Hello @Gracjan Podłęcki ,
Thank you for posting here.
If there is no non-compliant user account or no non-compliant devices account to perform Netlogon secure channel connections currently, there are no these events (5827, 5828, 5829, 5830,5831) currently.
If we install updates of phase one.
For event 5829
If there is non-compliant user account or non-compliant devices account to perform Netlogon secure channel connections, event ID 5829 will be logged.
If all domain controllers are in force mode.
For event 5827 and event 5828
Non-compliant user account or non-compliant devices account that memtioned by event ID 5829 are not configured in "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy, event ID 5827 and event ID 5828 will be logged.
For event 5830 and event 5831
Non-compliant user account or non-compliant devices account that memtioned by event ID 5829 are configured in "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy, event ID 5830 and event ID 5831 will be logged.
Hope the information above is helpful. If anything is unclear, please feel free to let us know.
Best Regards,
Daisy Zhou