SCCM Security Logs Event ID 4625 Logon Type 3

Ronald Seow 206 Reputation points
2021-08-02T22:41:26.92+00:00

Good morning!

I have observed that there have been a lot of Logon Failures, Security Log Event ID 4625 with Logon Type 3 (Network). These logons were on other machines that are SCCM Clients. The logs do indicate the user logon names as well as the machines they took place on. However, I must say that the actual logons were legit, meaning the user used the correct login name as well as passwords, but on SCCM Security Logs, it registered a failed login attempt with the Event ID 4625 and Logon Type 3. For info, there are no shared resources mapped to these machines.

Scenario

  1. User Logon to VM1 with username xxx
  2. Logon successful
  3. DC and VM1 register successful user logon on VM1 with username xxx, SCCM register failed logon on VM1 with username xxx Logon Type 3.

This is happening each time a legit user logs on to a machine. But we also notice that no security event is created when an administrator of SCCM logs on to a VM.

Is this the standard behavior of SCCM?

Appreciate any advice.

Thank you.
Ronald

Microsoft Configuration Manager

6 answers

  1. Jason Sandys 31,316 Reputation points Microsoft Employee
    2021-08-03T13:38:26.993+00:00

    What does "SCCM register failed logon on VM1 with username xxx Logon Type 3." mean? ConfigMgr does not monitor logons on managed devices, so not sure what you are referring to here. Can you provide more of exactly what you are seeing and where you are seeing it specific to this item?

    1 person found this answer helpful.

  2. Jason Sandys 31,316 Reputation points Microsoft Employee
    2021-08-04T15:10:04.627+00:00

    "I am also seeing an entry in SCCM security log."

    There is no security log in ConfigMgr, so still not sure at all what you are referring to here. Are you talking about the security event log on the server hosting the ConfigMgr primary site server?

    1 person found this answer helpful.

  3. Ronald Seow 206 Reputation points
    2021-08-04T05:31:33.657+00:00

    Hi! Jason / Amanda,

    Unfortunately, I am not able to share any screenshots.

    Under normal circumstances, all machines joined to Domain will log failed login attempts in their own security logs in event viewer as well as that in a Domain Controller. This is also the first time I am seeing failed logon attempts logged for other machines in SCCM. If there are shared folders or printers etc, I can understand because it is logon type 3 but in our case, there are no shares to begin with. I am quite new to SCCM so just want to confirm whether this is a behavior of SCCM.

    Let me elaborate the scenario again.

    In a Domain, where there is a DC, SCCM and say 5 other Member Servers. In SCCM, we will see all the clients.

    When there is a failed logon attempt on any of the member servers, I will find an entry in the server's security log, the DC security log and on top of those I am also seeing an entry in SCCM security log.

    I can answer any question you may have but I'm not able to share screenshots.

    Sorry for the inconveniences caused.

    Hope you can help.

    Thank you and best regards.
    Ronald


  4. Ronald Seow 206 Reputation points
    2021-08-11T00:43:55.137+00:00

    Hi!

    In fact, mine is the opposite. The failed login attempts only show those users who are not SCCM admins.

    Regards
    Ronald


  5. Kenneth Nandfred Larsen 1 Reputation point
    2022-03-25T09:09:32.583+00:00

    Did anybody figure this one out?
    Seeing the same thing here, multiple failed user logins from untrusted domain computers towards the MP.

    It stops when I stop the SCCM Client agent, but why on earth is SCCM doing user logins?

    I can see just as many successful logins from users on computers inside the trusted domain.

    The SOC is going nuts over the failed logins :)

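One way to triage the failures described in this thread on the server that records them, as an added example (not code from any poster or from Microsoft): it groups Event ID 4625 entries with Logon Type 3 by source workstation, account, authentication package and failure reason, so a SOC can see which hosts and accounts produce the noise. The function name `Get-NetworkLogonFailureSummary` and the sample events are constructed for illustration.

```powershell
# Well-known NTSTATUS values that appear in the SubStatus field of event 4625.
$reason = @{
    '0xC0000064' = 'account name does not exist'
    '0xC000006A' = 'wrong password'
    '0xC0000072' = 'account disabled'
    '0xC0000234' = 'account locked out'
}

# Hypothetical helper (not a Windows or ConfigMgr cmdlet): takes 4625 events as XML strings.
function Get-NetworkLogonFailureSummary {
    param([Parameter(Mandatory)][string[]]$EventXml)
    $rows = foreach ($x in $EventXml) {
        $d = @{}
        foreach ($n in ([xml]$x).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.LogonType -ne '3') { continue }          # keep network logons only
        $why = $reason[[string]$d.SubStatus]            # $null when the code is not in the table
        [pscustomobject]@{
            Source  = $d.WorkstationName
            Account = $d.TargetUserName
            Package = $d.AuthenticationPackageName
            Reason  = if ($why) { $why } else { $d.SubStatus }
        }
    }
    # One output row per distinct source/account/package/reason, most frequent first.
    $rows | Group-Object Source, Account, Package, Reason |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample events (all values made up); the third is Logon Type 2 and is filtered out.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sample = 'VM1,xxx,3,0xc000006a', 'VM1,xxx,3,0xc000006a', 'VM2,yyy,2,0xc0000064' | ForEach-Object {
    $w, $u, $t, $s = $_ -split ','
    "<Event xmlns='$ns'><System><EventID>4625</EventID></System><EventData>" +
    "<Data Name='TargetUserName'>$u</Data><Data Name='LogonType'>$t</Data>" +
    "<Data Name='WorkstationName'>$w</Data><Data Name='SubStatus'>$s</Data>" +
    "<Data Name='AuthenticationPackageName'>NTLM</Data></EventData></Event>"
}

Get-NetworkLogonFailureSummary -EventXml $sample

# Live use on the server that logs the failures (requires rights to read the Security log):
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 500 |
#            ForEach-Object { $_.ToXml() }
# Get-NetworkLogonFailureSummary -EventXml $xml
```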
