Microsoft-Windows-BitLocker-API
211 events across 5 channels
Event ID 513 — BitLocker Drive Encryption recovery information was backed up successfully to Active Directory Domain Services.
Event ID 514 — Failed to backup BitLocker Drive Encryption recovery information to Active Directory Domain Services.
Event ID 515 — BitLocker Drive Encryption recovery information for the specified protector is already present in Active Directory Domain Services.
Event ID 516 — A BitLocker certificate data recovery agent was created, because it was missing on the volume or added to the list of data recovery agents.
Description
A BitLocker certificate data recovery agent was created, because it was missing on the volume or added to the list of data recovery agents.
Message #
Fields #
| Name | Description |
|---|---|
Protector_GUID GUID | — |
Certificate_thumbprint UnicodeString | — |
Volume_GUID GUID | — |
ProtectorGUID GUID | — |
Thumbprint UnicodeString | — |
VolumeGUID GUID | — |
Event ID 517 — A BitLocker certificate data recovery agent was removed, because is no longer in the list of data recovery agents.
Event ID 518 — The attempt to create a data recovery agent protector on the BitLocker volume failed.
Event ID 519 — The servicing of the data recovery agents on the volume failed.
Event ID 520 — The management of the data recovery agents failed on this drive because this feature of BitLocker Drive Encryption is not supported in this edition...
Event ID 521 — Bootmgr failed to obtain the BitLocker volume master key from the TPM because the PCRs did not match.
Event ID 522 — Bootmgr determined that the following boot application has changed: BootApplication.
Event ID 523 — Bootmgr determined that the boot configuration data setting BCDSetting has changed for the following boot application: BootApplication.
Event ID 524 — Bootmgr determined that the authorization data for the SRK of the TPM is incompatible with BitLocker.
Event ID 525 — Bootmgr determined that the TPM is disabled.
Event ID 526 — Bootmgr determined that the TPM is not accessible.
Event ID 527 — The partition size specified in the partition table is smaller than the size of the file system contained by that partition.
Event ID 528 — Boot debugging is enabled on Bootmgr so TPM based keys cannot be obtained.
Event ID 529 — Bootmgr determined that driver signature enforcement has been disabled.
Event ID 530 — Bootmgr determined that the device was locked out due to too many failed password attempts.
Event ID 531 — Bootmgr determined that the device was locked out due to Device Lockout state validation failure.
Event ID 532 — Bootmgr determined that the TPM is not present or recognized.
Event ID 768 — BitLocker encryption was started for volume VolumeMountPoint using AlgorithmType algorithm.
#Description
BitLocker encryption was started for volume VolumeMountPoint using AlgorithmType algorithm.
Message #
Fields #
| Name | Description |
|---|---|
IdentificationGUID GUID | — |
VolumeName UnicodeString | — |
VolumeMountPoint UnicodeString | — |
AlgorithmType UInt16 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-BitLocker-API",
"guid": "5D674230-CA9F-11DA-A94D-0800200C9A66",
"event_source_name": "",
"event_id": 768,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-11-01T21:26:46.384614Z",
"event_record_id": 21,
"correlation": {},
"execution": {
"process_id": 10108,
"thread_id": 9288
},
"channel": "Microsoft-Windows-BitLocker/BitLocker Management",
"computer": "GUAPOS-PC",
"security": {
"user_id": "S-1-5-21-2296991126-4013933037-3802873755-1001"
}
},
"event_data": {
"IdentificationGUID": "45A9DCBD-40EC-4295-A9E6-C2E63844F040",
"VolumeName": "\\\\?\\Volume{95b548ac-9d1a-4f36-96fc-2c67e06caefb}",
"VolumeMountPoint": "C:",
"AlgorithmType": 32772
}
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 769 — BitLocker encryption will occur for volume VolumeMountPoint when the computer is restarted using AlgorithmType algorithm.
Event ID 770 — BitLocker decryption was started for volume VolumeMountPoint.
Event ID 771 — BitLocker encryption was stopped for volume VolumeMountPoint.
Event ID 772 — BitLocker encryption was restarted for volume VolumeMountPoint using AlgorithmType algorithm.
Event ID 773 — BitLocker was suspended for volume VolumeMountPoint.
Event ID 774 — BitLocker was resumed for volume VolumeMountPoint.
Event ID 775 — A BitLocker key protector was created.
#Description
A BitLocker key protector was created.
Message #
Fields #
| Name | Description |
|---|---|
Identification_GUID | — |
Protector_GUID | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-BitLocker-API",
"guid": "5D674230-CA9F-11DA-A94D-0800200C9A66",
"event_source_name": "",
"event_id": 775,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-11-01T21:25:03.283252Z",
"event_record_id": 18,
"correlation": {},
"execution": {
"process_id": 10108,
"thread_id": 1924
},
"channel": "Microsoft-Windows-BitLocker/BitLocker Management",
"computer": "GUAPOS-PC",
"security": {
"user_id": "S-1-5-21-2296991126-4013933037-3802873755-1001"
}
},
"event_data": {
"IdentificationGUID": "45A9DCBD-40EC-4295-A9E6-C2E63844F040",
"VolumeName": "\\\\?\\Volume{95b548ac-9d1a-4f36-96fc-2c67e06caefb}",
"VolumeMountPoint": "C:",
"ProtectorGUID": "354C0BE9-1562-417A-A871-247448EDE788",
"ProtectorType": "0x1"
}
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 776 — A BitLocker key protector was removed.
Event ID 777 — The PIN was updated for the operating system volume.
Event ID 778 — The BitLocker volume VolumeMountPoint was reverted to an unprotected state.
Event ID 779 — The BitLocker volume VolumeMountPoint was erased.
Event ID 780 — The identification field was changed.
#Description
The identification field was changed.
Message #
Fields #
| Name | Description |
|---|---|
Identification_GUID | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-BitLocker-API",
"guid": "5D674230-CA9F-11DA-A94D-0800200C9A66",
"event_source_name": "",
"event_id": 780,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-11-01T21:26:46.325697Z",
"event_record_id": 20,
"correlation": {},
"execution": {
"process_id": 10108,
"thread_id": 9288
},
"channel": "Microsoft-Windows-BitLocker/BitLocker Management",
"computer": "GUAPOS-PC",
"security": {
"user_id": "S-1-5-21-2296991126-4013933037-3802873755-1001"
}
},
"event_data": {
"IdentificationGUID": "45A9DCBD-40EC-4295-A9E6-C2E63844F040",
"VolumeName": "\\\\?\\Volume{95b548ac-9d1a-4f36-96fc-2c67e06caefb}",
"VolumeMountPoint": "C:"
}
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 781 — The BitLocker protected volume VolumeName was locked.
Event ID 782 — The BitLocker protected volume IdentificationGUID was unlocked.
Event ID 783 — BitLocker Drive Encryption recovery information for the specified protector is already present in Active Directory Domain Services.
Description
BitLocker Drive Encryption recovery information for the specified protector is already present in Active Directory Domain Services.
Message #
Fields #
| Name | Description |
|---|---|
Identification_GUID | — |
Protector_GUID | — |
IdentificationGUID GUID | — |
VolumeName UnicodeString | — |
VolumeMountPoint UnicodeString | — |
ProtectorGUID GUID | — |
Event ID 784 — BitLocker Drive Encryption recovery information was backed up successfully to Active Directory Domain Services.
Event ID 785 — Failed to backup BitLocker Drive Encryption recovery information to Active Directory Domain Services.
Event ID 786 — BitLocker free space wiping was started for volume VolumeMountPoint.
Event ID 787 — BitLocker free space wiping was stopped for volume VolumeMountPoint.
Event ID 788 — BitLocker free space wiping was restarted for volume VolumeMountPoint.
Event ID 789 — The PIN was changed.
Description
The PIN was changed.
Message #
Event ID 790 — A PIN change attempt failed.
Event ID 791 — The BitLocker Service (BdeSvc) PIN and password change facility is locked out due to too many failed PIN or password change attempts.
Description
The BitLocker Service (BdeSvc) PIN and password change facility is locked out due to too many failed PIN or password change attempts.
Message #
Event ID 792 — BitLocker encountered a failure to commit metadata changes for volume VolumeMountPoint.
Event ID 793 — BitLocker resealed boot settings to the TPM for volume VolumeMountPoint.
#Description
BitLocker resealed boot settings to the TPM for volume VolumeMountPoint.
Message #
Fields #
| Name | Description |
|---|---|
IdentificationGUID GUID | — |
VolumeName UnicodeString | — |
VolumeMountPoint UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-BitLocker-API",
"guid": "5D674230-CA9F-11DA-A94D-0800200C9A66",
"event_source_name": "",
"event_id": 793,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-11-09T22:40:09.768066Z",
"event_record_id": 28,
"correlation": {},
"execution": {
"process_id": 1224,
"thread_id": 2092
},
"channel": "Microsoft-Windows-BitLocker/BitLocker Management",
"computer": "GUAPOS-PC",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"IdentificationGUID": "45A9DCBD-40EC-4295-A9E6-C2E63844F040",
"VolumeName": "\\\\?\\Volume{95b548ac-9d1a-4f36-96fc-2c67e06caefb}",
"VolumeMountPoint": "C:"
}
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 794 — BitLocker failed to reseal boot settings to the TPM.
Event ID 795 — BitLocker failed to initialize hardware encryption for volume VolumeMountPoint due to group policy.
Event ID 796 — BitLocker Drive Encryption is using software-based encryption to protect volume VolumeMountPoint.
#Description
BitLocker Drive Encryption is using software-based encryption to protect volume VolumeMountPoint.
Message #
Fields #
| Name | Description |
|---|---|
IdentificationGUID GUID | — |
VolumeName UnicodeString | — |
VolumeMountPoint UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-BitLocker-API",
"guid": "5D674230-CA9F-11DA-A94D-0800200C9A66",
"event_source_name": "",
"event_id": 796,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-11-01T21:25:02.989680Z",
"event_record_id": 15,
"correlation": {},
"execution": {
"process_id": 10108,
"thread_id": 1924
},
"channel": "Microsoft-Windows-BitLocker/BitLocker Management",
"computer": "GUAPOS-PC",
"security": {
"user_id": "S-1-5-21-2296991126-4013933037-3802873755-1001"
}
},
"event_data": {
"IdentificationGUID": "00000000-0000-0000-0000-000000000000",
"VolumeName": "\\\\?\\Volume{95b548ac-9d1a-4f36-96fc-2c67e06caefb}",
"VolumeMountPoint": "C:"
}
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 797 — Group Policy settings prevented BitLocker Drive Encryption from reverting to BitLocker software-based encryption.
Event ID 798 — BitLocker failed to initialize hardware encryption for volume VolumeMountPoint.
Event ID 799 — BitLocker failed to initialize hardware encryption for volume VolumeMountPoint.
Event ID 800 — BitLocker failed to initialize hardware encryption for volume VolumeMountPoint.
Event ID 801 — BitLocker failed to initialize hardware encryption for volume VolumeMountPoint.
Event ID 802 — BitLocker failed to initialize hardware encryption for volume VolumeMountPoint.
Event ID 803 — BitLocker failed to initialize hardware encryption for volume VolumeMountPoint.
Event ID 804 — The target drive (VolumeMountPoint) cannot be managed by BitLocker because the drive's hardware encryption feature is already in use.
Event ID 805 — The BitLocker protected volume was unlocked in the Windows Recovery Environment.
Event ID 806 — BitLocker resealed boot settings to the TPM in the Windows Recovery Environment.
Event ID 807 — BitLocker free space wiping was canceled for volume VolumeMountPoint.
Event ID 808 — BitLocker failed to initialize hardware encryption for volume VolumeMountPoint.
Event ID 809 — BitLocker cannot use Secure Boot for integrity because it is disabled in Group Policy.
Description
BitLocker cannot use Secure Boot for integrity because it is disabled in Group Policy.
Message #
Event ID 810 — BitLocker cannot use Secure Boot for integrity because it is disabled.
Description
BitLocker cannot use Secure Boot for integrity because it is disabled.
Message #
Event ID 811 — BitLocker cannot use Secure Boot for integrity because the required UEFI variable 'VariableName' is not present.
Event ID 812 — BitLocker cannot use Secure Boot for integrity because the UEFI variable 'Error_Message' could not be read.
Event ID 813 — BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for variable 'VariableName' is missing or invalid.
Event ID 814 — BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority is missing or invalid.
Description
BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority is missing or invalid.
Message #
Event ID 815 — BitLocker cannot use Secure Boot for integrity because the expected TCG Log separator entry is missing or invalid.
Description
BitLocker cannot use Secure Boot for integrity because the expected TCG Log separator entry is missing or invalid.
Message #
Event ID 816 — BitLocker cannot use Secure Boot for integrity because the TCG Log for PCR [7] contains invalid entries.
Description
BitLocker cannot use Secure Boot for integrity because the TCG Log for PCR [7] contains invalid entries.
Message #
Event ID 817 — BitLocker successfully sealed a key to the TPM.
#Description
BitLocker successfully sealed a key to the TPM.
Message #
Fields #
| Name | Description |
|---|---|
The_source_for_these_PCRs_was | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-BitLocker-API",
"guid": "5D674230-CA9F-11DA-A94D-0800200C9A66",
"event_source_name": "",
"event_id": 817,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-11-01T21:25:03.260930Z",
"event_record_id": 16,
"correlation": {},
"execution": {
"process_id": 10108,
"thread_id": 1924
},
"channel": "Microsoft-Windows-BitLocker/BitLocker Management",
"computer": "GUAPOS-PC",
"security": {
"user_id": "S-1-5-21-2296991126-4013933037-3802873755-1001"
}
},
"event_data": {
"PCRBitmap": 2176,
"PCRBitmapSource": 3,
"PCRValuesSize": 72,
"PCRValues": "0B002000717ED786CD9A22923647FED0AEC18A34EE2097E0690619882C649ABD7377A1910B0020000000000000000000000000000000000000000000000000000000000000000000",
"FilteredTcgLogSize": 17035,
"FilteredTcgLog": "0700000001000080010000000B00CCFC4BB32888A345BC8AEADABA552B627D99348C767681AB3141F5B01E40A40E3500000061DFE48BCA93D211AA0D00E098032B8C0A00000000000000010000000000000053006500630075007200650042006F006F007400010700000001000080010000000B008C489E6B771E4BF95226F2D25C9F0F91E50E51052B25AA9DB534A40D9A3AC99F9A03000061DFE48BCA93D211AA0D00E098032B8C0200000000000000760300000000000050004B00A159C0A5E494A74A87B5AB155C2BF07276030000000000005A0300009130053B9F6CCC04B1ACE2A51E3BE5F5308203463082022EA00302010202105341E015C43AF8A84836B9A5FF691488300D06092A864886F70D01010B0500302D312B3029060355040313224153555354654B204D6F74686572426F61726420504B204365727469666963617465301E170D3131313232363233333435305A170D3331313232363233333434395A302D312B3029060355040313224153555354654B204D6F74686572426F61726420504B20436572746966696361746530820122300D06092A864886F70D01010105000382010F003082010A0282010100D9841536C5D4CE8AA15616A0E874CD581E2A02961BC43764DA8C6A2484CDDCC4680415C7E9CF20A4451A42F0A39B62226E2A4367178D4D10AAF8DDF22A9E86BA91D0327E95BE0178733AD3987E19F8160E27CCEAC5BEB5807EE8BCA81741B3EA55341953D77E7D50C75AB8EF54F9136EABD645CD1D0294E278D788A810528D7EBAF14936C06870F9D50C5AFD6B1A6F88C23769224292F39DAEEF73ECF40F324264C3E9B989DD06E5CC2F6BF8004E9164F70345F04FA41183E98397E9A0DC2DC80356B4DF61A632A58BA61B4ED81CA7A3F3724E72F8FE6949CF61F2E6599658B8147CCAF5E56BF06DDAF7BC085B7F57E99637595A7079570EC882C8917B67F92D0203010001A3623060305E0603551D01045730558010A28F65A66A296438D8D6720D3F3DE3E9A12F302D312B3029060355040313224153555354654B204D6F74686572426F61726420504B20436572746966696361746582105341E015C43AF8A84836B9A5FF691488300D06092A864886F70D01010B0500038201010073271A32880EDB138DF57EFC94F21A276BC2CA79D0BAB658BCDF97135A4CDCA2E490397B24847D2EA3959639A66BC2A651386FE50BAFC0910A903F3E5AE479169896329449AE002818AAEFFB549593C7FCE489EF9600CED6C68A4D85CA9C6CFB8AA74360365E7397172F1646D0CEF0A00777624D150E22F691711A79E1851C0B2C949F9D97CF49B5DDEA6AE5A761EC820D95E8985CE872C6DA8DDF21EC05300F79B8AFE9B02BC08373FEBF9D4A6DDAA5A06537CF2C87F12BC6A30E9264571A77EDD9474047DAEAFF2398D125B972F5383AB333A55DF144DCD8637DF92F7DF1D1D095C0A675A870C9C42BC04504D0405B757DE2B20A3C1E642230D20284C5B7BB0700000001000080010000000B002BAEA0FCF3EADBF39ECD8A4F7C5BF80D65C75B71FE00CD841C515A9DB8425E9D1B0E000061DFE48BCA93D211AA0D00E098032B8C0300000000000000F50D0000000000004B0045004B00A159C0A5E494A74A87B5AB155C2BF07279030000000000005D0300009130053B9F6CCC04B1ACE2A51E3BE5F53082034930820231A0030201020210311E46C51600A1A440F1C150E217C271300D06092A864886F70D01010B0500302E312C302A060355040313234153555354654B204D6F74686572426F617264204B454B204365727469666963617465301E170D3131313232363233333435395A170D3331313232363233333435385A302E312C302A060355040313234153555354654B204D6F74686572426F617264204B454B20436572746966696361746530820122300D06092A864886F70D01010105000382010F003082010A0282010100890984DEA721161B454D9C21738084F6D113E792A4B51D0AE34BC5A3009F64B9800FC21416D8D79E1EACA42FD8E8E23723D47580FAA32ADE8C352575F8C67736F21074A98E0849C7D536AB82FC266B53A2AB75A63EC223FB054B51D173CEBFDE88E5960C4A1F679A81E846A80945122F0F2939E9B1292BAC0C73AAFB784BD5297E352CAA842CE36279D35129D6ECF2E54045A09F174EB2F0DC3834C3C77CF605E827A1469B068C6F230A6A97EA22579969D37FEB2FD9592126065B367D1FB387056AA5FEE2AA4D8EC8365763BDB8ECDC8B8BA0252A4ACC839F05552B644BDF1006E56A0A7DD60C9EEDA9A7AEF126A6314C4B771DEB8D50CFA8D5176805973ADB0203010001A3633061305F0603551D010458305680105915D5B5698AB89D28C872DB3F5A9CF0A130302E312C302A060355040313234153555354654B204D6F74686572426F617264204B454B2043657274696669636174658210311E46C51600A1A440F1C150E217C271300D06092A864886F70D01010B050003820101002158304F95F59F66E6020C685EFC2824A78A33B7318126653D5BC0BAA348E5A0E81AC9A956E10685875697F32679CCB198DB741D954C3EF9DD91977633DBB2699571F25E8B9AEC370D367C306C5C99171049C86DB7CE17F30C2E0A728C32D0108F8B76DAC506B75B11CD393C68716F2AB167B46DAEC8852D8CAE9D45B7E1E171088F7699DDBCF8EEA7B75907DBF5CA56988F9F793BC33812F70C6DAD834C49938F829004E300E7DF677984FEAA4072E1370B715AFE9496D1F24C5B3B3BFCD71BA74DE276E6CA63F9C94B4AE7922CE4B1754692D7916B213D38E01D7E322A282A08E5F9ED14F23C589C4852E08343A809FE3A35FB26BC7B87CA51E52424305CDCA159C0A5E494A74A87B5AB155C2BF0721806000000000000FC050000BD9AFA775903324DBD6028F4E78F784B308205E8308203D0A003020102020A610AD188000000000003300D06092A864886F70D01010B0500308191310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E313B3039060355040313324D6963726F736F667420436F72706F726174696F6E205468697264205061727479204D61726B6574706C61636520526F6F74301E170D3131303632343230343132395A170D3236303632343230353132395A308180310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E312A3028060355040313214D6963726F736F667420436F72706F726174696F6E204B454B204341203230313130820122300D06092A864886F70D01010105000382010F003082010A0282010100C4E8B58ABFAD5726B026C3EAE7FB577A44025D070DDA4AE5742AE6B00FEC6DEBEC7FB9E35A63327C11174F0EE30BA73815938EC6F5E084B19A9B2CE7F5B791D609E1E2C004A8AC301CDF48F306509A64A7517FC8854F8F2086CEFE2FE19FFF82C0EDE9CDCEF4536A623A0B43B9E225FDFE05F9D4C414AB11E223898D70B7A41D4DECAEE59CFA16C2D7C1CBD4E8C42FE599EE248B03EC8DF28BEAC34AFB4311120B7EB547926CDCE60489EBF53304EB10012A71E5F983133CFF25092F687646FFBA4FBEDCAD712A58AAFB0ED2793DE49B653BCC292A9FFC7259A2EBAE92EFF6351380C602ECE45FCC9D76CDEF6392C1AF79408479877FE352A8E89D7B07698F150203010001A382014F3082014B301006092B06010401823715010403020100301D0603551D0E0416041462FC43CDA03EA4CB6712D25BD955AC7BCCB68A5F301906092B0601040182371402040C1E0A00530075006200430041300B0603551D0F040403020186300F0603551D130101FF040530030101FF301F0603551D2304183016801445665243E17E5811BFD64E9E2355083B3A226AA8305C0603551D1F045530533051A04FA04D864B687474703A2F2F63726C2E6D6963726F736F66742E636F6D2F706B692F63726C2F70726F64756374732F4D6963436F725468695061724D6172526F6F5F323031302D31302D30352E63726C306006082B0601050507010104543052305006082B060105050730028644687474703A2F2F7777772E6D6963726F736F66742E636F6D2F706B692F63657274732F4D6963436F725468695061724D6172526F6F5F323031302D31302D30352E637274300D06092A864886F70D01010B05000382020100D48488F514941802CA2A3CFB2A921C0CD7A0D1F1E85266A8EEA2B5757A9000AA2DA4765AEA79B7B9376A517B1064F6E164F20267BEF7A81B78BDBACE8858640CD657C819A35F05D6DBC6D069CE484B32B7EB5DD230F5C0F5B8BA7807A32BFE9BDB345684EC82CAAE4125709C6BE9FE900FD7961FE5E7941FB22A0C8D4BFF2829107BF7D77CA5D176B905C879ED0F90929CC2FEDF6F7E6C0F7BD4C145DD345196390FE55E56D8180596F407A642B3A077FD0819F27156CC9F8623A487CBA6FD587ED4696715917E81F27F13E50D8B8A3C8784EBE3CEBD43E5AD2D84938E6A2B5A7C44FA52AA81C82D1CBBE052DF0011F89A3DC160B0E133B5A388D165190A1AE7AC7CA4C182874E38B12F0DC514876FFD8D2EBC39B6E7E6C3E0E4CD2784EF9442EF298B9046413B811B67D8F9435965CB0DBCFD00924FF4753BA7A924FC50414079E02D4F0A6A27766E52ED96697BAF0FF78705D045C2AD5314811FFB3004AA373661DA4A691B34D868EDD602CF6C940CD3CF6C2279ADB1F0BC03A24660A9C407C22182F1FDF2E8793260BFD8ACA522144BCAC1D84BEB7D3F5735B2E64F75B4B060032253AE91791DD69B411F15865470B2DE0D350F7CB03472BA97603BF079EBA2B21C5DA216B887C5E91BF6B597256F389FE391FA8A7998C3690EB7A31C200597F8CA14AE00D7C4F3C01410756B34A01BB59960F35CB0C5574E36D23284BF9EA159C0A5E494A74A87B5AB155C2BF072640400000000000048040000E40AC46DE82E4C9CA3140FC7B2008710308204343082031CA003020102020900B94124A0182C9267300D06092A864886F70D01010B0500308184310B30090603550406130247423114301206035504080C0B49736C65206F66204D616E3110300E06035504070C07446F75676C617331173015060355040A0C0E43616E6F6E6963616C204C74642E3134303206035504030C2B43616E6F6E6963616C204C74642E204D617374657220436572746966696361746520417574686F72697479301E170D3132303431323131313235315A170D3432303431313131313235315A308184310B30090603550406130247423114301206035504080C0B49736C65206F66204D616E3110300E06035504070C07446F75676C617331173015060355040A0C0E43616E6F6E6963616C204C74642E3134303206035504030C2B43616E6F6E6963616C204C74642E204D617374657220436572746966696361746520417574686F7269747930820122300D06092A864886F70D01010105000382010F003082010A0282010100BF5B3A1674EE215DAE61ED9D56ACBDDEDE72F3DD7E2D4C620FACC06D480811CF8D8BFB611F27CC116ED9553D3954EB403BB1BBE2853479CAF77BBFBA7AC8102D197DAD59CFA6D4E94E0FDAAE52EA4C9E90CEC6990D4E6765785DF9D1D5384A4A7A8F939C7F1AA385DBCEFA8BF7C2A2212D9B5441351057138D6CBC2906504A7EEA99A968A73BC7071B329EA019870E79BB68992D7E9352E5F6EBC99BF92BEDB86849BCD99550405BC5B271AAEB5C57DE71F9400ADD5BAC1E842D501A52D6E1F36B6E90644F5BB4EB20E46110DA5AF0EAE442D701C4FE211FD9B9C05495428152721F49647AC86C24F108700B4DA5A032D1A01C57A84DE3AFA58E05053E1043A10203010001A381A63081A3301D0603551D0E04160414AD91990BC22AB1F517048C23B6655A268E345A63301F0603551D23041830168014AD91990BC22AB1F517048C23B6655A268E345A63300F0603551D130101FF040530030101FF300B0603551D0F04040302018630430603551D1F043C303A3038A036A0348632687474703A2F2F7777772E63616E6F6E6963616C2E636F6D2F7365637572652D626F6F742D6D61737465722D63612E63726C300D06092A864886F70D01010B050003820101003F7DF676A5B383B42B7AD06D521A0383C412A7509C4792CCC0947782D2AE57B39904F5323AC6551D07DB12A956FAD8D47620EBE4C351DB9A5C9C923F1873DA946AA199388CA4886DC1FC3971D0747616033E562335D555475B1A1D41C2D3124CDCFFAE0A929C620A17019C73E05EB1FDBCD6B519117A7ECD3E037E66DB5BA8C9394851FF53E19C3153911B3B10750317BAE681028094704C46B794B03D15CD1F8E02E068028FFBF9471D7DA201C60751C49ACCEDDDCFA35DED92BBBED1FDE6EC1F33517304BE3C72B07D08F801FF987DCB9CE069397725477188B18D27A52EA8F73F5F8069973EA9F49914DBCE030E0B66C41C6DBDB82777C14294BDFC6A0ABC0700000001000080010000000B005B463B6C9B68D073CA57C50C08B4D7D43EA0881F0C9A91D87748FE5E4488208AD6180000CBB219D73A3D9645A3BCDAD00E67656F0200000000000000B21800000000000064006200A159C0A5E494A74A87B5AB155C2BF0728203000000000000660300009130053B9F6CCC04B1ACE2A51E3BE5F5308203523082023AA0030201020210DA83B990422EBC8C441F8D8B039A65A2300D06092A864886F70D01010B05003031312F302D060355040313264153555354654B204D6F74686572426F617264205357204B6579204365727469666963617465301E170D3131313232363233333530355A170D3331313232363233333530345A3031312F302D060355040313264153555354654B204D6F74686572426F617264205357204B657920436572746966696361746530820122300D06092A864886F70D01010105000382010F003082010A02820101008CF6A6EB77FC838AA49FD5F8CF3F37F26E2D0A62C5D89B1D160B227F295F3A26DF53978C7894199042730F85C2FFA4857C812E0B51BA562327923DA3F2DCE277849E50BE8AEB5134A4F8EF5DD751FE70424C4206EF692CA2D325E1265723856DD0A77BC045287E89D5B40AEBAF417921D2D700EC48F944F65BBEB62524F08E2EB4523EE10EC1A467EAFEE593CCB9C43621CB54FAAF9D9C8578CCE588F3840C67DB266958CADE4734ECCF2FB64959B556DB58457B219D990B5FDE5716A6ABC8793F9D7689E209F98DE26337FC74EA737E70AC1516A5ED88605F33ED949E0A05DEC785C3C17A54FB4ECBCBE85E447C39DB2DB2B76CCECA2F639D164EA6E5EFD6CF0203010001A366306430620603551D01045B3059801056B08B2AA7FECCF10CED8762DCD51DC3A1333031312F302D060355040313264153555354654B204D6F74686572426F617264205357204B65792043657274696669636174658210DA83B990422EBC8C441F8D8B039A65A2300D06092A864886F70D01010B0500038201010002CF526F0B91EBE43BB2700C072D7980019E4B4D92BBDC9EE5E53185E39A75EDCADE8CEE2834018314479E3AD4435B2CC441C8407DB5087686802BA8009FB7D3B1E6605C32B0A0010FBA368BB7B54E87D5B70A2CBDBC6A433CEE767C7620ED3991A8BF701ED6A81A3E81366B7D1D8DF6F8AF5B38536A040D7EAE4DEEAB02D4A4A2A9CFB6E366A3CA4D5DD418614DDA83284EAA2AAFDAEBDF2A20BD7880EFD1B0DD9B77DBC925394BCFA2861AACCC32E787D459B203C469028F17C9DE52CBE7ABB835C5F83306039352CFB368D2B35C1CE819FE7526EDD16572134D69345A9B0CB4E356533CB46727F8FAD320DA3758F6ADE28259A2B8222F9E56FEBC17491DAFA159C0A5E494A74A87B5AB155C2BF07279030000000000005D0300009130053B9F6CCC04B1ACE2A51E3BE5F53082034930820231A0030201020210B8E581E4DF77A5BB4282D5CCFC00C071300D06092A864886F70D01010B0500302E312C302A060355040313234153555354654B204E6F7465626F6F6B205357204B6579204365727469666963617465301E170D3131313232373030313835335A170D3331313232373030313835325A302E312C302A060355040313234153555354654B204E6F7465626F6F6B205357204B657920436572746966696361746530820122300D06092A864886F70D01010105000382010F003082010A02820101009E61FA742C2A8817C4BD77190DB333270C0E94ECB08B71B30877B7D2089D324F5CF70CCFE0295356ED2491D8BD532A89898C7428AB162D4F9B65FC637DED23B6975C6D04E4157FDCF8BA6B08CCC921E9B5DE8E03281263F06AB6E5DF1D7228CC64D663662F04526A1D257DC7BDE078FB0CB737E5AEF70DD6B5B4BFF5F1C68256785CA8F3532EF5EC153F12622FEBB6797986AC76FFB66645F533DADD25D6A7BFF8D9DBD3F1FACE0E2230D7D48002BDD32C1EEC462E2FCA0F7AFAB95CFF2B16C66A6B8D9464927EF955EE96004D042E4B15EDF108496A078669C8C564FAAD2C4F0250E41F83C72F199FE8A562D9513218B683CA080AA1ABA765709C1E48C30F490203010001A3633061305F0603551D01045830568010006511E3CA0F96E88D5B04A4E7FECEAAA130302E312C302A060355040313234153555354654B204E6F7465626F6F6B205357204B65792043657274696669636174658210B8E581E4DF77A5BB4282D5CCFC00C071300D06092A864886F70D01010B050003820101003118F4EEE372BABE33446174191F66AC5CFD1D9A2675D014CD6838B3A83F4FB44AE91E21F2C9EE379626BE1D589BAD21CE587953D3FF38EF8F22CD900EC63221759B5AABAF08FF05CD2BF88CE79747BB78E45F5647D2BCC8A595CB76895C65240218069C125FEFE05C19453896DF7A605D61BA4DC87B6E8D8C6E1DA9E59235A24F36D340ADD74012AB6C488D1892E4005203DF14AC663F6AAE423A0650AAA50D40A77BEBFD4149FFEBA3B4504FF754133B1F8EB44504204274FE783DBE7CDBA72A2A9D0648C09A0223AFF2980795DE3B3073EC3E73588F07534096D824D966807A758DB7392710897AB453BF3BC2E29793378A9D4D236EACEB0D53214D0B3413A159C0A5E494A74A87B5AB155C2BF072400600000000000024060000BD9AFA775903324DBD6028F4E78F784B30820610308203F8A003020102020A6108D3C4000000000004300D06092A864886F70D01010B0500308191310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E313B3039060355040313324D6963726F736F667420436F72706F726174696F6E205468697264205061727479204D61726B6574706C61636520526F6F74301E170D3131303632373231323234355A170D3236303632373231333234355A308181310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E312B3029060355040313224D6963726F736F667420436F72706F726174696F6E2055454649204341203230313130820122300D06092A864886F70D01010105000382010F003082010A0282010100A5086C4CC745096A4B0CA4C0877F06750C43015464E0167F07ED927D0BB273BF0C0AC64A4561A0C5162D96D3F52BA0FB4D499B4180903CB954FDE6BCD19DC4A4188A7F418A5C59836832BB8C47C9EE71BC214F9A8A7CFF443F8D8F32B22648AE75B5EEC94C1E4A197EE4829A1D78774D0CB0BDF60FD316D3BCFA2BA551385DF5FBBADB7802DBFFEC0A1B96D583B81913E9B6C07B407BE11F2827C9FAEF565E1CE67E947EC0F044B27939E5DAB2628B4DBF3870E2682414C933A40837D558695ED37CEDC1045308E74EB02A876308616F631559EAB22B79D70C61678A5BFD5EAD877FBA86674F71581222042222CE8BEF547100CE503558769508EE6AB1A201D50203010001A382017630820172301206092B060104018237150104050203010001302306092B060104018237150204160414F8C16BB77F77534AF325371D4EA1267B0F207080301D0603551D0E0416041413ADBF4309BD82709C8CD54F316ED522988A1BD4301906092B0601040182371402040C1E0A00530075006200430041300B0603551D0F040403020186300F0603551D130101FF040530030101FF301F0603551D2304183016801445665243E17E5811BFD64E9E2355083B3A226AA8305C0603551D1F045530533051A04FA04D864B687474703A2F2F63726C2E6D6963726F736F66742E636F6D2F706B692F63726C2F70726F64756374732F4D6963436F725468695061724D6172526F6F5F323031302D31302D30352E63726C306006082B0601050507010104543052305006082B060105050730028644687474703A2F2F7777772E6D6963726F736F66742E636F6D2F706B692F63657274732F4D6963436F725468695061724D6172526F6F5F323031302D31302D30352E637274300D06092A864886F70D01010B05000382020100350842FF30CCCEF7760CAD1068583529463276277CEF124127421B4AAA6D813848591355F3E95834A6160B82AA5DAD82DA808341068FB41DF203B9F31A5D1BF15090F9B3558442281C20BDB2AE5114C5C0AC9795211C90DB0FFC779E95739188CABDBD52B905500DDF579EA061ED0DE56D25D9400F1740C8CEA34AC24DAF9A121D08548FBDC7BCB92B3D492B1F32FC6A21694F9BC87E4234FC3606178B8F2040C0B39A257527CDC903A3F65DD1E736547AB950B5D312D107BFBB74DFDC1E8F80D5ED18F42F14166B2FDE668CB023E5C784D8EDEAC13382AD564B182DF1689507CDCFF072F0AEBBDD8685982C214C332BF00F4AF06887B592553275A16A826A3CA32511A4EDADD704AECBD84059A084D1954C6291221A741D8C3D470E44A6E4B09B3435B1FAB653A82C81ECA40571C89DB8BAE81B4466E447540E8E567FB39F1698B286D0683E9023B52F5E8F50858DC68D825F41A1F42E0DE099D26C75E4B669B52186FA07D1F6E24DD1DAAD2C77531E253237C76C52729586B0F135616A19F5B23B815056A6322DFEA289F94286271855A182CA5A9BF830985414A64796252FC826E441941A5C023FE596E3855B3C3E3FBB47167255E22522B1D97BE703062AA3F71E9046C3000DD61989E30E352762037115A6EFD027A0A0593760F83894B8E07870F8BA4C868794F6E0AE0245EE65C2B6A37E69167507929BF5A6BC598358A159C0A5E494A74A87B5AB155C2BF0720706000000000000EB050000BD9AFA775903324DBD6028F4E78F784B308205D7308203BFA003020102020A61077656000000000008300D06092A864886F70D01010B0500308188310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E31323030060355040313294D6963726F736F667420526F6F7420436572746966696361746520417574686F726974792032303130301E170D3131313031393138343134325A170D3236313031393138353134325A308184310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E312E302C060355040313254D6963726F736F66742057696E646F77732050726F64756374696F6E20504341203230313130820122300D06092A864886F70D01010105000382010F003082010A0282010100DD0CBBA2E42E09E3E7C5F79669BC0021BD693333EFAD04CB5480EE0683BBC52084D9F7D28BF338B0ABA4AD2D7C627905FFE34A3F04352070E3C4E76BE09CC03675E98A31DD8D70E5DC37B5744696285B8760232CBFDC47A567F751279E72EB07A6C9B91E3B53357CE5D3EC27B9871CFEB9C923096FA84691C16E963C41D3CBA33F5D026A4DEC691F25285C36FFFD43150A94E019B4CFDFC212E2C25B27EE2778308B5B2A096B22895360162CC0681D53BAEC49F39D618C85680973445D7DA2542BDD79F715CF355D6C1C2B5CCEBC9C238B6F6EB526D93613C34FD627AEB9323B41922CE1C7CD77E8AA544EF75C0B048765B44318A8B2E06D1977EC5A24FA48030203010001A38201433082013F301006092B06010401823715010403020100301D0603551D0E04160414A92902398E16C49778CD90F99E4F9AE17C55AF53301906092B0601040182371402040C1E0A00530075006200430041300B0603551D0F040403020186300F0603551D130101FF040530030101FF301F0603551D23041830168014D5F656CB8FE8A25C6268D13D94905BD7CE9A18C430560603551D1F044F304D304BA049A0478645687474703A2F2F63726C2E6D6963726F736F66742E636F6D2F706B692F63726C2F70726F64756374732F4D6963526F6F4365724175745F323031302D30362D32332E63726C305A06082B06010505070101044E304C304A06082B06010505073002863E687474703A2F2F7777772E6D6963726F736F66742E636F6D2F706B692F63657274732F4D6963526F6F4365724175745F323031302D30362D32332E637274300D06092A864886F70D01010B0500038202010014FC7C7151A579C26EB2EF393EBC3C520F6E2B3F101373FEA868D048A6344D8A960526EE3146906179D6FF382E456BF4C0E528B8DA1D8F8ADB09D71AC74C0A36666A8CEC1BD70490A81817A49BB9E240323676C4C15AC6BFE404C0EA16D3ACC368EF62ACDD546C503058A6EB7CFE94A74E8EF4EC7C867357C2522173345AF3A38A56C804DA0709EDF88BE3CEF47E8EAEF0F60B8A08FB3FC91D727F53B8EBBE63E0E33D3165B081E5F2ACCD16A49F3DA8B19BC242D090845F541DFF89EABA1D47906FB0734E419F409F5FE5A12AB21191738A2128F0CEDE73395F3EAB5C60ECDF0310A8D309E9F4F69685B67F51886647198DA2B0123D812A680577BB914C627BB6C107C7BA7A8734030E4B627A99E9CAFCCE4A37C92DA4577C1CFE3DDCB80F5AFAD6C4B30285023AEAB3D96EE4692137DE81D1F675190567D393575E291B39C8EE2DE1CDE445735BD0D2CE7AAB1619824658D05E9D81B367AF6C35F2BCE53F24E235A20A7506F6185699D4782CD1051BEBD088019DAA10F105DFBA7E2C63B7069B2321C4F9786CE2581706362B911203CCA4D9F22DBAF9949D40ED1845F1CE8A5C6B3EAB03D370182A0A6AE05F47D1D5630A32F2AFD7361F2A705AE5425908714B57BA7E8381F0213CF41CC1C5B990930E88459386E9B12099BE98CBC595A45D62D6A0630820BD7510777D3DF345B99F979FCB57806F33A904CF77A4621C597EA159C0A5E494A74A87B5AB155C2BF072640400000000000048040000E40AC46DE82E4C9CA3140FC7B2008710308204343082031CA003020102020900B94124A0182C9267300D06092A864886F70D01010B0500308184310B30090603550406130247423114301206035504080C0B49736C65206F66204D616E3110300E06035504070C07446F75676C617331173015060355040A0C0E43616E6F6E6963616C204C74642E3134303206035504030C2B43616E6F6E6963616C204C74642E204D617374657220436572746966696361746520417574686F72697479301E170D3132303431323131313235315A170D3432303431313131313235315A308184310B30090603550406130247423114301206035504080C0B49736C65206F66204D616E3110300E06035504070C07446F75676C617331173015060355040A0C0E43616E6F6E6963616C204C74642E3134303206035504030C2B43616E6F6E6963616C204C74642E204D617374657220436572746966696361746520417574686F7269747930820122300D06092A864886F70D01010105000382010F003082010A0282010100BF5B3A1674EE215DAE61ED9D56ACBDDEDE72F3DD7E2D4C620FACC06D480811CF8D8BFB611F27CC116ED9553D3954EB403BB1BBE2853479CAF77BBFBA7AC8102D197DAD59CFA6D4E94E0FDAAE52EA4C9E90CEC6990D4E6765785DF9D1D5384A4A7A8F939C7F1AA385DBCEFA8BF7C2A2212D9B5441351057138D6CBC2906504A7EEA99A968A73BC7071B329EA019870E79BB68992D7E9352E5F6EBC99BF92BEDB86849BCD99550405BC5B271AAEB5C57DE71F9400ADD5BAC1E842D501A52D6E1F36B6E90644F5BB4EB20E46110DA5AF0EAE442D701C4FE211FD9B9C05495428152721F49647AC86C24F108700B4DA5A032D1A01C57A84DE3AFA58E05053E1043A10203010001A381A63081A3301D0603551D0E04160414AD91990BC22AB1F517048C23B6655A268E345A63301F0603551D23041830168014AD91990BC22AB1F517048C23B6655A268E345A63300F0603551D130101FF040530030101FF300B0603551D0F04040302018630430603551D1F043C303A3038A036A0348632687474703A2F2F7777772E63616E6F6E6963616C2E636F6D2F7365637572652D626F6F742D6D61737465722D63612E63726C300D06092A864886F70D01010B050003820101003F7DF676A5B383B42B7AD06D521A0383C412A7509C4792CCC0947782D2AE57B39904F5323AC6551D07DB12A956FAD8D47620EBE4C351DB9A5C9C923F1873DA946AA199388CA4886DC1FC3971D0747616033E562335D555475B1A1D41C2D3124CDCFFAE0A929C620A17019C73E05EB1FDBCD6B519117A7ECD3E037E66DB5BA8C9394851FF53E19C3153911B3B10750317BAE681028094704C46B794B03D15CD1F8E02E068028FFBF9471D7DA201C60751C49ACCEDDDCFA35DED92BBBED1FDE6EC1F33517304BE3C72B07D08F801FF987DCB9CE069397725477188B18D27A52EA8F73F5F8069973EA9F49914DBCE030E0B66C41C6DBDB82777C14294BDFC6A0ABC2616C4C14C509240ACA941F9369343280C010000000000003000000000000000000000000000000000000000F58FBDF71BE8C37CBBD6944E472C450B1043817B972914487C221033F3079E430000000000000000000000000000000004970157DE52CDAE14CF17EE369881D6245B3A6AB6352EABAEE588A0584B030300000000000000000000000000000000F16B5FC361183F587120E602C0D65773AFDFE786124184FA70805258D76D594C000000000000000000000000000000007E021F15E3A67B75ACE884999BEDFFE34213792A611E40E562E87E6B9A0CB28200000000000000000000000000000000A5D109B2AFA3FA90878F70382B2388FCD2FEAEAE8A51B80ADD048E9F876B2A4E0700000001000080010000000B008BC595AFE91665472BF77EB8874BEA431442530E0B1C993D48C0A3FFD307BEFBEE0F0000CBB219D73A3D9645A3BCDAD00E67656F0300000000000000C80F0000000000006400620078002616C4C14C509240ACA941F9369343288C0E00000000000030000000BD9AFA775903324DBD6028F4E78F784B80B4D96931BF0D02FD91A61E19D14F1DA452E66DB2408CA8604D411F92659F0ABD9AFA775903324DBD6028F4E78F784BF52F83A3FA9CFBD6920F722824DBE4034534D25B8507246B3B957DAC6E1BCE7ABD9AFA775903324DBD6028F4E78F784BC5D9D8A186E2C82D09AFAA2A6F7F2E73870D3E64F72C4E08EF67796A840F0FBDBD9AFA775903324DBD6028F4E78F784B363384D14D1F2E0B7815626484C459AD57A318EF4396266048D058C5A19BBF76BD9AFA775903324DBD6028F4E78F784B1AEC84B84B6C65A51220A9BE7181965230210D62D6D33C48999C6B295A2B0A06BD9AFA775903324DBD6028F4E78F784BE6CA68E94146629AF03F69C2F86E6BEF62F930B37C6FBCC878B78DF98C0334E5BD9AFA775903324DBD6028F4E78F784BC3A99A460DA464A057C3586D83CEF5F4AE08B7103979ED8932742DF0ED530C66BD9AFA775903324DBD6028F4E78F784B58FB941AEF95A25943B3FB5F2510A0DF3FE44C58C95E0AB80487297568AB9771BD9AFA775903324DBD6028F4E78F784B5391C3A2FB112102A6AA1EDC25AE77E19F5D6F09CD09EEB2509922BFCD5992EABD9AFA775903324DBD6028F4E78F784BD626157E1D6A718BC124AB8DA27CBB65072CA03A7B6B257DBDCBBD60F65EF3D1BD9AFA775903324DBD6028F4E78F784BD063EC28F67EBA53F1642DBF7DFF33C6A32ADD869F6013FE162E2C32F1CBE56DBD9AFA775903324DBD6028F4E78F784B29C6EB52B43C3AA18B2CD8ED6EA8607CEF3CFAE1BAFE1165755CF2E614844A44BD9AFA775903324DBD6028F4E78F784B90FBE70E69D633408D3E170C6832DBB2D209E0272527DFB63D49D29572A6F44CBD9AFA775903324DBD6028F4E78F784B075EEA060589548BA060B2FEED10DA3C20C7FE9B17CD026B94E8A683B8115238BD9AFA775903324DBD6028F4E78F784B07E6C6A858646FB1EFC67903FE28B116011F2367FE92E6BE2B36999EFF39D09EBD9AFA775903324DBD6028F4E78F784B09DF5F4E511208EC78B96D12D08125FDB603868DE39F6F72927852599B659C26BD9AFA775903324DBD6028F4E78F784B0BBB4392DAAC7AB89B30A4AC657531B97BFAAB04F90B0DAFE5F9B6EB90A06374BD9AFA775903324DBD6028F4E78F784B0C189339762DF336AB3DD006A463DF715A39CFB0F492465C600E6C6BD7BD898CBD9AFA775903324DBD6028F4E78F784B0D0DBECA6F29ECA06F331A7D72E4884B12097FB348983A2A14A0D73F4F10140FBD9AFA775903324DBD6028F4E78F784B0DC9F3FB99962148C3CA833632758D3ED4FC8D0B0007B95B31E6528F2ACD5BFCBD9AFA775903324DBD6028F4E78F784B106FACEACFECFD4E303B74F480A08098E2D0802B936F8EC774CE21F31686689CBD9AFA775903324DBD6028F4E78F784B174E3A0B5B43C6A607BBD3404F05341E3DCF396267CE94F8B50E2E23A9DA920CBD9AFA775903324DBD6028F4E78F784B18333429FF0562ED9F97033E1148DCEEE52DBE2E496D5410B5CFD6C864D2D10FBD9AFA775903324DBD6028F4E78F784B2B99CF26422E92FE365FBF4BC30D27086C9EE14B7A6FFF44FB2F6B9001699939BD9AFA775903324DBD6028F4E78F784B2BBF2CA7B8F1D91F27EE52B6FB2A5DD049B85A2B9B529C5D6662068104B055F8BD9AFA775903324DBD6028F4E78F784B2C73D93325BA6DCBE589D4A4C63C5B935559EF92FBF050ED50C4E2085206F17DBD9AFA775903324DBD6028F4E78F784B2E70916786A6F773511FA7181FAB0F1D70B557C6322EA923B2A8D3B92B51AF7DBD9AFA775903324DBD6028F4E78F784B306628FA5477305728BA4A467DE7D0387A54F569D3769FCE5E75EC89D28D1593BD9AFA775903324DBD6028F4E78F784B3608EDBAF5AD0F41A414A1777ABF2FAF5E670334675EC3995E6935829E0CAAD2BD9AFA775903324DBD6028F4E78F784B3841D221368D1583D75C0A02E62160394D6C4E0A6760B6F607B90362BC855B02BD9AFA775903324DBD6028F4E78F784B3FCE9B9FDF3EF09D5452B0F95EE481C2B7F06D743A737971558E70136ACE3E73BD9AFA775903324DBD6028F4E78F784B4397DACA839E7F63077CB50C92DF43BC2D2FB2A8F59F26FC7A0E4BD4D9751692BD9AFA775903324DBD6028F4E78F784B47CC086127E2069A86E03A6BEF2CD410F8C55A6D6BDB362168C31B2CE32A5ADFBD9AFA775903324DBD6028F4E78F784B518831FE7382B514D03E15C621228B8AB65479BD0CBFA3C5C1D0F48D9C306135BD9AFA775903324DBD6028F4E78F784B5AE949EA8855EB93E439DBC65BDA2E42852C2FDF6789FA146736E3C3410F2B5CBD9AFA775903324DBD6028F4E78F784B6B1D138078E4418AA68DEB7BB35E066092CF479EEB8CE4CD12E7D072CCB42F66BD9AFA775903324DBD6028F4E78F784B6C8854478DD559E29351B826C06CB8BFEF2B94AD3538358772D193F82ED1CA11BD9AFA775903324DBD6028F4E78F784B6F1428FF71C9DB0ED5AF1F2E7BBFCBAB647CC265DDF5B293CDB626F50A3A785EBD9AFA775903324DBD6028F4E78F784B71F2906FD222497E54A34662AB2497FCC81020770FF51368E9E3D9BFCBFD6375BD9AFA775903324DBD6028F4E78F784B726B3EB654046A30F3F83D9B96CE03F670E9A806D1708A0371E62DC49D2C23C1BD9AFA775903324DBD6028F4E78F784B72E0BD1867CF5D9D56AB158ADF3BDDBC82BF32A8D8AA1D8C5E2F6DF29428D6D8BD9AFA775903324DBD6028F4E78F784B7827AF99362CFAF0717DADE4B1BFE0438AD171C15ADDC248B75BF8CAA44BB2C5BD9AFA775903324DBD6028F4E78F784B81A8B965BB84D3876B9429A95481CC955318CFAA1412D808C8A33BFD33FFF0E4BD9AFA775903324DBD6028F4E78F784B82DB3BCEB4F60843CE9D97C3D187CD9B5941CD3DE8100E586F2BDA5637575F67BD9AFA775903324DBD6028F4E78F784B895A9785F617CA1D7ED44FC1A1470B71F3F1223862D9FF9DCC3AE2DF92163DAFBD9AFA775903324DBD6028F4E78F784B8AD64859F195B5F58DAFAA940B6A6167ACD67A886E8F469364177221C55945B9BD9AFA775903324DBD6028F4E78F784B8BF434B49E00CCF71502A2CD900865CB01EC3B3DA03C35BE505FDF7BD563F521BD9AFA775903324DBD6028F4E78F784B8D8EA289CFE70A1C07AB7365CB28EE51EDD33CF2506DE888FBADD60EBF80481CBD9AFA775903324DBD6028F4E78F784B9998D363C491BE16BD74BA10B94D9291001611736FDCA643A36664BC0F315A42BD9AFA775903324DBD6028F4E78F784B9E4A69173161682E55FDE8FEF560EB88EC1FFEDCAF04001F66C0CAF707B2B734BD9AFA775903324DBD6028F4E78F784BA6B5151F3655D3A2AF0D472759796BE4A4200E5495A7D869754C4848857408A7BD9AFA775903324DBD6028F4E78F784BA7F32F508D4EB0FEAD9A087EF94ED1BA0AEC5DE6F7EF6FF0A62B93BEDF5D458DBD9AFA775903324DBD6028F4E78F784BAD6826E1946D26D3EAF3685C88D97D85DE3B4DCB3D0EE2AE81C70560D13C5720BD9AFA775903324DBD6028F4E78F784BAEEBAE3151271273ED95AA2E671139ED31A98567303A332298F83709A9D55AA1BD9AFA775903324DBD6028F4E78F784BAFE2030AFB7D2CDA13F9FA333A02E34F6751AFEC11B010DBCD441FDF4C4002B3BD9AFA775903324DBD6028F4E78F784BB54F1EE636631FAD68058D3B0937031AC1B90CCB17062A391CCA68AFDBE40D55BD9AFA775903324DBD6028F4E78F784BB8F078D983A24AC433216393883514CD932C33AF18E7DD70884C8235F4275736BD9AFA775903324DBD6028F4E78F784BB97A0889059C035FF1D54B6DB53B11B9766668D9F955247C028B2837D7A04CD9BD9AFA775903324DBD6028F4E78F784BBC87A668E81966489CB508EE805183C19E6ACD24CF17799CA062D2E384DA0EA7BD9AFA775903324DBD6028F4E78F784BC409BDAC4775ADD8DB92AA22B5B718FB8C94A1462C1FE9A416B95D8A3388C2FCBD9AFA775903324DBD6028F4E78F784BC617C1A8B1EE2A811C28B5A81B4C83D7C98B5B0C27281D610207EBE692C2967FBD9AFA775903324DBD6028F4E78F784BC90F336617B8E7F983975413C997F10B73EB267FD8A10CB9E3BDBFC667ABDB8BBD9AFA775903324DBD6028F4E78F784BCB6B858B40D3A098765815B592C1514A49604FAFD60819DA88D7A76E9778FEF7BD9AFA775903324DBD6028F4E78F784BCE3BFABE59D67CE8AC8DFD4A16F7C43EF9C224513FBC655957D735FA29F540CEBD9AFA775903324DBD6028F4E78F784BD8CBEB9735F5672B367E4F96CDC74969615D17074AE96C724D42CE0216F8F3FABD9AFA775903324DBD6028F4E78F784BE92C22EB3B5642D65C1EC2CAF247D2594738EEBB7FB3841A44956F59E2B0D1FABD9AFA775903324DBD6028F4E78F784BFDDD6E3D29EA84C7743DAD4A1BDBC700B5FEC1B391F932409086ACC71DD6DBD8BD9AFA775903324DBD6028F4E78F784BFE63A84F782CC9D3FCF2CCF9FC11FBD03760878758D26285ED12669BDC6E6D01BD9AFA775903324DBD6028F4E78F784BFECFB232D12E994B6D485D2C7167728AA5525984AD5CA61E7516221F079A1436BD9AFA775903324DBD6028F4E78F784BCA171D614A8D7E121C93948CD0FE55D39981F9D11AA96E03450A415227C2C65BBD9AFA775903324DBD6028F4E78F784B55B99B0DE53DBCFE485AA9C737CF3FB616EF3D91FAB599AA7CAB19EDA763B5BABD9AFA775903324DBD6028F4E78F784B77DD190FA30D88FF5E3B011A0AE61E6209780C130B535ECB87E6F0888A0B6B2FBD9AFA775903324DBD6028F4E78F784BC83CB13922AD99F560744675DD37CC94DCAD5A1FCBA6472FEE341171D939E884BD9AFA775903324DBD6028F4E78F784B3B0287533E0CC3D0EC1AA823CBF0A941AAD8721579D1C499802DD1C3A636B8A9BD9AFA775903324DBD6028F4E78F784B939AEEF4F5FA51E23340C3F2E49048CE8872526AFDF752C3A7F3A3F2BC9F6049BD9AFA775903324DBD6028F4E78F784B64575BD912789A2E14AD56F6341F52AF6BF80CF94400785975E9F04E2D64D745BD9AFA775903324DBD6028F4E78F784B45C7C8AE750ACFBB48FC37527D6412DD644DAED8913CCD8A24C94D856967DF8E2616C4C14C509240ACA941F9369343283C0100000000000030000000BD9AFA775903324DBD6028F4E78F784B81D8FB4C9E2E7A8225656B4B8273B7CBA4B03EF2E9EB20E0A0291624ECA1BA86BD9AFA775903324DBD6028F4E78F784BB92AF298DC08049B78C77492D6551B710CD72AADA3D77BE54609E43278EF6E4DBD9AFA775903324DBD6028F4E78F784BE19DAE83C02E6F281358D4EBD11D7723B4F5EA0E357907D5443DECC5F93C1E9DBD9AFA775903324DBD6028F4E78F784B39DBC2288EF44B5F95332CB777E31103E840DBA680634AA806F5C9B100061802BD9AFA775903324DBD6028F4E78F784B32F5940CA29DD812A2C145E6FC89646628FFCC7C7A42CAE512337D8D29C40BBDBD9AFA775903324DBD6028F4E78F784B10D45FCBA396AEF3153EE8F6ECAE58AFE8476A280A2026FC71F6217DCF49BA2F0700000004000000010000000B00DF3F619804A92FDB4057192DC43DD748EA778ADC52BC498CE80524C014B81119040000000000000007000000E0000080010000000B0030BF464EE37F1BC0C7B1A5BF25ECED275347C3AB1492D5623AE9F7663BE07DD50F060000CBB219D73A3D9645A3BCDAD00E67656F0200000000000000EB0500000000000064006200BD9AFA775903324DBD6028F4E78F784B308205D7308203BFA003020102020A61077656000000000008300D06092A864886F70D01010B0500308188310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E31323030060355040313294D6963726F736F667420526F6F7420436572746966696361746520417574686F726974792032303130301E170D3131313031393138343134325A170D3236313031393138353134325A308184310B3009060355040613025553311330110603550408130A57617368696E67746F6E3110300E060355040713075265646D6F6E64311E301C060355040A13154D6963726F736F667420436F72706F726174696F6E312E302C060355040313254D6963726F736F66742057696E646F77732050726F64756374696F6E20504341203230313130820122300D06092A864886F70D01010105000382010F003082010A0282010100DD0CBBA2E42E09E3E7C5F79669BC0021BD693333EFAD04CB5480EE0683BBC52084D9F7D28BF338B0ABA4AD2D7C627905FFE34A3F04352070E3C4E76BE09CC03675E98A31DD8D70E5DC37B5744696285B8760232CBFDC47A567F751279E72EB07A6C9B91E3B53357CE5D3EC27B9871CFEB9C923096FA84691C16E963C41D3CBA33F5D026A4DEC691F25285C36FFFD43150A94E019B4CFDFC212E2C25B27EE2778308B5B2A096B22895360162CC0681D53BAEC49F39D618C85680973445D7DA2542BDD79F715CF355D6C1C2B5CCEBC9C238B6F6EB526D93613C34FD627AEB9323B41922CE1C7CD77E8AA544EF75C0B048765B44318A8B2E06D1977EC5A24FA48030203010001A38201433082013F301006092B06010401823715010403020100301D0603551D0E04160414A92902398E16C49778CD90F99E4F9AE17C55AF53301906092B0601040182371402040C1E0A00530075006200430041300B0603551D0F040403020186300F0603551D130101FF040530030101FF301F0603551D23041830168014D5F656CB8FE8A25C6268D13D94905BD7CE9A18C430560603551D1F044F304D304BA049A0478645687474703A2F2F63726C2E6D6963726F736F66742E636F6D2F706B692F63726C2F70726F64756374732F4D6963526F6F4365724175745F323031302D30362D32332E63726C305A06082B06010505070101044E304C304A06082B06010505073002863E687474703A2F2F7777772E6D6963726F736F66742E636F6D2F706B692F63657274732F4D6963526F6F4365724175745F323031302D30362D32332E637274300D06092A864886F70D01010B0500038202010014FC7C7151A579C26EB2EF393EBC3C520F6E2B3F101373FEA868D048A6344D8A960526EE3146906179D6FF382E456BF4C0E528B8DA1D8F8ADB09D71AC74C0A36666A8CEC1BD70490A81817A49BB9E240323676C4C15AC6BFE404C0EA16D3ACC368EF62ACDD546C503058A6EB7CFE94A74E8EF4EC7C867357C2522173345AF3A38A56C804DA0709EDF88BE3CEF47E8EAEF0F60B8A08FB3FC91D727F53B8EBBE63E0E33D3165B081E5F2ACCD16A49F3DA8B19BC242D090845F541DFF89EABA1D47906FB0734E419F409F5FE5A12AB21191738A2128F0CEDE73395F3EAB5C60ECDF0310A8D309E9F4F69685B67F51886647198DA2B0123D812A680577BB914C627BB6C107C7BA7A8734030E4B627A99E9CAFCCE4A37C92DA4577C1CFE3DDCB80F5AFAD6C4B30285023AEAB3D96EE4692137DE81D1F675190567D393575E291B39C8EE2DE1CDE445735BD0D2CE7AAB1619824658D05E9D81B367AF6C35F2BCE53F24E235A20A7506F6185699D4782CD1051BEBD088019DAA10F105DFBA7E2C63B7069B2321C4F9786CE2581706362B911203CCA4D9F22DBAF9949D40ED1845F1CE8A5C6B3EAB03D370182A0A6AE05F47D1D5630A32F2AFD7361F2A705AE5425908714B57BA7E8381F0213CF41CC1C5B990930E88459386E9B12099BE98CBC595A45D62D6A0630820BD7510777D3DF345B99F979FCB57806F33A904CF77A4621C597E0B0000000C000000010000000B00097328E8C957DE2428283954F6A1EE8FF7AD7DEF12E100A600178407F5DECF2404000000100000000B0000000C000000010000000B0008EFEA1C0957A5A1FE019E6EDB21FDC9FBE5DE2213487EAB7A05E06ECA1C978404000000FFFF0000"
}
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 818 — BitLocker encountered a failure attempting to configure network unlock for volume VolumeMountPoint.
Event ID 819 — The BitLocker service could not resume protection on the OS volume VolumeMountPoint, due to the following error: Bootable media in the drive.
Event ID 820 — The BitLocker service could not resume protection on the OS volume VolumeMountPoint, due to the following error: TPM is locked out.
Event ID 821 — The BitLocker service could not resume protection on the OS volume VolumeMountPoint, due to the following error: Group policy conflict.
Event ID 822 — The BitLocker service could not resume protection on the OS volume VolumeMountPoint, due to the following error code: ErrorCode.
Event ID 823 — Bootmgr failed to obtain the BitLocker volume master key from the TPM because Secure Boot was disabled.
Event ID 824 — Bootmgr failed to obtain the BitLocker volume master key from the TPM because Secure Boot configuration changed unexpectedly.
Event ID 825 — BitLocker failed to initialize hardware encryption for volume VolumeMountPoint.
Event ID 826 — The password was changed.
Description
The password was changed.
Message #
Event ID 827 — A password change attempt failed.
Event ID 828 — BitLocker Drive Encryption recovery information for volume VolumeName was backed up successfully to your Microsoft account.
Event ID 829 — Failed to backup BitLocker Drive Encryption recovery information for volume VolumeName to your Microsoft account.
Event ID 830 — The BitLocker Drive Encryption recovery information already exists in your Microsoft account.
Description
The BitLocker Drive Encryption recovery information already exists in your Microsoft account.
Message #
Event ID 831 — Failed to save BitLocker Drive Encryption recovery information to your Microsoft account due to an error.
Event ID 832 — TCG Log parsing failure.
Event ID 833 — BitLocker detected that custom Secure Boot policy is installed, and will seal to this configuration.
Description
BitLocker detected that custom Secure Boot policy is installed, and will seal to this configuration. Sealing to a custom policy may reduce the integrity provided by Secure Boot.
Message #
Event ID 834 — BitLocker determined that the TCG log is invalid for use of Secure Boot.
Description
BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.
Message #
Fields #
| Name | Description |
|---|---|
PCRBitmap UInt32 | — |
PCRBitmapSource UInt32 | — |
PCRValuesSize UInt32 | — |
PCRValues Binary | — |
FilteredTcgLogSize UInt32 | — |
FilteredTcgLog Binary | — |
TpmSrkAesStrengthInBits UInt16 | — |
Event ID 835 — BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority has invalid structure.
Description
BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority has invalid structure.
Message #
Event ID 836 — BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority is invalid.
Description
BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority is invalid.
Message #
Event ID 837 — BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority is invalid.
Description
BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority is invalid.
Message #
Event ID 838 — BitLocker cannot use Secure Boot for integrity because the signature of the boot manager could not be validated as a Windows signature chained to a...
Description
BitLocker cannot use Secure Boot for integrity because the signature of the boot manager could not be validated as a Windows signature chained to a trusted Microsoft root certificate.
Message #
Event ID 839 — BitLocker cannot use Secure Boot for integrity because the TCG Log entry for the OS Loader Authority is invalid.
Description
BitLocker cannot use Secure Boot for integrity because the TCG Log entry for the OS Loader Authority is invalid.
Message #
Event ID 840 — A trusted WIM file has been added for volume %3.
#Description
A trusted WIM file has been added for volume %3.
Message #
Fields #
| Name | Description |
|---|---|
The_SHA256_hash_of_the_WIM_file_is | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-BitLocker-API",
"guid": "5D674230-CA9F-11DA-A94D-0800200C9A66",
"event_source_name": "",
"event_id": 840,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-11-01T21:25:03.283160Z",
"event_record_id": 17,
"correlation": {},
"execution": {
"process_id": 10108,
"thread_id": 1924
},
"channel": "Microsoft-Windows-BitLocker/BitLocker Management",
"computer": "GUAPOS-PC",
"security": {
"user_id": "S-1-5-21-2296991126-4013933037-3802873755-1001"
}
},
"event_data": {
"IdentificationGUID": "45A9DCBD-40EC-4295-A9E6-C2E63844F040",
"VolumeName": "\\\\?\\Volume{95b548ac-9d1a-4f36-96fc-2c67e06caefb}",
"VolumeMountPoint": "C:",
"BinaryDataSize": 32,
"BinaryData": "F97AFF018A007ACD584A246C1F49D2BB8CD9AB4E7E461D52AE4623CB0A1260DB"
}
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 841 — BitLocker was unable to update a key for volume VolumeMountPoint due to the following error: ErrorCode.
Event ID 842 — BitLocker was unable to reseal boot settings to the TPM in the Windows Recovery Environment.
Event ID 843 — BitLocker was suspended from within the Windows Recovery Environment.
Event ID 844 — BitLocker was unable to recover from device lock in the Windows Recovery Environment.
Event ID 845 — BitLocker Drive Encryption recovery information for volume Protector_GUID was backed up successfully to your Entra ID.
Event ID 846 — Failed to backup BitLocker Drive Encryption recovery information for volume TraceId to your Entra ID.
Event ID 847 — Failed to save BitLocker Drive Encryption recovery information to your Azure AD due to an error.
Description
Failed to save BitLocker Drive Encryption recovery information to your Entra ID due to an error.
Message #
Fields #
| Name | Description |
|---|---|
Request_Id UnicodeString | — |
Response_Time UnicodeString | — |
Error_Code UnicodeString | — |
Error_Subcode UnicodeString | — |
Error_message UnicodeString | — |
JsonRequestId UnicodeString | — |
JsonTime UnicodeString | — |
JsonErrorCode UnicodeString | — |
JsonSubCode UnicodeString | — |
JsonMessage UnicodeString | — |
Event ID 848 — Failed to update BCD store with the Recovery URL for OS volume.
Event ID 849 — Failed to set the TPM dictionary attack parameters to the legacy behavior.
Event ID 850 — Successfully set the TPM dictionary attack parameters to the legacy behavior.
Event ID 851 — Failed to enable Silent Encryption.
Event ID 852 — Failed to enable Silent Encryption.
Event ID 853 — Failed to enable Silent Encryption.
Event ID 854 — Failed to enable Silent Encryption.
Event ID 855 — Recovery Password Rotation initiated.
Description
Recovery Password Rotation initiated.
Message #
Event ID 856 — Failed to initiate the Recovery Password Rotation Error.
Event ID 857 — Recovery Passwords Rotation done successfully
Description
Recovery Passwords Rotation done successfully.
Message #
Event ID 858 — Recovery Password Rotation failed.
Event ID 859 — Recovery Password Rotation failed.
Event ID 860 — Failed to delete recovery password from AAD.
Event ID 861 — Failed to create clinet recovery password rotation request.
Event ID 862 — Failed to Create AAD recovery Password Delete request.
Event ID 863 — Failed to initiate the Recovery Password Rotation and Entra ID Deletion requests processing Error.
Event ID 864 — Recovery Passwords Rotation and AAD Deletion requests processing initiated successfully
Description
Recovery Passwords Rotation and Entra ID Deletion requests processing initiated successfully.
Message #
Event ID 865 — BitLocker was unable to verify if TPM protector resealing is possible for volume VolumeMountPoint due to the following error: ErrorCode.
Event ID 866 — A BitLocker key protector which uses PBKDF2 was created.
Event ID 867 — Failed to delete BitLocker Drive Encryption recovery information for volume Protector_GUID from Entra ID.
Event ID 868 — Failed while attempting to get BitLocker Drive Encryption recovery information from Azure AD.
Event ID 869 — An operating system volume BitLocker recovery key password for the currently signed in user has not been backed up.
Description
An operating system volume BitLocker recovery key password for the currently signed in user has not been backed up.
Message #
Event ID 870 — Failed to register information for reverted volume.
Event ID 871 — Failed to register timer for recovery password cleanup.
Event ID 872 — Failed to save request.
Event ID 873 — Server reported a failure while attempting to backup a recovery password.
Event ID 874 — Server reported a failure while attempting to delete recovery password(s) from AAD.
Event ID 875 — Server reported a failure while attempting to retrieve recovery password information from AAD.
Event ID 876 — Failed to delete BitLocker Drive Encryption recovery information from Azure AD.
Event ID 877 — Not all privileges requested are assigned to the caller.
Description
Not all privileges requested are assigned to the caller.
Message #
Event ID 878 — BitLocker failed to validate secure boot state.
Event ID 879 — BitLocker failed to add a recovery password because the maximum number of recovery passwords has been reached.
Event ID 880 — BitLocker is unable to predict PCR7 value and will attempt to seal to current TPM PCR7 value as required by policy Policy PCR profile.
Event ID 881 — The signature contained in the EFI_SIGNATURE_DATA structure from the TCG Log OS Loader Authority event could not be found in the verified certifica...
Description
The signature contained in the EFI_SIGNATURE_DATA structure from the TCG Log OS Loader Authority event could not be found in the verified certificate chain for the boot manager.
Message #
Event ID 882 — BitLocker cannot use Secure Boot for integrity because hash of the boot manager for the TCG Log OS Loader Authority event could not be predicted.
Description
BitLocker cannot use Secure Boot for integrity because hash of the boot manager for the TCG Log OS Loader Authority event could not be predicted.
Message #
Event ID 883 — BitLocker cannot use Secure Boot for integrity because the expected TCG Log entry for the OS Loader Authority is invalid.
Event ID 884 — BitLocker cannot use Secure Boot for integrity because the signature in a TCG Log Authority event was not found in the Secure Boot 'db' signature d...
Event ID 885 — BitLocker cannot use Secure Boot for integrity because the signature predicted for the boot manager was not found in the Secure Boot 'db' signature...
Event ID 886 — BitLocker removed an orphaned TPM digest datum with identifier IdentityGUID.
Event ID 887 — There was a problem communicating with the TPM at boot.
Event ID 888 — BitLocker failed to obtain the key from the TPM due to an unforseen TPM failure.
Event ID 889 — BitLocker is attempting to seal to a PCR which is known to have events extended into the TPM after the BitLocker TPM cap event.
Event ID 890 —
Description
BitLocker conducted a TPM binding census.
Fields #
| Name | Description |
|---|---|
CountTpmBindings UInt32 | — |
TpmBindingsTotalSizeTpmDatumsOnly UInt64 | — |
TpmBindingsTotalSizeIncludingDigestDatums UInt64 | — |
CensusData UInt8 | — |
Event ID 890 — BitLocker conducted a TPM binding census.
Event ID 891 —
Description
BitLocker updated its TPM bindings in response to a PCR Prediction Framework callback. USN: , Scenario: , Volume: , Error: .
Fields #
| Name | Description |
|---|---|
ErrorCode Int32 | — |
USN UInt64 | — |
Scenario UInt32 | — |
VolumeMountPoint UnicodeString | — |
Event ID 891 — BitLocker updated its TPM bindings in response to a PCR Prediction Framework callback.
Event ID 892 —
Description
BitLocker successfully sealed a key to the TPM.
Fields #
| Name | Description |
|---|---|
PCRBitmap UInt32 | — |
PCRBitmapSource UInt32 | — |
PCRValuesSize UInt32 | — |
PCRValues Binary | — |
FilteredLog AnsiString | — |
TpmSrkAesStrengthInBits UInt16 | — |
ExcludedPcrsBitmap UInt32 | — |
Event ID 892 — BitLocker successfully sealed a key to the TPM.
Event ID 893 —
Description
BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.
Fields #
| Name | Description |
|---|---|
PCRBitmap UInt32 | — |
PCRBitmapSource UInt32 | — |
PCRValuesSize UInt32 | — |
PCRValues Binary | — |
FilteredLog AnsiString | — |
TpmSrkAesStrengthInBits UInt16 | — |
ExcludedPcrsBitmap UInt32 | — |
Event ID 893 — BitLocker determined that the TCG log is invalid for use of Secure Boot.
Description
BitLocker determined that the TCG log is invalid for use of Secure Boot. The filtered TCG log for PCR[7] is included in this event.
Message #
Fields #
| Name | Description |
|---|---|
PCRBitmap UInt32 | — |
PCRBitmapSource UInt32 | — |
PCRValuesSize UInt32 | — |
PCRValues Binary | — |
FilteredLog AnsiString | — |
TpmSrkAesStrengthInBits UInt16 | — |
ExcludedPcrsBitmap UInt32 | — |
Event ID 896 —
Description
BitLocker is currently excluding PCRs from its TPM protector PCR profile () as required by a firmware update installation.
Fields #
| Name | Description |
|---|---|
ExcludedPcrsBitmap UInt32 | — |
PcrProfile UInt32 | — |
Event ID 896 — BitLocker is currently excluding PCRs ExcludedPcrsBitmap from its TPM protector PCR profile (PcrProfile) as required by a firmware update installation.
Event ID 897 —
Description
BitLocker Drive Encryption recovery information for volume was backed up successfully to your Microsoft account.
Fields #
| Name | Description |
|---|---|
IdentificationGUID GUID | — |
VolumeName UnicodeString | — |
VolumeMountPoint UnicodeString | — |
ProtectorGUID GUID | — |
BackendName UnicodeString | — |
Event ID 897 — BitLocker Drive Encryption recovery information for volume VolumeMountPoint was backed up successfully to your Microsoft account.
Event ID 898 —
Description
Failed to backup BitLocker Drive Encryption recovery information for volume to your Microsoft account.
Fields #
| Name | Description |
|---|---|
IdentificationGUID GUID | — |
VolumeName UnicodeString | — |
VolumeMountPoint UnicodeString | — |
ErrorCode Int32 | — |
BackendName UnicodeString | — |
Event ID 898 — Failed to backup BitLocker Drive Encryption recovery information for volume VolumeMountPoint to your Microsoft account.
Event ID 899 —
Description
BitLocker is reading the TPM to calculate the PCR value.
Fields #
| Name | Description |
|---|---|
Pcr UInt32 | — |
Event ID 899 — BitLocker is reading the TPM to calculate the PCR Pcr value.
Event ID 900 —
Description
BitLocker successfully committed metadata changes for volume .
Fields #
| Name | Description |
|---|---|
IdentificationGUID GUID | — |
VolumeName UnicodeString | — |
VolumeMountPoint UnicodeString | — |
ErrorCode Int32 | — |
Event ID 900 — BitLocker successfully committed metadata changes for volume VolumeMountPoint.
Event ID 4096 — Device Encryption could not be initialized.
Event ID 4097 — Device Encryption initialization start.
Description
Device Encryption initialization start.
Message #
Event ID 4098 — Device Encryption initialization stop.
Description
Device Encryption initialization stop.
Message #
Event ID 4099 — Device Encryption failed to process user logon event.
Event ID 4100 — Beginning Device Encryption user logon processing.
Description
Beginning Device Encryption user logon processing.
Message #
Event ID 4101 — Ending Device Encryption user logon processing.
Description
Ending Device Encryption user logon processing.
Message #
Event ID 4102 — BitLocker failed to recover after Device Lock.
Event ID 4103 — Failed to automatically enable Device Encryption.
Event ID 4104 — Begin Enable Protection.
Description
Begin Enable Protection.
Message #
Event ID 4105 — End Enable Protection.
Description
End Enable Protection.
Message #
Event ID 4106 — Failed to automatically back up recovery password to your Microsoft account.
Event ID 4107 — Begin Recovery Password Backup.
Description
Begin Recovery Password Backup.
Message #
Event ID 4108 — End Recovery Password Backup.
Description
End Recovery Password Backup.
Message #
Event ID 4109 — Begin Query Protection Status.
Description
Begin Query Protection Status.
Message #
Event ID 4110 — End Query Protection Status.
Description
End Query Protection Status.
Message #
Event ID 4111 — Device Lock recovery event initiated for volume VolumeMountPoint.
Event ID 4112 — MaxPasswordRetry policy enforced with TPM-based hardening for volume VolumeMountPoint.
Event ID 4113 — MaxPasswordRetry policy enforced without hardware based hardening for volume VolumeMountPoint.
Event ID 4114 — Device Lock recovery event initiated due to protected state mismatch for volume VolumeMountPoint.
Event ID 4116 — Device Encryption initialization for volume VolumeMountPoint start.
Event ID 4117 — Device Encryption initialization for volume VolumeMountPoint stop.
Event ID 4118 — Volume VolumeName could not be initialized for Device Encryption.
Event ID 4119 — Windows RE is not correctly configured for device encryption.
Description
Windows RE is not correctly configured for device encryption. Make sure that Windows RE is enabled and is not installed on the OS drive.
Message #
Event ID 4120 — The TPM is not provisioned for device encryption.
Description
The TPM is not provisioned for device encryption. To set up the TPM use the TPM management console (Start->tpm.msc) and use the action to make the TPM ready.
Message #
Event ID 4121 — Sign in with a Microsoft account to finish provisioning device encryption.
Description
Sign in with a Microsoft account to finish provisioning device encryption.
Message #
Event ID 4122 — The following DMA (Direct Memory Access) capable devices are not declared as protected from external access, which can block security features such...
#Description
The following DMA (Direct Memory Access) capable devices are not declared as protected from external access, which can block security features such as BitLocker automatic device encryption.
Message #
Fields #
| Name | Description |
|---|---|
LocalizedText UnicodeString | The following DMA (Direct Memory Access) capable devices are not declared as protected from external access, which can block security features such as BitLocker automatic device encryption |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-BitLocker-API",
"guid": "5D674230-CA9F-11DA-A94D-0800200C9A66",
"event_source_name": "",
"event_id": 4122,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T22:28:46.216571+00:00",
"event_record_id": 2,
"correlation": {},
"execution": {
"process_id": 4412,
"thread_id": 4416
},
"channel": "Microsoft-Windows-BitLocker/BitLocker Management",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"LocalizedText": "\r\nISA Bridge:\r\n\tPCI\\VEN_8086&DEV_7110 (PCI to ISA Bridge)\r\n\r\nPCI-to-PCI Bridge:\r\n\tPCI\\VEN_15AD&DEV_0790 (PCI-to-PCI Bridge)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_15AD&DEV_07A0 (PCI Express Root Port)\r\n\tPCI\\VEN_8086&DEV_7191 (PCI-to-PCI Bridge)\r\n"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4123 — BitLocker Drive Encryption recovery information for volume Protector_GUID was deleted successfully from your Entra ID.
Event ID 4124 — HSTI is not supported on this device
Description
HSTI is not supported on this device.
Message #
Event ID 4125 — Failed to query HSTI data size.
Event ID 4126 — Actual HSTI data size: Data1.
Event ID 4127 — HSTI provider count: HSTI_provider_count.
Event ID 4128 — HSTI data version: HSTI_data_version.
Event ID 4129 — HSTI security features size mismatch for HSTI provider HSTIImplID: expected Data1, actual Data2.
Event ID 4130 — HSTI provider HSTIImplID found with unknown version Data.
Event ID 4131 — HSTI provider HSTIImplID found.
Event ID 4132 — HSTI provider HSTIImplID found.
Event ID 4133 — No HSTI provider with PLATFORM_SECURITY_ROLE_PLATFORM_REFERENCE found
Description
No HSTI provider with PLATFORM_SECURITY_ROLE_PLATFORM_REFERENCE found.