Audit PNP Activity

Applies to

  • Windows 10
  • Windows Server 2016

Audit PNP Activity determines when Plug and Play detects an external device.

A PnP audit event can be used to track down changes in system hardware and will be logged on the machine where the change took place. For example, when a keyboard is plugged into a computer, a PnP event is triggered.

Event volume: Varies, depending on how the computer is used. Typically Low.

Computer Type General Success General Failure Stronger Success Stronger Failure Comments
Domain Controller Yes No Yes No This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy.
You can track, for example, whether a USB flash drive or stick was attached to a domain controller, which is typically not allowed.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Member Server Yes No Yes No This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy.
You can track, for example, whether a USB flash drive or stick was attached to a critical server, which is typically not allowed.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.
Workstation Yes No Yes No This subcategory will help identify when and which Plug and Play device was attached, enabled, disabled or restricted by device installation policy.
You can track, for example, whether a USB flash drive or stick was attached to an administrative workstation or VIP workstation.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.

Events List:

  • 6416(S): A new external device was recognized by the System

  • 6419(S): A request was made to disable a device

  • 6420(S): A device was disabled.

  • 6421(S): A request was made to enable a device.

  • 6422(S): A device was enabled.

  • 6423(S): The installation of this device is forbidden by system policy.

  • 6424(S): The installation of this device was allowed, after having previously been forbidden by policy.