6420 A device was disabled

Logged when a device is disabled. Together with the request event 6419, it records the completion of a device disable.

Overview

The audit subcategory is Audit PNP Activity. The event is generated when a device is actually disabled.

How it is triggered

  • When a device-disable request 6419 is processed and the device becomes disabled.

Security review points

  • Disabling a security-relevant device (network adapter, TPM, a device an EDR uses, etc.) can weaken defenses or allow isolation to be evaded. Check the target device and the subject.
  • Pair this event with the request event 6419 to track what was disabled and when. Take note of any unexpected disabling.

Notes for log review

  • The event also occurs during legitimate operations. Compare the target device and subject against normal patterns.
  • Verify any disabling of security-related devices at high priority.

Key fields

Field | Meaning
Device ID | The disabled device
Subject\Account Name | The subject that performed the operation
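The review points above can be turned into a triage pass over exported events. The following is an added example, not part of the original reference: it pairs each 6420 with its 6419 request by Device ID and Subject\Account Name, then ranks the result. The record keys, the watchlist, the known-normal list, the 5-minute pairing window and all sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records. Keys are this sketch's own names for the event ID,
# timestamp, Device ID and Subject\Account Name; all values are made up.
EVENTS = [
    {"id": 6419, "time": "2024-05-01T09:00:00", "device_id": r"USB\VID_0000&PID_0001\A1", "account": "helpdesk01"},
    {"id": 6420, "time": "2024-05-01T09:00:01", "device_id": r"USB\VID_0000&PID_0001\A1", "account": "helpdesk01"},
    {"id": 6419, "time": "2024-05-02T02:13:10", "device_id": r"ACPI\MSFT0101\1", "account": "svc-temp"},
    {"id": 6420, "time": "2024-05-02T02:13:11", "device_id": r"ACPI\MSFT0101\1", "account": "svc-temp"},
    {"id": 6420, "time": "2024-05-02T03:00:00", "device_id": r"USB\VID_0000&PID_0002\B7", "account": "jdoe"},
]
# Device ID prefixes the defender treats as security-relevant (constructed).
WATCHLIST = {r"ACPI\MSFT0101": "TPM", r"PCI\VEN_0000&DEV_0001": "network adapter"}
# Known-normal (account, Device ID prefix) pairs, e.g. routine helpdesk work (constructed).
EXPECTED = {("helpdesk01", r"USB\VID_0000&PID_0001")}

def review_disables(events, watchlist, expected, window=timedelta(minutes=5)):
    """Pair each 6420 with its 6419 request and assign a review priority."""
    pending, findings = {}, []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        when = datetime.fromisoformat(ev["time"])
        dev, acct = ev["device_id"].upper(), ev["account"].lower()
        if ev["id"] == 6419:
            pending[(dev, acct)] = when          # remember the request
        elif ev["id"] == 6420:
            requested = pending.pop((dev, acct), None)
            paired = requested is not None and when - requested <= window
            label = next((name for prefix, name in watchlist.items()
                          if dev.startswith(prefix.upper())), None)
            normal = any(acct == a.lower() and dev.startswith(p.upper())
                         for a, p in expected)
            if label:
                priority = "high"                # security-relevant device
            elif normal and paired:
                priority = "info"                # matches the normal pattern
            else:
                priority = "review"              # unexpected subject/device or no request seen
            findings.append({"time": ev["time"], "device_id": ev["device_id"],
                             "account": ev["account"], "paired": paired,
                             "watchlist": label, "priority": priority})
    return findings

if __name__ == "__main__":
    for f in review_disables(EVENTS, WATCHLIST, EXPECTED):
        print(f["priority"].upper(), f["time"], f["account"], f["device_id"], f["watchlist"] or "-")
```

A 6420 with no matching 6419 in the collected logs is reported with `paired` set to false, which is worth checking against log coverage before drawing conclusions.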