Microsoft-Windows-BitLocker-API

211 events across 5 channels

Event ID	Title	Channel
513	BitLocker Drive Encryption recovery information was backed up successfully to …	System
514	Failed to backup BitLocker Drive Encryption recovery information to Active …	System
515	BitLocker Drive Encryption recovery information for the specified protector is …	System
516	A BitLocker certificate data recovery agent was created, because it was missing …	System
517	A BitLocker certificate data recovery agent was removed, because is no longer in …	System
518	The attempt to create a data recovery agent protector on the BitLocker volume …	System
519	The servicing of the data recovery agents on the volume failed.	System
520	The management of the data recovery agents failed on this drive because this …	System
521	Bootmgr failed to obtain the BitLocker volume master key from the TPM because …	System
522	Bootmgr determined that the following boot application has changed.	System
523	Bootmgr determined that the boot configuration data setting %1 has changed for …	System
524	Bootmgr determined that the authorization data for the SRK of the TPM is …	System
525	Bootmgr determined that the TPM is disabled.	System
526	Bootmgr determined that the TPM is not accessible.	System
527	The partition size specified in the partition table is smaller than the size of …	System
528	Boot debugging is enabled on Bootmgr so TPM based keys cannot be obtained.	System
529	Bootmgr determined that driver signature enforcement has been disabled.	System
530	Bootmgr determined that the device was locked out due to too many failed …	System
531	Bootmgr determined that the device was locked out due to Device Lockout state …	System
532	Bootmgr determined that the TPM is not present or recognized.	System
768	BitLocker encryption was started for volume %3 using %4 algorithm.	BitLocker Management
769	BitLocker encryption will occur for volume %3 when the computer is restarted …	BitLocker Management
770	BitLocker decryption was started for volume %3.	BitLocker Management
771	BitLocker encryption was stopped for volume %3.	BitLocker Management
772	BitLocker encryption was restarted for volume %3 using %4 algorithm.	BitLocker Management
773	BitLocker was suspended for volume %3.	BitLocker Management
774	BitLocker was resumed for volume %3.	BitLocker Management
775	A BitLocker key protector was created.	BitLocker Management
776	A BitLocker key protector was removed.	BitLocker Management
777	The PIN was updated for the operating system volume.	BitLocker Management
778	The BitLocker volume %3 was reverted to an unprotected state.	BitLocker Management
779	The BitLocker volume %3 was erased.	BitLocker Management
780	The identification field was changed.	BitLocker Management
781	The BitLocker protected volume %3 was locked.	BitLocker Management
782	The BitLocker protected volume %3 was unlocked.	BitLocker Management
783	BitLocker Drive Encryption recovery information for the specified protector is …	BitLocker Management
784	BitLocker Drive Encryption recovery information was backed up successfully to …	BitLocker Management
785	Failed to backup BitLocker Drive Encryption recovery information to Active …	BitLocker Management
786	BitLocker free space wiping was started for volume %3.	BitLocker Management
787	BitLocker free space wiping was stopped for volume %3.	BitLocker Management
788	BitLocker free space wiping was restarted for volume %3.	BitLocker Management
789	The PIN was changed.	BitLocker Management
790	A PIN change attempt failed.	BitLocker Management
791	The BitLocker Service (BdeSvc) PIN and password change facility is locked out …	BitLocker Management
792	BitLocker encountered a failure to commit metadata changes for volume %3.	BitLocker Management
793	BitLocker resealed boot settings to the TPM for volume %3.	BitLocker Management
794	BitLocker failed to reseal boot settings to the TPM.	BitLocker Management
795	BitLocker failed to initialize hardware encryption for volume %3 due to group …	BitLocker Management
796	BitLocker Drive Encryption is using software-based encryption to protect volume …	BitLocker Management
797	Group Policy settings prevented BitLocker Drive Encryption from reverting to …	BitLocker Management
798	BitLocker failed to initialize hardware encryption for volume %3.	BitLocker Management
799	BitLocker failed to initialize hardware encryption for volume %3.	BitLocker Management
800	BitLocker failed to initialize hardware encryption for volume %3.	BitLocker Management
801	BitLocker failed to initialize hardware encryption for volume %3.	BitLocker Management
802	BitLocker failed to initialize hardware encryption for volume %3.	BitLocker Management
803	BitLocker failed to initialize hardware encryption for volume %3.	BitLocker Management
804	The target drive cannot be managed by BitLocker because the drive's hardware …	BitLocker Management
805	The BitLocker protected volume was unlocked in the Windows Recovery Environment.	BitLocker Management
806	BitLocker resealed boot settings to the TPM in the Windows Recovery Environment.	BitLocker Management
807	BitLocker free space wiping was canceled for volume %3.	BitLocker Management
808	BitLocker failed to initialize hardware encryption for volume %3.	BitLocker Management
809	BitLocker cannot use Secure Boot for integrity because it is disabled in Group …	BitLocker Management
810	BitLocker cannot use Secure Boot for integrity because it is disabled.	BitLocker Management
811	BitLocker cannot use Secure Boot for integrity because the required UEFI …	BitLocker Management
812	BitLocker cannot use Secure Boot for integrity because the UEFI variable '.	BitLocker Management
813	BitLocker cannot use Secure Boot for integrity because the expected TCG Log …	BitLocker Management
814	BitLocker cannot use Secure Boot for integrity because the expected TCG Log …	BitLocker Management
815	BitLocker cannot use Secure Boot for integrity because the expected TCG Log …	BitLocker Management
816	BitLocker cannot use Secure Boot for integrity because the TCG Log for PCR [7] …	BitLocker Management
817	BitLocker successfully sealed a key to the TPM.	BitLocker Management
818	BitLocker encountered a failure attempting to configure network unlock for …	BitLocker Management
819	The BitLocker service could not resume protection on the OS volume %3, due to …	BitLocker Management
820	The BitLocker service could not resume protection on the OS volume %3, due to …	BitLocker Management
821	The BitLocker service could not resume protection on the OS volume %3, due to …	BitLocker Management
822	The BitLocker service could not resume protection on the OS volume %3, due to …	BitLocker Management
823	Bootmgr failed to obtain the BitLocker volume master key from the TPM because …	System
824	Bootmgr failed to obtain the BitLocker volume master key from the TPM because …	System
825	BitLocker failed to initialize hardware encryption for volume %3.	BitLocker Management
826	The password was changed.	BitLocker Management
827	A password change attempt failed.	BitLocker Management
828	BitLocker Drive Encryption recovery information for volume %3 was backed up …	BitLocker Management
829	Failed to backup BitLocker Drive Encryption recovery information for volume %3 …	BitLocker Management
830	The BitLocker Drive Encryption recovery information already exists in your …	BitLocker Management
831	Failed to save BitLocker Drive Encryption recovery information to your Microsoft …	BitLocker Management
832	TCG Log parsing failure.	BitLocker Management
833	BitLocker detected that custom Secure Boot policy is installed, and will seal to …	BitLocker Management
834	BitLocker determined that the TCG log is invalid for use of Secure Boot.	BitLocker Management
835	BitLocker cannot use Secure Boot for integrity because the expected TCG Log …	BitLocker Management
836	BitLocker cannot use Secure Boot for integrity because the expected TCG Log …	BitLocker Management
837	BitLocker cannot use Secure Boot for integrity because the expected TCG Log …	BitLocker Management
838	BitLocker cannot use Secure Boot for integrity because the signature of the boot …	BitLocker Management
839	BitLocker cannot use Secure Boot for integrity because the TCG Log entry for the …	BitLocker Management
840	A trusted WIM file has been added for volume %3.	BitLocker Management
841	BitLocker was unable to update a key for volume %3 due to the following error: …	BitLocker Management
842	BitLocker was unable to reseal boot settings to the TPM in the Windows Recovery …	BitLocker Management
843	BitLocker was suspended from within the Windows Recovery Environment.	BitLocker Management
844	BitLocker was unable to recover from device lock in the Windows Recovery …	BitLocker Management
845	BitLocker Drive Encryption recovery information for volume %1 was backed up …	BitLocker Management
846	Failed to backup BitLocker Drive Encryption recovery information for volume %1 …	BitLocker Management
847	Failed to save BitLocker Drive Encryption recovery information to your Azure AD …	BitLocker Management
848	Failed to update BCD store with the Recovery URL for OS volume.	BitLocker Management
849	Failed to set the TPM dictionary attack parameters to the legacy behavior.	BitLocker Management
850	Successfully set the TPM dictionary attack parameters to the legacy behavior.	BitLocker Management
851	Failed to enable Silent Encryption.	BitLocker Management
852	Failed to enable Silent Encryption.	BitLocker Management
853	Failed to enable Silent Encryption.	BitLocker Management
854	Failed to enable Silent Encryption.	BitLocker Management
855	Recovery Password Rotation initiated.	BitLocker Management
856	Failed to initiate the Recovery Password Rotation Error.	BitLocker Management
857	Recovery Passwords Rotation done successfully	BitLocker Management
858	Recovery Password Rotation failed.	BitLocker Management
859	Recovery Password Rotation failed.	BitLocker Operational
860	Failed to delete recovery password from AAD.	BitLocker Operational
861	Failed to create clinet recovery password rotation request.	BitLocker Operational
862	Failed to Create AAD recovery Password Delete request.	BitLocker Operational
863	Failed to initiate the Recovery Password Rotation and Entra ID Deletion requests …	BitLocker Management
864	Recovery Passwords Rotation and AAD Deletion requests processing initiated …	BitLocker Management
865	BitLocker was unable to verify if TPM protector resealing is possible for volume …	BitLocker Management
866	A BitLocker key protector which uses PBKDF2 was created.	BitLocker Management
867	Failed to delete BitLocker Drive Encryption recovery information for volume %1 …	BitLocker Management
868	Failed while attempting to get BitLocker Drive Encryption recovery information …	BitLocker Management
869	An operating system volume BitLocker recovery key password for the currently …	BitLocker Management
870	Failed to register information for reverted volume.	BitLocker Management
871	Failed to register timer for recovery password cleanup.	BitLocker Management
872	Failed to save request.	BitLocker Management
873	Server reported a failure while attempting to backup a recovery password.	BitLocker Management
874	Server reported a failure while attempting to delete recovery password(s) from …	BitLocker Management
875	Server reported a failure while attempting to retrieve recovery password …	BitLocker Management
876	Failed to delete BitLocker Drive Encryption recovery information from Azure AD.	BitLocker Management
877	Not all privileges requested are assigned to the caller.	Tracing
878	BitLocker failed to validate secure boot state.	BitLocker Management
879	BitLocker failed to add a recovery password because the maximum number of …	BitLocker Management
880	BitLocker is unable to predict PCR7 value and will attempt to seal to current …	BitLocker Management
881	The signature contained in the EFI_SIGNATURE_DATA structure from the TCG Log OS …	BitLocker Management
882	BitLocker cannot use Secure Boot for integrity because hash of the boot manager …	BitLocker Management
883	BitLocker cannot use Secure Boot for integrity because the expected TCG Log …	BitLocker Management
884	BitLocker cannot use Secure Boot for integrity because the signature in a TCG …	BitLocker Management
885	BitLocker cannot use Secure Boot for integrity because the signature predicted …	BitLocker Management
886	BitLocker removed an orphaned TPM digest datum with identifier %2.	BitLocker Management
887	There was a problem communicating with the TPM at boot.	System
888	BitLocker failed to obtain the key from the TPM due to an unforseen TPM failure.	System
889	BitLocker is attempting to seal to a PCR which is known to have events extended …	BitLocker Management
890		Operational
890	BitLocker conducted a TPM binding census.	BitLocker Management
891		Operational
891	BitLocker updated its TPM bindings in response to a PCR Prediction Framework …	BitLocker Management
892		Operational
892	BitLocker successfully sealed a key to the TPM.	BitLocker Management
893		Operational
893	BitLocker determined that the TCG log is invalid for use of Secure Boot.	BitLocker Management
896		Operational
896	BitLocker is currently excluding PCRs %1 from its TPM protector PCR profile (%2) …	BitLocker Management
897		Operational
897	BitLocker Drive Encryption recovery information for volume %3 was backed up …	BitLocker Management
898		Operational
898	Failed to backup BitLocker Drive Encryption recovery information for volume %3 …	BitLocker Management
899		Operational
899	BitLocker is reading the TPM to calculate the PCR %1 value.	BitLocker Management
900		Operational
900	BitLocker successfully committed metadata changes for volume %3.	BitLocker Management
4096	Device Encryption could not be initialized.	BitLocker Management
4097	Device Encryption initialization start.	Tracing
4098	Device Encryption initialization stop.	Tracing
4099	Device Encryption failed to process user logon event.	BitLocker Management
4100	Beginning Device Encryption user logon processing.	Tracing
4101	Ending Device Encryption user logon processing.	Tracing
4102	BitLocker failed to recover after Device Lock.	BitLocker Management
4103	Failed to automatically enable Device Encryption.	BitLocker Management
4104	Begin Enable Protection.	Tracing
4105	End Enable Protection.	Tracing
4106	Failed to automatically back up recovery password to your Microsoft account.	BitLocker Management
4107	Begin Recovery Password Backup.	Tracing
4108	End Recovery Password Backup.	Tracing
4109	Begin Query Protection Status.	Tracing
4110	End Query Protection Status.	Tracing
4111	Device Lock recovery event initiated for volume %3.	BitLocker Management
4112	MaxPasswordRetry policy enforced with TPM-based hardening for volume %3.	BitLocker Management
4113	MaxPasswordRetry policy enforced without hardware based hardening for volume %3.	BitLocker Management
4114	Device Lock recovery event initiated due to protected state mismatch for volume …	BitLocker Management
4116	Device Encryption initialization for volume %3 start.	Tracing
4117	Device Encryption initialization for volume %3 stop.	Tracing
4118	Volume %3 could not be initialized for Device Encryption.	BitLocker Operational
4119	Windows RE is not correctly configured for device encryption.	BitLocker Operational
4120	The TPM is not provisioned for device encryption.	BitLocker Operational
4121	Sign in with a Microsoft account to finish provisioning device encryption.	BitLocker Operational
4122	The following DMA (Direct Memory Access) capable devices are not declared as …	BitLocker Management
4123	BitLocker Drive Encryption recovery information for volume %1 was deleted …	BitLocker Management
4124	HSTI is not supported on this device	Tracing
4125	Failed to query HSTI data size.	Tracing
4126	Actual HSTI data size.	Tracing
4127	HSTI provider count.	Tracing
4128	HSTI data version.	Tracing
4129	HSTI security features size mismatch for HSTI provider %1: expected %2, actual …	Tracing
4130	HSTI provider %1 found with unknown version %2.	Tracing
4131	HSTI provider %1 found.	Tracing
4132	HSTI provider %1 found.	Tracing
4133	No HSTI provider with PLATFORM_SECURITY_ROLE_PLATFORM_REFERENCE found	Tracing
4134	HSTI provider %1 (which is not PLATFORM_SECURITY_ROLE_PLATFORM_REFERENCE) set …	Tracing
4135	HSTI combined results report secure Intel Thunderbolt configuration bit.	Tracing
4136	Required HSTI features were not verified by any provider.	Tracing
4137	HSTI tests failed.	Tracing
4138	Successfully setup TPM API callback.	BitLocker Management
4139	Failed to setup TPM API callback.	BitLocker Management
4140	Successfully added predicted TPM protector.	BitLocker Management
4141	Failed to add predicted TPM protector.	BitLocker Management
4142	Predicted PCR4 value for TPM info based protector.	BitLocker Management
4143	Failed to evaluate PCR4 predicted value from TPM info.	BitLocker Management
4144	Predicted PCR7 value for TPM info based protector.	BitLocker Management
4145	Failed to evaluate PCR7 predicted value from TPM info.	BitLocker Management
4146	Device Encryption initialized automatically for volume %3.	BitLocker Management
4147	Device Encryption initialized by user for volume %3.	BitLocker Management

Event ID 513 — BitLocker Drive Encryption recovery information was backed up successfully to Active Directory Domain Services.

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

BitLocker Drive Encryption recovery information was backed up successfully to Active Directory Domain Services.
Protector GUID: %1
Volume GUID: %2

Fields

Name	Description
`Protector_GUID`	—
`Volume_GUID`	—
`ProtectorGUID`	—
`VolumeGUID`	—

Event ID 514 — Failed to backup BitLocker Drive Encryption recovery information to Active Directory Domain Services.

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

Failed to backup BitLocker Drive Encryption recovery information to Active Directory Domain Services.
Errorcode: %2
Protector GUID: %1
Volume GUID: %3

Fields

Name	Description
`Protector_GUID`	—
`Errorcode`	—
`Volume_GUID`	—
`ProtectorGUID`	—
`ErrorCode`	—
`VolumeGUID`	—

Event ID 515 — BitLocker Drive Encryption recovery information for the specified protector is already present in Active Directory Domain Services.

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

BitLocker Drive Encryption recovery information for the specified protector is already present in Active Directory Domain Services.
Protector GUID: %1
Volume GUID: %2

Fields

Name	Description
`Protector_GUID`	—
`Volume_GUID`	—
`ProtectorGUID`	—
`VolumeGUID`	—

Event ID 516 — A BitLocker certificate data recovery agent was created, because it was missing on the volume or added to the list of data recovery agents.

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

A BitLocker certificate data recovery agent was created, because it was missing on the volume or added to the list of data recovery agents.
Certificate thumbprint: %2
Protector GUID: %1
Volume GUID: %3

Fields

Name	Description
`Protector_GUID`	—
`Certificate_thumbprint`	—
`Volume_GUID`	—
`ProtectorGUID`	—
`Thumbprint`	—
`VolumeGUID`	—

Event ID 517 — A BitLocker certificate data recovery agent was removed, because is no longer in the list of data recovery agents.

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

A BitLocker certificate data recovery agent was removed, because is no longer in the list of data recovery agents.
Certificate thumbprint: %2
Protector GUID: %1
Volume GUID: %3

Fields

Name	Description
`Protector_GUID`	—
`Certificate_thumbprint`	—
`Volume_GUID`	—
`ProtectorGUID`	—
`Thumbprint`	—
`VolumeGUID`	—

Event ID 518 — The attempt to create a data recovery agent protector on the BitLocker volume failed.

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

The attempt to create a data recovery agent protector on the BitLocker volume failed.
Errorcode: %1
Certificate thumbprint: %2
Volume GUID: %3

Fields

Name	Description
`Errorcode`	—
`Certificate_thumbprint`	—
`Volume_GUID`	—
`ErrorCode`	—
`Thumbprint`	—
`VolumeGUID`	—

Event ID 519 — The servicing of the data recovery agents on the volume failed.

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

The servicing of the data recovery agents on the volume failed.
Errorcode: %1
Volume GUID: %2

Fields

Name	Description
`Errorcode`	—
`Volume_GUID`	—
`ErrorCode`	—
`VolumeGUID`	—

Event ID 520 — The management of the data recovery agents failed on this drive because this feature of BitLocker Drive Encryption is not supported in this edition...

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

The management of the data recovery agents failed on this drive because this feature of BitLocker Drive Encryption is not supported in this edition of the Windows operating system. 
Errorcode: %1
Volume GUID: %2

Fields

Name	Description
`Errorcode`	—
`Volume_GUID`	—
`ErrorCode`	—
`VolumeGUID`	—

Event ID 521 — Bootmgr failed to obtain the BitLocker volume master key from the TPM because the PCRs did not match.

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

Bootmgr failed to obtain the BitLocker volume master key from the TPM because the PCRs did not match.

Fields

Name	Description
`VolumeGUID`	—

Event ID 522 — Bootmgr determined that the following boot application has changed.

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

Bootmgr determined that the following boot application has changed: %1

Fields

Name	Description
`BootApplication`	—
`VolumeGUID`	—

Event ID 523 — Bootmgr determined that the boot configuration data setting %1 has changed for the following boot application: %2.

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

Bootmgr determined that the boot configuration data setting %1 has changed for the following boot application: %2

Fields

Name	Description
`BCDSetting`	—
`BootApplication`	—
`VolumeGUID`	—

Event ID 524 — Bootmgr determined that the authorization data for the SRK of the TPM is incompatible with BitLocker.

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

Bootmgr determined that the authorization data for the SRK of the TPM is incompatible with BitLocker.

Fields

Name	Description
`VolumeGUID`	—

Event ID 525 — Bootmgr determined that the TPM is disabled.

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

Bootmgr determined that the TPM is disabled.

Fields

Name	Description
`VolumeGUID`	—

Event ID 526 — Bootmgr determined that the TPM is not accessible.

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

Bootmgr determined that the TPM is not accessible.

Fields

Name	Description
`VolumeGUID`	—

Event ID 527 — The partition size specified in the partition table is smaller than the size of the file system contained by that partition.

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

The partition size specified in the partition table is smaller than the size of the file system contained by that partition.  BitLocker TPM based keys cannot be used until the size of the partition calculated from the partition table is consistent with the size of the file system calculated from the bytes per sector and number of sectors fields in the boot sector.

Fields

Name	Description
`VolumeGUID`	—

Event ID 528 — Boot debugging is enabled on Bootmgr so TPM based keys cannot be obtained.

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

Boot debugging is enabled on Bootmgr so TPM based keys cannot be obtained.

Fields

Name	Description
`VolumeGUID`	—

Event ID 529 — Bootmgr determined that driver signature enforcement has been disabled.

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

Bootmgr determined that driver signature enforcement has been disabled.

Fields

Name	Description
`VolumeGUID`	—

Event ID 530 — Bootmgr determined that the device was locked out due to too many failed password attempts.

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

Bootmgr determined that the device was locked out due to too many failed password attempts.

Fields

Name	Description
`VolumeGUID`	—

Event ID 531 — Bootmgr determined that the device was locked out due to Device Lockout state validation failure.

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

Bootmgr determined that the device was locked out due to Device Lockout state validation failure.

Fields

Name	Description
`VolumeGUID`	—

Event ID 532 — Bootmgr determined that the TPM is not present or recognized.

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

Bootmgr determined that the TPM is not present or recognized.

Fields

Name	Description
`VolumeGUID`	—

Event ID 768 — BitLocker encryption was started for volume %3 using %4 algorithm.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management
Level: 4
Samples: 1

Message

BitLocker encryption was started for volume %3 using %4 algorithm.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`AlgorithmType`	—

Example Event

system:
  provider: Microsoft-Windows-BitLocker-API
  guid: 5D674230-CA9F-11DA-A94D-0800200C9A66
  event_source_name: ''
  event_id: 768
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2022-11-01T21:26:46.384614Z'
  event_record_id: 21
  correlation: {}
  execution:
    process_id: 10108
    thread_id: 9288
  channel: Microsoft-Windows-BitLocker/BitLocker Management
  computer: GUAPOS-PC
  security:
    user_id: S-1-5-21-2296991126-4013933037-3802873755-1001
event_data:
  IdentificationGUID: 45A9DCBD-40EC-4295-A9E6-C2E63844F040
  VolumeName: \\?\Volume{95b548ac-9d1a-4f36-96fc-2c67e06caefb}
  VolumeMountPoint: 'C:'
  AlgorithmType: 32772

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 769 — BitLocker encryption will occur for volume %3 when the computer is restarted using %4 algorithm.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker encryption will occur for volume %3 when the computer is restarted using %4 algorithm.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`AlgorithmType`	—

Event ID 770 — BitLocker decryption was started for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker decryption was started for volume %3.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 771 — BitLocker encryption was stopped for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker encryption was stopped for volume %3.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 772 — BitLocker encryption was restarted for volume %3 using %4 algorithm.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker encryption was restarted for volume %3 using %4 algorithm.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`AlgorithmType`	—

Event ID 773 — BitLocker was suspended for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker was suspended for volume %3.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 774 — BitLocker was resumed for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker was resumed for volume %3.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 775 — A BitLocker key protector was created.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management
Level: 4
Samples: 1

Message

A BitLocker key protector was created.
Protector GUID: %4
Identification GUID: %1

Fields

Name	Description
`Identification_GUID`	—
`Protector_GUID`	—

Example Event

system:
  provider: Microsoft-Windows-BitLocker-API
  guid: 5D674230-CA9F-11DA-A94D-0800200C9A66
  event_source_name: ''
  event_id: 775
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2022-11-01T21:25:03.283252Z'
  event_record_id: 18
  correlation: {}
  execution:
    process_id: 10108
    thread_id: 1924
  channel: Microsoft-Windows-BitLocker/BitLocker Management
  computer: GUAPOS-PC
  security:
    user_id: S-1-5-21-2296991126-4013933037-3802873755-1001
event_data:
  IdentificationGUID: 45A9DCBD-40EC-4295-A9E6-C2E63844F040
  VolumeName: \\?\Volume{95b548ac-9d1a-4f36-96fc-2c67e06caefb}
  VolumeMountPoint: 'C:'
  ProtectorGUID: 354C0BE9-1562-417A-A871-247448EDE788
  ProtectorType: '0x1'

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 776 — A BitLocker key protector was removed.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

A BitLocker key protector was removed.
Protector GUID: %4
Identification GUID: %1

Fields

Name	Description
`Identification_GUID`	—
`Protector_GUID`	—
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ProtectorGUID`	—

Event ID 777 — The PIN was updated for the operating system volume.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

The PIN was updated for the operating system volume.
Protector GUID: %4
Identification GUID: %1

Fields

Name	Description
`Identification_GUID`	—
`Protector_GUID`	—
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ProtectorGUID`	—

Event ID 778 — The BitLocker volume %3 was reverted to an unprotected state.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

The BitLocker volume %3 was reverted to an unprotected state.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 779 — The BitLocker volume %3 was erased.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

The BitLocker volume %3 was erased.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 780 — The identification field was changed.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management
Level: 4
Samples: 1

Message

The identification field was changed. 
Identification GUID: %1

Fields

Name	Description
`Identification_GUID`	—

Example Event

system:
  provider: Microsoft-Windows-BitLocker-API
  guid: 5D674230-CA9F-11DA-A94D-0800200C9A66
  event_source_name: ''
  event_id: 780
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2022-11-01T21:26:46.325697Z'
  event_record_id: 20
  correlation: {}
  execution:
    process_id: 10108
    thread_id: 9288
  channel: Microsoft-Windows-BitLocker/BitLocker Management
  computer: GUAPOS-PC
  security:
    user_id: S-1-5-21-2296991126-4013933037-3802873755-1001
event_data:
  IdentificationGUID: 45A9DCBD-40EC-4295-A9E6-C2E63844F040
  VolumeName: \\?\Volume{95b548ac-9d1a-4f36-96fc-2c67e06caefb}
  VolumeMountPoint: 'C:'

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 781 — The BitLocker protected volume %3 was locked.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

The BitLocker protected volume %3 was locked. 
Identification GUID: %1

Fields

Name	Description
`Identification_GUID`	—
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 782 — The BitLocker protected volume %3 was unlocked.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

The BitLocker protected volume %3 was unlocked.
Protector GUID: %4
Identification GUID: %1

Fields

Name	Description
`Identification_GUID`	—
`Protector_GUID`	—
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ProtectorGUID`	—
`ProtectorType`	—

Event ID 783 — BitLocker Drive Encryption recovery information for the specified protector is already present in Active Directory Domain Services.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker Drive Encryption recovery information for the specified protector is already present in Active Directory Domain Services.
Protector GUID: %4
Identification GUID: %1

Fields

Name	Description
`Identification_GUID`	—
`Protector_GUID`	—
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ProtectorGUID`	—

Event ID 784 — BitLocker Drive Encryption recovery information was backed up successfully to Active Directory Domain Services.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker Drive Encryption recovery information was backed up successfully to Active Directory Domain Services.
Protector GUID: %4
Identification GUID: %1

Fields

Name	Description
`Identification_GUID`	—
`Protector_GUID`	—
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ProtectorGUID`	—

Event ID 785 — Failed to backup BitLocker Drive Encryption recovery information to Active Directory Domain Services.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to backup BitLocker Drive Encryption recovery information to Active Directory Domain Services.
Protector GUID: %4
Identification GUID: %1

Fields

Name	Description
`Identification_GUID`	—
`Protector_GUID`	—
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ProtectorGUID`	—

Event ID 786 — BitLocker free space wiping was started for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker free space wiping was started for volume %3.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 787 — BitLocker free space wiping was stopped for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker free space wiping was stopped for volume %3.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 788 — BitLocker free space wiping was restarted for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker free space wiping was restarted for volume %3.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 789 — The PIN was changed.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

The PIN was changed.

Event ID 790 — A PIN change attempt failed.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

A PIN change attempt failed.
Error message: %1

Fields

Name	Description
`Error_message`	—
`ErrorCode`	—

Event ID 791 — The BitLocker Service (BdeSvc) PIN and password change facility is locked out due to too many failed PIN or password change attempts.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

The BitLocker Service (BdeSvc) PIN and password change facility is locked out due to too many failed PIN or password change attempts.

Event ID 792 — BitLocker encountered a failure to commit metadata changes for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker encountered a failure to commit metadata changes for volume %3.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ErrorCode`	—

Event ID 793 — BitLocker resealed boot settings to the TPM for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management
Level: 3
Samples: 1

Message

BitLocker resealed boot settings to the TPM for volume %3.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Example Event

system:
  provider: Microsoft-Windows-BitLocker-API
  guid: 5D674230-CA9F-11DA-A94D-0800200C9A66
  event_source_name: ''
  event_id: 793
  version: 0
  level: 3
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2022-11-09T22:40:09.768066Z'
  event_record_id: 28
  correlation: {}
  execution:
    process_id: 1224
    thread_id: 2092
  channel: Microsoft-Windows-BitLocker/BitLocker Management
  computer: GUAPOS-PC
  security:
    user_id: S-1-5-18
event_data:
  IdentificationGUID: 45A9DCBD-40EC-4295-A9E6-C2E63844F040
  VolumeName: \\?\Volume{95b548ac-9d1a-4f36-96fc-2c67e06caefb}
  VolumeMountPoint: 'C:'

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 794 — BitLocker failed to reseal boot settings to the TPM.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker failed to reseal boot settings to the TPM.
Error message: %1.

Fields

Name	Description
`Error_message`	—
`ErrorCode`	—

Event ID 795 — BitLocker failed to initialize hardware encryption for volume %3 due to group policy.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker failed to initialize hardware encryption for volume %3 due to group policy.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 796 — BitLocker Drive Encryption is using software-based encryption to protect volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management
Level: 4
Samples: 1

Message

BitLocker Drive Encryption is using software-based encryption to protect volume %3.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Example Event

system:
  provider: Microsoft-Windows-BitLocker-API
  guid: 5D674230-CA9F-11DA-A94D-0800200C9A66
  event_source_name: ''
  event_id: 796
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2022-11-01T21:25:02.989680Z'
  event_record_id: 15
  correlation: {}
  execution:
    process_id: 10108
    thread_id: 1924
  channel: Microsoft-Windows-BitLocker/BitLocker Management
  computer: GUAPOS-PC
  security:
    user_id: S-1-5-21-2296991126-4013933037-3802873755-1001
event_data:
  IdentificationGUID: 00000000-0000-0000-0000-000000000000
  VolumeName: \\?\Volume{95b548ac-9d1a-4f36-96fc-2c67e06caefb}
  VolumeMountPoint: 'C:'

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 797 — Group Policy settings prevented BitLocker Drive Encryption from reverting to BitLocker software-based encryption.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Group Policy settings prevented BitLocker Drive Encryption from reverting to BitLocker software-based encryption. Volume %3 is not protected by BitLocker.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 798 — BitLocker failed to initialize hardware encryption for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker failed to initialize hardware encryption for volume %3.
Drive is not provisioned for use with BitLocker hardware encryption:
Hardware-based encryption is not activated on this drive.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 799 — BitLocker failed to initialize hardware encryption for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker failed to initialize hardware encryption for volume %3.
Drive is not provisioned for use with BitLocker hardware encryption:
The hardware-based encryption of this drive does not allow BitLocker to cryptographically protect the drive's media encryption key.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 800 — BitLocker failed to initialize hardware encryption for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker failed to initialize hardware encryption for volume %3.
Drive is not provisioned for use with BitLocker hardware encryption:
Hardware-based encryption is either not configured or has been configured improperly on this volume.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 801 — BitLocker failed to initialize hardware encryption for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker failed to initialize hardware encryption for volume %3.
Drive is not provisioned for use with BitLocker hardware encryption:
Hardware-based encryption cannot be used with this drive because the hardware encryption method used by this drive does not comply with the Group Policy requirement for drive encryption.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 802 — BitLocker failed to initialize hardware encryption for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker failed to initialize hardware encryption for volume %3.
Drive is not provisioned for use with BitLocker hardware encryption:
The key length, %5 bits, required to enable hardware-based encryption is below the minimum key length supported by the drive: %4.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ExpectedKeyLength`	—
`ActualKeyLength`	—

Event ID 803 — BitLocker failed to initialize hardware encryption for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker failed to initialize hardware encryption for volume %3.
Drive is not provisioned for use with BitLocker hardware encryption:
The key length, %5 bits, required to enable hardware-based encryption is above the maximum key length supported by the drive: %4.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ExpectedKeyLength`	—
`ActualKeyLength`	—

Event ID 804 — The target drive cannot be managed by BitLocker because the drive's hardware encryption feature is already in use.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

The target drive (%3) cannot be managed by BitLocker because the drive's hardware encryption feature is already in use.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 805 — The BitLocker protected volume was unlocked in the Windows Recovery Environment.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

The BitLocker protected volume was unlocked in the Windows Recovery Environment.
Protector GUID: %2
Identification GUID: %1
Unlock time: %4

Fields

Name	Description
`Identification_GUID`	—
`Protector_GUID`	—
`Unlock_time`	—
`IdentificationGUID`	—
`ProtectorGUID`	—
`ProtectorType`	—
`UnlockTime`	—

Event ID 806 — BitLocker resealed boot settings to the TPM in the Windows Recovery Environment.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker resealed boot settings to the TPM in the Windows Recovery Environment.
Reseal time: %2

Fields

Name	Description
`Reseal_time`	—
`IdentificationGUID`	—
`ResealTime`	—

Event ID 807 — BitLocker free space wiping was canceled for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker free space wiping was canceled for volume %3.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 808 — BitLocker failed to initialize hardware encryption for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker failed to initialize hardware encryption for volume %3.
Drive is not provisioned for use with BitLocker hardware encryption:
SID authority is not disabled on this drive.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 809 — BitLocker cannot use Secure Boot for integrity because it is disabled in Group Policy.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker cannot use Secure Boot for integrity because it is disabled in Group Policy.

Event ID 810 — BitLocker cannot use Secure Boot for integrity because it is disabled.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker cannot use Secure Boot for integrity because it is disabled.

Event ID 811 — BitLocker cannot use Secure Boot for integrity because the required UEFI variable '.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker cannot use Secure Boot for integrity because the required UEFI variable '%1' is not present.

Fields

Name	Description
`VariableName`	—

Event ID 812 — BitLocker cannot use Secure Boot for integrity because the UEFI variable '.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker cannot use Secure Boot for integrity because the UEFI variable '%1' could not be read.

Error Message: %2

Fields

Name	Description
`Error_Message`	—
`VariableName`	—
`ErrorCode`	—

Event ID 813 — BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for variable '.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for variable '%1' is missing or invalid.

Fields

Name	Description
`VariableName`	—

Event ID 814 — BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority is missing or invalid.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority is missing or invalid.

Event ID 815 — BitLocker cannot use Secure Boot for integrity because the expected TCG Log separator entry is missing or invalid.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker cannot use Secure Boot for integrity because the expected TCG Log separator entry is missing or invalid.

Event ID 816 — BitLocker cannot use Secure Boot for integrity because the TCG Log for PCR [7] contains invalid entries.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker cannot use Secure Boot for integrity because the TCG Log for PCR [7] contains invalid entries.

Event ID 817 — BitLocker successfully sealed a key to the TPM.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management
Level: 4
Samples: 1

Message

BitLocker successfully sealed a key to the TPM.

PCRs measured include [%1].

The source for these PCRs was: %2.

Fields

Name	Description
`The_source_for_these_PCRs_was`	—

Example Event

system:
  provider: Microsoft-Windows-BitLocker-API
  guid: 5D674230-CA9F-11DA-A94D-0800200C9A66
  event_source_name: ''
  event_id: 817
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2022-11-01T21:25:03.260930Z'
  event_record_id: 16
  correlation: {}
  execution:
    process_id: 10108
    thread_id: 1924
  channel: Microsoft-Windows-BitLocker/BitLocker Management
  computer: GUAPOS-PC
  security:
    user_id: S-1-5-21-2296991126-4013933037-3802873755-1001
event_data:
  PCRBitmap: 2176
  PCRBitmapSource: 3
  PCRValuesSize: 72
  PCRValues: 0B002000717ED786CD9A22923647FED0AEC18A34EE2097E0690619882C649ABD7377A1910B0020000000000000000000000000000000000000000000000000000000000000000000
  FilteredTcgLogSize: 17035
  FilteredTcgLog: 0700000001000080010000000B00CCFC4BB32888A345BC8AEADABA552B627D99348C767681AB3141F5B01E40A40E3500000061DFE48BCA93D211AA0D00E098032B8C0A00000000000000010000000000000053006500630075007200650042006F006F007400010700000001000080010000000B008C489E6B771E4BF95226F2D25C9F0F91E50E51052B25AA9DB534A40D9A3AC99F9A03000061DFE48BCA93D211AA0D00E098032B8C0200000000000000760300000000000050004B00A159C0A5E494A74A87B5AB155C2BF07276030000000000005A0300009130053B9F6CCC04B1ACE2A51E3BE5F5308203463082022EA00302010202105341E015C43AF8A84836B9A5FF691488300D06092A864886F70D01010B0500302D312B3029060355040313224153555354654B204D6F74686572426F61726420504B204365727469666963617465301E170D3131313232363233333435305A170D3331313232363233333434395A302D312B3029060355040313224153555354654B204D6F74686572426F61726420504B20436572746966696361746530820122300D06092A864886F70D01010105000382010F003082010A0282010100D9841536C5D4CE8AA15616A0E874CD581E2A02961BC43764DA8C6A2484CDDCC4680415C7E9CF20A4451A42F0A39B62226E2A4367178D4D10AAF8DDF22A9E86BA91D0327E95BE0178733AD3987E19F8160E27CCEAC5BEB5807EE8BCA81741B3EA55341953D77E7D50C75AB8EF54F9136EABD645CD1D0294E278D788A810528D7EBAF14936C06870F9D50C5AFD6B1A6F88C23769224292F39DAEEF73ECF40F324264C3E9B989DD06E5CC2F6BF8004E9164F70345F04FA41183E98397E9A0DC2DC80356B4DF61A632A58BA61B4ED81CA7A3F3724E72F8FE6949CF61F2E6599658B8147CCAF5E56BF06DDAF7BC085B7F57E99637595A7079570EC882C8917B67F92D0203010001A3623060305E0603551D01045730558010A28F65A66A296438D8D6720D3F3DE3E9A12F302D312B3029060355040313224153555354654B204D6F74686572426F61726420504B20436572746966696361746582105341E015C43AF8A84836B9A5FF691488300D06092A864886F70D01010B0500038201010073271A32880EDB138DF57EFC94F21A276BC2CA79D0BAB658BCDF97135A4CDCA2E490397B24847D2EA3959639A66BC2A651386FE50BAFC0910A903F3E5AE479169896329449AE002818AAEFFB549593C7FCE489EF9600CED6C68A4D85CA9C6CFB8AA74360365E7397172F1646D0CEF0A00777624D150E22F691711A79E1851C0B2C949F9D97CF49B5DDEA6AE5A761EC820D95E8985CE872C6DA8DDF21EC05300F79B8AFE9B02BC08373FEBF9D4A6DDAA5A06537CF2C87F12BC6A30E9264571A77EDD9474047DAEAFF2398D125B972F5383AB333A55DF144DCD8637DF92F7DF1D1D095C0A675A870C9C42BC04504D0405B757DE2B20A3C1E642230D20284C5B7BB0700000001000080010000000B002BAEA0FCF3EADBF39ECD8A4F7C5BF80D65C75B71FE00CD841C515A9DB8425E9D1B0E000061DFE48BCA93D211AA0D00E098032B8C0300000000000000F50D0000000000004B0045004B00A159C0A5E494A74A87B5AB155C2BF07279030000000000005D0300009130053B9F6CCC04B1ACE2A51E3BE5F53082034930820231A0030201020210311E46C51600A1A440F1C150E217C271300D06092A864886F70D01010B0500302E312C302A060355040313234153555354654B204D6F74686572426F617264204B454B204365727469666963617465301E170D3131313232363233333435395A170D3331313232363233333435385A302E312C302A060355040313234153555354654B204D6F74686572426F617264204B454B20436572746966696361746530820122300D06092A864886F70D01010105000382010F003082010A0282010100890984DEA721161B454D9C21738084F6D113E792A4B51D0AE34BC5A3009F64B9800FC21416D8D79E1EACA42FD8E8E23723D47580FAA32ADE8C352575F8C67736F21074A98E0849C7D536AB82FC266B53A2AB75A63EC223FB054B51D173CEBFDE88E5960C4A1F679A81E846A80945122F0F2939E9B1292BAC0C73AAFB784BD5297E352CAA842CE36279D35129D6ECF2E54045A09F174EB2F0DC3834C3C77CF605E827A1469B068C6F230A6A97EA22579969D37FEB2FD9592126065B367D1FB387056AA5FEE2AA4D8EC8365763BDB8ECDC8B8BA0252A4ACC839F05552B644BDF1006E56A0A7DD60C9EEDA9A7AEF126A6314C4B771DEB8D50CFA8D5176805973ADB0203010001A3633061305F0603551D010458305680105915D5B5698AB89D28C872DB3F5A9CF0A130302E312C302A060355040313234153555354654B204D6F74686572426F617264204B454B2043657274696669636174658210311E46C51600A1A440F1C150E217C271300D06092A864886F70D01010B050003820101002158304F95F59F66E6020C685EFC2824A78A33B7318126653D5BC0BAA348E5A0E81AC9A956E10685875697F32679CCB198DB741D954C3EF9DD91977633DBB2699571F25E8B9AEC370D367C306C5C99171049C86DB7CE17F30C2E0A728C32D0108F8B76DAC506B75B11CD393C68716F2AB167B46DAEC8852D8CAE9D45B7E1E171088F7699DDBCF8EEA7B75907DBF5CA56988F9F793BC33812F70C6DAD834C49938F829004E300E7DF677984FEAA4072E1370B715AFE9496D1F24C5B3B3BFCD71BA74DE276E6CA63F9C94B4AE7922CE4B1754692D7916B213D38E01D7E322A282A08E5F9ED14F23C589C4852E08343A809FE3A35FB26BC7B87CA51E52424305CDCA159C0A5E494A74A87B5AB155C2BF0721806000000000000FC050000BD9AFA775903324DBD6028F4E78F784B308205E8308203D0A003020102020A610AD188000000000003300D06092A864886F70D01010B0500308191310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E313B3039060355040313324D6963726F736F667420436F72706F726174696F6E205468697264205061727479204D61726B6574706C61636520526F6F74301E170D3131303632343230343132395A170D3236303632343230353132395A308180310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E312A3028060355040313214D6963726F736F667420436F72706F726174696F6E204B454B204341203230313130820122300D06092A864886F70D01010105000382010F003082010A0282010100C4E8B58ABFAD5726B026C3EAE7FB577A44025D070DDA4AE5742AE6B00FEC6DEBEC7FB9E35A63327C11174F0EE30BA73815938EC6F5E084B19A9B2CE7F5B791D609E1E2C004A8AC301CDF48F306509A64A7517FC8854F8F2086CEFE2FE19FFF82C0EDE9CDCEF4536A623A0B43B9E225FDFE05F9D4C414AB11E223898D70B7A41D4DECAEE59CFA16C2D7C1CBD4E8C42FE599EE248B03EC8DF28BEAC34AFB4311120B7EB547926CDCE60489EBF53304EB10012A71E5F983133CFF25092F687646FFBA4FBEDCAD712A58AAFB0ED2793DE49B653BCC292A9FFC7259A2EBAE92EFF6351380C602ECE45FCC9D76CDEF6392C1AF79408479877FE352A8E89D7B07698F150203010001A382014F3082014B301006092B06010401823715010403020100301D0603551D0E0416041462FC43CDA03EA4CB6712D25BD955AC7BCCB68A5F301906092B0601040182371402040C1E0A00530075006200430041300B0603551D0F040403020186300F0603551D130101FF040530030101FF301F0603551D2304183016801445665243E17E5811BFD64E9E2355083B3A226AA8305C0603551D1F045530533051A04FA04D864B687474703A2F2F63726C2E6D6963726F736F66742E636F6D2F706B692F63726C2F70726F64756374732F4D6963436F725468695061724D6172526F6F5F323031302D31302D30352E63726C306006082B0601050507010104543052305006082B060105050730028644687474703A2F2F7777772E6D6963726F736F66742E636F6D2F706B692F63657274732F4D6963436F725468695061724D6172526F6F5F323031302D31302D30352E637274300D06092A864886F70D01010B05000382020100D48488F514941802CA2A3CFB2A921C0CD7A0D1F1E85266A8EEA2B5757A9000AA2DA4765AEA79B7B9376A517B1064F6E164F20267BEF7A81B78BDBACE8858640CD657C819A35F05D6DBC6D069CE484B32B7EB5DD230F5C0F5B8BA7807A32BFE9BDB345684EC82CAAE4125709C6BE9FE900FD7961FE5E7941FB22A0C8D4BFF2829107BF7D77CA5D176B905C879ED0F90929CC2FEDF6F7E6C0F7BD4C145DD345196390FE55E56D8180596F407A642B3A077FD0819F27156CC9F8623A487CBA6FD587ED4696715917E81F27F13E50D8B8A3C8784EBE3CEBD43E5AD2D84938E6A2B5A7C44FA52AA81C82D1CBBE052DF0011F89A3DC160B0E133B5A388D165190A1AE7AC7CA4C182874E38B12F0DC514876FFD8D2EBC39B6E7E6C3E0E4CD2784EF9442EF298B9046413B811B67D8F9435965CB0DBCFD00924FF4753BA7A924FC50414079E02D4F0A6A27766E52ED96697BAF0FF78705D045C2AD5314811FFB3004AA373661DA4A691B34D868EDD602CF6C940CD3CF6C2279ADB1F0BC03A24660A9C407C22182F1FDF2E8793260BFD8ACA522144BCAC1D84BEB7D3F5735B2E64F75B4B060032253AE91791DD69B411F15865470B2DE0D350F7CB03472BA97603BF079EBA2B21C5DA216B887C5E91BF6B597256F389FE391FA8A7998C3690EB7A31C200597F8CA14AE00D7C4F3C01410756B34A01BB59960F35CB0C5574E36D23284BF9EA159C0A5E494A74A87B5AB155C2BF072640400000000000048040000E40AC46DE82E4C9CA3140FC7B2008710308204343082031CA003020102020900B94124A0182C9267300D06092A864886F70D01010B0500308184310B30090603550406130247423114301206035504080C0B49736C65206F66204D616E3110300E06035504070C07446F75676C617331173015060355040A0C0E43616E6F6E6963616C204C74642E3134303206035504030C2B43616E6F6E6963616C204C74642E204D617374657220436572746966696361746520417574686F72697479301E170D3132303431323131313235315A170D3432303431313131313235315A308184310B30090603550406130247423114301206035504080C0B49736C65206F66204D616E3110300E06035504070C07446F75676C617331173015060355040A0C0E43616E6F6E6963616C204C74642E3134303206035504030C2B43616E6F6E6963616C204C74642E204D617374657220436572746966696361746520417574686F7269747930820122300D06092A864886F70D01010105000382010F003082010A0282010100BF5B3A1674EE215DAE61ED9D56ACBDDEDE72F3DD7E2D4C620FACC06D480811CF8D8BFB611F27CC116ED9553D3954EB403BB1BBE2853479CAF77BBFBA7AC8102D197DAD59CFA6D4E94E0FDAAE52EA4C9E90CEC6990D4E6765785DF9D1D5384A4A7A8F939C7F1AA385DBCEFA8BF7C2A2212D9B5441351057138D6CBC2906504A7EEA99A968A73BC7071B329EA019870E79BB68992D7E9352E5F6EBC99BF92BEDB86849BCD99550405BC5B271AAEB5C57DE71F9400ADD5BAC1E842D501A52D6E1F36B6E90644F5BB4EB20E46110DA5AF0EAE442D701C4FE211FD9B9C05495428152721F49647AC86C24F108700B4DA5A032D1A01C57A84DE3AFA58E05053E1043A10203010001A381A63081A3301D0603551D0E04160414AD91990BC22AB1F517048C23B6655A268E345A63301F0603551D23041830168014AD91990BC22AB1F517048C23B6655A268E345A63300F0603551D130101FF040530030101FF300B0603551D0F04040302018630430603551D1F043C303A3038A036A0348632687474703A2F2F7777772E63616E6F6E6963616C2E636F6D2F7365637572652D626F6F742D6D61737465722D63612E63726C300D06092A864886F70D01010B050003820101003F7DF676A5B383B42B7AD06D521A0383C412A7509C4792CCC0947782D2AE57B39904F5323AC6551D07DB12A956FAD8D47620EBE4C351DB9A5C9C923F1873DA946AA199388CA4886DC1FC3971D0747616033E562335D555475B1A1D41C2D3124CDCFFAE0A929C620A17019C73E05EB1FDBCD6B519117A7ECD3E037E66DB5BA8C9394851FF53E19C3153911B3B10750317BAE681028094704C46B794B03D15CD1F8E02E068028FFBF9471D7DA201C60751C49ACCEDDDCFA35DED92BBBED1FDE6EC1F33517304BE3C72B07D08F801FF987DCB9CE069397725477188B18D27A52EA8F73F5F8069973EA9F49914DBCE030E0B66C41C6DBDB82777C14294BDFC6A0ABC0700000001000080010000000B005B463B6C9B68D073CA57C50C08B4D7D43EA0881F0C9A91D87748FE5E4488208AD6180000CBB219D73A3D9645A3BCDAD00E67656F0200000000000000B21800000000000064006200A159C0A5E494A74A87B5AB155C2BF0728203000000000000660300009130053B9F6CCC04B1ACE2A51E3BE5F5308203523082023AA0030201020210DA83B990422EBC8C441F8D8B039A65A2300D06092A864886F70D01010B05003031312F302D060355040313264153555354654B204D6F74686572426F617264205357204B6579204365727469666963617465301E170D3131313232363233333530355A170D3331313232363233333530345A3031312F302D060355040313264153555354654B204D6F74686572426F617264205357204B657920436572746966696361746530820122300D06092A864886F70D01010105000382010F003082010A02820101008CF6A6EB77FC838AA49FD5F8CF3F37F26E2D0A62C5D89B1D160B227F295F3A26DF53978C7894199042730F85C2FFA4857C812E0B51BA562327923DA3F2DCE277849E50BE8AEB5134A4F8EF5DD751FE70424C4206EF692CA2D325E1265723856DD0A77BC045287E89D5B40AEBAF417921D2D700EC48F944F65BBEB62524F08E2EB4523EE10EC1A467EAFEE593CCB9C43621CB54FAAF9D9C8578CCE588F3840C67DB266958CADE4734ECCF2FB64959B556DB58457B219D990B5FDE5716A6ABC8793F9D7689E209F98DE26337FC74EA737E70AC1516A5ED88605F33ED949E0A05DEC785C3C17A54FB4ECBCBE85E447C39DB2DB2B76CCECA2F639D164EA6E5EFD6CF0203010001A366306430620603551D01045B3059801056B08B2AA7FECCF10CED8762DCD51DC3A1333031312F302D060355040313264153555354654B204D6F74686572426F617264205357204B65792043657274696669636174658210DA83B990422EBC8C441F8D8B039A65A2300D06092A864886F70D01010B0500038201010002CF526F0B91EBE43BB2700C072D7980019E4B4D92BBDC9EE5E53185E39A75EDCADE8CEE2834018314479E3AD4435B2CC441C8407DB5087686802BA8009FB7D3B1E6605C32B0A0010FBA368BB7B54E87D5B70A2CBDBC6A433CEE767C7620ED3991A8BF701ED6A81A3E81366B7D1D8DF6F8AF5B38536A040D7EAE4DEEAB02D4A4A2A9CFB6E366A3CA4D5DD418614DDA83284EAA2AAFDAEBDF2A20BD7880EFD1B0DD9B77DBC925394BCFA2861AACCC32E787D459B203C469028F17C9DE52CBE7ABB835C5F83306039352CFB368D2B35C1CE819FE7526EDD16572134D69345A9B0CB4E356533CB46727F8FAD320DA3758F6ADE28259A2B8222F9E56FEBC17491DAFA159C0A5E494A74A87B5AB155C2BF07279030000000000005D0300009130053B9F6CCC04B1ACE2A51E3BE5F53082034930820231A0030201020210B8E581E4DF77A5BB4282D5CCFC00C071300D06092A864886F70D01010B0500302E312C302A060355040313234153555354654B204E6F7465626F6F6B205357204B6579204365727469666963617465301E170D3131313232373030313835335A170D3331313232373030313835325A302E312C302A060355040313234153555354654B204E6F7465626F6F6B205357204B657920436572746966696361746530820122300D06092A864886F70D01010105000382010F003082010A02820101009E61FA742C2A8817C4BD77190DB333270C0E94ECB08B71B30877B7D2089D324F5CF70CCFE0295356ED2491D8BD532A89898C7428AB162D4F9B65FC637DED23B6975C6D04E4157FDCF8BA6B08CCC921E9B5DE8E03281263F06AB6E5DF1D7228CC64D663662F04526A1D257DC7BDE078FB0CB737E5AEF70DD6B5B4BFF5F1C68256785CA8F3532EF5EC153F12622FEBB6797986AC76FFB66645F533DADD25D6A7BFF8D9DBD3F1FACE0E2230D7D48002BDD32C1EEC462E2FCA0F7AFAB95CFF2B16C66A6B8D9464927EF955EE96004D042E4B15EDF108496A078669C8C564FAAD2C4F0250E41F83C72F199FE8A562D9513218B683CA080AA1ABA765709C1E48C30F490203010001A3633061305F0603551D01045830568010006511E3CA0F96E88D5B04A4E7FECEAAA130302E312C302A060355040313234153555354654B204E6F7465626F6F6B205357204B65792043657274696669636174658210B8E581E4DF77A5BB4282D5CCFC00C071300D06092A864886F70D01010B050003820101003118F4EEE372BABE33446174191F66AC5CFD1D9A2675D014CD6838B3A83F4FB44AE91E21F2C9EE379626BE1D589BAD21CE587953D3FF38EF8F22CD900EC63221759B5AABAF08FF05CD2BF88CE79747BB78E45F5647D2BCC8A595CB76895C65240218069C125FEFE05C19453896DF7A605D61BA4DC87B6E8D8C6E1DA9E59235A24F36D340ADD74012AB6C488D1892E4005203DF14AC663F6AAE423A0650AAA50D40A77BEBFD4149FFEBA3B4504FF754133B1F8EB44504204274FE783DBE7CDBA72A2A9D0648C09A0223AFF2980795DE3B3073EC3E73588F07534096D824D966807A758DB7392710897AB453BF3BC2E29793378A9D4D236EACEB0D53214D0B3413A159C0A5E494A74A87B5AB155C2BF072400600000000000024060000BD9AFA775903324DBD6028F4E78F784B30820610308203F8A003020102020A6108D3C4000000000004300D06092A864886F70D01010B0500308191310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E313B3039060355040313324D6963726F736F667420436F72706F726174696F6E205468697264205061727479204D61726B6574706C61636520526F6F74301E170D3131303632373231323234355A170D3236303632373231333234355A308181310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E312B3029060355040313224D6963726F736F667420436F72706F726174696F6E2055454649204341203230313130820122300D06092A864886F70D01010105000382010F003082010A0282010100A5086C4CC745096A4B0CA4C0877F06750C43015464E0167F07ED927D0BB273BF0C0AC64A4561A0C5162D96D3F52BA0FB4D499B4180903CB954FDE6BCD19DC4A4188A7F418A5C59836832BB8C47C9EE71BC214F9A8A7CFF443F8D8F32B22648AE75B5EEC94C1E4A197EE4829A1D78774D0CB0BDF60FD316D3BCFA2BA551385DF5FBBADB7802DBFFEC0A1B96D583B81913E9B6C07B407BE11F2827C9FAEF565E1CE67E947EC0F044B27939E5DAB2628B4DBF3870E2682414C933A40837D558695ED37CEDC1045308E74EB02A876308616F631559EAB22B79D70C61678A5BFD5EAD877FBA86674F71581222042222CE8BEF547100CE503558769508EE6AB1A201D50203010001A382017630820172301206092B060104018237150104050203010001302306092B060104018237150204160414F8C16BB77F77534AF325371D4EA1267B0F207080301D0603551D0E0416041413ADBF4309BD82709C8CD54F316ED522988A1BD4301906092B0601040182371402040C1E0A00530075006200430041300B0603551D0F040403020186300F0603551D130101FF040530030101FF301F0603551D2304183016801445665243E17E5811BFD64E9E2355083B3A226AA8305C0603551D1F045530533051A04FA04D864B687474703A2F2F63726C2E6D6963726F736F66742E636F6D2F706B692F63726C2F70726F64756374732F4D6963436F725468695061724D6172526F6F5F323031302D31302D30352E63726C306006082B0601050507010104543052305006082B060105050730028644687474703A2F2F7777772E6D6963726F736F66742E636F6D2F706B692F63657274732F4D6963436F725468695061724D6172526F6F5F323031302D31302D30352E637274300D06092A864886F70D01010B05000382020100350842FF30CCCEF7760CAD1068583529463276277CEF124127421B4AAA6D813848591355F3E95834A6160B82AA5DAD82DA808341068FB41DF203B9F31A5D1BF15090F9B3558442281C20BDB2AE5114C5C0AC9795211C90DB0FFC779E95739188CABDBD52B905500DDF579EA061ED0DE56D25D9400F1740C8CEA34AC24DAF9A121D08548FBDC7BCB92B3D492B1F32FC6A21694F9BC87E4234FC3606178B8F2040C0B39A257527CDC903A3F65DD1E736547AB950B5D312D107BFBB74DFDC1E8F80D5ED18F42F14166B2FDE668CB023E5C784D8EDEAC13382AD564B182DF1689507CDCFF072F0AEBBDD8685982C214C332BF00F4AF06887B592553275A16A826A3CA32511A4EDADD704AECBD84059A084D1954C6291221A741D8C3D470E44A6E4B09B3435B1FAB653A82C81ECA40571C89DB8BAE81B4466E447540E8E567FB39F1698B286D0683E9023B52F5E8F50858DC68D825F41A1F42E0DE099D26C75E4B669B52186FA07D1F6E24DD1DAAD2C77531E253237C76C52729586B0F135616A19F5B23B815056A6322DFEA289F94286271855A182CA5A9BF830985414A64796252FC826E441941A5C023FE596E3855B3C3E3FBB47167255E22522B1D97BE703062AA3F71E9046C3000DD61989E30E352762037115A6EFD027A0A0593760F83894B8E07870F8BA4C868794F6E0AE0245EE65C2B6A37E69167507929BF5A6BC598358A159C0A5E494A74A87B5AB155C2BF0720706000000000000EB050000BD9AFA775903324DBD6028F4E78F784B308205D7308203BFA003020102020A61077656000000000008300D06092A864886F70D01010B0500308188310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E31323030060355040313294D6963726F736F667420526F6F7420436572746966696361746520417574686F726974792032303130301E170D3131313031393138343134325A170D3236313031393138353134325A308184310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E312E302C060355040313254D6963726F736F66742057696E646F77732050726F64756374696F6E20504341203230313130820122300D06092A864886F70D01010105000382010F003082010A0282010100DD0CBBA2E42E09E3E7C5F79669BC0021BD693333EFAD04CB5480EE0683BBC52084D9F7D28BF338B0ABA4AD2D7C627905FFE34A3F04352070E3C4E76BE09CC03675E98A31DD8D70E5DC37B5744696285B8760232CBFDC47A567F751279E72EB07A6C9B91E3B53357CE5D3EC27B9871CFEB9C923096FA84691C16E963C41D3CBA33F5D026A4DEC691F25285C36FFFD43150A94E019B4CFDFC212E2C25B27EE2778308B5B2A096B22895360162CC0681D53BAEC49F39D618C85680973445D7DA2542BDD79F715CF355D6C1C2B5CCEBC9C238B6F6EB526D93613C34FD627AEB9323B41922CE1C7CD77E8AA544EF75C0B048765B44318A8B2E06D1977EC5A24FA48030203010001A38201433082013F301006092B06010401823715010403020100301D0603551D0E04160414A92902398E16C49778CD90F99E4F9AE17C55AF53301906092B0601040182371402040C1E0A00530075006200430041300B0603551D0F040403020186300F0603551D130101FF040530030101FF301F0603551D23041830168014D5F656CB8FE8A25C6268D13D94905BD7CE9A18C430560603551D1F044F304D304BA049A0478645687474703A2F2F63726C2E6D6963726F736F66742E636F6D2F706B692F63726C2F70726F64756374732F4D6963526F6F4365724175745F323031302D30362D32332E63726C305A06082B06010505070101044E304C304A06082B06010505073002863E687474703A2F2F7777772E6D6963726F736F66742E636F6D2F706B692F63657274732F4D6963526F6F4365724175745F323031302D30362D32332E637274300D06092A864886F70D01010B0500038202010014FC7C7151A579C26EB2EF393EBC3C520F6E2B3F101373FEA868D048A6344D8A960526EE3146906179D6FF382E456BF4C0E528B8DA1D8F8ADB09D71AC74C0A36666A8CEC1BD70490A81817A49BB9E240323676C4C15AC6BFE404C0EA16D3ACC368EF62ACDD546C503058A6EB7CFE94A74E8EF4EC7C867357C2522173345AF3A38A56C804DA0709EDF88BE3CEF47E8EAEF0F60B8A08FB3FC91D727F53B8EBBE63E0E33D3165B081E5F2ACCD16A49F3DA8B19BC242D090845F541DFF89EABA1D47906FB0734E419F409F5FE5A12AB21191738A2128F0CEDE73395F3EAB5C60ECDF0310A8D309E9F4F69685B67F51886647198DA2B0123D812A680577BB914C627BB6C107C7BA7A8734030E4B627A99E9CAFCCE4A37C92DA4577C1CFE3DDCB80F5AFAD6C4B30285023AEAB3D96EE4692137DE81D1F675190567D393575E291B39C8EE2DE1CDE445735BD0D2CE7AAB1619824658D05E9D81B367AF6C35F2BCE53F24E235A20A7506F6185699D4782CD1051BEBD088019DAA10F105DFBA7E2C63B7069B2321C4F9786CE2581706362B911203CCA4D9F22DBAF9949D40ED1845F1CE8A5C6B3EAB03D370182A0A6AE05F47D1D5630A32F2AFD7361F2A705AE5425908714B57BA7E8381F0213CF41CC1C5B990930E88459386E9B12099BE98CBC595A45D62D6A0630820BD7510777D3DF345B99F979FCB57806F33A904CF77A4621C597EA159C0A5E494A74A87B5AB155C2BF072640400000000000048040000E40AC46DE82E4C9CA3140FC7B2008710308204343082031CA003020102020900B94124A0182C9267300D06092A864886F70D01010B0500308184310B30090603550406130247423114301206035504080C0B49736C65206F66204D616E3110300E06035504070C07446F75676C617331173015060355040A0C0E43616E6F6E6963616C204C74642E3134303206035504030C2B43616E6F6E6963616C204C74642E204D617374657220436572746966696361746520417574686F72697479301E170D3132303431323131313235315A170D3432303431313131313235315A308184310B30090603550406130247423114301206035504080C0B49736C65206F66204D616E3110300E06035504070C07446F75676C617331173015060355040A0C0E43616E6F6E6963616C204C74642E3134303206035504030C2B43616E6F6E6963616C204C74642E204D617374657220436572746966696361746520417574686F7269747930820122300D06092A864886F70D01010105000382010F003082010A0282010100BF5B3A1674EE215DAE61ED9D56ACBDDEDE72F3DD7E2D4C620FACC06D480811CF8D8BFB611F27CC116ED9553D3954EB403BB1BBE2853479CAF77BBFBA7AC8102D197DAD59CFA6D4E94E0FDAAE52EA4C9E90CEC6990D4E6765785DF9D1D5384A4A7A8F939C7F1AA385DBCEFA8BF7C2A2212D9B5441351057138D6CBC2906504A7EEA99A968A73BC7071B329EA019870E79BB68992D7E9352E5F6EBC99BF92BEDB86849BCD99550405BC5B271AAEB5C57DE71F9400ADD5BAC1E842D501A52D6E1F36B6E90644F5BB4EB20E46110DA5AF0EAE442D701C4FE211FD9B9C05495428152721F49647AC86C24F108700B4DA5A032D1A01C57A84DE3AFA58E05053E1043A10203010001A381A63081A3301D0603551D0E04160414AD91990BC22AB1F517048C23B6655A268E345A63301F0603551D23041830168014AD91990BC22AB1F517048C23B6655A268E345A63300F0603551D130101FF040530030101FF300B0603551D0F04040302018630430603551D1F043C303A3038A036A0348632687474703A2F2F7777772E63616E6F6E6963616C2E636F6D2F7365637572652D626F6F742D6D61737465722D63612E63726C300D06092A864886F70D01010B050003820101003F7DF676A5B383B42B7AD06D521A0383C412A7509C4792CCC0947782D2AE57B39904F5323AC6551D07DB12A956FAD8D47620EBE4C351DB9A5C9C923F1873DA946AA199388CA4886DC1FC3971D0747616033E562335D555475B1A1D41C2D3124CDCFFAE0A929C620A17019C73E05EB1FDBCD6B519117A7ECD3E037E66DB5BA8C9394851FF53E19C3153911B3B10750317BAE681028094704C46B794B03D15CD1F8E02E068028FFBF9471D7DA201C60751C49ACCEDDDCFA35DED92BBBED1FDE6EC1F33517304BE3C72B07D08F801FF987DCB9CE069397725477188B18D27A52EA8F73F5F8069973EA9F49914DBCE030E0B66C41C6DBDB82777C14294BDFC6A0ABC2616C4C14C509240ACA941F9369343280C010000000000003000000000000000000000000000000000000000F58FBDF71BE8C37CBBD6944E472C450B1043817B972914487C221033F3079E430000000000000000000000000000000004970157DE52CDAE14CF17EE369881D6245B3A6AB6352EABAEE588A0584B030300000000000000000000000000000000F16B5FC361183F587120E602C0D65773AFDFE786124184FA70805258D76D594C000000000000000000000000000000007E021F15E3A67B75ACE884999BEDFFE34213792A611E40E562E87E6B9A0CB28200000000000000000000000000000000A5D109B2AFA3FA90878F70382B2388FCD2FEAEAE8A51B80ADD048E9F876B2A4E0700000001000080010000000B008BC595AFE91665472BF77EB8874BEA431442530E0B1C993D48C0A3FFD307BEFBEE0F0000CBB219D73A3D9645A3BCDAD00E67656F0300000000000000C80F0000000000006400620078002616C4C14C509240ACA941F9369343288C0E00000000000030000000BD9AFA775903324DBD6028F4E78F784B80B4D96931BF0D02FD91A61E19D14F1DA452E66DB2408CA8604D411F92659F0ABD9AFA775903324DBD6028F4E78F784BF52F83A3FA9CFBD6920F722824DBE4034534D25B8507246B3B957DAC6E1BCE7ABD9AFA775903324DBD6028F4E78F784BC5D9D8A186E2C82D09AFAA2A6F7F2E73870D3E64F72C4E08EF67796A840F0FBDBD9AFA775903324DBD6028F4E78F784B363384D14D1F2E0B7815626484C459AD57A318EF4396266048D058C5A19BBF76BD9AFA775903324DBD6028F4E78F784B1AEC84B84B6C65A51220A9BE7181965230210D62D6D33C48999C6B295A2B0A06BD9AFA775903324DBD6028F4E78F784BE6CA68E94146629AF03F69C2F86E6BEF62F930B37C6FBCC878B78DF98C0334E5BD9AFA775903324DBD6028F4E78F784BC3A99A460DA464A057C3586D83CEF5F4AE08B7103979ED8932742DF0ED530C66BD9AFA775903324DBD6028F4E78F784B58FB941AEF95A25943B3FB5F2510A0DF3FE44C58C95E0AB80487297568AB9771BD9AFA775903324DBD6028F4E78F784B5391C3A2FB112102A6AA1EDC25AE77E19F5D6F09CD09EEB2509922BFCD5992EABD9AFA775903324DBD6028F4E78F784BD626157E1D6A718BC124AB8DA27CBB65072CA03A7B6B257DBDCBBD60F65EF3D1BD9AFA775903324DBD6028F4E78F784BD063EC28F67EBA53F1642DBF7DFF33C6A32ADD869F6013FE162E2C32F1CBE56DBD9AFA775903324DBD6028F4E78F784B29C6EB52B43C3AA18B2CD8ED6EA8607CEF3CFAE1BAFE1165755CF2E614844A44BD9AFA775903324DBD6028F4E78F784B90FBE70E69D633408D3E170C6832DBB2D209E0272527DFB63D49D29572A6F44CBD9AFA775903324DBD6028F4E78F784B075EEA060589548BA060B2FEED10DA3C20C7FE9B17CD026B94E8A683B8115238BD9AFA775903324DBD6028F4E78F784B07E6C6A858646FB1EFC67903FE28B116011F2367FE92E6BE2B36999EFF39D09EBD9AFA775903324DBD6028F4E78F784B09DF5F4E511208EC78B96D12D08125FDB603868DE39F6F72927852599B659C26BD9AFA775903324DBD6028F4E78F784B0BBB4392DAAC7AB89B30A4AC657531B97BFAAB04F90B0DAFE5F9B6EB90A06374BD9AFA775903324DBD6028F4E78F784B0C189339762DF336AB3DD006A463DF715A39CFB0F492465C600E6C6BD7BD898CBD9AFA775903324DBD6028F4E78F784B0D0DBECA6F29ECA06F331A7D72E4884B12097FB348983A2A14A0D73F4F10140FBD9AFA775903324DBD6028F4E78F784B0DC9F3FB99962148C3CA833632758D3ED4FC8D0B0007B95B31E6528F2ACD5BFCBD9AFA775903324DBD6028F4E78F784B106FACEACFECFD4E303B74F480A08098E2D0802B936F8EC774CE21F31686689CBD9AFA775903324DBD6028F4E78F784B174E3A0B5B43C6A607BBD3404F05341E3DCF396267CE94F8B50E2E23A9DA920CBD9AFA775903324DBD6028F4E78F784B18333429FF0562ED9F97033E1148DCEEE52DBE2E496D5410B5CFD6C864D2D10FBD9AFA775903324DBD6028F4E78F784B2B99CF26422E92FE365FBF4BC30D27086C9EE14B7A6FFF44FB2F6B9001699939BD9AFA775903324DBD6028F4E78F784B2BBF2CA7B8F1D91F27EE52B6FB2A5DD049B85A2B9B529C5D6662068104B055F8BD9AFA775903324DBD6028F4E78F784B2C73D93325BA6DCBE589D4A4C63C5B935559EF92FBF050ED50C4E2085206F17DBD9AFA775903324DBD6028F4E78F784B2E70916786A6F773511FA7181FAB0F1D70B557C6322EA923B2A8D3B92B51AF7DBD9AFA775903324DBD6028F4E78F784B306628FA5477305728BA4A467DE7D0387A54F569D3769FCE5E75EC89D28D1593BD9AFA775903324DBD6028F4E78F784B3608EDBAF5AD0F41A414A1777ABF2FAF5E670334675EC3995E6935829E0CAAD2BD9AFA775903324DBD6028F4E78F784B3841D221368D1583D75C0A02E62160394D6C4E0A6760B6F607B90362BC855B02BD9AFA775903324DBD6028F4E78F784B3FCE9B9FDF3EF09D5452B0F95EE481C2B7F06D743A737971558E70136ACE3E73BD9AFA775903324DBD6028F4E78F784B4397DACA839E7F63077CB50C92DF43BC2D2FB2A8F59F26FC7A0E4BD4D9751692BD9AFA775903324DBD6028F4E78F784B47CC086127E2069A86E03A6BEF2CD410F8C55A6D6BDB362168C31B2CE32A5ADFBD9AFA775903324DBD6028F4E78F784B518831FE7382B514D03E15C621228B8AB65479BD0CBFA3C5C1D0F48D9C306135BD9AFA775903324DBD6028F4E78F784B5AE949EA8855EB93E439DBC65BDA2E42852C2FDF6789FA146736E3C3410F2B5CBD9AFA775903324DBD6028F4E78F784B6B1D138078E4418AA68DEB7BB35E066092CF479EEB8CE4CD12E7D072CCB42F66BD9AFA775903324DBD6028F4E78F784B6C8854478DD559E29351B826C06CB8BFEF2B94AD3538358772D193F82ED1CA11BD9AFA775903324DBD6028F4E78F784B6F1428FF71C9DB0ED5AF1F2E7BBFCBAB647CC265DDF5B293CDB626F50A3A785EBD9AFA775903324DBD6028F4E78F784B71F2906FD222497E54A34662AB2497FCC81020770FF51368E9E3D9BFCBFD6375BD9AFA775903324DBD6028F4E78F784B726B3EB654046A30F3F83D9B96CE03F670E9A806D1708A0371E62DC49D2C23C1BD9AFA775903324DBD6028F4E78F784B72E0BD1867CF5D9D56AB158ADF3BDDBC82BF32A8D8AA1D8C5E2F6DF29428D6D8BD9AFA775903324DBD6028F4E78F784B7827AF99362CFAF0717DADE4B1BFE0438AD171C15ADDC248B75BF8CAA44BB2C5BD9AFA775903324DBD6028F4E78F784B81A8B965BB84D3876B9429A95481CC955318CFAA1412D808C8A33BFD33FFF0E4BD9AFA775903324DBD6028F4E78F784B82DB3BCEB4F60843CE9D97C3D187CD9B5941CD3DE8100E586F2BDA5637575F67BD9AFA775903324DBD6028F4E78F784B895A9785F617CA1D7ED44FC1A1470B71F3F1223862D9FF9DCC3AE2DF92163DAFBD9AFA775903324DBD6028F4E78F784B8AD64859F195B5F58DAFAA940B6A6167ACD67A886E8F469364177221C55945B9BD9AFA775903324DBD6028F4E78F784B8BF434B49E00CCF71502A2CD900865CB01EC3B3DA03C35BE505FDF7BD563F521BD9AFA775903324DBD6028F4E78F784B8D8EA289CFE70A1C07AB7365CB28EE51EDD33CF2506DE888FBADD60EBF80481CBD9AFA775903324DBD6028F4E78F784B9998D363C491BE16BD74BA10B94D9291001611736FDCA643A36664BC0F315A42BD9AFA775903324DBD6028F4E78F784B9E4A69173161682E55FDE8FEF560EB88EC1FFEDCAF04001F66C0CAF707B2B734BD9AFA775903324DBD6028F4E78F784BA6B5151F3655D3A2AF0D472759796BE4A4200E5495A7D869754C4848857408A7BD9AFA775903324DBD6028F4E78F784BA7F32F508D4EB0FEAD9A087EF94ED1BA0AEC5DE6F7EF6FF0A62B93BEDF5D458DBD9AFA775903324DBD6028F4E78F784BAD6826E1946D26D3EAF3685C88D97D85DE3B4DCB3D0EE2AE81C70560D13C5720BD9AFA775903324DBD6028F4E78F784BAEEBAE3151271273ED95AA2E671139ED31A98567303A332298F83709A9D55AA1BD9AFA775903324DBD6028F4E78F784BAFE2030AFB7D2CDA13F9FA333A02E34F6751AFEC11B010DBCD441FDF4C4002B3BD9AFA775903324DBD6028F4E78F784BB54F1EE636631FAD68058D3B0937031AC1B90CCB17062A391CCA68AFDBE40D55BD9AFA775903324DBD6028F4E78F784BB8F078D983A24AC433216393883514CD932C33AF18E7DD70884C8235F4275736BD9AFA775903324DBD6028F4E78F784BB97A0889059C035FF1D54B6DB53B11B9766668D9F955247C028B2837D7A04CD9BD9AFA775903324DBD6028F4E78F784BBC87A668E81966489CB508EE805183C19E6ACD24CF17799CA062D2E384DA0EA7BD9AFA775903324DBD6028F4E78F784BC409BDAC4775ADD8DB92AA22B5B718FB8C94A1462C1FE9A416B95D8A3388C2FCBD9AFA775903324DBD6028F4E78F784BC617C1A8B1EE2A811C28B5A81B4C83D7C98B5B0C27281D610207EBE692C2967FBD9AFA775903324DBD6028F4E78F784BC90F336617B8E7F983975413C997F10B73EB267FD8A10CB9E3BDBFC667ABDB8BBD9AFA775903324DBD6028F4E78F784BCB6B858B40D3A098765815B592C1514A49604FAFD60819DA88D7A76E9778FEF7BD9AFA775903324DBD6028F4E78F784BCE3BFABE59D67CE8AC8DFD4A16F7C43EF9C224513FBC655957D735FA29F540CEBD9AFA775903324DBD6028F4E78F784BD8CBEB9735F5672B367E4F96CDC74969615D17074AE96C724D42CE0216F8F3FABD9AFA775903324DBD6028F4E78F784BE92C22EB3B5642D65C1EC2CAF247D2594738EEBB7FB3841A44956F59E2B0D1FABD9AFA775903324DBD6028F4E78F784BFDDD6E3D29EA84C7743DAD4A1BDBC700B5FEC1B391F932409086ACC71DD6DBD8BD9AFA775903324DBD6028F4E78F784BFE63A84F782CC9D3FCF2CCF9FC11FBD03760878758D26285ED12669BDC6E6D01BD9AFA775903324DBD6028F4E78F784BFECFB232D12E994B6D485D2C7167728AA5525984AD5CA61E7516221F079A1436BD9AFA775903324DBD6028F4E78F784BCA171D614A8D7E121C93948CD0FE55D39981F9D11AA96E03450A415227C2C65BBD9AFA775903324DBD6028F4E78F784B55B99B0DE53DBCFE485AA9C737CF3FB616EF3D91FAB599AA7CAB19EDA763B5BABD9AFA775903324DBD6028F4E78F784B77DD190FA30D88FF5E3B011A0AE61E6209780C130B535ECB87E6F0888A0B6B2FBD9AFA775903324DBD6028F4E78F784BC83CB13922AD99F560744675DD37CC94DCAD5A1FCBA6472FEE341171D939E884BD9AFA775903324DBD6028F4E78F784B3B0287533E0CC3D0EC1AA823CBF0A941AAD8721579D1C499802DD1C3A636B8A9BD9AFA775903324DBD6028F4E78F784B939AEEF4F5FA51E23340C3F2E49048CE8872526AFDF752C3A7F3A3F2BC9F6049BD9AFA775903324DBD6028F4E78F784B64575BD912789A2E14AD56F6341F52AF6BF80CF94400785975E9F04E2D64D745BD9AFA775903324DBD6028F4E78F784B45C7C8AE750ACFBB48FC37527D6412DD644DAED8913CCD8A24C94D856967DF8E2616C4C14C509240ACA941F9369343283C0100000000000030000000BD9AFA775903324DBD6028F4E78F784B81D8FB4C9E2E7A8225656B4B8273B7CBA4B03EF2E9EB20E0A0291624ECA1BA86BD9AFA775903324DBD6028F4E78F784BB92AF298DC08049B78C77492D6551B710CD72AADA3D77BE54609E43278EF6E4DBD9AFA775903324DBD6028F4E78F784BE19DAE83C02E6F281358D4EBD11D7723B4F5EA0E357907D5443DECC5F93C1E9DBD9AFA775903324DBD6028F4E78F784B39DBC2288EF44B5F95332CB777E31103E840DBA680634AA806F5C9B100061802BD9AFA775903324DBD6028F4E78F784B32F5940CA29DD812A2C145E6FC89646628FFCC7C7A42CAE512337D8D29C40BBDBD9AFA775903324DBD6028F4E78F784B10D45FCBA396AEF3153EE8F6ECAE58AFE8476A280A2026FC71F6217DCF49BA2F0700000004000000010000000B00DF3F619804A92FDB4057192DC43DD748EA778ADC52BC498CE80524C014B81119040000000000000007000000E0000080010000000B0030BF464EE37F1BC0C7B1A5BF25ECED275347C3AB1492D5623AE9F7663BE07DD50F060000CBB219D73A3D9645A3BCDAD00E67656F0200000000000000EB0500000000000064006200BD9AFA775903324DBD6028F4E78F784B308205D7308203BFA003020102020A61077656000000000008300D06092A864886F70D01010B0500308188310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E31323030060355040313294D6963726F736F667420526F6F7420436572746966696361746520417574686F726974792032303130301E170D3131313031393138343134325A170D3236313031393138353134325A308184310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E312E302C060355040313254D6963726F736F66742057696E646F77732050726F64756374696F6E20504341203230313130820122300D06092A864886F70D01010105000382010F003082010A0282010100DD0CBBA2E42E09E3E7C5F79669BC0021BD693333EFAD04CB5480EE0683BBC52084D9F7D28BF338B0ABA4AD2D7C627905FFE34A3F04352070E3C4E76BE09CC03675E98A31DD8D70E5DC37B5744696285B8760232CBFDC47A567F751279E72EB07A6C9B91E3B53357CE5D3EC27B9871CFEB9C923096FA84691C16E963C41D3CBA33F5D026A4DEC691F25285C36FFFD43150A94E019B4CFDFC212E2C25B27EE2778308B5B2A096B22895360162CC0681D53BAEC49F39D618C85680973445D7DA2542BDD79F715CF355D6C1C2B5CCEBC9C238B6F6EB526D93613C34FD627AEB9323B41922CE1C7CD77E8AA544EF75C0B048765B44318A8B2E06D1977EC5A24FA48030203010001A38201433082013F301006092B06010401823715010403020100301D0603551D0E04160414A92902398E16C49778CD90F99E4F9AE17C55AF53301906092B0601040182371402040C1E0A00530075006200430041300B0603551D0F040403020186300F0603551D130101FF040530030101FF301F0603551D23041830168014D5F656CB8FE8A25C6268D13D94905BD7CE9A18C430560603551D1F044F304D304BA049A0478645687474703A2F2F63726C2E6D6963726F736F66742E636F6D2F706B692F63726C2F70726F64756374732F4D6963526F6F4365724175745F323031302D30362D32332E63726C305A06082B06010505070101044E304C304A06082B06010505073002863E687474703A2F2F7777772E6D6963726F736F66742E636F6D2F706B692F63657274732F4D6963526F6F4365724175745F323031302D30362D32332E637274300D06092A864886F70D01010B0500038202010014FC7C7151A579C26EB2EF393EBC3C520F6E2B3F101373FEA868D048A6344D8A960526EE3146906179D6FF382E456BF4C0E528B8DA1D8F8ADB09D71AC74C0A36666A8CEC1BD70490A81817A49BB9E240323676C4C15AC6BFE404C0EA16D3ACC368EF62ACDD546C503058A6EB7CFE94A74E8EF4EC7C867357C2522173345AF3A38A56C804DA0709EDF88BE3CEF47E8EAEF0F60B8A08FB3FC91D727F53B8EBBE63E0E33D3165B081E5F2ACCD16A49F3DA8B19BC242D090845F541DFF89EABA1D47906FB0734E419F409F5FE5A12AB21191738A2128F0CEDE73395F3EAB5C60ECDF0310A8D309E9F4F69685B67F51886647198DA2B0123D812A680577BB914C627BB6C107C7BA7A8734030E4B627A99E9CAFCCE4A37C92DA4577C1CFE3DDCB80F5AFAD6C4B30285023AEAB3D96EE4692137DE81D1F675190567D393575E291B39C8EE2DE1CDE445735BD0D2CE7AAB1619824658D05E9D81B367AF6C35F2BCE53F24E235A20A7506F6185699D4782CD1051BEBD088019DAA10F105DFBA7E2C63B7069B2321C4F9786CE2581706362B911203CCA4D9F22DBAF9949D40ED1845F1CE8A5C6B3EAB03D370182A0A6AE05F47D1D5630A32F2AFD7361F2A705AE5425908714B57BA7E8381F0213CF41CC1C5B990930E88459386E9B12099BE98CBC595A45D62D6A0630820BD7510777D3DF345B99F979FCB57806F33A904CF77A4621C597E0B0000000C000000010000000B00097328E8C957DE2428283954F6A1EE8FF7AD7DEF12E100A600178407F5DECF2404000000100000000B0000000C000000010000000B0008EFEA1C0957A5A1FE019E6EDB21FDC9FBE5DE2213487EAB7A05E06ECA1C978404000000FFFF0000

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 818 — BitLocker encountered a failure attempting to configure network unlock for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker encountered a failure attempting to configure network unlock for volume %3.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ErrorCode`	—

Event ID 819 — The BitLocker service could not resume protection on the OS volume %3, due to the following error: Bootable media in the drive.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

The BitLocker service could not resume protection on the OS volume %3, due to the following error: Bootable media in the drive.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ErrorCode`	—

Event ID 820 — The BitLocker service could not resume protection on the OS volume %3, due to the following error: TPM is locked out.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

The BitLocker service could not resume protection on the OS volume %3, due to the following error: TPM is locked out.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ErrorCode`	—

Event ID 821 — The BitLocker service could not resume protection on the OS volume %3, due to the following error: Group policy conflict.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

The BitLocker service could not resume protection on the OS volume %3, due to the following error: Group policy conflict.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ErrorCode`	—

Event ID 822 — The BitLocker service could not resume protection on the OS volume %3, due to the following error code: %4.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

The BitLocker service could not resume protection on the OS volume %3, due to the following error code: %4.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ErrorCode`	—

Event ID 823 — Bootmgr failed to obtain the BitLocker volume master key from the TPM because Secure Boot was disabled.

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

Bootmgr failed to obtain the BitLocker volume master key from the TPM because Secure Boot was disabled.

Fields

Name	Description
`VolumeGUID`	—

Event ID 824 — Bootmgr failed to obtain the BitLocker volume master key from the TPM because Secure Boot configuration changed unexpectedly.

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

Bootmgr failed to obtain the BitLocker volume master key from the TPM because Secure Boot configuration changed unexpectedly.

Fields

Name	Description
`VolumeGUID`	—

Event ID 825 — BitLocker failed to initialize hardware encryption for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker failed to initialize hardware encryption for volume %3.
This PC's firmware is not capable of supporting hardware encryption.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 826 — The password was changed.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

The password was changed.

Event ID 827 — A password change attempt failed.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

A password change attempt failed.
Error message: %1

Fields

Name	Description
`Error_message`	—
`ErrorCode`	—

Event ID 828 — BitLocker Drive Encryption recovery information for volume %3 was backed up successfully to your Microsoft account.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker Drive Encryption recovery information for volume %3 was backed up successfully to your Microsoft account.
Protector GUID: %4

Fields

Name	Description
`Protector_GUID`	—
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ProtectorGUID`	—

Event ID 829 — Failed to backup BitLocker Drive Encryption recovery information for volume %3 to your Microsoft account.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to backup BitLocker Drive Encryption recovery information for volume %3 to your Microsoft account.

Error: %4

Fields

Name	Description
`Error`	—
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ErrorCode`	—

Event ID 830 — The BitLocker Drive Encryption recovery information already exists in your Microsoft account.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

The BitLocker Drive Encryption recovery information already exists in your Microsoft account.

Event ID 831 — Failed to save BitLocker Drive Encryption recovery information to your Microsoft account due to an error.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to save BitLocker Drive Encryption recovery information to your Microsoft account due to an error.

Error Code: %1
Localized Error Message: %2

Fields

Name	Description
`Error_Code`	—
`Localized_Error_Message`	—
`JsonErrorCode`	—
`LocalizedJsonError`	—

Event ID 832 — TCG Log parsing failure.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

TCG Log parsing failure.

Error: %1.

Fields

Name	Description
`Error`	—
`ErrorCode`	—

Event ID 833 — BitLocker detected that custom Secure Boot policy is installed, and will seal to this configuration.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker detected that custom Secure Boot policy is installed, and will seal to this configuration. Sealing to a custom policy may reduce the integrity provided by Secure Boot.

Event ID 834 — BitLocker determined that the TCG log is invalid for use of Secure Boot.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.

Fields

Name	Description
`PCRBitmap`	—
`PCRBitmapSource`	—
`PCRValuesSize`	—
`PCRValues`	—
`FilteredTcgLogSize`	—
`FilteredTcgLog`	—
`TpmSrkAesStrengthInBits`	—

Event ID 835 — BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority has invalid structure.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority has invalid structure.

The event is expected to be an EV_EFI_VARIABLE_AUTHORITY event. The event data must be formatted as an EFI_VARIABLE_DATA structure with VariableName set to EFI_IMAGE_SECURITY_DATABASEGUID and UnicodeName set to 'db'.

Event ID 836 — BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority is invalid.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority is invalid.

The contents of the EFI_VARIABLE_DATA.VariableData field should be an EFI_SIGNATURE_DATA structure with SignatureOwner set to the GUID {77fa9abd-0359-4d32-bd60-28f4e78f784b} (Microsoft).

Event ID 837 — BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority is invalid.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority is invalid.

The EFI_SIGNATURE_DATA structure contained in the OS authority event could not be found in the Secure Boot 'db' signature database.

Event ID 838 — BitLocker cannot use Secure Boot for integrity because the signature of the boot manager could not be validated as a Windows signature chained to a...

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker cannot use Secure Boot for integrity because the signature of the boot manager could not be validated as a Windows signature chained to a trusted Microsoft root certificate.

Event ID 839 — BitLocker cannot use Secure Boot for integrity because the TCG Log entry for the OS Loader Authority is invalid.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker cannot use Secure Boot for integrity because the TCG Log entry for the OS Loader Authority is invalid.

The signature contained in the EFI_SIGNATURE_DATA structure from the OS authority event could not be found in the verified certificate chain for the boot manager.

Event ID 840 — A trusted WIM file has been added for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management
Level: 4
Samples: 1

Message

A trusted WIM file has been added for volume %3.
The SHA-256 hash of the WIM file is: %5

Fields

Name	Description
`The_SHA256_hash_of_the_WIM_file_is`	—

Example Event

system:
  provider: Microsoft-Windows-BitLocker-API
  guid: 5D674230-CA9F-11DA-A94D-0800200C9A66
  event_source_name: ''
  event_id: 840
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2022-11-01T21:25:03.283160Z'
  event_record_id: 17
  correlation: {}
  execution:
    process_id: 10108
    thread_id: 1924
  channel: Microsoft-Windows-BitLocker/BitLocker Management
  computer: GUAPOS-PC
  security:
    user_id: S-1-5-21-2296991126-4013933037-3802873755-1001
event_data:
  IdentificationGUID: 45A9DCBD-40EC-4295-A9E6-C2E63844F040
  VolumeName: \\?\Volume{95b548ac-9d1a-4f36-96fc-2c67e06caefb}
  VolumeMountPoint: 'C:'
  BinaryDataSize: 32
  BinaryData: F97AFF018A007ACD584A246C1F49D2BB8CD9AB4E7E461D52AE4623CB0A1260DB

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 841 — BitLocker was unable to update a key for volume %3 due to the following error: %4.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker was unable to update a key for volume %3 due to the following error: %4

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ErrorCode`	—

Event ID 842 — BitLocker was unable to reseal boot settings to the TPM in the Windows Recovery Environment.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker was unable to reseal boot settings to the TPM in the Windows Recovery Environment.

Error: %1

Protection has been temporarily suspended.

Fields

Name	Description
`Error`	—
`ErrorCode`	—

Event ID 843 — BitLocker was suspended from within the Windows Recovery Environment.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker was suspended from within the Windows Recovery Environment.
Suspend time: %2

Fields

Name	Description
`Suspend_time`	—
`IdentificationGUID`	—
`ResealTime`	—

Event ID 844 — BitLocker was unable to recover from device lock in the Windows Recovery Environment.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker was unable to recover from device lock in the Windows Recovery Environment.

Error: %1

Protection has been temporarily suspended.

Fields

Name	Description
`Error`	—
`ErrorCode`	—

Event ID 845 — BitLocker Drive Encryption recovery information for volume %1 was backed up successfully to your Entra ID.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker Drive Encryption recovery information for volume %1 was backed up successfully to your Entra ID.
Protector GUID: %2.
TraceId: %3

Fields

Name	Description
`Protector_GUID`	—
`TraceId`	—
`VolumeMountPoint`	—
`ProtectorGUID`	—
`TraceGUID`	—

Event ID 846 — Failed to backup BitLocker Drive Encryption recovery information for volume %1 to your Entra ID.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to backup BitLocker Drive Encryption recovery information for volume %1 to your Entra ID.
TraceId: %2

Error: %3

Fields

Name	Description
`TraceId`	—
`Error`	—
`VolumeMountPoint`	—
`TraceGUID`	—
`ErrorCode`	—

Event ID 847 — Failed to save BitLocker Drive Encryption recovery information to your Azure AD due to an error.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to save BitLocker Drive Encryption recovery information to your Entra ID due to an error.

 Request Id: %1
 Response Time: %2
Error Code: %3
Error Subcode: %4
Error message: %5

Fields

Name	Description
`Request_Id`	—
`Response_Time`	—
`Error_Code`	—
`Error_Subcode`	—
`Error_message`	—
`JsonRequestId`	—
`JsonTime`	—
`JsonErrorCode`	—
`JsonSubCode`	—
`JsonMessage`	—

Event ID 848 — Failed to update BCD store with the Recovery URL for OS volume.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to update BCD store with the Recovery URL for OS volume.

Error: %1

Fields

Name	Description
`Error`	—
`ErrorCode`	—

Event ID 849 — Failed to set the TPM dictionary attack parameters to the legacy behavior.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to set the TPM dictionary attack parameters to the legacy behavior.

Error: %1.

Fields

Name	Description
`Error`	—
`ErrorCode`	—

Event ID 850 — Successfully set the TPM dictionary attack parameters to the legacy behavior.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Successfully set the TPM dictionary attack parameters to the legacy behavior.

Fields

Name	Description
`ErrorCode`	—

Event ID 851 — Failed to enable Silent Encryption.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to enable Silent Encryption. 

Error: %1.

Fields

Name	Description
`Error`	—
`ErrorCode`	—

Event ID 852 — Failed to enable Silent Encryption.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to enable Silent Encryption. Device is not Entra ID joined. 

Error: %1.

Fields

Name	Description
`Error`	—
`ErrorCode`	—

Event ID 853 — Failed to enable Silent Encryption.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to enable Silent Encryption. TPM is not available. 

Error: %1.

Fields

Name	Description
`Error`	—
`ErrorCode`	—

Event ID 854 — Failed to enable Silent Encryption.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to enable Silent Encryption. WinRe is not configured. 

Error: %1.

Fields

Name	Description
`Error`	—
`ErrorCode`	—

Event ID 855 — Recovery Password Rotation initiated.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Recovery Password Rotation initiated.

Event ID 856 — Failed to initiate the Recovery Password Rotation Error.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to initiate the Recovery Password Rotation 

Error:%1.

Fields

Name	Description
`Error`	—
`ErrorCode`	—

Event ID 857 — Recovery Passwords Rotation done successfully

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Recovery Passwords Rotation done successfully

Event ID 858 — Recovery Password Rotation failed.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Recovery Password Rotation failed. 

Error: %1.

Fields

Name	Description
`Error`	—
`ErrorCode`	—

Event ID 859 — Recovery Password Rotation failed.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Operational

Message

Recovery Password Rotation failed.
Volume: %1
Mount: %2
ReqID: %3
Error:%4.

Fields

Name	Description
`Volume`	—
`Mount`	—
`ReqID`	—
`Error`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ProtectorGUID`	—
`ErrorCode`	—

Event ID 860 — Failed to delete recovery password from AAD.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Operational

Message

Failed to delete recovery password from AAD.
Error:%1.

Fields

Name	Description
`Error`	—
`ErrorCode`	—

Event ID 861 — Failed to create clinet recovery password rotation request.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Operational

Message

Failed to create clinet recovery password rotation request. 
volume: %1
Mount: %2
ReqId: %3
Error: %4.

Fields

Name	Description
`volume`	—
`Mount`	—
`ReqId`	—
`Error`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ProtectorGUID`	—
`ErrorCode`	—

Event ID 862 — Failed to Create AAD recovery Password Delete request.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Operational

Message

Failed to Create Entra ID recovery Password Delete request.
Volume: %1
Mount: %2
ReqID: %3
Error:%4.

Fields

Name	Description
`Volume`	—
`Mount`	—
`ReqID`	—
`Error`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ProtectorGUID`	—
`ErrorCode`	—

Event ID 863 — Failed to initiate the Recovery Password Rotation and Entra ID Deletion requests processing Error.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to initiate the Recovery Password Rotation and Entra ID Deletion requests processing 

Error:%1.

Fields

Name	Description
`Error`	—
`ErrorCode`	—

Event ID 864 — Recovery Passwords Rotation and AAD Deletion requests processing initiated successfully

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Recovery Passwords Rotation and Entra ID Deletion requests processing initiated successfully

Event ID 865 — BitLocker was unable to verify if TPM protector resealing is possible for volume %3 due to the following error: %4.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker was unable to verify if TPM protector resealing is possible for volume %3 due to the following error: %4

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ErrorCode`	—

Event ID 866 — A BitLocker key protector which uses PBKDF2 was created.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

A BitLocker key protector which uses PBKDF2 was created.
Protector GUID: %4
Identification GUID: %1
Protector Type: %5

Fields

Name	Description
`Identification_GUID`	—
`Protector_GUID`	—
`Protector_Type`	—
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ProtectorGUID`	—
`ProtectorType`	—

Event ID 867 — Failed to delete BitLocker Drive Encryption recovery information for volume %1 from Entra ID.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to delete BitLocker Drive Encryption recovery information for volume %1 from Entra ID. 
Protector GUID: %2.
TraceId: %3

Fields

Name	Description
`Protector_GUID`	—
`TraceId`	—
`VolumeMountPoint`	—
`ProtectorGUIDs`	—
`TraceGUID`	—

Event ID 868 — Failed while attempting to get BitLocker Drive Encryption recovery information from Azure AD.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed while attempting to get BitLocker Drive Encryption recovery information from Entra ID.
Error code: %1

Fields

Name	Description
`Error_code`	—
`ErrorCode`	—

Event ID 869 — An operating system volume BitLocker recovery key password for the currently signed in user has not been backed up.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

An operating system volume BitLocker recovery key password for the currently signed in user has not been backed up.

Event ID 870 — Failed to register information for reverted volume.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to register information for reverted volume. 
Volume: %1
Mount: %2
ReqID: %3
Error:%4.

Fields

Name	Description
`Volume`	—
`Mount`	—
`ReqID`	—
`Error`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ProtectorGUID`	—
`ErrorCode`	—

Event ID 871 — Failed to register timer for recovery password cleanup.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to register timer for recovery password cleanup. Error Code: %1

Fields

Name	Description
`ErrorCode`	—

Event ID 872 — Failed to save request.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to save request. Protector ID: %1 , RequestType: %2, VolumeName: %3, Error: %4

Fields

Name	Description
`ProtectorGUID`	—
`RequestType`	—
`VolumeName`	—
`ErrorCode`	—

Event ID 873 — Server reported a failure while attempting to backup a recovery password.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Server reported a failure while attempting to backup a recovery password.
Error: %1 
HTTP Status Code: %2 
RetryRequest: %3 
DidSetRetryHint: %4 
RetryHintSeconds: %5

Fields

Name	Description
`Error`	—
`HTTP_Status_Code`	—
`RetryRequest`	—
`DidSetRetryHint`	—
`RetryHintSeconds`	—
`ErrorCode`	—
`HttpStatusCode`	—
`RetryHint`	—

Event ID 874 — Server reported a failure while attempting to delete recovery password(s) from AAD.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Server reported a failure while attempting to delete recovery password(s) from AAD.
Error: %1 
HTTP Status Code: %2 
RetryRequest: %3 
DidSetRetryHint: %4 
RetryHintSeconds: %5

Fields

Name	Description
`Error`	—
`HTTP_Status_Code`	—
`RetryRequest`	—
`DidSetRetryHint`	—
`RetryHintSeconds`	—
`ErrorCode`	—
`HttpStatusCode`	—
`RetryHint`	—

Event ID 875 — Server reported a failure while attempting to retrieve recovery password information from AAD.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Server reported a failure while attempting to retrieve recovery password information from AAD.
Error: %1 
HTTP Status Code: %2 
RetryRequest: %3 
DidSetRetryHint: %4 
RetryHintSeconds: %5

Fields

Name	Description
`Error`	—
`HTTP_Status_Code`	—
`RetryRequest`	—
`DidSetRetryHint`	—
`RetryHintSeconds`	—
`ErrorCode`	—
`HttpStatusCode`	—
`RetryHint`	—

Event ID 876 — Failed to delete BitLocker Drive Encryption recovery information from Azure AD.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to delete BitLocker Drive Encryption recovery information from Entra ID.
Error: %1

Fields

Name	Description
`Error`	—
`ErrorCode`	—

Event ID 877 — Not all privileges requested are assigned to the caller.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

Not all privileges requested are assigned to the caller.

Event ID 878 — BitLocker failed to validate secure boot state.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker failed to validate secure boot state.

Error: %1.

Fields

Name	Description
`ErrorCode`	—

Event ID 879 — BitLocker failed to add a recovery password because the maximum number of recovery passwords has been reached.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker failed to add a recovery password because the maximum number of recovery passwords has been reached. Volume ID: %3.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ErrorCode`	—

Event ID 880 — BitLocker is unable to predict PCR7 value and will attempt to seal to current TPM PCR7 value as required by policy Policy PCR profile.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker is unable to predict PCR7 value and will attempt to seal to current TPM PCR7 value as required by policy 
Policy PCR profile: %1.

Fields

Name	Description
`ErrorCode`	—

Event ID 881 — The signature contained in the EFI_SIGNATURE_DATA structure from the TCG Log OS Loader Authority event could not be found in the verified certifica...

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

The signature contained in the EFI_SIGNATURE_DATA structure from the TCG Log OS Loader Authority event could not be found in the verified certificate chain for the boot manager.

Event ID 882 — BitLocker cannot use Secure Boot for integrity because hash of the boot manager for the TCG Log OS Loader Authority event could not be predicted.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker cannot use Secure Boot for integrity because hash of the boot manager for the TCG Log OS Loader Authority event could not be predicted.

Event ID 883 — BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority is invalid.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority is invalid.

The EFI_SIGNATURE_DATA structure contained in the OS authority event could not be found in the Secure Boot 'db' signature database. Signature database type: %1

Fields

Name	Description
`SignatureDBType`	—

Event ID 884 — BitLocker cannot use Secure Boot for integrity because the signature in a TCG Log Authority event was not found in the Secure Boot 'db' signature d...

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker cannot use Secure Boot for integrity because the signature in a TCG Log Authority event was not found in the Secure Boot 'db' signature database. Signature database type: %1

Fields

Name	Description
`SignatureDBType`	—

Event ID 885 — BitLocker cannot use Secure Boot for integrity because the signature predicted for the boot manager was not found in the Secure Boot 'db' signature...

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker cannot use Secure Boot for integrity because the signature predicted for the boot manager was not found in the Secure Boot 'db' signature database. Signature database type: %1

Fields

Name	Description
`SignatureDBType`	—

Event ID 886 — BitLocker removed an orphaned TPM digest datum with identifier %2.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker removed an orphaned TPM digest datum with identifier %2.

Fields

Name	Description
`ErrorCode`	—
`IdentityGUID`	—

Event ID 887 — There was a problem communicating with the TPM at boot.

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

There was a problem communicating with the TPM at boot.

Fields

Name	Description
`VolumeGUID`	—

Event ID 888 — BitLocker failed to obtain the key from the TPM due to an unforseen TPM failure.

Provider: Microsoft-Windows-BitLocker-API
Channel: System

Message

BitLocker failed to obtain the key from the TPM due to an unforseen TPM failure.

Fields

Name	Description
`VolumeGUID`	—

Event ID 889 — BitLocker is attempting to seal to a PCR which is known to have events extended into the TPM after the BitLocker TPM cap event.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker is attempting to seal to a PCR which is known to have events extended into the TPM after the BitLocker TPM cap event. This may cause BitLocker recovery.

Fields

Name	Description
`Pcr`	—
`PostBootLockEventPCRBitmap`	—

Event ID 890 —

Provider: Microsoft-Windows-BitLocker-API
Channel: Operational

Fields

Name	Description
`CountTpmBindings`	—
`TpmBindingsTotalSizeTpmDatumsOnly`	—
`TpmBindingsTotalSizeIncludingDigestDatums`	—
`CensusData`	—

Event ID 890 — BitLocker conducted a TPM binding census.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker conducted a TPM binding census.

Fields

Name	Description
`CountTpmBindings`	—
`TpmBindingsTotalSizeTpmDatumsOnly`	—
`TpmBindingsTotalSizeIncludingDigestDatums`	—
`CensusData`	—

Event ID 891 —

Provider: Microsoft-Windows-BitLocker-API
Channel: Operational

Fields

Name	Description
`ErrorCode`	—
`USN`	—
`Scenario`	—
`VolumeMountPoint`	—

Event ID 891 — BitLocker updated its TPM bindings in response to a PCR Prediction Framework callback.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker updated its TPM bindings in response to a PCR Prediction Framework callback. USN: %2, Scenario: %3, Volume: %4, Error: %1.

Fields

Name	Description
`ErrorCode`	—
`USN`	—
`Scenario`	—
`VolumeMountPoint`	—

Event ID 892 —

Provider: Microsoft-Windows-BitLocker-API
Channel: Operational

Fields

Name	Description
`PCRBitmap`	—
`PCRBitmapSource`	—
`PCRValuesSize`	—
`PCRValues`	—
`FilteredLog`	—
`TpmSrkAesStrengthInBits`	—
`ExcludedPcrsBitmap`	—

Event ID 892 — BitLocker successfully sealed a key to the TPM.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker successfully sealed a key to the TPM.

PCRs measured include [%1].

The source for these PCRs was: %2.

Fields

Name	Description
`PCRBitmap`	—
`PCRBitmapSource`	—
`PCRValuesSize`	—
`PCRValues`	—
`FilteredLog`	—
`TpmSrkAesStrengthInBits`	—
`ExcludedPcrsBitmap`	—

Event ID 893 —

Provider: Microsoft-Windows-BitLocker-API
Channel: Operational

Fields

Name	Description
`PCRBitmap`	—
`PCRBitmapSource`	—
`PCRValuesSize`	—
`PCRValues`	—
`FilteredLog`	—
`TpmSrkAesStrengthInBits`	—
`ExcludedPcrsBitmap`	—

Event ID 893 — BitLocker determined that the TCG log is invalid for use of Secure Boot.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.

Fields

Name	Description
`PCRBitmap`	—
`PCRBitmapSource`	—
`PCRValuesSize`	—
`PCRValues`	—
`FilteredLog`	—
`TpmSrkAesStrengthInBits`	—
`ExcludedPcrsBitmap`	—

Event ID 896 —

Provider: Microsoft-Windows-BitLocker-API
Channel: Operational

Fields

Name	Description
`ExcludedPcrsBitmap`	—
`PcrProfile`	—

Event ID 896 — BitLocker is currently excluding PCRs %1 from its TPM protector PCR profile (%2) as required by a firmware update installation.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker is currently excluding PCRs %1 from its TPM protector PCR profile (%2) as required by a firmware update installation.

Fields

Name	Description
`ExcludedPcrsBitmap`	—
`PcrProfile`	—

Event ID 897 —

Provider: Microsoft-Windows-BitLocker-API
Channel: Operational

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ProtectorGUID`	—
`BackendName`	—

Event ID 897 — BitLocker Drive Encryption recovery information for volume %3 was backed up successfully to your Microsoft account.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker Drive Encryption recovery information for volume %3 was backed up successfully to your Microsoft account.
Protector GUID: %4

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ProtectorGUID`	—
`BackendName`	—

Event ID 898 —

Provider: Microsoft-Windows-BitLocker-API
Channel: Operational

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ErrorCode`	—
`BackendName`	—

Event ID 898 — Failed to backup BitLocker Drive Encryption recovery information for volume %3 to your Microsoft account.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to backup BitLocker Drive Encryption recovery information for volume %3 to your Microsoft account.

Error: %4

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ErrorCode`	—
`BackendName`	—

Event ID 899 —

Provider: Microsoft-Windows-BitLocker-API
Channel: Operational

Fields

Name	Description
`Pcr`	—

Event ID 899 — BitLocker is reading the TPM to calculate the PCR %1 value.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker is reading the TPM to calculate the PCR %1 value.

Fields

Name	Description
`Pcr`	—

Event ID 900 —

Provider: Microsoft-Windows-BitLocker-API
Channel: Operational

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ErrorCode`	—

Event ID 900 — BitLocker successfully committed metadata changes for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker successfully committed metadata changes for volume %3.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ErrorCode`	—

Event ID 4096 — Device Encryption could not be initialized.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Device Encryption could not be initialized.

Error: %1.

Fields

Name	Description
`Error`	—
`ErrorCode`	—

Event ID 4097 — Device Encryption initialization start.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

Device Encryption initialization start.

Event ID 4098 — Device Encryption initialization stop.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

Device Encryption initialization stop.

Event ID 4099 — Device Encryption failed to process user logon event.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Device Encryption failed to process user logon event.

Error: %1.

Fields

Name	Description
`Error`	—
`ErrorCode`	—

Event ID 4100 — Beginning Device Encryption user logon processing.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

Beginning Device Encryption user logon processing.

Event ID 4101 — Ending Device Encryption user logon processing.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

Ending Device Encryption user logon processing.

Event ID 4102 — BitLocker failed to recover after Device Lock.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker failed to recover after Device Lock.
Error message: %1.

Fields

Name	Description
`Error_message`	—
`ErrorCode`	—

Event ID 4103 — Failed to automatically enable Device Encryption.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to automatically enable Device Encryption.

Error Message: %1

Fields

Name	Description
`Error_Message`	—
`ErrorCode`	—

Event ID 4104 — Begin Enable Protection.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

Begin Enable Protection.

Event ID 4105 — End Enable Protection.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

End Enable Protection.

Event ID 4106 — Failed to automatically back up recovery password to your Microsoft account.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to automatically back up recovery password to your Microsoft account.

Error Message: %1

Fields

Name	Description
`Error_Message`	—
`ErrorCode`	—

Event ID 4107 — Begin Recovery Password Backup.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

Begin Recovery Password Backup.

Event ID 4108 — End Recovery Password Backup.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

End Recovery Password Backup.

Event ID 4109 — Begin Query Protection Status.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

Begin Query Protection Status.

Event ID 4110 — End Query Protection Status.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

End Query Protection Status.

Event ID 4111 — Device Lock recovery event initiated for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Device Lock recovery event initiated for volume %3.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 4112 — MaxPasswordRetry policy enforced with TPM-based hardening for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

MaxPasswordRetry policy enforced with TPM-based hardening for volume %3.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 4113 — MaxPasswordRetry policy enforced without hardware based hardening for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

MaxPasswordRetry policy enforced without hardware based hardening for volume %3.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ErrorCode`	—

Event ID 4114 — Device Lock recovery event initiated due to protected state mismatch for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Device Lock recovery event initiated due to protected state mismatch for volume %3.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ErrorCode`	—

Event ID 4116 — Device Encryption initialization for volume %3 start.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

Device Encryption initialization for volume %3 start.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 4117 — Device Encryption initialization for volume %3 stop.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

Device Encryption initialization for volume %3 stop.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 4118 — Volume %3 could not be initialized for Device Encryption.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Operational

Message

Volume %3 could not be initialized for Device Encryption.

Error: %4.

Fields

Name	Description
`Error`	—
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ErrorCode`	—

Event ID 4119 — Windows RE is not correctly configured for device encryption.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Operational

Message

Windows RE is not correctly configured for device encryption. Make sure that Windows RE is enabled and is not installed on the OS drive.

Event ID 4120 — The TPM is not provisioned for device encryption.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Operational

Message

The TPM is not provisioned for device encryption. To set up the TPM use the TPM management console (Start->tpm.msc) and use the action to make the TPM ready.

Event ID 4121 — Sign in with a Microsoft account to finish provisioning device encryption.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Operational

Message

Sign in with a Microsoft account to finish provisioning device encryption.

Event ID 4122 — The following DMA (Direct Memory Access) capable devices are not declared as protected from external access, which can block security features such...

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management
Level: 4
Samples: 1

Message

The following DMA (Direct Memory Access) capable devices are not declared as protected from external access, which can block security features such as BitLocker automatic device encryption:

%1

Fields

Name	Description
`LocalizedText`	The following DMA (Direct Memory Access) capable devices are not declared as protected from external access, which can block security features such as BitLocker automatic device encryption

Example Event

system:
  provider: Microsoft-Windows-BitLocker-API
  guid: 5D674230-CA9F-11DA-A94D-0800200C9A66
  event_source_name: ''
  event_id: 4122
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 4611686018427387904
  time_created: '2023-11-05T22:28:46.216571+00:00'
  event_record_id: 2
  correlation: {}
  execution:
    process_id: 4412
    thread_id: 4416
  channel: Microsoft-Windows-BitLocker/BitLocker Management
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data:
  LocalizedText: "\r\nISA Bridge:\r\n\tPCI\\VEN_8086&DEV_7110 (PCI to ISA Bridge)\r\n\r\nPCI-to-PCI
    Bridge:\r\n\tPCI\\VEN_15AD&DEV_0790 (PCI-to-PCI Bridge)\r\n\tPCI\\VEN_15AD&DEV_07A0
    (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0
    (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0
    (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0
    (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0
    (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0
    (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0
    (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0
    (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0
    (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0
    (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0
    (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0
    (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0
    (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0
    (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0
    (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0
    (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_8086&DEV_7191
    (PCI-to-PCI Bridge)\r\n"
message: ''

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 4123 — BitLocker Drive Encryption recovery information for volume %1 was deleted successfully from your Entra ID.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

BitLocker Drive Encryption recovery information for volume %1 was deleted successfully from your Entra ID.
Protector GUID: %2.
TraceId: %3

Fields

Name	Description
`Protector_GUID`	—
`TraceId`	—
`VolumeMountPoint`	—
`ProtectorGUIDs`	—
`TraceGUID`	—

Event ID 4124 — HSTI is not supported on this device

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

HSTI is not supported on this device

Event ID 4125 — Failed to query HSTI data size.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

Failed to query HSTI data size. Error: %1

Fields

Name	Description
`Data`	—

Event ID 4126 — Actual HSTI data size.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

Actual HSTI data size: %1.
Expected HSTI data size to be at least: %2

Fields

Name	Description
`Data1`	—
`Data2`	—

Event ID 4127 — HSTI provider count.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

HSTI provider count: %1

Fields

Name	Description
`HSTI_provider_count`	—
`Data`	—

Event ID 4128 — HSTI data version.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

HSTI data version: %1.
Expected HSTI data version: %2

Fields

Name	Description
`HSTI_data_version`	—
`Expected_HSTI_data_version`	—
`Data1`	—
`Data2`	—

Event ID 4129 — HSTI security features size mismatch for HSTI provider %1: expected %2, actual %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

HSTI security features size mismatch for HSTI provider %1: expected %2, actual %3

Fields

Name	Description
`HSTIImplID`	—
`Data1`	—
`Data2`	—

Event ID 4130 — HSTI provider %1 found with unknown version %2.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

HSTI provider %1 found with unknown version %2. This provider will not be processed

Fields

Name	Description
`HSTIImplID`	—
`Data`	—

Event ID 4131 — HSTI provider %1 found.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

HSTI provider %1 found. Has PLATFORM_SECURITY_ROLE_PLATFORM_REFERENCE: %2.
(Note: there should only be one provider with this role.)

Fields

Name	Description
`HSTIImplID`	—
`BoolData`	—

Event ID 4132 — HSTI provider %1 found.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

HSTI provider %1 found. Has PLATFORM_SECURITY_ROLE_PLATFORM_REFERENCE: %2.
Since the platform was reported to have at least one other provider with PLATFORM_SECURITY_ROLE_PLATFORM_REFERENCE, HSTI is deemed unsafe

Fields

Name	Description
`HSTIImplID`	—
`BoolData`	—

Event ID 4133 — No HSTI provider with PLATFORM_SECURITY_ROLE_PLATFORM_REFERENCE found

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

No HSTI provider with PLATFORM_SECURITY_ROLE_PLATFORM_REFERENCE found

Event ID 4134 — HSTI provider %1 (which is not PLATFORM_SECURITY_ROLE_PLATFORM_REFERENCE) set SecurityFeaturesRequired.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

HSTI provider %1 (which is not PLATFORM_SECURITY_ROLE_PLATFORM_REFERENCE) set SecurityFeaturesRequired

Fields

Name	Description
`HSTIImplID`	—

Event ID 4135 — HSTI combined results report secure Intel Thunderbolt configuration bit.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

HSTI combined results report secure Intel Thunderbolt configuration bit: %1

Fields

Name	Description
`BoolData`	—

Event ID 4136 — Required HSTI features were not verified by any provider.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

Required HSTI features were not verified by any provider. For byte %1, the mask of missing features is: %2

Fields

Name	Description
`SecFeatureIndex`	—
`Data`	—

Event ID 4137 — HSTI tests failed.

Provider: Microsoft-Windows-BitLocker-API
Channel: Tracing

Message

HSTI tests failed. Error messages from HSTI Provider %1: %2

Fields

Name	Description
`HSTIImplID`	—
`ProviderErrorMsg`	—

Event ID 4138 — Successfully setup TPM API callback.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Successfully setup TPM API callback.

Fields

Name	Description
`ErrorCode`	—

Event ID 4139 — Failed to setup TPM API callback.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to setup TPM API callback. Error Code: %1

Fields

Name	Description
`ErrorCode`	—

Event ID 4140 — Successfully added predicted TPM protector.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Successfully added predicted TPM protector.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ErrorCode`	—

Event ID 4141 — Failed to add predicted TPM protector.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to add predicted TPM protector. Error Code: %4.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`ErrorCode`	—

Event ID 4142 — Predicted PCR4 value for TPM info based protector.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Predicted PCR4 value for TPM info based protector. Predicted Value: %5.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`BinaryDataSize`	—
`BinaryData`	—

Event ID 4143 — Failed to evaluate PCR4 predicted value from TPM info.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to evaluate PCR4 predicted value from TPM info. Error Code: %1

Fields

Name	Description
`ErrorCode`	—

Event ID 4144 — Predicted PCR7 value for TPM info based protector.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Predicted PCR7 value for TPM info based protector. Predicted Value: %5.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—
`BinaryDataSize`	—
`BinaryData`	—

Event ID 4145 — Failed to evaluate PCR7 predicted value from TPM info.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Failed to evaluate PCR7 predicted value from TPM info. Error Code: %1

Fields

Name	Description
`ErrorCode`	—

Event ID 4146 — Device Encryption initialized automatically for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Device Encryption initialized automatically for volume %3.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—

Event ID 4147 — Device Encryption initialized by user for volume %3.

Provider: Microsoft-Windows-BitLocker-API
Channel: BitLocker Management

Message

Device Encryption initialized by user for volume %3.

Fields

Name	Description
`IdentificationGUID`	—
`VolumeName`	—
`VolumeMountPoint`	—