1002 — SERVER_ERROR
Description: System/server error, often due to corrupt/incorrect service key or unreachable endpoint.
Observation: Untrusted/self‑signed certs; wrong service key; proxy blocking (e.g., MS error 12002 in sdorest*.log); nonce issues in Desk 3.8.4+.
Steps to Resolve: Validate endpoint URL; trust the NGINX web service certificate; correct service key (avoid Firefox paste artifacts); fix proxy; address “Wrong Server nonce” on server.

1003 — CERT_ERROR
Description: Client ADPA certificate mismatch/rotation/corruption.
Observation: The installed certificate doesn’t match the service.
Steps to Resolve: Repackage/recreate MSI; as a workaround, place cert.pem in the Octopus client directory (avoid Firefox download that adds spaces). 

1006 — REG_ERROR
Description: Agent cannot find required Octopus registry keys.
Observation: Wrong MSIUpdater; manual registry deletions/changes (URLs, service keys).
Steps to Resolve: Reinstall agent with correct MSIUpdater; restore required registry keys/values.

1007 — GET_CERT_ERROR
Description: Private key cannot open/decrypt password for distributed vault.
Observation: TPM reset/corruption or suspected tamper/theft.
Steps to Resolve: Delete the workstation under the user on Octopus Server (to clear stale public key) and re‑enroll.  

1009 — BLE_ERROR
Description: BLE authentication error.
Observation: No enrolled/nearby phone; wrong phone; BLE provided incorrect password (see c:\windows\temp\sdoble*.log).
Steps to Resolve: Validate enrolled phone and proximity; review BLE logs for protocol errors; re‑enroll device if needed. 

1010 — BLE_REJECT
Description: BLE client rejected the request.
Observation: User pressed deny in mobile app; mismatched enrolled machine; smartphone bugs/permissions.
Steps to Resolve: Approve requests; delete and re‑enroll authenticator smartphone; check app permissions; share app logs with support if needed. 

1011 — DENY
Description: User denied PUSH authentication.
Observation: Similar causes to BLE_REJECT.
Steps to Resolve: Re‑enroll user/smartphone; ensure app permissions; advise user to approve prompts.  

1012 — BYPASS
Description: User bypass not allowed.
Observation: User profile in bypass/panic mode; attempting Octopus app/FIDO login when only username/password is permitted.
Steps to Resolve: Use username and password until bypass/panic is cleared.  

1013 — EXPIRED (log‑only)
Description: Password expired per policy.
Observation: Checked during BLE online login; can auto‑lock to force rotation.
Steps to Resolve: Change password online per policy.  

1014 — NOEXPIRED (log‑only)
Description: Password not expired.
Observation: Informational; may influence whether to run BLE or PUSH.
Steps to Resolve: None; proceed with normal authentication.  

1016 — FIDO2ERROR
Description: FIDO hardware/auth error.
Observation: Wrong PIN/HW blocked; unsupported vendor for Windows (use Yubico); outdated firmware; directory missing valid email; PIN usage conflicts with MFA.
Steps to Resolve: Use supported Yubico for Windows login (others OK on portal); update firmware; ensure directory email; register new device; avoid PIN for MFA; reconnect and use online auth if vault/passwords are out of sync, then reset via MC if changed in AD. 

1017 — USERNAMEPASSNOTALLOW
Description: You cannot log in with username/password on this workstation.
Observation: Blocks bypass when FIDO key is present; see sdofido*.log.
Steps to Resolve: Use the permitted method (username/password if required by policy) or adjust policy.  

1018 — FIDOERRPINREQUIRED
Description: PIN required for FIDO authentication.
Observation: BIO login attempted where FIDO+PIN is required.
Steps to Resolve: Enter FIDO PIN or switch to BIO‑capable device if policy allows.  

1019 — TIMEOUT
Description: No response/timeout between credential provider and SDO service (SDOGUARD).
Observation: Base URL unreachable; SDOGUARD service missing or failed registration; invalid cert; WMI corruption (noted post April 2022 MS updates); machine not fully domain‑joined; SDOGUARD crash.
Steps to Resolve: Verify enterprise base URL (ping/open); confirm SDOGUARD.exe exists and runs; reinstall Octopus Desk (3.5.4+ if WMI issues); validate certificates/CA; check WMI health; disjoin/rejoin domain if needed; contact support with logs on crashes.  

1020 — CANTSETLOCALPASSWORD
Description: Error setting local credentials.
Observation: Timeout with SDO Safeguard service.
Steps to Resolve: Check and restart SDO Safeguard service; verify local credential policies.

1021 — NOTFOUND (User Bypass not allowed)
Description: Bypass denied; must use username/password.
Observation: Same message as 1012 in UI context.
Steps to Resolve: Log in with username/password per policy.  

1022 — WEBAUTHN
Description: WebAuthN error.
Observation: Generic failure in WebAuthN flow.
Steps to Resolve: Retry; verify browser/device compatibility and server configuration; check logs for specific cause.  

1023 — OTPNMFA (OTP passwordless is not allowed)
Description: OTP cannot be used for passwordless authentication.
Observation: Attempted to use OTP for passwordless.
Steps to Resolve: Use supported passwordless methods (BLE/FIDO/etc.); reserve OTP for MFA.  

1024 — OTPOFFLINEENDOFBUFFER (OTP Expired)
Description: Offline OTP token expired.
Observation: One‑time password buffer exhausted/expired.
Steps to Resolve: Perform one online authentication to renew the OTP token buffer.  

1025 — RESERVED (Internal use)
Description: Reserved.
Observation: Internal only.
Steps to Resolve: N/A (contact support if observed externally).  

1026 — AUTHTIMEOUT
Description: Timeout/no response during authentication.
Observation: Generic timeout similar to 1019 but at auth phase.
Steps to Resolve: Check network/service availability; retry; inspect client/server logs.  

1027 — MFABYPASS
Description: MFA bypass not allowed.
Observation: Policy requires MFA; bypass attempt blocked.
Steps to Resolve: Complete MFA per policy or adjust policy via admin.  

1028 — NOMEMORY
Description: Insufficient memory to run.
Observation: Client reports low memory.
Steps to Resolve: Close apps; increase RAM; reboot; ensure agent minimum system requirements are met.  

1029 — Credentials Decrypt Error
Description: Cannot decrypt credentials.
Observation: Vault/keys mismatch or local crypto failure.
Steps to Resolve: Recheck key/cert state; re‑enroll machine; ensure secure storage integrity.  

1030 — OTHER (Unknown Error)
Description: Oops, something went wrong.
Observation: Requires SDO tech support investigation.
Steps to Resolve: Collect and send logs; contact support.  

1031 — OTP1MIN (Lock for 1 minute)
Description: Computer temporarily locked (1 minute).
Observation: Short lock due to OTP/failed attempts.
Steps to Resolve: Wait 1 minute; retry with correct OTP/auth method.  

1032 — OTP30MIN (Lock for 30 minutes)
Description: Computer locked (30 minutes).
Observation: Extended lock due to repeated failures.
Steps to Resolve: Wait 30 minutes; ensure correct credentials/method.  

1033 — OTP1H (Lock for 1 hour)
Description: Computer locked (1 hour).
Observation: Severe lock due to multiple failures.
Steps to Resolve: Wait 1 hour; review cause of failures before retrying.

1034 — OTPBLOCKED (Locked)
Description: Computer locked.
Observation: Lock persists until policy/timeout clears.
Steps to Resolve: Follow policy or contact admin to clear lock.  

1035 — NOTSUPPORTED (Reset Credentials not set)
Description: Reset Credentials not configured.
Observation: Feature disabled/not set by admin.
Steps to Resolve: Admin must enable/configure Reset Credentials.  

1036 — MUSTCHANGEPASSWORD (Credentials out of sync)
Description: Credentials out of sync.
Observation: Vault/AD mismatch.
Steps to Resolve: Contact admin; rotate/reset password via official MC process. 

1037 — ACCOUNTLOCKEDOUT (Your account is locked)
Description: Account locked.
Observation: With MS error 1385, network login not allowed—remove “network LogonUser” under WCPS.
Steps to Resolve: Unlock account per policy; fix WCPS “network LogonUser” setting; retry.  

1038 — RESERVED (Internal use)
Description/Observation/Steps: Reserved/internal.  

1039 — RESERVED (Internal use)
Description/Observation/Steps: Reserved/internal.

1040 — REJECTANDALLOWBLE (Server Reject request)
Description: Authentication failed; server rejected request (same messaging as 1004).
Observation: Conditions lead to reject but BLE may be allowed.
Steps to Resolve: Identify reject reason from server; use BLE if permitted; fix root cause.  

1041 — No Challenge from Server
Description: Incomplete/missing challenge from server.
Observation: Client expected challenge code; not received/readable.
Steps to Resolve: Verify configuration; recheck server response formatting; contact support.  

1042 — RESERVED (Internal)
Description/Observation/Steps: Reserved/internal.  

1043 — No OTP from Server
Description: Cannot retrieve forward‑OTP from server.
Observation: Server didn’t send OTP or client couldn’t read it.
Steps to Resolve: Check server OTP service; network; retry; contact admin.  

1044 — RESERVED (Internal)
Description/Observation/Steps: Reserved/internal.  

1045 — Certificate Error
Description: Invalid/wrong/untrusted certificate.
Observation: Client cert not trusted or wrong.
Steps to Resolve: Use valid CA‑trusted certificate; correct cert configuration; retry.  

1046 — Sign‑in method isn’t allowed
Description: Attempted sign‑in method blocked by policy.
Observation: Method disallowed for scenario/workstation.
Steps to Resolve: Use allowed methods or change policy via admin.  

1047 — Offline Login Error
Description: Offline certificate‑based login failed.
Observation: Client cannot authenticate offline via certificate.
Steps to Resolve: Re‑validate offline certificates; ensure offline configuration and pre‑sync; retry.  

1048 — Your account is restricted
Description: Account has restrictions.
Observation: Policy/admin restriction in effect.
Steps to Resolve: Contact administrator to lift/adjust restriction.  

1049 — Bypass token not supported
Description: Bypass token unsupported or misconfigured (MFA/ForceAuth/bypass not allowed).
Observation: Policy conflict.
Steps to Resolve: Align policy (MFA/ForceAuth) and configuration; avoid unsupported bypass.  

1050 — Wrong user format (Azure)
Description: Wrong user string format for Azure login.
Observation: Needs UPN format.
Steps to Resolve: Enter username in UPN (user@domain) format. 

1051 — FFU (Error 1051)
Description/Observation/Steps: Labeled “FFU”; details not provided.
Steps: Check logs; contact support for FFU specifics.  

1052 — Fingerprint error
Description: Can’t read fingerprint.
Observation: Security key sensor read failure.
Steps to Resolve: Retry; reset security key; re‑enroll.  

1053 — Enhanced Assurance Server error — AAL3
Description: Server returned wrong info for Enhanced Assurance.
Observation: AAL3 mismatch.
Steps to Resolve: Verify EA/AAL3 configuration on server; contact admin.  

1054 — Enhanced Assurance Mobile/Server error — AAL3
Description: Mobile returned wrong info or not found for Enhanced Assurance.
Observation: AAL3 data problem from mobile side.
Steps to Resolve: Re‑enroll mobile; check EA configuration; contact admin.  

1055 — FIDO key not found
Description: No FIDO device detected.
Observation: Key not inserted/recognized.
Steps to Resolve: Insert FIDO device; verify driver/support; retry.  

1056 — No Radius Token
Description: Radius token not found.
Observation: Missing token for Radius flow.
Steps to Resolve: Provision Radius token; sync with server/admin.

1057 — Offline Radius Token Error
Description: Cannot retrieve Radius token in offline mode.
Observation: Offline environment lacks token retrieval capability.
Steps to Resolve: Connect to network; retrieve token online; retry.  

1058 — OTP Offline Error
Description: Cannot retrieve credentials for OTP offline.
Observation: Offline retrieval failed.
Steps to Resolve: Connect to network; perform online authentication; refresh offline cache.  

1059 — Clipboard Error (Failed to set)
Description: Failed to set clipboard.
Observation: OS/app restriction interrupted clipboard set.
Steps to Resolve: Retry; close interfering apps; check permissions.  

1060 — Clipboard Error (Failed to clear)
Description: Failed to clear clipboard.
Observation: OS/app restriction interrupted clipboard clear.
Steps to Resolve: Retry; close interfering apps; check permissions.  

1061 — Lock Error (Can’t lock workstation)
Description: Agent couldn’t lock the workstation.
Observation: System API failure or policy block.
Steps to Resolve: Check system policies; restart agent; verify OS APIs.  

1062 — Check Error (Credentials check failed)
Description: Credentials validation failed.
Observation: Mismatch or validation failure.
Steps to Resolve: Re‑enter credentials; check policy/source of truth; review logs.  

1063 — Credential Error (Wrong username or password)
Description: Username/password incorrect.
Observation: Typo or wrong credential source.
Steps to Resolve: Use correct credentials; reset via MC if needed.  

1064 — Code Error (No verification code entered)
Description: User didn’t enter verification code.
Observation: Missing input.
Steps to Resolve: Enter the code; retry.  

1065 — SSO Error (Fail to launch SSO)
Description: SSO launch failed.
Observation: App/config problem.
Steps to Resolve: Verify SSO configuration and prerequisites; relaunch.  

1066 — SSH Error (Fail to launch SSH)
Description: SSH launch failed.
Observation: App/config problem.
Steps to Resolve: Validate SSH settings; ensure keys/paths; retry.  

1067 — OTP error (Wrong OTP)
Description: OTP entered is incorrect.
Observation: Typo or expired token.
Steps to Resolve: Enter correct/current OTP; resync token; renew if expired.  

1068 — Session id
Description: “session id” placeholder only.
Observation: No detail provided.
Steps to Resolve: Check logs/context for session issues; contact support.  

1069 — VPN Error (Launch VPN Error)
Description: Failed to launch VPN.
Observation: VPN client/config issue.
Steps to Resolve: Validate VPN profile, credentials, and client; retry.

1070 — Bad Application Token Error
Description: Bad app token.
Observation: Token invalid/expired/mismatched.
Steps to Resolve: Refresh/regenerate application token; sign in again.  

1071 — Offline Error (Cannot use Offline Login)
Description: Must log in online before using offline.
Observation: No initial offline cache established.
Steps to Resolve: Perform an online login to seed offline cache; then retry offline.  

1072 — No Network error
Description: No network connectivity.
Observation: Connection absent.
Steps to Resolve: Connect to network; verify adapters/proxy.  

1073 — Server Error
Description: Server error occurred.
Observation: Transient or configuration issue.
Steps to Resolve: Retry later; check server health/status; contact admin.  

1074 — Secure Server Error
Description: Server address not using HTTPS.
Observation: Security requirement violation.
Steps to Resolve: Use https:// in server address; update configs.  

1075 — Application Disabled Error
Description: Application disabled.
Observation: Admin disabled app or policy.
Steps to Resolve: Contact administrator to enable the application.  

1076 — Password Free wrong password
Description: Wrong password used in Password Free flow.
Observation: Credentials mismatch.
Steps to Resolve: Use correct password; reset via MC if needed.  

1077 — RFID no reader found
Description: No RFID reader detected.
Observation: Hardware missing/disconnected.
Steps to Resolve: Connect/enable RFID reader; install drivers; retry.  

1078 — RFID no card found
Description: No RFID card detected.
Observation: Card absent or unreadable.
Steps to Resolve: Present supported RFID card; check reader/card health.  

1079 — RFID not supported on this platform
Description: Platform doesn’t support RFID authenticator.
Observation: Trying RFID where unsupported.
Steps to Resolve: Use a supported authenticator (BLE, FIDO, OTP, etc.) for this platform.