1 | User added to local admins group |
2 | User downgraded from administrator to user |
3 | Group removed from local adminstrators group |
5 | Audited administrator logged on |
6 | Unaudited administrator logged on |
8 | Support assist initiated |
10 | Password changed for local user |
11 | Local user disabled |
12 | Local user enabled |
13 | Local user created |
14 | Local user deleted |
20 | Policy registry key changed |
21 | Policy registry key added |
30 | Uninstall attempted |
31 | Uninstalled by PIN code |
32 | PIN code uninstall attempted unsuccessfully |
40 | Admin By Request Workstation installed |
41 | Admin By Request Workstation uninstalled |
42 | Admin By Request Server installed |
43 | Admin By Request Server uninstalled |
50 | Diagnostics submitted |
60 | User restored to local administrators group |
61 | Group restored to local administrators group |
70 | Break Glass Account created |
71 | Break Glass Account removed |
72 | Break Glass Account logged on |
73 | Clock tampering using Break Glass account |
74 | User tampered identity file |
80 | Azure Device Administrator restored |
81 | Azure Company Administrator restored |
90 | Admin Session denied by policy |
91 | Clock tampering during Admin Session |
92 | Execution of file blocked by policy |
93 | Execution of file blocked due to detected malware |
94 | Execution of file blocked due to suspected malware |
95 | Admin Session PIN code used |
97 | Application block PIN code used |
98 | Elevated application block PIN code used |
100 | Application block PIN 2 issued |
101 | Uninstall PIN issued |
102 | Break Glass Account issued |
103 | Admin Session PIN 2 issued |
110 | Local administrator account revoke issued |
111 | Local administrator group revoke issued |
112 | Local administrator account revoke cancelled |
113 | Local administrator group revoke cancelled |
114 | Local administrator account restore issued |
115 | Local administrator group restore issued |
116 | Local administrator account restore cancelled |
117 | Local administrator group restore cancelled |
120 | Device owner set |
121 | Device ownership released |
122 | Device owner set by administrator |
123 | Admin Session denied by lack of ownership |
124 | Execution of file blocked by lack of ownership |
130 | Admin Session denied by lack of Intune compliance |
131 | Execution of file blocked by lack of Intune compliance |
140 | Remote desktop account revoke issued |
141 | Remote desktop group revoke issued |
142 | Remote desktop account revoke cancelled |
143 | Remote desktop group revoke cancelled |
144 | Remote desktop account restore issued |
145 | Remote desktop group restore issued |
146 | Remote desktop account restore cancelled |
147 | Remote desktop group restore cancelled |
150 | User removed from remote desktop users |
151 | Group removed from remote desktop users |
152 | User restored to remote desktop users |
153 | Group restored to remote desktop users |
160 | Local administrator account addition issued |
161 | Local administrator group addition issued |
162 | Local administrator account addition cancelled |
163 | Local administrator group addition cancelled |
170 | Remote desktop account addition issued |
171 | Remote desktop group addition issued |
172 | Remote desktop account addition cancelled |
173 | Remote desktop group addition cancelled |
180 | Remote access account created |
181 | Remote access account removed |
182 | Remote access account logged on |