Elastic Windows Event Explorer


Publisher - Microsoft-Windows-User Device Registration

Event ID 358

Message:

%{Message} 
Device is AAD joined ( AADJ or DJ++ ): %{DeviceIsJoined} 
User has logged on with AAD credentials: %{AADPrt} 
Windows Hello for Business policy is enabled: %{NgcPolicyEnabled} 
Windows Hello for Business post-logon provisioning is enabled: %{NgcPostLogonProvisioningEnabled} 
Local computer meets Windows hello for business hardware requirements: %{NgcHardwarePolicyMet} 
User is not connected to the machine via Remote Desktop: %{UserIsRemote} 
User certificate for on premise auth policy is enabled: %{LogonCertRequired} 
Machine is governed by %{MachinePolicySource} policy. 
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.

Event Data:

#  Name                              In Type            Out Type
1  Message                           win:UnicodeString  xs:string
2  DeviceIsJoined                    win:UnicodeString  xs:string
3  AADPrt                            win:UnicodeString  xs:string
4  NgcPolicyEnabled                  win:UnicodeString  xs:string
5  NgcPostLogonProvisioningEnabled   win:UnicodeString  xs:string
6  NgcHardwarePolicyMet              win:UnicodeString  xs:string
7  UserIsRemote                      win:UnicodeString  xs:string
8  LogonCertRequired                 win:UnicodeString  xs:string
9  MachinePolicySource               win:UnicodeString  xs:string

Observed Windows Versions:

Version: 0

Fingerprint: EB33QFU4DNPO4