Microsoft-Windows-AAD
204 events across 2 channels

Event ID 1001: AadCloudAPPlugin Initialize Start
Description
AadCloudAPPlugin Initialize Start.

Event ID 1002: AadCloudAPPlugin Initialize Stop.
Description
AadCloudAPPlugin Initialize Stop.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1003: AadCloudAPPlugin Uninitialize Start
Description
AadCloudAPPlugin Uninitialize Start.

Event ID 1004: AadCloudAPPlugin ValidateUserInfo Start
Description
AadCloudAPPlugin ValidateUserInfo Start.

Event ID 1005: AadCloudAPPlugin ValidateUserInfo Stop.
Description
AadCloudAPPlugin ValidateUserInfo Stop.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1007: AadCloudAPPlugin GetToken Stop.
Description
AadCloudAPPlugin GetToken Stop.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1009: AadCloudAPPlugin GetKeys Stop.
Description
AadCloudAPPlugin GetKeys Stop.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1010: AadCloudAPPlugin GetUnlockKey Start
Description
AadCloudAPPlugin GetUnlockKey Start.

Event ID 1011: AadCloudAPPlugin GetUnlockKey Stop.
Description
AadCloudAPPlugin GetUnlockKey Stop.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1012: AadCloudAPPlugin PersistSSOTokens Start
Description
AadCloudAPPlugin PersistSSOTokens Start.

Event ID 1013: AadCloudAPPlugin PersistSSOTokens Stop.
Description
AadCloudAPPlugin PersistSSOTokens Stop.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1015: AadCloudAPPlugin Realm discovery response: AadCloudAPPlugin_Realm_discovery_response.
Description
AadCloudAPPlugin Realm discovery response: AadCloudAPPlugin_Realm_discovery_response.
Fields
| Name | Description |
|---|---|
| Response UnicodeString | |
| Status Int32 | NTSTATUS reference |

Event ID 1016: AadCloudAPPlugin device is cloud domain joined
Description
AadCloudAPPlugin device is cloud domain joined.

Event ID 1017: AadCloudAPPlugin device is domain joined
Description
AadCloudAPPlugin device is domain joined.

Event ID 1018: AadCloudAPPlugin GetToken Correlation ID: AadCloudAPPlugin_GetToken_Correlation_ID.

Event ID 1019: AadCloudAPPlugin GetKeys Correlation ID: AadCloudAPPlugin_GetKeys_Correlation_ID.

Event ID 1020: AadCloudAPPlugin loaded as surrogate
Description
AadCloudAPPlugin loaded as surrogate.

Event ID 1021: AadCloudAPPlugin MEX request status: AadCloudAPPlugin_MEX_request_status.
Description
AadCloudAPPlugin MEX request status: AadCloudAPPlugin_MEX_request_status.
Fields
| Name | Description |
|---|---|
| Status Int32 | NTSTATUS reference |

Event ID 1022: Endpoint Uri: Endpoint_Uri.

Event ID 1023: NGC UserID Key: NGC_UserID_Key.

Event ID 1024: Http request status: Http_request_status.

Event ID 1025: Http request status: Http_request_status.

Event ID 1026: Credential type: Credential_type Correlation ID: Correlation_ID.

Event ID 1027: AadCloudAPPlugin managed logon flow for federated NGC user.
Description
AadCloudAPPlugin managed logon flow for federated NGC user.

Event ID 1028: AadCloudAPPlugin RefreshToken Start
Description
AadCloudAPPlugin RefreshToken Start.

Event ID 1029: AadCloudAPPlugin RefreshToken Stop.
Description
AadCloudAPPlugin RefreshToken Stop.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1030: AadCloudAPPlugin RefreshToken Correlation ID: AadCloudAPPlugin_RefreshToken_Correlation_ID.

Event ID 1031: AadCloudAPPlugin encrypted OAuth response received
Description
AadCloudAPPlugin encrypted OAuth response received.

Event ID 1032: Number of groups received: value.

Event ID 1033: Validation needed: Validation_needed.

Event ID 1034: AadCloudAPPlugin GenericCallPkg Start
Description
AadCloudAPPlugin GenericCallPkg Start.

Event ID 1035: AadCloudAPPlugin GenericCallPkg Stop.
Description
AadCloudAPPlugin GenericCallPkg Stop.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1081: OAuth response error: OAuth_response_error.

Event ID 1082: Key error: Key_error.

Event ID 1083: Protected key error: Protected_key_error.

Event ID 1084: Http transport error.

Event ID 1085: Logon failure.
Description
Logon failure. Status: Logon_failure_Status Correlation ID: Correlation_ID.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |
| CorrelationID UnicodeString | |

Event ID 1086: Get user realm failure.
Description
Get user realm failure. Status: Get_user_realm_failure_Status Correlation ID: Correlation_ID.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |
| CorrelationID UnicodeString | |

Event ID 1087: Get credential keys failure.
Description
Get credential keys failure. Status: Get_credential_keys_failure_Status Correlation ID: Correlation_ID.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |
| CorrelationID UnicodeString | |

Event ID 1088: WSTrust response error: WSTrust_response_error.

Event ID 1089: Device is not cloud domain joined: Status.
Description
Device is not cloud domain joined: Status.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1090: NGC nonce response error: NGC_nonce_response_error.

Event ID 1091: NGC auth ticket is not defined.

Event ID 1092: OAuth request retry.

Event ID 1093: NGC call API returned error: Result.

Event ID 1094: Refresh token failure.
Description
Refresh token failure. Status: Refresh_token_failure_Status Correlation ID: Correlation_ID.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |
| CorrelationID UnicodeString | |

Event ID 1095: Refresh token user SIDs don't match.

Event ID 1096: Refresh token is expired.

Event ID 1097: Error: Error ErrorMessage AdditionalInformation.
Description
Error: Error ErrorMessage AdditionalInformation
Fields
| Name | Description |
|---|---|
| Error UInt32 | |
| ErrorMessage UnicodeString | |
| AdditionalInformation UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AAD",
"guid": "{4DE9BC9C-B27A-43C9-8994-0915F1A5E24F}",
"event_source_name": "",
"event_id": 1097,
"version": 0,
"level": 3,
"task": 103,
"opcode": 0,
"keywords": 4611686018427387952,
"time_created": "2026-05-28T11:13:20.8708234+00:00",
"event_record_id": 15,
"correlation": {
"ActivityID": "{AFDF3271-EE92-0000-B545-DFAF92EEDC01}"
},
"execution": {
"process_id": 7736,
"thread_id": 7784
},
"channel": "Microsoft-Windows-AAD/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Error": "2325807322",
"ErrorMessage": "Upgrade default pawn task complete.",
"AdditionalInformation": "Logged at UpdateDefaultPawn.cpp, line: 43, method: UpdateDefaultPawn::Apply."
},
"message": "Error: 0x8AA100DA Upgrade default pawn task complete.\r\nLogged at UpdateDefaultPawn.cpp, line: 43, method: UpdateDefaultPawn::Apply."
}

Event ID 1098: Error: Error ErrorMessage AdditionalInformation.
Description
Error: Error ErrorMessage AdditionalInformation
Fields
| Name | Description |
|---|---|
| Error UInt32 | |
| ErrorMessage UnicodeString | |
| AdditionalInformation UnicodeString | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AAD",
"guid": "4DE9BC9C-B27A-43C9-8994-0915F1A5E24F",
"event_source_name": "",
"event_id": 1098,
"version": 0,
"level": 2,
"task": 103,
"opcode": 0,
"keywords": 4611686018427387922,
"time_created": "2026-03-14T21:11:21.909514+00:00",
"event_record_id": 25,
"correlation": {},
"execution": {
"process_id": 10584,
"thread_id": 10312
},
"channel": "Microsoft-Windows-AAD/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"Error": 3399811278,
"ErrorMessage": "User requested add account.",
"AdditionalInformation": "UI flow is completed with error\r\nLogged at WebUITokenRequest.cpp, line: 180, method: WebUITokenRequest::FinalizeUIFlow.\r\n\r\nRequest: authority: https://login.microsoftonline.com/organizations, client: d3590ed6-52b3-4102-aeff-aad2292ab01c, redirect URI: ms-appx-web://Microsoft.AAD.BrokerPlugin/d3590ed6-52b3-4102-aeff-aad2292ab01c, resource: , correlation ID (request): a315d45d-ad27-4338-a603-c6283cfa75d2"
},
"message": ""
}

Event ID 1099: Code: Code OperationCode OperationMessage.

Event ID 1100: Error: Error ErrorMessage AdditionalInformation.

Event ID 1101: Error: Error ErrorMessage AdditionalInformation.

Event ID 1102: Code: Code OperationCode OperationMessage.

Event ID 1103: Can't decrypt OAuth response.

Event ID 1104: AAD Cloud AP plugin call API returned error: Result.
Description
AAD Cloud AP plugin call API returned error: Result.
Fields
| Name | Description |
|---|---|
| API UnicodeString | |
| Result UInt32 | 1 returned error. |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AAD",
"guid": "{4DE9BC9C-B27A-43C9-8994-0915F1A5E24F}",
"event_source_name": "",
"event_id": 1104,
"version": 0,
"level": 2,
"task": 101,
"opcode": 0,
"keywords": 4611686018427387922,
"time_created": "2026-05-29T16:32:50.6948431+00:00",
"event_record_id": 25,
"correlation": {
"ActivityID": "{C6821FB2-EF88-0001-1820-82C688EFDC01}"
},
"execution": {
"process_id": 812,
"thread_id": 816
},
"channel": "Microsoft-Windows-AAD/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"API": "Plugin initialize",
"Result": "3221521494"
},
"message": "AAD Cloud AP plugin call Plugin initialize returned error: 0xC0048456"
}

Event ID 1105: Device registration API call API returned error: Result.

Event ID 1106: Number of security groups received value.

Event ID 1107: Error: Error ErrorMessage AdditionalInformation.

Event ID 1108: Error: Error ErrorMessage AdditionalInformation.

Event ID 1109: Error: Error ErrorMessage AdditionalInformation.

Event ID 1110: Error: Error ErrorMessage AdditionalInformation.

Event ID 1111: Error: Error ErrorMessage AdditionalInformation.

Event ID 1112: Error: Error ErrorMessage AdditionalInformation.

Event ID 1113: Code: Code OperationCode OperationMessage.

Event ID 1114: Error: Error ErrorMessage AdditionalInformation.

Event ID 1115: Error: Error ErrorMessage AdditionalInformation.

Event ID 1116: Get Enterprise STS OAuth Info failure.
Description
Get Enterprise STS OAuth Info failure. Status: Status Correlation ID: CorrelationID.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |
| CorrelationID UnicodeString | |

Event ID 1117: Enterprise STS Refresh token failure.
Description
Enterprise STS Refresh token failure. Status: Status Correlation ID: CorrelationID.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |
| CorrelationID UnicodeString | |

Event ID 1118: Enterprise STS Logon failure.
Description
Enterprise STS Logon failure. Status: Enterprise_STS_Logon_failure_Status Correlation ID: Correlation_ID.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |
| CorrelationID UnicodeString | |

Event ID 1119: Enterprise STS OAuth Info response: Enterprise_STS_OAuth_Info_response.
Description
Enterprise STS OAuth Info response: Enterprise_STS_OAuth_Info_response.
Fields
| Name | Description |
|---|---|
| Response UnicodeString | |
| Status Int32 | NTSTATUS reference |

Event ID 1120: Enterprise STS Refresh token is expired.

Event ID 1121: Enterprise STS RefreshToken Correlation ID: value.

Event ID 1122: Refresh token subject don't match.

Event ID 1123: AadCloudAPPlugin smart card logon for non-federated user.
Description
AadCloudAPPlugin smart card logon for non-federated user.

Event ID 1124: Device is DRS joined but Enterprise STS is disabled: Status.
Description
Device is DRS joined but Enterprise STS is disabled: Status.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1125: AadCloudAPPlugin loaded as surrogate, no key recovery
Description
AadCloudAPPlugin loaded as surrogate, no key recovery.

Event ID 1126: AadCloudAPPlugin device is Enterprise joined
Description
AadCloudAPPlugin device is Enterprise joined.

Event ID 1127: AadCloudAPPlugin device P2P certificate update thread started

Event ID 1128: AadCloudAPPlugin device P2P certificate update thread stopped
Description
AadCloudAPPlugin device P2P certificate update thread stopped.

Event ID 1129: AadCloudAPPlugin Uninitialize Stop
Description
AadCloudAPPlugin Uninitialize Stop.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1130: AadCloudAPPlugin DeviceP2PCertificateUpdate Correlation ID: AadCloudAPPlugin_DeviceP2PCertificateUpdate_Correlation_ID.

Event ID 1131: Update P2P device certificate failure.
Description
Update P2P device certificate failure. Status: Status Correlation ID: CorrelationID.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |
| CorrelationID UnicodeString | |

Event ID 1132: AadCloudAPPlugin GetCertificateFromCred Correlation ID: AadCloudAPPlugin_GetCertificateFromCred_Correlation_ID.

Event ID 1133: Update P2P user certificate failure.
Description
Update P2P user certificate failure. Status: Status Correlation ID: CorrelationID.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |
| CorrelationID UnicodeString | |

Event ID 1134: AAD Cloud AP plugin call API returned error: Result.

Event ID 1135: AadCloudAPPlugin RenewCertificate Correlation ID: AadCloudAPPlugin_RenewCertificate_Correlation_ID.

Event ID 1136: AadCloudAPPlugin AcceptPeerCertificate Start
Description
AadCloudAPPlugin AcceptPeerCertificate Start.

Event ID 1137: AadCloudAPPlugin AcceptPeerCertificate Stop.
Description
AadCloudAPPlugin AcceptPeerCertificate Stop.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1138: AadCloudAPPlugin RenewCertificate Start
Description
AadCloudAPPlugin RenewCertificate Start.

Event ID 1139: AadCloudAPPlugin RenewCertificate Stop.
Description
AadCloudAPPlugin RenewCertificate Stop.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1140: AadCloudAPPlugin GetCertificateFromCred Start
Description
AadCloudAPPlugin GetCertificateFromCred Start.

Event ID 1141: AadCloudAPPlugin GetCertificateFromCred Stop.
Description
AadCloudAPPlugin GetCertificateFromCred Stop.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1142: Get token user names don't match.

Event ID 1143: Generic Call Package call type: Generic_Call_Packate_call_type.

Event ID 1144: Realm discovery for: Method authority: EndpointUri fallback domain hint: CorrelationID useUpn: value.

Event ID 1145: AAD Cloud AP plugin token needs refresh reason: value.

Event ID 1146: Token is not refreshed.

Event ID 1147: AadCloudAPPlugin AssembleOpaqueData Start
Description
AadCloudAPPlugin AssembleOpaqueData Start.

Event ID 1148: AadCloudAPPlugin AssembleOpaqueData Stop.
Description
AadCloudAPPlugin AssembleOpaqueData Stop.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1149: AadCloudAPPlugin DisassembleOpaqueData Start

Event ID 1150: AadCloudAPPlugin DisassembleOpaqueData Stop.
Description
AadCloudAPPlugin DisassembleOpaqueData Stop.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1151: AadCloudAPPlugin P2P device certificate update error: Status.
Description
AadCloudAPPlugin P2P device certificate update error: Status.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1152: AadCloudAPPlugin device certificate key error: Result.

Event ID 1153: AadCloudAPPlugin device certificate not available for logon: value.

Event ID 1154: Password expiration claims.

Event ID 1155: Logon with session key failure.
Description
Logon with session key failure. Retrying with device auth. Status: Status Correlation ID: CorrelationID.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |
| CorrelationID UnicodeString | |

Event ID 1156: Password expiration fields.
Description
Password expiration fields. Status: Password_expiration_fields_Status Date: Date URI: URI.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |
| ExpiryTime FILETIME | |
| PasswordChangeURI UnicodeString | |

Event ID 1157: AadCloudAPPlugin PostLogonProcessing Start
Description
AadCloudAPPlugin PostLogonProcessing Start.

Event ID 1158: AadCloudAPPlugin PostLogonProcessing Stop.
Description
AadCloudAPPlugin PostLogonProcessing Stop.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1159: AadCloudAPPlugin S4U logon failed.
Description
AadCloudAPPlugin S4U logon failed. Status: AadCloudAPPlugin_S2U_logon_failed_Status.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1160: Logon failure.
Description
Logon failure. Status: Logon_failure_Status Correlation ID: Correlation_ID.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |
| CorrelationID UnicodeString | |

Event ID 1161: Logon failure.
Description
Logon failure. Status: Logon_failure_Status Correlation ID: Correlation_ID.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |
| CorrelationID UnicodeString | |

Event ID 1162: Logon failure.
Description
Logon failure. Status: Logon_failure_Status Correlation ID: Correlation_ID.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |
| CorrelationID UnicodeString | |

Event ID 1163: Logon failure.
Description
Logon failure. Status: Logon_failure_Status Correlation ID: Correlation_ID.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |
| CorrelationID UnicodeString | |

Event ID 1164: Logon failure.
Description
Logon failure. Status: Logon_failure_Status Correlation ID: Correlation_ID.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |
| CorrelationID UnicodeString | |

Event ID 1165: Logon failure.
Description
Logon failure. Status: Logon_failure_Status Correlation ID: Correlation_ID.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |
| CorrelationID UnicodeString | |

Event ID 1201: BrowserCore operation completed successfully

Event ID 1202: BrowserCore operation completed with a failure.

Event ID 1203: BrowserCore inner operation FunctionName completed with error: Result.

Event ID 1204: AadCloudAPPlugin LookupSIDFromIdentityName Start
Description
AadCloudAPPlugin LookupSIDFromIdentityName Start.

Event ID 1205: AadCloudAPPlugin LookupSIDFromIdentityName Stop.
Description
AadCloudAPPlugin LookupSIDFromIdentityName Stop.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1206: AadCloudAPPlugin LookupIdentityFromSIDName Start
Description
AadCloudAPPlugin LookupIdentityFromSIDName Start.

Event ID 1207: AadCloudAPPlugin LookupIdentityFromSIDName Stop.
Description
AadCloudAPPlugin LookupIdentityFromSIDName Stop.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1208: AadCloudAPPlugin LookupSIDFromIdentity Identity: AadCloudAPPlugin_LookupSIDFromIdentity_Identity Correlation ID: Correlation_ID.

Event ID 1209: AadCloudAPPlugin LookupIdentityFromSID SID: AadCloudAPPlugin_LookupIdentityFromSID_SID Correlation ID: Correlation_ID.

Event ID 1210: AadCloudAPPlugin password expired, password change URI: value.

Event ID 1211: Writing RunRecovery registry value failed.
Description
Writing RunRecovery registry value failed.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1212: Enterprise logon.
Description
Enterprise logon. Password is expired.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |
| CorrelationID UnicodeString | |

Event ID 1213: WamExtension process token operation started
Description
WamExtension process token operation started.

Event ID 1214: WamExtension process token operation completed successfully
Description
WamExtension process token operation completed successfully.

Event ID 1215: WamExtension process token operation completed with error: Data.
Description
WamExtension process token operation completed with error: Data.
Fields
| Name | Description |
|---|---|
| Result | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-AAD",
"guid": "4DE9BC9C-B27A-43C9-8994-0915F1A5E24F",
"event_source_name": "",
"event_id": 1215,
"version": 0,
"level": 2,
"task": 107,
"opcode": 2,
"keywords": 4611686018427387922,
"time_created": "2022-04-07T16:44:49.386586+00:00",
"event_record_id": 2,
"correlation": {},
"execution": {
"process_id": 2080,
"thread_id": 2748
},
"channel": "Microsoft-Windows-AAD/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Data": {
"Name": "Result",
"Value": "\u0004�\u0004�"
}
},
"message": ""
}
References
- Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 1216: WamExtension device authentication call status: Result Correlation ID: Target.

Event ID 1217: Get device token.

Event ID 1218: StartFidoAuthenticationSession start
Description
StartFidoAuthenticationSession start.

Event ID 1219: StartFidoAuthenticationSession stop.
Description
StartFidoAuthenticationSession stop.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1220: CloseFidoAuthenticationSession start
Description
CloseFidoAuthenticationSession start.

Event ID 1221: CloseFidoAuthenticationSession stop.
Description
CloseFidoAuthenticationSession stop.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1223: GetClientData stop.

Event ID 1225: SignClientDataFido stop.
Description
SignClientDataFido stop.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1227: ChangePin stop.

Event ID 1229: GetSerializedAuthBuffer stop.
Description
GetSerializedAuthBuffer stop.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1230: AuthHelper call API returned error: Result.

Event ID 1231: AadCloudAPPlugin Resource infomation: AadCloudAPPlugin_Resource_infomation.
Description
AadCloudAPPlugin Resource infomation: AadCloudAPPlugin_Resource_infomation.
Fields
| Name | Description |
|---|---|
| Response UnicodeString | |
| Status Int32 | NTSTATUS reference |

Event ID 1232: AadCloudAPPlugin RBAC authorization code response: Response.
Description
AadCloudAPPlugin RBAC authorization code response: Response.
Fields
| Name | Description |
|---|---|
| Response UnicodeString | |
| Status Int32 | NTSTATUS reference |

Event ID 1233: AadCloudAPPlugin User access control role: value.

Event ID 1234: AadCloudAPPlugin using resource id from the Idtoken: value.

Event ID 1235: RBAC Status: RBAC_Status Correlation ID: Correlation_ID.
Description
RBAC Status: RBAC_Status Correlation ID: Correlation_ID.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |
| CorrelationID UnicodeString | |

Event ID 1236: Failed to create the resource id
Description
Failed to create the resource id.

Event ID 1237: Device is configured for RBAC authorization
Description
Device is configured for RBAC authorization.

Event ID 1238: Not sending the client certificate as it is optional on the server
Description
Not sending the client certificate as it is optional on the server.

Event ID 1239: Doing RBAC logon of the device type: value.

Event ID 1240: Skipping Rbac Logon because AadCloudAPPlugin is loaded as surrogate
Description
Skipping Rbac Logon because AadCloudAPPlugin is loaded as surrogate.

Event ID 1241: On-prem tgt error: Onprem_tgt_error.

Event ID 1242: Added user to admins security group
Description
Added user to admins security group.

Event ID 1243: Removed user from admins security group
Description
Removed user from admins security group.

Event ID 1244: Security groups were not loaded.
Description
Security groups were not loaded. Error: Status.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1245: Security groups were not updated.
Description
Security groups were not updated. Error: Status.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1246: User sid: User_sid Group sids: Group_sids.

Event ID 1247: RunRecovery registry value (Context) successfully written.

Event ID 1248: AuthHelper auth buff local nonce
Description
AuthHelper auth buff local nonce.

Event ID 1249: Cloud tgt error: Cloud_tgt_error.

Event ID 1250: DoGetToken Diagnostic Event.
Description
DoGetToken Diagnostic Event.
Fields
| Name | Description |
|---|---|
| Result UInt32 | [DoGetToken Diagnostic Event] Result. |
| UserIdentity UnicodeString | |
| CredentialType Int32 | Known values |
| CorrelationID UnicodeString | |
| EndpointUri UnicodeString | |
| Method UnicodeString | |
| HTTPTransportError Int32 | |
| HTTPStatus Int32 | |
| ErrorCode UnicodeString | [DoGetToken Diagnostic Event] ErrorCode. |
| ErrorDescription UnicodeString | |

Event ID 1251: DoGetEnterpriseToken Diagnostic Event.
Description
DoGetEnterpriseToken Diagnostic Event.
Fields
| Name | Description |
|---|---|
| Result UInt32 | [DoGetEnterpriseToken Diagnostic Event] Result. |
| UserIdentity UnicodeString | |
| CredentialType Int32 | Known values |
| CorrelationID UnicodeString | |
| EndpointUri UnicodeString | |
| Method UnicodeString | |
| HTTPTransportError Int32 | |
| HTTPStatus Int32 | |
| ErrorCode UnicodeString | [DoGetEnterpriseToken Diagnostic Event] ErrorCode. |
| ErrorDescription UnicodeString | |

Event ID 1252: DoRefreshToken Diagnostic Event.
Description
DoRefreshToken Diagnostic Event.
Fields
| Name | Description |
|---|---|
| Result UInt32 | [DoRefreshToken Diagnostic Event] Result. |
| UserIdentity UnicodeString | |
| CredentialType Int32 | Known values |
| NewToken Boolean | |
| CorrelationID UnicodeString | |
| EndpointUri UnicodeString | |
| Method UnicodeString | |
| HTTPTransportError Int32 | |
| HTTPStatus Int32 | |
| ErrorCode UnicodeString | [DoRefreshToken Diagnostic Event] ErrorCode. |
| ErrorDescription UnicodeString | |

Event ID 1253: DoRefreshEnterpriseToken Diagnostic Event.
Description
DoRefreshEnterpriseToken Diagnostic Event.
Fields
| Name | Description |
|---|---|
| Result UInt32 | [DoRefreshEnterpriseToken Diagnostic Event] Result. |
| UserIdentity UnicodeString | |
| CredentialType Int32 | Known values |
| NewToken Boolean | |
| CorrelationID UnicodeString | |
| EndpointUri UnicodeString | |
| Method UnicodeString | |
| HTTPTransportError Int32 | |
| HTTPStatus Int32 | |
| ErrorCode UnicodeString | [DoRefreshEnterpriseToken Diagnostic Event] ErrorCode. |
| ErrorDescription UnicodeString | |

Event ID 1254: Response content type: Response_content_type.

Event ID 1255: AD TGT: AD_TGT Cloud TGT: Cloud_TGT.

Event ID 1256: P2P certificate update error.

Event ID 1257: Credbuffer correlation ID: Credbuffer_correlation_ID Correlation ID: Correlation_ID.

Event ID 1258: CA cert hash (keyID): CA_cert_hash_keyID Correlation ID: Correlation_ID.

Event ID 1259: CA certificate update error.

Event ID 1261: RetryGetClientData stop.
Description
RetryGetClientData stop.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1262: Binding key tag check failed: Binding_key_tag_check_failed.
Description
Binding key tag check failed: Binding_key_tag_check_failed.
Fields
| Name | Description |
|---|---|
| Status HexInt32 | NTSTATUS reference |

Event ID 1263: BrowserCore inner operation FunctionName with account pairwiseID PairwiseID not found error.

Event ID 1264: Token binding key created.

Event ID 1265: WamExtension preprocess token operation started.
Description
WamExtension preprocess token operation started.

Event ID 1266: WamExtension preprocess token operation completed successfully
Description
WamExtension preprocess token operation completed successfully.

Event ID 1267: WamExtension preprocess token operation completed with error: Result.

Event ID 1268: WamExtension postprocess token operation started.

Event ID 1269: WamExtension postprocess token operation completed successfully.

Event ID 1270: WamExtension postprocess token operation completed with error: Result.

Event ID 1271: Token binding claim(s) included in the request.

Event ID 1272: Token binding key is not healthy and needs to be re-created.

Event ID 1273: Token binding claims need to be re-generated due to changes in attestation key(s).

Event ID 1274: Token binding claims generated.

Event ID 1275: Token binding claims generated for UI request.

Event ID 1276: Token binding claims count: ClaimsCount.

Event ID 1277: KeyGuard availability detection failed.

Event ID 1278: KeyGuard with attestation support is not detected.
Description
KeyGuard with attestation support is not detected.

Event ID 1279: Token binding claims of type KeyType could not be generated because AIK does not exist.

Event ID 1280: PRT session key needs to be rolled.

Event ID 1281: Token binding key deleted.

Event ID 1282: SHR property in request is not allowed.

Event ID 1283: Invalid registry value was ignored.

Event ID 1284: Token binding claims need to be re-generated as cached claims were generated for different attestation key(s).

Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 4de9bc9c-b27a-43c9-8994-0915f1a5e24f
Defined in aadcloudAP.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.2849, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02