6421 A request was made to enable a device
Written when a request is made to enable a device. It captures the start of a device-enable operation.
Overview
The subcategory is Audit PNP Activity. The event is generated when a request to enable a disabled device is issued. The enabling itself is recorded as 6422.
How it is triggered
- A device-enable request via Device Manager, an API, or policy.
Security review points
- A request to enable a previously forbidden/disabled device can relate to evading device control (lifting a USB restriction, etc.). Check the target device and requesting subject.
- Also note the enabling of a forbidden device (6424) and re-enabling after a disable (6420).
Notes for log review
- It also occurs during legitimate operations. Match the target device and subject against normal patterns.
- Review enable requests for security-restricted devices at high priority.
Key fields
| Field | Meaning |
|---|---|
| Device ID | The target device |
| Subject\Account Name | The requesting subject |
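
The review notes above can be turned into a small triage pass over exported event XML. This is an added example, not part of the original page: it ranks 6421 requests by device and subject and marks those followed by a 6422 for the same device. The `DeviceId` and `SubjectUserName` data names, the restricted-prefix list, the baseline subject set, and all sample events are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(event_id, user, device_id):
    """Build a constructed, trimmed event record (sample data, not a real log)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData><Data Name="SubjectUserName">{escape(user)}</Data>'
            f'<Data Name="DeviceId">{escape(device_id)}</Data></EventData></Event>')

# Constructed sample, oldest first; device IDs and account names are placeholders.
SAMPLE = [
    make_event(6421, "WS01$", r"PCI\VEN_EXAMPLE&DEV_0001\1"),
    make_event(6422, "WS01$", r"PCI\VEN_EXAMPLE&DEV_0001\1"),
    make_event(6421, "jdoe", r"USBSTOR\DISK&VEN_EXAMPLE\0001"),
    make_event(6422, "jdoe", r"USBSTOR\DISK&VEN_EXAMPLE\0001"),
    make_event(6421, "svc_tmp", r"HID\VID_EXAMPLE\2"),
]

def parse(xml_text):
    """Return (event id, {data name: value}) for one event record."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return int(root.findtext("e:System/e:EventID", namespaces=NS)), fields

def triage(events, restricted_prefixes, expected_subjects):
    """Rank 6421 requests; mark those followed by a 6422 for the same device."""
    restricted = tuple(p.upper() for p in restricted_prefixes)
    expected = {s.lower() for s in expected_subjects}
    findings, pending = [], {}
    for event_id, f in map(parse, events):  # assumes chronological order
        device = f.get("DeviceId", "").upper()
        if event_id == 6421:
            subject = f.get("SubjectUserName", "")
            if device.startswith(restricted):
                priority = "high"      # security-restricted device class
            elif subject.lower() not in expected:
                priority = "review"    # subject outside the normal pattern
            else:
                priority = "baseline"
            finding = {"device": device, "subject": subject,
                       "priority": priority, "completed": False}
            findings.append(finding)
            pending[device] = finding
        elif event_id == 6422 and device in pending:
            pending.pop(device)["completed"] = True
    return findings

if __name__ == "__main__":
    for row in triage(SAMPLE, ["USBSTOR\\"], {"WS01$"}):
        print(row)
```
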