Microsoft-Windows-User Device Registration

220 events across 3 channels

Event	Title	Channel	Sample
100	The discovery request send operation was successful.	Admin	Y
101	The discovery operation callback was successful.	Admin	Y
102	The initialization of the join request was successful.	Admin	Y
103	The join request was successfully sent to server.	Admin	Y
104	The get join response operation callback was successful.	Admin	Y
105	The complete join response operation was successful.	Admin	Y
106	The post join tasks for the AAD Authentication Package completed successfully.	Admin	Y
107	The existing NGC user ID key was successfully deleted.	Admin	N
108	The NGC container was successfully created.	Admin	N
109	The NGC user ID key was successfully created.	Admin	N
110	The registration status has been successfully cleared from the device.	Admin	N
111	The registration status has been successfully flushed to disk.	Admin	Y
112	Hostname related error received.	Admin	N
200	The discovery request send operation failed with exit code: ExitCode.	Admin	N
201	The discovery operation callback failed with exit code: ExitCode.	Admin	N
202	The initialization of the join request failed with exit code: ExitCode.	Admin	N
203	The send join request operation failed with exit code: ExitCode.	Admin	N
204	The get join response operation callback failed with exit code: ExitCode.	Admin	N
205	The complete join response operation failed with exit code: ExitCode.	Admin	N
206	The post join tasks for the Microsoft Entra Authentication Package failed with …	Admin	N
207	The parameter value should not be NULL or empty.	Admin	N
208	Unable to remove account UserSID from group Group.	Admin	N
209	Unable to convert the string-format security identifier (SID) SID to a …	Admin	N
210	Unable to retrieve account information for security identifier (SID) SID.	Admin	N
211	Unable to add account UserSID to group Group.	Admin	N
212	Error happened while accessing registry: ErrorCode.	Admin	Y
213	Unable to connect to Local Security Authority (LSA) server.	Admin	N
214	Unable to lookup Local Security Authority (LSA) authentication package.	Admin	N
215	Local Security Authority (LSA) authentication failed.	Admin	N
216	The security identifier (SID) is invalid.	Admin	N
217	Unable to copy security identifier (SID) SID.	Admin	N
218	The string Email is not a valid email address.	Admin	N
219	Unable to retrieve the Active Directory domain join status information of the …	Admin	N
220	Unable to retrieve the local computer's name in the specified format Format.	Admin	Y
221	Unable to connect to the LDAP server Server:Port using authentication method …	Admin	Y
222	Unable to convert the SID structure to its string-format.	Admin	N
223	Unable to set WinHTTP option Option.	Admin	N
224	Unable to query WinHTTP option Option.	Admin	N
225	Unable to initialize WinHTTP.	Admin	N
226	Unable to connect to server Server:Port through WinHTTP.	Admin	N
227	Unable to open WinHTTP Verb request.	Admin	N
228	Unable to set WinHTTP call back function.	Admin	N
229	Unable to retrieve WinHTTP header information.	Admin	N
230	Unable to send WinHTTP request.	Admin	N
231	One or more errors were encountered while retrieving a Secure Sockets Layer …	Admin	N
232	The WinHTTP callback function was cancelled.	Admin	N
233	The WinHTTP callback function failed.	Admin	N
234	Unalbed to query the amount of data available to read through WinHTTP.	Admin	N
235	WinHTTP read data failure.	Admin	N
236	WinHTTP write data failure.	Admin	N
237	Unable to setup a certificate from the given encoded string.	Admin	N
238	Unable to save the certificate.	Admin	N
239	Unable to clear the registration status from the device.	Admin	N
240	Unable to flush the registration status to disk.	Admin	N
241	KSP session ID: KspSessionID.	Admin	N
242	Account UserSID was added to group Group.	Admin	N
243	Account UserSID was removed from group Group.	Admin	N
244	Unable to sign authentication data for managed automatic registration.	Admin	N
245	Unable to verify or update the signing certificate for automatic registration.	Admin	N
246	Unable to get persisted state location.	Admin	N
247	Unable to remove Microsoft Passport key registration for all local Active …	Admin	N
248	Unable to check whether the attribute value of the device object is up to date.	Admin	N
249	Unable to start updating attribute value of the device object.	Admin	N
250	Updating attribute value of the device object started successfully.	Admin	N
251	The attribute value of the device object was updated successfully.	Admin	N
252	Unable to update the attribute value of the device object.	Admin	N
253	Unable to parse the device attribute update server response.	Admin	N
254	Unable to check MDM enrollment status of the device.	Admin	N
255	Unable to trigger update task for this device.	Admin	N
256	The update task for this device was successfully triggered.	Admin	N
257	The task Folder\TaskName was successfully enabled.	Admin	Y
258	Failed to enable task Folder\TaskName.	Admin	Y
259	The task Folder\TaskName was successfully disabled.	Admin	N
260	Failed to disable task Folder\TaskName.	Admin	N
261	The repair join information operation failed.	Admin	N
262	The repair join information operation completed successfully.	Admin	N
263	The repair join information operation failed to start.	Admin	N
264	The repair join information operation started successfully.	Admin	N
265	The virtual desktop registry has ValuesCount value(s) missing.	Admin	N
266	The virtual desktop registry value is invalid.	Admin	N
267	Failed to read virtual desktop settings from registry.	Admin	N
268	The virtual desktop settings were successfully retrieved from the registry.	Admin	N
269	Unable to parse the AIK update server response.	Admin	N
270	Unable to start updating token binding AIK of the device object.	Admin	N
271	Updating token binding AIK of the device object started successfully.	Admin	N
272	The token binding AIK of the device object was updated successfully.	Admin	N
273	Unable to update the token binding AIK of the device object.	Admin	N
274	Failed to configure KDC proxy group policy.	Admin	N
275	Failed to restore KDC proxy local group policy to its original value.	Admin	N
276	The KDC Proxy group policy setting is incorrect.	Admin	N
277	The KDC proxy group policy has been configured successfully.	Admin	N
278	The KDC proxy local group policy has been restored to its original value.	Admin	N
300	The Microsoft Passport key was successfully registered with Azure AD.	Admin	N
301	NGC key registration failed.	Admin	N
302	The NGC key registration request was successfully sent.	Admin	N
303	The NGC key registration initialization operation failed.	Admin	N
304	Automatic registration failed at join phase.	Admin	Y
305	Automatic registration failed at authentication phase.	Admin	N
306	Automatic registration Succeeded.	Admin	N
307	Automatic registration failed.	Admin	Y
308	This Device is joined to Microsoft Entra, however, the user did not sign-in with …	Admin	N
309	Failed to discover the Microsoft Entra DRS service.	Admin	N
310	Unable to retrieve the NGC user ID key with name KeyName.	Admin	N
311	The NGC create container operation failed.	Admin	N
312	The existing NGC container was successfully deleted.	Admin	N
314	Unable to delete NGC container.	Admin	N
315	Unable to create NGC user ID key.	Admin	N
316	Unable to retrieve the specified NGC user ID key.	Admin	N
317	Unable to delete NGC user ID key.	Admin	N
318	Unable to create NGC transport key.	Admin	N
319	Unable to delete NGC transport key.	Admin	N
320	Unable to parse the NGC registration server response.	Admin	N
321	Failed to enable the device lock PIN.	Admin	N
322	The application does not have the permission to perform this operation.	Admin	N
323	Preparing to send a request to the Web Account Manager.	Admin	N
324	Unable to get a token using the Web Account Manager.	Admin	N
325	Successfully obtained a token for the current user via token broker.	Admin	N
326	Unable to get the application's core window.	Admin	N
327	Unable to remove the PIN that has been created to use in place of the current …	Admin	N
328	Unable to check whether a PIN has been created to use in place of the current …	Admin	N
329	Preparing to send a request to the Web Account Manager silently (no UI mode).	Admin	N
330	Microsoft Entra DRS and Enterprise DRS are configured for this device.	Admin	N
331	Automatic device join pre-check tasks completed.	Admin	Y
332	Automatic device join pre-check tasks found that this device is joined, however, …	Admin	N
333	Automatic device join pre-check tasks completed.	Admin	Y
334	Automatic device join pre-check tasks completed.	Admin	Y
335	Automatic device join pre-check tasks completed.	Admin	N
336	The Web Proxy Autodiscovery Protocol (WPAD) did NOT locate the URL of a …	Admin	N
337	The request was sent to the server through the out-bound proxy and failed with …	Admin	N
338	The Web Proxy Autodiscovery Protocol (WPAD) located the URL of a configuration …	Admin	N
339	The following out-bound proxy information was set for this request.	Admin	N
340	The Web Proxy Autodiscovery Protocol (WPAD) encountered an unexpected error.	Admin	N
341	This request will NOT fail over to a proxy server.	Admin	N
342	Unable to query Passport for Work policies.	Admin	N
343	Unable to enumerate Passport for Work containers.	Admin	N
344	Failed to access the device key.	Admin	N
345	Failed to access the device key.	Admin	N
346	The Microsoft Passport key was successfully removed from Azure AD.	Admin	N
347	Failed to remove the Microsoft Passport key from Azure AD.	Admin	N
348	The Microsoft Passport delete key registration request was successfully sent.	Admin	N
349	Failed to initialize the Microsoft Passport delete key registration request.	Admin	N
350	The Microsoft Passport key information was successfully saved.	Admin	N
351	Failed to save the Microsoft Passport key information.	Admin	N
352	The Microsoft Passport key information was successfully deleted.	Admin	N
353	Failed to delete the Microsoft Passport key information.	Admin	N
354	Json Request Failed.	Admin	N
355	Successfully enrolled for a logon certificate using a Registration Authority.	Admin	N
356	Failed to enroll for a logon certificate using a Registration Authority.	Admin	N
357	Group Policy indicates the user must enroll for a logon certificate along with …	Admin	N
358	Message Device is Microsoft Entra joined (or hybrid joined): DeviceIsJoined User …	Admin	Y
359	Windows Hello for Business provisioning has encountered an error during policy …	Admin	Y
360	Message Device is Microsoft Entra joined (or hybrid joined): DeviceIsJoined User …	Admin	Y
361	Message Device is Microsoft Entra joined (or hybrid joined): DeviceIsJoined User …	Admin	N
362	Message Device is Microsoft Entra joined (or hybrid joined): DeviceIsJoined User …	Admin	N
363	The Microsoft Passport key is missing.	Admin	N
364	The saved Microsoft Passport information does not match the key.	Admin	N
365	Unable to enroll for a logon certificate using a Registration Authority.	Admin	N
366	Unable to enroll for a logon certificate using a Registration Authority.	Admin	N
367	Added following properties to the Web Account Manager access token request.	Admin	N
368	The following token properties were recieved from the Web Account Manager.	Admin	N
369	The Workstation Service logged a device registration message.	Admin	Y
370	The automatic device registration task failed to unregister device.	Admin	N
371	The automatic device registration task successfully unregistered device.	Admin	N
372	The FIDO credential was successfully registered with Azure AD.	Admin	N
373	FIDO credential registration failed.	Admin	N
374	The FIDO credential registration request was successfully sent.	Admin	N
375	The FIDO credential registration initialization operation failed.	Admin	N
376	The FIDO credential was successfully created.	Admin	N
377	Unable to create FIDO credential.	Admin	N
378	The FIDO credentials were successfully deleted from Azure AD.	Admin	N
379	FIDO credential deletion failed.	Admin	N
380	The FIDO credential deletion request was successfully sent.	Admin	N
381	The FIDO credential deletion initialization operation failed.	Admin	N
382	Unable to parse the FIDO registration server response.	Admin	N
383	The PIN has been successfully recovered.	Admin	N
384	The PIN recover operation failed with exit code: ExitCode.	Admin	N
385	Unable to get attestation statement for Microsoft Passport key.	Admin	N
386	Successfully got attestation statement for Microsoft Passport key.	Admin	N
387	Unable to reset registry recovery flags.	Admin	N
388	Recovery API APIName called.	Admin	N
389	Automatic Azure SecureVM Join Succeeded.	Admin	N
390	Resource account certificate does not match device ceritificate.	Admin	N
391	Unable to get the NGC user ID key container state.	Admin	N
392	The NGC user ID key container is in a bad state.	Admin	N
393	NGC logon certificate could not be renewed due to device ID flip.	Admin	N
394	Unable to set registry value for device ID flip.	Admin	N
395	Unable to unset registry value for device ID flip.	Admin	N
396	Key policy in registry is set to unsupported value PolicyValue.	Admin	N
397	MDM enrollment for Azure SecureVM succeeded.	Admin	N
398	MDM enrollment for Azure SecureVM failed.	Admin	N
399	Attempt to discover enrollment URL for MDM auto-enrollment failed.	Admin	N
400	All attempts to discover enrollment URL for MDM auto-enrollment failed.	Admin	N
401	No MDM enrollment URL was discoverered for MDM auto-enrollment.	Admin	N
402	Attempt to discover enrollment URL for MDM auto-enrollment failed.	Admin	N
403	Attempt to get token for MDM auto-enrollment failed.	Admin	N
404	All attempts to get WAM token for MDM auto-enrollment failed.	Admin	N
405	Requsting token for MDM auto-enrollment failed.	Admin	N
406	Unenrolling from MDM failed.	Admin	N
407	Successfully unenrolled from MDM.	Admin	N
408	Failed to import NGC proof-of-possession key.	Admin	N
409	Failed to get NGC transport key name.	Admin	N
410	Failed to get NGC transport key.	Admin	N
411	The parameter is invalid.	Admin	N
412	Unsupported public key structure format encountered.	Admin	N
413	Token binding AIK creation failed.	Admin	N
414	Token binding AIK deletion failed.	Admin	N
415	Token binding AIK was successfully created.	Admin	N
416	Token binding AIK was successfully deleted.	Admin	N
417	Failed to get token binding AIK name.	Admin	N
418	Hardware policy in registry is set to unsupported value PolicyValue.	Admin	N
419	NGC transport key creation with key type KeyType failed.	Admin	N
420	Automatic registration failed at authentication phase.	Admin	N
421	Event ID 421	Admin	N
421	Event ID 421	Operational	N
500	Message.	Debug	N
501	Message.	Debug	N
502	Message.	Debug	N
503	Message.	Debug	N
504	Message.	Debug	N
4096	The automatic device registration task will be triggered.	Admin	Y

Event ID 100: The discovery request send operation was successful.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

The discovery request send operation was successful.

Message #

The discovery request send operation was successful.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 100,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-14T21:11:23.195032+00:00",
    "event_record_id": 565,
    "correlation": {},
    "execution": {
      "process_id": 9420,
      "thread_id": 12040
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 101: The discovery operation callback was successful.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

The discovery operation callback was successful.

Message #

The discovery operation callback was successful. 
Server response was: %1

Fields #

Name	Description
`ServerMessage` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 101,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-14T21:11:23.777637+00:00",
    "event_record_id": 566,
    "correlation": {},
    "execution": {
      "process_id": 9420,
      "thread_id": 11132
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "ServerMessage": "{\"DiscoveryService\":{\"DiscoveryEndpoint\":\"https:\\/\\/enterpriseregistration.windows.net\\/contoso.onmicrosoft.com\\/Discover\",\"ServiceVersion\":\"1.7\"},\"DeviceRegistrationService\":{\"RegistrationEndpoint\":\"https:\\/\\/enterpriseregistration.windows.net\\/EnrollmentServer\\/DeviceEnrollmentWebService.svc\",\"RegistrationResourceId\":\"urn:ms-drs:enterpriseregistration.windows.net\",\"ServiceVersion\":\"1.0\"},\"AuthenticationService\":{\"OAuth2\":{\"AuthCodeEndpoint\":\"https:\\/\\/login.microsoftonline.com\\/1e64ccd8-db90-4ab1-be9c-c04de7241eca\\/oauth2\\/authorize\",\"TokenEndpoint\":\"https:\\/\\/login.microsoftonline.com\\/1e64ccd8-db90-4ab1-be9c-c04de7241eca\\/oauth2\\/token\"}},\"IdentityProviderService\":{\"Federated\":false,\"PassiveAuthEndpoint\":\"https:\\/\\/login.microsoftonline.com\\/contoso.onmicrosoft.com\\/wsfed\"},\"DeviceJoinService\":{\"JoinEndpoint\":\"https:\\/\\/enterpriseregistration.windows.net\\/EnrollmentServer\\/device\\/\",\"JoinResourceId\":\"urn:ms-drs:enterpriseregistration.windows.net\",\"ServiceVersion\":\"2.0\"},\"KeyProvisioningService\":{\"KeyProvisionEndpoint\":\"https:\\/\\/enterpriseregistration.windows.net\\/EnrollmentServer\\/key\\/\",\"KeyProvisionResourceId\":\"urn:ms-drs:enterpriseregistration.windows.net\",\"ServiceVersion\":\"1.0\"},\"WebAuthNService\":{\"ServiceVersion\":\"1.0\",\"WebAuthNEndpoint\":\"https:\\/\\/enterpriseregistration.windows.net\\/webauthn\\/1e64ccd8-db90-4ab1-be9c-c04de7241eca\\/\",\"WebAuthNResourceId\":\"urn:ms-drs:enterpriseregistration.windows.net\"},\"DeviceManagementService\":{\"DeviceManagementEndpoint\":\"https:\\/\\/enterpriseregistration.windows.net\\/manage\\/1e64ccd8-db90-4ab1-be9c-c04de7241eca\\/\",\"DeviceManagementResourceId\":\"urn:ms-drs:enterpriseregistration.windows.net\",\"ServiceVersion\":\"1.0\"},\"MsaProviderData\":{\"SiteId\":\"295958\",\"SiteUrl\":\"enterpriseregistration.windows.net\"},\"PrecreateService\":{\"PrecreateEndpoint\":\"https:\\/\\/enterpriseregistration.windows.net\\/EnrollmentServer\\/device\\/precreate\\/1e64ccd8-db90-4ab1-be9c-c04de7241eca\\/\",\"PrecreateResourceId\":\"urn:ms-drs:enterpriseregistration.windows.net\",\"ServiceVersion\":\"2.0\"},\"TenantInfo\":{\"TenantId\":\"1e64ccd8-db90-4ab1-be9c-c04de7241eca\",\"TenantName\":\"contoso.onmicrosoft.com\"},\"AzureRbacService\":{\"RbacPolicyEndpoint\":\"https:\\/\\/pas.windows.net\"},\"BPLService\":{\"BPLProxyServicePrincipalId\":\"dda27c27-f274-469f-8005-cce10f270009\",\"BPLResourceId\":\"urn:ms-drs:enterpriseregistration.windows.net\",\"BPLServiceEndpoint\":\"https:\\/\\/enterpriseregistration.windows.net\\/aadpasswordpolicy\\/1e64ccd8-db90-4ab1-be9c-c04de7241eca\\/\",\"ServiceVersion\":\"1.0\"},\"DeviceJoinResourceService\":{\"Endpoint\":\"https:\\/\\/enterpriseregistration.windows.net\\/EnrollmentServer\\/device\\/resource\\/1e64ccd8-db90-4ab1-be9c-c04de7241eca\\/\",\"JoinResourceEndpointTLS\":null,\"ResourceId\":\"urn:ms-drs:enterpriseregistration.windows.net\",\"ServiceVersion\":\"2.0\"}}"
  },
  "message": ""
}

Event ID 102: The initialization of the join request was successful.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

The initialization of the join request was successful. Inputs.

Message #

The initialization of the join request was successful. Inputs:
 JoinRequest: %1 (%2)
 Domain: %3

Fields #

Name	Description
`JoinRequestType` Int32
`JoinRequestTypeSymbolicName` UnicodeString
`Domain` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 102,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-14T21:11:23.874759+00:00",
    "event_record_id": 567,
    "correlation": {
      "ActivityID": "D73F5340-B345-0006-CF04-40D745B3DC01"
    },
    "execution": {
      "process_id": 9420,
      "thread_id": 12040
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "JoinRequestType": 5,
    "JoinRequestTypeSymbolicName": "WORKPLACE",
    "Domain": "contoso.onmicrosoft.com"
  },
  "message": ""
}

Event ID 103: The join request was successfully sent to server.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

The join request was successfully sent to server. Inputs.

Message #

The join request was successfully sent to server. Inputs:
 AuthToken: %1

Fields #

Name	Description
`AuthToken` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 103,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-14T21:11:24.436419+00:00",
    "event_record_id": 568,
    "correlation": {
      "ActivityID": "D73F5340-B345-0006-CF04-40D745B3DC01"
    },
    "execution": {
      "process_id": 9420,
      "thread_id": 12040
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "AuthToken": "<Present; Snipped>"
  },
  "message": ""
}

Event ID 104: The get join response operation callback was successful.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

The get join response operation callback was successful.

Message #

The get join response operation callback was successful. 
Activity Id: %2 
Server response was: %1

Fields #

Name	Description
`ServerResponse` UnicodeString
`ActivityId` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 104,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-14T21:11:28.473964+00:00",
    "event_record_id": 569,
    "correlation": {},
    "execution": {
      "process_id": 9420,
      "thread_id": 11132
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "ServerResponse": "{\"Certificate\":{\"Thumbprint\":\"25A0849791D73569B739463793F2D6FE8B537CB1\",\"RawBody\":\"MIID8jCCAtqgAwIBAgIQ/uYcFQ+SyYBADB2zdnI1rjANBgkqhkiG9w0BAQsFADB4MXYwEQYKCZImiZPyLGQBGRYDbmV0MBUGCgmSJomT8ixkARkWB3dpbmRvd3MwHQYDVQQDExZNUy1Pcmdhbml6YXRpb24tQWNjZXNzMCsGA1UECxMkODJkYmFjYTQtM2U4MS00NmNhLTljNzMtMDk1MGMxZWFjYTk3MB4XDTI2MDMxNDIwNDEyN1oXDTM2MDMxNDIxMTEyN1owLzEtMCsGA1UEAxMkZWYwMWI5OWQtN2Y0Zi00Y2E1LWEwM2MtOTU2ZThmYTdmMmExMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwdBuTpxq8zFwuHDPpAmdbuwivMhdDv+0kBMzYiHzXpaV8nb1dhk22G8GltrLbv/laYt+QP0Ca6rkRrnyY8UCoxmgBLQb/NeM7NnHFTWG7sSVVfL8Pjgkkpx6NAh518EVLtLlfU6dF6FIWkO+QqmpjdoLtXBQLH93zvKECyDFuSYXJoFzmCUiyFqUTk4ueejA10PPfq6YBk4JAaytEZ6PAutmEicFt+fGg4vVyMPjaQ8vWpadY+HvbCKAkLH41lgEDpR4icTZOhdUHrnld4p04RgTTyulFYgEHjsIR5udbtzESg9AtbWBjD75ZB0SYhQGj2/5wjIXG/K0307Rnp9N4QIDAQABo4HAMIG9MAwGA1UdEwEB/wQCMAAwFgYDVR0lAQH/BAwwCgYIKwYBBQUHAwIwIgYLKoZIhvcUAQWCHAIEEwSBEJ25Ae9Pf6VMoDyVbo+n8qEwIgYLKoZIhvcUAQWCHAMEEwSBEGnWW4NI3klAvtJ1/ppArPgwIgYLKoZIhvcUAQWCHAUEEwSBENjMZB6Q27FKvpzATeckHsowFAYLKoZIhvcUAQWCHAgEBQSBAk5BMBMGCyqGSIb3FAEFghwHBAQEgQEwMA0GCSqGSIb3DQEBCwUAA4IBAQAo6t7fWMVuGniVRcEqD1U+NehXmlUPHIuIVJBSmar6EYw9ACwCd9n/WKM3LtgMDLQ3nwXroVHJwpxK3IiCqgDnAHuhcQHOWbwhnuuttoXRGm7vj0pj3d0Ap9mJsd2CJj5OvTXtxIeui/Te3enG3WWuvpx0Qu5RIJqwmr031QBunzcsNncvpyhPWFNzotuMTiRORvJh8n1i44VrIthbjl2VgMdSoHE6vNQlefuQZ7a27+Ph0KJeqMo5v6jqLMamfp5U/VyjZ4zssg1IbrW5gfhUDZnQyb+cWcDVMnEdCV585QUzAYIlDjR8Vg3iaAIfPrfJ7oO/k28Q/MOweAv4y/hD\"},\"User\":{\"Upn\":\"labuser@contoso.onmicrosoft.com\"},\"MembershipChanges\":[{\"LocalSID\":\"S-1-5-32-544\",\"AddSIDs\":[\"S-1-12-1-2117376648-1315835739-3444453811-542002737\",\"S-1-12-1-2359094871-1093718557-3030428564-552357830\"]}]}",
    "ActivityId": "a315d45d-ad27-4338-a603-c6283cfa75d2"
  },
  "message": ""
}

Event ID 105: The complete join response operation was successful.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

The complete join response operation was successful.

Message #

The complete join response operation was successful.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 105,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-14T21:11:28.486079+00:00",
    "event_record_id": 572,
    "correlation": {
      "ActivityID": "D73F5340-B345-000B-88D0-3FD745B3DC01"
    },
    "execution": {
      "process_id": 9420,
      "thread_id": 11132
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 106: The post join tasks for the AAD Authentication Package completed successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

The post join tasks for the Microsoft Entra Authentication Package completed successfully.

Message #

The post join tasks for the Microsoft Entra Authentication Package completed successfully.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 106,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-14T21:11:28.474004+00:00",
    "event_record_id": 570,
    "correlation": {
      "ActivityID": "D73F5340-B345-000B-88D0-3FD745B3DC01"
    },
    "execution": {
      "process_id": 9420,
      "thread_id": 11132
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {},
  "message": ""
}

Event ID 107: The existing NGC user ID key was successfully deleted.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The existing NGC user ID key was successfully deleted. Key name: KeyName.

Message #

The existing NGC user ID key was successfully deleted. Key name: %1.

Fields #

Name	Description
`KeyName` UnicodeString

Event ID 108: The NGC container was successfully created.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The NGC container was successfully created.

Message #

The NGC container was successfully created. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
Flags: %4

Fields #

Name	Description
`UserSid` UnicodeString
`IdpDomain` UnicodeString
`TenantDomain` UnicodeString
`Flags` UInt32

Event ID 109: The NGC user ID key was successfully created.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The NGC user ID key was successfully created.

Message #

The NGC user ID key was successfully created. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
User ID: %4 
Flags: %5

Fields #

Name	Description
`UserSid` UnicodeString
`IdpDomain` UnicodeString
`TenantDomain` UnicodeString
`UserId` UnicodeString
`Flags` UInt32

Event ID 110: The registration status has been successfully cleared from the device.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The registration status has been successfully cleared from the device.

Message #

The registration status has been successfully cleared from the device. 
Join type: %1 (%2) 
Tenant ID: %3 
UPN: %4

Fields #

Name	Description
`JoinType` Int32
`JoinTypeSymbolicName` UnicodeString
`TenantId` UnicodeString
`UPN` UnicodeString

Event ID 111: The registration status has been successfully flushed to disk.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

The registration status has been successfully flushed to disk.

Message #

The registration status has been successfully flushed to disk. 
Join type: %1 (%2)

Fields #

Name	Description
`JoinRequestType` Int32
`JoinRequestTypeSymbolicName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 111,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-03-14T21:11:28.486074+00:00",
    "event_record_id": 571,
    "correlation": {
      "ActivityID": "D73F5340-B345-000B-88D0-3FD745B3DC01"
    },
    "execution": {
      "process_id": 9420,
      "thread_id": 11132
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "JoinRequestType": 5,
    "JoinRequestTypeSymbolicName": "WORKPLACE"
  },
  "message": ""
}

Event ID 112: Hostname related error received.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Hostname related error received. Retry join without hostnames.

Message #

Hostname related error received. Retry join without hostnames.

Event ID 200: The discovery request send operation failed with exit code: ExitCode.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The discovery request send operation failed with exit code: ExitCode. Inputs.

Message #

The discovery request send operation failed with exit code: %1. Inputs:
 Domain: %2

Fields #

Name	Description
`ExitCode` Int32
`Domain` UnicodeString

Event ID 201: The discovery operation callback failed with exit code: ExitCode.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The discovery operation callback failed with exit code: ExitCode. The server returned HTTP status: HttpStatus.

Message #

The discovery operation callback failed with exit code: %1. The server returned HTTP status: %2. 
Server response was:
%3

Fields #

Name	Description
`ExitCode` Int32
`HttpStatus` UInt32
`ServerMessage` UnicodeString

Event ID 202: The initialization of the join request failed with exit code: ExitCode.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The initialization of the join request failed with exit code: ExitCode. Inputs.

Message #

The initialization of the join request failed with exit code: %1. Inputs:
 JoinRequest: %2 (%3)
 Domain: %4

Fields #

Name	Description
`ExitCode` Int32
`JoinRequestType` Int32
`JoinRequestTypeSymbolicName` UnicodeString
`Domain` UnicodeString

Event ID 203: The send join request operation failed with exit code: ExitCode.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The send join request operation failed with exit code: ExitCode. Inputs.

Message #

The send join request operation failed with exit code: %1. Inputs:
 AuthToken: %2

Fields #

Name	Description
`ExitCode` Int32
`ActivityId` UnicodeString

Event ID 204: The get join response operation callback failed with exit code: ExitCode.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The get join response operation callback failed with exit code: ExitCode.

Message #

The get join response operation callback failed with exit code: %1. 
Activity Id: %2 
The server returned HTTP status: %3 
Server response was: %4

Fields #

Name	Description
`ExitCode` Int32
`ActivityId` UnicodeString
`HttpStatus` UInt32
`ServerResponse` UnicodeString

Event ID 205: The complete join response operation failed with exit code: ExitCode.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The complete join response operation failed with exit code: ExitCode.

Message #

The complete join response operation failed with exit code: %1.

Fields #

Name	Description
`ExitCode` Int32

Event ID 206: The post join tasks for the Microsoft Entra Authentication Package failed with exit code: ExitCode.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The post join tasks for the Microsoft Entra Authentication Package failed with exit code: ExitCode.

Message #

The post join tasks for the Microsoft Entra Authentication Package failed with exit code: %1

Fields #

Name	Description
`ExitCode` Int32

Event ID 207: The parameter value should not be NULL or empty.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The parameter value should not be NULL or empty. Function: FunctionName; Parameter: ParameterName.

Message #

The parameter value should not be NULL or empty. Function: %1; Parameter: %2.

Fields #

Name	Description
`FunctionName` UnicodeString
`ParameterName` UnicodeString

Event ID 208: Unable to remove account UserSID from group Group.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to remove account UserSID from group Group. Error: ErrorCode.

Message #

Unable to remove account %2 from group %1. Error: %3

Fields #

Name	Description
`Group` UnicodeString
`UserSID` SID
`ErrorCode` UInt32

Event ID 209: Unable to convert the string-format security identifier (SID) SID to a functional SID.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to convert the string-format security identifier (SID) SID to a functional SID. Error: ErrorCode.

Message #

Unable to convert the string-format security identifier (SID) %1 to a functional SID. Error: %2

Fields #

Name	Description
`SID` UnicodeString
`ErrorCode` UInt32

Event ID 210: Unable to retrieve account information for security identifier (SID) SID.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to retrieve account information for security identifier (SID) SID. Error: ErrorCode.

Message #

Unable to retrieve account information for security identifier (SID) %1. Error: %2

Fields #

Name	Description
`SID` SID
`ErrorCode` UInt32

Event ID 211: Unable to add account UserSID to group Group.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to add account UserSID to group Group. Error: ErrorCode.

Message #

Unable to add account %2 to group %1. Error: %3

Fields #

Name	Description
`Group` UnicodeString
`UserSID` SID
`ErrorCode` UInt32

Event ID 212: Error happened while accessing registry: ErrorCode.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Error happened while accessing registry: ErrorCode. Operation: Operation. Path: Path.

Message #

Error happened while accessing registry: %1. Operation: %2. Path: %3.

Fields #

Name	Description
`ErrorCode` UInt32
`Operation` UnicodeString	Known values `%%2456` Open key file. `%%2457` Delete key file. `%%2458` Read persisted key from file. `%%2459` Write persisted key to file. `%%2464` Export of persistent cryptographic key. `%%2465` Import of persistent cryptographic key. `%%2480` Open Key. `%%2481` Create Key. `%%2482` Delete Key. `%%2483` Encrypt. `%%2484` Decrypt. `%%2485` Sign hash. `%%2486` Secret agreement. `%%2487` Domain settings. `%%2488` Local settings. `%%2489` Add provider. `%%2490` Remove provider. `%%2491` Add context. `%%2492` Remove context. `%%2493` Add function. `%%2494` Remove function. `%%2495` Add function provider. `%%2496` Remove function provider. `%%2497` Add function property. `%%2498` Remove function property. `%%2499` Machine key. `%%2500` User key. `%%2501` Key Derivation. `%%2502` Claim Creation. `%%2503` Claim Verification.
`Path` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "event_id": 212,
    "level": "Information",
    "task": null,
    "opcode": "Info",
    "time_created": "2026-03-18T03:42:51.7111254+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "Microsoft-Windows-User Device Registration/Admin"
  },
  "event_data": {
    "ErrorCode": "2",
    "Path": "HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\WorkplaceJoin\\JoinInfo\\ef01b99d-7f4f-4ca5-a03c-956e8fa7f2a1",
    "Operation": "RegOpenKeyExW"
  }
}

Event ID 213: Unable to connect to Local Security Authority (LSA) server.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to connect to Local Security Authority (LSA) server. Error: NtStatus.

Message #

Unable to connect to Local Security Authority (LSA) server. Error: %1

Fields #

Name	Description
`NtStatus` UInt32

Event ID 214: Unable to lookup Local Security Authority (LSA) authentication package.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to lookup Local Security Authority (LSA) authentication package. Package name: PackageName. Error: NtStatus.

Message #

Unable to lookup Local Security Authority (LSA) authentication package. Package name: %1. Error: %2

Fields #

Name	Description
`PackageName` AnsiString
`NtStatus` UInt32

Event ID 215: Local Security Authority (LSA) authentication failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Local Security Authority (LSA) authentication failed.

Message #

Local Security Authority (LSA) authentication failed. 
Authentication package identifier: %1. 
Authentication package name: %2. 
Authentication package message: %3. 
Error: %4

Fields #

Name	Description
`PackageId` UInt32
`PackageName` AnsiString
`PackageMessage` UnicodeString
`NtStatus` UInt32

Event ID 216: The security identifier (SID) is invalid.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The security identifier (SID) is invalid. Function name: FunctionName. Parameter name: ParameterName.

Message #

The security identifier (SID) is invalid. Function name: %1. Parameter name: %2.

Fields #

Name	Description
`FunctionName` UnicodeString
`ParameterName` UnicodeString

Event ID 217: Unable to copy security identifier (SID) SID.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to copy security identifier (SID) SID. Error: ErrorCode.

Message #

Unable to copy security identifier (SID) %1. Error: %2

Fields #

Name	Description
`SID` SID
`ErrorCode` UInt32

Event ID 218: The string Email is not a valid email address.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The string Email is not a valid email address.

Message #

The string %1 is not a valid email address.

Fields #

Name	Description
`Email` UnicodeString

Event ID 219: Unable to retrieve the Active Directory domain join status information of the computer.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to retrieve the Active Directory domain join status information of the computer. Error: ErrorCode.

Message #

Unable to retrieve the Active Directory domain join status information of the computer. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32

Event ID 220: Unable to retrieve the local computer's name in the specified format Format.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

Unable to retrieve the local computer's name in the specified format Format. Error: ErrorCode.

Message #

Unable to retrieve the local computer's name in the specified format %1. Error: %2

Fields #

Name	Description
`Format` UnicodeString
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 220,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-18T05:25:02.728108+00:00",
    "event_record_id": 144,
    "correlation": {},
    "execution": {
      "process_id": 3728,
      "thread_id": 6640
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Format": "NameFullyQualifiedDN",
    "ErrorCode": 1398
  },
  "message": ""
}

Event ID 221: Unable to connect to the LDAP server Server:Port using authentication method AuthMethod.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

Unable to connect to the LDAP server Server:Port using authentication method AuthMethod. Error: ErrorCode.

Message #

Unable to connect to the LDAP server %1:%2 using authentication method %3. Error: %4

Fields #

Name	Description
`Server` UnicodeString
`Port` UInt32
`AuthMethod` UInt32
`ErrorCode` UInt32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 221,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2026-02-10T01:11:25.427288+00:00",
    "event_record_id": 14,
    "correlation": {},
    "execution": {
      "process_id": 2936,
      "thread_id": 4644
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "Server": "",
    "Port": 389,
    "AuthMethod": 1158,
    "ErrorCode": 81
  },
  "message": ""
}

Event ID 222: Unable to convert the SID structure to its string-format.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to convert the SID structure to its string-format. Error: ErrorCode.

Message #

Unable to convert the SID structure to its string-format. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32

Event ID 223: Unable to set WinHTTP option Option.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to set WinHTTP option Option. Error: ErrorCode.

Message #

Unable to set WinHTTP option %1. Error: %2

Fields #

Name	Description
`Option` UInt32
`ErrorCode` UInt32

Event ID 224: Unable to query WinHTTP option Option.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to query WinHTTP option Option. Error: ErrorCode.

Message #

Unable to query WinHTTP option %1. Error: %2

Fields #

Name	Description
`Option` UInt32
`ErrorCode` UInt32

Event ID 225: Unable to initialize WinHTTP.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to initialize WinHTTP.

Message #

Unable to initialize WinHTTP. 
User agent: %1 
Access type: %2 
Proxy name: %3 
Proxy bypass address list: %4 
Flags: %5 
Error: %6

Fields #

Name	Description
`UserAgent` UnicodeString
`AccessType` UInt32
`ProxyName` UnicodeString
`ProxyBypassList` UnicodeString
`Flags` UInt32
`ErrorCode` UInt32

Event ID 226: Unable to connect to server Server:Port through WinHTTP.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to connect to server Server:Port through WinHTTP. Error: ErrorCode.

Message #

Unable to connect to server %1:%2 through WinHTTP. Error: %3

Fields #

Name	Description
`Server` UnicodeString
`Port` UInt16
`ErrorCode` UInt32

Event ID 227: Unable to open WinHTTP Verb request.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to open WinHTTP Verb request. Flags: Flags. Error: ErrorCode.

Message #

Unable to open WinHTTP %1 request. Flags: %2. Error: %3

Fields #

Name	Description
`Verb` UnicodeString
`Flags` UInt32
`ErrorCode` UInt32

Event ID 228: Unable to set WinHTTP call back function.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to set WinHTTP call back function. Notification flags: NotificationFlags. Error: ErrorCode.

Message #

Unable to set WinHTTP call back function. Notification flags: %1. Error: %2

Fields #

Name	Description
`NotificationFlags` UInt32
`ErrorCode` UInt32

Event ID 229: Unable to retrieve WinHTTP header information.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to retrieve WinHTTP header information. Flags: Flags. Name: HeaderName. Error: ErrorCode.

Message #

Unable to retrieve WinHTTP header information. Flags: %1. Name: %2. Error: %3

Fields #

Name	Description
`Flags` UInt32
`HeaderName` UnicodeString
`ErrorCode` UInt32

Event ID 230: Unable to send WinHTTP request.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to send WinHTTP request. Error: ErrorCode.

Message #

Unable to send WinHTTP request. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32

Event ID 231: One or more errors were encountered while retrieving a Secure Sockets Layer (SSL) certificate from the server.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

One or more errors were encountered while retrieving a Secure Sockets Layer (SSL) certificate from the server.

Message #

One or more errors were encountered while retrieving a Secure Sockets Layer (SSL) certificate from the server.  
Error code: %1 
WinHTTP status: %2 (%3)

Fields #

Name	Description
`ErrorCode` UInt32
`WinHttpStatus` UInt32
`WinHttpStatusFlag` UnicodeString

Event ID 232: The WinHTTP callback function was cancelled.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The WinHTTP callback function was cancelled. WINHTTP_STATUS_CALLBACK status code: StatusCode (StatusName).

Message #

The WinHTTP callback function was cancelled. WINHTTP_STATUS_CALLBACK status code: %1 (%2)

Fields #

Name	Description
`StatusCode` UInt32	NTSTATUS reference
`StatusName` UnicodeString

Event ID 233: The WinHTTP callback function failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The WinHTTP callback function failed. WINHTTP_STATUS_CALLBACK status code: StatusCode (StatusName). Error: ErrorCode.

Message #

The WinHTTP callback function failed. WINHTTP_STATUS_CALLBACK status code: %1 (%3). Error: %2

Fields #

Name	Description
`StatusCode` UInt32	NTSTATUS reference
`ErrorCode` Int32
`StatusName` UnicodeString

Event ID 234: Unalbed to query the amount of data available to read through WinHTTP.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unalbed to query the amount of data available to read through WinHTTP. Error: ErrorCode.

Message #

Unalbed to query the amount of data available to read through WinHTTP. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32

Event ID 235: WinHTTP read data failure.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

WinHTTP read data failure. Error: ErrorCode.

Message #

WinHTTP read data failure. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32

Event ID 236: WinHTTP write data failure.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

WinHTTP write data failure. Error: ErrorCode.

Message #

WinHTTP write data failure. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32

Event ID 237: Unable to setup a certificate from the given encoded string.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to setup a certificate from the given encoded string. Error: ErrorCode.

Message #

Unable to setup a certificate from the given encoded string. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32

Event ID 238: Unable to save the certificate.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to save the certificate. Error: ErrorCode.

Message #

Unable to save the certificate. Error: %1

Fields #

Name	Description
`ErrorCode` UInt32

Event ID 239: Unable to clear the registration status from the device.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to clear the registration status from the device.

Message #

Unable to clear the registration status from the device. 
Exit code: %1 
Join type: %2 (%3) 
Tenant ID: %4 
UPN: %5

Fields #

Name	Description
`ExitCode` Int32
`JoinType` Int32
`JoinTypeSymbolicName` UnicodeString
`TenantId` UnicodeString
`UPN` UnicodeString

Event ID 240: Unable to flush the registration status to disk.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to flush the registration status to disk.

Message #

Unable to flush the registration status to disk. 
Exit code: %1 
Join type: %2 (%3)

Fields #

Name	Description
`ExitCode` Int32
`JoinRequestType` Int32
`JoinRequestTypeSymbolicName` UnicodeString

Event ID 241: KSP session ID: KspSessionID.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

KSP session ID: KspSessionID.

Message #

KSP session ID: %1

Fields #

Name	Description
`KspSessionID` UnicodeString

Event ID 242: Account UserSID was added to group Group.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Account UserSID was added to group Group.

Message #

Account %2 was added to group %1.

Fields #

Name	Description
`Group` UnicodeString
`UserSID` SID

Event ID 243: Account UserSID was removed from group Group.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Account UserSID was removed from group Group.

Message #

Account %2 was removed from group %1.

Fields #

Name	Description
`Group` UnicodeString
`UserSID` SID

Event ID 244: Unable to sign authentication data for managed automatic registration.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to sign authentication data for managed automatic registration. Exit code: ExitCode.

Message #

Unable to sign authentication data for managed automatic registration. Exit code: %1.

Fields #

Name	Description
`ExitCode` Int32

Event ID 245: Unable to verify or update the signing certificate for automatic registration.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to verify or update the signing certificate for automatic registration. Exit code: ExitCode.

Message #

Unable to verify or update the signing certificate for automatic registration. Exit code: %1.

Fields #

Name	Description
`ExitCode` Int32

Event ID 246: Unable to get persisted state location.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to get persisted state location.

Message #

Unable to get persisted state location. 
Exit code: %1 
Resource ID: %2 
Default location: %3 
Location type: %4 (%5)

Fields #

Name	Description
`ErrorCode` HexInt32
`SourceId` UnicodeString
`DefaultPath` UnicodeString
`LocationType` Int32
`LocationTypeName` UnicodeString

Event ID 247: Unable to remove Microsoft Passport key registration for all local Active Directory and Azure Active Directory users.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to remove Microsoft Passport key registration for all local Active Directory and Microsoft Entra users.

Message #

Unable to remove Microsoft Passport key registration for all local Active Directory and Microsoft Entra users. 
Exit code: %1

Fields #

Name	Description
`ExitCode` Int32

Event ID 248: Unable to check whether the attribute value of the device object is up to date.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to check whether the attribute value of the device object is up to date.

Message #

Unable to check whether the attribute value of the device object is up to date. 
Exit code: %1 
Attribute: %2 
Tenant ID: %3 
Device ID: %4 
Join type: %5 (%6)

Fields #

Name	Description
`ExitCode` Int32
`Attribute` UnicodeString
`TenantId` UnicodeString
`DeviceId` UnicodeString
`JoinType` Int32
`JoinTypeName` UnicodeString

Event ID 249: Unable to start updating attribute value of the device object.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to start updating attribute value of the device object.

Message #

Unable to start updating attribute value of the device object. 
Exit code: %1 
Attribute: %2 
Tenant ID: %3 
Device ID: %4 
Join type: %5 (%6) 
Request ID: %7

Fields #

Name	Description
`ExitCode` Int32
`Attribute` UnicodeString
`TenantId` UnicodeString
`DeviceId` UnicodeString
`JoinType` Int32
`JoinTypeName` UnicodeString
`RequestId` UnicodeString

Event ID 250: Updating attribute value of the device object started successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Updating attribute value of the device object started successfully.

Message #

Updating attribute value of the device object started successfully. 
Attribute: %1 
Tenant ID: %2 
Device ID: %3 
Join type: %4 (%5) 
Request ID: %6

Fields #

Name	Description
`Attribute` UnicodeString
`TenantId` UnicodeString
`DeviceId` UnicodeString
`JoinType` Int32
`JoinTypeName` UnicodeString
`RequestId` UnicodeString

Event ID 251: The attribute value of the device object was updated successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The attribute value of the device object was updated successfully.

Message #

The attribute value of the device object was updated successfully. 
Attribute: %1 
Tenant ID: %2 
Device ID: %3 
Join type: %4 (%5) 
Request ID: %6 
HTTP status: %7 
Time: %8 
Server message: %9 
Server response body: %10

Fields #

Name	Description
`Attribute` UnicodeString
`TenantId` UnicodeString
`DeviceId` UnicodeString
`JoinType` Int32
`JoinTypeName` UnicodeString
`RequestId` UnicodeString
`HttpStatus` Int32
`ServerTime` UnicodeString
`ServerMessage` UnicodeString
`ResponseBody` UnicodeString

Event ID 252: Unable to update the attribute value of the device object.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to update the attribute value of the device object.

Message #

Unable to update the attribute value of the device object. 
Exit code: %1 
Attribute: %2 
Tenant ID: %3 
Device ID: %4 
Join type: %5 (%6) 
Request ID: %7 
HTTP status: %8 
Time: %9 
Error Code: %12 
Error Subcode: %13 
Server message: %10 
Server response body: %11

Fields #

Name	Description
`ExitCode` Int32
`Attribute` UnicodeString
`TenantId` UnicodeString
`DeviceId` UnicodeString
`JoinType` Int32
`JoinTypeName` UnicodeString
`RequestId` UnicodeString
`HttpStatus` Int32
`ServerTime` UnicodeString
`ServerMessage` UnicodeString
`ResponseBody` UnicodeString
`ErrorCode` UnicodeString
`ErrorSubcode` UnicodeString

Event ID 253: Unable to parse the device attribute update server response.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to parse the device attribute update server response.

Message #

Unable to parse the device attribute update server response. 
HTTP status: %1 
Server response body: %2 
Error: %3

Fields #

Name	Description
`HttpStatus` UInt32
`ResponseBody` UnicodeString
`ErrorCode` Int32

Event ID 254: Unable to check MDM enrollment status of the device.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to check MDM enrollment status of the device.

Message #

Unable to check MDM enrollment status of the device. 
Error: %1

Fields #

Name	Description
`ErrorCode` Int32

Event ID 255: Unable to trigger update task for this device.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to trigger update task for this device.

Message #

Unable to trigger update task for this device. 
Error: %1 
Join type: %2 (%3) 
Tenant ID: %4

Fields #

Name	Description
`ErrorCode` Int32
`JoinType` Int32
`JoinTypeName` UnicodeString
`TenantId` UnicodeString

Event ID 256: The update task for this device was successfully triggered.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The update task for this device was successfully triggered.

Message #

The update task for this device was successfully triggered. 
Join type: %1 (%2) 
Tenant ID: %3

Fields #

Name	Description
`JoinType` Int32
`JoinTypeName` UnicodeString
`TenantId` UnicodeString

Event ID 257: The task Folder\TaskName was successfully enabled.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

The task Folder\TaskName was successfully enabled.

Message #

The task %1\%2 was successfully enabled.

Fields #

Name	Description
`Folder` UnicodeString
`TaskName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "{23B8D46B-67DD-40A3-B636-D43E50552C6D}",
    "event_source_name": "",
    "event_id": 257,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-29T01:33:24.8474390+00:00",
    "event_record_id": 217,
    "correlation": {},
    "execution": {
      "process_id": 2660,
      "thread_id": 2908
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "Folder": "\\Microsoft\\Windows\\Workplace Join",
    "TaskName": "Automatic-Device-Join"
  },
  "message": "The task \\Microsoft\\Windows\\Workplace Join\\Automatic-Device-Join was successfully enabled."
}

Event ID 258: Failed to enable task Folder\TaskName.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Warning

Description

Failed to enable task Folder\TaskName. Error: ErrorCode.

Message #

Failed to enable task %2\%3. Error: %1

Fields #

Name	Description
`ErrorCode` Int32
`Folder` UnicodeString
`TaskName` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "{23B8D46B-67DD-40A3-B636-D43E50552C6D}",
    "event_source_name": "",
    "event_id": 258,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-29T01:34:10.7479055+00:00",
    "event_record_id": 316,
    "correlation": {},
    "execution": {
      "process_id": 2348,
      "thread_id": 2848
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "telemetry-DC-b.cell-b.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "ErrorCode": "-2147023728",
    "Folder": "\\Microsoft\\Windows\\Workplace Join",
    "TaskName": "Automatic-Device-Join"
  },
  "message": "Failed to enable task \\Microsoft\\Windows\\Workplace Join\\Automatic-Device-Join. Error: Element not found."
}

Event ID 259: The task Folder\TaskName was successfully disabled.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The task Folder\TaskName was successfully disabled.

Message #

The task %1\%2 was successfully disabled.

Fields #

Name	Description
`Folder` UnicodeString
`TaskName` UnicodeString

Event ID 260: Failed to disable task Folder\TaskName.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to disable task Folder\TaskName. Error: ErrorCode.

Message #

Failed to disable task %2\%3. Error: %1

Fields #

Name	Description
`ErrorCode` Int32
`Folder` UnicodeString
`TaskName` UnicodeString

Event ID 261: The repair join information operation failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The repair join information operation failed.

Message #

The repair join information operation failed. 
Exit code: %1 
Tenant ID: %2 
Device ID: %3 
Join Type: %4 (%5) 
Request Id: %6 
Time: %7 
Http Status: %8 
Error Code: %9 
Error Subcode: %10 
Server Message: %11 
Server Operation: %12

Fields #

Name	Description
`ExitCode` Int32
`TenantId` UnicodeString
`DeviceId` UnicodeString
`JoinType` Int32
`JoinTypeName` UnicodeString
`RequestId` UnicodeString
`Time` UnicodeString
`HttpStatus` UInt32
`ErrorCode` UnicodeString
`ErrorSubcode` UnicodeString
`ServerMessage` UnicodeString
`ServerOperation` UnicodeString

Event ID 262: The repair join information operation completed successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The repair join information operation completed successfully.

Message #

The repair join information operation completed successfully. 
Tenant ID: %1 
Device ID: %2 
Join UPN: %3 
Join Type: %4 (%5) 
Request Id: %6 
Time: %7 
Http Status: %8

Fields #

Name	Description
`TenantId` UnicodeString
`DeviceId` UnicodeString
`JoinUpn` UnicodeString
`JoinType` Int32
`JoinTypeName` UnicodeString
`RequestId` UnicodeString
`Time` UnicodeString
`HttpStatus` UInt32

Event ID 263: The repair join information operation failed to start.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The repair join information operation failed to start.

Message #

The repair join information operation failed to start. 
Exit code: %1 
Tenant ID: %2 
Join Type: %3 (%4) 
Input UPN: %5 
Input UPN Count: %6 
Request ID: %7

Fields #

Name	Description
`ExitCode` Int32
`TenantId` UnicodeString
`JoinType` Int32
`JoinTypeName` UnicodeString
`InputUpn` UnicodeString
`InputUpnCount` UInt32
`RequestId` UnicodeString

Event ID 264: The repair join information operation started successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The repair join information operation started successfully.

Message #

The repair join information operation started successfully. 
Tenant ID: %1 
Device ID: %2 
Join UPN: %5 
Input UPN Count: %6 
Join Type: %3 (%4) 
Request Id: %7

Fields #

Name	Description
`TenantId` UnicodeString
`DeviceId` UnicodeString
`JoinType` Int32
`JoinTypeName` UnicodeString
`JoinUpn` UnicodeString
`InputUpnCount` UInt32
`RequestId` UnicodeString

Event ID 265: The virtual desktop registry has ValuesCount value(s) missing.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The virtual desktop registry has ValuesCount value(s) missing.

Message #

The virtual desktop registry has %2 value(s) missing. 
Registry key: %1 
Missing values: %4

Fields #

Name	Description
`RegistryKey` UnicodeString
`ValuesCount` UInt32
`Value` UnicodeString
`ValuesList` UnicodeString

Event ID 266: The virtual desktop registry value is invalid.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The virtual desktop registry value is invalid.

Message #

The virtual desktop registry value is invalid. 
Registry key: %1 
Value name: %2 
Value: %3

Fields #

Name	Description
`RegistryKey` UnicodeString
`ValueName` UnicodeString
`Value` UInt32

Event ID 267: Failed to read virtual desktop settings from registry.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to read virtual desktop settings from registry.

Message #

Failed to read virtual desktop settings from registry. 
Error: %1 
Registry key: %2

Fields #

Name	Description
`ExitCode` Int32
`RegistryKey` UnicodeString

Event ID 268: The virtual desktop settings were successfully retrieved from the registry.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The virtual desktop settings were successfully retrieved from the registry.

Message #

The virtual desktop settings were successfully retrieved from the registry. 
Registry key: %1 
Provider: %2 
Type: %3 (%4) 
User mode: %5 (%6) 
Extensions: %7 
For the list of extensions, see "Extension" in EventData.

Fields #

Name	Description
`RegistryKey` UnicodeString
`Provider` UnicodeString
`Type` UInt32
`TypeName` UnicodeString
`UserMode` UInt32
`UserModeName` UnicodeString
`ExtensionsCount` UInt32
`Extension` UnicodeString

Event ID 269: Unable to parse the AIK update server response.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to parse the AIK update server response.

Message #

Unable to parse the AIK update server response. 
HTTP status: %1 
Server response body: %2 
Error: %3

Fields #

Name	Description
`HttpStatus` UInt32
`ResponseBody` UnicodeString
`ErrorCode` Int32

Event ID 270: Unable to start updating token binding AIK of the device object.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to start updating token binding AIK of the device object.

Message #

Unable to start updating token binding AIK of the device object. 
Exit code: %1 
Join type: %2 (%3) 
Tenant ID: %4 
Device ID: %5 
User SID: %6 
User token: %7 
Request ID: %8

Fields #

Name	Description
`ExitCode` Int32
`JoinType` Int32
`JoinTypeName` UnicodeString
`TenantId` UnicodeString
`DeviceId` UnicodeString
`UserSid` UnicodeString
`AuthToken` UnicodeString
`RequestId` UnicodeString

Event ID 271: Updating token binding AIK of the device object started successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Updating token binding AIK of the device object started successfully.

Message #

Updating token binding AIK of the device object started successfully. 
Join type: %1 (%2) 
Tenant ID: %3 
Device ID: %4 
User SID: %5 
User token: %6 
Request ID: %7

Fields #

Name	Description
`JoinType` Int32
`JoinTypeName` UnicodeString
`TenantId` UnicodeString
`DeviceId` UnicodeString
`UserSid` UnicodeString
`AuthToken` UnicodeString
`RequestId` UnicodeString

Event ID 272: The token binding AIK of the device object was updated successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The token binding AIK of the device object was updated successfully.

Message #

The token binding AIK of the device object was updated successfully. 
Join type: %1 (%2) 
Tenant ID: %3 
Device ID: %4 
User SID: %5 
Request ID: %6 
HTTP status: %7 
Time: %8

Fields #

Name	Description
`JoinType` Int32
`JoinTypeName` UnicodeString
`TenantId` UnicodeString
`DeviceId` UnicodeString
`UserSid` UnicodeString
`RequestId` UnicodeString
`HttpStatus` Int32
`ServerTime` UnicodeString

Event ID 273: Unable to update the token binding AIK of the device object.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to update the token binding AIK of the device object.

Message #

Unable to update the token binding AIK of the device object. 
Exit code: %1 
Join type: %2 (%3) 
Tenant ID: %4 
Device ID: %5 
User SID: %6 
Request ID: %7 
HTTP status: %8 
Time: %9 
Error Code: %12 
Error Subcode: %13 
Server message: %10 
Server response body: %11

Fields #

Name	Description
`ExitCode` Int32
`JoinType` Int32
`JoinTypeName` UnicodeString
`TenantId` UnicodeString
`DeviceId` UnicodeString
`UserSid` UnicodeString
`RequestId` UnicodeString
`HttpStatus` Int32
`ServerTime` UnicodeString
`ServerMessage` UnicodeString
`ResponseBody` UnicodeString
`ErrorCode` UnicodeString
`ErrorSubcode` UnicodeString

Event ID 274: Failed to configure KDC proxy group policy.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to configure KDC proxy group policy.

Message #

Failed to configure KDC proxy group policy. 
Exit code: %1 
Kerberos endpoint: %2 
Kerberos realm: %3 
KDC proxy server: %4 
Local group policy modified: %5

Fields #

Name	Description
`ExitCode` Int32
`KerbEndpoint` UnicodeString
`Realm` UnicodeString
`KdcProxyServer` UnicodeString
`LocalGpoModified` UnicodeString

Event ID 275: Failed to restore KDC proxy local group policy to its original value.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to restore KDC proxy local group policy to its original value.

Message #

Failed to restore KDC proxy local group policy to its original value. 
Exit code: %1

Fields #

Name	Description
`ExitCode` Int32

Event ID 276: The KDC Proxy group policy setting is incorrect.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The KDC Proxy group policy setting is incorrect.

Message #

The KDC Proxy group policy setting is incorrect. 
Expected value: 
  KdcProxyServer_Enabled: %1 
  NoRevocationCheck: %2 
  Proxy Server: %3 
Actual value: 
  KdcProxyServer_Enabled: %4 
  NoRevocationCheck: %5 
  Proxy Server: %6

Fields #

Name	Description
`ExpectedProxyEnabled` UnicodeString
`ExpectedNoRevocationCheck` UnicodeString
`ExpectedProxyServer` UnicodeString
`ActualProxyEnabled` UnicodeString
`ActualNoRevocationCheck` UnicodeString
`ActualProxyServer` UnicodeString

Event ID 277: The KDC proxy group policy has been configured successfully.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The KDC proxy group policy has been configured successfully.

Message #

The KDC proxy group policy has been configured successfully. 
Kerberos endpoint: %1 
Kerberos realm: %2 
KdcProxyServer_Enabled: %3 
NoRevocationCheck: %4 
KDC Proxy Server: %5

Fields #

Name	Description
`KerbEndpoint` UnicodeString
`Realm` UnicodeString
`ProxyEnabled` UnicodeString
`NoRevocationCheck` UnicodeString
`ProxyServer` UnicodeString

Event ID 278: The KDC proxy local group policy has been restored to its original value.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The KDC proxy local group policy has been restored to its original value.

Message #

The KDC proxy local group policy has been restored to its original value. 
KdcProxyServer_Enabled: %1 
NoRevocationCheck: %2 
KDC Proxy Server: %3

Fields #

Name	Description
`ProxyEnabled` UnicodeString
`NoRevocationCheck` UnicodeString
`ProxyServer` UnicodeString

Event ID 300: The Microsoft Passport key was successfully registered with Azure AD.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The Microsoft Passport key was successfully registered with Microsoft Entra.

Message #

The Microsoft Passport key was successfully registered with Microsoft Entra. 
Key ID: %1 
UPN: %2 
Attestation: %3 
Client request ID: %4 
Server request ID: %5 
Server response: %6

Fields #

Name	Description
`KeyId` GUID
`UPN` UnicodeString
`Attestation` UnicodeString
`ClientRequestId` UnicodeString
`ServerRequestId` UnicodeString
`ServerResponse` UnicodeString

Event ID 301: NGC key registration failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

NGC key registration failed.

Message #

NGC key registration failed. 
Exit code: %1 
Client request ID: %2 
Server request ID: %3 
Error code: %4 
Server error message: %5 
Recommended client response: %6 
Server response: %7

Fields #

Name	Description
`ExitCode` Int32
`ClientRequestId` UnicodeString
`ServerRequestId` UnicodeString
`ErrorCode` UnicodeString
`ServerErrorMessage` UnicodeString
`RecommendedClientResponse` UnicodeString
`ServerResponse` UnicodeString

Event ID 302: The NGC key registration request was successfully sent.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The NGC key registration request was successfully sent. User email: Email.

Message #

The NGC key registration request was successfully sent. User email: %1.
Auth token: %2.

Fields #

Name	Description
`Email` UnicodeString
`AuthToken` UnicodeString

Event ID 303: The NGC key registration initialization operation failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The NGC key registration initialization operation failed. Exit code: ExitCode. User email: Email.

Message #

The NGC key registration initialization operation failed. Exit code: %1. User email: %2.
Auth token: %3.

Fields #

Name	Description
`ExitCode` Int32
`Email` UnicodeString
`AuthToken` UnicodeString

Event ID 304: Automatic registration failed at join phase.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Error

Description

Automatic registration failed at join phase.

Message #

Automatic registration failed at join phase. 
Exit code: %1 
Server error: %2 
Tenant type: %3 
Registration type: %4 
Debug Output: 
%5

Fields #

Name	Description
`ExitCode` Int32
`ServerErrorMessage` UnicodeString
`TenantType` UnicodeString
`JoinType` UnicodeString
`DebugOutput` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "{23B8D46B-67DD-40A3-B636-D43E50552C6D}",
    "event_source_name": "",
    "event_id": 304,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T14:08:20.3012732+00:00",
    "event_record_id": 280,
    "correlation": {},
    "execution": {
      "process_id": 5708,
      "thread_id": 4012
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ExitCode": "-2145648611",
    "ServerErrorMessage": "",
    "TenantType": "undefined",
    "JoinType": "undefined",
    "DebugOutput": "joinMode: Join\ndrsInstance: undefined\nregistrationType: undefined\ntenantType: undefined\ntenantId: undefined\nconfigLocation: undefined\nerrorPhase: discover\nadalCorrelationId: 8a6409b3-b95a-4ebe-82db-ac7c31c92149\nadalLog:\nundefined\nadalResponseCode: 0x0\n"
  },
  "message": "Automatic registration failed at join phase. \r\nExit code: Unknown HResult Error code: 0x801c001d \r\nServer error:  \r\nTenant type: undefined \r\nRegistration type: undefined \r\nDebug Output: \r\njoinMode: Join\ndrsInstance: undefined\nregistrationType: undefined\ntenantType: undefined\ntenantId: undefined\nconfigLocation: undefined\nerrorPhase: discover\nadalCorrelationId: 8a6409b3-b95a-4ebe-82db-ac7c31c92149\nadalLog:\nundefined\nadalResponseCode: 0x0\n"
}

Event ID 305: Automatic registration failed at authentication phase.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Automatic registration failed at authentication phase. Unable to acquire access token.

Message #

Automatic registration failed at authentication phase. Unable to acquire access token. 
Exit code: %1 
Tenant Name: %4 
Tenant Type: %3 
Server error: 
%2

Fields #

Name	Description
`ExitCode` Int32
`ServerErrorMessage` UnicodeString
`TenantType` UnicodeString
`TenantName` UnicodeString

Event ID 306: Automatic registration Succeeded.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Automatic registration Succeeded.

Message #

Automatic registration Succeeded.

Event ID 307: Automatic registration failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Error

Description

Automatic registration failed. Failed to lookup the registration service information from Active Directory. Exit code: ExitCode. See http://go.microsoft.com/fwlink/?LinkId=623042.

Message #

Automatic registration failed. Failed to lookup the registration service information from Active Directory. Exit code: %1. See http://go.microsoft.com/fwlink/?LinkId=623042

Fields #

Name	Description
`ExitCode` Int32

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "{23B8D46B-67DD-40A3-B636-D43E50552C6D}",
    "event_source_name": "",
    "event_id": 307,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T14:08:20.3012457+00:00",
    "event_record_id": 279,
    "correlation": {},
    "execution": {
      "process_id": 5708,
      "thread_id": 4012
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "ExitCode": "-2145648611"
  },
  "message": "Automatic registration failed. Failed to lookup the registration service information from Active Directory. Exit code: Unknown HResult Error code: 0x801c001d. See http://go.microsoft.com/fwlink/?LinkId=623042"
}

Event ID 308: This Device is joined to Microsoft Entra, however, the user did not sign-in with a Microsoft Entra account.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

This Device is joined to Microsoft Entra, however, the user did not sign-in with a Microsoft Entra account. Microsoft Passport provisioning will not be enabled. User: UserSID.

Message #

This Device is joined to Microsoft Entra, however, the user did not sign-in with a Microsoft Entra account. Microsoft Passport provisioning will not be enabled. User: %1.

Fields #

Name	Description
`UserSID` UnicodeString

Event ID 309: Failed to discover the Microsoft Entra DRS service.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to discover the Microsoft Entra DRS service. Exit code: ExitCode.

Message #

Failed to discover the Microsoft Entra DRS service. Exit code: %1.

Fields #

Name	Description
`ExitCode` Int32

Event ID 310: Unable to retrieve the NGC user ID key with name KeyName.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to retrieve the NGC user ID key with name KeyName. Error: ErrorCode.

Message #

Unable to retrieve the NGC user ID key with name %1. Error: %2

Fields #

Name	Description
`KeyName` UnicodeString
`ErrorCode` Int32

Event ID 311: The NGC create container operation failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The NGC create container operation failed.

Message #

The NGC create container operation failed. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
Flags: %4 
Error: %5

Fields #

Name	Description
`UserSid` UnicodeString
`IdpDomain` UnicodeString
`TenantDomain` UnicodeString
`Flags` UInt32
`ErrorCode` Int32

Event ID 312: The existing NGC container was successfully deleted.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The existing NGC container was successfully deleted.

Message #

The existing NGC container was successfully deleted. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3

Fields #

Name	Description
`UserSid` UnicodeString
`IdpDomain` UnicodeString
`TenantDomain` UnicodeString

Event ID 314: Unable to delete NGC container.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to delete NGC container.

Message #

Unable to delete NGC container. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
Error: %4

Fields #

Name	Description
`UserSid` UnicodeString
`IdpDomain` UnicodeString
`TenantDomain` UnicodeString
`ErrorCode` Int32

Event ID 315: Unable to create NGC user ID key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to create NGC user ID key.

Message #

Unable to create NGC user ID key. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
User ID: %4 
Flags: %5 
Error: %6

Fields #

Name	Description
`UserSid` UnicodeString
`IdpDomain` UnicodeString
`TenantDomain` UnicodeString
`UserId` UnicodeString
`Flags` UInt32
`ErrorCode` Int32

Event ID 316: Unable to retrieve the specified NGC user ID key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to retrieve the specified NGC user ID key.

Message #

Unable to retrieve the specified NGC user ID key. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
User ID: %4 
Error: %5

Fields #

Name	Description
`UserSid` UnicodeString
`IdpDomain` UnicodeString
`TenantDomain` UnicodeString
`UserId` UnicodeString
`ErrorCode` Int32

Event ID 317: Unable to delete NGC user ID key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to delete NGC user ID key. Key name: KeyName. Error: ErrorCode.

Message #

Unable to delete NGC user ID key. Key name: %1. Error: %2

Fields #

Name	Description
`KeyName` UnicodeString
`ErrorCode` Int32

Event ID 318: Unable to create NGC transport key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to create NGC transport key.

Message #

Unable to create NGC transport key. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
User ID: %4 
Key type: %5 
Flags: %6 
Error: %7

Fields #

Name	Description
`UserSid` UnicodeString
`IdpDomain` UnicodeString
`TenantDomain` UnicodeString
`UserId` UnicodeString
`KeyType` Int32	Known values `%%2499` Machine key `%%2500` User key
`Flags` UInt32
`ErrorCode` Int32

Event ID 319: Unable to delete NGC transport key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to delete NGC transport key.

Message #

Unable to delete NGC transport key. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
User ID: %4 
Flags: %6 
Error: %5

Fields #

Name	Description
`UserSid` UnicodeString
`IdpDomain` UnicodeString
`TenantDomain` UnicodeString
`UserId` UnicodeString
`ErrorCode` Int32
`Flags` UInt32

Event ID 320: Unable to parse the NGC registration server response.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to parse the NGC registration server response.

Message #

Unable to parse the NGC registration server response. 
HTTP status: %1 
Server response body: %2 
Error: %3

Fields #

Name	Description
`HttpStatus` UInt32
`ResponseBody` UnicodeString
`ErrorCode` Int32

Event ID 321: Failed to enable the device lock PIN.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to enable the device lock PIN. Error: ErrorCode.

Message #

Failed to enable the device lock PIN. Error: %1

Fields #

Name	Description
`ErrorCode` Int32

Event ID 322: The application does not have the permission to perform this operation.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The application does not have the permission to perform this operation. Application SID: AppSid.

Message #

The application does not have the permission to perform this operation. Application SID: %1

Fields #

Name	Description
`AppSid` UnicodeString

Event ID 323: Preparing to send a request to the Web Account Manager.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Preparing to send a request to the Web Account Manager.

Message #

Preparing to send a request to the Web Account Manager. 
Account provider ID: %1 
Scope: %2 
Client ID: %3 
Authority: %4 
Resource: %5 
CorrelationId: %6

Fields #

Name	Description
`AccountProvider` UnicodeString
`Scope` UnicodeString
`Client` UnicodeString
`Authority` UnicodeString
`Resource` UnicodeString
`CorrelationId` UnicodeString

Event ID 324: Unable to get a token using the Web Account Manager.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to get a token using the Web Account Manager. Error: ErrorCode.

Message #

Unable to get a token using the Web Account Manager. Error: %5 
Request status code: %1 (%2) 
Token provider error code: %3 
Token provider error message: %4 
CorrelationId: %6

Fields #

Name	Description
`RequestStatus` Int32
`RequestStatusSymbolicName` UnicodeString
`ProviderErrorCode` UInt32
`ProviderErrorMessage` UnicodeString
`ErrorCode` Int32
`CorrelationId` UnicodeString

Event ID 325: Successfully obtained a token for the current user via token broker.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Successfully obtained a token for the current user via token broker.

Message #

Successfully obtained a token for the current user via token broker. 
CorrelationId: %1

Fields #

Name	Description
`CorrelationId` UnicodeString

Event ID 326: Unable to get the application's core window.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to get the application's core window. Error: ErrorCode.

Message #

Unable to get the application's core window. Error: %1

Fields #

Name	Description
`ErrorCode` Int32

Event ID 327: Unable to remove the PIN that has been created to use in place of the current user's logon password.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to remove the PIN that has been created to use in place of the current user's logon password.

Message #

Unable to remove the PIN that has been created to use in place of the current user's logon password. 
User SID: %1 
Error: %2

Fields #

Name	Description
`UserSid` UnicodeString
`ErrorCode` Int32

Event ID 328: Unable to check whether a PIN has been created to use in place of the current user's logon password.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to check whether a PIN has been created to use in place of the current user's logon password.

Message #

Unable to check whether a PIN has been created to use in place of the current user's logon password. 
User SID: %1 
Error: %2

Fields #

Name	Description
`UserSid` UnicodeString
`ErrorCode` Int32

Event ID 329: Preparing to send a request to the Web Account Manager silently (no UI mode).

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Preparing to send a request to the Web Account Manager silently (no UI mode).

Message #

Preparing to send a request to the Web Account Manager silently (no UI mode). 
Account provider ID: %1 
Scope: %2 
Client ID: %3 
Authority: %4 
Resource: %5 
CorrelationId: %6

Fields #

Name	Description
`AccountProvider` UnicodeString
`Scope` UnicodeString
`Client` UnicodeString
`Authority` UnicodeString
`Resource` UnicodeString
`CorrelationId` UnicodeString

Event ID 330: Microsoft Entra DRS and Enterprise DRS are configured for this device.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Microsoft Entra DRS and Enterprise DRS are configured for this device. Only one DRS instance can be configured for an environment. MicrosoftEntraTenantName:AzureADTenantName EnterpriseDrsName:EnterpriseDrsName.

Message #

Microsoft Entra DRS and Enterprise DRS are configured for this device. Only one DRS instance can be configured for an environment. MicrosoftEntraTenantName:%1 EnterpriseDrsName:%2

Fields #

Name	Description
`AzureADTenantName` UnicodeString
`EnterpriseDrsName` UnicodeString

Event ID 331: Automatic device join pre-check tasks completed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

Automatic device join pre-check tasks completed. Details.

Message #

Automatic device join pre-check tasks completed. Details: 
%1

Fields #

Name	Description
`DebugOutput` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "{23B8D46B-67DD-40A3-B636-D43E50552C6D}",
    "event_source_name": "",
    "event_id": 331,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-06-13T14:08:20.1462206+00:00",
    "event_record_id": 278,
    "correlation": {},
    "execution": {
      "process_id": 5708,
      "thread_id": 4012
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "DebugOutput": "preCheckResult: Join\ndeviceKeysHealthy: undefined\nisJoined: undefined\nisDcAvailable: YES\nisSystem: YES\nkeyProvider: undefined\nkeyContainer: undefined\ndsrInstance: undefined\nelapsedSeconds: 0\nresultCode: 0x0\n"
  },
  "message": "Automatic device join pre-check tasks completed. Debug output:\\r\\n preCheckResult: Join\ndeviceKeysHealthy: undefined\nisJoined: undefined\nisDcAvailable: YES\nisSystem: YES\nkeyProvider: undefined\nkeyContainer: undefined\ndsrInstance: undefined\nelapsedSeconds: 0\nresultCode: 0x0\n"
}

Event ID 332: Automatic device join pre-check tasks found that this device is joined, however, it is missing some required state.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Automatic device join pre-check tasks found that this device is joined, however, it is missing some required state. The device will be removed and then joined again.

Message #

Automatic device join pre-check tasks found that this device is joined, however, it is missing some required state. The device will be removed and then joined again.

Event ID 333: Automatic device join pre-check tasks completed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Warning

Description

Automatic device join pre-check tasks completed. The device can NOT be joined. The process MUST run as NT AUTHORITY\SYSTEM.

Message #

Automatic device join pre-check tasks completed. The device can NOT be joined. The process MUST run as NT AUTHORITY\SYSTEM.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "{23B8D46B-67DD-40A3-B636-D43E50552C6D}",
    "event_source_name": "",
    "event_id": 333,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-04-18T00:27:56.6691141+00:00",
    "event_record_id": 554,
    "correlation": {},
    "execution": {
      "process_id": 6284,
      "thread_id": 5848
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "JD-WIN11-22H2-1.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {},
  "message": "Automatic device join pre-check tasks completed. The device can NOT be joined. The process MUST run as NT AUTHORITY\\SYSTEM."
}

Event ID 334: Automatic device join pre-check tasks completed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Warning

Description

Automatic device join pre-check tasks completed. The device can NOT be joined because a domain controller could not be located. The device must be connected to a network with connectivity to an Active Directory domain controller.

Message #

Automatic device join pre-check tasks completed. The device can NOT be joined because a domain controller could not be located. The device must be connected to a network with connectivity to an Active Directory domain controller.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "{23B8D46B-67DD-40A3-B636-D43E50552C6D}",
    "event_source_name": "",
    "event_id": 334,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-29T16:33:10.1475963+00:00",
    "event_record_id": 237,
    "correlation": {},
    "execution": {
      "process_id": 3136,
      "thread_id": 3140
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": "Automatic device join pre-check tasks completed. The device can NOT be joined because a domain controller could not be located. The device must be connected to a network with connectivity to an Active Directory domain controller."
}

Event ID 335: Automatic device join pre-check tasks completed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Automatic device join pre-check tasks completed. The device is already joined.

Message #

Automatic device join pre-check tasks completed. The device is already joined.

Event ID 336: The Web Proxy Autodiscovery Protocol (WPAD) did NOT locate the URL of a configuration file using DHCP and/or DNS discovery methods.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The Web Proxy Autodiscovery Protocol (WPAD) did NOT locate the URL of a configuration file using DHCP and/or DNS discovery methods. The request will be sent directly to the server.

Message #

The Web Proxy Autodiscovery Protocol (WPAD) did NOT locate the URL of a configuration file using DHCP and/or DNS discovery methods. The request will be sent directly to the server. 
WINHTTP_STATUS_CALLBACK dwInternetStatus is %1 (%4) 
WINHTTP_ASYNC_RESULT dwResult is %2 (%5) 
WINHTTP_ASYNC_RESULT dwError is %3

Fields #

Name	Description
`dwInternetStatus` UInt32
`dwResult` UInt64
`dwError` UInt32
`InternetStatus` UnicodeString
`Result` UnicodeString

Event ID 337: The request was sent to the server through the out-bound proxy and failed with the following information.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The request was sent to the server through the out-bound proxy and failed with the following information. A fail-over proxy server will be used if available.

Message #

The request was sent to the server through the out-bound proxy and failed with the following information. A fail-over proxy server will be used if available. 
WINHTTP_STATUS_CALLBACK dwInternetStatus is %1 (%4) 
WINHTTP_ASYNC_RESULT dwResult is %2 (%5) 
WINHTTP_ASYNC_RESULT dwError is %3

Fields #

Name	Description
`dwInternetStatus` UInt32
`dwResult` UInt64
`dwError` UInt32
`InternetStatus` UnicodeString
`Result` UnicodeString

Event ID 338: The Web Proxy Autodiscovery Protocol (WPAD) located the URL of a configuration file using DHCP and/or DNS discovery methods.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The Web Proxy Autodiscovery Protocol (WPAD) located the URL of a configuration file using DHCP and/or DNS discovery methods. ProxyCount configuration entries were found in the configuration file.

Message #

The Web Proxy Autodiscovery Protocol (WPAD) located the URL of a configuration file using DHCP and/or DNS discovery methods. %1 configuration entries were found in the configuration file.

Fields #

Name	Description
`ProxyCount` UInt32

Event ID 339: The following out-bound proxy information was set for this request.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The following out-bound proxy information was set for this request.

Message #

The following out-bound proxy information was set for this request. 
WINHTTP_PROXY_RESULT_ENTRY fProxy is: %1 
WINHTTP_PROXY_RESULT_ENTRY fBypass is: %2 
WINHTTP_PROXY_RESULT_ENTRY INTERNET_SCHEME is: %3 
WINHTTP_PROXY_RESULT_ENTRY pwszProxy is: %4 
WINHTTP_PROXY_RESULT_ENTRY ProxyPort is: %5

Fields #

Name	Description
`fProxy` UnicodeString
`fBypass` UnicodeString
`INTERNET_SCHEME` UInt32
`pwszProxy` UnicodeString
`ProxyPort` UInt32

Event ID 340: The Web Proxy Autodiscovery Protocol (WPAD) encountered an unexpected error.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The Web Proxy Autodiscovery Protocol (WPAD) encountered an unexpected error. The request may not have been sent to the server.

Message #

The Web Proxy Autodiscovery Protocol (WPAD) encountered an unexpected error. The request may not have been sent to the server. 
WINHTTP_STATUS_CALLBACK dwInternetStatus is %1 (%4) 
WINHTTP_ASYNC_RESULT dwResult is %2 (%5) 
WINHTTP_ASYNC_RESULT dwError is %3

Fields #

Name	Description
`dwInternetStatus` UInt32
`dwResult` UInt64
`dwError` UInt32
`InternetStatus` UnicodeString
`Result` UnicodeString

Event ID 341: This request will NOT fail over to a proxy server.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

This request will NOT fail over to a proxy server. The end of the proxy configuration discovered by Web Proxy Autodiscovery Protocol (WPAD) has been reached. Error ErrorCode.

Message #

This request will NOT fail over to a proxy server. The end of the proxy configuration discovered by Web Proxy Autodiscovery Protocol (WPAD) has been reached. Error %1

Fields #

Name	Description
`ErrorCode` UInt32

Event ID 342: Unable to query Passport for Work policies.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to query Passport for Work policies.

Message #

Unable to query Passport for Work policies. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
Error: %4

Fields #

Name	Description
`UserSid` UnicodeString
`IdpDomain` UnicodeString
`TenantDomain` UnicodeString
`ErrorCode` Int32

Event ID 343: Unable to enumerate Passport for Work containers.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to enumerate Passport for Work containers.

Message #

Unable to enumerate Passport for Work containers. 
User SID: %1 
Error: %2

Fields #

Name	Description
`UserSid` UnicodeString
`ErrorCode` Int32

Event ID 344: Failed to access the device key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to access the device key. If you have a TPM, it might be locked out or in an unknown state.

Message #

Failed to access the device key. If you have a TPM, it might be locked out or in an unknown state. 
Error: %1

Fields #

Name	Description
`ExitCode` Int32

Event ID 345: Failed to access the device key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to access the device key. The device key has likely been removed.

Message #

Failed to access the device key. The device key has likely been removed. 
Error: %1

Fields #

Name	Description
`ExitCode` Int32

Event ID 346: The Microsoft Passport key was successfully removed from Azure AD.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The Microsoft Passport key was successfully removed from Microsoft Entra.

Message #

The Microsoft Passport key was successfully removed from Microsoft Entra. 
Key ID (encoded): %1 
UPN: %2 
Client request ID: %3 
Server request ID: %4 
Server response: %5

Fields #

Name	Description
`KeyHash` UnicodeString
`UPN` UnicodeString
`ClientRequestId` UnicodeString
`ServerRequestId` UnicodeString
`ServerResponse` UnicodeString

Event ID 347: Failed to remove the Microsoft Passport key from Azure AD.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to remove the Microsoft Passport key from Microsoft Entra.

Message #

Failed to remove the Microsoft Passport key from Microsoft Entra. 
Error: %2 
Key ID (encoded): %1 
Client request ID: %3 
Server request ID: %4 
Server error code: %5 
Server error message: %6 
Recommended client response: %7 
Server response: %8

Fields #

Name	Description
`KeyHash` UnicodeString
`ErrorCode` Int32
`ClientRequestId` UnicodeString
`ServerRequestId` UnicodeString
`ServerErrorCode` UnicodeString
`ServerErrorMessage` UnicodeString
`RecommendedClientResponse` UnicodeString
`ServerResponse` UnicodeString

Event ID 348: The Microsoft Passport delete key registration request was successfully sent.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The Microsoft Passport delete key registration request was successfully sent. User email: Email. Tenant ID: TenantId. Auth token: AuthToken.

Message #

The Microsoft Passport delete key registration request was successfully sent. User email: %1. Tenant ID: %2. Auth token: %3.

Fields #

Name	Description
`Email` UnicodeString
`TenantId` UnicodeString
`AuthToken` UnicodeString

Event ID 349: Failed to initialize the Microsoft Passport delete key registration request.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to initialize the Microsoft Passport delete key registration request. Exit code: ExitCode. User email: Email. Tenant ID: TenantId. Auth token: AuthToken.

Message #

Failed to initialize the Microsoft Passport delete key registration request. Exit code: %1. User email: %2. Tenant ID: %3. Auth token: %4.

Fields #

Name	Description
`ExitCode` Int32
`Email` UnicodeString
`TenantId` UnicodeString
`AuthToken` UnicodeString

Event ID 350: The Microsoft Passport key information was successfully saved.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The Microsoft Passport key information was successfully saved.

Message #

The Microsoft Passport key information was successfully saved. 
Key ID: %1 
Attestation level: %2 
AIK status: %3 
Key type: %4 
Key name: %5 
IDP domain: %6 
Tenant ID: %7 
User email: %8

Fields #

Name	Description
`KeyId` UnicodeString
`AttLevel` UInt64
`AikStatus` UInt64
`KeyType` UInt64	Known values `%%2499` Machine key `%%2500` User key
`KeyName` UnicodeString
`IdpDomain` UnicodeString
`TenantId` UnicodeString
`UserEmail` UnicodeString

Event ID 351: Failed to save the Microsoft Passport key information.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to save the Microsoft Passport key information.

Message #

Failed to save the Microsoft Passport key information. 
Error: %1 
Key ID: %2 
Attestation level: %3 
AIK status: %4 
Key type: %5 
Key name: %6 
IDP domain: %7 
Tenant ID: %8 
User email: %9

Fields #

Name	Description
`ErrorCode` Int32
`KeyId` UnicodeString
`AttLevel` UInt64
`AikStatus` UInt64
`KeyType` UInt64	Known values `%%2499` Machine key `%%2500` User key
`KeyName` UnicodeString
`IdpDomain` UnicodeString
`TenantId` UnicodeString
`UserEmail` UnicodeString

Event ID 352: The Microsoft Passport key information was successfully deleted.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The Microsoft Passport key information was successfully deleted.

Message #

The Microsoft Passport key information was successfully deleted. 
Key ID: %1 
User SID: %2

Fields #

Name	Description
`KeyId` UnicodeString
`UserSid` UnicodeString

Event ID 353: Failed to delete the Microsoft Passport key information.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to delete the Microsoft Passport key information.

Message #

Failed to delete the Microsoft Passport key information. 
Error: %1 
Key ID: %2 
User SID: %3

Fields #

Name	Description
`ErrorCode` Int32
`KeyId` UnicodeString
`UserSid` UnicodeString

Event ID 354: Json Request Failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Json Request Failed. Exit code: ExitCode. httpStatus: HttpStatus Server response: ServerMessage.

Message #

Json Request Failed. Exit code: %1. httpStatus: %2 Server response: %3.

Fields #

Name	Description
`ExitCode` Int32
`HttpStatus` UInt32
`ServerMessage` UnicodeString

Event ID 355: Successfully enrolled for a logon certificate using a Registration Authority.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Successfully enrolled for a logon certificate using a Registration Authority.

Message #

Successfully enrolled for a logon certificate using a Registration Authority. 
Upn: %1 
TenantId: %2 
Authority: %3 
Resource: %4 
ExitCode: %5

Fields #

Name	Description
`Upn` UnicodeString
`TenantId` UnicodeString
`Authority` UnicodeString
`Resource` UnicodeString
`ExitCode` Int32

Event ID 356: Failed to enroll for a logon certificate using a Registration Authority.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to enroll for a logon certificate using a Registration Authority.

Message #

Failed to enroll for a logon certificate using a Registration Authority. 
UPN: %1 
TenantId: %2 
ExitCode: %3

Fields #

Name	Description
`UPN` UnicodeString
`TenantId` UnicodeString
`ExitCode` Int32

Event ID 357: Group Policy indicates the user must enroll for a logon certificate along with their work PIN.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Group Policy indicates the user must enroll for a logon certificate along with their work PIN.

Message #

Group Policy indicates the user must enroll for a logon certificate along with their work PIN. 
Sid: %1 
TenantId: %2

Fields #

Name	Description
`Sid` UnicodeString
`TenantId` UnicodeString

Event ID 358: Message Device is Microsoft Entra joined (or hybrid joined): DeviceIsJoined User has logged on with Microsoft Entra credentials: AADPrt Windows Hello for Business polic...

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

Message Device is AAD joined ( AADJ or DJ++ ): DeviceIsJoined User has logged on with AAD credentials: AADPrt Windows Hello for Business policy is enabled: NgcPolicyEnabled Windows Hello for Business post-logon provisioning is enabled: NgcPostLogonProvisioningEnabled Local computer meets Windows hello for business hardware requirements: NgcHardwarePolicyMet User is not connected to the machine via Remote Desktop: UserIsRemote User certificate for on premise auth policy is enabled: LogonCertRequired Machine is governed by MachinePolicySource policy. Cloud trust for on premise auth policy is enabled: UseCloudTrust User account has Cloud TGT: CloudTgt See https://go.microsoft.com/fwlink/?linkid=832647 for more details.

Message #

%1 
Device is Microsoft Entra joined (or hybrid joined): %2 
User has logged on with Microsoft Entra credentials: %3 
Windows Hello for Business policy is enabled: %4 
Windows Hello for Business post-logon provisioning is enabled: %5 
Local computer meets Windows hello for business hardware requirements: %6 
User is not connected to the machine via Remote Desktop: %7 
User certificate for on premise auth policy is enabled: %8 
Machine is governed by %9 policy. 
Cloud trust for on premise auth policy is enabled: %10 
User account has Cloud to OnPrem TGT: %11 
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.

Fields #

Name	Description
`Message` UnicodeString
`DeviceIsJoined` UnicodeString
`AADPrt` UnicodeString
`NgcPolicyEnabled` UnicodeString
`NgcPostLogonProvisioningEnabled` UnicodeString
`NgcHardwarePolicyMet` UnicodeString
`UserIsRemote` UnicodeString
`LogonCertRequired` UnicodeString
`MachinePolicySource` UnicodeString
`UseCloudTrust` UnicodeString
`CloudTgt` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "{23B8D46B-67DD-40A3-B636-D43E50552C6D}",
    "event_source_name": "",
    "event_id": 358,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-29T16:34:07.6228753+00:00",
    "event_record_id": 240,
    "correlation": {},
    "execution": {
      "process_id": 6328,
      "thread_id": 6432
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "Message": "Windows Hello for Business provisioning will be launched.",
    "DeviceIsJoined": "Not Tested",
    "AADPrt": "Not Tested",
    "NgcPolicyEnabled": "Not Tested",
    "NgcPostLogonProvisioningEnabled": "Not Tested",
    "NgcHardwarePolicyMet": "Not Tested",
    "UserIsRemote": "Yes",
    "LogonCertRequired": "Not Tested",
    "MachinePolicySource": "none",
    "UseCloudTrust": "Not Tested",
    "CloudTgt": "Not Tested"
  },
  "message": "Windows Hello for Business provisioning will be launched. \r\nDevice is AAD joined ( AADJ or DJ++ ): Not Tested \r\nUser has logged on with AAD credentials: Not Tested \r\nWindows Hello for Business policy is enabled: Not Tested \r\nWindows Hello for Business post-logon provisioning is enabled: Not Tested \r\nLocal computer meets Windows hello for business hardware requirements: Not Tested \r\nUser is not connected to the machine via Remote Desktop: Yes \r\nUser certificate for on premise auth policy is enabled: Not Tested \r\nMachine is governed by none policy. \r\nCloud trust for on premise auth policy is enabled: Not Tested \r\nUser account has Cloud TGT: Not Tested \r\nSee https://go.microsoft.com/fwlink/?linkid=832647 for more details."
}

Event ID 359: Windows Hello for Business provisioning has encountered an error during policy evaluation.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Error

Description

Windows Hello for Business provisioning has encountered an error during policy evaluation.

Message #

Windows Hello for Business provisioning has encountered an error during policy evaluation. 
ExitCode: %1 
Method: %2 
See https://go.microsoft.com/fwlink/?linkid=832647 for more details

Fields #

Name	Description
`ExitCode` Int32
`Method` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "{23B8D46B-67DD-40A3-B636-D43E50552C6D}",
    "event_source_name": "",
    "event_id": 359,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-29T16:34:07.1985476+00:00",
    "event_record_id": 239,
    "correlation": {},
    "execution": {
      "process_id": 6328,
      "thread_id": 6432
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "ExitCode": "-805175273",
    "Method": "LsaGetSSOAccountType"
  },
  "message": "Windows Hello for Business provisioning has encountered an error during policy evaluation. \r\nExitCode: The RPC server is unavailable. \r\nMethod: LsaGetSSOAccountType \r\nSee https://go.microsoft.com/fwlink/?linkid=832647 for more details"
}

Event ID 360: Message Device is Microsoft Entra joined (or hybrid joined): DeviceIsJoined User has logged on with Microsoft Entra credentials: AADPrt Windows Hello for Business polic...

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Warning

Description

Message #

%1 
Device is Microsoft Entra joined (or hybrid joined): %2 
User has logged on with Microsoft Entra credentials: %3 
Windows Hello for Business policy is enabled: %4 
Windows Hello for Business post-logon provisioning is enabled: %5 
Local computer meets Windows hello for business hardware requirements: %6 
User is not connected to the machine via Remote Desktop: %7 
User certificate for on premise auth policy is enabled: %8 
Machine is governed by %9 policy. 
Cloud trust for on premise auth policy is enabled: %10 
User account has Cloud to OnPrem TGT: %11 
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.

Fields #

Name	Description
`Message` UnicodeString
`DeviceIsJoined` UnicodeString
`AADPrt` UnicodeString
`NgcPolicyEnabled` UnicodeString
`NgcPostLogonProvisioningEnabled` UnicodeString
`NgcHardwarePolicyMet` UnicodeString
`UserIsRemote` UnicodeString
`LogonCertRequired` UnicodeString
`MachinePolicySource` UnicodeString
`UseCloudTrust` UnicodeString
`CloudTgt` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "23B8D46B-67DD-40A3-B636-D43E50552C6D",
    "event_source_name": "",
    "event_id": 360,
    "version": 0,
    "level": 3,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-05T23:54:10.290552+00:00",
    "event_record_id": 11,
    "correlation": {},
    "execution": {
      "process_id": 10860,
      "thread_id": 5432
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-21-1992711665-1655669231-58201500-1000"
    }
  },
  "event_data": {
    "Message": "Windows Hello for Business provisioning will not be launched.",
    "DeviceIsJoined": "Not Tested",
    "AADPrt": "No",
    "NgcPolicyEnabled": "Not Tested",
    "NgcPostLogonProvisioningEnabled": "Not Tested",
    "NgcHardwarePolicyMet": "Not Tested",
    "UserIsRemote": "Yes",
    "LogonCertRequired": "Not Tested",
    "MachinePolicySource": "none",
    "UseCloudTrust": "Not Tested",
    "CloudTgt": "Not Tested"
  },
  "message": ""
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 361: Message Device is Microsoft Entra joined (or hybrid joined): DeviceIsJoined User has logged on with Microsoft Entra credentials: AADPrt Windows Hello for Business polic...

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Message Device is AAD joined ( AADJ or DJ++ ): DeviceIsJoined User has logged on with AAD credentials: AADPrt Windows Hello for Business policy is enabled: NgcPolicyEnabled Windows Hello for Business post-logon provisioning is enabled: NgcPostLogonProvisioningEnabled Local computer meets Windows hello for business hardware requirements: NgcHardwarePolicyMet User is not connected to the machine via Remote Desktop: UserIsRemote User certificate for on premise auth policy is enabled: LogonCertRequired MDM user certificate enrollment is ready: MDMCertEnrollmentReady Certificate enrollment method: MachinePolicySource See https://go.microsoft.com/fwlink/?linkid=832647 for more details

Message #

%1 
Device is Microsoft Entra joined (or hybrid joined): %2 
User has logged on with Microsoft Entra credentials: %3 
Windows Hello for Business policy is enabled: %4 
Windows Hello for Business post-logon provisioning is enabled: %5 
Local computer meets Windows hello for business hardware requirements: %6 
User is not connected to the machine via Remote Desktop: %7 
User certificate for on premise auth policy is enabled: %8 
MDM user certificate enrollment is ready: %9 
Certificate enrollment method: %10 
See https://go.microsoft.com/fwlink/?linkid=832647 for more details

Fields #

Name	Description
`Message` UnicodeString
`DeviceIsJoined` UnicodeString
`AADPrt` UnicodeString
`NgcPolicyEnabled` UnicodeString
`NgcPostLogonProvisioningEnabled` UnicodeString
`NgcHardwarePolicyMet` UnicodeString
`UserIsRemote` UnicodeString
`LogonCertRequired` UnicodeString
`MDMCertEnrollmentReady` UnicodeString
`MachinePolicySource` UnicodeString

Event ID 362: Message Device is Microsoft Entra joined (or hybrid joined): DeviceIsJoined User has logged on with Microsoft Entra credentials: AADPrt Windows Hello for Business polic...

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Message Device is AAD joined ( AADJ or DJ++ ): DeviceIsJoined User has logged on with AAD credentials: AADPrt Windows Hello for Business policy is enabled: NgcPolicyEnabled Windows Hello for Business post-logon provisioning is enabled: NgcPostLogonProvisioningEnabled Local computer meets Windows hello for business hardware requirements: NgcHardwarePolicyMet User is not connected to the machine via Remote Desktop: UserIsRemote User certificate for on premise auth policy is enabled: LogonCertRequired Enterprise user logon certificate enrollment endpoint is ready: ADFSRaReady Enterprise user logon certificate template is : RATemplateReady User has successfully authenticated to the enterprise STS: ADFSPrtPresent Certificate enrollment method: MachinePolicySource See https://go.microsoft.com/fwlink/?linkid=832647 for more details.

Message #

%1 
Device is Microsoft Entra joined (or hybrid joined): %2 
User has logged on with Microsoft Entra credentials: %3 
Windows Hello for Business policy is enabled: %4 
Windows Hello for Business post-logon provisioning is enabled: %5 
Local computer meets Windows hello for business hardware requirements: %6 
User is not connected to the machine via Remote Desktop: %7 
User certificate for on premise auth policy is enabled: %8 
Enterprise user logon certificate enrollment endpoint is ready: %9 
Enterprise user logon certificate template is : %10 
User has successfully authenticated to the enterprise STS: %11 
Certificate enrollment method: %12 
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.

Fields #

Name	Description
`Message` UnicodeString
`DeviceIsJoined` UnicodeString
`AADPrt` UnicodeString
`NgcPolicyEnabled` UnicodeString
`NgcPostLogonProvisioningEnabled` UnicodeString
`NgcHardwarePolicyMet` UnicodeString
`UserIsRemote` UnicodeString
`LogonCertRequired` UnicodeString
`ADFSRaReady` UnicodeString
`RATemplateReady` UnicodeString
`ADFSPrtPresent` UnicodeString
`MachinePolicySource` UnicodeString

Event ID 363: The Microsoft Passport key is missing.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The Microsoft Passport key is missing.

Message #

The Microsoft Passport key is missing. 
Key ID: %1 
Attestation level: %2 
AIK status: %3 
Key type: %4 
Key name: %5 
IDP domain: %6 
Tenant ID: %7 
User email: %8

Fields #

Name	Description
`KeyId` GUID
`AttLevel` UInt64
`AikStatus` UInt64
`KeyType` UInt64	Known values `%%2499` Machine key `%%2500` User key
`KeyName` UnicodeString
`IdpDomain` UnicodeString
`TenantId` UnicodeString
`UserEmail` UnicodeString

Event ID 364: The saved Microsoft Passport information does not match the key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The saved Microsoft Passport information does not match the key.

Message #

The saved Microsoft Passport information does not match the key. 
Saved information: 
  Key ID: %1 
  Key name: %2 
  IDP domain: %3 
  Tenant ID: %4 
  User email: %5 
The Microsoft Passport key: 
  Key name: %6 
  IDP domain: %7 
  Tenant ID: %8 
  User email: %9

Fields #

Name	Description
`SavedKeyId` GUID
`SavedKeyName` UnicodeString
`SavedIdpDomain` UnicodeString
`SavedTenantId` UnicodeString
`SavedUserEmail` UnicodeString
`KeyName` UnicodeString
`IdpDomain` UnicodeString
`TenantId` UnicodeString
`UserEmail` UnicodeString

Event ID 365: Unable to enroll for a logon certificate using a Registration Authority.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to enroll for a logon certificate using a Registration Authority. Automatic certificate enrollment will retry at regular intervals.

Message #

Unable to enroll for a logon certificate using a Registration Authority. Automatic certificate enrollment will retry at regular intervals. 
UPN: %1 
TenantId: %2 
ExitCode: %3

Fields #

Name	Description
`UPN` UnicodeString
`TenantId` UnicodeString
`ExitCode` Int32

Event ID 366: Unable to enroll for a logon certificate using a Registration Authority.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to enroll for a logon certificate using a Registration Authority.

Message #

Unable to enroll for a logon certificate using a Registration Authority. 
Resource: %1 
ExitCode: %2

Fields #

Name	Description
`Resource` UnicodeString
`ExitCode` Int32

Event ID 367: Added following properties to the Web Account Manager access token request.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Added following properties to the Web Account Manager access token request.

Message #

Added following properties to the Web Account Manager access token request. 
Properties: 
%1

Fields #

Name	Description
`Properties` UnicodeString

Event ID 368: The following token properties were recieved from the Web Account Manager.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The following token properties were recieved from the Web Account Manager.

Message #

The following token properties were recieved from the Web Account Manager: 
Properties: %1

Fields #

Name	Description
`Properties` UnicodeString

Event ID 369: The Workstation Service logged a device registration message.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

The Workstation Service logged a device registration message.

Message #

The Workstation Service logged a device registration message. 
Message: %1

Fields #

Name	Description
`Message` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "{23B8D46B-67DD-40A3-B636-D43E50552C6D}",
    "event_source_name": "",
    "event_id": 369,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-29T16:32:57.5044901+00:00",
    "event_record_id": 236,
    "correlation": {},
    "execution": {
      "process_id": 2812,
      "thread_id": 3116
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "Message": "AutoJoinSvc/WJSetScheduledTaskState: Running task \"\\Microsoft\\Windows\\Workplace Join\\Automatic-Device-Join\"."
  },
  "message": "The Workstation Service logged a device registration message. \r\nMessage: AutoJoinSvc/WJSetScheduledTaskState: Running task \"\\Microsoft\\Windows\\Workplace Join\\Automatic-Device-Join\". "
}

Event ID 370: The automatic device registration task failed to unregister device.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The automatic device registration task failed to unregister device.

Message #

The automatic device registration task failed to unregister device. 
Exit code: %1 
Server error: %2 
Tenant type: %3 
Registration type: %4 
Debug Output: 
%5

Fields #

Name	Description
`ExitCode` Int32
`ServerErrorMessage` UnicodeString
`TenantType` UnicodeString
`JoinType` UnicodeString
`DebugOutput` UnicodeString

Event ID 371: The automatic device registration task successfully unregistered device.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The automatic device registration task successfully unregistered device.

Message #

The automatic device registration task successfully unregistered device.

Event ID 372: The FIDO credential was successfully registered with Azure AD.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The FIDO credential was successfully registered with Microsoft Entra.

Message #

The FIDO credential was successfully registered with Microsoft Entra. 
Credential ID: %1 
UPN: %2 
Request ID: %3 
Time: %4 
Server response: %5

Fields #

Name	Description
`KeyId` UnicodeString
`UPN` UnicodeString
`RequestId` UnicodeString
`Time` UnicodeString
`ServerResponse` UnicodeString

Event ID 373: FIDO credential registration failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

FIDO credential registration failed.

Message #

FIDO credential registration failed. 
Exit code: %1 
Request ID: %2 
Time: %3 
HTTP status: %4 
Error code: %5 
Error subcode: %6 
Server error message: %7 
Server response: %8

Fields #

Name	Description
`ExitCode` Int32
`RequestId` UnicodeString
`Time` UnicodeString
`HttpStatus` UInt32
`ErrorCode` UnicodeString
`ErrorSubCode` UnicodeString
`ServerErrorMessage` UnicodeString
`ServerResponse` UnicodeString

Event ID 374: The FIDO credential registration request was successfully sent.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The FIDO credential registration request was successfully sent.

Message #

The FIDO credential registration request was successfully sent. 
RPID: %1 
UPN: %2 
Credential display name: %3 
User display name: %4 
User image URL: %5 
Key algorithm: %6 
Auth token: %7 
Request ID: %8 
Flags: %9

Fields #

Name	Description
`RPID` UnicodeString
`UPN` UnicodeString
`KeyDisplayName` UnicodeString
`UserDisplayName` UnicodeString
`UserImageUrl` UnicodeString
`KeyAlgorithm` UnicodeString
`AuthToken` UnicodeString
`RequestId` UnicodeString
`Flags` UInt32

Event ID 375: The FIDO credential registration initialization operation failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The FIDO credential registration initialization operation failed.

Message #

The FIDO credential registration initialization operation failed. 
Exit code: %1 
RPID: %2 
UPN: %3 
Credential display name: %4 
User display name: %5 
User image URL: %6 
Key algorithm: %7 
Auth token: %8 
Request ID: %9 
Flags: %10

Fields #

Name	Description
`ExitCode` Int32
`RPID` UnicodeString
`UPN` UnicodeString
`KeyDisplayName` UnicodeString
`UserDisplayName` UnicodeString
`UserImageUrl` UnicodeString
`KeyAlgorithm` UnicodeString
`AuthToken` UnicodeString
`RequestId` UnicodeString
`Flags` UInt32

Event ID 376: The FIDO credential was successfully created.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The FIDO credential was successfully created.

Message #

The FIDO credential was successfully created. 
UPN: %1 
Credential display name: %2 
User display name: %3 
User image URL: %4 
Key algorithm: %5 
Auth token: %6 
Request ID: %7 
Flags: %8

Fields #

Name	Description
`UPN` UnicodeString
`KeyDisplayName` UnicodeString
`UserDisplayName` UnicodeString
`UserImageUrl` UnicodeString
`KeyAlgorithm` UnicodeString
`AuthToken` UnicodeString
`RequestId` UnicodeString
`Flags` UInt32
`PinStatus` UInt32
`PinRetries` UInt32

Event ID 377: Unable to create FIDO credential.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to create FIDO credential.

Message #

Unable to create FIDO credential. 
Exit code: %1 
UPN: %2 
Credential display name: %3 
User display name: %4 
User image URL: %5 
Key algorithm: %6 
Auth token: %7 
Request ID: %8 
Flags: %9

Fields #

Name	Description
`ExitCode` Int32
`UPN` UnicodeString
`KeyDisplayName` UnicodeString
`UserDisplayName` UnicodeString
`UserImageUrl` UnicodeString
`KeyAlgorithm` UnicodeString
`AuthToken` UnicodeString
`RequestId` UnicodeString
`Flags` UInt32
`PinStatus` UInt32
`PinRetries` UInt32

Event ID 378: The FIDO credentials were successfully deleted from Azure AD.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The FIDO credentials were successfully deleted from Microsoft Entra.

Message #

The FIDO credentials were successfully deleted from Microsoft Entra. 
Number of credentials: %1 
UPN: %3 
Request ID: %4 
Time: %5 
Server response: %6

Fields #

Name	Description
`NumOfKeyIds` UInt32
`KeyId` UnicodeString
`UPN` UnicodeString
`RequestId` UnicodeString
`Time` UnicodeString
`ServerResponse` UnicodeString

Event ID 379: FIDO credential deletion failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

FIDO credential deletion failed.

Message #

FIDO credential deletion failed. 
Exit code: %1 
Request ID: %2 
Time: %3 
HTTP status: %4 
Error code: %5 
Error subcode: %6 
Server error message: %7 
Server response: %8

Fields #

Name	Description
`ExitCode` Int32
`RequestId` UnicodeString
`Time` UnicodeString
`HttpStatus` UInt32
`ErrorCode` UnicodeString
`ErrorSubCode` UnicodeString
`ServerErrorMessage` UnicodeString
`ServerResponse` UnicodeString

Event ID 380: The FIDO credential deletion request was successfully sent.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The FIDO credential deletion request was successfully sent.

Message #

The FIDO credential deletion request was successfully sent. 
UPN: %1 
Credential ID: %2 
Auth token: %3 
Request ID: %4

Fields #

Name	Description
`UPN` UnicodeString
`KeyId` UnicodeString
`AuthToken` UnicodeString
`RequestId` UnicodeString

Event ID 381: The FIDO credential deletion initialization operation failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The FIDO credential deletion initialization operation failed.

Message #

The FIDO credential deletion initialization operation failed. 
Exit code: %1 
UPN: %2 
Credential ID: %3 
Auth token: %4 
Request ID: %5

Fields #

Name	Description
`ExitCode` Int32
`UPN` UnicodeString
`KeyId` UnicodeString
`AuthToken` UnicodeString
`RequestId` UnicodeString

Event ID 382: Unable to parse the FIDO registration server response.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to parse the FIDO registration server response.

Message #

Unable to parse the FIDO registration server response. 
HTTP status: %1 
Server response body: %2 
Error: %3

Fields #

Name	Description
`HttpStatus` UInt32
`ResponseBody` UnicodeString
`ErrorCode` Int32

Event ID 383: The PIN has been successfully recovered.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The PIN has been successfully recovered.

Message #

The PIN has been successfully recovered.

Fields #

Name	Description
`hWnd` Pointer

Event ID 384: The PIN recover operation failed with exit code: ExitCode.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The PIN recover operation failed with exit code: ExitCode.

Message #

The PIN recover operation failed with exit code: %1.

Fields #

Name	Description
`ExitCode` Int32
`hWnd` Pointer

Event ID 385: Unable to get attestation statement for Microsoft Passport key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to get attestation statement for Microsoft Passport key. Key name: KeyName, KeyStatus: KeyStatus (KeyStatusSymbolicName), Error: ErrorCode.

Message #

Unable to get attestation statement for Microsoft Passport key. Key name: %1,  KeyStatus: %2 (%3), Error: %4.

Fields #

Name	Description
`KeyName` UnicodeString
`KeyStatus` Int32
`KeyStatusSymbolicName` UnicodeString
`ErrorCode` Int32

Event ID 386: Successfully got attestation statement for Microsoft Passport key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Successfully got attestation statement for Microsoft Passport key. Key name: KeyName, KeyStatus: KeyStatus (KeyStatusSymbolicName).

Message #

Successfully got attestation statement for Microsoft Passport key. Key name: %1, KeyStatus: %2 (%3).

Fields #

Name	Description
`KeyName` UnicodeString
`KeyStatus` Int32
`KeyStatusSymbolicName` UnicodeString

Event ID 387: Unable to reset registry recovery flags.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to reset registry recovery flags. Error: ExitCode.

Message #

Unable to reset registry recovery flags. Error: %1

Fields #

Name	Description
`ExitCode` Int32

Event ID 388: Recovery API APIName called.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Recovery API APIName called. Error: ExitCode.

Message #

Recovery API %1 called. Error: %2

Fields #

Name	Description
`APIName` UnicodeString
`ExitCode` Int32

Event ID 389: Automatic Azure SecureVM Join Succeeded.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Automatic Microsoft Entra SecureVM Join Succeeded.

Message #

Automatic Microsoft Entra SecureVM Join Succeeded.

Event ID 390: Resource account certificate does not match device ceritificate.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Resource account certificate does not match device ceritificate.

Message #

Resource account certificate does not match device ceritificate. 
Mismatch in: %1 
Resource account certificate's value: %2 
Device certificate's value: %3 
Request ID: %4 
Server time: %5

Fields #

Name	Description
`IdType` UnicodeString
`RACertificateId` UnicodeString
`DeviceCeritifcateId` UnicodeString
`ServerRequestId` UnicodeString
`ServerTime` UnicodeString

Event ID 391: Unable to get the NGC user ID key container state.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to get the NGC user ID key container state.

Message #

Unable to get the NGC user ID key container state. 
SID: %1 
Key name: %2 
Error: %3

Fields #

Name	Description
`UserSid` UnicodeString
`UserKeyName` UnicodeString
`ErrorCode` Int32

Event ID 392: The NGC user ID key container is in a bad state.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The NGC user ID key container is in a bad state.

Message #

The NGC user ID key container is in a bad state. 
SID: %1 
Key name: %2 
Container status: %3

Fields #

Name	Description
`UserSid` UnicodeString
`UserKeyName` UnicodeString
`ContainerStatus` UInt32

Event ID 393: NGC logon certificate could not be renewed due to device ID flip.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

NGC logon certificate could not be renewed due to device ID flip.

Message #

NGC logon certificate could not be renewed due to device ID flip.

Event ID 394: Unable to set registry value for device ID flip.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to set registry value for device ID flip.

Message #

Unable to set registry value for device ID flip. 
Exit code: %1

Fields #

Name	Description
`ExitCode` Int32

Event ID 395: Unable to unset registry value for device ID flip.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unable to unset registry value for device ID flip.

Message #

Unable to unset registry value for device ID flip. 
Exit code: %1

Fields #

Name	Description
`ExitCode` Int32

Event ID 396: Key policy in registry is set to unsupported value PolicyValue.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Key policy in registry is set to unsupported value PolicyValue. Default key policy will be used.

Message #

Key policy in registry is set to unsupported value %1. Default key policy will be used.

Fields #

Name	Description
`PolicyValue` Int32

Event ID 397: MDM enrollment for Azure SecureVM succeeded.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

MDM enrollment for Microsoft Entra SecureVM succeeded.

Message #

MDM enrollment for Microsoft Entra SecureVM succeeded. 
MDM Enrollment URL: %1

Fields #

Name	Description
`URL` UnicodeString

Event ID 398: MDM enrollment for Azure SecureVM failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

MDM enrollment for Microsoft Entra SecureVM failed. The device will be unjoined from Microsoft Entra.

Message #

MDM enrollment for Microsoft Entra SecureVM failed. The device will be unjoined from Microsoft Entra. 
MDM Enrollment URL: %1

Fields #

Name	Description
`URL` UnicodeString

Event ID 399: Attempt to discover enrollment URL for MDM auto-enrollment failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Attempt to discover enrollment URL for MDM auto-enrollment failed. AAD logs may contains additional details about the failure. Another attempt to discover MDM enrollment URL will be made later.

Message #

Attempt to discover enrollment URL for MDM auto-enrollment failed. AAD logs may contains additional details about the failure. Another attempt to discover MDM enrollment URL will be made later. 
CorrelationId: %1 
Additional information: %2

Fields #

Name	Description
`CorrelationId` UnicodeString
`AdditionalDetails` UnicodeString

Event ID 400: All attempts to discover enrollment URL for MDM auto-enrollment failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

All attempts to discover enrollment URL for MDM auto-enrollment failed.

Message #

All attempts to discover enrollment URL for MDM auto-enrollment failed.

Event ID 401: No MDM enrollment URL was discoverered for MDM auto-enrollment.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

No MDM enrollment URL was discoverered for MDM auto-enrollment. Verify MDM auto-enrollment configuration in the AAD tenant is correct and the specified MDM application ID is successfully resolved by AAD server. CorrelationId: CorrelationId MDM application ID: MDMAppID

Message #

No MDM enrollment URL was discoverered for MDM auto-enrollment. Verify MDM auto-enrollment configuration in the Microsoft Entra tenant is correct and the specified MDM application ID is successfully resolved by Microsoft Entra server. 
CorrelationId: %1 
MDM application ID: %2

Fields #

Name	Description
`CorrelationId` UnicodeString
`MDMAppID` UnicodeString

Event ID 402: Attempt to discover enrollment URL for MDM auto-enrollment failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Attempt to discover enrollment URL for MDM auto-enrollment failed. AAD logs may contains additional details about the failure.

Message #

Attempt to discover enrollment URL for MDM auto-enrollment failed. AAD logs may contains additional details about the failure. 
Error: %1 
CorrelationId: %2 
Additional information: %3

Fields #

Name	Description
`ErrorCode` Int32
`CorrelationId` UnicodeString
`AdditionalDetails` UnicodeString

Event ID 403: Attempt to get token for MDM auto-enrollment failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Attempt to get token for MDM auto-enrollment failed. AAD logs may contains additional details about the failure. Another attempt to get token for MDM auto-enrollment will be made later.

Message #

Attempt to get token for MDM auto-enrollment failed. AAD logs may contains additional details about the failure. Another attempt to get token for MDM auto-enrollment will be made later. 
CorrelationId: %1 
Additional information: %2

Fields #

Name	Description
`CorrelationId` UnicodeString
`AdditionalDetails` UnicodeString

Event ID 404: All attempts to get WAM token for MDM auto-enrollment failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

All attempts to get WAM token for MDM auto-enrollment failed.

Message #

All attempts to get WAM token for MDM auto-enrollment failed.

Event ID 405: Requsting token for MDM auto-enrollment failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Requsting token for MDM auto-enrollment failed. AAD logs may contains additional details about the failure.

Message #

Requsting token for MDM auto-enrollment failed. AAD logs may contains additional details about the failure. 
Error: %1 
CorrelationId: %2 
Additional information: %3

Fields #

Name	Description
`ErrorCode` Int32
`CorrelationId` UnicodeString
`AdditionalDetails` UnicodeString

Event ID 406: Unenrolling from MDM failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unenrolling from MDM failed. MDM logs may contains additional details about the failure.

Message #

Unenrolling from MDM failed. MDM logs may contains additional details about the failure. 
Error: %1 
MDM enrollment ID: %2

Fields #

Name	Description
`ExitCode` Int32
`EnrollmentId` UnicodeString

Event ID 407: Successfully unenrolled from MDM.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Successfully unenrolled from MDM.

Message #

Successfully unenrolled from MDM. 
MDM enrollment ID: %1

Fields #

Name	Description
`EnrollmentId` UnicodeString

Event ID 408: Failed to import NGC proof-of-possession key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to import NGC proof-of-possession key. Falling back to software.

Message #

Failed to import NGC proof-of-possession key. Falling back to software.

Event ID 409: Failed to get NGC transport key name.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to get NGC transport key name . Falling back to software.

Message #

Failed to get NGC transport key name . Falling back to software.

Event ID 410: Failed to get NGC transport key.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to get NGC transport key. Falling back to software.

Message #

Failed to get NGC transport key. Falling back to software.

Event ID 411: The parameter is invalid.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

The parameter is invalid. Function: FunctionName; Parameter: ParameterName.

Message #

The parameter is invalid. Function: %1; Parameter: %2.

Fields #

Name	Description
`FunctionName` UnicodeString
`ParameterName` UnicodeString
`ParameterValueLength` UInt32
`ParameterValue` Binary

Event ID 412: Unsupported public key structure format encountered.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Unsupported public key structure format encountered.

Message #

Unsupported public key structure format encountered. 
Functon: %1 
Magic value: %2

Fields #

Name	Description
`FunctionName` UnicodeString
`MagicValue` UInt32

Event ID 413: Token binding AIK creation failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Token binding AIK creation failed.

Message #

Token binding AIK creation failed. 
Key type: %1 
IDP domain: %2 
Tenant-based ID: %3 
User SID: %4 
Error: %5

Fields #

Name	Description
`KeyType` Int32	Known values `%%2499` Machine key `%%2500` User key
`IdpDomain` UnicodeString
`TenantDomain` UnicodeString
`UserSid` UnicodeString
`ErrorCode` Int32

Event ID 414: Token binding AIK deletion failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Token binding AIK deletion failed.

Message #

Token binding AIK deletion failed. 
Key type: %1 
IDP domain: %2 
Tenant-based ID: %3 
User SID: %4 
Error: %5

Fields #

Name	Description
`KeyType` Int32	Known values `%%2499` Machine key `%%2500` User key
`IdpDomain` UnicodeString
`TenantDomain` UnicodeString
`UserSid` UnicodeString
`ErrorCode` Int32

Event ID 415: Token binding AIK was successfully created.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Token binding AIK was successfully created.

Message #

Token binding AIK was successfully created. 
Key type: %1 
IDP domain: %2 
Tenant-based ID: %3 
User SID: %4

Fields #

Name	Description
`KeyType` Int32	Known values `%%2499` Machine key `%%2500` User key
`IdpDomain` UnicodeString
`TenantDomain` UnicodeString
`UserSid` UnicodeString

Event ID 416: Token binding AIK was successfully deleted.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Token binding AIK was successfully deleted.

Message #

Token binding AIK was successfully deleted. 
Key type: %1 
IDP domain: %2 
Tenant-based ID: %3 
User SID: %4

Fields #

Name	Description
`KeyType` Int32	Known values `%%2499` Machine key `%%2500` User key
`IdpDomain` UnicodeString
`TenantDomain` UnicodeString
`UserSid` UnicodeString

Event ID 417: Failed to get token binding AIK name.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Failed to get token binding AIK name.

Message #

Failed to get token binding AIK name. 
Key type: %1 
IDP domain: %2 
Tenant-based ID: %3 
User SID: %4 
Error: %5

Fields #

Name	Description
`KeyType` Int32	Known values `%%2499` Machine key `%%2500` User key
`IdpDomain` UnicodeString
`TenantDomain` UnicodeString
`UserSid` UnicodeString
`ErrorCode` Int32

Event ID 418: Hardware policy in registry is set to unsupported value PolicyValue.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Hardware policy in registry is set to unsupported value PolicyValue. Default hardware policy will be used.

Message #

Hardware policy in registry is set to unsupported value %1. Default hardware policy will be used.

Fields #

Name	Description
`PolicyValue` Int32

Event ID 419: NGC transport key creation with key type KeyType failed.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

NGC transport key creation with key type KeyType failed. Falling back to a different key type.

Message #

NGC transport key creation with key type %5 failed. Falling back to a different key type. 
User SID: %1 
IDP domain: %2 
Tenant domain: %3 
User ID: %4 
Flags: %6 
Error: %7

Fields #

Name	Description
`UserSid` UnicodeString
`IdpDomain` UnicodeString
`TenantDomain` UnicodeString
`UserId` UnicodeString
`KeyType` Int32	Known values `%%2499` Machine key `%%2500` User key
`Flags` UInt32
`ErrorCode` Int32

Event ID 420: Automatic registration failed at authentication phase.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Description

Automatic registration failed at authentication phase. Unable to acquire Kerberos ticket.

Message #

Automatic registration failed at authentication phase. Unable to acquire Kerberos ticket. 
Exit code: %1 
Kerberos endpoint: %2 
SPN: %3

Fields #

Name	Description
`ExitCode` Int32
`Endpoint` UnicodeString
`SPN` UnicodeString

Event ID 421

Provider: Microsoft-Windows-User Device Registration
Channel: Admin

Fields #

Name	Description
`ErrorCode` Int32

Event ID 421

Provider: Microsoft-Windows-User Device Registration
Channel: Operational

Fields #

Name	Description
`ErrorCode` Int32

Event ID 500: Message.

Provider: Microsoft-Windows-User Device Registration
Channel: Debug

Description

Message

Message #

%1

Fields #

Name	Description
`Message` UnicodeString

Event ID 501: Message.

Provider: Microsoft-Windows-User Device Registration
Channel: Debug

Description

Message

Message #

%1

Fields #

Name	Description
`Message` UnicodeString

Event ID 502: Message.

Provider: Microsoft-Windows-User Device Registration
Channel: Debug

Description

Message

Message #

%1

Fields #

Name	Description
`Message` UnicodeString

Event ID 503: Message.

Provider: Microsoft-Windows-User Device Registration
Channel: Debug

Description

Message

Message #

%1

Fields #

Name	Description
`Message` UnicodeString

Event ID 504: Message.

Provider: Microsoft-Windows-User Device Registration
Channel: Debug

Description

Message

Message #

%1

Fields #

Name	Description
`Message` UnicodeString

Event ID 4096: The automatic device registration task will be triggered.

Provider: Microsoft-Windows-User Device Registration
Channel: Admin
Level: Informational

Description

The automatic device registration task will be triggered.

Message #

The automatic device registration task will be triggered.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-User Device Registration",
    "guid": "{23B8D46B-67DD-40A3-B636-D43E50552C6D}",
    "event_source_name": "",
    "event_id": 4096,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-05-30T00:08:18.4671518+00:00",
    "event_record_id": 244,
    "correlation": {},
    "execution": {
      "process_id": 2812,
      "thread_id": 3164
    },
    "channel": "Microsoft-Windows-User Device Registration/Admin",
    "computer": "telemetry-DC-a.cell-a.ludus.domain",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {},
  "message": "The automatic device registration task will be triggered."
}

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 23b8d46b-67dd-40a3-b636-d43e50552c6d

Defined in dsreg.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.2849, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.3915, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)