2017-04-19 14:12:47 -07:00


title: Audit PNP Activity (Windows 10)
description: This topic for the IT professional describes the advanced security audit policy setting, Audit PNP Activity, which determines when plug and play detects an external device.
ms.assetid: A3D87B3B-EBBE-442A-953B-9EB75A5F600E
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
author: Mir0sh

Audit PNP Activity

Applies to

  • Windows 10
  • Windows Server 2016

Audit PNP Activity determines when Plug and Play detects an external device.

A PnP audit event can be used to track down changes in system hardware and will be logged on the machine where the change took place. For example, when a keyboard is plugged into a computer, a PnP event is triggered.

Event volume: Varies, depending on how the computer is used. Typically Low.

| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|---|---|---|---|---|---|
| Domain Controller | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. You can track, for example, whether a USB flash drive or stick was attached to a domain controller, which is typically not allowed. This subcategory doesn't have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. You can track, for example, whether a USB flash drive or stick was attached to a critical server, which is typically not allowed. This subcategory doesn't have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | Yes | No | Yes | No | This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy. You can track, for example, whether a USB flash drive or stick was attached to an administrative workstation or VIP workstation. This subcategory doesn't have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |

Events List:

  • 6416(S): A new external device was recognized by the System.

  • 6419(S): A request was made to disable a device.

  • 6420(S): A device was disabled.

  • 6421(S): A request was made to enable a device.

  • 6422(S): A device was enabled.

  • 6423(S): The installation of this device is forbidden by system policy.

  • 6424(S): The installation of this device was allowed, after having previously been forbidden by policy.
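
The following triage sketch is an added example, not part of the original topic: it reads Security log records exported as event XML, keeps only the seven PnP events listed above, and raises the cases the recommendations table calls out (storage attached to a domain controller or critical server, and device installation policy events). The `ClassName`, `DeviceDescription` and `DeviceId` data field names, the storage class list and the host names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
PNP_EVENT_IDS = {6416, 6419, 6420, 6421, 6422, 6423, 6424}  # events listed on this page
# Assumption: setup-class names treated as removable storage in this example.
STORAGE_CLASSES = {"diskdrive", "wpd", "volume"}
# Assumption: hypothetical hosts where attached storage is not allowed.
RESTRICTED_HOSTS = {"dc01.corp.example", "sql01.corp.example"}

def parse_event(xml_text):
    """Return (event_id, computer, {Data Name: value}) for one event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    computer = root.findtext("e:System/e:Computer", default="", namespaces=NS)
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, computer.lower(), data

def triage(xml_records):
    """Classify PnP audit events; other Security events are skipped."""
    findings = []
    for record in xml_records:
        event_id, computer, data = parse_event(record)
        if event_id not in PNP_EVENT_IDS:
            continue
        device = data.get("DeviceDescription") or data.get("DeviceId", "unknown")
        cls = data.get("ClassName", "").lower()
        if event_id == 6416 and computer in RESTRICTED_HOSTS and cls in STORAGE_CLASSES:
            level = "high"      # storage attached where it is not allowed
        elif event_id in (6423, 6424):
            level = "medium"    # installation was forbidden, or later allowed
        else:
            level = "info"
        findings.append((level, computer, event_id, device))
    return findings

def sample_event(event_id, computer, **data):
    """Build a constructed event record in the Windows event XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<Computer>{computer}</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed sample records, not taken from a real log.
SAMPLE = [
    sample_event(6416, "DC01.corp.example", ClassName="DiskDrive", DeviceDescription="Example USB Device"),
    sample_event(6416, "WS17.corp.example", ClassName="Keyboard", DeviceDescription="HID Keyboard Device"),
    sample_event(6423, "SQL01.corp.example", ClassName="WPD", DeviceDescription="Example Phone"),
    sample_event(4624, "DC01.corp.example", TargetUserName="example"),
]
```

Calling `triage(SAMPLE)` returns one tuple per PnP event; real input would be the XML of each exported Security event in place of `SAMPLE`.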