
6424 The installation of this device was allowed, after previously being forbidden by policy

Written when a device that was previously forbidden by policy is installed after being allowed. It captures the application of a device-control exception.

Overview

The subcategory is Audit PNP Activity. The event is generated when a device that was once forbidden (6423) is installed after being allowed through a policy change or an exception setting.

How it is triggered

  • When a previously-forbidden device is installed after a policy change or exception grant.

Security review points

  • A forbidden device becoming allowed and then being installed means the device-control policy was loosened. Check who allowed which device, and why. Also consider the possibility that an attacker loosened the control in order to introduce a device such as a USB device.
  • Track how the allowance came about together with policy changes (6144 or GPO changes). Correlate with the forbidden event 6423 and the new-device recognition event 6416.

Notes for log review

  • This event is meaningful in environments that enforce device control. Treat the forbidden-to-allowed change as a significant configuration change that must be confirmed.
  • Check whether the allowing subject, target device, and timing are consistent with legitimate exception operations.

Key fields

Field                   Meaning
Device ID / Class       The allowed and installed device
Subject\Account Name    The subject that performed the operation
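
The correlation described under "Security review points", as an added example that is not part of the original page: for each 6424 it looks up the earlier 6423 for the same device and the most recent 6144 before the allowance, then lists what is missing. The record layout, the key names (`device_id`, `account`), the sample events and the 24-hour window are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real log output). Keys are assumptions standing in
# for the page's fields: device_id = Device ID, account = Subject\Account Name.
EVENTS = [
    {"time": "2024-05-01T09:00:00", "id": 6423, "device_id": "USB\\VID_0000&PID_0001\\A1", "account": "alice"},
    {"time": "2024-05-01T10:00:00", "id": 6144, "device_id": None, "account": "SYSTEM"},
    {"time": "2024-05-01T10:05:00", "id": 6424, "device_id": "USB\\VID_0000&PID_0001\\A1", "account": "alice"},
    {"time": "2024-05-02T08:00:00", "id": 6423, "device_id": "USB\\VID_0000&PID_0002\\B2", "account": "bob"},
    {"time": "2024-05-03T23:40:00", "id": 6424, "device_id": "USB\\VID_0000&PID_0002\\B2", "account": "bob"},
    {"time": "2024-05-04T12:00:00", "id": 6424, "device_id": "USB\\VID_0000&PID_0003\\C3", "account": "carol"},
]

def review_6424(events, policy_window=timedelta(hours=24)):
    """For each 6424, attach the prior 6423 for the same device and the most
    recent 6144 inside policy_window (assumed value), and list what is missing."""
    events = sorted(events, key=lambda e: e["time"])  # ISO 8601 strings sort chronologically
    last_forbidden = {}   # device_id -> time of the latest 6423
    policy_times = []     # times of 6144 policy applications
    findings = []
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 6423:
            last_forbidden[e["device_id"]] = t
        elif e["id"] == 6144:
            policy_times.append(t)
        elif e["id"] == 6424:
            forbidden_at = last_forbidden.get(e["device_id"])
            recent = [p for p in policy_times if timedelta(0) <= t - p <= policy_window]
            reasons = []
            if forbidden_at is None:
                reasons.append("no prior 6423 in data set")
            if not recent:
                reasons.append("no 6144 within window before allowance")
            findings.append({
                "device_id": e["device_id"], "account": e["account"], "allowed_at": t,
                "forbidden_at": forbidden_at,
                "policy_applied_at": max(recent) if recent else None,
                "review": reasons,
            })
    return findings

if __name__ == "__main__":
    for f in review_6424(EVENTS):
        status = "; ".join(f["review"]) or "explained by policy change"
        print(f["allowed_at"], f["device_id"], f["account"], "->", status)
```

An empty `review` list means the allowance lines up with a recorded policy application; it still needs the who-and-why check against the exception process.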
