microsoftonline.com\\/1e64ccd8-db90-4ab1-be9c-c04de7241eca\\/oauth2\\/authorize\",\"TokenEndpoint\":\"https:\\/\\/login.microsoftonline.com\\/1e64ccd8-db90-4ab1-be9c-c04de7241eca\\/oauth2\\/token\"}},\"IdentityProviderService\":{\"Federated\":false,\"PassiveAuthEndpoint\":\"https:\\/\\/login.microsoftonline.com\\/contoso.onmicrosoft.com\\/wsfed\"},\"DeviceJoinService\":{\"JoinEndpoint\":\"https:\\/\\/enterpriseregistration.windows.net\\/EnrollmentServer\\/device\\/\",\"JoinResourceId\":\"urn:ms-drs:enterpriseregistration.windows.net\",\"ServiceVersion\":\"2.0\"},\"KeyProvisioningService\":{\"KeyProvisionEndpoint\":\"https:\\/\\/enterpriseregistration.windows.net\\/EnrollmentServer\\/key\\/\",\"KeyProvisionResourceId\":\"urn:ms-drs:enterpriseregistration.windows.net\",\"ServiceVersion\":\"1.0\"},\"WebAuthNService\":{\"ServiceVersion\":\"1.0\",\"WebAuthNEndpoint\":\"https:\\/\\/enterpriseregistration.windows.net\\/webauthn\\/1e64ccd8-db90-4ab1-be9c-c04de7241eca\\/\",\"WebAuthNResourceId\":\"urn:ms-drs:enterpriseregistration.windows.net\"},\"DeviceManagementService\":{\"DeviceManagementEndpoint\":\"https:\\/\\/enterpriseregistration.windows.net\\/manage\\/1e64ccd8-db90-4ab1-be9c-c04de7241eca\\/\",\"DeviceManagementResourceId\":\"urn:ms-drs:enterpriseregistration.windows.net\",\"ServiceVersion\":\"1.0\"},\"MsaProviderData\":{\"SiteId\":\"295958\",\"SiteUrl\":\"enterpriseregistration.windows.net\"},\"PrecreateService\":{\"PrecreateEndpoint\":\"https:\\/\\/enterpriseregistration.windows.net\\/EnrollmentServer\\/device\\/precreate\\/1e64ccd8-db90-4ab1-be9c-c04de7241eca\\/\",\"PrecreateResourceId\":\"urn:ms-drs:enterpriseregistration.windows.net\",\"ServiceVersion\":\"2.0\"},\"TenantInfo\":{\"TenantId\":\"1e64ccd8-db90-4ab1-be9c-c04de7241eca\",\"TenantName\":\"contoso.onmicrosoft.com\"},\"AzureRbacService\":{\"RbacPolicyEndpoint\":\"https:\\/\\/pas.windows.net\"},\"BPLService\":{\"BPLProxyServicePrincipalId\":\"dda27c27-f274-469f-8005-cce10f270009\",\"BPLResourceId\":\"urn:ms-drs:enterpriseregistration.windows.net\",\"BPLServiceEndpoint\":\"https:\\/\\/enterpriseregistration.windows.net\\/aadpasswordpolicy\\/1e64ccd8-db90-4ab1-be9c-c04de7241eca\\/\",\"ServiceVersion\":\"1.0\"},\"DeviceJoinResourceService\":{\"Endpoint\":\"https:\\/\\/enterpriseregistration.windows.net\\/EnrollmentServer\\/device\\/resource\\/1e64ccd8-db90-4ab1-be9c-c04de7241eca\\/\",\"JoinResourceEndpointTLS\":null,\"ResourceId\":\"urn:ms-drs:enterpriseregistration.windows.net\",\"ServiceVersion\":\"2.0\"}}"
  },
  "message": ""
}

Event ID 102 — The initialization of the join request was successful.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

The initialization of the join request was successful. Inputs.

Message #

The initialization of the join request was successful. Inputs:
 JoinRequest: %1 (%2)
 Domain: %3

Fields #

Name	Description
`JoinRequestType` Int32	—
`JoinRequestTypeSymbolicName` UnicodeString	—
`Domain` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 102,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-14T21:11:23.874759+00:00",
    "event_record_id": 567,
    "correlation": {
      "ActivityID": "D73F5340-B345-0006-CF04-40D745B3DC01"
    },
    "execution": {
      "process_id": 9420,
      "thread_id": 12040
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "JoinRequestType": 5,
    "JoinRequestTypeSymbolicName": "WORKPLACE",
    "Domain": "contoso.onmicrosoft.com"
  },
  "message": ""
}

Event ID 103 — The join request was successfully sent to server.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

The join request was successfully sent to server. Inputs.

Message #

The join request was successfully sent to server. Inputs:
 AuthToken: %1

Fields #

Name	Description
`AuthToken` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 103,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-14T21:11:24.436419+00:00",
    "event_record_id": 568,
    "correlation": {
      "ActivityID": "D73F5340-B345-0006-CF04-40D745B3DC01"
    },
    "execution": {
      "process_id": 9420,
      "thread_id": 12040
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "AuthToken": "<Present; Snipped>"
  },
  "message": ""
}

Event ID 104 — The get join response operation callback was successful.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

The get join response operation callback was successful.

Message #

The get join response operation callback was successful. 
Activity Id: %2 
Server response was: %1

Fields #

Name	Description
`ServerResponse` UnicodeString	—
`ActivityId` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 104,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-14T21:11:28.473964+00:00",
    "event_record_id": 569,
    "correlation": {},
    "execution": {
      "process_id": 9420,
      "thread_id": 11132
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "ServerResponse": "{\"Certificate\":{\"Thumbprint\":\"25A0849791D73569B739463793F2D6FE8B537CB1\",\"RawBody\":\"MIID8jCCAtqgAwIBAgIQ/uYcFQ+SyYBADB2zdnI1rjANBgkqhkiG9w0BAQsFADB4MXYwEQYKCZImiZPyLGQBGRYDbmV0MBUGCgmSJomT8ixkARkWB3dpbmRvd3MwHQYDVQQDExZNUy1Pcmdhbml6YXRpb24tQWNjZXNzMCsGA1UECxMkODJkYmFjYTQtM2U4MS00NmNhLTljNzMtMDk1MGMxZWFjYTk3MB4XDTI2MDMxNDIwNDEyN1oXDTM2MDMxNDIxMTEyN1owLzEtMCsGA1UEAxMkZWYwMWI5OWQtN2Y0Zi00Y2E1LWEwM2MtOTU2ZThmYTdmMmExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwdBuTpxq8zFwuHDPpAmdbuwivMhdDv+0kBMzYiHzXpaV8nb1dhk22G8GltrLbv/laYt+QP0Ca6rkRrnyY8UCoxmgBLQb/NeM7NnHFTWG7sSVVfL8Pjgkkpx6NAh518EVLtLlfU6dF6FIWkO+QqmpjdoLtXBQLH93zvKECyDFuSYXJoFzmCUiyFqUTk4ueejA10PPfq6YBk4JAaytEZ6PAutmEicFt+fGg4vVyMPjaQ8vWpadY+HvbCKAkLH41lgEDpR4icTZOhdUHrnld4p04RgTTyulFYgEHjsIR5udbtzESg9AtbWBjD75ZB0SYhQGj2/5wjIXG/K0307Rnp9N4QIDAQABo4HAMIG9MAwGA1UdEwEB/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwIwIgYLKoZIhvcUAQWCHAIEEwSBEJ25Ae9Pf6VMoDyVbo+n8qEwIgYLKoZIhvcUAQWCHAMEEwSBEGnWW4NI3klAvtJ1/ppArPgwIgYLKoZIhvcUAQWCHAUEEwSBENjMZB6Q27FKvpzATeckHsowFAYLKoZIhvcUAQWCHAgEBQSBAk5BMBMGCyqGSIb3FAEFghwHBAQEgQEwMA0GCSqGSIb3DQEBCwUAA4IBAQAo6t7fWMVuGniVRcEqD1U+NehXmlUPHIuIVJBSmar6EYw9ACwCd9n/WKM3LtgMDLQ3nwXroVHJwpxK3IiCqgDnAHuhcQHOWbwhnuuttoXRGm7vj0pj3d0Ap9mJsd2CJj5OvTXtxIeui/Te3enG3WWuvpx0Qu5RIJqwmr031QBunzcsNncvpyhPWFNzotuMTiRORvJh8n1i44VrIthbjl2VgMdSoHE6vNQlefuQZ7a27+Ph0KJeqMo5v6jqLMamfp5U/VyjZ4zssg1IbrW5gfhUDZnQyb+cWcDVMnEdCV585QUzAYIlDjR8Vg3iaAIfPrfJ7oO/k28Q/MOweAv4y/hD\"},\"User\":{\"Upn\":\"labuser@contoso.onmicrosoft.com\"},\"MembershipChanges\":[{\"LocalSID\":\"S-1-5-32-544\",\"AddSIDs\":[\"S-1-12-1-2117376648-1315835739-3444453811-542002737\",\"S-1-12-1-2359094871-1093718557-3030428564-552357830\"]}]}",
    "ActivityId": "a315d45d-ad27-4338-a603-c6283cfa75d2"
  },
  "message": ""
}

Event ID 105 — The complete join response operation was successful.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

The complete join response operation was successful.

Message #

The complete join response operation was successful.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 105,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-14T21:11:28.486079+00:00",
    "event_record_id": 572,
    "correlation": {
      "ActivityID": "D73F5340-B345-000B-88D0-3FD745B3DC01"
    },
    "execution": {
      "process_id": 9420,
      "thread_id": 11132
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 106 — The post join tasks for the AAD Authentication Package completed successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

The post join tasks for the Microsoft Entra Authentication Package completed successfully.

Message #

The post join tasks for the Microsoft Entra Authentication Package completed successfully.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 106,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-14T21:11:28.474004+00:00",
    "event_record_id": 570,
    "correlation": {
      "ActivityID": "D73F5340-B345-000B-88D0-3FD745B3DC01"
    },
    "execution": {
      "process_id": 9420,
      "thread_id": 11132
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 107 — The existing NGC user ID key was successfully deleted.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The existing NGC user ID key was successfully deleted. Key name: KeyName.

Message #

The existing NGC user ID key was successfully deleted. Key name: %1.

Fields #

Name	Description
`KeyName` UnicodeString	—

Event ID 108 — The NGC container was successfully created.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The NGC container was successfully created.

Message #

The NGC container was successfully created. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
Flags: %4

Fields #

Name	Description
`UserSid` UnicodeString	—
`IdpDomain` UnicodeString	—
`TenantDomain` UnicodeString	—
`Flags` UInt32	—

Event ID 109 — The NGC user ID key was successfully created.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The NGC user ID key was successfully created.

Message #

The NGC user ID key was successfully created. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
User ID: %4 
Flags: %5

Fields #

Name	Description
`UserSid` UnicodeString	—
`IdpDomain` UnicodeString	—
`TenantDomain` UnicodeString	—
`UserId` UnicodeString	—
`Flags` UInt32	—

Event ID 110 — The registration status has been successfully cleared from the device.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The registration status has been successfully cleared from the device.

Message #

The registration status has been successfully cleared from the device. 
Join type: %1 (%2) 
Tenant ID: %3 
UPN: %4

Fields #

Name	Description
`JoinType` Int32	—
`JoinTypeSymbolicName` UnicodeString	—
`TenantId` UnicodeString	—
`UPN` UnicodeString	—

Event ID 111 — The registration status has been successfully flushed to disk.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

The registration status has been successfully flushed to disk.

Message #

The registration status has been successfully flushed to disk. 
Join type: %1 (%2)

Fields #

Name	Description
`JoinRequestType` Int32	—
`JoinRequestTypeSymbolicName` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 111,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-14T21:11:28.486074+00:00",
    "event_record_id": 571,
    "correlation": {
      "ActivityID": "D73F5340-B345-000B-88D0-3FD745B3DC01"
    },
    "execution": {
      "process_id": 9420,
      "thread_id": 11132
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "JoinRequestType": 5,
    "JoinRequestTypeSymbolicName": "WORKPLACE"
  },
  "message": ""
}

Event ID 112 — Hostname related error received.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Hostname related error received. Retry join without hostnames.

Message #

Hostname related error received. Retry join without hostnames.

Event ID 200 — The discovery request send operation failed with exit code: ExitCode.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The discovery request send operation failed with exit code: ExitCode. Inputs.

Message #

The discovery request send operation failed with exit code: %1. Inputs:
 Domain: %2

Fields #

Name	Description
`ExitCode` Int32	—
`Domain` UnicodeString	—

Event ID 201 — The discovery operation callback failed with exit code: ExitCode.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The discovery operation callback failed with exit code: ExitCode. The server returned HTTP status: HttpStatus.

Message #

The discovery operation callback failed with exit code: %1. The server returned HTTP status: %2. 
Server response was:
%3

Fields #

Name	Description
`ExitCode` Int32	—
`HttpStatus` UInt32	—
`ServerMessage` UnicodeString	—

Event ID 202 — The initialization of the join request failed with exit code: ExitCode.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The initialization of the join request failed with exit code: ExitCode. Inputs.

Message #

The initialization of the join request failed with exit code: %1. Inputs:
 JoinRequest: %2 (%3)
 Domain: %4

Fields #

Name	Description
`ExitCode` Int32	—
`JoinRequestType` Int32	—
`JoinRequestTypeSymbolicName` UnicodeString	—
`Domain` UnicodeString	—

Event ID 203 — The send join request operation failed with exit code: ExitCode.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The send join request operation failed with exit code: ExitCode. Inputs.

Message #

The send join request operation failed with exit code: %1. Inputs:
 AuthToken: %2

Fields #

Name	Description
`ExitCode` Int32	—
`ActivityId` UnicodeString	—

Event ID 204 — The get join response operation callback failed with exit code: ExitCode.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The get join response operation callback failed with exit code: ExitCode.

Message #

The get join response operation callback failed with exit code: %1. 
Activity Id: %2 
The server returned HTTP status: %3 
Server response was: %4

Fields #

Name	Description
`ExitCode` Int32	—
`ActivityId` UnicodeString	—
`HttpStatus` UInt32	—
`ServerResponse` UnicodeString	—

Event ID 205 — The complete join response operation failed with exit code: ExitCode.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The complete join response operation failed with exit code: ExitCode.

Message #

The complete join response operation failed with exit code: %1.

Fields #

Name	Description
`ExitCode` Int32	—

Event ID 206 — The post join tasks for the Microsoft Entra Authentication Package failed with exit code: ExitCode.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The post join tasks for the Microsoft Entra Authentication Package failed with exit code: ExitCode.

Message #

The post join tasks for the Microsoft Entra Authentication Package failed with exit code: %1

Fields #

Name	Description
`ExitCode` Int32	—

Event ID 207 — The parameter value should not be NULL or empty.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The parameter value should not be NULL or empty. Function: FunctionName; Parameter: ParameterName.

Message #

The parameter value should not be NULL or empty. Function: %1; Parameter: %2.

Fields #

Name	Description
`FunctionName` UnicodeString	—
`ParameterName` UnicodeString	—

Event ID 208 — Unable to remove account UserSID from group Group.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to remove account UserSID from group Group. Error: ErrorCode.

Message #

Unable to remove account %2 from group %1. Error: %3

Fields #

Name	Description
`Group` UnicodeString	—
`UserSID` SID	—
`ErrorCode` UInt32	—

Event ID 209 — Unable to convert the string-format security identifier (SID) SID to a functional SID.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to convert the string-format security identifier (SID) SID to a functional SID. Error: ErrorCode.

Message #

Unable to convert the string-format security identifier (SID) %1 to a functional SID. Error: %2

Fields #

Name	Description
`SID` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 210 — Unable to retrieve account information for security identifier (SID) SID.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to retrieve account information for security identifier (SID) SID. Error: ErrorCode.

Message #

Unable to retrieve account information for security identifier (SID) %1. Error: %2

Fields #

Name	Description
`SID` SID	—
`ErrorCode` UInt32	—

Event ID 211 — Unable to add account UserSID to group Group.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to add account UserSID to group Group. Error: ErrorCode.

Message #

Unable to add account %2 to group %1. Error: %3

Fields #

Name	Description
`Group` UnicodeString	—
`UserSID` SID	—
`ErrorCode` UInt32	—

Event ID 212 — Error happened while accessing registry: ErrorCode.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Error happened while accessing registry: ErrorCode. Operation: Operation. Path: Path.

Message #

Error happened while accessing registry: %1. Operation: %2. Path: %3.

Fields #

Name	Description
`ErrorCode` UInt32	—
`Operation` UnicodeString	— Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`Path` UnicodeString	—

Event ID 213 — Unable to connect to Local Security Authority (LSA) server.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to connect to Local Security Authority (LSA) server. Error: NtStatus.

Message #

Unable to connect to Local Security Authority (LSA) server. Error: %1

Fields #

Name	Description
`NtStatus` UInt32	—

Event ID 214 — Unable to lookup Local Security Authority (LSA) authentication package.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to lookup Local Security Authority (LSA) authentication package. Package name: PackageName. Error: NtStatus.

Message #

Unable to lookup Local Security Authority (LSA) authentication package. Package name: %1. Error: %2

Fields #

Name	Description
`PackageName` AnsiString	—
`NtStatus` UInt32	—

Event ID 215 — Local Security Authority (LSA) authentication failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Local Security Authority (LSA) authentication failed.

Message #

Local Security Authority (LSA) authentication failed. 
Authentication package identifier: %1. 
Authentication package name: %2. 
Authentication package message: %3. 
Error: %4

Fields #

Name	Description
`PackageId` UInt32	—
`PackageName` AnsiString	—
`PackageMessage` UnicodeString	—
`NtStatus` UInt32	—

Event ID 216 — The security identifier (SID) is invalid.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The security identifier (SID) is invalid. Function name: FunctionName. Parameter name: ParameterName.

Message #

The security identifier (SID) is invalid. Function name: %1. Parameter name: %2.

Fields #

Name	Description
`FunctionName` UnicodeString	—
`ParameterName` UnicodeString	—

Event ID 217 — Unable to copy security identifier (SID) SID.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to copy security identifier (SID) SID. Error: ErrorCode.

Message #

Unable to copy security identifier (SID) %1. Error: %2

Fields #

Name	Description
`SID` SID	—
`ErrorCode` UInt32	—

Event ID 218 — The string Email is not a valid email address.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The string Email is not a valid email address.

Message #

The string %1 is not a valid email address.

Fields #

Name	Description
`Email` UnicodeString	—

Event ID 219 — Unable to retrieve the Active Directory domain join status information of the computer.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to retrieve the Active Directory domain join status information of the computer. Error: ErrorCode.

Message #

Unable to retrieve the Active Directory domain join status information of the computer. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32	—

Event ID 220 — Unable to retrieve the local computer's name in the specified format Format.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

Unable to retrieve the local computer's name in the specified format Format. Error: ErrorCode.

Message #

Unable to retrieve the local computer's name in the specified format %1. Error: %2

Fields #

Name	Description
`Format` UnicodeString	—
`ErrorCode` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 220,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-18T05:25:02.728108+00:00",
    "event_record_id": 144,
    "correlation": {},
    "execution": {
      "process_id": 3728,
      "thread_id": 6640
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Format": "NameFullyQualifiedDN",
    "ErrorCode": 1398
  },
  "message": ""
}

Event ID 221 — Unable to connect to the LDAP server Server:Port using authentication method AuthMethod.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

Unable to connect to the LDAP server Server:Port using authentication method AuthMethod. Error: ErrorCode.

Message #

Unable to connect to the LDAP server %1:%2 using authentication method %3. Error: %4

Fields #

Name	Description
`Server` UnicodeString	—
`Port` UInt32	—
`AuthMethod` UInt32	—
`ErrorCode` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 221,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-10T01:11:25.427288+00:00",
    "event_record_id": 14,
    "correlation": {},
    "execution": {
      "process_id": 2936,
      "thread_id": 4644
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Server": "",
    "Port": 389,
    "AuthMethod": 1158,
    "ErrorCode": 81
  },
  "message": ""
}

Event ID 222 — Unable to convert the SID structure to its string-format.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to convert the SID structure to its string-format. Error: ErrorCode.

Message #

Unable to convert the SID structure to its string-format. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32	—

Event ID 223 — Unable to set WinHTTP option Option.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to set WinHTTP option Option. Error: ErrorCode.

Message #

Unable to set WinHTTP option %1. Error: %2

Fields #

Name	Description
`Option` UInt32	—
`ErrorCode` UInt32	—

Event ID 224 — Unable to query WinHTTP option Option.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to query WinHTTP option Option. Error: ErrorCode.

Message #

Unable to query WinHTTP option %1. Error: %2

Fields #

Name	Description
`Option` UInt32	—
`ErrorCode` UInt32	—

Event ID 225 — Unable to initialize WinHTTP.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to initialize WinHTTP.

Message #

Unable to initialize WinHTTP. 
User agent: %1 
Access type: %2 
Proxy name: %3 
Proxy bypass address list: %4 
Flags: %5 
Error: %6

Fields #

Name	Description
`UserAgent` UnicodeString	—
`AccessType` UInt32	—
`ProxyName` UnicodeString	—
`ProxyBypassList` UnicodeString	—
`Flags` UInt32	—
`ErrorCode` UInt32	—

Event ID 226 — Unable to connect to server Server:Port through WinHTTP.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to connect to server Server:Port through WinHTTP. Error: ErrorCode.

Message #

Unable to connect to server %1:%2 through WinHTTP. Error: %3

Fields #

Name	Description
`Server` UnicodeString	—
`Port` UInt16	—
`ErrorCode` UInt32	—

Event ID 227 — Unable to open WinHTTP Verb request.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to open WinHTTP Verb request. Flags: Flags. Error: ErrorCode.

Message #

Unable to open WinHTTP %1 request. Flags: %2. Error: %3

Fields #

Name	Description
`Verb` UnicodeString	—
`Flags` UInt32	—
`ErrorCode` UInt32	—

Event ID 228 — Unable to set WinHTTP call back function.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to set WinHTTP call back function. Notification flags: NotificationFlags. Error: ErrorCode.

Message #

Unable to set WinHTTP call back function. Notification flags: %1. Error: %2

Fields #

Name	Description
`NotificationFlags` UInt32	—
`ErrorCode` UInt32	—

Event ID 229 — Unable to retrieve WinHTTP header information.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to retrieve WinHTTP header information. Flags: Flags. Name: HeaderName. Error: ErrorCode.

Message #

Unable to retrieve WinHTTP header information. Flags: %1. Name: %2. Error: %3

Fields #

Name	Description
`Flags` UInt32	—
`HeaderName` UnicodeString	—
`ErrorCode` UInt32	—

Event ID 230 — Unable to send WinHTTP request.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to send WinHTTP request. Error: ErrorCode.

Message #

Unable to send WinHTTP request. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32	—

Event ID 231 — One or more errors were encountered while retrieving a Secure Sockets Layer (SSL) certificate from the server.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

One or more errors were encountered while retrieving a Secure Sockets Layer (SSL) certificate from the server.

Message #

One or more errors were encountered while retrieving a Secure Sockets Layer (SSL) certificate from the server.  
Error code: %1 
WinHTTP status: %2 (%3)

Fields #

Name	Description
`ErrorCode` UInt32	—
`WinHttpStatus` UInt32	—
`WinHttpStatusFlag` UnicodeString	—

Event ID 232 — The WinHTTP callback function was cancelled.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The WinHTTP callback function was cancelled. WINHTTP_STATUS_CALLBACK status code: StatusCode (StatusName).

Message #

The WinHTTP callback function was cancelled. WINHTTP_STATUS_CALLBACK status code: %1 (%2)

Fields #

Name	Description
`StatusCode` UInt32	—
`StatusName` UnicodeString	—

Event ID 233 — The WinHTTP callback function failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The WinHTTP callback function failed. WINHTTP_STATUS_CALLBACK status code: StatusCode (StatusName). Error: ErrorCode.

Message #

The WinHTTP callback function failed. WINHTTP_STATUS_CALLBACK status code: %1 (%3). Error: %2

Fields #

Name	Description
`StatusCode` UInt32	—
`ErrorCode` Int32	—
`StatusName` UnicodeString	—

Event ID 234 — Unalbed to query the amount of data available to read through WinHTTP.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unalbed to query the amount of data available to read through WinHTTP. Error: ErrorCode.

Message #

Unalbed to query the amount of data available to read through WinHTTP. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32	—

Event ID 235 — WinHTTP read data failure.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

WinHTTP read data failure. Error: ErrorCode.

Message #

WinHTTP read data failure. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32	—

Event ID 236 — WinHTTP write data failure.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

WinHTTP write data failure. Error: ErrorCode.

Message #

WinHTTP write data failure. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32	—

Event ID 237 — Unable to setup a certificate from the given encoded string.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to setup a certificate from the given encoded string. Error: ErrorCode.

Message #

Unable to setup a certificate from the given encoded string. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32	—

Event ID 238 — Unable to save the certificate.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to save the certificate. Error: ErrorCode.

Message #

Unable to save the certificate. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32	—

Event ID 239 — Unable to clear the registration status from the device.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to clear the registration status from the device.

Message #

Unable to clear the registration status from the device. 
Exit code: %1 
Join type: %2 (%3) 
Tenant ID: %4 
UPN: %5

Fields #

Name	Description
`ExitCode` Int32	—
`JoinType` Int32	—
`JoinTypeSymbolicName` UnicodeString	—
`TenantId` UnicodeString	—
`UPN` UnicodeString	—

Event ID 240 — Unable to flush the registration status to disk.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to flush the registration status to disk.

Message #

Unable to flush the registration status to disk. 
Exit code: %1 
Join type: %2 (%3)

Fields #

Name	Description
`ExitCode` Int32	—
`JoinRequestType` Int32	—
`JoinRequestTypeSymbolicName` UnicodeString	—

Event ID 241 — KSP session ID: KspSessionID.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

KSP session ID: KspSessionID.

Message #

KSP session ID: %1

Fields #

Name	Description
`KspSessionID` UnicodeString	—

Event ID 242 — Account UserSID was added to group Group.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Account UserSID was added to group Group.

Message #

Account %2 was added to group %1.

Fields #

Name	Description
`Group` UnicodeString	—
`UserSID` SID	—

Event ID 243 — Account UserSID was removed from group Group.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Account UserSID was removed from group Group.

Message #

Account %2 was removed from group %1.

Fields #

Name	Description
`Group` UnicodeString	—
`UserSID` SID	—

Event ID 244 — Unable to sign authentication data for managed automatic registration.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to sign authentication data for managed automatic registration. Exit code: ExitCode.

Message #

Unable to sign authentication data for managed automatic registration. Exit code: %1.

Fields #

Name	Description
`ExitCode` Int32	—

Event ID 245 — Unable to verify or update the signing certificate for automatic registration.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to verify or update the signing certificate for automatic registration. Exit code: ExitCode.

Message #

Unable to verify or update the signing certificate for automatic registration. Exit code: %1.

Fields #

Name	Description
`ExitCode` Int32	—

Event ID 246 — Unable to get persisted state location.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to get persisted state location.

Message #

Unable to get persisted state location. 
Exit code: %1 
Resource ID: %2 
Default location: %3 
Location type: %4 (%5)

Fields #

Name	Description
`ErrorCode` HexInt32	—
`SourceId` UnicodeString	—
`DefaultPath` UnicodeString	—
`LocationType` Int32	—
`LocationTypeName` UnicodeString	—

Event ID 247 — Unable to remove Microsoft Passport key registration for all local Active Directory and Azure Active Directory users.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to remove Microsoft Passport key registration for all local Active Directory and Microsoft Entra users.

Message #

Unable to remove Microsoft Passport key registration for all local Active Directory and Microsoft Entra users. 
Exit code: %1

Fields #

Name	Description
`ExitCode` Int32	—

Event ID 248 — Unable to check whether the attribute value of the device object is up to date.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to check whether the attribute value of the device object is up to date.

Message #

Unable to check whether the attribute value of the device object is up to date. 
Exit code: %1 
Attribute: %2 
Tenant ID: %3 
Device ID: %4 
Join type: %5 (%6)

Fields #

Name	Description
`ExitCode` Int32	—
`Attribute` UnicodeString	—
`TenantId` UnicodeString	—
`DeviceId` UnicodeString	—
`JoinType` Int32	—
`JoinTypeName` UnicodeString	—

Event ID 249 — Unable to start updating attribute value of the device object.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to start updating attribute value of the device object.

Message #

Unable to start updating attribute value of the device object. 
Exit code: %1 
Attribute: %2 
Tenant ID: %3 
Device ID: %4 
Join type: %5 (%6) 
Request ID: %7

Fields #

Name	Description
`ExitCode` Int32	—
`Attribute` UnicodeString	—
`TenantId` UnicodeString	—
`DeviceId` UnicodeString	—
`JoinType` Int32	—
`JoinTypeName` UnicodeString	—
`RequestId` UnicodeString	—

Event ID 250 — Updating attribute value of the device object started successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Updating attribute value of the device object started successfully.

Message #

Updating attribute value of the device object started successfully. 
Attribute: %1 
Tenant ID: %2 
Device ID: %3 
Join type: %4 (%5) 
Request ID: %6

Fields #

Name	Description
`Attribute` UnicodeString	—
`TenantId` UnicodeString	—
`DeviceId` UnicodeString	—
`JoinType` Int32	—
`JoinTypeName` UnicodeString	—
`RequestId` UnicodeString	—

Event ID 251 — The attribute value of the device object was updated successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The attribute value of the device object was updated successfully.

Message #

The attribute value of the device object was updated successfully. 
Attribute: %1 
Tenant ID: %2 
Device ID: %3 
Join type: %4 (%5) 
Request ID: %6 
HTTP status: %7 
Time: %8 
Server message: %9 
Server response body: %10

Fields #

Name	Description
`Attribute` UnicodeString	—
`TenantId` UnicodeString	—
`DeviceId` UnicodeString	—
`JoinType` Int32	—
`JoinTypeName` UnicodeString	—
`RequestId` UnicodeString	—
`HttpStatus` Int32	—
`ServerTime` UnicodeString	—
`ServerMessage` UnicodeString	—
`ResponseBody` UnicodeString	—

Event ID 252 — Unable to update the attribute value of the device object.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to update the attribute value of the device object.

Message #

Unable to update the attribute value of the device object. 
Exit code: %1 
Attribute: %2 
Tenant ID: %3 
Device ID: %4 
Join type: %5 (%6) 
Request ID: %7 
HTTP status: %8 
Time: %9 
Error Code: %12 
Error Subcode: %13 
Server message: %10 
Server response body: %11

Fields #

Name	Description
`ExitCode` Int32	—
`Attribute` UnicodeString	—
`TenantId` UnicodeString	—
`DeviceId` UnicodeString	—
`JoinType` Int32	—
`JoinTypeName` UnicodeString	—
`RequestId` UnicodeString	—
`HttpStatus` Int32	—
`ServerTime` UnicodeString	—
`ServerMessage` UnicodeString	—
`ResponseBody` UnicodeString	—
`ErrorCode` UnicodeString	—
`ErrorSubcode` UnicodeString	—

Event ID 253 — Unable to parse the device attribute update server response.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to parse the device attribute update server response.

Message #

Unable to parse the device attribute update server response. 
HTTP status: %1 
Server response body: %2 
Error: %3

Fields #

Name	Description
`HttpStatus` UInt32	—
`ResponseBody` UnicodeString	—
`ErrorCode` Int32	—

Event ID 254 — Unable to check MDM enrollment status of the device.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to check MDM enrollment status of the device.

Message #

Unable to check MDM enrollment status of the device. 
Error: %1

Fields #

Name	Description
`ErrorCode` Int32	—

Event ID 255 — Unable to trigger update task for this device.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to trigger update task for this device.

Message #

Unable to trigger update task for this device. 
Error: %1 
Join type: %2 (%3) 
Tenant ID: %4

Fields #

Name	Description
`ErrorCode` Int32	—
`JoinType` Int32	—
`JoinTypeName` UnicodeString	—
`TenantId` UnicodeString	—

Event ID 256 — The update task for this device was successfully triggered.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The update task for this device was successfully triggered.

Message #

The update task for this device was successfully triggered. 
Join type: %1 (%2) 
Tenant ID: %3

Fields #

Name	Description
`JoinType` Int32	—
`JoinTypeName` UnicodeString	—
`TenantId` UnicodeString	—

Event ID 257 — The task Folder\TaskName was successfully enabled.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

The task Folder\TaskName was successfully enabled.

Message #

The task %1\%2 was successfully enabled.

Fields #

Name	Description
`Folder` UnicodeString	—
`TaskName` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 257,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T16:53:21.781532+00:00",
    "event_record_id": 25,
    "correlation": {},
    "execution": {
      "process_id": 1792,
      "thread_id": 2032
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "Folder": "\\Microsoft\\Windows\\Workplace Join",
    "TaskName": "Automatic-Device-Join"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 258 — Failed to enable task Folder\TaskName.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Warning

Description

Failed to enable task Folder\TaskName. Error: ErrorCode.

Message #

Failed to enable task %2\%3. Error: %1

Fields #

Name	Description
`ErrorCode` Int32	—
`Folder` UnicodeString	—
`TaskName` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 258,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T16:53:16.759761+00:00",
    "event_record_id": 24,
    "correlation": {},
    "execution": {
      "process_id": 1792,
      "thread_id": 2032
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "ErrorCode": -2147023728,
    "Folder": "\\Microsoft\\Windows\\Workplace Join",
    "TaskName": "Automatic-Device-Join"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 259 — The task Folder\TaskName was successfully disabled.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The task Folder\TaskName was successfully disabled.

Message #

The task %1\%2 was successfully disabled.

Fields #

Name	Description
`Folder` UnicodeString	—
`TaskName` UnicodeString	—

Event ID 260 — Failed to disable task Folder\TaskName.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to disable task Folder\TaskName. Error: ErrorCode.

Message #

Failed to disable task %2\%3. Error: %1

Fields #

Name	Description
`ErrorCode` Int32	—
`Folder` UnicodeString	—
`TaskName` UnicodeString	—

Event ID 261 — The repair join information operation failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The repair join information operation failed.

Message #

The repair join information operation failed. 
Exit code: %1 
Tenant ID: %2 
Device ID: %3 
Join Type: %4 (%5) 
Request Id: %6 
Time: %7 
Http Status: %8 
Error Code: %9 
Error Subcode: %10 
Server Message: %11 
Server Operation: %12

Fields #

Name	Description
`ExitCode` Int32	—
`TenantId` UnicodeString	—
`DeviceId` UnicodeString	—
`JoinType` Int32	—
`JoinTypeName` UnicodeString	—
`RequestId` UnicodeString	—
`Time` UnicodeString	—
`HttpStatus` UInt32	—
`ErrorCode` UnicodeString	—
`ErrorSubcode` UnicodeString	—
`ServerMessage` UnicodeString	—
`ServerOperation` UnicodeString	—

Event ID 262 — The repair join information operation completed successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The repair join information operation completed successfully.

Message #

The repair join information operation completed successfully. 
Tenant ID: %1 
Device ID: %2 
Join UPN: %3 
Join Type: %4 (%5) 
Request Id: %6 
Time: %7 
Http Status: %8

Fields #

Name	Description
`TenantId` UnicodeString	—
`DeviceId` UnicodeString	—
`JoinUpn` UnicodeString	—
`JoinType` Int32	—
`JoinTypeName` UnicodeString	—
`RequestId` UnicodeString	—
`Time` UnicodeString	—
`HttpStatus` UInt32	—

Event ID 263 — The repair join information operation failed to start.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The repair join information operation failed to start.

Message #

The repair join information operation failed to start. 
Exit code: %1 
Tenant ID: %2 
Join Type: %3 (%4) 
Input UPN: %5 
Input UPN Count: %6 
Request ID: %7

Fields #

Name	Description
`ExitCode` Int32	—
`TenantId` UnicodeString	—
`JoinType` Int32	—
`JoinTypeName` UnicodeString	—
`InputUpn` UnicodeString	—
`InputUpnCount` UInt32	—
`RequestId` UnicodeString	—

Event ID 264 — The repair join information operation started successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The repair join information operation started successfully.

Message #

The repair join information operation started successfully. 
Tenant ID: %1 
Device ID: %2 
Join UPN: %5 
Input UPN Count: %6 
Join Type: %3 (%4) 
Request Id: %7

Fields #

Name	Description
`TenantId` UnicodeString	—
`DeviceId` UnicodeString	—
`JoinType` Int32	—
`JoinTypeName` UnicodeString	—
`JoinUpn` UnicodeString	—
`InputUpnCount` UInt32	—
`RequestId` UnicodeString	—

Event ID 265 — The virtual desktop registry has ValuesCount value(s) missing.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The virtual desktop registry has ValuesCount value(s) missing.

Message #

The virtual desktop registry has %2 value(s) missing. 
Registry key: %1 
Missing values: %4

Fields #

Name	Description
`RegistryKey` UnicodeString	—
`ValuesCount` UInt32	—
`Value` UnicodeString	—
`ValuesList` UnicodeString	—

Event ID 266 — The virtual desktop registry value is invalid.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The virtual desktop registry value is invalid.

Message #

The virtual desktop registry value is invalid. 
Registry key: %1 
Value name: %2 
Value: %3

Fields #

Name	Description
`RegistryKey` UnicodeString	—
`ValueName` UnicodeString	—
`Value` UInt32	—

Event ID 267 — Failed to read virtual desktop settings from registry.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to read virtual desktop settings from registry.

Message #

Failed to read virtual desktop settings from registry. 
Error: %1 
Registry key: %2

Fields #

Name	Description
`ExitCode` Int32	—
`RegistryKey` UnicodeString	—

Event ID 268 — The virtual desktop settings were successfully retrieved from the registry.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The virtual desktop settings were successfully retrieved from the registry.

Message #

The virtual desktop settings were successfully retrieved from the registry. 
Registry key: %1 
Provider: %2 
Type: %3 (%4) 
User mode: %5 (%6) 
Extensions: %7 
For the list of extensions, see "Extension" in EventData.

Fields #

Name	Description
`RegistryKey` UnicodeString	—
`Provider` UnicodeString	—
`Type` UInt32	—
`TypeName` UnicodeString	—
`UserMode` UInt32	—
`UserModeName` UnicodeString	—
`ExtensionsCount` UInt32	—
`Extension` UnicodeString	—

Event ID 269 — Unable to parse the AIK update server response.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to parse the AIK update server response.

Message #

Unable to parse the AIK update server response. 
HTTP status: %1 
Server response body: %2 
Error: %3

Fields #

Name	Description
`HttpStatus` UInt32	—
`ResponseBody` UnicodeString	—
`ErrorCode` Int32	—

Event ID 270 — Unable to start updating token binding AIK of the device object.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to start updating token binding AIK of the device object.

Message #

Unable to start updating token binding AIK of the device object. 
Exit code: %1 
Join type: %2 (%3) 
Tenant ID: %4 
Device ID: %5 
User SID: %6 
User token: %7 
Request ID: %8

Fields #

Name	Description
`ExitCode` Int32	—
`JoinType` Int32	—
`JoinTypeName` UnicodeString	—
`TenantId` UnicodeString	—
`DeviceId` UnicodeString	—
`UserSid` UnicodeString	—
`AuthToken` UnicodeString	—
`RequestId` UnicodeString	—

Event ID 271 — Updating token binding AIK of the device object started successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Updating token binding AIK of the device object started successfully.

Message #

Updating token binding AIK of the device object started successfully. 
Join type: %1 (%2) 
Tenant ID: %3 
Device ID: %4 
User SID: %5 
User token: %6 
Request ID: %7

Fields #

Name	Description
`JoinType` Int32	—
`JoinTypeName` UnicodeString	—
`TenantId` UnicodeString	—
`DeviceId` UnicodeString	—
`UserSid` UnicodeString	—
`AuthToken` UnicodeString	—
`RequestId` UnicodeString	—

Event ID 272 — The token binding AIK of the device object was updated successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The token binding AIK of the device object was updated successfully.

Message #

The token binding AIK of the device object was updated successfully. 
Join type: %1 (%2) 
Tenant ID: %3 
Device ID: %4 
User SID: %5 
Request ID: %6 
HTTP status: %7 
Time: %8

Fields #

Name	Description
`JoinType` Int32	—
`JoinTypeName` UnicodeString	—
`TenantId` UnicodeString	—
`DeviceId` UnicodeString	—
`UserSid` UnicodeString	—
`RequestId` UnicodeString	—
`HttpStatus` Int32	—
`ServerTime` UnicodeString	—

Event ID 273 — Unable to update the token binding AIK of the device object.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to update the token binding AIK of the device object.

Message #

Unable to update the token binding AIK of the device object. 
Exit code: %1 
Join type: %2 (%3) 
Tenant ID: %4 
Device ID: %5 
User SID: %6 
Request ID: %7 
HTTP status: %8 
Time: %9 
Error Code: %12 
Error Subcode: %13 
Server message: %10 
Server response body: %11

Fields #

Name	Description
`ExitCode` Int32	—
`JoinType` Int32	—
`JoinTypeName` UnicodeString	—
`TenantId` UnicodeString	—
`DeviceId` UnicodeString	—
`UserSid` UnicodeString	—
`RequestId` UnicodeString	—
`HttpStatus` Int32	—
`ServerTime` UnicodeString	—
`ServerMessage` UnicodeString	—
`ResponseBody` UnicodeString	—
`ErrorCode` UnicodeString	—
`ErrorSubcode` UnicodeString	—

Event ID 274 — Failed to configure KDC proxy group policy.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to configure KDC proxy group policy.

Message #

Failed to configure KDC proxy group policy. 
Exit code: %1 
Kerberos endpoint: %2 
Kerberos realm: %3 
KDC proxy server: %4 
Local group policy modified: %5

Fields #

Name	Description
`ExitCode` Int32	—
`KerbEndpoint` UnicodeString	—
`Realm` UnicodeString	—
`KdcProxyServer` UnicodeString	—
`LocalGpoModified` UnicodeString	—

Event ID 275 — Failed to restore KDC proxy local group policy to its original value.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to restore KDC proxy local group policy to its original value.

Message #

Failed to restore KDC proxy local group policy to its original value. 
Exit code: %1

Fields #

Name	Description
`ExitCode` Int32	—

Event ID 276 — The KDC Proxy group policy setting is incorrect.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The KDC Proxy group policy setting is incorrect.

Message #

The KDC Proxy group policy setting is incorrect. 
Expected value: 
  KdcProxyServer_Enabled: %1 
  NoRevocationCheck: %2 
  Proxy Server: %3 
Actual value: 
  KdcProxyServer_Enabled: %4 
  NoRevocationCheck: %5 
  Proxy Server: %6

Fields #

Name	Description
`ExpectedProxyEnabled` UnicodeString	—
`ExpectedNoRevocationCheck` UnicodeString	—
`ExpectedProxyServer` UnicodeString	—
`ActualProxyEnabled` UnicodeString	—
`ActualNoRevocationCheck` UnicodeString	—
`ActualProxyServer` UnicodeString	—

Event ID 277 — The KDC proxy group policy has been configured successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The KDC proxy group policy has been configured successfully.

Message #

The KDC proxy group policy has been configured successfully. 
Kerberos endpoint: %1 
Kerberos realm: %2 
KdcProxyServer_Enabled: %3 
NoRevocationCheck: %4 
KDC Proxy Server: %5

Fields #

Name	Description
`KerbEndpoint` UnicodeString	—
`Realm` UnicodeString	—
`ProxyEnabled` UnicodeString	—
`NoRevocationCheck` UnicodeString	—
`ProxyServer` UnicodeString	—

Event ID 278 — The KDC proxy local group policy has been restored to its original value.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The KDC proxy local group policy has been restored to its original value.

Message #

The KDC proxy local group policy has been restored to its original value. 
KdcProxyServer_Enabled: %1 
NoRevocationCheck: %2 
KDC Proxy Server: %3

Fields #

Name	Description
`ProxyEnabled` UnicodeString	—
`NoRevocationCheck` UnicodeString	—
`ProxyServer` UnicodeString	—

Event ID 300 — The Microsoft Passport key was successfully registered with Azure AD.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The Microsoft Passport key was successfully registered with Microsoft Entra.

Message #

The Microsoft Passport key was successfully registered with Microsoft Entra. 
Key ID: %1 
UPN: %2 
Attestation: %3 
Client request ID: %4 
Server request ID: %5 
Server response: %6

Fields #

Name	Description
`KeyId` GUID	—
`UPN` UnicodeString	—
`Attestation` UnicodeString	—
`ClientRequestId` UnicodeString	—
`ServerRequestId` UnicodeString	—
`ServerResponse` UnicodeString	—

Event ID 301 — NGC key registration failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

NGC key registration failed.

Message #

NGC key registration failed. 
Exit code: %1 
Client request ID: %2 
Server request ID: %3 
Error code: %4 
Server error message: %5 
Recommended client response: %6 
Server response: %7

Fields #

Name	Description
`ExitCode` Int32	—
`ClientRequestId` UnicodeString	—
`ServerRequestId` UnicodeString	—
`ErrorCode` UnicodeString	—
`ServerErrorMessage` UnicodeString	—
`RecommendedClientResponse` UnicodeString	—
`ServerResponse` UnicodeString	—

Event ID 302 — The NGC key registration request was successfully sent.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The NGC key registration request was successfully sent. User email: Email.

Message #

The NGC key registration request was successfully sent. User email: %1.
Auth token: %2.

Fields #

Name	Description
`Email` UnicodeString	—
`AuthToken` UnicodeString	—

Event ID 303 — The NGC key registration initialization operation failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The NGC key registration initialization operation failed. Exit code: ExitCode. User email: Email.

Message #

The NGC key registration initialization operation failed. Exit code: %1. User email: %2.
Auth token: %3.

Fields #

Name	Description
`ExitCode` Int32	—
`Email` UnicodeString	—
`AuthToken` UnicodeString	—

Event ID 304 — Automatic registration failed at join phase.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Error

Description

Automatic registration failed at join phase.

Message #

Automatic registration failed at join phase. 
Exit code: %1 
Server error: %2 
Tenant type: %3 
Registration type: %4 
Debug Output: 
%5

Fields #

Name	Description
`ExitCode` Int32	—
`ServerErrorMessage` UnicodeString	—
`TenantType` UnicodeString	—
`JoinType` UnicodeString	—
`DebugOutput` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 304,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T17:10:43.160191+00:00",
    "event_record_id": 37,
    "correlation": {},
    "execution": {
      "process_id": 1256,
      "thread_id": 5068
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ExitCode": -2145648611,
    "ServerErrorMessage": "",
    "TenantType": "undefined",
    "JoinType": "undefined",
    "DebugOutput": "joinMode: Join\ndrsInstance: undefined\nregistrationType: undefined\ntenantType: undefined\ntenantId: undefined\nconfigLocation: undefined\nerrorPhase: discover\nadalCorrelationId: 52807b09-dcaf-44b6-a94c-911b39350cb1\nadalLog:\nundefined\nadalResponseCode: 0x0\n"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 305 — Automatic registration failed at authentication phase.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Automatic registration failed at authentication phase. Unable to acquire access token.

Message #

Automatic registration failed at authentication phase. Unable to acquire access token. 
Exit code: %1 
Tenant Name: %4 
Tenant Type: %3 
Server error: 
%2

Fields #

Name	Description
`ExitCode` Int32	—
`ServerErrorMessage` UnicodeString	—
`TenantType` UnicodeString	—
`TenantName` UnicodeString	—

Event ID 306 — Automatic registration Succeeded.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Automatic registration Succeeded.

Message #

Automatic registration Succeeded.

Event ID 307 — Automatic registration failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Error

Description

Automatic registration failed. Failed to lookup the registration service information from Active Directory. Exit code: ExitCode. See http://go.microsoft.com/fwlink/?LinkId=623042.

Message #

Automatic registration failed. Failed to lookup the registration service information from Active Directory. Exit code: %1. See http://go.microsoft.com/fwlink/?LinkId=623042

Fields #

Name	Description
`ExitCode` Int32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 307,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T17:10:43.160164+00:00",
    "event_record_id": 36,
    "correlation": {},
    "execution": {
      "process_id": 1256,
      "thread_id": 5068
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ExitCode": -2145648611
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 308 — This Device is joined to Microsoft Entra, however, the user did not sign-in with a Microsoft Entra account.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

This Device is joined to Microsoft Entra, however, the user did not sign-in with a Microsoft Entra account. Microsoft Passport provisioning will not be enabled. User: UserSID.

Message #

This Device is joined to Microsoft Entra, however, the user did not sign-in with a Microsoft Entra account. Microsoft Passport provisioning will not be enabled. User: %1.

Fields #

Name	Description
`UserSID` UnicodeString	—

Event ID 309 — Failed to discover the Microsoft Entra DRS service.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to discover the Microsoft Entra DRS service. Exit code: ExitCode.

Message #

Failed to discover the Microsoft Entra DRS service. Exit code: %1.

Fields #

Name	Description
`ExitCode` Int32	—

Event ID 310 — Unable to retrieve the NGC user ID key with name KeyName.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to retrieve the NGC user ID key with name KeyName. Error: ErrorCode.

Message #

Unable to retrieve the NGC user ID key with name %1. Error: %2

Fields #

Name	Description
`KeyName` UnicodeString	—
`ErrorCode` Int32	—

Event ID 311 — The NGC create container operation failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The NGC create container operation failed.

Message #

The NGC create container operation failed. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
Flags: %4 
Error: %5

Fields #

Name	Description
`UserSid` UnicodeString	—
`IdpDomain` UnicodeString	—
`TenantDomain` UnicodeString	—
`Flags` UInt32	—
`ErrorCode` Int32	—

Event ID 312 — The existing NGC container was successfully deleted.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The existing NGC container was successfully deleted.

Message #

The existing NGC container was successfully deleted. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3

Fields #

Name	Description
`UserSid` UnicodeString	—
`IdpDomain` UnicodeString	—
`TenantDomain` UnicodeString	—

Event ID 314 — Unable to delete NGC container.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to delete NGC container.

Message #

Unable to delete NGC container. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
Error: %4

Fields #

Name	Description
`UserSid` UnicodeString	—
`IdpDomain` UnicodeString	—
`TenantDomain` UnicodeString	—
`ErrorCode` Int32	—

Event ID 315 — Unable to create NGC user ID key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to create NGC user ID key.

Message #

Unable to create NGC user ID key. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
User ID: %4 
Flags: %5 
Error: %6

Fields #

Name	Description
`UserSid` UnicodeString	—
`IdpDomain` UnicodeString	—
`TenantDomain` UnicodeString	—
`UserId` UnicodeString	—
`Flags` UInt32	—
`ErrorCode` Int32	—

Event ID 316 — Unable to retrieve the specified NGC user ID key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to retrieve the specified NGC user ID key.

Message #

Unable to retrieve the specified NGC user ID key. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
User ID: %4 
Error: %5

Fields #

Name	Description
`UserSid` UnicodeString	—
`IdpDomain` UnicodeString	—
`TenantDomain` UnicodeString	—
`UserId` UnicodeString	—
`ErrorCode` Int32	—

Event ID 317 — Unable to delete NGC user ID key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to delete NGC user ID key. Key name: KeyName. Error: ErrorCode.

Message #

Unable to delete NGC user ID key. Key name: %1. Error: %2

Fields #

Name	Description
`KeyName` UnicodeString	—
`ErrorCode` Int32	—

Event ID 318 — Unable to create NGC transport key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to create NGC transport key.

Message #

Unable to create NGC transport key. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
User ID: %4 
Key type: %5 
Flags: %6 
Error: %7

Fields #

Name	Description
`UserSid` UnicodeString	—
`IdpDomain` UnicodeString	—
`TenantDomain` UnicodeString	—
`UserId` UnicodeString	—
`KeyType` Int32	— Known values `%%2499` Machine key `%%2500` User key
`Flags` UInt32	—
`ErrorCode` Int32	—

Event ID 319 — Unable to delete NGC transport key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to delete NGC transport key.

Message #

Unable to delete NGC transport key. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
User ID: %4 
Flags: %6 
Error: %5

Fields #

Name	Description
`UserSid` UnicodeString	—
`IdpDomain` UnicodeString	—
`TenantDomain` UnicodeString	—
`UserId` UnicodeString	—
`ErrorCode` Int32	—
`Flags` UInt32	—

Event ID 320 — Unable to parse the NGC registration server response.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to parse the NGC registration server response.

Message #

Unable to parse the NGC registration server response. 
HTTP status: %1 
Server response body: %2 
Error: %3

Fields #

Name	Description
`HttpStatus` UInt32	—
`ResponseBody` UnicodeString	—
`ErrorCode` Int32	—

Event ID 321 — Failed to enable the device lock PIN.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to enable the device lock PIN. Error: ErrorCode.

Message #

Failed to enable the device lock PIN. Error: %1

Fields #

Name	Description
`ErrorCode` Int32	—

Event ID 322 — The application does not have the permission to perform this operation.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The application does not have the permission to perform this operation. Application SID: AppSid.

Message #

The application does not have the permission to perform this operation. Application SID: %1

Fields #

Name	Description
`AppSid` UnicodeString	—

Event ID 323 — Preparing to send a request to the Web Account Manager.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Preparing to send a request to the Web Account Manager.

Message #

Preparing to send a request to the Web Account Manager. 
Account provider ID: %1 
Scope: %2 
Client ID: %3 
Authority: %4 
Resource: %5 
CorrelationId: %6

Fields #

Name	Description
`AccountProvider` UnicodeString	—
`Scope` UnicodeString	—
`Client` UnicodeString	—
`Authority` UnicodeString	—
`Resource` UnicodeString	—
`CorrelationId` UnicodeString	—

Event ID 324 — Unable to get a token using the Web Account Manager.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to get a token using the Web Account Manager. Error: ErrorCode.

Message #

Unable to get a token using the Web Account Manager. Error: %5 
Request status code: %1 (%2) 
Token provider error code: %3 
Token provider error message: %4 
CorrelationId: %6

Fields #

Name	Description
`RequestStatus` Int32	—
`RequestStatusSymbolicName` UnicodeString	—
`ProviderErrorCode` UInt32	—
`ProviderErrorMessage` UnicodeString	—
`ErrorCode` Int32	—
`CorrelationId` UnicodeString	—

Event ID 325 — Successfully obtained a token for the current user via token broker.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Successfully obtained a token for the current user via token broker.

Message #

Successfully obtained a token for the current user via token broker. 
CorrelationId: %1

Fields #

Name	Description
`CorrelationId` UnicodeString	—

Event ID 326 — Unable to get the application's core window.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to get the application's core window. Error: ErrorCode.

Message #

Unable to get the application's core window. Error: %1

Fields #

Name	Description
`ErrorCode` Int32	—

Event ID 327 — Unable to remove the PIN that has been created to use in place of the current user's logon password.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to remove the PIN that has been created to use in place of the current user's logon password.

Message #

Unable to remove the PIN that has been created to use in place of the current user's logon password. 
User SID: %1 
Error: %2

Fields #

Name	Description
`UserSid` UnicodeString	—
`ErrorCode` Int32	—

Event ID 328 — Unable to check whether a PIN has been created to use in place of the current user's logon password.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to check whether a PIN has been created to use in place of the current user's logon password.

Message #

Unable to check whether a PIN has been created to use in place of the current user's logon password. 
User SID: %1 
Error: %2

Fields #

Name	Description
`UserSid` UnicodeString	—
`ErrorCode` Int32	—

Event ID 329 — Preparing to send a request to the Web Account Manager silently (no UI mode).

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Preparing to send a request to the Web Account Manager silently (no UI mode).

Message #

Preparing to send a request to the Web Account Manager silently (no UI mode). 
Account provider ID: %1 
Scope: %2 
Client ID: %3 
Authority: %4 
Resource: %5 
CorrelationId: %6

Fields #

Name	Description
`AccountProvider` UnicodeString	—
`Scope` UnicodeString	—
`Client` UnicodeString	—
`Authority` UnicodeString	—
`Resource` UnicodeString	—
`CorrelationId` UnicodeString	—

Event ID 330 — Microsoft Entra DRS and Enterprise DRS are configured for this device.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Microsoft Entra DRS and Enterprise DRS are configured for this device. Only one DRS instance can be configured for an environment. MicrosoftEntraTenantName:AzureADTenantName EnterpriseDrsName:EnterpriseDrsName.

Message #

Microsoft Entra DRS and Enterprise DRS are configured for this device. Only one DRS instance can be configured for an environment. MicrosoftEntraTenantName:%1 EnterpriseDrsName:%2

Fields #

Name	Description
`AzureADTenantName` UnicodeString	—
`EnterpriseDrsName` UnicodeString	—

Event ID 331 — Automatic device join pre-check tasks completed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

Automatic device join pre-check tasks completed. Details.

Message #

Automatic device join pre-check tasks completed. Details: 
%1

Fields #

Name	Description
`DebugOutput` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 331,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T17:10:43.101829+00:00",
    "event_record_id": 35,
    "correlation": {},
    "execution": {
      "process_id": 1256,
      "thread_id": 5068
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DebugOutput": "preCheckResult: Join\ndeviceKeysHealthy: undefined\nisJoined: undefined\nisDcAvailable: YES\nisSystem: YES\nkeyProvider: undefined\nkeyContainer: undefined\ndsrInstance: undefined\nelapsedSeconds: 0\nresultCode: 0x0\n"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 332 — Automatic device join pre-check tasks found that this device is joined, however, it is missing some required state.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Automatic device join pre-check tasks found that this device is joined, however, it is missing some required state. The device will be removed and then joined again.

Message #

Automatic device join pre-check tasks found that this device is joined, however, it is missing some required state. The device will be removed and then joined again.

Event ID 333 — Automatic device join pre-check tasks completed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Automatic device join pre-check tasks completed. The device can NOT be joined. The process MUST run as NT AUTHORITY\SYSTEM.

Message #

Automatic device join pre-check tasks completed. The device can NOT be joined. The process MUST run as NT AUTHORITY\SYSTEM.

Event ID 334 — Automatic device join pre-check tasks completed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Warning

Message #

Automatic device join pre-check tasks completed. The device can NOT be joined because a domain controller could not be located. The device must be connected to a network with connectivity to an Active Directory domain controller.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 334,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T08:31:21.022689+00:00",
    "event_record_id": 14,
    "correlation": {},
    "execution": {
      "process_id": 2328,
      "thread_id": 2332
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 335 — Automatic device join pre-check tasks completed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Automatic device join pre-check tasks completed. The device is already joined.

Message #

Automatic device join pre-check tasks completed. The device is already joined.

Event ID 336 — The Web Proxy Autodiscovery Protocol (WPAD) did NOT locate the URL of a configuration file using DHCP and/or DNS discovery methods.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The Web Proxy Autodiscovery Protocol (WPAD) did NOT locate the URL of a configuration file using DHCP and/or DNS discovery methods. The request will be sent directly to the server.

Message #

The Web Proxy Autodiscovery Protocol (WPAD) did NOT locate the URL of a configuration file using DHCP and/or DNS discovery methods. The request will be sent directly to the server. 
WINHTTP_STATUS_CALLBACK dwInternetStatus is %1 (%4) 
WINHTTP_ASYNC_RESULT dwResult is %2 (%5) 
WINHTTP_ASYNC_RESULT dwError is %3

Fields #

Name	Description
`dwInternetStatus` UInt32	—
`dwResult` UInt64	—
`dwError` UInt32	—
`InternetStatus` UnicodeString	—
`Result` UnicodeString	—

Event ID 337 — The request was sent to the server through the out-bound proxy and failed with the following information.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The request was sent to the server through the out-bound proxy and failed with the following information. A fail-over proxy server will be used if available.

Message #

The request was sent to the server through the out-bound proxy and failed with the following information. A fail-over proxy server will be used if available. 
WINHTTP_STATUS_CALLBACK dwInternetStatus is %1 (%4) 
WINHTTP_ASYNC_RESULT dwResult is %2 (%5) 
WINHTTP_ASYNC_RESULT dwError is %3

Fields #

Name	Description
`dwInternetStatus` UInt32	—
`dwResult` UInt64	—
`dwError` UInt32	—
`InternetStatus` UnicodeString	—
`Result` UnicodeString	—

Event ID 338 — The Web Proxy Autodiscovery Protocol (WPAD) located the URL of a configuration file using DHCP and/or DNS discovery methods.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The Web Proxy Autodiscovery Protocol (WPAD) located the URL of a configuration file using DHCP and/or DNS discovery methods. ProxyCount configuration entries were found in the configuration file.

Message #

The Web Proxy Autodiscovery Protocol (WPAD) located the URL of a configuration file using DHCP and/or DNS discovery methods. %1 configuration entries were found in the configuration file.

Fields #

Name	Description
`ProxyCount` UInt32	—

Event ID 339 — The following out-bound proxy information was set for this request.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The following out-bound proxy information was set for this request.

Message #

The following out-bound proxy information was set for this request. 
WINHTTP_PROXY_RESULT_ENTRY fProxy is: %1 
WINHTTP_PROXY_RESULT_ENTRY fBypass is: %2 
WINHTTP_PROXY_RESULT_ENTRY INTERNET_SCHEME is: %3 
WINHTTP_PROXY_RESULT_ENTRY pwszProxy is: %4 
WINHTTP_PROXY_RESULT_ENTRY ProxyPort is: %5

Fields #

Name	Description
`fProxy` UnicodeString	—
`fBypass` UnicodeString	—
`INTERNET_SCHEME` UInt32	—
`pwszProxy` UnicodeString	—
`ProxyPort` UInt32	—

Event ID 340 — The Web Proxy Autodiscovery Protocol (WPAD) encountered an unexpected error.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The Web Proxy Autodiscovery Protocol (WPAD) encountered an unexpected error. The request may not have been sent to the server.

Message #

The Web Proxy Autodiscovery Protocol (WPAD) encountered an unexpected error. The request may not have been sent to the server. 
WINHTTP_STATUS_CALLBACK dwInternetStatus is %1 (%4) 
WINHTTP_ASYNC_RESULT dwResult is %2 (%5) 
WINHTTP_ASYNC_RESULT dwError is %3

Fields #

Name	Description
`dwInternetStatus` UInt32	—
`dwResult` UInt64	—
`dwError` UInt32	—
`InternetStatus` UnicodeString	—
`Result` UnicodeString	—

Event ID 341 — This request will NOT fail over to a proxy server.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

This request will NOT fail over to a proxy server. The end of the proxy configuration discovered by Web Proxy Autodiscovery Protocol (WPAD) has been reached. Error ErrorCode.

Message #

This request will NOT fail over to a proxy server. The end of the proxy configuration discovered by Web Proxy Autodiscovery Protocol (WPAD) has been reached. Error %1

Fields #

Name	Description
`ErrorCode` UInt32	—

Event ID 342 — Unable to query Passport for Work policies.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to query Passport for Work policies.

Message #

Unable to query Passport for Work policies. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
Error: %4

Fields #

Name	Description
`UserSid` UnicodeString	—
`IdpDomain` UnicodeString	—
`TenantDomain` UnicodeString	—
`ErrorCode` Int32	—

Event ID 343 — Unable to enumerate Passport for Work containers.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to enumerate Passport for Work containers.

Message #

Unable to enumerate Passport for Work containers. 
User SID: %1 
Error: %2

Fields #

Name	Description
`UserSid` UnicodeString	—
`ErrorCode` Int32	—

Event ID 344 — Failed to access the device key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to access the device key. If you have a TPM, it might be locked out or in an unknown state.

Message #

Failed to access the device key. If you have a TPM, it might be locked out or in an unknown state. 
Error: %1

Fields #

Name	Description
`ExitCode` Int32	—

Event ID 345 — Failed to access the device key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to access the device key. The device key has likely been removed.

Message #

Failed to access the device key. The device key has likely been removed. 
Error: %1

Fields #

Name	Description
`ExitCode` Int32	—

Event ID 346 — The Microsoft Passport key was successfully removed from Azure AD.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The Microsoft Passport key was successfully removed from Microsoft Entra.

Message #

The Microsoft Passport key was successfully removed from Microsoft Entra. 
Key ID (encoded): %1 
UPN: %2 
Client request ID: %3 
Server request ID: %4 
Server response: %5

Fields #

Name	Description
`KeyHash` UnicodeString	—
`UPN` UnicodeString	—
`ClientRequestId` UnicodeString	—
`ServerRequestId` UnicodeString	—
`ServerResponse` UnicodeString	—

Event ID 347 — Failed to remove the Microsoft Passport key from Azure AD.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to remove the Microsoft Passport key from Microsoft Entra.

Message #

Failed to remove the Microsoft Passport key from Microsoft Entra. 
Error: %2 
Key ID (encoded): %1 
Client request ID: %3 
Server request ID: %4 
Server error code: %5 
Server error message: %6 
Recommended client response: %7 
Server response: %8

Fields #

Name	Description
`KeyHash` UnicodeString	—
`ErrorCode` Int32	—
`ClientRequestId` UnicodeString	—
`ServerRequestId` UnicodeString	—
`ServerErrorCode` UnicodeString	—
`ServerErrorMessage` UnicodeString	—
`RecommendedClientResponse` UnicodeString	—
`ServerResponse` UnicodeString	—

Event ID 348 — The Microsoft Passport delete key registration request was successfully sent.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The Microsoft Passport delete key registration request was successfully sent. User email: Email. Tenant ID: TenantId. Auth token: AuthToken.

Message #

The Microsoft Passport delete key registration request was successfully sent. User email: %1. Tenant ID: %2. Auth token: %3.

Fields #

Name	Description
`Email` UnicodeString	—
`TenantId` UnicodeString	—
`AuthToken` UnicodeString	—

Event ID 349 — Failed to initialize the Microsoft Passport delete key registration request.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to initialize the Microsoft Passport delete key registration request. Exit code: ExitCode. User email: Email. Tenant ID: TenantId. Auth token: AuthToken.

Message #

Failed to initialize the Microsoft Passport delete key registration request. Exit code: %1. User email: %2. Tenant ID: %3. Auth token: %4.

Fields #

Name	Description
`ExitCode` Int32	—
`Email` UnicodeString	—
`TenantId` UnicodeString	—
`AuthToken` UnicodeString	—

Event ID 350 — The Microsoft Passport key information was successfully saved.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The Microsoft Passport key information was successfully saved.

Message #

The Microsoft Passport key information was successfully saved. 
Key ID: %1 
Attestation level: %2 
AIK status: %3 
Key type: %4 
Key name: %5 
IDP domain: %6 
Tenant ID: %7 
User email: %8

Fields #

Name	Description
`KeyId` UnicodeString	—
`AttLevel` UInt64	—
`AikStatus` UInt64	—
`KeyType` UInt64	— Known values `%%2499` Machine key `%%2500` User key
`KeyName` UnicodeString	—
`IdpDomain` UnicodeString	—
`TenantId` UnicodeString	—
`UserEmail` UnicodeString	—

Event ID 351 — Failed to save the Microsoft Passport key information.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to save the Microsoft Passport key information.

Message #

Failed to save the Microsoft Passport key information. 
Error: %1 
Key ID: %2 
Attestation level: %3 
AIK status: %4 
Key type: %5 
Key name: %6 
IDP domain: %7 
Tenant ID: %8 
User email: %9

Fields #

Name	Description
`ErrorCode` Int32	—
`KeyId` UnicodeString	—
`AttLevel` UInt64	—
`AikStatus` UInt64	—
`KeyType` UInt64	— Known values `%%2499` Machine key `%%2500` User key
`KeyName` UnicodeString	—
`IdpDomain` UnicodeString	—
`TenantId` UnicodeString	—
`UserEmail` UnicodeString	—

Event ID 352 — The Microsoft Passport key information was successfully deleted.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The Microsoft Passport key information was successfully deleted.

Message #

The Microsoft Passport key information was successfully deleted. 
Key ID: %1 
User SID: %2

Fields #

Name	Description
`KeyId` UnicodeString	—
`UserSid` UnicodeString	—

Event ID 353 — Failed to delete the Microsoft Passport key information.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to delete the Microsoft Passport key information.

Message #

Failed to delete the Microsoft Passport key information. 
Error: %1 
Key ID: %2 
User SID: %3

Fields #

Name	Description
`ErrorCode` Int32	—
`KeyId` UnicodeString	—
`UserSid` UnicodeString	—

Event ID 354 — Json Request Failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Json Request Failed. Exit code: ExitCode. httpStatus: HttpStatus Server response: ServerMessage.

Message #

Json Request Failed. Exit code: %1. httpStatus: %2 Server response: %3.

Fields #

Name	Description
`ExitCode` Int32	—
`HttpStatus` UInt32	—
`ServerMessage` UnicodeString	—

Event ID 355 — Successfully enrolled for a logon certificate using a Registration Authority.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Successfully enrolled for a logon certificate using a Registration Authority.

Message #

Successfully enrolled for a logon certificate using a Registration Authority. 
Upn: %1 
TenantId: %2 
Authority: %3 
Resource: %4 
ExitCode: %5

Fields #

Name	Description
`Upn` UnicodeString	—
`TenantId` UnicodeString	—
`Authority` UnicodeString	—
`Resource` UnicodeString	—
`ExitCode` Int32	—

Event ID 356 — Failed to enroll for a logon certificate using a Registration Authority.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to enroll for a logon certificate using a Registration Authority.

Message #

Failed to enroll for a logon certificate using a Registration Authority. 
UPN: %1 
TenantId: %2 
ExitCode: %3

Fields #

Name	Description
`UPN` UnicodeString	—
`TenantId` UnicodeString	—
`ExitCode` Int32	—

Event ID 357 — Group Policy indicates the user must enroll for a logon certificate along with their work PIN.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Group Policy indicates the user must enroll for a logon certificate along with their work PIN.

Message #

Group Policy indicates the user must enroll for a logon certificate along with their work PIN. 
Sid: %1 
TenantId: %2

Fields #

Name	Description
`Sid` UnicodeString	—
`TenantId` UnicodeString	—

Event ID 358 — Message Device is Microsoft Entra joined (or hybrid joined): DeviceIsJoined User has logged on with Microsoft Entra credentials: AADPrt Windows Hello for Business polic...

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Message #

%1 
Device is Microsoft Entra joined (or hybrid joined): %2 
User has logged on with Microsoft Entra credentials: %3 
Windows Hello for Business policy is enabled: %4 
Windows Hello for Business post-logon provisioning is enabled: %5 
Local computer meets Windows hello for business hardware requirements: %6 
User is not connected to the machine via Remote Desktop: %7 
User certificate for on premise auth policy is enabled: %8 
Machine is governed by %9 policy. 
Cloud trust for on premise auth policy is enabled: %10 
User account has Cloud to OnPrem TGT: %11 
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.

Fields #

Name	Description
`Message` UnicodeString	—
`DeviceIsJoined` UnicodeString	—
`AADPrt` UnicodeString	—
`NgcPolicyEnabled` UnicodeString	—
`NgcPostLogonProvisioningEnabled` UnicodeString	—
`NgcHardwarePolicyMet` UnicodeString	—
`UserIsRemote` UnicodeString	—
`LogonCertRequired` UnicodeString	—
`MachinePolicySource` UnicodeString	—
`UseCloudTrust` UnicodeString	—
`CloudTgt` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 358,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T16:57:32.679856+00:00",
    "event_record_id": 27,
    "correlation": {},
    "execution": {
      "process_id": 4128,
      "thread_id": 4156
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {
    "Message": "Windows Hello for Business provisioning will be launched.",
    "DeviceIsJoined": "Not Tested",
    "AADPrt": "Not Tested",
    "NgcPolicyEnabled": "Not Tested",
    "NgcPostLogonProvisioningEnabled": "Not Tested",
    "NgcHardwarePolicyMet": "Not Tested",
    "UserIsRemote": "Yes",
    "LogonCertRequired": "Not Tested",
    "MachinePolicySource": "none",
    "UseCloudTrust": "Not Tested",
    "CloudTgt": "Not Tested"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 359 — Windows Hello for Business provisioning has encountered an error during policy evaluation.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Error

Description

Windows Hello for Business provisioning has encountered an error during policy evaluation.

Message #

Windows Hello for Business provisioning has encountered an error during policy evaluation. 
ExitCode: %1 
Method: %2 
See https://go.microsoft.com/fwlink/?linkid=832647 for more details

Fields #

Name	Description
`ExitCode` Int32	—
`Method` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 359,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T16:57:32.078732+00:00",
    "event_record_id": 26,
    "correlation": {},
    "execution": {
      "process_id": 4128,
      "thread_id": 4156
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {
    "ExitCode": -805175273,
    "Method": "LsaGetSSOAccountType"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 360 — Message Device is Microsoft Entra joined (or hybrid joined): DeviceIsJoined User has logged on with Microsoft Entra credentials: AADPrt Windows Hello for Business polic...

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Warning

Message #

%1 
Device is Microsoft Entra joined (or hybrid joined): %2 
User has logged on with Microsoft Entra credentials: %3 
Windows Hello for Business policy is enabled: %4 
Windows Hello for Business post-logon provisioning is enabled: %5 
Local computer meets Windows hello for business hardware requirements: %6 
User is not connected to the machine via Remote Desktop: %7 
User certificate for on premise auth policy is enabled: %8 
Machine is governed by %9 policy. 
Cloud trust for on premise auth policy is enabled: %10 
User account has Cloud to OnPrem TGT: %11 
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.

Fields #

Name	Description
`Message` UnicodeString	—
`DeviceIsJoined` UnicodeString	—
`AADPrt` UnicodeString	—
`NgcPolicyEnabled` UnicodeString	—
`NgcPostLogonProvisioningEnabled` UnicodeString	—
`NgcHardwarePolicyMet` UnicodeString	—
`UserIsRemote` UnicodeString	—
`LogonCertRequired` UnicodeString	—
`MachinePolicySource` UnicodeString	—
`UseCloudTrust` UnicodeString	—
`CloudTgt` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 360,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-05T23:54:10.290552+00:00",
    "event_record_id": 11,
    "correlation": {},
    "execution": {
      "process_id": 10860,
      "thread_id": 5432
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "Message": "Windows Hello for Business provisioning will not be launched.",
    "DeviceIsJoined": "Not Tested",
    "AADPrt": "No",
    "NgcPolicyEnabled": "Not Tested",
    "NgcPostLogonProvisioningEnabled": "Not Tested",
    "NgcHardwarePolicyMet": "Not Tested",
    "UserIsRemote": "Yes",
    "LogonCertRequired": "Not Tested",
    "MachinePolicySource": "none",
    "UseCloudTrust": "Not Tested",
    "CloudTgt": "Not Tested"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 361 — Message Device is Microsoft Entra joined (or hybrid joined): DeviceIsJoined User has logged on with Microsoft Entra credentials: AADPrt Windows Hello for Business polic...

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message #

%1 
Device is Microsoft Entra joined (or hybrid joined): %2 
User has logged on with Microsoft Entra credentials: %3 
Windows Hello for Business policy is enabled: %4 
Windows Hello for Business post-logon provisioning is enabled: %5 
Local computer meets Windows hello for business hardware requirements: %6 
User is not connected to the machine via Remote Desktop: %7 
User certificate for on premise auth policy is enabled: %8 
MDM user certificate enrollment is ready: %9 
Certificate enrollment method: %10 
See https://go.microsoft.com/fwlink/?linkid=832647 for more details

Fields #

Name	Description
`Message` UnicodeString	—
`DeviceIsJoined` UnicodeString	—
`AADPrt` UnicodeString	—
`NgcPolicyEnabled` UnicodeString	—
`NgcPostLogonProvisioningEnabled` UnicodeString	—
`NgcHardwarePolicyMet` UnicodeString	—
`UserIsRemote` UnicodeString	—
`LogonCertRequired` UnicodeString	—
`MDMCertEnrollmentReady` UnicodeString	—
`MachinePolicySource` UnicodeString	—

Event ID 362 — Message Device is Microsoft Entra joined (or hybrid joined): DeviceIsJoined User has logged on with Microsoft Entra credentials: AADPrt Windows Hello for Business polic...

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message #

%1 
Device is Microsoft Entra joined (or hybrid joined): %2 
User has logged on with Microsoft Entra credentials: %3 
Windows Hello for Business policy is enabled: %4 
Windows Hello for Business post-logon provisioning is enabled: %5 
Local computer meets Windows hello for business hardware requirements: %6 
User is not connected to the machine via Remote Desktop: %7 
User certificate for on premise auth policy is enabled: %8 
Enterprise user logon certificate enrollment endpoint is ready: %9 
Enterprise user logon certificate template is : %10 
User has successfully authenticated to the enterprise STS: %11 
Certificate enrollment method: %12 
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.

Fields #

Name	Description
`Message` UnicodeString	—
`DeviceIsJoined` UnicodeString	—
`AADPrt` UnicodeString	—
`NgcPolicyEnabled` UnicodeString	—
`NgcPostLogonProvisioningEnabled` UnicodeString	—
`NgcHardwarePolicyMet` UnicodeString	—
`UserIsRemote` UnicodeString	—
`LogonCertRequired` UnicodeString	—
`ADFSRaReady` UnicodeString	—
`RATemplateReady` UnicodeString	—
`ADFSPrtPresent` UnicodeString	—
`MachinePolicySource` UnicodeString	—

Event ID 363 — The Microsoft Passport key is missing.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The Microsoft Passport key is missing.

Message #

The Microsoft Passport key is missing. 
Key ID: %1 
Attestation level: %2 
AIK status: %3 
Key type: %4 
Key name: %5 
IDP domain: %6 
Tenant ID: %7 
User email: %8

Fields #

Name	Description
`KeyId` GUID	—
`AttLevel` UInt64	—
`AikStatus` UInt64	—
`KeyType` UInt64	— Known values `%%2499` Machine key `%%2500` User key
`KeyName` UnicodeString	—
`IdpDomain` UnicodeString	—
`TenantId` UnicodeString	—
`UserEmail` UnicodeString	—

Event ID 364 — The saved Microsoft Passport information does not match the key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The saved Microsoft Passport information does not match the key.

Message #

The saved Microsoft Passport information does not match the key. 
Saved information: 
  Key ID: %1 
  Key name: %2 
  IDP domain: %3 
  Tenant ID: %4 
  User email: %5 
The Microsoft Passport key: 
  Key name: %6 
  IDP domain: %7 
  Tenant ID: %8 
  User email: %9

Fields #

Name	Description
`SavedKeyId` GUID	—
`SavedKeyName` UnicodeString	—
`SavedIdpDomain` UnicodeString	—
`SavedTenantId` UnicodeString	—
`SavedUserEmail` UnicodeString	—
`KeyName` UnicodeString	—
`IdpDomain` UnicodeString	—
`TenantId` UnicodeString	—
`UserEmail` UnicodeString	—

Event ID 365 — Unable to enroll for a logon certificate using a Registration Authority.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to enroll for a logon certificate using a Registration Authority. Automatic certificate enrollment will retry at regular intervals.

Message #

Unable to enroll for a logon certificate using a Registration Authority. Automatic certificate enrollment will retry at regular intervals. 
UPN: %1 
TenantId: %2 
ExitCode: %3

Fields #

Name	Description
`UPN` UnicodeString	—
`TenantId` UnicodeString	—
`ExitCode` Int32	—

Event ID 366 — Unable to enroll for a logon certificate using a Registration Authority.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to enroll for a logon certificate using a Registration Authority.

Message #

Unable to enroll for a logon certificate using a Registration Authority. 
Resource: %1 
ExitCode: %2

Fields #

Name	Description
`Resource` UnicodeString	—
`ExitCode` Int32	—

Event ID 367 — Added following properties to the Web Account Manager access token request.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Added following properties to the Web Account Manager access token request.

Message #

Added following properties to the Web Account Manager access token request. 
Properties: 
%1

Fields #

Name	Description
`Properties` UnicodeString	—

Event ID 368 — The following token properties were recieved from the Web Account Manager.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The following token properties were recieved from the Web Account Manager.

Message #

The following token properties were recieved from the Web Account Manager: 
Properties: %1

Fields #

Name	Description
`Properties` UnicodeString	—

Event ID 369 — The Workstation Service logged a device registration message.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

The Workstation Service logged a device registration message.

Message #

The Workstation Service logged a device registration message. 
Message: %1

Fields #

Name	Description
`Message` UnicodeString	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 369,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T16:53:14.439647+00:00",
    "event_record_id": 23,
    "correlation": {},
    "execution": {
      "process_id": 1792,
      "thread_id": 1992
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "Message": "AutoJoinSvc/WJSetScheduledTaskState: IRegisteredTask_Run(\"\\Microsoft\\Windows\\Workplace Join\\Automatic-Device-Join\") failed with code 0x80070490."
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 370 — The automatic device registration task failed to unregister device.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The automatic device registration task failed to unregister device.

Message #

The automatic device registration task failed to unregister device. 
Exit code: %1 
Server error: %2 
Tenant type: %3 
Registration type: %4 
Debug Output: 
%5

Fields #

Name	Description
`ExitCode` Int32	—
`ServerErrorMessage` UnicodeString	—
`TenantType` UnicodeString	—
`JoinType` UnicodeString	—
`DebugOutput` UnicodeString	—

Event ID 371 — The automatic device registration task successfully unregistered device.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The automatic device registration task successfully unregistered device.

Message #

The automatic device registration task successfully unregistered device.

Event ID 372 — The FIDO credential was successfully registered with Azure AD.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The FIDO credential was successfully registered with Microsoft Entra.

Message #

The FIDO credential was successfully registered with Microsoft Entra. 
Credential ID: %1 
UPN: %2 
Request ID: %3 
Time: %4 
Server response: %5

Fields #

Name	Description
`KeyId` UnicodeString	—
`UPN` UnicodeString	—
`RequestId` UnicodeString	—
`Time` UnicodeString	—
`ServerResponse` UnicodeString	—

Event ID 373 — FIDO credential registration failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

FIDO credential registration failed.

Message #

FIDO credential registration failed. 
Exit code: %1 
Request ID: %2 
Time: %3 
HTTP status: %4 
Error code: %5 
Error subcode: %6 
Server error message: %7 
Server response: %8

Fields #

Name	Description
`ExitCode` Int32	—
`RequestId` UnicodeString	—
`Time` UnicodeString	—
`HttpStatus` UInt32	—
`ErrorCode` UnicodeString	—
`ErrorSubCode` UnicodeString	—
`ServerErrorMessage` UnicodeString	—
`ServerResponse` UnicodeString	—

Event ID 374 — The FIDO credential registration request was successfully sent.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The FIDO credential registration request was successfully sent.

Message #

The FIDO credential registration request was successfully sent. 
RPID: %1 
UPN: %2 
Credential display name: %3 
User display name: %4 
User image URL: %5 
Key algorithm: %6 
Auth token: %7 
Request ID: %8 
Flags: %9

Fields #

Name	Description
`RPID` UnicodeString	—
`UPN` UnicodeString	—
`KeyDisplayName` UnicodeString	—
`UserDisplayName` UnicodeString	—
`UserImageUrl` UnicodeString	—
`KeyAlgorithm` UnicodeString	—
`AuthToken` UnicodeString	—
`RequestId` UnicodeString	—
`Flags` UInt32	—

Event ID 375 — The FIDO credential registration initialization operation failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The FIDO credential registration initialization operation failed.

Message #

The FIDO credential registration initialization operation failed. 
Exit code: %1 
RPID: %2 
UPN: %3 
Credential display name: %4 
User display name: %5 
User image URL: %6 
Key algorithm: %7 
Auth token: %8 
Request ID: %9 
Flags: %10

Fields #

Name	Description
`ExitCode` Int32	—
`RPID` UnicodeString	—
`UPN` UnicodeString	—
`KeyDisplayName` UnicodeString	—
`UserDisplayName` UnicodeString	—
`UserImageUrl` UnicodeString	—
`KeyAlgorithm` UnicodeString	—
`AuthToken` UnicodeString	—
`RequestId` UnicodeString	—
`Flags` UInt32	—

Event ID 376 — The FIDO credential was successfully created.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The FIDO credential was successfully created.

Message #

The FIDO credential was successfully created. 
UPN: %1 
Credential display name: %2 
User display name: %3 
User image URL: %4 
Key algorithm: %5 
Auth token: %6 
Request ID: %7 
Flags: %8

Fields #

Name	Description
`UPN` UnicodeString	—
`KeyDisplayName` UnicodeString	—
`UserDisplayName` UnicodeString	—
`UserImageUrl` UnicodeString	—
`KeyAlgorithm` UnicodeString	—
`AuthToken` UnicodeString	—
`RequestId` UnicodeString	—
`Flags` UInt32	—
`PinStatus` UInt32	—
`PinRetries` UInt32	—

Event ID 377 — Unable to create FIDO credential.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to create FIDO credential.

Message #

Unable to create FIDO credential. 
Exit code: %1 
UPN: %2 
Credential display name: %3 
User display name: %4 
User image URL: %5 
Key algorithm: %6 
Auth token: %7 
Request ID: %8 
Flags: %9

Fields #

Name	Description
`ExitCode` Int32	—
`UPN` UnicodeString	—
`KeyDisplayName` UnicodeString	—
`UserDisplayName` UnicodeString	—
`UserImageUrl` UnicodeString	—
`KeyAlgorithm` UnicodeString	—
`AuthToken` UnicodeString	—
`RequestId` UnicodeString	—
`Flags` UInt32	—
`PinStatus` UInt32	—
`PinRetries` UInt32	—

Event ID 378 — The FIDO credentials were successfully deleted from Azure AD.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The FIDO credentials were successfully deleted from Microsoft Entra.

Message #

The FIDO credentials were successfully deleted from Microsoft Entra. 
Number of credentials: %1 
UPN: %3 
Request ID: %4 
Time: %5 
Server response: %6

Fields #

Name	Description
`NumOfKeyIds` UInt32	—
`KeyId` UnicodeString	—
`UPN` UnicodeString	—
`RequestId` UnicodeString	—
`Time` UnicodeString	—
`ServerResponse` UnicodeString	—

Event ID 379 — FIDO credential deletion failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

FIDO credential deletion failed.

Message #

FIDO credential deletion failed. 
Exit code: %1 
Request ID: %2 
Time: %3 
HTTP status: %4 
Error code: %5 
Error subcode: %6 
Server error message: %7 
Server response: %8

Fields #

Name	Description
`ExitCode` Int32	—
`RequestId` UnicodeString	—
`Time` UnicodeString	—
`HttpStatus` UInt32	—
`ErrorCode` UnicodeString	—
`ErrorSubCode` UnicodeString	—
`ServerErrorMessage` UnicodeString	—
`ServerResponse` UnicodeString	—

Event ID 380 — The FIDO credential deletion request was successfully sent.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The FIDO credential deletion request was successfully sent.

Message #

The FIDO credential deletion request was successfully sent. 
UPN: %1 
Credential ID: %2 
Auth token: %3 
Request ID: %4

Fields #

Name	Description
`UPN` UnicodeString	—
`KeyId` UnicodeString	—
`AuthToken` UnicodeString	—
`RequestId` UnicodeString	—

Event ID 381 — The FIDO credential deletion initialization operation failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The FIDO credential deletion initialization operation failed.

Message #

The FIDO credential deletion initialization operation failed. 
Exit code: %1 
UPN: %2 
Credential ID: %3 
Auth token: %4 
Request ID: %5

Fields #

Name	Description
`ExitCode` Int32	—
`UPN` UnicodeString	—
`KeyId` UnicodeString	—
`AuthToken` UnicodeString	—
`RequestId` UnicodeString	—

Event ID 382 — Unable to parse the FIDO registration server response.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to parse the FIDO registration server response.

Message #

Unable to parse the FIDO registration server response. 
HTTP status: %1 
Server response body: %2 
Error: %3

Fields #

Name	Description
`HttpStatus` UInt32	—
`ResponseBody` UnicodeString	—
`ErrorCode` Int32	—

Event ID 383 — The PIN has been successfully recovered.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The PIN has been successfully recovered.

Message #

The PIN has been successfully recovered.

Fields #

Name	Description
`hWnd` Pointer	—

Event ID 384 — The PIN recover operation failed with exit code: ExitCode.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The PIN recover operation failed with exit code: ExitCode.

Message #

The PIN recover operation failed with exit code: %1.

Fields #

Name	Description
`ExitCode` Int32	—
`hWnd` Pointer	—

Event ID 385 — Unable to get attestation statement for Microsoft Passport key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to get attestation statement for Microsoft Passport key. Key name: KeyName, KeyStatus: KeyStatus (KeyStatusSymbolicName), Error: ErrorCode.

Message #

Unable to get attestation statement for Microsoft Passport key. Key name: %1,  KeyStatus: %2 (%3), Error: %4.

Fields #

Name	Description
`KeyName` UnicodeString	—
`KeyStatus` Int32	—
`KeyStatusSymbolicName` UnicodeString	—
`ErrorCode` Int32	—

Event ID 386 — Successfully got attestation statement for Microsoft Passport key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Successfully got attestation statement for Microsoft Passport key. Key name: KeyName, KeyStatus: KeyStatus (KeyStatusSymbolicName).

Message #

Successfully got attestation statement for Microsoft Passport key. Key name: %1, KeyStatus: %2 (%3).

Fields #

Name	Description
`KeyName` UnicodeString	—
`KeyStatus` Int32	—
`KeyStatusSymbolicName` UnicodeString	—

Event ID 387 — Unable to reset registry recovery flags.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to reset registry recovery flags. Error: ExitCode.

Message #

Unable to reset registry recovery flags. Error: %1

Fields #

Name	Description
`ExitCode` Int32	—

Event ID 388 — Recovery API APIName called.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Recovery API APIName called. Error: ExitCode.

Message #

Recovery API %1 called. Error: %2

Fields #

Name	Description
`APIName` UnicodeString	—
`ExitCode` Int32	—

Event ID 389 — Automatic Azure SecureVM Join Succeeded.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Automatic Microsoft Entra SecureVM Join Succeeded.

Message #

Automatic Microsoft Entra SecureVM Join Succeeded.

Event ID 390 — Resource account certificate does not match device ceritificate.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Resource account certificate does not match device ceritificate.

Message #

Resource account certificate does not match device ceritificate. 
Mismatch in: %1 
Resource account certificate's value: %2 
Device certificate's value: %3 
Request ID: %4 
Server time: %5

Fields #

Name	Description
`IdType` UnicodeString	—
`RACertificateId` UnicodeString	—
`DeviceCeritifcateId` UnicodeString	—
`ServerRequestId` UnicodeString	—
`ServerTime` UnicodeString	—

Event ID 391 — Unable to get the NGC user ID key container state.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to get the NGC user ID key container state.

Message #

Unable to get the NGC user ID key container state. 
SID: %1 
Key name: %2 
Error: %3

Fields #

Name	Description
`UserSid` UnicodeString	—
`UserKeyName` UnicodeString	—
`ErrorCode` Int32	—

Event ID 392 — The NGC user ID key container is in a bad state.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The NGC user ID key container is in a bad state.

Message #

The NGC user ID key container is in a bad state. 
SID: %1 
Key name: %2 
Container status: %3

Fields #

Name	Description
`UserSid` UnicodeString	—
`UserKeyName` UnicodeString	—
`ContainerStatus` UInt32	—

Event ID 393 — NGC logon certificate could not be renewed due to device ID flip.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

NGC logon certificate could not be renewed due to device ID flip.

Message #

NGC logon certificate could not be renewed due to device ID flip.

Event ID 394 — Unable to set registry value for device ID flip.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to set registry value for device ID flip.

Message #

Unable to set registry value for device ID flip. 
Exit code: %1

Fields #

Name	Description
`ExitCode` Int32	—

Event ID 395 — Unable to unset registry value for device ID flip.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to unset registry value for device ID flip.

Message #

Unable to unset registry value for device ID flip. 
Exit code: %1

Fields #

Name	Description
`ExitCode` Int32	—

Event ID 396 — Key policy in registry is set to unsupported value PolicyValue.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Key policy in registry is set to unsupported value PolicyValue. Default key policy will be used.

Message #

Key policy in registry is set to unsupported value %1. Default key policy will be used.

Fields #

Name	Description
`PolicyValue` Int32	—

Event ID 397 — MDM enrollment for Azure SecureVM succeeded.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

MDM enrollment for Microsoft Entra SecureVM succeeded.

Message #

MDM enrollment for Microsoft Entra SecureVM succeeded. 
MDM Enrollment URL: %1

Fields #

Name	Description
`URL` UnicodeString	—

Event ID 398 — MDM enrollment for Azure SecureVM failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

MDM enrollment for Microsoft Entra SecureVM failed. The device will be unjoined from Microsoft Entra.

Message #

MDM enrollment for Microsoft Entra SecureVM failed. The device will be unjoined from Microsoft Entra. 
MDM Enrollment URL: %1

Fields #

Name	Description
`URL` UnicodeString	—

Event ID 399 — Attempt to discover enrollment URL for MDM auto-enrollment failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Attempt to discover enrollment URL for MDM auto-enrollment failed. AAD logs may contains additional details about the failure. Another attempt to discover MDM enrollment URL will be made later.

Message #

Attempt to discover enrollment URL for MDM auto-enrollment failed. AAD logs may contains additional details about the failure. Another attempt to discover MDM enrollment URL will be made later. 
CorrelationId: %1 
Additional information: %2

Fields #

Name	Description
`CorrelationId` UnicodeString	—
`AdditionalDetails` UnicodeString	—

Event ID 400 — All attempts to discover enrollment URL for MDM auto-enrollment failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

All attempts to discover enrollment URL for MDM auto-enrollment failed.

Message #

All attempts to discover enrollment URL for MDM auto-enrollment failed.

Event ID 401 — No MDM enrollment URL was discoverered for MDM auto-enrollment.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Message #

No MDM enrollment URL was discoverered for MDM auto-enrollment. Verify MDM auto-enrollment configuration in the Microsoft Entra tenant is correct and the specified MDM application ID is successfully resolved by Microsoft Entra server. 
CorrelationId: %1 
MDM application ID: %2

Fields #

Name	Description
`CorrelationId` UnicodeString	—
`MDMAppID` UnicodeString	—

Event ID 402 — Attempt to discover enrollment URL for MDM auto-enrollment failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Attempt to discover enrollment URL for MDM auto-enrollment failed. AAD logs may contains additional details about the failure.

Message #

Attempt to discover enrollment URL for MDM auto-enrollment failed. AAD logs may contains additional details about the failure. 
Error: %1 
CorrelationId: %2 
Additional information: %3

Fields #

Name	Description
`ErrorCode` Int32	—
`CorrelationId` UnicodeString	—
`AdditionalDetails` UnicodeString	—

Event ID 403 — Attempt to get token for MDM auto-enrollment failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Attempt to get token for MDM auto-enrollment failed. AAD logs may contains additional details about the failure. Another attempt to get token for MDM auto-enrollment will be made later.

Message #

Attempt to get token for MDM auto-enrollment failed. AAD logs may contains additional details about the failure. Another attempt to get token for MDM auto-enrollment will be made later. 
CorrelationId: %1 
Additional information: %2

Fields #

Name	Description
`CorrelationId` UnicodeString	—
`AdditionalDetails` UnicodeString	—

Event ID 404 — All attempts to get WAM token for MDM auto-enrollment failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

All attempts to get WAM token for MDM auto-enrollment failed.

Message #

All attempts to get WAM token for MDM auto-enrollment failed.

Event ID 405 — Requsting token for MDM auto-enrollment failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Requsting token for MDM auto-enrollment failed. AAD logs may contains additional details about the failure.

Message #

Requsting token for MDM auto-enrollment failed. AAD logs may contains additional details about the failure. 
Error: %1 
CorrelationId: %2 
Additional information: %3

Fields #

Name	Description
`ErrorCode` Int32	—
`CorrelationId` UnicodeString	—
`AdditionalDetails` UnicodeString	—

Event ID 406 — Unenrolling from MDM failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unenrolling from MDM failed. MDM logs may contains additional details about the failure.

Message #

Unenrolling from MDM failed. MDM logs may contains additional details about the failure. 
Error: %1 
MDM enrollment ID: %2

Fields #

Name	Description
`ExitCode` Int32	—
`EnrollmentId` UnicodeString	—

Event ID 407 — Successfully unenrolled from MDM.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Successfully unenrolled from MDM.

Message #

Successfully unenrolled from MDM. 
MDM enrollment ID: %1

Fields #

Name	Description
`EnrollmentId` UnicodeString	—

Event ID 408 — Failed to import NGC proof-of-possession key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to import NGC proof-of-possession key. Falling back to software.

Message #

Failed to import NGC proof-of-possession key. Falling back to software.

Event ID 409 — Failed to get NGC transport key name.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to get NGC transport key name . Falling back to software.

Message #

Failed to get NGC transport key name . Falling back to software.

Event ID 410 — Failed to get NGC transport key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to get NGC transport key. Falling back to software.

Message #

Failed to get NGC transport key. Falling back to software.

Event ID 411 — The parameter is invalid.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The parameter is invalid. Function: FunctionName; Parameter: ParameterName.

Message #

The parameter is invalid. Function: %1; Parameter: %2.

Fields #

Name	Description
`FunctionName` UnicodeString	—
`ParameterName` UnicodeString	—
`ParameterValueLength` UInt32	—
`ParameterValue` Binary	—

Event ID 412 — Unsupported public key structure format encountered.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unsupported public key structure format encountered.

Message #

Unsupported public key structure format encountered. 
Functon: %1 
Magic value: %2

Fields #

Name	Description
`FunctionName` UnicodeString	—
`MagicValue` UInt32	—

Event ID 413 — Token binding AIK creation failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Token binding AIK creation failed.

Message #

Token binding AIK creation failed. 
Key type: %1 
IDP domain: %2 
Tenant-based ID: %3 
User SID: %4 
Error: %5

Fields #

Name	Description
`KeyType` Int32	— Known values `%%2499` Machine key `%%2500` User key
`IdpDomain` UnicodeString	—
`TenantDomain` UnicodeString	—
`UserSid` UnicodeString	—
`ErrorCode` Int32	—

Event ID 414 — Token binding AIK deletion failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Token binding AIK deletion failed.

Message #

Token binding AIK deletion failed. 
Key type: %1 
IDP domain: %2 
Tenant-based ID: %3 
User SID: %4 
Error: %5

Fields #

Name	Description
`KeyType` Int32	— Known values `%%2499` Machine key `%%2500` User key
`IdpDomain` UnicodeString	—
`TenantDomain` UnicodeString	—
`UserSid` UnicodeString	—
`ErrorCode` Int32	—

Event ID 415 — Token binding AIK was successfully created.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Token binding AIK was successfully created.

Message #

Token binding AIK was successfully created. 
Key type: %1 
IDP domain: %2 
Tenant-based ID: %3 
User SID: %4

Fields #

Name	Description
`KeyType` Int32	— Known values `%%2499` Machine key `%%2500` User key
`IdpDomain` UnicodeString	—
`TenantDomain` UnicodeString	—
`UserSid` UnicodeString	—

Event ID 416 — Token binding AIK was successfully deleted.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Token binding AIK was successfully deleted.

Message #

Token binding AIK was successfully deleted. 
Key type: %1 
IDP domain: %2 
Tenant-based ID: %3 
User SID: %4

Fields #

Name	Description
`KeyType` Int32	— Known values `%%2499` Machine key `%%2500` User key
`IdpDomain` UnicodeString	—
`TenantDomain` UnicodeString	—
`UserSid` UnicodeString	—

Event ID 417 — Failed to get token binding AIK name.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to get token binding AIK name.

Message #

Failed to get token binding AIK name. 
Key type: %1 
IDP domain: %2 
Tenant-based ID: %3 
User SID: %4 
Error: %5

Fields #

Name	Description
`KeyType` Int32	— Known values `%%2499` Machine key `%%2500` User key
`IdpDomain` UnicodeString	—
`TenantDomain` UnicodeString	—
`UserSid` UnicodeString	—
`ErrorCode` Int32	—

Event ID 418 — Hardware policy in registry is set to unsupported value PolicyValue.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Hardware policy in registry is set to unsupported value PolicyValue. Default hardware policy will be used.

Message #

Hardware policy in registry is set to unsupported value %1. Default hardware policy will be used.

Fields #

Name	Description
`PolicyValue` Int32	—

Event ID 419 — NGC transport key creation with key type KeyType failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

NGC transport key creation with key type KeyType failed. Falling back to a different key type.

Message #

NGC transport key creation with key type %5 failed. Falling back to a different key type. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
User ID: %4 
Flags: %6 
Error: %7

Fields #

Name	Description
`UserSid` UnicodeString	—
`IdpDomain` UnicodeString	—
`TenantDomain` UnicodeString	—
`UserId` UnicodeString	—
`KeyType` Int32	— Known values `%%2499` Machine key `%%2500` User key
`Flags` UInt32	—
`ErrorCode` Int32	—

Event ID 420 — Automatic registration failed at authentication phase.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Automatic registration failed at authentication phase. Unable to acquire Kerberos ticket.

Message #

Automatic registration failed at authentication phase. Unable to acquire Kerberos ticket. 
Exit code: %1 
Kerberos endpoint: %2 
SPN: %3

Fields #

Name	Description
`ExitCode` Int32	—
`Endpoint` UnicodeString	—
`SPN` UnicodeString	—

Event ID 421 —

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Fields #

Name	Description
`ErrorCode` Int32	—

Event ID 421 —

Provider: Microsoft-Windows-User Device Registration
Channel: Operational

Fields #

Name	Description
`ErrorCode` Int32	—

Event ID 500 — Message.

Provider: Microsoft-Windows-User Device Registration
Channel: Debug

Message #

%1

Fields #

Name	Description
`Message` UnicodeString	—

Event ID 501 — Message.

Provider: Microsoft-Windows-User Device Registration
Channel: Debug

Message #

%1

Fields #

Name	Description
`Message` UnicodeString	—

Event ID 502 — Message.

Provider: Microsoft-Windows-User Device Registration
Channel: Debug

Message #

%1

Fields #

Name	Description
`Message` UnicodeString	—

Event ID 503 — Message.

Provider: Microsoft-Windows-User Device Registration
Channel: Debug

Message #

%1

Fields #

Name	Description
`Message` UnicodeString	—

Event ID 504 — Message.

Provider: Microsoft-Windows-User Device Registration
Channel: Debug

Message #

%1

Fields #

Name	Description
`Message` UnicodeString	—

Event ID 4096 — The automatic device registration task will be triggered.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

The automatic device registration task will be triggered.

Message #

The automatic device registration task will be triggered.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 4096,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T17:10:41.738174+00:00",
    "event_record_id": 34,
    "correlation": {},
    "execution": {
      "process_id": 1792,
      "thread_id": 2032
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "WIN-FPV0DSIC9O6.lab.local",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline