TransWikia.com

Is this event a security concern: Windows 10: Event 360, User Device Registration?

Information Security Asked on December 4, 2021

My computer just froze, and I ended up having to reboot. It appears Windows Defender was coming up with a notification, but that froze as well. I was trying to see what went wrong in the event viewer, and noticed several application hangs (not really a security concern), and then this, in the Administrative Events: Warnings section, which is more of a concern to me:

Event 360, User Device Registration

Windows Hello for Business provisioning will not be launched.
Device is AAD joined ( AADJ or DJ++ ): Not Tested
User has logged on with AAD credentials: No
Windows Hello for Business policy is enabled: Not Tested
Local computer meets Windows hello for business hardware requirements: Not Tested
User is not connected to the machine via Remote Desktop: Yes
User certificate for on premise auth policy is enabled: Not Tested
Machine is governed by none policy.
See https://go.microsoft.com/fwlink/?linkid=832647 for more details.

I should not have any devices connected to my computer, it is a home computer. Google searching reveals that AAD is Azure Active Directory. Does this mean someone is connected to, or tried to connect to my computer? I ran an antivirus scan, and looked in the security event log, and both results were okay. Is this just a normal log entry, or indicating something possibly malicious (e.g. a person attempting to connect to my computer)? Is there anywhere else I should check / actions I should take?

Edit

I do connect to a wireless printer, so that might be a clue, not sure if this message is in reference to that. I did not try to print anything when the system froze.

Edit

I finally found after some more searching on revisiting this topic, that "Windows Hello" is likely associated with the finger print scanner. Odd this would have caused this event when I was already logged in though. I have seen other accounts of people running into this error, but not much explanation, and the nature of the event is still largely unclear to me (e.g. was the finger print scanner trying to register, or was it possibly a malicious user device trying to get into my computer, or something else?)

One Answer

I also try to get rid of this warning. I observed it from two types of environment: on Workgroup computers (typically at home) and with on-premise Active Directory joined computers (corporate network) on Windows 10 1607+. It doesn't seem to be linked to Windows Hello but rather to the Azure Active Directory (AAD) join and probe process. The event is logged when Windows starts, which is when it checks its domain relationship, so the same behavior occur with AAD.

As stated in this KB article about other events, I do think the event 360 can be ignored as it doesn't apply to your environment.

It's not a security concern to me, as long as there are not other events logged related to AAD. On a few machines, I found events reporting they were trying to register with AAD but failing (which make sense for on-premise AD joined boxes). In this case, the failing request probably contains personal data so here it could be a security concern at some point.

Even though it doesn't solve the problem, if you don't want to see this event anymore, you can disable the Microsoft-Windows-User Device Registration/Admin log.

Alternatively, there seem to be a scheduled task coming into place for this process, as described in this thread.

Answered by LoTus on December 4, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP