Microsoft-Windows-HelloForBusiness
181 events across 2 channels
Event ID 3045: Windows Hello processing started.
#Event ID 3052: The key pre-generation pool received a request for a new key.
#Description
The key pre-generation pool received a request for a new key.
Message #
Event ID 3052: The key pre-generation pool received a request for a new key.
#Description
The key pre-generation pool received a request for a new key.
Message #
Event ID 3053: The key pre-generation pool needs to pre-generate a key.
#Description
The key pre-generation pool needs to pre-generate a key.
Message #
Event ID 3053: The key pre-generation pool needs to pre-generate a key.
#Description
The key pre-generation pool needs to pre-generate a key.
Message #
Event ID 3054: Windows Hello for Business prerequisites check started.
#Description
Windows Hello for Business prerequisites check started.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-HelloForBusiness",
"event_id": 3054,
"level": "Information",
"task": "Prerequisites Check",
"opcode": "Start",
"time_created": "2026-04-23T15:41:39.4152735+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-HelloForBusiness/Operational"
},
"event_data": {}
}
Event ID 3054: Windows Hello for Business prerequisites check started.
#Description
Windows Hello for Business prerequisites check started.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-HelloForBusiness",
"guid": "{906B8A99-63CE-58D7-86AB-10989BBD5567}",
"event_source_name": "",
"event_id": 3054,
"version": 0,
"level": 4,
"task": 12,
"opcode": 10,
"keywords": -9223372036854775807,
"time_created": "2026-05-29T16:34:07.4598880+00:00",
"event_record_id": 67,
"correlation": {},
"execution": {
"process_id": 6328,
"thread_id": 6432
},
"channel": "Microsoft-Windows-HelloForBusiness/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {},
"message": "Windows Hello for Business prerequisites check started."
}
Event ID 3055: Windows Hello container provisioning started.
#Description
Windows Hello container provisioning started.
Message #
Event ID 3060: Windows Hello is creating a PIN recovery key for user UserSid.
#Event ID 3060: Windows Hello is creating a PIN recovery key for user .
#Event ID 3065: The cloud experience host started.
#Event ID 3066: Windows Hello sign-in certificate enrollment started.
#Description
Windows Hello sign-in certificate enrollment started.
Message #
Event ID 3130: Windows Hello PIN Recovery is attempting to change user's PIN.
#Event ID 3130: Windows Hello PIN Recovery is attempting to change user's PIN.
#Event ID 3225: Windows Hello key creation started.
#Description
Windows Hello key creation started.
Message #
Event ID 3510: Windows Hello key registration started.
#Description
Windows Hello key registration started.
Message #
Event ID 3520: Attempting multi-factor unlock using provider Group_A.
#Event ID 3525: AD/Azure AD plugin request started.
#Description
AD/Azure AD plugin request started.
Message #
Event ID 3555: Windows Hello container creation started.
#Description
Windows Hello container creation started.
Message #
Event ID 3601: Windows Hello container deletion started in response to a policy change.
#Description
Windows Hello container deletion started in response to a policy change.
Message #
Event ID 3611: Windows Hello container deletion started from CallingAppName.
#Event ID 5000: TPM Manufacturer: TPM_Manufacturer.
#Event ID 5001: A user signed into the device with the following information.
#Event ID 5002: A user is signing into the device with the following gesture information.
#Event ID 5003: Windows Hello for Business Policy Enforcement Information for the user UserSid.
#Description
Windows Hello for Business Policy Enforcement Information for the user UserSid.
Message #
Fields #
| Name | Description |
|---|---|
UserSid SID | |
NgcEnabledPolicyState UInt32 | |
EnabledPolicySource UInt32 | |
DeploymentType UInt32 | |
CredentialType UInt32 | Known values
|
PinMinLength UInt32 | |
PinMaxLength UInt32 | |
PinUppercase UInt32 | |
PinLowercase UInt32 | |
PinDigits UInt32 | |
PinSpecial UInt32 | |
PinAllowSequences Boolean | |
PinHistory Boolean | |
PinExpiration Boolean | |
PinRecoveryPolicyState UInt32 | |
TPMRequired Boolean | |
HardwarePolicy UInt32 | |
MultifactorUnlock Boolean |
Event ID 5004: Windows Hello for Business Enabled Policy successfully enforced for the user UserSid.
#Event ID 5005: Enforcing the following Windows Hello for Business Enable Policies for the user UserSid.
#Event ID 5005
#Description
Enforcing the following Windows Hello for Business Enable Policies for the user.
Fields #
| Name | Description |
|---|---|
UserSid SID | |
NgcEnabledPolicyState UInt32 | |
EnabledPolicySource UInt32 | |
DeploymentType UInt32 |
Event ID 5050: The key pre-generation pool received a request.
#Event ID 5050: The key pre-generation pool received a request.
#Event ID 5055: Windows Hello is validating that the device can satisfy all applicable policies.
#Event ID 5060: Windows Hello is checking the PIN recovery policy.
#Event ID 5060: Windows Hello is checking the PIN recovery policy.
#Event ID 5061: Windows Hello is downloading the public encryption key from the PIN recovery service.
#Description
Windows Hello is downloading the public encryption key from the PIN recovery service.
Message #
Event ID 5061: Windows Hello is downloading the public encryption key from the PIN recovery service.
#Description
Windows Hello is downloading the public encryption key from the PIN recovery service.
Message #
Event ID 5062: Windows Hello found a PIN recovery key for user UserSid.
#Event ID 5062: Windows Hello found a PIN recovery key for user .
#Event ID 5063: Windows Hello is updating the PIN recovery key for user UserSid.
#Event ID 5063: Windows Hello is updating the PIN recovery key for user .
#Event ID 5064: Windows Hello is uploading the encrypted PIN recovery key to the PIN recovery service.
#Description
Windows Hello is uploading the encrypted PIN recovery key to the PIN recovery service.
Message #
Event ID 5064: Windows Hello is uploading the encrypted PIN recovery key to the PIN recovery service.
#Description
Windows Hello is uploading the encrypted PIN recovery key to the PIN recovery service.
Message #
Event ID 5204: Windows Hello for Business certificate enrollment configurations.
#Event ID 5204: Windows Hello for Business certificate enrollment configurations.
#Event ID 5205: Windows Hello for Business On-Premise authentication configurations.
#Description
Windows Hello for Business On-Premise authentication configurations.
Message #
Fields #
| Name | Description |
|---|---|
CertificateEnrollmentMethod UInt32 | |
CertificateRequired Boolean | |
UseCloudTrust Boolean | |
HasCloudTgt Boolean |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-HelloForBusiness",
"guid": "906B8A99-63CE-58D7-86AB-10989BBD5567",
"event_source_name": "",
"event_id": 5205,
"version": 0,
"level": 4,
"task": 12,
"opcode": 12,
"keywords": 9223372036854775809,
"time_created": "2026-03-09T00:59:27.820700+00:00",
"event_record_id": 19,
"correlation": {},
"execution": {
"process_id": 9652,
"thread_id": 9984
},
"channel": "Microsoft-Windows-HelloForBusiness/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"CertificateEnrollmentMethod": 0,
"CertificateRequired": false,
"UseCloudTrust": false,
"HasCloudTgt": false
},
"message": ""
}
Event ID 5225: Creating a KeyProvider Windows Hello key with result Result.
#Event ID 5520: Multi-factor unlock policy is not configured on this device.
#Description
Multi-factor unlock policy is not configured on this device.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-HelloForBusiness",
"guid": "{906B8A99-63CE-58D7-86AB-10989BBD5567}",
"event_source_name": "",
"event_id": 5520,
"version": 0,
"level": 4,
"task": 15,
"opcode": 12,
"keywords": -9223372036854775807,
"time_created": "2026-05-29T16:33:46.5624401+00:00",
"event_record_id": 66,
"correlation": {},
"execution": {
"process_id": 1112,
"thread_id": 6076
},
"channel": "Microsoft-Windows-HelloForBusiness/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": "Device unlock policy is not configured on this device."
}
Event ID 5555: Windows Hello is validating that the device can satisfy all applicable policies.
#Description
Windows Hello is validating that the device can satisfy all applicable policies.
Message #
Fields #
| Name | Description |
|---|---|
TpmSupport UInt32 | |
HardwarePolicy UInt32 | |
IsTpm12Excluded Boolean | |
TpmVersion UInt32 | |
IsTpmFIPS Boolean | |
IsTpmLockedOut Boolean | |
IsKeyPregenPoolSatisfactory Boolean | |
KeyProvider UInt32 | |
Result HexInt32 |
Event ID 5601: Windows Hello detected and ignored a policy change to delete the container at the user's next sign out because the user is configured to have no pa...
#Description
Windows Hello detected and ignored a policy change to delete the container at the user's next sign out because the user is configured to have no password on this device.
Message #
Event ID 5602: Windows Hello was unable to check if there was a policy change that would trigger container deletion.
#Description
Windows Hello was unable to check if there was a policy change that would trigger container deletion.
Message #
Event ID 5641: Windows Hello successfully updated a Key_Name KeyProvider key from the Windows Hello container.
#Event ID 5701: Windows Hello read following protector properties from disk: PIN protector = Hr, Bio protector = PinProtector, Secure Bio Protector = BioProtector, Recovery protector ...
#Description
Windows Hello read following protector properties from disk: PIN protector = Hr, Bio protector = PinProtector, Secure Bio Protector = BioProtector, Recovery protector = SecureBioProtector, Preboot protector = RecoveryProtector.
Message #
Fields #
| Name | Description |
|---|---|
Hr HexInt32 | |
PinProtector Boolean | |
BioProtector Boolean | |
SecureBioProtector Boolean | |
RecoveryProtector Boolean | |
PrebootProtector Boolean |
Event ID 5702: Windows Hello wrote following protector properties to disk: PIN protector = Hr, Bio protector = PinProtector, Secure Bio Protector = BioProtector, Recovery protector =...
#Description
Windows Hello wrote following protector properties to disk: PIN protector = Hr, Bio protector = PinProtector, Secure Bio Protector = BioProtector, Recovery protector = SecureBioProtector, Preboot protector = RecoveryProtector.
Message #
Fields #
| Name | Description |
|---|---|
Hr HexInt32 | |
PinProtector Boolean | |
BioProtector Boolean | |
SecureBioProtector Boolean | |
RecoveryProtector Boolean | |
PrebootProtector Boolean |
Event ID 6010: A key credential was unavailable for use by an application because it did not meet all the requirements for use.
#Event ID 6045: Windows Hello processing stopped with warning Processing_time.
#Event ID 6055: Windows Hello container provisioning stopped with warning Processing_time.
#Event ID 6065: The cloud experience host scenario stopped with warning Processing_time.
#Event ID 6066: Windows Hello sign-in certificate enrollment was unable to enroll for a logon certificate.
#Event ID 6209: Windows Hello for Business was unable to evaluate the presence of a certificate payload for the sign-in certificate.
#Description
Windows Hello for Business was unable to evaluate the presence of a certificate payload for the sign-in certificate.
Message #
Event ID 6209: Windows Hello for Business was unable to evaluate the presence of a certificate payload for the sign-in certificate.
#Description
Windows Hello for Business was unable to evaluate the presence of a certificate payload for the sign-in certificate.
Message #
Event ID 6210: Windows Hello for Business was unable to detect whether the user is running in a remote desktop session.
#Description
Windows Hello for Business was unable to detect whether the user is running in a remote desktop session.
Message #
Event ID 6210: Windows Hello for Business was unable to detect whether the user is running in a remote desktop session.
#Description
Windows Hello for Business was unable to detect whether the user is running in a remote desktop session.
Message #
Event ID 6441: Windows Hello for Business certificate trust and cloud trust policies are both enabled.
#Description
Windows Hello for Business certificate trust and cloud trust policies are both enabled.
Message #
Event ID 6520: Provider is not in the acceptable provider list.
#Description
Provider is not in the acceptable provider list.
Message #
Event ID 6525: AD/Azure AD plugin request stopped with warning Processing_time.
#Event ID 6611: Windows Hello could not delete the container as no container currently exists for the user.
#Description
Windows Hello could not delete the container as no container currently exists for the user.
Message #
Event ID 7001: A user failed to sign into the device with the following information.
#Description
A user failed to sign into the device with the following information.
Message #
Fields #
| Name | Description |
|---|---|
UserName UnicodeString | |
UserSid SID | |
CredentialType UInt32 | Known values
|
DeploymentType UInt32 | |
SoftwareLockoutCounter UInt32 | |
AuthenticationErrorStatus HexInt32 | |
AuthenticationErrorSubStatus HexInt32 |
Event ID 7002: Failed to load an existing Windows Hello container.
#Event ID 7025: The Error service failed to start.
#Event ID 7030: Windows Hello failed to create the sign-in certificate request.
#Event ID 7031: Windows Hello failed to install the sign-in certificate.
#Event ID 7032: Windows Hello failed to roll back from an unsuccessful sign-in certificate enrollment.
#Event ID 7045: Windows Hello processing failed with Processing_time.
#Event ID 7052: The new key request from the key pre-generation pool failed.
#Event ID 7052: The new key request from the key pre-generation pool failed.
#Event ID 7053: The key pre-generation pool failed to pre-generate a key.
#Event ID 7053: The key pre-generation pool failed to pre-generate a key.
#Event ID 7054: Windows Hello for Business prerequisites check failed.
#Description
Windows Hello for Business prerequisites check failed.
Message #
Fields #
| Name | Description |
|---|---|
Error HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-HelloForBusiness",
"event_id": 7054,
"level": "Error",
"task": "Prerequisites Check",
"opcode": "Stop",
"time_created": "2026-04-18T01:58:47.6807755+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-HelloForBusiness/Operational"
},
"event_data": {
"Error": "0x1"
}
}
Event ID 7054: Windows Hello for Business prerequisites check failed.
#Description
Windows Hello for Business prerequisites check failed.
Message #
Fields #
| Name | Description |
|---|---|
Error HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-HelloForBusiness",
"guid": "906B8A99-63CE-58D7-86AB-10989BBD5567",
"event_source_name": "",
"event_id": 7054,
"version": 0,
"level": 2,
"task": 12,
"opcode": 11,
"keywords": 9223372036854775809,
"time_created": "2022-04-07T16:48:31.714659+00:00",
"event_record_id": 6,
"correlation": {},
"execution": {
"process_id": 4128,
"thread_id": 4228
},
"channel": "Microsoft-Windows-HelloForBusiness/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {
"Error": "0x1"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7055: Windows Hello container provisioning failed with Processing_time.
#Event ID 7060: Windows Hello failed to create a PIN recovery key for user Error.
#Event ID 7065: The cloud experience host scenario failed with Processing_time.
#Event ID 7066: Windows Hello sign-in certificate enrollment failed.
#Event ID 7067: Windows Hello failed to set a certificate property on a Windows Hello key.
#Event ID 7130: Windows Hello PIN Recovery failed to change the user's PIN.
#Event ID 7200: The device registration prerequisite check failed.
#Description
The device registration prerequisite check failed.
Message #
Event ID 7200: The device registration prerequisite check failed.
#Description
The device registration prerequisite check failed.
Message #
Event ID 7201: The Primary Account Primary Refresh Token prerequisite check failed.
#Description
The Primary Account Primary Refresh Token prerequisite check failed.
Message #
Event ID 7201: The Primary Account Primary Refresh Token prerequisite check failed.
#Description
The Primary Account Primary Refresh Token prerequisite check failed.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-HelloForBusiness",
"guid": "906B8A99-63CE-58D7-86AB-10989BBD5567",
"event_source_name": "",
"event_id": 7201,
"version": 0,
"level": 2,
"task": 12,
"opcode": 12,
"keywords": 9223372036854775809,
"time_created": "2022-04-07T16:48:31.714659+00:00",
"event_record_id": 5,
"correlation": {},
"execution": {
"process_id": 4128,
"thread_id": 4228
},
"channel": "Microsoft-Windows-HelloForBusiness/Operational",
"computer": "WIN-FPV0DSIC9O6",
"security": {
"user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 7202: The device failed to meet the Windows Hello for Business hardware requirements.
#Description
The device failed to meet the Windows Hello for Business hardware requirements.
Message #
Event ID 7202: The device failed to meet the Windows Hello for Business hardware requirements.
#Description
The device failed to meet the Windows Hello for Business hardware requirements.
Message #
Event ID 7203: Windows Hello for Business is not enabled.
#Description
Windows Hello for Business is not enabled.
Message #
Event ID 7203: Windows Hello for Business is not enabled.
#Description
Windows Hello for Business is not enabled.
Message #
Event ID 7204: Windows Hello for Business post-logon provisioning is not enabled.
#Description
Windows Hello for Business post-logon provisioning is not enabled.
Message #
Event ID 7204: Windows Hello for Business post-logon provisioning is not enabled.
#Description
Windows Hello for Business post-logon provisioning is not enabled.
Message #
Event ID 7205: Windows Hello for Business failed to locate a usable sign-in certificate template.
#Event ID 7205: Windows Hello for Business failed to locate a usable sign-in certificate template.
#Event ID 7206: Windows Hello for Business failed to locate a certificate registration authority.
#Description
Windows Hello for Business failed to locate a certificate registration authority.
Message #
Event ID 7206: Windows Hello for Business failed to locate a certificate registration authority.
#Description
Windows Hello for Business failed to locate a certificate registration authority.
Message #
Event ID 7207: Windows Hello for Business failed to locate an enterprise management client.
#Description
Windows Hello for Business failed to locate an enterprise management client.
Message #
Event ID 7207: Windows Hello for Business failed to locate an enterprise management client.
#Description
Windows Hello for Business failed to locate an enterprise management client.
Message #
Event ID 7208: Windows Hello for Business failed to locate a sign-in certificate profile.
#Description
Windows Hello for Business failed to locate a sign-in certificate profile.
Message #
Event ID 7208: Windows Hello for Business failed to locate a sign-in certificate profile.
#Description
Windows Hello for Business failed to locate a sign-in certificate profile.
Message #
Event ID 7209: Windows Hello for Business failed to locate a certificate payload for the sign-in certificate.
#Description
Windows Hello for Business failed to locate a certificate payload for the sign-in certificate. The SCEP Request is not available.
Message #
Event ID 7209: Windows Hello for Business failed to locate a certificate payload for the sign-in certificate.
#Description
Windows Hello for Business failed to locate a certificate payload for the sign-in certificate. The SCEP Request is not available.
Message #
Event ID 7210: Windows Hello for Business detected the user running in a remote desktop session.
#Description
Windows Hello for Business detected the user running in a remote desktop session.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-HelloForBusiness",
"event_id": 7210,
"level": "Error",
"task": "Prerequisites Check",
"opcode": "Informational",
"time_created": "2026-04-18T01:58:47.6807742+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-HelloForBusiness/Operational"
},
"event_data": {}
}
Event ID 7210: Windows Hello for Business detected the user running in a remote desktop session.
#Description
Windows Hello for Business detected the user running in a remote desktop session.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-HelloForBusiness",
"guid": "906B8A99-63CE-58D7-86AB-10989BBD5567",
"event_source_name": "",
"event_id": 7210,
"version": 0,
"level": 2,
"task": 12,
"opcode": 12,
"keywords": 9223372036854775809,
"time_created": "2026-03-13T04:58:41.296416+00:00",
"event_record_id": 45,
"correlation": {},
"execution": {
"process_id": 3604,
"thread_id": 7852
},
"channel": "Microsoft-Windows-HelloForBusiness/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {},
"message": ""
}
Event ID 7211: The Secondary Account Primary Refresh Token prerequisite check failed.
#Description
The Secondary Account Primary Refresh Token prerequisite check failed.
Message #
Event ID 7211: The Secondary Account Primary Refresh Token prerequisite check failed.
#Description
The Secondary Account Primary Refresh Token prerequisite check failed.
Message #
Event ID 7225: Windows Hello key creation failed with Processing_time.
#Event ID 7226: Windows Hello failed to delete the Key_Name key.
#Event ID 7510: Windows Hello key registration failed.
#Event ID 7520: Failed to authenticate the user's credential.
#Event ID 7525: AD/Azure AD plugin request failed with Processing_time.
#Event ID 7555: Windows Hello container creation failed.
#Event ID 7601: Windows Hello failed to delete the container in response to a policy change.
#Event ID 7611: Windows Hello failed to delete the container.
#Event ID 7621: Windows Hello failed to delete the user's Windows Hello certificates.
#Event ID 7631: Windows Hello failed to delete the user's biometric enrollments.
#Event ID 7701: Windows Hello failed to use secure biometrics protector due to secret encryption key loss.
#Description
Windows Hello failed to use secure biometrics protector due to secret encryption key loss.
Message #
Event ID 7703: Windows Hello operation failed because the Windows Hello for Business policy is set to disabled.
#Description
Windows Hello operation failed because the Windows Hello for Business policy is set to disabled.
Message #
Event ID 8002: Successfully loaded an existing KeyProvider Windows Hello container.
#Event ID 8025: The ServiceName service started successfully.
#Description
The ServiceName service started successfully.
Message #
Fields #
| Name | Description |
|---|---|
ServiceName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-HelloForBusiness",
"guid": "{906B8A99-63CE-58D7-86AB-10989BBD5567}",
"event_source_name": "",
"event_id": 8025,
"version": 0,
"level": 16,
"task": 6,
"opcode": 12,
"keywords": -9223372036854775807,
"time_created": "2026-05-28T12:08:16.4045809+00:00",
"event_record_id": 28,
"correlation": {},
"execution": {
"process_id": 6132,
"thread_id": 5148
},
"channel": "Microsoft-Windows-HelloForBusiness/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-19"
}
},
"event_data": {
"ServiceName": "Microsoft Passport Container"
},
"message": "The Microsoft Passport Container service started successfully."
}
Event ID 8030: Windows Hello created the sign-in certificate request successfully.
#Description
Windows Hello created the sign-in certificate request successfully.
Message #
Event ID 8031: Windows Hello installed the sign-in certificate successfully.
#Description
Windows Hello installed the sign-in certificate successfully.
Message #
Event ID 8032: Windows Hello successfully rolled back from an unsuccessful sign-in certificate enrollment.
#Description
Windows Hello successfully rolled back from an unsuccessful sign-in certificate enrollment.
Message #
Event ID 8045: Windows Hello processing completed successfully.
#Event ID 8052: The new key request from the key pre-generation pool completed successfully.
#Event ID 8052: The new key request from the key pre-generation pool completed successfully.
#Event ID 8053: The key pre-generation pool successfully pre-generated a key.
#Event ID 8053: The key pre-generation pool successfully pre-generated a key.
#Event ID 8054: Windows Hello for Business prerequisites check completed successfully.
#Description
Windows Hello for Business prerequisites check completed successfully.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-HelloForBusiness",
"event_id": 8054,
"level": "Success",
"task": "Prerequisites Check",
"opcode": "Stop",
"time_created": "2026-04-23T15:41:39.4152865+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-HelloForBusiness/Operational"
},
"event_data": {}
}
Event ID 8054: Windows Hello for Business prerequisites check completed successfully.
#Description
Windows Hello for Business prerequisites check completed successfully.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-HelloForBusiness",
"guid": "{906B8A99-63CE-58D7-86AB-10989BBD5567}",
"event_source_name": "",
"event_id": 8054,
"version": 0,
"level": 16,
"task": 12,
"opcode": 11,
"keywords": -9223372036854775807,
"time_created": "2026-05-29T16:34:07.4598987+00:00",
"event_record_id": 69,
"correlation": {},
"execution": {
"process_id": 6328,
"thread_id": 6432
},
"channel": "Microsoft-Windows-HelloForBusiness/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {},
"message": "Windows Hello for Business prerequisites check completed successfully."
}
Event ID 8055: Windows Hello container provisioning completed successfully.
#Event ID 8060: Windows Hello successfully created a PIN recovery key for user Processing_time.
#Event ID 8065: The cloud experience host completed successfully.
#Event ID 8066: Windows Hello sign-in certificate enrollment completed successfully.
#Event ID 8067: Windows Hello set a certificate property on a Windows Hello key.
#Event ID 8130: Windows Hello PIN Recovery successfully changed the user's PIN.
#Event ID 8200: The device registration prerequisite check completed successfully.
#Description
The device registration prerequisite check completed successfully.
Message #
Event ID 8200: The device registration prerequisite check completed successfully.
#Description
The device registration prerequisite check completed successfully.
Message #
Event ID 8201: The Primary Account Primary Refresh Token prerequisite check completed successfully.
#Description
The Primary Account Primary Refresh Token prerequisite check completed successfully.
Message #
Event ID 8201: The Primary Account Primary Refresh Token prerequisite check completed successfully.
#Description
The Primary Account Primary Refresh Token prerequisite check completed successfully.
Message #
Event ID 8202: The device meets Windows Hello for Business hardware requirements.
#Description
The device meets Windows Hello for Business hardware requirements.
Message #
Event ID 8202: The device meets Windows Hello for Business hardware requirements.
#Description
The device meets Windows Hello for Business hardware requirements.
Message #
Event ID 8203: Windows Hello for Business is enabled.
#Description
Windows Hello for Business is enabled.
Message #
Event ID 8203: Windows Hello for Business is enabled.
#Description
Windows Hello for Business is enabled.
Message #
Event ID 8204: Windows Hello for Business post-logon provisioning is enabled.
#Description
Windows Hello for Business post-logon provisioning is enabled.
Message #
Event ID 8204: Windows Hello for Business post-logon provisioning is enabled.
#Description
Windows Hello for Business post-logon provisioning is enabled.
Message #
Event ID 8205: Windows Hello for Business successfully located a usable sign-on certificate template.
#Description
Windows Hello for Business successfully located a usable sign-on certificate template.
Message #
Event ID 8205: Windows Hello for Business successfully located a usable sign-on certificate template.
#Description
Windows Hello for Business successfully located a usable sign-on certificate template.
Message #
Event ID 8206: Windows Hello for Business successfully located a certificate registration authority.
#Description
Windows Hello for Business successfully located a certificate registration authority.
Message #
Event ID 8206: Windows Hello for Business successfully located a certificate registration authority.
#Description
Windows Hello for Business successfully located a certificate registration authority.
Message #
Event ID 8207: Windows Hello for Business successfully located an enterprise management client.
#Description
Windows Hello for Business successfully located an enterprise management client.
Message #
Event ID 8207: Windows Hello for Business successfully located an enterprise management client.
#Description
Windows Hello for Business successfully located an enterprise management client.
Message #
Event ID 8208: Windows Hello for Business successfully located a sign-in certificate profile.
#Description
Windows Hello for Business successfully located a sign-in certificate profile.
Message #
Event ID 8208: Windows Hello for Business successfully located a sign-in certificate profile.
#Description
Windows Hello for Business successfully located a sign-in certificate profile.
Message #
Event ID 8209: Windows Hello for Business successfully located a certificate payload for the sign-in certificate.
#Description
Windows Hello for Business successfully located a certificate payload for the sign-in certificate. The SCEP Request is available.
Message #
Event ID 8209: Windows Hello for Business successfully located a certificate payload for the sign-in certificate.
#Description
Windows Hello for Business successfully located a certificate payload for the sign-in certificate. The SCEP Request is available.
Message #
Event ID 8210: Windows Hello for Business successfully completed the remote desktop prerequisite check.
#Description
Windows Hello for Business successfully completed the remote desktop prerequisite check.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-HelloForBusiness",
"event_id": 8210,
"level": "Success",
"task": "Prerequisites Check",
"opcode": "Informational",
"time_created": "2026-04-23T15:41:39.4152745+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-HelloForBusiness/Operational"
},
"event_data": {}
}
Event ID 8210: Windows Hello for Business successfully completed the remote desktop prerequisite check.
#Description
Windows Hello for Business successfully completed the remote desktop prerequisite check.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-HelloForBusiness",
"guid": "{906B8A99-63CE-58D7-86AB-10989BBD5567}",
"event_source_name": "",
"event_id": 8210,
"version": 0,
"level": 16,
"task": 12,
"opcode": 12,
"keywords": -9223372036854775807,
"time_created": "2026-05-29T16:34:07.4598896+00:00",
"event_record_id": 68,
"correlation": {},
"execution": {
"process_id": 6328,
"thread_id": 6432
},
"channel": "Microsoft-Windows-HelloForBusiness/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {},
"message": "Windows Hello for Business successfully completed the remote desktop prerequisite check."
}
Event ID 8211: The Secondary Account Primary Refresh Token prerequisite check completed successfully.
#Description
The Secondary Account Primary Refresh Token prerequisite check completed successfully.
Message #
Event ID 8211: The Secondary Account Primary Refresh Token prerequisite check completed successfully.
#Description
The Secondary Account Primary Refresh Token prerequisite check completed successfully.
Message #
Event ID 8225: Windows Hello key creation completed successfully.
#Event ID 8226: Windows Hello successfully deleted a Key_Name KeyProvider key from the Windows Hello container.
#Event ID 8510: Windows Hello key registration completed successfully.
#Description
Windows Hello key registration completed successfully.
Message #
Event ID 8520: Successfully authenticated the user's credential.
#Event ID 8525: AD/Azure AD plugin request completed successfully.
#Event ID 8555: The Windows Hello container creation completed successfully.
#Event ID 8601: Windows Hello successfully deleted the container in response to a policy change.
#Event ID 8611: Windows Hello successfully deleted the container.
#Description
Windows Hello successfully deleted the container.
Message #
Event ID 8621: Windows Hello successfully deleted the user's Windows Hello certificates.
#Description
Windows Hello successfully deleted the user's Windows Hello certificates.
Message #
Event ID 8631: Windows Hello successfully deleted the user's biometric enrollments.
#Description
Windows Hello successfully deleted the user's biometric enrollments.
Message #
Event ID 8632: Windows Hello for Business successfully added a user entry to the Username/SID cache with the following information.
#Description
Windows Hello for Business successfully added a user entry to the Username/SID cache with the following information.
Message #
Fields #
| Name | Description |
|---|---|
UserName UnicodeString | |
UserSid SID | |
Domain UnicodeString | [Windows Hello for Business successfully added a user entry to the Username/SID cache with the following information] Domain. |
UserEntered Boolean | [Windows Hello for Business successfully added a user entry to the Username/SID cache with the following information] User-Entered. |
Event ID 8633: Windows Hello for Business successfully removed a user entry to the Username/SID cache with the following information: User SID.
#Event ID 8634: Windows Hello for Business found a user entry with a duplicate SID and successfully removed the unused username from the Username/SID cache: User S...
#Event ID 8635: Windows Hello for Business found a user entry with a duplicate username and successfully removed the unused SID from the Username/SID cache: Userna...
#Event ID 8636: Windows Hello for Business found a stale SID in the Username/SID cache.
#Event ID 8637: Windows Hello for Business found a stale username in the Username/SID cache.
#Event ID 8638: Windows Hello for Business removed a stale SID from the Username/SID cache: Stale User SID.
#Event ID 8639: Windows Hello for Business removed a stale username from the Username/SID cache.
#Event ID 8640: Windows Hello for Business PIN was changed by a user with the following information: User SID.
#Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 906b8a99-63ce-58d7-86ab-10989bbd5567
Defined in cryptngc.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3451, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02