Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
996 events across 8 channels
Event ID 2 — MDM Enroll: Certificate policy create message failed.
Event ID 2 — MDM Enroll: Certificate policy create message failed.
Event ID 3 — MDM Enroll: Certificate Authentication was requested, but failed sign the server request.
Event ID 3 — MDM Enroll: Certificate Authentication was requested, but failed sign the server request.
Event ID 4 — MDM Enroll: Certificate policy request sent successfully.
Description
MDM Enroll: Certificate policy request sent successfully.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 4,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:21:00.715375+00:00",
"event_record_id": 119,
"correlation": {},
"execution": {
"process_id": 9152,
"thread_id": 8668
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {},
"message": ""
}
Event ID 4 — MDM Enroll: Certificate policy request sent successfully.
Description
MDM Enroll: Certificate policy request sent successfully.
Message #
Event ID 5 — MDM Enroll: Certificate policy request sending failed.
Event ID 5 — MDM Enroll: Certificate policy request sending failed.
Event ID 6 — MDM Enroll: Certificate policy response processed successfully.
Description
MDM Enroll: Certificate policy response processed successfully.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 6,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:21:00.717774+00:00",
"event_record_id": 120,
"correlation": {},
"execution": {
"process_id": 9152,
"thread_id": 8668
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 6 — MDM Enroll: Certificate policy response processed successfully.
Description
MDM Enroll: Certificate policy response processed successfully.
Message #
Event ID 7 — MDM Enroll: Failed to receive or parse certificate response.
Event ID 7 — MDM Enroll: Failed to receive or parse certificate response.
Event ID 8 — MDM Enroll: Certificate enrollment request sent successfully.
Description
MDM Enroll: Certificate enrollment request sent successfully.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 8,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:21:05.265280+00:00",
"event_record_id": 122,
"correlation": {},
"execution": {
"process_id": 9152,
"thread_id": 8668
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {},
"message": ""
}
Event ID 8 — MDM Enroll: Certificate enrollment request sent successfully.
Description
MDM Enroll: Certificate enrollment request sent successfully.
Message #
Event ID 9 — MDM Enroll: Certificate enrollment request sending failed.
Event ID 9 — MDM Enroll: Certificate enrollment request sending failed.
Event ID 10 — MDM Enroll: Certificate enrollment response parsed successfully.
Description
MDM Enroll: Certificate enrollment response parsed successfully.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 10,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:21:05.268581+00:00",
"event_record_id": 123,
"correlation": {},
"execution": {
"process_id": 9152,
"thread_id": 8668
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 10 — MDM Enroll: Certificate enrollment response parsed successfully.
Description
MDM Enroll: Certificate enrollment response parsed successfully.
Message #
Event ID 11 — MDM Enroll: Failed to receive or parse certificate enroll response.
Event ID 11 — MDM Enroll: Failed to receive or parse certificate enroll response.
Event ID 12 — MDM Enroll: Failed to generate cert request.
Event ID 12 — MDM Enroll: Failed to generate cert request.
Event ID 15 — MDM Enroll: Failed to install client certificate.
Event ID 15 — MDM Enroll: Failed to install client certificate.
Event ID 16 — MDM Enroll: OMA-DM client configuration succeeds.
Description
MDM Enroll: OMA-DM client configuration succeeds.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 16,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:21:06.713255+00:00",
"event_record_id": 124,
"correlation": {},
"execution": {
"process_id": 9152,
"thread_id": 8668
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 16 — MDM Enroll: OMA-DM client configuration succeeds.
Description
MDM Enroll: OMA-DM client configuration succeeds.
Message #
Event ID 17 — MDM Enroll: OMA-DM client configuration failed.
Event ID 17 — MDM Enroll: OMA-DM client configuration failed.
Event ID 19 — MDM Enroll: OMA-DM polling schedule set up failed.
Event ID 19 — MDM Enroll: OMA-DM polling schedule set up failed.
Event ID 20 — MDM Enroll: OMA-DM session initiation blocked since the enrollment is in a dormant state.
Event ID 20 — MDM Enroll: OMA-DM session initiation blocked since the enrollment is in a dormant state.
Event ID 21 — MDM Enroll: OMA-DM polling auxiliary schedule set up failed.
Event ID 21 — MDM Enroll: OMA-DM polling auxiliary schedule set up failed.
Event ID 23 — MDM Enroll: OMA-DM polling second auxiliary schedule set up failed.
Event ID 23 — MDM Enroll: OMA-DM polling second auxiliary schedule set up failed.
Event ID 25 — MDM Enroll: Client failed to set up the manual MDM client certificate renewal schedule.
Event ID 25 — MDM Enroll: Client failed to set up the manual MDM client certificate renewal schedule.
Event ID 26 — MDM Enroll: Certificate renew failed.
Event ID 26 — MDM Enroll: Certificate renew failed.
Event ID 27 — MDM Enroll: AutoEnrollMDM Result: (HRESULT) PolicyValue: (HexInt1) AADCredentialType: (HexInt2).
Event ID 28 — MDM Enroll: Certificate renew PKCS7Sign failed: Function: (Message1) Result: (HRESULT).
Event ID 28 — MDM Enroll: Certificate renew PKCS7Sign failed: Function: (Message1) Result: (HRESULT).
Event ID 29 — MDM Enroll: Certificate renew FindCertBasedOnContainer failed: Function: (Message1) ContainerName: (Message2) CryptoProvider: (Message3) Result: (HRESULT).
Event ID 29 — MDM Enroll: Certificate renew FindCertBasedOnContainer failed: Function: (Message1) ContainerName: (Message2) CryptoProvider: (Message3) Result: (HRESULT).
Event ID 30 — MDM Enroll: Binding public MDM certificate with private MDM key failed: Function: (Message1) Result: (HRESULT).
Event ID 30 — MDM Enroll: Binding public MDM certificate with private MDM key failed: Function: (Message1) Result: (HRESULT).
Event ID 32 — SCEP: Certificate enroll failed.
Event ID 36 — SCEP: Certificate request generated successfully.
Description
SCEP: Certificate request generated successfully. Enhanced Key Usage: (Message1), NDES URL: (Message2), Container Name: (Message3), KSP Setting: (HexInt1), Store Location: (HexInt2).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
Event ID 37 — SCEP: Certificate request sent successfully.
Description
SCEP: Certificate request sent successfully.
Message #
Event ID 38 — SCEP: Certificate response received successfully.
Description
SCEP: Certificate response received successfully.
Message #
Event ID 39 — SCEP: Certificate installed successfully.
Description
SCEP: Certificate installed successfully.
Message #
Event ID 42 — MDM Push: Failed to create WNS Push Channel for MDM Push Sessions.
Description
MDM Push: Failed to create WNS Push Channel for MDM Push Sessions. Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
HRESULT HexInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 42,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:05.207348+00:00",
"event_record_id": 661,
"correlation": {},
"execution": {
"process_id": 6736,
"thread_id": 11860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"HRESULT": "0x8000401a"
},
"message": ""
}
Event ID 42 — MDM Push: Failed to create WNS Push Channel for MDM Push Sessions.
Event ID 43 — MDM Push: Successfully created WNS Push Channel for MDM Push Sessions.
Description
MDM Push: Successfully created WNS Push Channel for MDM Push Sessions.
Message #
Event ID 43 — MDM Push: Successfully created WNS Push Channel for MDM Push Sessions.
Description
MDM Push: Successfully created WNS Push Channel for MDM Push Sessions.
Message #
Event ID 44 — MDM Push: Failed to renew WNS Push Channel for MDM Push Sessions.
Event ID 44 — MDM Push: Failed to renew WNS Push Channel for MDM Push Sessions.
Event ID 45 — MDM Push: Successfully renewed WNS Push Channel for MDM Push Sessions.
Description
MDM Push: Successfully renewed WNS Push Channel for MDM Push Sessions.
Message #
Event ID 45 — MDM Push: Successfully renewed WNS Push Channel for MDM Push Sessions.
Description
MDM Push: Successfully renewed WNS Push Channel for MDM Push Sessions.
Message #
Event ID 46 — MDM Push: Failed to upgrade WNS Push Channel for MDM Push Sessions.
Event ID 46 — MDM Push: Failed to upgrade WNS Push Channel for MDM Push Sessions.
Event ID 47 — MDM Push: Successfully upgraded WNS Push Channel for MDM Push Sessions.
Description
MDM Push: Successfully upgraded WNS Push Channel for MDM Push Sessions.
Message #
Event ID 47 — MDM Push: Successfully upgraded WNS Push Channel for MDM Push Sessions.
Description
MDM Push: Successfully upgraded WNS Push Channel for MDM Push Sessions.
Message #
Event ID 48 — MDM Unenroll: Unenroll alert sent to server.
Description
MDM Unenroll: Unenroll alert sent to server.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 48,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T01:38:05.075072+00:00",
"event_record_id": 102,
"correlation": {},
"execution": {
"process_id": 2768,
"thread_id": 276
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 48 — MDM Unenroll: Unenroll alert sent to server.
Description
MDM Unenroll: Unenroll alert sent to server.
Message #
Event ID 49 — MDM Unenroll: Error sending unenroll alert to server.
Event ID 49 — MDM Unenroll: Error sending unenroll alert to server.
Event ID 52 — MDM Enroll: Server Returned Fault/Code/Subcode/Value=(Message1) Fault/Reason/Text=(Message2).
Event ID 52 — MDM Enroll: Server Returned Fault/Code/Subcode/Value=(Message1) Fault/Reason/Text=(Message2).
Event ID 53 — MDM Enroll: Authentication failed.
Event ID 53 — MDM Enroll: Authentication failed.
Event ID 54 — MDM Enroll: Authentication successful: Got token from STS.
Description
MDM Enroll: Authentication successful: Got token from STS.
Message #
Event ID 54 — MDM Enroll: Authentication successful: Got token from STS.
Description
MDM Enroll: Authentication successful: Got token from STS.
Message #
Event ID 55 — MDM Enroll: Enrollment via UX failed.
Event ID 55 — MDM Enroll: Enrollment via UX failed.
Event ID 56 — MDM Enroll: Failed to parse server provisioning XML.
Event ID 56 — MDM Enroll: Failed to parse server provisioning XML.
Event ID 57 — MDM Enroll: Provisioning failed.
Event ID 57 — MDM Enroll: Provisioning failed.
Event ID 58 — MDM Enroll: Provisioning succeeded.
Description
MDM Enroll: Provisioning succeeded.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 58,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:21:07.569643+00:00",
"event_record_id": 127,
"correlation": {},
"execution": {
"process_id": 9152,
"thread_id": 8668
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 58 — MDM Enroll: Provisioning succeeded.
Description
MDM Enroll: Provisioning succeeded.
Message #
Event ID 59 — MDM Enroll: Server context (Message1).
Event ID 59 — MDM Enroll: Server context (Message1).
Event ID 60 — MDM Unenroll: Unenrollment initiated by entity other than user (server or device) (Message1).
Description
MDM Unenroll: Unenrollment initiated by entity other than user (server or device) (Message1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 60,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T01:38:03.174459+00:00",
"event_record_id": 86,
"correlation": {},
"execution": {
"process_id": 2768,
"thread_id": 9988
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "43C0DA41-21B4-4245-980F-878D0899119B"
},
"message": ""
}
Event ID 60 — MDM Unenroll: Unenrollment initiated by entity other than user (server or device) (Message1).
Event ID 61 — MDM Unenroll: Unenrollment initiated by user through UI.
Event ID 61 — MDM Unenroll: Unenrollment initiated by user through UI.
Event ID 62 — MDM Enroll: Server specifed hashAlgorithmOIDReference (Message1) is a OID of group (Message2), expected an OID in group CRYPT_HASH_ALG_OID_GROUP_ID.
Description
MDM Enroll: Server specifed hashAlgorithmOIDReference (Message1) is a OID of group (Message2), expected an OID in group CRYPT_HASH_ALG_OID_GROUP_ID.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 62,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:21:00.719300+00:00",
"event_record_id": 121,
"correlation": {},
"execution": {
"process_id": 9152,
"thread_id": 8668
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "1.3.14.3.2.29",
"Message2": "CRYPT_SIGN_ALG_OID_GROUP_ID"
},
"message": ""
}
Event ID 62 — MDM Enroll: Server specifed hashAlgorithmOIDReference (Message1) is a OID of group (Message2), expected an OID in group CRYPT_HASH_ALG_OID_GROUP_ID.
Event ID 63 — MDM Enroll: Unable to acquire private key for newly installed cert.
Event ID 64 — MDM Unenroll: Changing dmwappushservice startup type to demand-start.
Description
MDM Unenroll: Changing dmwappushservice startup type to demand-start. Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
HRESULT HexInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 64,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T01:38:05.580337+00:00",
"event_record_id": 112,
"correlation": {},
"execution": {
"process_id": 2768,
"thread_id": 276
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"HRESULT": "0x1"
},
"message": ""
}
Event ID 64 — MDM Unenroll: Changing dmwappushservice startup type to demand-start.
Event ID 65 — MDM Unenroll: Changing dmwappushservice startup type to demand-start failed.
Event ID 65 — MDM Unenroll: Changing dmwappushservice startup type to demand-start failed.
Event ID 66 — MDM Enroll WAP Node Filtering: removed non-supported node (Message1).
Event ID 67 — MDM Unenroll: Failed to delete account.
Event ID 67 — MDM Unenroll: Failed to delete account.
Event ID 68 — MDM Enroll: /GetPoliciesResponse/response/policies/policy/attributes/policySchema invalid, got (UInt1) expected (3), ignoring certificate policy, usin...
Event ID 68 — MDM Enroll: /GetPoliciesResponse/response/policies/policy/attributes/policySchema invalid, got (UInt1) expected (3), ignoring certificate policy, usin...
Event ID 69 — MDM Enroll: Got a SOAP fault from the server, but couldn't parse it.
Message #
Event ID 69 — MDM Enroll: Got a SOAP fault from the server, but couldn't parse it.
Message #
Event ID 70 — MDM Enroll WAP Node Filtering: failed to remove non-supported node (HRESULT).
Event ID 71 — MDM Enroll: Failed (HRESULT).
Event ID 71 — MDM Enroll: Failed (HRESULT).
Event ID 72 — MDM Enroll: Succeeded
Description
MDM Enroll: Succeeded.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 72,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:21:07.683796+00:00",
"event_record_id": 128,
"correlation": {},
"execution": {
"process_id": 9152,
"thread_id": 8668
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 72 — MDM Enroll: Succeeded
Description
MDM Enroll: Succeeded.
Message #
Event ID 73 — MDM Unenroll: Finished user independant unenroll
Description
MDM Unenroll: Finished user independant unenroll.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 73,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T01:38:04.969743+00:00",
"event_record_id": 96,
"correlation": {},
"execution": {
"process_id": 1872,
"thread_id": 9840
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 73 — MDM Unenroll: Finished user independant unenroll
Description
MDM Unenroll: Finished user independant unenroll.
Message #
Event ID 74 — MDM Unenroll: Succeeded
Description
MDM Unenroll: Succeeded.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 74,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T01:38:05.772240+00:00",
"event_record_id": 117,
"correlation": {},
"execution": {
"process_id": 1872,
"thread_id": 9840
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 74 — MDM Unenroll: Succeeded
Description
MDM Unenroll: Succeeded.
Message #
Event ID 75 — Auto MDM Enroll: Device Credential (HexInt1), Succeeded.
Event ID 75 — Auto MDM Enroll: Device Credential (HexInt1), Succeeded.
Event ID 76 — Auto MDM Enroll: Device Credential (HexInt1), Failed (HRESULT).
Event ID 76 — Auto MDM Enroll: Device Credential (HexInt1), Failed (HRESULT).
Event ID 77 — Auto MDM Enroll Retry On Failure (HRESULT).
Event ID 77 — Auto MDM Enroll Retry On Failure (HRESULT).
Event ID 78 — Auto MDM Enroll DMGetAadDeviceToken Failure (HRESULT).
Event ID 78 — Auto MDM Enroll DMGetAadDeviceToken Failure (HRESULT).
Event ID 79 — Auto MDM Enroll DmRequestAadUserToken Failure (HRESULT).
Event ID 79 — Auto MDM Enroll DmRequestAadUserToken Failure (HRESULT).
Event ID 80 — Auto MDM Enroll DmRaiseToastNotificationAndWait Failure (HRESULT).
Event ID 80 — Auto MDM Enroll DmRaiseToastNotificationAndWait Failure (HRESULT).
Event ID 81 — Auto MDM Enroll Impersonation Failure (HRESULT).
Event ID 81 — Auto MDM Enroll Impersonation Failure (HRESULT).
Event ID 82 — Auto MDM Enroll AADEnrollAsync Failure (HRESULT).
Event ID 82 — Auto MDM Enroll AADEnrollAsync Failure (HRESULT).
Event ID 83 — Auto MDM Enroll WaitForCompletiongNoThrow after AADEnrollAsync Failure (HRESULT).
Event ID 83 — Auto MDM Enroll WaitForCompletiongNoThrow after AADEnrollAsync Failure (HRESULT).
Event ID 84 — Auto MDM Enroll GetAsyncResults after AADEnrollAsync Failure (HRESULT).
Event ID 84 — Auto MDM Enroll GetAsyncResults after AADEnrollAsync Failure (HRESULT).
Event ID 85 — Should show EnrollmentStatusPage result.
Event ID 85 — Should show EnrollmentStatusPage result.
Event ID 86 — MDM Unenroll: Unenroll origin is: (Message1).
Description
MDM Unenroll: Unenroll origin is: (Message1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 86,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T01:38:05.052726+00:00",
"event_record_id": 98,
"correlation": {},
"execution": {
"process_id": 2768,
"thread_id": 276
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "MiradoreMDM"
},
"message": ""
}
Event ID 86 — MDM Unenroll: Unenroll origin is: (Message1).
Event ID 87 — AADEnrollAsync(Message1, Message2, Message3, Message4, UInt1, Message5, Message6, Message7) Failed Result: (Message8).
Description
AADEnrollAsync(Message1, Message2, Message3, Message4, UInt1, Message5, Message6, Message7) Failed Result: (Message8).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
UInt1 UInt32 | — |
Message5 UnicodeString | — |
Message6 UnicodeString | — |
Message7 UnicodeString | — |
Message8 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 88 — Enrolling SID (Message1) Result: (HRESULT).
Event ID 89 — Auto MDM Enroll DmGetAadDeviceTokenWithDiscovery with Application ID (Message1): Status (HRESULT).
Event ID 89 — Auto MDM Enroll DmGetAadDeviceTokenWithDiscovery with Application ID (Message1): Status (HRESULT).
Event ID 90 — Auto MDM Enroll Get AAD Token: Device Credential (HexInt1), Resource Url (Message1), Resource Url 2 (Message2), Status (HRESULT).
Event ID 90 — Auto MDM Enroll Get AAD Token: Device Credential (HexInt1), Resource Url (Message1), Resource Url 2 (Message2), Status (HRESULT).
Event ID 91 — Auto MDM Enroll Enrollment Information: AadResourceUrl (Message1), DiscoveryServiceFullUrl (Message2), TenantID (Message3), Upn (Message4).
Event ID 91 — Auto MDM Enroll Enrollment Information: AadResourceUrl (Message1), DiscoveryServiceFullUrl (Message2), TenantID (Message3), Upn (Message4).
Event ID 92 — MDM Unenroll due to the NT User who enrolled being deleted from the device (HRESULT).
Event ID 92 — MDM Unenroll due to the NT User who enrolled being deleted from the device (HRESULT).
Event ID 93 — Function Name: (Message1) HRESULT:(HRESULT).
Event ID 94 — CanEnroll Error: Found existing enrollment(s) of same type (UInt1), enrollmentIds: (Message1).
Event ID 94 — CanEnroll Error: Found existing enrollment(s) of same type (UInt1), enrollmentIds: (Message1).
Event ID 95 — CanEnroll Error: Found existing other enrollment(s) enrollmentId/EnrollmentType: (Message1).
Event ID 95 — CanEnroll Error: Found existing other enrollment(s) enrollmentId/EnrollmentType: (Message1).
Event ID 96 — CanEnroll Error: MDM enrollment is not allowed.
Description
CanEnroll Error: MDM enrollment is not allowed. An external management agent or Group Policy has blocked MDM enrollment.
Message #
Event ID 96 — CanEnroll Error: MDM enrollment is not allowed.
Description
CanEnroll Error: MDM enrollment is not allowed. An external management agent or Group Policy has blocked MDM enrollment.
Message #
Event ID 97 — CanEnroll Error: MDM enrollment is not allowed due to failed license check with HRESULT: (HRESULT).
Event ID 97 — CanEnroll Error: MDM enrollment is not allowed due to failed license check with HRESULT: (HRESULT).
Event ID 98 — CanEnroll Error: MDM enrollment is not allowed due to failed access check(administrator or allowed user, capability check) with HRESULT: (HRESULT).
Event ID 98 — CanEnroll Error: MDM enrollment is not allowed due to failed access check(administrator or allowed user, capability check) with HRESULT: (HRESULT).
Event ID 99 — CanEnroll Error: MDM enrollment is not allowed due to existing tenant found Type: (UInt1).
Event ID 99 — CanEnroll Error: MDM enrollment is not allowed due to existing tenant found Type: (UInt1).
Event ID 100 — Offline Domain Join: Could not establish connectivity after time: (HexInt1) milliseconds.
Event ID 101 — Offline Domain Join: Established connectivity after time: (HexInt1) milliseconds.
Event ID 102 — Offline Domain Join: Failed to connect VPN: (Message1).
Event ID 103 — Offline Domain Join: Connected VPN: (Message1).
Event ID 104 — Offline Domain Join: Failed to enumerate the VPNs.
Event ID 105 — Offline Domain Join: Attempting to get the DC name.
Event ID 106 — Offline Domain Join: Attempting to ping the DC.
Event ID 107 — Offline Domain Join: Applying offline domain join blob succeeded.
Event ID 108 — Offline Domain Join: Applying offline domain join blob failed.
Event ID 109 — Offline Domain Join: Setting Domain join connectivity state to: (HexInt1).
Event ID 110 — Offline Domain Join: Current Domain join connectivity state is: (HexInt1).
Event ID 111 — Offline Domain Join: Starting wait for offline domain join blob.
Event ID 112 — MDM Enroll: OMA-DM polling user schedule set up failed.
Event ID 113 — MDM Enroll: OMA-DM polling schedule set up for multiple session failed.
Event ID 200 — MDM Session: OMA-DM message sent.
Description
MDM Session: OMA-DM message sent.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 200,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:05.490052+00:00",
"event_record_id": 663,
"correlation": {},
"execution": {
"process_id": 6736,
"thread_id": 11860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {},
"message": ""
}
Event ID 200 — MDM Session: OMA-DM message sent.
Description
MDM Session: OMA-DM message sent.
Message #
Event ID 201 — MDM Session: OMA-DM message failed to be sent.
Description
MDM Session: OMA-DM message failed to be sent. Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
HRESULT HexInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 201,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T01:38:05.534621+00:00",
"event_record_id": 109,
"correlation": {},
"execution": {
"process_id": 5640,
"thread_id": 4564
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"HRESULT": "0x80072f0c"
},
"message": ""
}
Event ID 201 — MDM Session: OMA-DM message failed to be sent.
Event ID 202 — MDM Session: OMA-DM server message received and parsed successfully.
Description
MDM Session: OMA-DM server message received and parsed successfully.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 202,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:05.490420+00:00",
"event_record_id": 664,
"correlation": {},
"execution": {
"process_id": 6736,
"thread_id": 11860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 202 — MDM Session: OMA-DM server message received and parsed successfully.
Description
MDM Session: OMA-DM server message received and parsed successfully.
Message #
Event ID 203 — MDM Session: OMA-DM server message parsing failed.
Event ID 203 — MDM Session: OMA-DM server message parsing failed.
Event ID 204 — MDM Session: OMA-DM client failed to connect to the server.
Event ID 204 — MDM Session: OMA-DM client failed to connect to the server.
Event ID 205 — MDM Session: OMA-DM client started.
Description
MDM Session: OMA-DM client started. CV: (Message1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 AnsiString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 205,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:01.988413+00:00",
"event_record_id": 648,
"correlation": {},
"execution": {
"process_id": 6736,
"thread_id": 11860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "urVXZ8kSLk69vXXSFwVTgA.0.0.25"
},
"message": ""
}
Event ID 205 — MDM Session: OMA-DM client started.
Event ID 206 — MDM Session: OMA-DM session Init: UserSID(Message1), EnrolledUser(UInt2), UserToken(UInt3), DeviceToken(UInt4), EnrollmentType(UInt5), SyncType(UInt6).
Description
MDM Session: OMA-DM session Init: UserSID(Message1), EnrolledUser(UInt2), UserToken(UInt3), DeviceToken(UInt4), EnrollmentType(UInt5), SyncType(UInt6).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
UInt2 UInt32 | — |
UInt3 UInt32 | — |
UInt4 UInt32 | — |
UInt5 UInt32 | — |
UInt6 UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 206,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:02.030240+00:00",
"event_record_id": 651,
"correlation": {},
"execution": {
"process_id": 6736,
"thread_id": 11860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "S-1-5-21-3407486967-1585450050-1838039599-1000",
"UInt2": 1,
"UInt3": 0,
"UInt4": 0,
"UInt5": 0,
"UInt6": 3
},
"message": ""
}
Event ID 206 — MDM Session: OMA-DM session Init: UserSID(Message1), EnrolledUser(UInt2), UserToken(UInt3), DeviceToken(UInt4), EnrollmentType(UInt5), SyncType(UInt6).
Event ID 207 — MDM Session: Alert type (Message1) and event type (HRESULT) sent to server to indicate user login status.
Event ID 207 — MDM Session: Alert type (Message1) and event type (HRESULT) sent to server to indicate user login status.
Event ID 208 — MDM Session: OMA-DM session started for EnrollmentID (Message1) with server: (Message2), Server version: (Message3), Client Version: (Message4), PushRouterOrigin: (HexInt1), Us...
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
HexInt3 HexInt32 | — |
HexInt4 HexInt32 | — |
UInt1 UInt32 | — |
UInt2 UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 208,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:02.155014+00:00",
"event_record_id": 652,
"correlation": {},
"execution": {
"process_id": 6736,
"thread_id": 11860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "69C01DBD-8068-44F9-9507-8A9DF76C127A",
"Message2": "MiradoreMDM",
"Message3": "NULL",
"Message4": "1.2",
"HexInt1": "0x3",
"HexInt2": "0x2",
"HexInt3": "0x0",
"HexInt4": "0x2",
"UInt1": 26,
"UInt2": 3
},
"message": ""
}
Event ID 208 — MDM Session: OMA-DM session started for EnrollmentID (Message1) with server: (Message2), Server version: (Message3), Client Version: (Message4), PushRouterOrigin: (HexInt1), Us...
Event ID 209 — MDM Session: OMA-DM session ended with status: (HRESULT).
Description
MDM Session: OMA-DM session ended with status: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
HRESULT HexInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 209,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:05.499293+00:00",
"event_record_id": 665,
"correlation": {},
"execution": {
"process_id": 6736,
"thread_id": 11860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"HRESULT": "0x0"
},
"message": ""
}
Event ID 209 — MDM Session: OMA-DM session ended with status: (HRESULT).
Event ID 210 — MDM Session: OMA-DM client stopped with status: (HRESULT).
Event ID 211 — MDM Session: ExpiryTime triggered, Last successful server sync time (Message1), LocalTime (Message2), ExpiryTime (HexInt1) days.
Event ID 212 — MDM Session: Failed to get AAD Token for sync session User Token: (HRESULT1) Device Token: (HRESULT2).
Event ID 212 — MDM Session: Failed to get AAD Token for sync session User Token: (HRESULT1) Device Token: (HRESULT2).
Event ID 213 — MDM Session OmaDmVerboseTrace: Buffer: (Message1), BucketNumber: (HexInt1), BufferLength: (HexInt2).
Event ID 214 — MDM Session OmaDmVerboseTrace: Buffer: (Message1), BucketNumber: (HexInt1), BufferLength: (HexInt2).
Event ID 215 — MDM Session: Failure at Stage: (Message1), Result: (HRESULT).
Event ID 216 — MDM Session: OmaDmHttpHeaderAlert.
Event ID 217 — MDM Session: OmaDmMultipleMessagesInPackageContinue.
Event ID 218 — MDM Session: ClientCertificateMissing.
Event ID 219 — MDM Session: OmaDmLoadSession.
Event ID 220 — MDM Session: OmaDmOrphanedSession.
Event ID 221 — MDM Session: Alert type (Message1) and event type (HRESULT) sent to client to indicate user login status.
Event ID 222 — MDM Session: OmaDmMultipleMessagesInPackage.
Event ID 223 — MDM Session: GetTargetUserSidEnrolledUserNotLogon.
Event ID 224 — MDM Session: DmGetAadUserTokenFailure.
Event ID 224 — MDM Session: DmGetAadUserTokenFailure.
Event ID 225 — MDM Session: Event Start.
Event ID 226 — MDM Session: LogServerSideTimeSaved.
Event ID 227 — LogMeasure.
Event ID 228 — FunctionEntry.
Event ID 229 — FunctionExit.
Event ID 230 — MDM Session: Alert type (Message1), alert data (Message2) and event type (HexInt1) sent to server to indicate update status.
Event ID 230 — MDM Session: Alert type (Message1), alert data (Message2) and event type (HexInt1) sent to server to indicate update status.
Event ID 231 — MDM Session: DmGetAadUserTokenFailure.
Event ID 231 — MDM Session: DmGetAadTokenRetryOnExpiration.
Event ID 232 — MDM Session: DmInvalidateAadUserTokenFailure.
Event ID 232 — MDM Session: DmInvalidateAadUserTokenFailure.
Event ID 233 — MDM Session: Container syncML response XML parser: Result:(HexInt1) HRESULT.
Event ID 233 — MDM Session: Container syncML response XML parser: Result:(HexInt1) HRESULT.
Event ID 234 — MDM Session: HostOs syncML response XML length: HexInt1, Container syncML response XML length: HexInt2.
Event ID 234 — MDM Session: HostOs syncML response XML length: HexInt1, Container syncML response XML length: HexInt2.
Event ID 235 — MDM Session: Container syncML response XML: Message1.
Event ID 236 — DM Session: Container session has no SessionID.
Event ID 237 — DM Session: ContainerFunctionExit.
Event ID 238 — DM Session: ContainerCallbackEvent.
Event ID 239 — MDM Session: Host OS and Container Response XML Status content mismatch: Message1.
Event ID 240 — MDM Session: Host OS and Container Response XML Status count mismatch.
Event ID 241 — MDM Session: Host OS and Container Response XML Http status mismatch.
Description
MDM Session: Host OS and Container Response XML Http status mismatch. Info: Message1, Host OS http status: Message2. Container http status: Message3. Taking Host OS: UInt1. Result:(UInt2) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
UInt1 UInt32 | — |
UInt2 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 242 — MDM Session: Host OS and Container Response XML Result content mismatch.
Event ID 243 — MDM Session: Host OS and Container Response XML Result Item count mismatch.
Description
MDM Session: Host OS and Container Response XML Result Item count mismatch. Info: Message1. Host OS Item count: HexInt1, Container Item count: HexInt2. Result:(HexInt3) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
HexInt3 HexInt32 | — |
HRESULT HexInt32 | — |
Event ID 244 — MDM Session: Host OS and Container Response XML Result Item data mismatch.
Description
MDM Session: Host OS and Container Response XML Result Item data mismatch. Info: . Host OS Results Item data: , Container Results Item data: , Status index: , Result Item index. Result:() .
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
UInt1 UInt32 | — |
UInt2 UInt32 | — |
UInt3 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 245 — DM Container: Orchestrator Refresh is triggered.
Event ID 246 — DM Container: Configuration Completion Task is scheduled.
Event ID 247 — DM Container: Unenrollment is triggered.
Event ID 248 — DM Container: Result change is notified.
Event ID 249 — DM Container: Declared Configuration result is get.
Event ID 250 — DM Container: Declared Configuration result is set.
Event ID 251 — DM Container: Declared Configuration result is set with failure: EnrollmentId: (Message1), ContainerId: (Message2), Result: (HRESULT).
Event ID 252 — DM Container: Result of gathering setting provider settings: ProviderName: (Message1), User: (Boolean1), SettingFlag: (HexInt1), SettingDataLength: (UInt1), TimeUsed: ...
Description
DM Container: Result of gathering setting provider settings: ProviderName: (Message1), User: (Boolean1), SettingFlag: (HexInt1), SettingDataLength: (UInt1), TimeUsed: (UInt2), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Boolean1 Boolean | — |
HexInt1 HexInt32 | — |
UInt1 UInt32 | — |
UInt2 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 253 — DM Container: Result of applying setting provider settings: ProviderName: (Message1), User: (Boolean1), SettingFlag: (HexInt1), SettingDataLength: (UInt1), TimeUsed.
Description
DM Container: Result of applying setting provider settings: ProviderName: (Message1), User: (Boolean1), SettingFlag: (HexInt1), SettingDataLength: (UInt1), TimeUsed: (UInt2), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Boolean1 Boolean | — |
HexInt1 HexInt32 | — |
UInt1 UInt32 | — |
UInt2 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 254 — DM Container: Result of InitializeContainer: Duration: (UInt1), nestedVirtualization: (Boolean1), Result: (HexInt2).
Event ID 255 — MDM Session: DmGetAadDeviceMdmResourceUrlFailure.
Event ID 255 — MDM Session: DmGetAadDeviceMdmResourceUrlFailure.
Event ID 256 — OmaDmLogOmaDmApiInitiateSession: Result: (HRESULT1), Account Id: (Message2), Initiation Id: (Message3), Mode: (UInt4), Origin: (UInt5), AutoDelete: (Boolean6), Alert Count: (UInt7)...
Message #
Fields #
| Name | Description |
|---|---|
HRESULT1 HexInt32 | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
UInt4 UInt32 | — |
UInt5 UInt32 | — |
Boolean6 Boolean | — |
UInt7 UInt32 | — |
Message8 UnicodeString | — |
Message9 UnicodeString | — |
Boolean10 Boolean | — |
Boolean11 Boolean | — |
Message12 UnicodeString | — |
Boolean13 Boolean | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 256,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:01.766502+00:00",
"event_record_id": 646,
"correlation": {},
"execution": {
"process_id": 11564,
"thread_id": 3140
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"HRESULT1": "0x0",
"Message2": "69C01DBD-8068-44F9-9507-8A9DF76C127A",
"Message3": "{41CCA717-5C3A-42DE-AEF7-8B805955A207}",
"UInt4": 2,
"UInt5": 3,
"Boolean6": true,
"UInt7": 0,
"Message8": "NULL",
"Message9": "NULL",
"Boolean10": false,
"Boolean11": false,
"Message12": "C:\\Windows\\system32\\deviceenroller.exe",
"Boolean13": true
},
"message": ""
}
Event ID 256 — OmaDmLogOmaDmApiInitiateSession: Result: (HRESULT1), Account Id: (Message2), Initiation Id: (Message3), Mode: (UInt4), Origin: (UInt5), AutoDelete: (Boolean6), Alert Count: (UInt7)...
Event ID 257 — MDM Session: OMA-DM session started: Session ID(UInt1), Server ID(Message2), User SID(Message3), Initiation ID(Message4), Origin(UInt5).
Description
MDM Session: OMA-DM session started: Session ID(UInt1), Server ID(Message2), User SID(Message3), Initiation ID(Message4), Origin(UInt5).
Message #
Fields #
| Name | Description |
|---|---|
UInt1 UInt32 | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
UInt5 UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 257,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:02.006036+00:00",
"event_record_id": 649,
"correlation": {},
"execution": {
"process_id": 6736,
"thread_id": 11860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"UInt1": 26,
"Message2": "69C01DBD-8068-44F9-9507-8A9DF76C127A",
"Message3": "NULL",
"Message4": "Software\\Microsoft\\Provisioning\\OMADM\\Sessions\\69C01DBD-8068-44F9-9507-8A9DF76C127A\\{41CCA717-5C3A-42DE-AEF7-8B805955A207}",
"UInt5": 3
},
"message": ""
}
Event ID 257 — MDM Session: OMA-DM session started: Session ID(UInt1), Server ID(Message2), User SID(Message3), Initiation ID(Message4), Origin(UInt5).
Event ID 258 — MDM Session: OMA-DM session Loaded: Initiation ID(Message1), Status(HRESULT2), Total Count(UInt3), Orphaned Count(UInt4), Loaded Count(UInt5), Parent Initiation ID(Message6),...
Description
MDM Session: OMA-DM session Loaded: Initiation ID(Message1), Status(HRESULT2), Total Count(UInt3), Orphaned Count(UInt4), Loaded Count(UInt5), Parent Initiation ID(Message6), Completed Count(UInt7).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
HRESULT2 HexInt32 | — |
UInt3 UInt32 | — |
UInt4 UInt32 | — |
UInt5 UInt32 | — |
Message6 UnicodeString | — |
UInt7 UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 258,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:02.017479+00:00",
"event_record_id": 650,
"correlation": {},
"execution": {
"process_id": 6736,
"thread_id": 11860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "Software\\Microsoft\\Provisioning\\OMADM\\Sessions\\69C01DBD-8068-44F9-9507-8A9DF76C127A\\{41CCA717-5C3A-42DE-AEF7-8B805955A207}",
"HRESULT2": "0x0",
"UInt3": 1,
"UInt4": 0,
"UInt5": 1,
"Message6": "NULL",
"UInt7": 0
},
"message": ""
}
Event ID 258 — MDM Session: OMA-DM session Loaded: Initiation ID(Message1), Status(HRESULT2), Total Count(UInt3), Orphaned Count(UInt4), Loaded Count(UInt5), Parent Initiation ID(Message6),...
Description
MDM Session: OMA-DM session Loaded: Initiation ID(Message1), Status(HRESULT2), Total Count(UInt3), Orphaned Count(UInt4), Loaded Count(UInt5), Parent Initiation ID(Message6), Completed Count(UInt7).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
HRESULT2 HexInt32 | — |
UInt3 UInt32 | — |
UInt4 UInt32 | — |
UInt5 UInt32 | — |
Message6 UnicodeString | — |
UInt7 UInt32 | — |
Event ID 259 — MDM Session: OMA-DM session Handled: Account ID(Message1), Initiation ID(Message2), Session ID(UInt3), Initiator(UInt4), Origin(UInt5).
Description
MDM Session: OMA-DM session Handled: Account ID(Message1), Initiation ID(Message2), Session ID(UInt3), Initiator(UInt4), Origin(UInt5).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
UInt3 UInt32 | — |
UInt4 UInt32 | — |
UInt5 UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 259,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:01.910679+00:00",
"event_record_id": 647,
"correlation": {},
"execution": {
"process_id": 2476,
"thread_id": 7860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "69C01DBD-8068-44F9-9507-8A9DF76C127A",
"Message2": "Software\\Microsoft\\Provisioning\\OMADM\\Sessions\\69C01DBD-8068-44F9-9507-8A9DF76C127A\\{41CCA717-5C3A-42DE-AEF7-8B805955A207}",
"UInt3": 0,
"UInt4": 0,
"UInt5": 3
},
"message": ""
}
Event ID 259 — MDM Session: OMA-DM session Handled: Account ID(Message1), Initiation ID(Message2), Session ID(UInt3), Initiator(UInt4), Origin(UInt5).
Event ID 260 — MDM Session: OMA-DM Retry Session Scheduled: Account ID(Message1), Retry Count(UInt2), status(HexInt3).
Event ID 260 — MDM Session: OMA-DM Retry Session Scheduled: Account ID(Message1), Retry Count(UInt2), status(HexInt3).
Event ID 261 — MDM Session: OMA-DM Retry Session Processed: Account ID(Message1), Retry Count(UInt2), Total Count(UInt3), status(HexInt4).
Event ID 261 — MDM Session: OMA-DM Retry Session Processed: Account ID(Message1), Retry Count(UInt2), Total Count(UInt3), status(HexInt4).
Event ID 262 — MDM Session: OMA-DM Retry Session Deleted: Account ID(Message1), Retry Count(UInt2), Total Count(UInt3), status(HexInt4).
Event ID 262 — MDM Session: OMA-DM Retry Session Deleted: Account ID(Message1), Retry Count(UInt2), Total Count(UInt3), status(HexInt4).
Event ID 263 — MDM Session: OMA-DM user logon sessions handled: Account ID(Message1), Count(UInt2), status(HexInt3).
Event ID 263 — MDM Session: OMA-DM user logon sessions handled: Account ID(Message1), Count(UInt2), status(HexInt3).
Event ID 264 — MDM Session: OMA-DM sessions handled: User SID (Message1), Account ID(Message2), Initiation ID(Message3), User Only(UInt4), All Active Users(UInt5), Session Result (HexInt6), R...
Description
MDM Session: OMA-DM sessions handled: User SID (Message1), Account ID(Message2), Initiation ID(Message3), User Only(UInt4), All Active Users(UInt5), Session Result (HexInt6), Result(HexInt7).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
UInt4 UInt32 | — |
UInt5 UInt32 | — |
HexInt6 HexInt32 | — |
HexInt7 HexInt32 | — |
Event ID 265 — MDM Session: OMA-DM sessions triggered: User SID (Message1), Account ID(Message2), Initiation ID(Message3), Parent Initiation ID(Message4), Origin(UInt5), Session ID(UInt6), Ses...
Description
MDM Session: OMA-DM sessions triggered: User SID (Message1), Account ID(Message2), Initiation ID(Message3), Parent Initiation ID(Message4), Origin(UInt5), Session ID(UInt6), Sessions Queued (UInt7), Session Result (HRESULT8), Result(HRESULT9).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
UInt5 UInt32 | — |
UInt6 UInt32 | — |
UInt7 UInt32 | — |
HRESULT8 HexInt32 | — |
HRESULT9 HexInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 265,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-03-12T02:51:06.035738+00:00",
"event_record_id": 7362,
"correlation": {},
"execution": {
"process_id": 2476,
"thread_id": 7860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "NULL",
"Message2": "69C01DBD-8068-44F9-9507-8A9DF76C127A",
"Message3": "Software\\Microsoft\\Provisioning\\OMADM\\Sessions\\69C01DBD-8068-44F9-9507-8A9DF76C127A\\{41CCA717-5C3A-42DE-AEF7-8B805955A207}",
"Message4": "NULL",
"UInt5": 3,
"UInt6": 0,
"UInt7": 0,
"HRESULT8": "0x0",
"HRESULT9": "0x0"
},
"message": ""
}
Event ID 266 — MDM Session: OMA-DM sessions completed: User SID (Message1), Account ID(Message2), Initiation ID(Message3), Parent Initiation ID(Message4), Origin(UInt5), Session ID(UInt6), Ses...
Description
MDM Session: OMA-DM sessions completed: User SID (Message1), Account ID(Message2), Initiation ID(Message3), Parent Initiation ID(Message4), Origin(UInt5), Session ID(UInt6), Sessions Queued (UInt7), Session Result (HRESULT8), Result(HRESULT9).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
UInt5 UInt32 | — |
UInt6 UInt32 | — |
UInt7 UInt32 | — |
HRESULT8 HexInt32 | — |
HRESULT9 HexInt32 | — |
Event ID 267 — MDM Session: OMA-DM sessions failed to wait for shell ready: Result (HRESULT).
Event ID 267 — MDM Session: OMA-DM sessions failed to wait for shell ready: Result (HRESULT).
Event ID 268 — MDM Session: OMA-DM sessions wait for shell ready: Wait Time in Seconds: (UInt1), Result (HexInt1).
Event ID 268 — MDM Session: OMA-DM sessions wait for shell ready: Wait Time in Seconds: (UInt1), Result (HexInt1).
Event ID 269 — MDM Session: OMA-DM sessions all active users: Account ID(Message1), Initiation ID(Message2), Active Users(UInt3), Sessions Queued (UInt4), Result(HRESULT5).
Event ID 270 — MDM Session: OMA-DM sessions active user triggered: User SID (Message1), Account ID(Message2), Initiation ID(Message3), Parent Initiation ID(Message4), Session ID(UInt5), Use...
Description
MDM Session: OMA-DM sessions active user triggered: User SID (Message1), Account ID(Message2), Initiation ID(Message3), Parent Initiation ID(Message4), Session ID(UInt5), User Index (UInt6), Sessions Queued (UInt7).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
UInt5 UInt32 | — |
UInt6 UInt32 | — |
UInt7 UInt32 | — |
Event ID 271 — MDM Session: OMA-DM sessions initialization: CPUs (UInt1), NumAllowedConcurrentUserSessionForBackgroundSync (UInt2), NumAllowedConcurrentUserSessionAtUse...
Event ID 272 — Device token MDM recovery successful
Description
Device token MDM recovery successful.
Message #
Event ID 272 — Device token MDM recovery successful
Description
Device token MDM recovery successful.
Message #
Event ID 273 — Device token MDM recovery failed.
Event ID 273 — Device token MDM recovery failed.
Event ID 274 — User token MDM recovery successful
Description
User token MDM recovery successful.
Message #
Event ID 274 — User token MDM recovery successful
Description
User token MDM recovery successful.
Message #
Event ID 275 — User token MDM recovery failed.
Event ID 275 — User token MDM recovery failed.
Event ID 276 — Toast for MDM recovery launched
Description
Toast for MDM recovery launched.
Message #
Event ID 276 — Toast for MDM recovery launched
Description
Toast for MDM recovery launched.
Message #
Event ID 277 — Toast for MDM recovery failed.
Event ID 277 — Toast for MDM recovery failed.
Event ID 278 — MDM recovery conditions detected.
Event ID 279 — MDM recovery maximum attempts have been reached
Description
MDM recovery maximum attempts have been reached.
Message #
Event ID 279 — MDM recovery maximum attempts have been reached
Description
MDM recovery maximum attempts have been reached.
Message #
Event ID 280 — MDM Session: Failure during retry session.
Description
An expired cert was chosen to use for OMA-DM Sync.
Fields #
| Name | Description |
|---|---|
param1 | — |
param2 | — |
param3 | — |
param4 | — |
Event ID 280 — An expired cert was chosen to use for OMA-DM Sync
Description
An expired cert was chosen to use for OMA-DM Sync.
Message #
Event ID 281 — MDM Session: Retry session succeeded.
Description
LogMeasureWithHresult. EventData: (), Tag: (), Result: ().
Fields #
| Name | Description |
|---|---|
param1 | — |
param2 | — |
param3 | — |
Event ID 281 — LogMeasureWithHresult.
Event ID 282 — MDM Session: Failure during retry session.
Event ID 282 —
Description
MDM Session: Failure during retry session. AccountID (), InitiationID (), Function (), HRESULT ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 283 — MDM Session: Retry session succeeded.
Event ID 283 —
Description
MDM Session: Retry session succeeded. AccountID (), InitiationID (), HRESULT ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 284 — MDM Session: AccountID (Message1), Function (Message2), HRESULT (HRESULT).
Event ID 284 —
Description
MDM Session: AccountID (), Function (), HRESULT ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 285 — MDM Session: Request to store session info for retry failed for AccountID (Message1) with delay (UInt2) and HRESULT (HexInt3).
Event ID 285 —
Description
MDM Session: Request to store session info for retry failed for AccountID () with delay () and HRESULT ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
UInt2 UInt32 | — |
HexInt3 HexInt32 | — |
Event ID 286 — MDM Session: Request to store session info for retry succeeded for AccountID (Message1) with delay (UInt2) and HRESULT (HexInt3).
Event ID 286 —
Description
MDM Session: Request to store session info for retry succeeded for AccountID () with delay () and HRESULT ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
UInt2 UInt32 | — |
HexInt3 HexInt32 | — |
Event ID 287 —
Description
MDM Session: OMA-DM Retry Session Scheduled: Account ID(), Initiation ID(), Retry Count(), status().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
UInt1 UInt32 | — |
HexInt1 HexInt32 | — |
Event ID 287 — MDM Session: OMA-DM Retry Session Scheduled: Account ID(Message1), Initiation ID(Message2), Retry Count(UInt1), status(HexInt1).
Event ID 288 — MDM Session: DmGetAadTokenReturnExpiredToken.
Description
MDM Session: DmGetAadTokenReturnExpiredToken. Interactive: (), Device: (), ExpirationTime: (), CurrentTime: (), BufferTimeInSeconds: ().
Fields #
| Name | Description |
|---|---|
param1 | — |
param2 | — |
param3 | — |
param4 | — |
param5 | — |
Event ID 288 —
Description
MDM Session: DmGetAadTokenReturnExpiredToken. Interactive: (), Device: (), ExpirationTime: (), CurrentTime: (), BufferTimeInSeconds: ().
Fields #
| Name | Description |
|---|---|
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
FileTime1 FILETIME | — |
FileTime2 FILETIME | — |
UInt11 UInt32 | — |
Event ID 288 — MDM Session: DmGetAadTokenReturnExpiredToken.
Description
MDM Session: DmGetAadTokenReturnExpiredToken. Interactive: (HexInt1), Device: (HexInt2), ExpirationTime: (FileTime1), CurrentTime: (FileTime2), BufferTimeInSeconds: (UInt11).
Message #
Fields #
| Name | Description |
|---|---|
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
FileTime1 FILETIME | — |
FileTime2 FILETIME | — |
UInt11 UInt32 | — |
Event ID 289 — MDM Session: OMA-DM sessions wait for shell ready: Wait Time in Seconds: (.
Description
MDM Session: OMA-DM sessions wait for shell ready: Wait Time in Seconds: (), Result (), Original Result ().
Fields #
| Name | Description |
|---|---|
param1 | — |
param2 | — |
param3 | — |
Event ID 289 —
Description
MDM Session: OMA-DM sessions wait for shell ready: Wait Time in Seconds: (), Result (), Original Result ().
Fields #
| Name | Description |
|---|---|
UInt1 UInt32 | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
Event ID 289 — MDM Session: OMA-DM sessions wait for shell ready: Wait Time in Seconds: (UInt1), Result (HexInt1), Original Result (HexInt2).
Event ID 290 — MDM Session: DmGetAadTokenExpired.
Description
MDM Session: DmGetAadTokenExpired. Interactive: (), Device: (), ExpirationTime: (), CurrentTime: (), BufferTimeInSeconds: ().
Fields #
| Name | Description |
|---|---|
param1 | — |
param2 | — |
param3 | — |
param4 | — |
param5 | — |
Event ID 290 —
Description
MDM Session: DmGetAadTokenExpired. Interactive: (), Device: (), ExpirationTime: (), CurrentTime: (), BufferTimeInSeconds: ().
Fields #
| Name | Description |
|---|---|
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
FileTime1 FILETIME | — |
FileTime2 FILETIME | — |
UInt11 UInt32 | — |
Event ID 290 — MDM Session: DmGetAadTokenExpired.
Event ID 291 —
Description
MDM Session: Process retry session succeeded: Account ID(), Initiation ID(), Function(), SubFunction(), HRESULT().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 291 — MDM Session: Process retry session succeeded: Account ID(Message1), Initiation ID(Message2), Function(Message3), SubFunction(Message4), HRESULT(HRESULT).
Description
MDM Session: Process retry session succeeded: Account ID(Message1), Initiation ID(Message2), Function(Message3), SubFunction(Message4), HRESULT(HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 292 —
Description
MDM Session: Process retry session failed: Account ID(), Initiation ID(), Function(), SubFunction(), HRESULT().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 292 — MDM Session: Process retry session failed: Account ID(Message1), Initiation ID(Message2), Function(Message3), SubFunction(Message4), HRESULT(HRESULT).
Description
MDM Session: Process retry session failed: Account ID(Message1), Initiation ID(Message2), Function(Message3), SubFunction(Message4), HRESULT(HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 293 —
Description
MDM Session: Schedule retry session succeeded: Account ID(), Initiation ID(), Function(), SubFunction(), HRESULT().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 293 — MDM Session: Schedule retry session succeeded: Account ID(Message1), Initiation ID(Message2), Function(Message3), SubFunction(Message4), HRESULT(HRESULT).
Description
MDM Session: Schedule retry session succeeded: Account ID(Message1), Initiation ID(Message2), Function(Message3), SubFunction(Message4), HRESULT(HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 294 —
Description
MDM Session: Schedule retry session failed: Account ID(), Initiation ID(), Function(), SubFunction(), HRESULT().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 294 — MDM Session: Schedule retry session failed: Account ID(Message1), Initiation ID(Message2), Function(Message3), SubFunction(Message4), HRESULT(HRESULT).
Description
MDM Session: Schedule retry session failed: Account ID(Message1), Initiation ID(Message2), Function(Message3), SubFunction(Message4), HRESULT(HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 295 —
Description
MDM Session: Retry recovery succeeded: Account ID(), Function(), SubFunction(), HRESULT().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 295 — MDM Session: Retry recovery succeeded: Account ID(Message1), Function(Message2), SubFunction(Message3), HRESULT(HRESULT).
Event ID 296 —
Description
MDM Session: Retry recovery failed: Account ID(), Function(), SubFunction(), HRESULT().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 296 — MDM Session: Retry recovery failed: Account ID(Message1), Function(Message2), SubFunction(Message3), HRESULT(HRESULT).
Event ID 301 — SCEP: Failed CspCreateInstance of Node : (Message1) Result : (HRESULT).
Event ID 302 — SCEP: Failed CspAddNode : (Message1) Result : (HRESULT).
Event ID 303 — SCEP: Failed CspDeleteChild for Node : (Message1) Result : (HRESULT).
Event ID 304 — SCEP: Failed CspGetValue for Node : (Message1) Result : (HRESULT).
Event ID 305 — SCEP: Failed CspSetValue for Node : (Message1) Result : (HRESULT).
Event ID 306 — SCEP: CspExecute for UniqueId : (Message1) InstallUserSid : (Message2) InstallLocation : (Message3) NodePath : (Message4) KeyProtection: (HexInt1) Result : (HexInt3).
Description
SCEP: CspExecute for UniqueId : (Message1) InstallUserSid : (Message2) InstallLocation : (Message3) NodePath : (Message4) KeyProtection: (HexInt1) Result : (HexInt3).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt3 HexInt32 | — |
Event ID 307 — SCEP: Failed LogError Message : (Message1).
Event ID 308 — SCEP: Failed to send Server request.
Event ID 309 — SCEP: InstallFromRegEntries.
Description
SCEP: InstallFromRegEntries. CorrelationGuid : (Message1) UniqueId : (Message2) Certificate Thumbprint : (Message3) Respondent Server : (Message4) Install Status : (HexInt1) Current Retry Count : (HexInt2) Result : (HexInt3).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
HexInt3 HexInt32 | — |
Event ID 310 — PFX: Certificate Install.
Event ID 311 — PFX: Certificate Install Failed.
Event ID 350 — First Sync: Deleting first sync key.
Event ID 351 — First Sync: Setting IsSyncDone.
Event ID 351 — First Sync: Setting IsSyncDone.
Event ID 352 — First Sync: Setting ContinueAnyway.
Event ID 352 — First Sync: Setting ContinueAnyway.
Event ID 353 — First Sync: Setting IsServerProvisioningDone.
Event ID 354 — First Sync: Setting AllowCollectLogsButton.
Event ID 354 — First Sync: Setting AllowCollectLogsButton.
Event ID 355 — First Sync: Setting SkipDeviceStatusPage.
Event ID 355 — First Sync: Setting SkipDeviceStatusPage.
Event ID 356 — First Sync: Setting SkipUserStatusPage.
Event ID 356 — First Sync: Setting SkipUserStatusPage.
Event ID 357 — First Sync: Setting TimeoutUntilSyncFailure.
Event ID 357 — First Sync: Setting TimeoutUntilSyncFailure.
Event ID 358 — First Sync: Setting BlockInStatusPage.
Event ID 358 — First Sync: Setting BlockInStatusPage.
Event ID 359 — First Sync: Resetting timeout.
Event ID 359 — First Sync: Resetting timeout.
Event ID 360 — First Sync: Setting DeviceProvisioningStatus.
Event ID 360 — First Sync: Setting DeviceProvisioningStatus.
Event ID 361 — First Sync: Getting DeviceProvisioningStatus.
Description
First Sync: Getting DeviceProvisioningStatus. EnrollmentID: () Status: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 361 — First Sync: Getting DeviceProvisioningStatus.
Event ID 400 — MDM ConfigurationManager: Command failure status.
Description
MDM ConfigurationManager: Command failure status. Configuration Source ID: (Message1), Enrollment Name: (Message2), Provider Name: (Message3), Command Type: (Message4), CSP URI: (Message5), Result: (HexInt1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 AnsiString | — |
Message5 UnicodeString | — |
HexInt1 HexInt32 | — |
Event ID 401 — MDM ConfigurationManager: CSP Node Operation.
Description
MDM ConfigurationManager: CSP Node Operation. Configuration Source ID: (Message1), Enrollment Name: (Message2), Provider Name: (Message3), Operation: (Message4), CSP URI: (Message5), Child URI: (Message6), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
Message6 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 402 — MDM ConfigurationManager: License check.
Event ID 403 — MDM ConfigurationManager: CSP Allow check.
Event ID 404 — MDM ConfigurationManager: Command failure status.
Description
MDM ConfigurationManager: Command failure status. Configuration Source ID: (Message1), Enrollment Name: (Message2), Provider Name: (Message3), Command Type: (InternalCmdType), CSP URI: (Message5), Result: (HexInt1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
InternalCmdType UInt32 | — |
Message5 UnicodeString | — |
HexInt1 HexInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 404,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:05.207419+00:00",
"event_record_id": 662,
"correlation": {},
"execution": {
"process_id": 6736,
"thread_id": 11860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "69C01DBD-8068-44F9-9507-8A9DF76C127A",
"Message2": "MDMFull",
"Message3": "DMClient",
"InternalCmdType": 1,
"Message5": "./Vendor/MSFT/DMClient/Provider/MiradoreMDM/Push/PFN",
"HexInt1": "0x8000401a"
},
"message": ""
}
Event ID 405 — MDM ConfigurationManager: No original URI.
Event ID 406 — MDM PushRouter: Pushrouter failed to start because the dmwappushservice service is disabled.
Description
MDM PushRouter: Pushrouter failed to start because the dmwappushservice service is disabled.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 406,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-15T23:43:23.939971+00:00",
"event_record_id": 2,
"correlation": {
"ActivityID": "2C21CC49-6A4B-4CBD-9614-B137D7FF6ACE"
},
"execution": {
"process_id": 1912,
"thread_id": 13680
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 450 — MDM ConfigurationManager: Command failure status.
Description
MDM ConfigurationManager: Command failure status. Configuration Source ID: (Message1), Enrollment Name: (Message2), Provider Name: (Message3), Command Type: (Message4), CSP URI: (Message5), Result: (HexInt1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 AnsiString | — |
Message5 UnicodeString | — |
HexInt1 HexInt32 | — |
Event ID 451 — MDM ConfigurationManager: CSP Node Operation.
Description
MDM ConfigurationManager: CSP Node Operation. Configuration Source ID: (Message1), Enrollment Name: (Message2), Provider Name: (Message3), Operation: (Message4), CSP URI: (Message5), Child URI: (Message6), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
Message6 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 452 — MDM ConfigurationManager: License check.
Event ID 453 — MDM ConfigurationManager: CSP Allow check.
Event ID 454 — MDM ConfigurationManager: Command failure status.
Description
MDM ConfigurationManager: Command failure status. Configuraton Source ID: (Message1), Enrollment Type: (Message2), CSP Name: (Message3), Command Type: (InternalCmdType), CSP URI: (Message5), Result: (HexInt1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
InternalCmdType UInt32 | — |
Message5 UnicodeString | — |
HexInt1 HexInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 454,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T01:38:05.770736+00:00",
"event_record_id": 116,
"correlation": {},
"execution": {
"process_id": 1872,
"thread_id": 9840
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "43C0DA41-21B4-4245-980F-878D0899119B",
"Message2": "Unknown",
"Message3": "CertificateStore",
"InternalCmdType": 4,
"Message5": "./Vendor/MSFT/CertificateStore/My/User/77AE461422C718FB773BA82A44CC4609879F20EA",
"HexInt1": "0x86000002"
},
"message": ""
}
Event ID 455 — MDM ConfigurationManager: Caller did not specify user to impersonate to.
Description
MDM ConfigurationManager: Caller did not specify user to impersonate to. Targetted user sid: () Result: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 455 — MDM ConfigurationManager: Caller did not specify user to impersonate to.
Event ID 456 — MDM ConfigurationManager: CSP Command takes too long in execution.
Description
MDM ConfigurationManager: CSP Command takes too long in execution. Configuration Source ID: (), Enrollment Name: (), Provider Name: (), Command Type: (), CSP URI: (), Duration: (), Result: ().
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
UInt4 UInt32 | — |
Message5 UnicodeString | — |
UInt6 UInt32 | — |
HexInt7 HexInt32 | — |
Event ID 457 — MDM ConfigurationManager: CSP takes too long in locking.
Description
MDM ConfigurationManager: CSP takes too long in locking. Configuration Source ID: (Message1), Enrollment Name: (Message2), Provider Name: (Message3), Command Type: (UInt4), CSP URI: (Message5), Duration: (UInt6), Result: (HexInt7).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
UInt4 UInt32 | — |
Message5 UnicodeString | — |
UInt6 UInt32 | — |
HexInt7 HexInt32 | — |
Event ID 458 — MDM ConfigurationManager: Global mutex takes too long in locking.
Event ID 600 — MDM ResourceManager: Resource URI: (Message1), Result: (HRESULT).
Event ID 601 — MDM ResourceManager: DeleteResource EnrollmentID: (Message1) UserSID: (Message2) URI: (Message3).
Description
MDM ResourceManager: DeleteResource EnrollmentID: (Message1) UserSID: (Message2) URI: (Message3).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 601,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T01:38:05.764037+00:00",
"event_record_id": 114,
"correlation": {},
"execution": {
"process_id": 2768,
"thread_id": 276
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "43C0DA41-21B4-4245-980F-878D0899119B",
"Message2": "device",
"Message3": "./Vendor/MSFT/CertificateStore/My/User/77AE461422C718FB773BA82A44CC4609879F20EA"
},
"message": ""
}
Event ID 700 — MDM Registration: Unregister device invoked by exe: (Message1), Result: (HRESULT).
Event ID 700 — MDM Registration: Unregister device invoked by exe: (Message1), Result: (HRESULT).
Event ID 800 — MDM PolicyManager: Dedicated notification (WNF): (HexInt1, HexInt2) published for Policy: (Message1).
#Description
MDM PolicyManager: Dedicated notification (WNF): (HexInt1, HexInt2) published for Policy: (Message1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 800,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T22:26:45.458468+00:00",
"event_record_id": 134,
"correlation": {
"ActivityID": "F590C418-1079-0002-E8EA-90F57910DA01"
},
"execution": {
"process_id": 3584,
"thread_id": 3588
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "Power/Policy/Settings/Processor/SchemePersonality/381b4222-f694-41f0-9685-ff5bb260df2e/0aabb002-a307-447e-9b81-1d819df6c6d0/PerfIncreaseThreshold/DcValue",
"HexInt1": "0xa3b7e065",
"HexInt2": "0x41c64e6d"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 801 — MDM PolicyManager: Dedicated notification (WNF): (HexInt1, HexInt2) published for Policy: (Message1), Result:(HexInt3) HRESULT.
Event ID 802 — MDM PolicyManager: Area notification (WNF): (HexInt1, HexInt2) published for Area: (Message1).
Event ID 803 — MDM PolicyManager: Area notification (WNF): (HexInt1, HexInt2) published for Area: (Message1), Result:(HexInt3) HRESULT.
Event ID 804 — MDM PolicyManager: Dedicated notification (WNF) WNF_ENTR_REQUIRE_DEVICE_ENCRYPTION_POLICY_VALUE_CHANGED published.
Description
MDM PolicyManager: Dedicated notification (WNF) WNF_ENTR_REQUIRE_DEVICE_ENCRYPTION_POLICY_VALUE_CHANGED published.
Message #
Event ID 805 — MDM PolicyManager: Dedicated notification (WNF) WNF_ENTR_REQUIRE_DEVICE_ENCRYPTION_POLICY_VALUE_CHANGED published.
Event ID 806 — MDM PolicyManager: Merge string, Area: (Message1), Policy: (Message2), EnrollmentID requesting merge: (Message3), Result:(UInt1) HRESULT.
Event ID 807 — MDM PolicyManager: Merge binary, Area: (Message1), Policy: (Message2), EnrollmentID requesting merge: (Message3), Result:(UInt1) HRESULT.
Event ID 808 — MDM PolicyManager: Merge int, Area: (Message1), Policy: (Message2), EnrollmentID requesting merge: (Message3), Result:(UInt1) HRESULT.
Event ID 809 — MDM PolicyManager: Set policy int, Policy: (Message1), Area: (Message2), EnrollmentID requesting set: (Message3), Current User: (Message4), Int: (HexInt1), Enrollment Type.
Description
MDM PolicyManager: Set policy int, Policy: (Message1), Area: (Message2), EnrollmentID requesting set: (Message3), Current User: (Message4), Int: (HexInt1), Enrollment Type: (HexInt2), Scope: (HexInt3), Result:(HexInt4) HexInt5.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
HexInt3 HexInt32 | — |
HexInt4 HexInt32 | — |
HexInt5 HexInt32 | — |
Event ID 810 — MDM PolicyManager: Set policy string, Policy: (Message1), Area: (Message2), EnrollmentID requesting set: (Message3), Current User: (Message4), String: (Message5), Enrollment Typ...
Description
MDM PolicyManager: Set policy string, Policy: (Message1), Area: (Message2), EnrollmentID requesting set: (Message3), Current User: (Message4), String: (Message5), Enrollment Type: (HexInt1), Scope: (HexInt2), Result:(HexInt3) HexInt4.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
HexInt3 HexInt32 | — |
HexInt4 HexInt32 | — |
Event ID 811 — MDM PolicyManager: Set policy binary, Policy: (Message1), Area: (Message2), EnrollmentID requesting set: (Message3), Current User: (Message4), Enrollment Type: (HexInt1), Scope...
Description
MDM PolicyManager: Set policy binary, Policy: (Message1), Area: (Message2), EnrollmentID requesting set: (Message3), Current User: (Message4), Enrollment Type: (HexInt1), Scope: (HexInt2), Result:(HexInt3) HexInt4.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
HexInt3 HexInt32 | — |
HexInt4 HexInt32 | — |
Event ID 812 — MDM PolicyManager: Set policy, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), Scope: (HexInt1), Result:(HexInt2) HexInt3.
Description
MDM PolicyManager: Set policy, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), Scope: (HexInt1), Result:(HexInt2) HexInt3.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
HexInt3 HexInt32 | — |
Event ID 813 — MDM PolicyManager: Set policy int, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), Int: (HexInt1), Enrollment Type.
#Description
MDM PolicyManager: Set policy int, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), Int: (HexInt1), Enrollment Type: (HexInt2), Scope: (HexInt3).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
HexInt3 HexInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 813,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-05T22:26:45.437445+00:00",
"event_record_id": 172,
"correlation": {
"ActivityID": "F590C418-1079-0002-E8EA-90F57910DA01"
},
"execution": {
"process_id": 3584,
"thread_id": 3588
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "Power/Policy/Settings/Processor/SchemePersonality/381b4222-f694-41f0-9685-ff5bb260df2e/0aabb002-a307-447e-9b81-1d819df6c6d0/PerfIncreaseThreshold/DcValue",
"Message2": "knobs",
"Message3": "fc01e91f-914c-45af-9d7c-0b2e5fbedf62",
"Message4": "device",
"HexInt1": "0x1e",
"HexInt2": "0x1",
"HexInt3": "0x0"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 814 — MDM PolicyManager: Set policy string, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), String: (Message5), Enrollment T...
Description
MDM PolicyManager: Set policy string, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), String: (Message5), Enrollment Type: (HexInt1), Scope: (HexInt2).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
Event ID 815 — MDM PolicyManager: Set policy binary, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), Enrollment Type: (HexInt1), Sco...
Description
MDM PolicyManager: Set policy binary, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), Enrollment Type: (HexInt1), Scope: (HexInt2).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
Event ID 817 — MDM PolicyManager: Merge policy precheck apply call.
Event ID 818 — MDM PolicyManager: Delete policy, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), Scope: (HexInt1), Result:(HexInt2) HexInt3.
Description
MDM PolicyManager: Delete policy, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), Scope: (HexInt1), Result:(HexInt2) HexInt3.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
HexInt3 HexInt32 | — |
Event ID 819 — MDM PolicyManager: Delete policy, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), Scope: (HexInt1).
Description
MDM PolicyManager: Delete policy, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), Scope: (HexInt1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HexInt1 HexInt32 | — |
Event ID 820 — MDM PolicyManager: Set policy precheck precheck call.
Event ID 821 — MDM PolicyManager: Merge of policy did not complete successfully, Policy: (Message1), Area: (Message2), Result:(HexInt3) HRESULT.
Event ID 822 — MDM PolicyManager: Acquiring the merge lock, Policy: (Message1), Area: (Message2), Result:(HexInt3) HRESULT.
Event ID 823 — MDM PolicyManager: Create dynamic policy metadata, Policy: (Message1), Area: (Message2), Result:(HexInt3) HRESULT.
Event ID 824 — MDM PolicyManager: Per user policy has device wide scope specified, Policy: (Message1), Area: (Message2), Result:(HexInt3) HRESULT.
Event ID 825 — MDM PolicyManager: Device wide policy has user wide scope specified, Policy: (Message1), Area: (Message2), Result:(HexInt3) HRESULT.
Event ID 826 — MDM PolicyManager: SLAPI data not found, Policy: (Message1), Area: (Message2), Result:(HexInt3) HRESULT.
Event ID 827 — MDM PolicyManager: Policy is rejected by licensing, Policy: (Message1), Area: (Message2), Result:(HexInt3) HRESULT.
Event ID 828 — MDM PolicyManager: Policy is rejected by DoNotAllow flag, Policy: (Message1), Area: (Message2), Result:(HexInt3) HRESULT.
Event ID 829 — MDM PolicyManager: Dedicated cached delayed notification (WNF): (HexInt1, HexInt2) published for Policy: (Message1) in Area (Message2).
#Description
MDM PolicyManager: Dedicated cached delayed notification (WNF): (HexInt1, HexInt2) published for Policy: (Message1) in Area (Message2).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 829,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2022-04-07T08:14:41.791112+00:00",
"event_record_id": 2,
"correlation": {},
"execution": {
"process_id": 648,
"thread_id": 2760
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational",
"computer": "WIN-FPV0DSIC9O6.lab.local",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "DataProtection",
"Message2": "EnterpriseProtectedDomainNames",
"HexInt1": "0xa3bd6475",
"HexInt2": "0x13920028"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 830 — MDM PolicyManager: Dedicated cached delayed notification (WNF): (HexInt1, HexInt2) published for Policy: (Message1) in Area (Message2), Result:(HexInt3) HRESULT.
Description
MDM PolicyManager: Dedicated cached delayed notification (WNF): (HexInt1, HexInt2) published for Policy: (Message1) in Area (Message2), Result:(HexInt3) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
HexInt3 HexInt32 | — |
HRESULT HexInt32 | — |
Event ID 831 — MDM PolicyManager: Dedicated non-cached delayed notification (WNF): (HexInt1, HexInt2) published for Policy: (Message1) in Area (Message2).
Event ID 832 — MDM PolicyManager: Dedicated non-cached delayed notification (WNF): (HexInt1, HexInt2) published for Policy: (Message1) in Area (Message2), Result:(HexInt3) HRESULT.
Description
MDM PolicyManager: Dedicated non-cached delayed notification (WNF): (HexInt1, HexInt2) published for Policy: (Message1) in Area (Message2), Result:(HexInt3) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
HexInt3 HexInt32 | — |
HRESULT HexInt32 | — |
Event ID 833 — MDM PolicyManager: Evaluator notification (WNF): (HexInt1, HexInt2) published for Evaluator: (Message1).
#Description
MDM PolicyManager: Evaluator notification (WNF): (HexInt1, HexInt2) published for Evaluator: (Message1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 833,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-10-25T22:55:39.435030+00:00",
"event_record_id": 50,
"correlation": {},
"execution": {
"process_id": 4544,
"thread_id": 772
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
}
},
"event_data": {
"Message1": "AppHVSI",
"HexInt1": "0xa3bd9075",
"HexInt2": "0x13920028"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 834 — MDM PolicyManager: Evaluator notification (WNF): (HexInt1, HexInt2) published for Evaluator: (Message1), Result:(HexInt3) HRESULT.
Event ID 835 — MDM PolicyManager: Set Policy (Message1) in Area (Message2) is Evaluator policy.
Event ID 836 — MDM PolicyManager: Set Policy (Message1) in Area (Message2) is Evaluator policy.
Description
MDM PolicyManager: Set Policy (Message1) in Area (Message2) is Evaluator policy. Add Evaluator (Message3) to Evaluator WNF list to publish area Evaluator WNF on CSP unload, Result:(UInt1) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
UInt1 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 837 — MDM PolicyManager: Delete Policy (Message1) in Area (Message2) is Evaluator policy.
Event ID 838 — MDM PolicyManager: Delete Policy (Message1) in Area (Message2) is Evaluator policy.
Description
MDM PolicyManager: Delete Policy (Message1) in Area (Message2) is Evaluator policy. Add Evaluator (Message3) to Evaluator WNF list to publish area Evaluator WNF on CSP unload, Result:(UInt1) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
UInt1 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 839 — MDM PolicyManager: Delete provider (Message1).
#Description
MDM PolicyManager: Delete provider (Message1). Add Evaluator (Message2) to Evaluator WNF list to publish area Evaluator WNF on CSP unload.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 839,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-10-25T22:55:39.426870+00:00",
"event_record_id": 48,
"correlation": {},
"execution": {
"process_id": 4544,
"thread_id": 772
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
}
},
"event_data": {
"Message1": "FC01E91F-914C-45AF-9D7C-0B2E5FBEDF62",
"Message2": "AppHVSI"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 840 — MDM PolicyManager: Delete provider (Message1).
Event ID 841 — MDM PolicyManager: Delete area (Message2) in provider (Message1).
Event ID 842 — MDM PolicyManager: Delete area (Message2) in provider (Message1).
Description
MDM PolicyManager: Delete area (Message2) in provider (Message1). Add Evaluator (Message3) to Evaluator WNF list to publish Evaluator WNF on CSP unload, Result:(UInt1) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
UInt1 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 843 — MDM PolicyManager: Load of the precheck DLL (UInt1) did not complete successfully, Policy: (Message2), Area: (Message1), Precheck: (Message3), Result:(UInt2) HRESULT.
Description
MDM PolicyManager: Load of the precheck DLL (UInt1) did not complete successfully, Policy: (Message2), Area: (Message1), Precheck: (Message3), Result:(UInt2) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
UInt1 UInt32 | — |
UInt2 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 844 — MDM PolicyManager: During Message1 found bad enrollment (Message2) during merge.
#Description
MDM PolicyManager: During Message1 found bad enrollment (Message2) during merge. Requesting merge (Message3). Deleting policies for the enrollment. Enrollment state is (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
HRESULT HexInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 844,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-10-26T04:20:37.233106+00:00",
"event_record_id": 2,
"correlation": {},
"execution": {
"process_id": 716,
"thread_id": 3532
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "WIN-OQ6R0RVA4NF",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "Inbox",
"Message2": "82965F5A-6C65-4B7A-8075-488FCCE07D4E",
"Message3": "1e05dd5d-a022-46c5-963c-b20de341170f",
"HRESULT": "0x3f"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 845 — MDM PolicyManager: Cannot delete the policy hive for bad enrollment (Message1).
Event ID 846 — MDM PolicyManager: Machine Broadcast of WM_SETTINGCHANGES to user sessions failed with (HexInt1).
Event ID 847 — MDM PolicyManager: Machine Broadcast of WM_SETTINGCHANGES to user sessions.
Description
MDM PolicyManager: Machine Broadcast of WM_SETTINGCHANGES to user sessions.
Message #
Event ID 848 — MDM PolicyManager: Policy value set by MAM is not allowed.
Event ID 849 — MDM PolicyManager: Merge policy precheck apply call.
Event ID 850 — MDM PolicyManager ADMX Ingestion: Blocked registry key: (Message1) in (Message2) tag.
Event ID 851 — MDM PolicyManager ADMX Ingestion: Cannot remove ADMX metadata when policy is in use.
Event ID 852 — MDM PolicyManager ADMX Ingestion: Invalid attribute.
Event ID 853 — MDM PolicyManager ADMX Ingestion: Invalid tag:<Message1> under <Message2>.
Event ID 854 — MDM PolicyManager ADMX Ingestion: <Message1> does not have required attribute (Message2).
Event ID 855 — MDM PolicyManager ADMX Ingestion: Xml Read Error TagName:(Message1), Line:(HexInt1) Position:(HexInt2) Result:(HRESULT).
Event ID 856 — MDM PolicyManager: ADMX ingestion given payload policy definition element Id not found: Id (Message1).
Event ID 857 — MDM PolicyManager: ADMX ingestion given payload expect True or False string.
Event ID 858 — MDM PolicyManager: ADMX ingestion given payload has value that cannot be converted to decimal: Id (Message1).
Event ID 859 — MDM PolicyManager: Load of the translation DLL (UInt1) did not complete successfully, Policy: (Message2), Area: (Message1), Action: (Message3), Result:(UInt2) HRESULT.
Description
MDM PolicyManager: Load of the translation DLL (UInt1) did not complete successfully, Policy: (Message2), Area: (Message1), Action: (Message3), Result:(UInt2) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
UInt1 UInt32 | — |
UInt2 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 860 — MDM PolicyManager: Merge policy precheck post apply call.
Description
MDM PolicyManager: Merge policy precheck post apply call. Policy: (Message1), Area: (Message2), string value: (Message3), setByProvider: (UInt1), Result:(UInt2) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
UInt1 UInt32 | — |
UInt2 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 861 — MDM PolicyManager: Merge policy precheck post apply call.
Description
MDM PolicyManager: Merge policy precheck post apply call. Policy: (Message1), Area: (Message2), int value: (HexInt1),setByProvider: (HexInt2) Result:(HexInt3) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
HexInt3 HexInt32 | — |
HRESULT HexInt32 | — |
Event ID 862 — MDM PolicyManager: Merge policy: Policy definitions for area (Message1) not found.
Event ID 863 — MDM PolicyManager: Merge policy: Policy definition for area (Message1), policy (Message2) not found.
Event ID 864 — MDM PolicyManager: Enum of policies: Policy definition for area (Message1), policy (Message2) not found.
Event ID 865 — MDM PolicyManager: ADMX Ingestion: EnrollmentId (Message1), app name (Message2), setting type (Message3), unique Id (Message4).
Description
MDM PolicyManager: ADMX Ingestion: EnrollmentId (Message1), app name (Message2), setting type (Message3), unique Id (Message4). Result:(HexInt1) HexInt3.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt3 HexInt32 | — |
Event ID 866 — MDM PolicyManager: ADMX Ingestion: EnrollmentId (Message1), app name (Message2), setting type (Message3), unique Id (Message4), area (Message5).
Description
MDM PolicyManager: ADMX Ingestion: EnrollmentId (Message1), app name (Message2), setting type (Message3), unique Id (Message4), area (Message5).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
Event ID 867 — MDM PolicyManager: ADMX ingestion delete of previous ingestion: EnrollmentId (Message1), app name (Message2), setting type (Message3), unique Id (Message4).
Description
MDM PolicyManager: ADMX ingestion delete of previous ingestion: EnrollmentId (Message1), app name (Message2), setting type (Message3), unique Id (Message4). Result:(HexInt1) HexInt3.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt3 HexInt32 | — |
Event ID 868 — MDM PolicyManager: ADMX ingestion: Nested Element tags found: previous (Message1), next (Message2).
Event ID 869 — MDM PolicyManager: ADMX ingestion: Delete of path issue: Path (Message1).
Event ID 870 — MDM PolicyManager: ADMX ingestion payload Id attribute missing.
Event ID 871 — MDM PolicyManager: ADMX ingestion verification whether there are policies against it has failed.
Description
MDM PolicyManager: ADMX ingestion verification whether there are policies against it has failed. EnrollmentId (Message1), app name (Message2), setting type (Message3), unique Id (Message4). Result:(HexInt1) HexInt3.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt3 HexInt32 | — |
Event ID 872 — MDM PolicyManager: ADMX ingestion starting update of existing Admx ingestion.
Description
MDM PolicyManager: ADMX ingestion starting update of existing Admx ingestion. EnrollmentId (), app name (), setting type (), unique Id (), policy values were set on previous ADMX file ingestion ().
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HexInt1 HexInt32 | — |
Event ID 873 — MDM PolicyManager: ADMX ingestion starting new Admx ingestion.
Event ID 880 — MDM Wins Over GP: MDMWinsOverGP policy enabled but this GP setting is not blocked, Value: (Message1), Namespace: (Message2), Operation: (Message3), Result:(UInt1) HRESULT.
Description
MDM Wins Over GP: MDMWinsOverGP policy enabled but this GP setting is not blocked, Value: (Message1), Namespace: (Message2), Operation: (Message3), Result:(UInt1) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
UInt1 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 881 — MDM Wins Over GP: MDMWinsOverGP policy enabled and GP setting is blocked, Value: (Message1), Namespace: (Message2), Operation: (Message3).
Event ID 890 — MDM Container: Admx Ingestion Change Notificaiton WNF fired, Value: (.
Description
MDM Container: Admx Ingestion Change Notificaiton WNF fired, Value: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Event ID 890 — MDM Container: Admx Ingestion Change Notificaiton WNF fired, Value: (Message1).
Event ID 900 — MDM Diagnostics: Getting Diagnostics Information from (Message1).
Event ID 901 — MDM Diagnostics: Creating Diagnostic report at (Message1).
Event ID 902 — MDM Diagnostics: Adding redirected reg keys to Policy Manager diagnostic data failed.
Event ID 903 — MDM Diagnostics: Opening redirected reg keys (Message1) in Policy Manager diagnostic data failed.
Event ID 904 — MDM Diagnostics: Opening redirected reg value (Message1) in Policy Manager diagnostic data failed.
Event ID 905 — MDM Diagnostics: Appending redirected reg key or Group Policy values in Policy Manager diagnostic report failed.
Event ID 906 — MDM Diagnostics: Parsing input XML failed.
Event ID 907 — MDM Diagnostics: Getting data out of top level key (Message1) failed.
Event ID 908 — MDM Diagnostics: Getting data out of registry keys (Message1) failed.
Event ID 909 — MDM Diagnostics: Getting data out of registry values (Message1) failed.
Event ID 910 — MDM Diagnostics: Check for whether directory (Message1) exists and create if not failed.
Event ID 911 — MDM Diagnostics: Removing PII from ActiveSync data failed.
Event ID 912 — MDM PolicyManager ADMX Ingestion: ParentCategory of policy is not defined in categories PolicyName:(Message1), ParentCategory:(Message2).
Event ID 913 — MDM PolicyManager ADMX Ingestion: Circular Referencing In Categories Category (Message1), ParentCategory:(Message2).
Event ID 914 — MDM PolicyManager ADMX Ingestion: Equivalent Area name from categories should be limited to 255 characters(Max registry key length).
Event ID 915 — MDM PolicyManager: Merge policy: Making the enrollment dormant, removing policies.
Event ID 916 — MDM PolicyManager: Merge policy: Making the enrollment non dormant, policies in enrollment are make current.
Event ID 917 — MDM PolicyManager: Merge policy: State of enrollment should not be dormant.
Event ID 918 — MDM PolicyManager: Merge policy: State of enrollment should not be non-dormant.
Event ID 1000 — Phone Reset: Phone reset initiated.
Description
Phone Reset: Phone reset initiated.
Message #
Event ID 1100 — Device Management Account CSP: Retrieving the node via Get command failed with (HRESULT).
Event ID 1101 — Device Management Account CSP: Device Management session not requested after account creation.
Description
Device Management Account CSP: Device Management session not requested after account creation.
Message #
Event ID 1102 — Device Management Account CSP: Device Management session requested after DM account creation by server: (Message1).
Event ID 1103 — Device Management Account CSP: Device Management session kick-off request ignored for enterprise enrollment type: (HexInt1).
Event ID 1104 — Device Management Account CSP: Device Management session kick-off request denied for enrollment type: (HexInt1).
Event ID 1105 — Device Management Account CSP: Invalid enrollment type.
Event ID 1106 — Device Management Account CSP: Device Management session kick-off request failed.
Event ID 1107 — Device Management Account CSP: Notifying configuration manager notification failed.
Event ID 1108 — Device Management Account CSP: Retrieving the session variable: (Message1), value: (Message2) failed.
Event ID 1109 — Device Management Account CSP: Retrieved the session variable: (Message1), value: (Message2).
Event ID 1110 — Device Management Account CSP: Creating an instance of Device Management Account CSP failed.
Event ID 1111 — Device Management Account CSP: An instance of the Device Management Account CSP was initialized for AccountUID: (Message1), session's Enrollment ID: (Message2)...
Event ID 1112 — Device Management Account CSP: Failed to initialize an instance of the Device Management Account CSP for AccountUID: (Message1), session's Enrollment ID:...
Event ID 1113 — Device Management Account CSP: Enumerating the children nodes failed.
Event ID 1114 — Device Management Account CSP: Device Management account for a different Enterprise enrollment denied.
Description
Device Management Account CSP: Device Management account for a different Enterprise enrollment denied. AccountUID: (), session's Enrollment ID: (), referenced account's Enrollment ID: (). Result: ().
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 1115 — Device Management Account CSP: Device Management account being created for Mobile Operator.
Event ID 1116 — Device Management Account CSP: Creating new enrollment for mobile operator failed.
Event ID 1117 — Device Management Account CSP: Creating new enrollment for mobile operator failed.
Event ID 1118 — Device Management Account CSP: Device Management account added.
Description
Device Management Account CSP: Device Management account added. Provider ID: (Message1), session Enrollment ID: (Message2), new Enrollment ID: (Message3), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 1119 — Device Management Account CSP: Adding device management account failed.
Description
Device Management Account CSP: Adding device management account failed. Provider ID: (Message1), session Enrollment ID: (Message2), new Enrollment ID: (Message3), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 1120 — Device Management Account CSP: Device Management account deleted.
Event ID 1121 — Device Management Account CSP: Device Management account deletion failed.
Event ID 1122 — Device Management Account CSP: Device Management account clear failed.
Event ID 1123 — Device Management Account CSP: Device Management account moved.
Description
Device Management Account CSP: Device Management account moved. Session's Enrollment ID: (Message1), Old AccountUID: (Message2), New AccountUID: (Message3), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 1124 — Device Management Account CSP: Device Management account move failed.
Description
Device Management Account CSP: Device Management account move failed. Session's Enrollment ID: (Message1), Old AccountUID: (Message2), New AccountUID: (Message3), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 1125 — Device Management Account CSP: Device Management account check.
Description
Device Management Account CSP: Device Management account check. Enrollment ID: (Message1), AccountUID of account being accessed: (Message2), AccountUID of account used to run the session: (Message3), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 1126 — Device Management Account CSP: Device Management account check failed.
Event ID 1127 — Device Management Account CSP: Device Management session kick-off request ignored since there are multiple accounts being created.
Event ID 1128 — Device Management Account CSP: MO trying to access a non-MO Device Management account.
Event ID 1200 — Device Impersonation: Illegal attempt to impersonate.
Event ID 1300 — Enrollment Status Tracking: Starting status tracking for resource.
Event ID 1301 — Enrollment Status Tracking: Initializing download for resource.
Event ID 1302 — Enrollment Status Tracking: Downloading resource.
Event ID 1303 — Enrollment Status Tracking: Pending download retry for resource.
Event ID 1304 — Enrollment Status Tracking: Download of resource encountered an error and could not complete.
Event ID 1305 — Enrollment Status Tracking: Download of resource completed successfully.
Event ID 1306 — Enrollment Status Tracking: Pending user session for resource.
Event ID 1307 — Enrollment Status Tracking: Installing resource.
Event ID 1308 — Enrollment Status Tracking: Pending installation retry for resource.
Event ID 1309 — Enrollment Status Tracking: Installation of resource encountered an error and could not complete.
Event ID 1310 — Enrollment Status Tracking: Installation of resource completed successfully.
Event ID 1311 — Enrollment Status Tracking: Status of resource is unknown.
Event ID 1350 — Autopilot Device Preparation: Latest device preparation hint used = UInt1.
Event ID 1351 — Autopilot Device Preparation: Device is no longer in OOBE and attempt to clear the device preparation hint resulted in HRESULT HRESULT.
Event ID 1500 — WiFiConfigurationServiceProvider: New node initialized, type: (UInt1), name: (Message1).
Event ID 1501 — WiFiConfigurationServiceProvider: Children queried, type: (UInt1), count: (UInt2).
Event ID 1502 — WiFiConfigurationServiceProvider: Node added, type: (UInt1), uri: (Message1), result: (HRESULT).
Event ID 1503 — WiFiConfigurationServiceProvider: Node delete child, type: (UInt1), uri: (Message1), result: (HRESULT).
Event ID 1504 — WiFiConfigurationServiceProvider: Node clear, type: (UInt1), Result: (HRESULT).
Event ID 1505 — WiFiConfigurationServiceProvider: Node get value, type: (UInt1), Result: (HRESULT).
Event ID 1506 — WiFiConfigurationServiceProvider: Node set value, type: (UInt1), Result: (HRESULT).
Event ID 1507 — WiFiConfigurationServiceProvider: Node set value failed to set the wlan profile, error: (UInt1).
Event ID 1508 — WiFiConfigurationServiceProvider: Node destructed, type: (UInt1).
Event ID 1509 — WiFiConfigurationServiceProvider: Get Node, Result: (HRESULT).
Event ID 1510 — WiFiConfigurationServiceProvider: Node set value failed to set proxy, dwError: (UInt1).
Event ID 1511 — WiFiConfigurationServiceProvider: Node initialize, segments: (UInt1), uri: (Message1), Result: (HRESULT).
Event ID 1530 — WiredNetworkConfigurationServiceProvider: Wired network profile saved.
Description
WiredNetworkConfigurationServiceProvider: Wired network profile saved.
Message #
Event ID 1531 — WiredNetworkConfigurationServiceProvider: Enable block period set.
Description
WiredNetworkConfigurationServiceProvider: Enable block period set.
Message #
Event ID 1532 — WiredNetworkConfigurationServiceProvider: Wired network profile deleted.
Description
WiredNetworkConfigurationServiceProvider: Wired network profile deleted.
Message #
Event ID 1533 — WiredNetworkConfigurationServiceProvider: Wired network profile deleted.
Description
WiredNetworkConfigurationServiceProvider: Wired network profile deleted.
Message #
Event ID 1534 — WiredNetworkConfigurationServiceProvider: Wired network profile not saved.
Event ID 1535 — WiredNetworkConfigurationServiceProvider: Block period not set.
Event ID 1536 — WiredNetworkConfigurationServiceProvider: Delete wired network profile failed.
Event ID 1537 — WiredNetworkConfigurationServiceProvider: Disable block period failed.
Event ID 1538 — WiredNetworkConfigurationServiceProvider: Dot3 service start failed.
Event ID 1539 — WiredNetworkConfigurationServiceProvider: Dot3 service configuration change failed.
Event ID 1540 — WiredNetworkConfigurationServiceProvider: Dot3 service stop failed.
Event ID 1600 — DMClient Configuration Service Provider: Server initiated unenroll started.
Description
DMClient Configuration Service Provider: Server initiated unenroll started. Enrollment ID: (Message1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 1600,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T01:38:03.147900+00:00",
"event_record_id": 85,
"correlation": {},
"execution": {
"process_id": 6848,
"thread_id": 4028
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "43C0DA41-21B4-4245-980F-878D0899119B"
},
"message": ""
}
Event ID 1600 — DMClient Configuration Service Provider: Server initiated unenroll started.
Event ID 1601 — DMClient Configuration Service Provider: Server initiated unenroll failed.
Event ID 1601 — DMClient Configuration Service Provider: Server initiated unenroll failed.
Event ID 1650 — Windows Information Protection configuration changed: Previous State: (Message1), Current State: (Message2), Result: (HRESULT).
Event ID 1651 — Windows Information Protection dependency check result: Dependency Name: (Message1), State: (Message2), IsDependencySatisfied: (HexInt3), Result: (HexInt3).
Event ID 1652 — Windows Information Protection missing mandatory policy: Area: (Message1), Name: (Message2).
Event ID 1653 — MDM Evaluator Scenario Evaluate Result: Scenario: (Message1), Previous State: (Message2), Last Dependency: (Message3), Final State: (Message4), Result: (HRESULT).
Description
MDM Evaluator Scenario Evaluate Result: Scenario: (Message1), Previous State: (Message2), Last Dependency: (Message3), Final State: (Message4), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 1700 — System Migration Task Started.
Description
System Migration Task Started.
Message #
Event ID 1701 — System Migration Task Deleted.
Event ID 1702 — System Upgrade Alert scheduled.
Event ID 1703 — User Upgrade Alert scheduled.
Event ID 1704 — User Migration Task Started.
Description
User Migration Task Started.
Message #
Event ID 1705 — User Migration Task Deleted.
Event ID 1706 — Resource Manager Keys Migrated.
Event ID 1707 — Schedules Created.
Event ID 1708 — Impersonation result.
Event ID 1709 — No Migration needed, not an upgrade.
#Description
No Migration needed, not an upgrade.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 1709,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-10-25T21:23:47.600367+00:00",
"event_record_id": 30,
"correlation": {},
"execution": {
"process_id": 6072,
"thread_id": 6120
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1800 — Windows Defender Advanced Threat Protection CSP: Get Node's Value.
Event ID 1801 — Windows Defender Advanced Threat Protection CSP: Failed to Get Node's Value.
Event ID 1802 — Windows Defender Advanced Threat Protection CSP: Get Node's Value complete.
Event ID 1803 — Windows Defender Advanced Threat Protection CSP: Get Last Connected value complete.
Event ID 1804 — Windows Defender Advanced Threat Protection CSP: Get Org ID value complete.
Event ID 1805 — Windows Defender Advanced Threat Protection CSP: Get Sense Is Running value complete.
Event ID 1806 — Windows Defender Advanced Threat Protection CSP: Get Onboarding State value complete.
Event ID 1807 — Windows Defender Advanced Threat Protection CSP: Get Onboarding value complete.
Event ID 1808 — Windows Defender Advanced Threat Protection CSP: Get Offboarding value complete.
Event ID 1809 — Windows Defender Advanced Threat Protection CSP: Get Sample Sharing value complete.
Event ID 1810 — Windows Defender Advanced Threat Protection CSP: Onboarding process.
Description
Windows Defender Advanced Threat Protection CSP: Onboarding process. Started.
Message #
Event ID 1811 — Windows Defender Advanced Threat Protection CSP: Onboarding process.
Event ID 1812 — Windows Defender Advanced Threat Protection CSP: Onboarding process.
Event ID 1813 — Windows Defender Advanced Threat Protection CSP: Onboarding process.
Description
Windows Defender Advanced Threat Protection CSP: Onboarding process. The service started successfully.
Message #
Event ID 1814 — Windows Defender Advanced Threat Protection CSP: Onboarding process.
Event ID 1815 — Windows Defender Advanced Threat Protection CSP: Set Sample Sharing value complete.
Event ID 1816 — Windows Defender Advanced Threat Protection CSP: Offboarding process.
Event ID 1817 — Windows Defender Advanced Threat Protection CSP: Offboarding process.
Event ID 1818 — Windows Defender Advanced Threat Protection CSP: Set Node's Value started.
Event ID 1819 — Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value.
Event ID 1820 — Windows Defender Advanced Threat Protection CSP: Set Node's Value complete.
Event ID 1901 — EnterpriseDesktopAppManagement CSP: A node instance of was created successfully.
Description
EnterpriseDesktopAppManagement CSP: A node instance of was created successfully. MSI ProductCode: Message1, MSI UpgradeCode: Message2, User SID: (Message3).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 1901,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:36:03.908742+00:00",
"event_record_id": 173,
"correlation": {},
"execution": {
"process_id": 9444,
"thread_id": 6216
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "{ad40f56a-5735-45d5-8a57-c36ce8739abc}",
"Message2": "null",
"Message3": "S-0-0-00-0000000000-0000000000-000000000-000"
},
"message": ""
}
Event ID 1902 — EnterpriseDesktopAppManagement CSP: A node instance failed to be created.
Event ID 1903 — EnterpriseDesktopAppManagement CSP: An app which was previously installed is no longer installed on this device.
Event ID 1904 — EnterpriseDesktopAppManagement CSP: MDMAppInstaller task has started.
Description
EnterpriseDesktopAppManagement CSP: MDMAppInstaller task has started.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 1904,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:36:03.986978+00:00",
"event_record_id": 174,
"correlation": {},
"execution": {
"process_id": 10088,
"thread_id": 8940
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 1905 — EnterpriseDesktopAppManagement CSP: Application content download started.
Description
EnterpriseDesktopAppManagement CSP: Application content download started. MSI ProductCode: Message1, User SID: (Message2), BITS job: (Message3).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 1905,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:36:04.197955+00:00",
"event_record_id": 175,
"correlation": {},
"execution": {
"process_id": 10088,
"thread_id": 8940
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "{ad40f56a-5735-45d5-8a57-c36ce8739abc}",
"Message2": "S-0-0-00-0000000000-0000000000-000000000-000",
"Message3": "2a8e6b4b-4e08-42bc-807d-0caca4252121"
},
"message": ""
}
Event ID 1906 — EnterpriseDesktopAppManagement CSP: Application content download completed.
Description
EnterpriseDesktopAppManagement CSP: Application content download completed. MSI ProductCode: Message1, User SID: (Message2), BITS job: (Message3).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 1906,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:36:12.316964+00:00",
"event_record_id": 179,
"correlation": {},
"execution": {
"process_id": 10088,
"thread_id": 8940
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "{ad40f56a-5735-45d5-8a57-c36ce8739abc}",
"Message2": "S-0-0-00-0000000000-0000000000-000000000-000",
"Message3": "2a8e6b4b-4e08-42bc-807d-0caca4252121"
},
"message": ""
}
Event ID 1907 — EnterpriseDesktopAppManagement CSP: Application content download failed.
Description
EnterpriseDesktopAppManagement CSP: Application content download failed. MSI ProductCode: Message1, User SID: (Message2), BITS job: (Message3), Error message: (Message4), Error code: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 1908 — EnterpriseDesktopAppManagement CSP: Unable to start the application content download.
Event ID 1909 — EnterpriseDesktopAppManagement CSP: Unable to start the application installation action because the user is not logged in.
Event ID 1910 — EnterpriseDesktopAppManagement CSP: Another instance of the MDMAppInstaller process is already running.
Description
EnterpriseDesktopAppManagement CSP: Another instance of the MDMAppInstaller process is already running. This instance will terminate.
Message #
Event ID 1911 — EnterpriseDesktopAppManagement CSP: The MDMAppInstaller process is terminating with an error.
Event ID 1912 — EnterpriseDesktopAppManagement CSP: The MDMAppInstaller process is terminating with no errors.
Description
EnterpriseDesktopAppManagement CSP: The MDMAppInstaller process is terminating with no errors.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 1912,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:36:55.690919+00:00",
"event_record_id": 195,
"correlation": {},
"execution": {
"process_id": 10088,
"thread_id": 8940
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 1913 — EnterpriseDesktopAppManagement CSP: Creation of the MSI app install job failed.
Event ID 1914 — EnterpriseDesktopAppManagement CSP: Creation of the MSI app uninstall job failed.
Event ID 1915 — EnterpriseDesktopAppManagement CSP: The MDMAppInstaller process could not be started to process MSI app install.
Event ID 1916 — EnterpriseDesktopAppManagement CSP: The MDMAppInstaller process could not be started to process MSI app uninstall.
Event ID 1920 — EnterpriseDesktopAppManagement CSP: An application install has started.
Description
EnterpriseDesktopAppManagement CSP: An application install has started. MSI ProductCode: Message1, User SID: (Message2).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 1920,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:36:13.374383+00:00",
"event_record_id": 180,
"correlation": {},
"execution": {
"process_id": 10088,
"thread_id": 3956
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "{ad40f56a-5735-45d5-8a57-c36ce8739abc}",
"Message2": "S-0-0-00-0000000000-0000000000-000000000-000"
},
"message": ""
}
Event ID 1921 — EnterpriseDesktopAppManagement CSP: An application uninstall has started.
Event ID 1922 — EnterpriseDesktopAppManagement CSP: An application install has succeeded.
Description
EnterpriseDesktopAppManagement CSP: An application install has succeeded. MSI ProductCode: Message1, User SID: (Message2), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
HRESULT HexInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 1922,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:36:41.557289+00:00",
"event_record_id": 181,
"correlation": {},
"execution": {
"process_id": 10088,
"thread_id": 3956
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "{ad40f56a-5735-45d5-8a57-c36ce8739abc}",
"Message2": "S-0-0-00-0000000000-0000000000-000000000-000",
"HRESULT": "0x0"
},
"message": ""
}
Event ID 1923 — EnterpriseDesktopAppManagement CSP: An application uninstall has succeeded.
Event ID 1924 — EnterpriseDesktopAppManagement CSP: An application install has failed.
Description
EnterpriseDesktopAppManagement CSP: An application install has failed. Examine the MSI log (Message1) for more details. Install command: (Message2), MSI ProductCode: Message3, User SID: (Message4), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 1925 — EnterpriseDesktopAppManagement CSP: An application uninstall has failed.
Description
EnterpriseDesktopAppManagement CSP: An application uninstall has failed. Examine the MSI log (Message1) for more details. Uninstall command: (Message2), MSI ProductCode: Message3, User SID: (Message4), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 1926 — EnterpriseDesktopAppManagement CSP: An application installation action has exceeded the expected run time.
Event ID 1927 — EnterpriseDesktopAppManagement CSP: An application status alert was sent to the device management service.
Description
EnterpriseDesktopAppManagement CSP: An application status alert was sent to the device management service. LocURI: (Message1), Alert Data: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
HRESULT HexInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 1927,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:36:55.575223+00:00",
"event_record_id": 194,
"correlation": {},
"execution": {
"process_id": 10088,
"thread_id": 8940
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ad40f56a-5735-45d5-8a57-c36ce8739abc}/DownloadInstall",
"HRESULT": "0x0"
},
"message": ""
}
Event ID 1928 — EnterpriseDesktopAppManagement CSP: An application status alert failed to be sent to the device management service.
Event ID 1930 — EnterpriseDesktopAppManagement CSP: The MDMAppInstaller has been configured for restart by scheduled task (Resume App Installation Actions).
Event ID 1931 — EnterpriseDesktopAppManagement CSP/ MdmAppInstaller: Message: (Message1).
Event ID 1932 — EnterpriseDesktopAppManagement CSP/ MdmAppInstaller: Message: (Message1).
Event ID 1933 — EnterpriseDesktopAppManagement CSP/ MdmAppInstaller: Message: (Message1).
Event ID 2001 — Identical Polices from sam configuration source already applied.
Description
Identical Polices from sam configuration source already applied. Hence this call is a NOP.
Message #
Event ID 2002 — Performing enrollment for Partnership ID (Message1) from an elevated context.
Event ID 2003 — Performing unenrollment for Partnership ID (Message1) from an elevated context.
Event ID 2004 — The required operation requires elevation.
Description
The required operation requires elevation. Please invoke the API from an elevated context.
Message #
Event ID 2005 — The compliance check result for the partnership ID (Message1) is (HRESULT).
Event ID 2006 — The policy application result for the partnership ID (Message1) is (HRESULT).
Event ID 2007 — MDM Enroll: Error creating OS Edition Upgrade Alert schedule (HRESULT).
Event ID 2008 — OS Edition Upgrade WNF event process status (HRESULT).
Event ID 2009 — MDM Enroll: Error creating Win10 S Mode Alert schedule (HRESULT).
Event ID 2010 — Win10 S Mode WNF event process status (HRESULT).
Event ID 2011 — MDM Enroll: Error creating Wsc Startup Alert schedule (HRESULT).
Event ID 2012 — Wsc Startup Alert WNF event process status (HRESULT).
Event ID 2101 — Dynamic Management: Successfully created Context Store.
Event ID 2102 — Dynamic Management: Failed to create Context Store.
Event ID 2103 — Dynamic Management: Successfully created context.
Event ID 2104 — Dynamic Management: Failed to create context.
Event ID 2105 — Dynamic Management: Successfully processed signal definition.
Event ID 2106 — Dynamic Management: Failed to process signal definition.
Event ID 2107 — Dynamic Management: Successfully applied context (Message2).
Event ID 2108 — Dynamic Management: Failed to apply context (Message2).
Event ID 2109 — Preview Builds: Preview_Builds, Result: Result.
Event ID 2110 — Preview Builds: Preview_Builds, Result: Result.
Event ID 2111 — Preview Builds: Preview_Builds, Result: Result.
Event ID 2112 — Preview Builds: Preview_Builds, Result: Result.
Event ID 2200 — Acquired lock for Group Policy scope: (Message1).
Event ID 2201 — Failed to acquire lock for Group Policy scope: (Message1), Error: (HRESULT).
Event ID 2202 — Released lock for Group Policy scope: (Message1).
Event ID 2203 — Failed to release lock for Group Policy scope: (Message1), Error: (HRESULT).
Event ID 2204 — Caching uri for blocking mapped GP location.
Event ID 2205 — Failed to lookup in the dictionary.
Event ID 2206 — Marking blocking record for removal during post processing.
Event ID 2207 — No blocking records need removal.
Description
No blocking records need removal.
Message #
Event ID 2208 — Trying to delete the blocking record reg key.
Event ID 2209 — Found a blocking record reg key that needs to be deleted.
Event ID 2210 — Attempted to restore GP Value.
Event ID 2211 — Created a blocking record.
Event ID 2212 — Updated a blocking record.
Event ID 2213 — Attempted to save existing GP Value.
Event ID 2214 — Attempted to delete existing GP Value.
Event ID 2215 — MdmWinsOverGp policy is being set to value (HexInt1).
Event ID 2216 — All GP locations that were to be unblocked have been unblocked successfully.
Event ID 2217 — No blocking records existed, so skipping re-evaluation of blocking records.
Description
No blocking records existed, so skipping re-evaluation of blocking records.
Message #
Event ID 2218 — Found existing blocking records.
Description
Found existing blocking records. Re-evaluating.
Message #
Event ID 2219 — Uri evalulation for delete showed that uri (Message1) still configured state is: (HRESULT).
Event ID 2220 — MdmWinsOverGp Policy value is (HexInt1).
Event ID 2221 — Setting the targetted user sid to : (Message1).
Event ID 2222 — No targetted user sid was set.
Description
No targetted user sid was set.
Message #
Event ID 2223 — Targetting user with sid : (Message1).
Event ID 2300 — Bootstrap Enrollment Status Page: publish notification value: (HexInt1).
Event ID 2400 — MDM Declared Configuration: Delete document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), ...
Description
MDM Declared Configuration: Delete document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), Enroll Type: (HexInt2).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
Event ID 2400 — MDM Declared Configuration: Delete document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), ...
Description
MDM Declared Configuration: Delete document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), Enroll Type: (HexInt2).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
Event ID 2401 — MDM Declared Configuration: Delete document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), ...
Description
MDM Declared Configuration: Delete document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), Enroll Type: (HexInt2), Result:(HexInt3) HexInt4.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
HexInt3 HexInt32 | — |
HexInt4 HexInt32 | — |
Event ID 2402 — MDM Declared Configuration: End document parsing from file: Expected Document Id: (Message1) File Document Id: (Message2), Scenario: (Message3), Version: (Message4), Enrol...
Event ID 2403 — MDM Declared Configuration: End document parsing from file: Expected Document Id: (Message1) File Document Id: (Message2), Scenario: (Message3), Version: (Message4), Enrol...
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
Message6 UnicodeString | — |
Message7 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
HexInt3 HexInt32 | — |
HexInt4 HexInt32 | — |
HexInt5 HexInt32 | — |
HexInt6 HexInt32 | — |
HexInt7 HexInt32 | — |
Event ID 2404 — MDM Declared Configuration: End document parsing from CSP: Document Id: (Message1), Scenario: (Message2), Version: (Message3), Enrollment Id: (Message4), Current User.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
Message6 UnicodeString | — |
Message7 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
HexInt3 HexInt32 | — |
HexInt4 HexInt32 | — |
HexInt5 HexInt32 | — |
HexInt6 HexInt32 | — |
HexInt7 HexInt32 | — |
Event ID 2405 — MDM Declared Configuration: End document parsing from CSP: Document Id: (Message1), Scenario: (Message2), Version: (Message3), Enrollment Id: (Message4), Current User.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
Message6 UnicodeString | — |
Message7 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
HexInt3 HexInt32 | — |
HexInt4 HexInt32 | — |
HexInt5 HexInt32 | — |
HexInt6 HexInt32 | — |
HexInt7 HexInt32 | — |
HexInt8 HexInt32 | — |
HexInt9 HexInt32 | — |
Event ID 2406 — MDM Declared Configuration: Document Summary due to Alert: Enrollment Id: (Message1), Current User: (Message2), Alert data: (Message3), Enroll type: (HexInt1).
Event ID 2407 — MDM Declared Configuration: Document Summary due to Alert: Enrollment Id: (Message1), Current User: (Message2), Alert data: (Message3), Enroll type: (UInt1), Result.
Description
MDM Declared Configuration: Document Summary due to Alert: Enrollment Id: (Message1), Current User: (Message2), Alert data: (Message3), Enroll type: (UInt1), Result:(UInt2) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
UInt1 UInt32 | — |
UInt2 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 2408 — MDM Declared Configuration: Flag set to trigger OMADM session.
Description
MDM Declared Configuration: Flag set to trigger OMADM session.
Message #
Event ID 2409 — MDM Declared Configuration: Failed to trigger OMADM session due to document changes, Result:(HexInt1) HRESULT.
Event ID 2410 — MDM Declared Configuration: CDN Download trigger DC WatchDog Task: Completed downloaded jobs: (HexInt1), Result:(HexInt2) HRESULT.
Event ID 2411 — MDM Declared Configuration: CDN Download trigger DC WatchDog Task: Completed downloaded jobs: (HexInt1).
Event ID 2412 — MDM Declared Configuration: Acquiring DC WatchDog Task Handler Lock Creation: Result:(HexInt1) HRESULT.
Event ID 2413 — MDM Declared Configuration: Acquiring DC WatchDog Task Handler Lock Creation.
Description
MDM Declared Configuration: Acquiring DC WatchDog Task Handler Lock Creation.
Message #
Event ID 2414 — MDM Declared Configuration: DC WatchDog Task Handler Lock.
Description
MDM Declared Configuration: DC WatchDog Task Handler Lock.
Message #
Event ID 2415 — MDM Declared Configuration: DC WatchDog Task Handler Unlock.
Description
MDM Declared Configuration: DC WatchDog Task Handler Unlock.
Message #
Event ID 2416 — MDM Declared Configuration: Construct URI Storage Lock Creation: Result:(HexInt1) HRESULT.
Event ID 2417 — MDM Declared Configuration: Construct URI Storage Lock Creation.
Description
MDM Declared Configuration: Construct URI Storage Lock Creation.
Message #
Event ID 2418 — MDM Declared Configuration: Construct URI Storage Lock.
Description
MDM Declared Configuration: Construct URI Storage Lock.
Message #
Event ID 2419 — MDM Declared Configuration: Construct URI Storage Unlock.
Description
MDM Declared Configuration: Construct URI Storage Unlock.
Message #
Event ID 2420 — MDM Declared Configuration: CDN Download Lock Creation: Result:(HexInt1) HRESULT.
Event ID 2421 — MDM Declared Configuration: CDN Download Lock Creation.
Description
MDM Declared Configuration: CDN Download Lock Creation.
Message #
Event ID 2422 — MDM Declared Configuration: CDN Download Lock.
Description
MDM Declared Configuration: CDN Download Lock.
Message #
Event ID 2423 — MDM Declared Configuration: CDN Download Unlock.
Description
MDM Declared Configuration: CDN Download Unlock.
Message #
Event ID 2424 — MDM Declared Configuration: CDN Download Lock Creation: Result:(HexInt1) HRESULT.
Event ID 2425 — MDM Declared Configuration: CDN Download Lock Creation.
Description
MDM Declared Configuration: CDN Download Lock Creation.
Message #
Event ID 2426 — MDM Declared Configuration: CDN Download Lock.
Description
MDM Declared Configuration: CDN Download Lock.
Message #
Event ID 2427 — MDM Declared Configuration: CDN Download Unlock.
Description
MDM Declared Configuration: CDN Download Unlock.
Message #
Event ID 2428 — MDM Declared Configuration: Async Delete Document Lock Creation: Result:(HexInt1) HRESULT.
Event ID 2429 — MDM Declared Configuration: Async Delete Document Lock Creation.
Description
MDM Declared Configuration: Async Delete Document Lock Creation.
Message #
Event ID 2430 — MDM Declared Configuration: Async Delete Document Lock.
Description
MDM Declared Configuration: Async Delete Document Lock.
Message #
Event ID 2431 — MDM Declared Configuration: Async Delete Document Unlock.
Description
MDM Declared Configuration: Async Delete Document Unlock.
Message #
Event ID 2432 — MDM Declared Configuration: Get Documents Summary Alert Lock Creation: Result:(HexInt1) HRESULT.
Event ID 2433 — MDM Declared Configuration: Get Documents Summary Alert Lock Creation.
Description
MDM Declared Configuration: Get Documents Summary Alert Lock Creation.
Message #
Event ID 2434 — MDM Declared Configuration: Get Documents Summary Alert Lock.
Description
MDM Declared Configuration: Get Documents Summary Alert Lock.
Message #
Event ID 2435 — MDM Declared Configuration: Get Documents Summary Alert Unlock.
Description
MDM Declared Configuration: Get Documents Summary Alert Unlock.
Message #
Event ID 2436 — MDM Declared Configuration: Unenroll Execute Lock Creation: Result:(HexInt1) HRESULT.
Event ID 2437 — MDM Declared Configuration: Unenroll Execute Lock Creation.
Description
MDM Declared Configuration: Unenroll Execute Lock Creation.
Message #
Event ID 2438 — MDM Declared Configuration: Unenroll Execute Lock.
Description
MDM Declared Configuration: Unenroll Execute Lock.
Message #
Event ID 2439 — MDM Declared Configuration: Unenroll Execute Unlock.
Description
MDM Declared Configuration: Unenroll Execute Unlock.
Message #
Event ID 2440 — MDM Declared Configuration: About to process CDN Downloaded Doc: Enrollment:(Message1), Context:(Message2), Document Id:(Message3).
Event ID 2441 — MDM Declared Configuration: Successfully processed CDN Downloaded Doc: Enrollment:(Message1), Context:(Message2), Document Id:(Message3).
Event ID 2442 — MDM Declared Configuration: Failed to processed CDN Downloaded Doc: Enrollment:(Message1), Context:(Message2), Document Id:(Message3), Result:(HexInt1) HexInt2.
Description
MDM Declared Configuration: Failed to processed CDN Downloaded Doc: Enrollment:(Message1), Context:(Message2), Document Id:(Message3), Result:(HexInt1) HexInt2.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
Event ID 2443 — MDM Declared Configuration: Results Merger: Host OS and container results CSP count is mismatch: Enrollment Id: (Message1), Doc Id:(Message2), Host CSP Count.
Description
MDM Declared Configuration: Results Merger: Host OS and container results CSP count is mismatch: Enrollment Id: (Message1), Doc Id:(Message2), Host CSP Count:(HexInt1), Container CSP Count:(HexInt2), Result:(HexInt3) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
HexInt3 HexInt32 | — |
HRESULT HexInt32 | — |
Event ID 2444 — MDM Declared Configuration: Results Merger: Host OS and container results URI count mismatch: Enrollment Id: (Message1), Doc Id:(Message2), CSP path:(Message3), Host...
Description
MDM Declared Configuration: Results Merger: Host OS and container results URI count mismatch: Enrollment Id: (), Doc Id:(), CSP path:(), Host URI Count:(), Container URI Count:(), Result:() .
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
UInt1 UInt32 | — |
UInt2 UInt32 | — |
UInt3 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 2445 — MDM Declared Configuration: Results Merger: Host OS and container results CSP path mismatch: Enrollment Id: (Message1), Doc Id:(Message2), Host CSP path:(Message3), ...
Description
MDM Declared Configuration: Results Merger: Host OS and container results CSP path mismatch: Enrollment Id: (Message1), Doc Id:(Message2), Host CSP path:(Message3), Container CSP path:(Message4), Result:(UInt1) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
UInt1 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 2446 — MDM Declared Configuration: Results Merger: Host OS and container results URI path mismatch: Enrollment Id: (Message1), Doc Id:(Message2), CSP path:(Message3), Host ...
Description
MDM Declared Configuration: Results Merger: Host OS and container results URI path mismatch: Enrollment Id: (), Doc Id:(), CSP path:(), Host URI path:(), Container URI path:(), Result:() .
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
UInt1 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 2447 — MDM Declared Configuration: Results Merger: Host OS and container results HTTP status mismatch: Enrollment Id: (Message1), Doc Id:(Message2), CSP path:(Message3), Ho...
Event ID 2448 — MDM Declared Configuration: Results Merger: Host OS and container results data mismatch: Enrollment Id: (Message1), Doc Id:(Message2), CSP path:(Message3), Host/Cont...
Description
MDM Declared Configuration: Results Merger: Host OS and container results data mismatch: Enrollment Id: (Message1), Doc Id:(Message2), CSP path:(Message3), Host/Container URI path:(Message4), Result:(UInt1) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
UInt1 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 2449 — MDM Declared Configuration: DeclaredConfigurationStore_ParseDeclaredConfigurationJson error at JSON argument (Message1): (Message2), HRESULT: (HRESULT).
Event ID 2450 — MDM Declared Configuration: Begin DSC Native MI Provider Operation, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Doc schema version: (Message4)...
Event ID 2451 — MDM Declared Configuration: End DSC Native MI Provider Operation failed, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Doc schema version:...
Event ID 2452 — MDM Declared Configuration: End DSC Native MI Provider Operation, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Doc schema version: (Message4), ...
Event ID 2454 — MDM Declared Configuration: Get document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), Enr...
Description
MDM Declared Configuration: Get document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), Enroll Type: (HexInt2).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
Event ID 2455 — MDM Declared Configuration: Get document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), Enr...
Description
MDM Declared Configuration: Get document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), Enroll Type: (HexInt2), Result:(HexInt3) HexInt4.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
HexInt3 HexInt32 | — |
HexInt4 HexInt32 | — |
Event ID 2456 — MDM Declared Configuration: Set document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), Enr...
Description
MDM Declared Configuration: Set document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), Enroll Type: (HexInt2).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
Event ID 2457 — MDM Declared Configuration: Set document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), Enr...
Description
MDM Declared Configuration: Set document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), Enroll Type: (HexInt2), Result:(HexInt3) HexInt4.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
HexInt3 HexInt32 | — |
HexInt4 HexInt32 | — |
Event ID 2500 — MDM Orchestrator: Service Init result: (HRESULT).
Event ID 2501 — MDM Orchestrator: Service Init status: (HexInt1) (HexInt2) (HexInt3).
Event ID 2502 — MDM Orchestrator: Start Service Error: (HRESULT).
Event ID 2503 — MDM Orchestrator: End Service Error: (HRESULT).
Event ID 2504 — MDM Orchestrator: CDN Download handler failed: (HRESULT).
Event ID 2505 — MDM Orchestrator: Process a single DeclaredConfiguration document result: enrollment Id: (Message1), userId: (Message2), docId: (Message3), docVersion:(Message4), target: ...
Description
MDM Orchestrator: Process a single DeclaredConfiguration document result: enrollment Id: (Message1), userId: (Message2), docId: (Message3), docVersion:(Message4), target: (Message5), hresult: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 2506 — MDM Declared Configuration: Create Orchestrator ScenrioId Lock Creation: Result:(HexInt1) HRESULT.
Event ID 2507 — MDM Declared Configuration: Create ScenarioId Lock.
Description
MDM Declared Configuration: Create ScenarioId Lock.
Message #
Event ID 2508 — MDM Declared Configuration: Create ScenarioId Unlock.
Description
MDM Declared Configuration: Create ScenarioId Unlock.
Message #
Event ID 2509 — MDM Declared Configuration: ConfigDC failed to create configuration request: EnrollmentId: (Message1) Result:(HRESULT).
Event ID 2510 — MDM Declared Configuration: DeleteDC failed to create configuration request: Result:(HRESULT).
Event ID 2511 — MDM Declared Configuration: ConfigDC failed to create configuration request: Result:(HRESULT).
Event ID 2512 — MDM Declared Configuration: ConfigDC waiting for notification.
Description
MDM Declared Configuration: ConfigDC waiting for notification.
Message #
Event ID 2513 — MDM Declared Configuration: ConfigDC notification sent with: Result: (HRESULT).
Event ID 2514 — MDM Declared Configuration: Orchestrator MsftPolicies GetRequest failed: Result: (HRESULT).
Event ID 2515 — MDM Declared Configuration: Orchestrator ConfigDC failed: Result: (HRESULT).
Event ID 2516 — MDM Declared Configuration: Orchestrator ConfigDC Succeeded.
Description
MDM Declared Configuration: Orchestrator ConfigDC Succeeded.
Message #
Event ID 2517 — MDM Declared Configuration: Orchestrator DeleteDC Succeeded.
Description
MDM Declared Configuration: Orchestrator DeleteDC Succeeded.
Message #
Event ID 2518 — MDM Declared Configuration: Orchestrator DeleteDC failed: Result: (HRESULT).
Event ID 2519 — MDM Declared Configuration: Orchestrator CreateNewRequest failed: EnrollmentId: (Message1), UserId: (Message2), DocId: (Message3), DocVersion: (Message4), Target: (Message5), St...
Description
MDM Declared Configuration: Orchestrator CreateNewRequest failed: EnrollmentId: (Message1), UserId: (Message2), DocId: (Message3), DocVersion: (Message4), Target: (Message5), StateMachineType: (UInt1), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
UInt1 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 2520 — MDM Declared Configuration: Orchestrator CreateNewRequest failed: EnrollmentId: (Message1), UserId: (Message2), DocId: (Message3), DocVersion: (Message4), Target: (Message5), St...
Description
MDM Declared Configuration: Orchestrator CreateNewRequest failed: EnrollmentId: (Message1), UserId: (Message2), DocId: (Message3), DocVersion: (Message4), Target: (Message5), StateMachineType: (UInt1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
UInt1 UInt32 | — |
Event ID 2521 — MDM Declared Configuration: Orchestrator (Message1) WaitForFinish timed out: (HRESULT).
Event ID 2522 — MDM Declared Configuration: StartProcessing Eventname: (Message7), RequestKey: (Message1), requestType: (UInt1), requestPriority: (UInt2), requestNumber: (UInt3), acti...
Event ID 2523 — MDM Declared Configuration: Error in Processing Eventname: (Message7), RequestKey: (Message1), requestType: (UInt1), requestPriority: (UInt2), requestNumber: (UInt3), ...
Message #
Fields #
| Name | Description |
|---|---|
UInt1 UInt32 | — |
UInt2 UInt32 | — |
UInt3 UInt32 | — |
UInt4 UInt32 | — |
UInt5 UInt32 | — |
UInt6 UInt32 | — |
UInt7 UInt32 | — |
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
Message6 UnicodeString | — |
Message7 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 2524 — MDM Declared Configuration: ScenarioId: (Message1) Result: (HRESULT).
Event ID 2525 — MDM Declared Configuration: Exception Details: (UInt1).
Event ID 2526 — MDM Declared Configuration: ActivityExecution: Activity Type (UInt1), Orchestrator Type (Message1), activityKey (Message2), Result: (HRESULT).
Event ID 2527 — MDM Declared Configuration: CDNDownload Delete record Id: (Message1), Result: (HRESULT).
Event ID 2528 — MDM Declared Configuration: Orchestrator CreateNewRequest failed: EnrollmentId: (Message1), UserId: (Message2), DocId: (Message3) Result: (HRESULT).
Event ID 2529 — MDM Declared Configuration: Invalid enrollment(or unenrolling) enrollmentId: (Message1), Result: (HRESULT).
Event ID 2530 — MDM Declared Configuration: EndProcessing Eventname: (Message7), RequestKey: (Message1), requestType: (UInt1), requestPriority: (UInt2), requestNumber: (UInt3), activi...
Message #
Fields #
| Name | Description |
|---|---|
UInt1 UInt32 | — |
UInt2 UInt32 | — |
UInt3 UInt32 | — |
UInt4 UInt32 | — |
UInt5 UInt32 | — |
UInt6 UInt32 | — |
UInt7 UInt32 | — |
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
Message6 UnicodeString | — |
Message7 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 2531 — MDM Declared Configuration: Acquire Orchestrator GlobalMutex failed in function: (Message1), Result: (HRESULT).
Event ID 2532 — MDM Declared Configuration: Alert Status for enrollmentId: (Message1), Result: (HRESULT).
Event ID 2533 — MDM Declared Configuration: ActivityExecution: Activity Type (UInt1), Orchestrator Type (Message1), activityKey (Message2), Result: (HRESULT).
Event ID 2534 — MDM Declared Configuration: Error in Processing Eventname: (Message7), RequestKey: (Message1), requestType: (UInt1), requestPriority: (UInt2), requestNumber: (UInt3), ...
Message #
Fields #
| Name | Description |
|---|---|
UInt1 UInt32 | — |
UInt2 UInt32 | — |
UInt3 UInt32 | — |
UInt4 UInt32 | — |
UInt5 UInt32 | — |
UInt6 UInt32 | — |
UInt7 UInt32 | — |
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
Message6 UnicodeString | — |
Message7 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 2535 — MDM Declared Configuration: Enter function: (Message1).
Event ID 2535 —
Description
MDM Declared Configuration: Enter function: ().
Fields #
| Name | Description |
|---|---|
Message1 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 2535,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-03-15T23:43:24.011682+00:00",
"event_record_id": 12,
"correlation": {},
"execution": {
"process_id": 14788,
"thread_id": 14400
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "OrchestratorResume"
},
"message": ""
}
Event ID 2536 — MDM Declared Configuration: Exit function: (Message1) with Result: (HRESULT).
Event ID 2536 —
Description
MDM Declared Configuration: Exit function: () with Result: ().
Fields #
| Name | Description |
|---|---|
Message1 | — |
HRESULT | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 2536,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-03-15T23:43:24.011824+00:00",
"event_record_id": 13,
"correlation": {},
"execution": {
"process_id": 14788,
"thread_id": 14400
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "OrchestratorResume",
"HRESULT": "0x80070002"
},
"message": ""
}
Event ID 2537 — MDM Declared Configuration: Exit OrchestratorConfig: enrollmentId: (Message1) userId: (Message2) docId: (Message3) docVersion: (4), target: (Message5) stateMachineType.
Description
MDM Declared Configuration: Exit OrchestratorConfig: enrollmentId: (Message1) userId: (Message2) docId: (Message3) docVersion: (4), target: (Message5) stateMachineType: (HexInt1), isNewVersion: (Boolean1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
HexInt1 HexInt32 | — |
Boolean1 Boolean | — |
Event ID 2538 — MDM Declared Configuration: Exit OrchestratorConfig: enrollmentId: (Message1) userId: (Message2) docId: (Message3) docVersion: (4), target: (Message5) stateMachineType.
Description
MDM Declared Configuration: Exit OrchestratorConfig: enrollmentId: (Message1) userId: (Message2) docId: (Message3) docVersion: (4), target: (Message5) stateMachineType: (HexInt1), isNewVersion: (Boolean1), Hresult: (HexInt2).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
HexInt1 HexInt32 | — |
Boolean1 Boolean | — |
HexInt2 HexInt32 | — |
Event ID 2539 — MDM Declared Configuration: Exit OrchestratorSetInstanceVariable: enrollmentId: (Message1) docId: (Message2) docVersion: (3), vraiableName: (Message4).
Event ID 2540 — MDM Declared Configuration: Exit OrchestratorSetInstanceVariable: enrollmentId: (Message1) docId: (Message2) docVersion: (3), vraiableName: (Message4) Hresult: (HRESULT).
Description
MDM Declared Configuration: Exit OrchestratorSetInstanceVariable: enrollmentId: (Message1) docId: (Message2) docVersion: (3), vraiableName: (Message4) Hresult: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 2541 — MDM Declared Configuration: Enter OrchestratorDelete with GUID: (Message1).
Event ID 2542 — MDM Declared Configuration: Exit OrchestratorDelete with GUID: (Message1) Result: (HRESULT).
Event ID 2543 — MDM Declared Configuration: Exit OrchestratorProcessPreviouslyRanDocs with enrollmentId: (Message1).
Event ID 2544 — MDM Declared Configuration: Exit OrchestratorProcessPreviouslyRanDocs with enrollmentId: (Message1) Result: (HRESULT).
Event ID 2545 — MDM Declared Configuration: Function (Message1) operation (Message2) failed with (HRESULT).
#Description
MDM Declared Configuration: Function (Message1) operation (Message2) failed with (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
HRESULT HexInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 2545,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T01:13:43.732943+00:00",
"event_record_id": 139,
"correlation": {},
"execution": {
"process_id": 4596,
"thread_id": 21720
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "checkNewInstanceData",
"Message2": "Read isNewInstanceData",
"HRESULT": "0x80070057"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2546 — MDM Declared Configuration: Function (Message1) DocState is: (Message2).
Event ID 2547 — MDM Declared Configuration: Function (Message1) operation (Message2) succeeded.
Event ID 2548 — MDM Declared Configuration: Enter OrchestratorUpdateDocStatus enrollmentId (Message1) userId (Message2) uniqueId (Message3) successStatus (Boolean1).
Event ID 2549 — MDM Declared Configuration: Exit OrchestratorUpdateDocStatus enrollmentId (Message1) userId (Message2) uniqueId (Message3) successStatus (Boolean1) result (HRESULT).
Description
MDM Declared Configuration: Exit OrchestratorUpdateDocStatus enrollmentId (Message1) userId (Message2) uniqueId (Message3) successStatus (Boolean1) result (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Boolean1 Boolean | — |
HRESULT HexInt32 | — |
Event ID 2550 — MDM Declared Configuration: Warning Function (Message1) operation (Message2) result: (HRESULT).
Event ID 2551 — MDM Declared Configuration: Function (Message1) operation (Message2) result: (HRESULT).
Event ID 2552 — DeclaredConfiguration CSP: RefreshInterval can not be smaller than (UInt1).
Event ID 2553 — MDM Declared Configuration: Enter OrchestratorDeletePerEnrollmentScenario enrollmentId (Message1) OSDefinedScenario (Message2).
Event ID 2554 — MDM Declared Configuration: Exit OrchestratorDeletePerEnrollmentScenario enrollmentId (Message1) OSDefinedScenario (Message2) result (HRESULT).
Event ID 2555 — MDM Declared Configuration: Enqueue Request Failure - enrollmentId (Message1) docId (Message2) contextId (Message3) isRefresh (Boolean1) result (HRESULT).
Description
MDM Declared Configuration: Enqueue Request Failure - enrollmentId (Message1) docId (Message2) contextId (Message3) isRefresh (Boolean1) result (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Boolean1 Boolean | — |
HRESULT HexInt32 | — |
Event ID 2556 — MDM Declared Configuration: Enqueue Request Information - enrollmentId (Message1) docId (Message2) contextId (Message3) isRefresh (Boolean1) result (HRESULT).
Description
MDM Declared Configuration: Enqueue Request Information - enrollmentId (Message1) docId (Message2) contextId (Message3) isRefresh (Boolean1) result (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Boolean1 Boolean | — |
HRESULT HexInt32 | — |
Event ID 2600 — MMP-C: Device permission to select target MMP-C environment is (Boolean1).
Event ID 2600 — MMP-C: Device permission to select target MMP-C environment is (Boolean1).
Event ID 2601 — MMP-C: Query for MMP-C environment to target.
Event ID 2601 — MMP-C: Query for MMP-C environment to target.
Event ID 2602 — MMP-C: MMP-C environment to target.
Event ID 2602 — MMP-C: MMP-C environment to target.
Event ID 2603 — MMP-C: Device is allowed to skip MMP-C cert pinning checks.
Description
MMP-C: Device is allowed to skip MMP-C cert pinning checks.
Event ID 2603 — MMP-C: Device is allowed to skip MMP-C cert pinning checks.
Description
MMP-C: Device is allowed to skip MMP-C cert pinning checks.
Message #
Event ID 2604 — MMP-C: Failed to get certificate chain of the Server SSL certificate.
Event ID 2604 — MMP-C: Failed to get certificate chain of the Server SSL certificate.
Event ID 2605 — MMP-C: Failed to verify certificate policy: (Message1) of the Server SSL certificate.
Event ID 2605 — MMP-C: Failed to verify certificate policy: (Message1) of the Server SSL certificate.
Event ID 2606 — MMP-C: Certificate chain too short for MMP-C server SSL cert.
Event ID 2606 — MMP-C: Certificate chain too short for MMP-C server SSL cert.
Event ID 2607 — MMP-C: Getting the hash of the cert in position: (HexInt1) in the MMP-C SSL certificate chain failed.
Event ID 2607 — MMP-C: Getting the hash of the cert in position: (HexInt1) in the MMP-C SSL certificate chain failed.
Event ID 2608 — MMP-C: Found a certificate whose SPKI matched one of the expected pinned certs.
Description
MMP-C: Found a certificate whose SPKI matched one of the expected pinned certs.
Message #
Event ID 2608 — MMP-C: Found a certificate whose SPKI matched one of the expected pinned certs.
Description
MMP-C: Found a certificate whose SPKI matched one of the expected pinned certs.
Message #
Event ID 2609 — MMP-C: MMP-C Server's SSL cert did not chain to any known pinned certificate.
Description
MMP-C: MMP-C Server's SSL cert did not chain to any known pinned certificate.
Message #
Event ID 2609 — MMP-C: MMP-C Server's SSL cert did not chain to any known pinned certificate.
Description
MMP-C: MMP-C Server's SSL cert did not chain to any known pinned certificate.
Message #
Event ID 2610 — MMP-C: Device locked down state to MMP-C: (Boolean1).
Event ID 2610 — MMP-C: Device locked down state to MMP-C: (Boolean1).
Event ID 2611 — MMP-C: Retrieving MMP-C URLs failed.
Event ID 2611 — MMP-C: Retrieving MMP-C URLs failed.
Event ID 2612 — MMP-C: Device locked down to MMP-C: Enrollment URL: (Message1), ToU URL: (Message2), Resource URL: (Message3).
Event ID 2612 — MMP-C: Device locked down to MMP-C: Enrollment URL: (Message1), ToU URL: (Message2), Resource URL: (Message3).
Event ID 2613 — MMP-C: Not all URLs returned by MMP-C discovery.
Event ID 2613 — MMP-C: Not all URLs returned by MMP-C discovery.
Event ID 2614 — MMP-C: Retrieving MMP-C URLs failed.
Event ID 2614 — MMP-C: Retrieving MMP-C URLs failed.
Event ID 2700 — Device rename has been blocked through MDM because machine is domain joined.
Description
Device rename has been blocked through MDM because machine is domain joined.
Message #
Event ID 2750 — DeviceStatus CSP: WscGetSecurityProviderHealth(Message1) returned status HexInt1 and HRESULT HRESULT.
Description
DeviceStatus CSP: WscGetSecurityProviderHealth(Message1) returned status HexInt1 and HRESULT HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
HexInt1 HexInt32 | — |
HRESULT HexInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 2750,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-11T23:51:35.638355+00:00",
"event_record_id": 642,
"correlation": {},
"execution": {
"process_id": 5816,
"thread_id": 3760
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "WSC_SECURITY_PROVIDER_USER_ACCOUNT_CONTROL",
"HexInt1": "0x2",
"HRESULT": "0x0"
},
"message": ""
}
Event ID 2751 — DeviceStatus CSP: Message1 returned HRESULT HRESULT.
Event ID 2752 — DeviceStatus CSP: GetBitlockerStatus indicates drive Message1 is not encrypted, flags:HRESULT.
Event ID 2800 — The following URI has triggered a reboot: (Message1).
Event ID 2900 — BitLocker CSP: GetDeviceEncryptionComplianceStatus indicates Message1 is not compliant with returned status HRESULT.
Event ID 2901 — BitLocker CSP: GetRDVStatus returned status HexInt1 (BDE Disabled=0x00000001, Not Protected=0x00000002, Encryption Type Mismatch=0x00000004).
Event ID 2902 — BitLocker CSP: Encryption method of OS Drive is different than set by policy.
Event ID 2903 — BitLocker CSP: Wrong encryption type for OS Drives used.
Event ID 2904 — BitLocker CSP: Wrong encryption type for OS Drives used.
Event ID 2905 — BitLocker CSP: TPM not used for protection of OS Drives, but is required by policy.
Event ID 2906 — BitLocker CSP: TPM-only protection not used for OS Drives, but is required by policy.
Event ID 2907 — BitLocker CSP: TPM+PIN protection not used for OS Drives, but is required by policy.
Event ID 2908 — BitLocker CSP: TPM+Startup-Key protection not used for OS Drives, but is required by policy.
Event ID 2909 — BitLocker CSP: TPM+PIN+Startup-Key protection not used for OS Drives, but is required by policy.
Event ID 2910 — BitLocker CSP: Fixed Drive not protected.
Description
BitLocker CSP: Fixed Drive not protected.
Message #
Event ID 2911 — BitLocker CSP: Encryption method of Fixed Drive is different than set by policy.
Event ID 2912 — BitLocker CSP: Wrong encryption type for Fixed Drives used.
Event ID 2913 — BitLocker CSP: Wrong encryption type for Fixed Drives used.
Event ID 2914 — BitLocker CSP: OS Drive not protected.
Description
BitLocker CSP: OS Drive not protected.
Message #
Event ID 3000 — Current time (Message1) is earlier than expected renew attempt time (Message2), skip renew.
Event ID 3000 — Current time (Message1) is earlier than expected renew attempt time (Message2), skip renew.
Event ID 3001 — Current time (Message1) is later than expected renew end attempt time (Message2), but continue renew effort.
Event ID 3001 — Current time (Message1) is later than expected renew end attempt time (Message2), but continue renew effort.
Event ID 3002 — Failed to read regkey (Message1) with HRESULT HRESULT).
Event ID 3002 — Failed to read regkey (Message1) with HRESULT HRESULT).
Event ID 3003 — Current renew schedule is incorrect, next run time (Message1) is not between (Message2) and (Message3), updating renew schedule.
Event ID 3003 — Current renew schedule is incorrect, next run time (Message1) is not between (Message2) and (Message3), updating renew schedule.
Event ID 3004 — [MDM Schedule Enrollment Cert Renew Session Start] EnrollmentId: Message1, Renew period: UInt3; Renew retry interval: UInt4; Robo mode: UInt5; Cert Expiration: Message2.
Description
[MDM Schedule Enrollment Cert Renew Session Start] EnrollmentId: Message1, Renew period: UInt3; Renew retry interval: UInt4; Robo mode: UInt5; Cert Expiration: Message2.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
UInt3 UInt32 | — |
UInt4 UInt32 | — |
UInt5 UInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 3004,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:21:07.063369+00:00",
"event_record_id": 125,
"correlation": {},
"execution": {
"process_id": 9152,
"thread_id": 8668
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "69C01DBD-8068-44F9-9507-8A9DF76C127A",
"Message2": "2028-03-08T18:11:06.00",
"UInt3": 42,
"UInt4": 7,
"UInt5": 0
},
"message": ""
}
Event ID 3004 — [MDM Schedule Enrollment Cert Renew Session Start] EnrollmentId: Message1, Renew period: UInt3; Renew retry interval: UInt4; Robo mode: UInt5; Cert Expiration: Message2.
Event ID 3005 — [MDM Schedule Enrollment Cert Renew Session End] Error: HRESULT: HRESULT.
Description
[MDM Schedule Enrollment Cert Renew Session End] Error: HRESULT: HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
HRESULT HexInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 3005,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:21:07.156368+00:00",
"event_record_id": 126,
"correlation": {},
"execution": {
"process_id": 9152,
"thread_id": 8668
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"HRESULT": "0x0"
},
"message": ""
}
Event ID 3005 — [MDM Schedule Enrollment Cert Renew Session End] Error: HRESULT: HRESULT.
Event ID 3006 — Current time (Message1) is earlier than last renew time plus wait period (Message2), skip renew.
Event ID 3006 — Current time (Message1) is earlier than last renew time plus wait period (Message2), skip renew.
Event ID 3007 — Begin creating enrollment key in TPM function (Message1).
Event ID 3008 — End creating enrollment key in TPM function (Message1) with result (HRESULT).
Event ID 3009 — Function (Message1), cryptoProvider: (Message2), failed when binding keys, HRESULT(HRESULT).
Event ID 3010 — Skip export private keys when using TPM in function (Message1).
Event ID 3011 — Creating key with crypto provider: (ProviderName) HRESULT: (HRESULT2), failFunction: (FunctionName), CryptoProvider index (ProviderIndex) of total (TotalProviders).
Description
Creating key with crypto provider: (ProviderName) HRESULT: (HRESULT2), failFunction: (FunctionName), CryptoProvider index (ProviderIndex) of total (TotalProviders).
Message #
Fields #
| Name | Description |
|---|---|
ProviderName UnicodeString | — |
HRESULT2 HexInt32 | — |
FunctionName UnicodeString | — |
ProviderIndex UInt32 | — |
TotalProviders UInt32 | — |
Event ID 3011 — Creating key with crypto provider: (ProviderName) HRESULT: (HRESULT2), failFunction: (FunctionName), CryptoProvider index (ProviderIndex) of total (TotalProviders).
Description
Creating key with crypto provider: (ProviderName) HRESULT: (HRESULT2), failFunction: (FunctionName), CryptoProvider index (ProviderIndex) of total (TotalProviders).
Message #
Fields #
| Name | Description |
|---|---|
ProviderName UnicodeString | — |
HRESULT2 HexInt32 | — |
FunctionName UnicodeString | — |
ProviderIndex UInt32 | — |
TotalProviders UInt32 | — |
Event ID 3012 — TPM State: Version:(TPMVersion) ReadyForStorage:(ReadyForStorage) NotReadyReason:(NotReadyReason), ReadyForAttestation:(ReadyForAttestation), NotReadyReason:(NotREadyReason), isUnsatifactory:(IsUns...
Event ID 3012 — TPM State: Version:(TPMVersion) ReadyForStorage:(ReadyForStorage) NotReadyReason:(NotReadyReason), ReadyForAttestation:(ReadyForAttestation), NotReadyReason:(NotREadyReason), isUnsatifactory:(IsUns...
Event ID 3013 — Function Name: (Message1) HRESULT:(HRESULT).
Description
Function Name: (Message1) HRESULT:(HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
HRESULT HexInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 3013,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:21:00.269629+00:00",
"event_record_id": 118,
"correlation": {},
"execution": {
"process_id": 9152,
"thread_id": 8668
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "DmGetTpmInfo",
"HRESULT": "0x8028400f"
},
"message": ""
}
Event ID 3013 — Function Name: (Message1) HRESULT:(HRESULT).
Event ID 3014 — CanEnroll Error: GetNumberOfEnrollmentsOfType failed with reason: (Message1), EnrollType: (HexInt1), HRESULT: (HRESULT).
Event ID 3014 — CanEnroll Error: GetNumberOfEnrollmentsOfType failed with reason: (Message1), EnrollType: (HexInt1), HRESULT: (HRESULT).
Event ID 3015 — CanEnroll Error: DiscoveryServiceFullUrl: (Message1), AccountID: (Message2), AadResourceUrl: (Message3), OpaqueId: (Message4), TenantId: (Message5), CorrelationID(Message6), Failure R...
Description
CanEnroll Error: DiscoveryServiceFullUrl: (), AccountID: (), AadResourceUrl: (), OpaqueId: (), TenantId: (), CorrelationID(), Failure Reason (), JoinType: (), EnrollType: (), HRESULT: ().
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
Message6 UnicodeString | — |
Message7 UnicodeString | — |
UInt1 UInt32 | — |
UInt2 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 3200 — OsConfiguration API success: Function (Message1) EnrollmentId (Message2) DocumentId (Message3) ScenarioName (Message4) ScenarioVersion (Message5) ScenarioSchema (Message6) WaitTime.
Description
OsConfiguration API success: Function (Message1) EnrollmentId (Message2) DocumentId (Message3) ScenarioName (Message4) ScenarioVersion (Message5) ScenarioSchema (Message6) WaitTime (UInt1 seconds) failed with HRESULT: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
Message6 UnicodeString | — |
UInt1 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 3200 —
Description
OsConfiguration API success: Function () EnrollmentId () DocumentId () ScenarioName () ScenarioVersion () ScenarioSchema () WaitTime ( seconds) failed with HRESULT: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
Message6 UnicodeString | — |
UInt1 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 3201 — OsConfiguration API failure: Function (Message1) EnrollmentId (Message2) DocumentId (Message3) ScenarioName (Message4) ScenarioVersion (Message5) ScenarioSchema (Message6) WaitTime.
Description
OsConfiguration API failure: Function (Message1) EnrollmentId (Message2) DocumentId (Message3) ScenarioName (Message4) ScenarioVersion (Message5) ScenarioSchema (Message6) WaitTime (UInt1 seconds) failed with HRESULT: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
Message6 UnicodeString | — |
UInt1 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 3201 —
Description
OsConfiguration API failure: Function () EnrollmentId () DocumentId () ScenarioName () ScenarioVersion () ScenarioSchema () WaitTime ( seconds) failed with HRESULT: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
Message6 UnicodeString | — |
UInt1 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 4000 — DcSvc: Successfully initialized service.
#Description
DcSvc: Successfully initialized service. Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
HRESULT HexInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 4000,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T06:25:47.748360+00:00",
"event_record_id": 52,
"correlation": {},
"execution": {
"process_id": 5040,
"thread_id": 5056
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"HRESULT": "0x0"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4001 — DcSvc: Failled to initialize service.
Event ID 4002 — DcSvc: Successfully registered service's RPC interface.
Event ID 4003 — DcSvc: Failed to register service's RPC interface.
Event ID 4005 — DcSvc: Successfully unregistered service's RPC interface.
Event ID 4006 — DcSvc: Failed to unregister service's RPC interface.
Event ID 4007 — DcSvc: successfully uninitialize service.
Event ID 4008 — DcSvc: Failed to uninitialized service.
Event ID 4009 — DcSvc: Service status updated.
#Description
DcSvc: Service status updated. Current state: (HexInt1), Exit code: (HexInt2), Wait hint: (HexInt3).
Message #
Fields #
| Name | Description |
|---|---|
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
HexInt3 HexInt32 | — |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 4009,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T06:25:47.770822+00:00",
"event_record_id": 53,
"correlation": {},
"execution": {
"process_id": 5040,
"thread_id": 5056
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"HexInt1": "0x4",
"HexInt2": "0x0",
"HexInt3": "0x0"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4010 — DcSvc: Stop Service handler registered.
Event ID 4011 — DcSvc: Service handler invoked.
Event ID 4012 — DcSvc: Failed to activate RPC Server Interface group because a duplicate end point exists.
Event ID 4013 — DcSvc: Failed to deactivate RPC Server Interface group.
Event ID 4014 — DcSvc: Successfully deactivated RPC Server Interface group.
Event ID 4015 — DcSvc: Failed to close RPC Server Interface group.
Event ID 4016 — DcSvc: Successfully closed RPC Server Interface group.
Event ID 4017 — DcSvc: Failed to create RPC Server Interface group.
Event ID 4018 — DcSvc: Successfully created RPC Server Interface group.
Event ID 4019 — DcSvc: Service is being initialized.
#Description
DcSvc: Service is being initialized.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 4019,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T06:25:47.745461+00:00",
"event_record_id": 50,
"correlation": {},
"execution": {
"process_id": 5040,
"thread_id": 5056
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4020 — DcSvc: DeclaredConfigurationStore_RecreateSchedule failed.
Event ID 4021 — DcSvc:: Failed to create ConfigManager lock service binding.
Event ID 4022 — Failed to enroll MMP-C for dual enrollment mode.
Event ID 4022 — Failed to enroll MMP-C for dual enrollment mode.
Event ID 4023 — Enroll MMP-C for dual enrollment mode succeeded.
Description
Enroll MMP-C for dual enrollment mode succeeded.
Message #
Event ID 4023 — Enroll MMP-C for dual enrollment mode succeeded.
Description
Enroll MMP-C for dual enrollment mode succeeded.
Message #
Event ID 4024 — Failed to unenroll MMP-C for dual enrollment mode.
Event ID 4024 — Failed to unenroll MMP-C for dual enrollment mode.
Event ID 4025 — Unenroll MMP-C for dual enrollment mode succeeded.
Description
Unenroll MMP-C for dual enrollment mode succeeded.
Message #
Event ID 4025 — Unenroll MMP-C for dual enrollment mode succeeded.
Description
Unenroll MMP-C for dual enrollment mode succeeded.
Message #
Event ID 4026 — Failed to set mmpc flag.
Event ID 4026 — Failed to set mmpc flag.
Event ID 4027 — The following resource (Message1) has current state (Message2).
Event ID 4028 — MMP-C dual enrollment is bypassed with result: (HRESULT).
Event ID 4028 — MMP-C dual enrollment is bypassed with result: (HRESULT).
Event ID 4029 — Resource transfer (Message6) with enrollmentId (Message1), context(Message2), docId(Message3), docVersion(Message4), resourceUri(Message5) with result: (HRESULT).
Description
Resource transfer (Message6) with enrollmentId (Message1), context(Message2), docId(Message3), docVersion(Message4), resourceUri(Message5) with result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
Message6 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 4030 — Resource transfer from MMPC to MDM with enrollmentId (Message1), context(Message2), docId(Message3), docVersion(Message4) failed with result: (HRESULT).
Description
Resource transfer from MMPC to MDM with enrollmentId (Message1), context(Message2), docId(Message3), docVersion(Message4) failed with result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 4031 — MDM Declared Configuration: Orchestrator detects conflict with enrollmentId (Message1), context(Message2), docId(Message3), docVersion(Message4), cspName(Message5), uriPath(Message6) ...
Description
MDM Declared Configuration: Orchestrator detects conflict with enrollmentId (), context(), docId(), docVersion(), cspName(), uriPath() with result: (), SameValue(): Count(, , ).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
Message6 UnicodeString | — |
HRESULT HexInt32 | — |
UInt8 UInt32 | — |
UInt9 UInt32 | — |
UInt10 UInt32 | — |
UInt11 UInt32 | — |
Event ID 4032 — MDM Declared Configuration: Update drift control with enrollmentId (Message1), docId(Message2), driftControl(UInt1) with result: (HexInt1).
Event ID 4033 — MDM Declared Configuration: Update drift control refresh period with enrollmentId (Message1), docId(Message2), refreshPeriod(UInt1) with result: (HexInt1).
Event ID 4050 — Drift Control - No Drift Detected: enrollmentId (Message1), context(Message2), docId(Message3), docVersion(Message4), Uri(Message5).
Event ID 4051 — Drift Control - Drift Detected: enrollmentId (Message1), context(Message2), docId(Message3), docVersion(Message4), Uri(Message5), Result:(HRESULT).
Description
Drift Control - Drift Detected: enrollmentId (Message1), context(Message2), docId(Message3), docVersion(Message4), Uri(Message5), Result:(HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 4052 — Drift Control - Skip Refresh: enrollmentId (Message1), context(Message2), docId(Message3), docVersion(Message4), Uri(Message5).
Event ID 4053 — Drift Control - Drift Unrecoverable: enrollmentId (Message1), context(Message2), docId(Message3), docVersion(Message4), Uri(Message5), Result:(HRESULT).
Description
Drift Control - Drift Unrecoverable: enrollmentId (Message1), context(Message2), docId(Message3), docVersion(Message4), Uri(Message5), Result:(HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 4100 — UserRights account delete failed.
Description
UserRights account delete failed. UserRight: Message1, account name: Message2, SID: Message3, Name resolution type: Message4. Result:(UInt1) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
UInt1 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 4101 — UserRights account add failed.
Description
UserRights account add failed. UserRight: Message1, account name: Message2, SID: Message3, Name resolution type: Message4. Result:(UInt1) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
UInt1 UInt32 | — |
HRESULT HexInt32 | — |
Event ID 4102 — UserRights account add failed.
Event ID 4103 — UserRights SID is invalid.
Event ID 4104 — Bulk Instance Data Parsed Successfully.
Description
Bulk Instance Data Parsed Successfully. DocID: Message1, DocVersion: Message2, EnrollmentId: Message3, UserSid: Message4, Number of Instances: HexInt1, Variables per instance: HexInt2.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HexInt1 HexInt32 | — |
HexInt2 HexInt32 | — |
Event ID 4105 — MDM Declared Configuration: DeclaredConfigurationStore_ParseBulkInstanceData error at (Message1): (Message2), HRESULT: (HRESULT).
Event ID 4106 — Dual enrollment task creation is successful.
Description
Dual enrollment task creation is successful.
Message #
Event ID 4107 — MDM Declared Configuration resource cleanup task succeeded.
Description
MDM Declared Configuration resource cleanup task succeeded.
Message #
Event ID 4108 — MDM Declared Configuration resource cleanup task failed.
Description
MDM Declared Configuration resource cleanup task failed.
Message #
Event ID 4109 — Dual enrollment: missing parent enrollment Id (HRESULT).
Event ID 4109 — Dual enrollment: missing parent enrollment Id (HRESULT).
Event ID 4110 — Dual enrollment: discovery endpoint is not set (HRESULT).
Event ID 4110 — Dual enrollment: discovery endpoint is not set (HRESULT).
Event ID 4111 — Dual enrollment: discovery endpoint string is too big (HRESULT).
Event ID 4111 — Dual enrollment: discovery endpoint string is too big (HRESULT).
Event ID 4112 — Dual enrollment: existing dual enrollment found (Message1), skipping enroll task creation.
Event ID 4112 — Dual enrollment: existing dual enrollment found (Message1), skipping enroll task creation.
Event ID 4113 — Dual enrollment: EntDMId of the main enrollment is not found (HRESULT).
Event ID 4113 — Dual enrollment: EntDMId of the main enrollment is not found (HRESULT).
Event ID 4114 — Dual enrollment: could not find main enrollment GUID (HRESULT).
Event ID 4114 — Dual enrollment: could not find main enrollment GUID (HRESULT).
Event ID 4115 — Dual enrollment: found multiple MDM enrollments.
Description
Dual enrollment: found multiple MDM enrollments.
Message #
Event ID 4115 — Dual enrollment: found multiple MDM enrollments.
Description
Dual enrollment: found multiple MDM enrollments.
Message #
Event ID 4116 — UserRights account SID not mapped to account.
Event ID 4117 — Resource transfer from MDM failed with enrollmentId (Message1), context(Message2), docId(Message3), Result(HRESULT).
Event ID 4200 — ConfigRefresh started.
Description
ConfigRefresh started.
Message #
Event ID 4201 — ConfigRefresh failed with HRESULT HRESULT.
Event ID 4202 — ConfigRefresh completed successfully.
Description
ConfigRefresh completed successfully.
Message #
Event ID 4203 — Failed to create ConfigRefresh task.
Event ID 4204 — Failed to delete ConfigRefresh task.
Event ID 4205 — Failed to set ConfigRefresh Enabled value to UInt1.
Event ID 4206 — Failed to delete ConfigRefresh Enabled node.
Event ID 4207 — Failed to disable ConfigRefresh task.
Event ID 4208 — Failed to enable ConfigRefresh task.
Event ID 4209 — Failed to set ConfigRefresh Cadence value to UInt1.
Event ID 4210 — Failed to delete ConfigRefresh Cadence node.
Event ID 4211 — Failed to update ConfigRefresh task with Cadence value UInt1.
Event ID 4212 — Failed to set ConfigRefresh Pause Period value to UInt1.
Event ID 4213 — Failed to delete ConfigRefresh Pause Period node.
Event ID 4214 — Failed to update ConfigRefresh task with Pause Period value UInt1.
Event ID 4215 — Message1 failed to acquire ConfigRefresh mutex.
Event ID 4216 — Failed to release ConfigRefresh mutex.
Event ID 4217 — Failed to set ConfigRefresh thread to lowest priority.
Event ID 4218 — Wait for ConfigRefresh semaphore failed.
Event ID 4219 — Failed to release ConfigRefresh semaphore.
Event ID 4220 — ConfigRefresh skipped because OmaDmClient sync is in progress
Description
ConfigRefresh skipped because OmaDmClient sync is in progress.
Message #
Event ID 4221 — DeclaredConfigurationRefresh skipped because OmaDmClient sync is in progress
Description
DeclaredConfigurationRefresh skipped because OmaDmClient sync is in progress.
Message #
Event ID 4222 — ConfigLock skipped because OmaDmClient sync is in progress
Description
ConfigLock skipped because OmaDmClient sync is in progress.
Message #
Event ID 4223 — Soap Response Message with error: (Message1).
Event ID 4224 — ConfigRefresh just for per user policies started.
Description
ConfigRefresh just for per user policies started.
Message #
Event ID 4225 — ConfigRefresh just for per user policies failed with HRESULT HRESULT.
Event ID 4226 — ConfigRefresh just for per user policies cdcompleted successfully.
Description
ConfigRefresh just for per user policies cdcompleted successfully.
Message #
Event ID 4227 — ConfigRefresh for just per user policies skipped because OmaDmClient sync is in progress
Description
ConfigRefresh for just per user policies skipped because OmaDmClient sync is in progress.
Message #
Event ID 4300 — Failed to load Message1.
Event ID 4301 — Failed to GetProcAddress of Message1.
Event ID 4302 — ADMX-backed policy Message1/Message2 CSE Message3 call failed.
Event ID 4400 — Attestation attempt started with Correlation Vector: (Message1), RPID: (Message2), Attestation URI (Message3).
Event ID 4401 — Attestation attempt succeeded with Correlation Vector: (Message1), Server Correlation Vector (Message2), RPID: (Message3), Attestation URI (Message4), and HRESULT (HRESULT).
Description
Attestation attempt succeeded with Correlation Vector: (Message1), Server Correlation Vector (Message2), RPID: (Message3), Attestation URI (Message4), and HRESULT (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 4402 — Attestation attempt failed with Correlation Vector: (Message1), Server Correlation Vector (Message2), RPID: (Message3), Attestation URI (Message4), Error Message (Message5) and ...
Description
Attestation attempt failed with Correlation Vector: (Message1), Server Correlation Vector (Message2), RPID: (Message3), Attestation URI (Message4), Error Message (Message5) and HRESULT (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Message5 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 4403 — Attestation PDC Activate Failed with (HRESULT).
Event ID 4404 — Attestation PDC Deactivate failed with (HRESULT).
Event ID 4405 — Attestation PDC Function (Message1) failed with (HRESULT).
Event ID 4500 — MDM Registry Provider: Set value, URI: (Message1), Data Type: (UInt2), Int: (UInt3), Enrollment ID: (Message4).
Event ID 4500 —
Description
MDM Registry Provider: Set value, URI: (), Data Type: (), Int: (), Enrollment ID: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
UInt2 UInt32 | — |
UInt3 UInt32 | — |
Message4 UnicodeString | — |
Event ID 4501 — MDM Registry Provider: Set value, URI: (Message1), Data Type: (UInt2), String: (Message3), Enrollment ID: (Message4).
Event ID 4501 —
Description
MDM Registry Provider: Set value, URI: (), Data Type: (), String: (), Enrollment ID: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
UInt2 UInt32 | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
Event ID 4502 — MDM Registry Provider: Set value, URI: (Message1), Data Type: (UInt2), Binary Size: (UInt3), Enrollment ID: (Message4).
Event ID 4502 —
Description
MDM Registry Provider: Set value, URI: (), Data Type: (), Binary Size: (), Enrollment ID: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
UInt2 UInt32 | — |
UInt3 UInt32 | — |
Message4 UnicodeString | — |
Event ID 4503 — MDM Registry Provider: Delete value, URI: (Message1), Data Type: (UInt2), Enrollment ID: (Message3).
Event ID 4503 —
Description
MDM Registry Provider: Delete value, URI: (), Data Type: (), Enrollment ID: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
UInt2 UInt32 | — |
Message3 UnicodeString | — |
Event ID 4504 — MDM Registry Provider: Set value with failure, URI: (Message1), Data Type: (UInt2), Int: (UInt3), Enrollment ID: (Message4), Result: (HexInt5).
Event ID 4504 —
Description
MDM Registry Provider: Set value with failure, URI: (), Data Type: (), Int: (), Enrollment ID: (), Result: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
UInt2 UInt32 | — |
UInt3 UInt32 | — |
Message4 UnicodeString | — |
HexInt5 HexInt32 | — |
Event ID 4505 — MDM Registry Provider: Set value with failure, URI: (Message1), Data Type: (UInt2), String: (Message3), Enrollment ID: (Message4), Result: (HexInt5).
Event ID 4505 —
Description
MDM Registry Provider: Set value with failure, URI: (), Data Type: (), String: (), Enrollment ID: (), Result: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
UInt2 UInt32 | — |
Message3 UnicodeString | — |
Message4 UnicodeString | — |
HexInt5 HexInt32 | — |
Event ID 4506 — MDM Registry Provider: Set value with failure, URI: (Message1), Data Type: (UInt2), Binary Size: (UInt3), Enrollment ID: (Message4), Result: (HexInt5).
Event ID 4506 —
Description
MDM Registry Provider: Set value with failure, URI: (), Data Type: (), Binary Size: (), Enrollment ID: (), Result: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
UInt2 UInt32 | — |
UInt3 UInt32 | — |
Message4 UnicodeString | — |
HexInt5 HexInt32 | — |
Event ID 4507 — MDM Registry Provider: Set value with failure, URI: (Message1), Data Type: (UInt2), Enrollment ID: (Message3), Result: (HexInt4).
Event ID 4507 —
Description
MDM Registry Provider: Set value with failure, URI: (), Data Type: (), Enrollment ID: (), Result: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
UInt2 UInt32 | — |
Message3 UnicodeString | — |
HexInt4 HexInt32 | — |
Event ID 4508 — MDM Registry Provider: Delete value with failure, URI: (Message1), Data Type: (UInt2), Enrollment ID: (Message3), Result: (HexInt4).
Event ID 4508 —
Description
MDM Registry Provider: Delete value with failure, URI: (), Data Type: (), Enrollment ID: (), Result: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
UInt2 UInt32 | — |
Message3 UnicodeString | — |
HexInt4 HexInt32 | — |
Event ID 4509 — MDM Registry Provider: Set value, URI: (Message1), Data Type: (UInt2), Int: (UInt3), Enrollment ID: (Message4).
Event ID 4509 —
Description
MDM Registry Provider: Set value, URI: (), Data Type: (), Int: (), Enrollment ID: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
UInt2 UInt32 | — |
UInt3 UInt64 | — |
Message4 UnicodeString | — |
Event ID 4510 — MDM Registry Provider: Set value with failure, URI: (Message1), Data Type: (UInt2), Int: (UInt3), Enrollment ID: (Message4), Result: (HexInt5).
Event ID 4510 —
Description
MDM Registry Provider: Set value with failure, URI: (), Data Type: (), Int: (), Enrollment ID: (), Result: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
UInt2 UInt32 | — |
UInt3 UInt64 | — |
Message4 UnicodeString | — |
HexInt5 HexInt32 | — |
Event ID 4600 —
Description
Parsing notification payload succeeded. NotificationId.
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Event ID 4600 — Parsing notification payload succeeded.
Event ID 4601 — Parsing notification payload failed.
Event ID 4601 —
Description
Parsing notification payload failed. NotificationId: , HRESULT.
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 4602 —
Description
Getting push alert info for push initiated session succeeded. NotificationId.
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Event ID 4602 — Getting push alert info for push initiated session succeeded.
Event ID 4603 — Getting push alert info for push initiated session failed.
Event ID 4603 —
Description
Getting push alert info for push initiated session failed. NotificationId: , HRESULT.
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
HRESULT HexInt32 | — |
Event ID 4604 — Parsing notification payload succeeded.
Event ID 4604 —
Description
Parsing notification payload succeeded. NotificationId: , Payload.
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
Message2 UnicodeString | — |
Event ID 4605 — Parsing notification payload failed.
Event ID 4605 —
Description
Parsing notification payload failed. NotificationId: , HRESULT: , Payload.
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | — |
HRESULT HexInt32 | — |
Message2 UnicodeString | — |