Failed Logon Events ID 4625 When Successfully Scanning and Deploying to Computers

Purpose:

PDQ Deploy and PDQ Inventory successfully scans\deploys to computers, but it creates failed logon events ID 4625.

1.png

 

Resolution:

This is by design from Microsoft when a connection is made from a Domain > Workgroup computer. This happens outside of PDQ software when using SMB to transfer files from the PDQ Server to the Workgroup computer.

If the computer where the connection is being initiated on, is a part of a domain, it will first attempt to authenticate at the computer level and fails since the computer you are connecting to is not on the domain, then it authenticates at the user level using the account you have specified.

Every time you do an SMB file transfer it will attempt to reauthenticate at the computer level, thus generating the event ID 4625 multiple times.

To prevent this behavior, either both the PDQ Server and computers need to be on the same domain, or they both need to be in a Workgroup.

Was this article helpful?
Still have a question or want to share what you have learned? Visit our Community Discord to get help and collaborate with others.