
6423 The installation of this device is forbidden by system policy

Logged when the installation of a device is forbidden by system policy. It records device control (USB restrictions, etc.) taking effect.

Overview

The subcategory is Audit PNP Activity. The event is generated when the connection of a device is blocked by a device-installation-restriction Group Policy or an equivalent control. It therefore indicates an attempt to connect an unauthorized device.

How it is triggered

  • When a device connection such as USB storage is forbidden by the device-installation-restriction policy.

Security review points

  • An attempt to connect a forbidden device can be a sign of attempted data exfiltration or of introducing a rogue device (BadUSB, etc.). Check the blocked device's class, identifier, and the user involved.
  • Record the user, machine, and device ID that attempted the connection, and track repeated attempts as well as any later 6424 for the same device (the device going from forbidden to allowed). Correlate with 6416 (new-device recognition).
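The two review points above, as an added example that is not part of the original page: pull 6423 and 6424 from the Security log, then list repeated forbidden attempts per user and device, and devices that were forbidden and later allowed. It assumes the caller can read the Security log and that the EventData element names (SubjectUserName, DeviceId, ClassName) follow the standard PnP audit schema; adjust them if your events differ.

```powershell
# Added example (not from the original page): review 6423/6424 for repeated
# or reversed device blocks. Assumes Audit PNP Activity is enabled and the
# EventData names below match the PnP audit schema on the reviewed host.
param(
    [int]$Days = 7,              # look-back window
    [int]$RepeatThreshold = 3    # flag a user/device pair at this many 6423s
)

$filter = @{ LogName = 'Security'; Id = 6423, 6424; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

# Flatten each event into a record; EventData values are read by name from the XML.
$records = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Id       = $e.Id
        Computer = $e.MachineName
        User     = $data['SubjectUserName']   # Subject\Account Name
        DeviceId = $data['DeviceId']          # Device ID
        Class    = $data['ClassName']         # device class
    }
}

# 1. Repeated forbidden attempts by the same user for the same device.
$repeated = $records | Where-Object Id -eq 6423 |
    Group-Object User, DeviceId |
    Where-Object Count -ge $RepeatThreshold |
    Select-Object Count, Name

# 2. Devices blocked by 6423 and later allowed by 6424: a policy change or
#    exception that the reviewer should be able to explain.
$blocked  = $records | Where-Object Id -eq 6423
$reversed = foreach ($b in $blocked) {
    $later = $records | Where-Object { $_.Id -eq 6424 -and $_.DeviceId -eq $b.DeviceId -and $_.Time -gt $b.Time }
    if ($later) {
        [pscustomobject]@{
            DeviceId  = $b.DeviceId; User = $b.User; Computer = $b.Computer
            BlockedAt = $b.Time;     AllowedAt = ($later | Sort-Object Time)[0].Time
        }
    }
}

"== Repeated forbidden attempts (>= $RepeatThreshold) =="; $repeated | Format-Table -AutoSize
"== Forbidden, then later allowed =="; $reversed | Sort-Object DeviceId -Unique | Format-Table -AutoSize
```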

Notes for log review

  • This event is meaningful in environments that enforce device control. A forbidden-device connection attempt is both a record of the policy working correctly and a clue to an intent to exfiltrate data or introduce a device.
  • Watch for repeated forbidden connections, and for repeated attempts by a single user.

Key fields

Field                   Meaning
Device ID / Class       The forbidden device
Subject\Account Name    The user who attempted the connection
