Plug and Play Events constantly triggering coming up (EventCode 6416)

Question

Hello,

I recently upgraded two servers to new hardware and now they are generating a lot of 6416 eventcodes compared to the old servers which didn't generated that much events only when restarted. These servers have no internet access on purpose and there should be no way to print from them. I don't want to turn off the auditing for the event because just in case I want to be able to see if someone does succeed in mounting a printer or an external device to these servers. Also it is strange but it adds printers with the name redirected and a number behind it. Is there a way to stop this from happening?

Here are the logs.

11/24/2021 03:59:45 PM
LogName=Security
EventCode=6416
EventType=0
ComputerName=server1.my.domain.los
SourceName=Microsoft Windows security auditing.
Type=Information
RecordNumber=3471973
Keywords=Audit Success
TaskCategory=Plug and Play Events
OpCode=Info
Message=A new external device was recognized by the system.

Subject:
    Security ID:        NT AUTHORITY\SYSTEM
    Account Name:       SERVER1$
    Account Domain:     NETID
    Logon ID:       0x3E7

Device ID:  SWD\PRINTENUM\{3390369D-7DCB-4C2D-8C82-663A1AE7D5BF}

Device Name:    OneNote for Windows 10 (redirected 14)

Class ID:       {1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}

Class Name: PrintQueue

Vendor IDs: 
        PRINTENUM\LocalPrintQueue



Compatible IDs: 
        GenPrintQueue
        SWD\GenericRaw
        SWD\Generic



















11/24/2021 03:59:43 PM
    LogName=Security
    EventCode=6416
    EventType=0
    ComputerName=server1.my.domain.los
    SourceName=Microsoft Windows security auditing.
    Type=Information
    RecordNumber=3471971
    Keywords=Audit Success
    TaskCategory=Plug and Play Events
    OpCode=Info
    Message=A new external device was recognized by the system.

    Subject:
        Security ID:        NT AUTHORITY\SYSTEM
        Account Name:       SERVER1$
        Account Domain:     NETID
        Logon ID:       0x3E7

    Device ID:  SWD\PRINTENUM\{EF665D60-E606-415C-905C-587486A64AEC}

    Device Name:    Microsoft Print to PDF (redirected 14)

    Class ID:       {1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}

    Class Name: PrintQueue

    Vendor IDs: 
            PRINTENUM\LocalPrintQueue



    Compatible IDs: 
            GenPrintQueue
            SWD\GenericRaw
            SWD\Generic

















LogName=Security
    EventCode=6416
    EventType=0
    ComputerName=server1.my.domain.los
    SourceName=Microsoft Windows security auditing.
    Type=Information
    RecordNumber=3471970
    Keywords=Audit Success
    TaskCategory=Plug and Play Events
    OpCode=Info
    Message=A new external device was recognized by the system.

    Subject:
        Security ID:        NT AUTHORITY\SYSTEM
        Account Name:       SERVER1$
        Account Domain:     NETID
        Logon ID:       0x3E7

    Device ID:  SWD\PRINTENUM\{6693F307-9790-4CF4-9679-F3928131C0EB}

    Device Name:    Microsoft XPS Document Writer (redirected 14)

    Class ID:       {1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}

    Class Name: PrintQueue

    Vendor IDs: 
            PRINTENUM\LocalPrintQueue



    Compatible IDs: 
            GenPrintQueue
            SWD\GenericRaw
            SWD\Generic

Answer 1

Hello @MV

This is a usual behavior since this are "software printers" or print-to-file printers, even thought there is nothing attached.

You can remove this devices from the system successfully and safely from Settings>Devices>Printers&Scanners, but they may be recreated by the running services of their respective applications.

Hope this helps with your query,

-----------

--If the reply is helpful, please Upvote and Accept as answer--