Windows 10: ENtra ID audit last logon user

Look like the delay to get the last login is over 15 minutes, and the log get the information only if the computer reboot and the user login, if the user logout and login , no activity are record on the audit log, is this normal. how do we get the last login date and time the right way under entra id Azure joint or Hybrid user

:)

 

Understanding about Audit Logon Event

Hi

Welcome to Microsoft community.

The Audit Logon events in the Windows Event Log are generated by the operating system to track user logon and logoff activities on a system. These events can provide valuable information about who is accessing the system and when. However, it's essential to understand that these events can also be generated by various system processes, services, and background tasks, not just by physical user logins.

Here are some common scenarios where you might see duplicate login/logout events and Kerberos Ticket requests in the Event Log, even when there's no physical user logging into the client machine:

1. Scheduled Tasks: Some scheduled tasks or background processes may require authentication and generate logon events, even when no user is interacting with the machine. These tasks could include maintenance tasks, background updates, and other system-related activities.
   
2. Service Accounts: System services, applications, or tasks running under service accounts might trigger logon events for those accounts without involving physical users. Service accounts are often used to run various services in the background.
   
3. Network Access: If the system is accessed remotely via network shares or other network resources, logon events might be generated for that remote access, even if no user is directly interacting with the machine.
   
4. Cached Credentials: In some cases, cached credentials might be used to access network resources, which can lead to logon events, even if no fresh user authentication occurs.
   
5. Kerberos Ticket Renewal: Kerberos is the authentication protocol used in Windows environments. When a user logs in, a Kerberos Ticket is generated, and it may be automatically renewed by the system without requiring the user to log in again.
   
6. Terminal Services or Remote Desktop Services: In environments with remote desktop or terminal services enabled, logon events might be triggered for remote sessions.
   

To better understand the specific cause of the duplicate logon events in your environment, it's recommended to analyze the Event Log in more detail. Check the event IDs associated with the logon and logoff activities and look for information about the type of logon (e.g., interactive, network, batch, service, etc.), the user account involved, the source of the logon (e.g., Service, Network, LogonUI, etc.), and any associated IP addresses.

Remember that logs can vary depending on the system configuration and the applications running.

Please feel free to let me know if you have any further updates, thanks.

Best regards

Derrick Qian | Microsoft Community Support Specialist

 

Some windows 11 devices shows as Entra ID registered in Intune

Some devices onboarded to Intune with self deploying Autopilot mode, and now they shows as Entra ID registered in Intune and not Entra ID joined. Why these shows Entra ID registered and how to make them appear Entra ID joined.

 

Windows 11 can't logon as new User

Hello Daisy Zhou,

Thank you for your reply.



To Answer your Questions:

1. Yes, I mean the "Switch User" button, it's named a little different in German as it seems



2. There is no error massage, as there is no way of starting the process of logging into a new user



3. The device has not yet joined the Entra-ID/Azure-AD domain, as you would usually do that by logging in with an Office Account



4. Local users are possible to be logged into since they show up as a direct user login. Users that are not located on the machine itself don’t show up as they’ve never been logged into on the device.

Kind Regards,

-