Description

TPM Owner Authorization information was backed up successfully to Active Directory Domain Services.

Message #

TPM Owner Authorization information was backed up successfully to Active Directory Domain Services.

Description

Failed to backup TPM Owner Authorization information to Active Directory Domain Services.

Message #

Failed to backup TPM Owner Authorization information to Active Directory Domain Services.
Errorcode: %1
Check that your computer is connected to the domain.  If your computer is connected to the domain, have your Domain Administrator check that the Active Directory schema is appropriate for backup of Windows 8 TPM Owner Authorization information and that the current Computer object has write permission to the TPM object.  Installations of Windows Server 2008 R2 or before need a schema extension in order to be ready for backup of Windows 8 TPM Owner Authorization information.  Consult online documentation for more information about setting up Active Directory Domain Services for TPM.

Fields #

Description

The Trusted Platform Module (TPM) hardware on this computer has failed to set its Dictionary Attack Parameters to legacy mode.

Message #

The Trusted Platform Module (TPM) hardware on this computer has failed to set its Dictionary Attack Parameters to legacy mode.

Description

Successfully sent physical presence request to clear the Trusted Platform Module(TPM).

Message #

Successfully sent physical presence request to clear the Trusted Platform Module(TPM).

Description

Failed to send physical presence request to clear the Trusted Platform Module(TPM).

Message #

Failed to send physical presence request to clear the Trusted Platform Module(TPM).

Fields #

Description

Failed to get isOwned status from Trusted Platform Module(TPM), proceeding to clear TPM assuming that TPM is owned. Error code:HResult.

Message #

Failed to get isOwned status from Trusted Platform Module(TPM), proceeding to clear TPM assuming that TPM is owned. Error code:%1

Fields #

Description

The TPM has been cleared. Reason: ClearReason.

Message #

The TPM has been cleared. Reason: %1.

Fields #

Description

TPM Owner Authorization configuration changed from 'OldOSManagedAuthLevel' to 'NewOSManagedAuthLevel'.

Message #

TPM Owner Authorization configuration changed from '%1' to '%2'.

Fields #

Description

The TPM was successfully provisioned and is now ready for use.

Message #

The TPM was successfully provisioned and is now ready for use.

Message #

The Trusted Platform Module (TPM) hardware on this computer cannot be provisioned for use automatically.  To set up the TPM interactively use the TPM management console (Start->tpm.msc) and use the action to make the TPM ready.

Error: %1
Additional Information: %2

Fields #

Description

The Ownership of the Trusted Platform Module (TPM) hardware on this computer was successfully taken (TPM TakeOwnership command) by the system.

Message #

The Ownership of the Trusted Platform Module (TPM) hardware on this computer was successfully taken (TPM TakeOwnership command) by the system.

Description

The NGC key generation task was successfully triggered.

Message #

The NGC key generation task was successfully triggered.

Description

The triggering of the NGC key generation task failed.

Message #

The triggering of the NGC key generation task failed.

Fields #

Description

The NGC certificate enrollment task was successfully triggered.

Message #

The NGC certificate enrollment task was successfully triggered.

Description

The triggering of the NGC certificate enrollment task failed.

Message #

The triggering of the NGC certificate enrollment task failed.

Fields #

Description

The Secure Boot update was not applied due to a known incompatibility with the current BitLocker configuration.

Message #

The Secure Boot update was not applied due to a known incompatibility with the current BitLocker configuration.

Fields #

Description

Potentially revoked boot manager was detected in EFI partition. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931.

Message #

Potentially revoked boot manager was detected in EFI partition. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931

Fields #

Description

Secure Boot Dbx update applied successfully.

Message #

Secure Boot Dbx update applied successfully

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TPM-WMI",
    "guid": "7D5387B0-CBE0-11DA-A94D-0800200C9A66",
    "event_source_name": "",
    "event_id": 1034,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2023-11-05T22:27:36.527418+00:00",
    "event_record_id": 1724,
    "correlation": {},
    "execution": {
      "process_id": 1092,
      "thread_id": 956
    },
    "channel": "System",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

Secure Boot Dbx update applied successfully.

Message #

Secure Boot Dbx update applied successfully

Description

Secure Boot Db update applied successfully.

Message #

Secure Boot Db update applied successfully

Description

Secure Boot Dbx update to revoke Microsoft Windows Production PCA 2011 is applied successfully.

Message #

Secure Boot Dbx update to revoke Microsoft Windows Production PCA 2011 is applied successfully

Description

Pre-attestation health checks confirm that the device is expected to pass attestation.

Message #

Pre-attestation health checks confirm that the device is expected to pass attestation.
 Please see %1 for detailed information on what checks were made.

Fields #

Description

Pre-attestation health checks confirm that the device meets most attestation criteria, but failing is still possible.

Message #

Pre-attestation health checks confirm that the device meets most attestation criteria, but failing is still possible.
 Please see %1 for detailed information on what checks were made.

Fields #

Description

Pre-attestation health checks confirm a critical component has failed, and the device is not expected to pass attestation.

Message #

Pre-attestation health checks confirm a critical component has failed, and the device is not expected to pass attestation.
 Please see %1 for detailed information on what checks were made.

Fields #

Description

Pre-attestation health check detailed information: Json.

Message #

Pre-attestation health check detailed information: %1

Fields #

Description

Secure Boot Dbx update to revoke older Boot Manager SVNs is applied successfully.

Message #

Secure Boot Dbx update to revoke older Boot Manager SVNs is applied successfully

Description

Secure Boot KEK update applied successfully.

Message #

Secure Boot KEK update applied successfully

Description

Secure Boot DB update to install Microsoft Option ROM UEFI CA 2023 certificate applied successfully.

Message #

Secure Boot DB update to install Microsoft Option ROM UEFI CA 2023 certificate applied successfully

Description

Secure Boot DB update to install Microsoft UEFI CA 2023 certificate applied successfully.

Message #

Secure Boot DB update to install Microsoft UEFI CA 2023 certificate applied successfully

Description

Measured boot files deleted successfully. The following FilesCount files were deleted: Files.

Message #

Measured boot files deleted successfully. The following %1 files were deleted: %2

Fields #

Description

Measured boot file FileName was not deleted successfully due to error ErrorCode.

Message #

Measured boot file %1 was not deleted successfully due to error %2.

Fields #

Description

This event triggers the TBS device identifier generation.

Message #

This event triggers the TBS device identifier generation.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TPM-WMI",
    "guid": "7D5387B0-CBE0-11DA-A94D-0800200C9A66",
    "event_source_name": "",
    "event_id": 1281,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 9223372036854775808,
    "time_created": "2022-04-07T16:48:26.716878+00:00",
    "event_record_id": 346,
    "correlation": {},
    "execution": {
      "process_id": 4332,
      "thread_id": 4368
    },
    "channel": "System",
    "computer": "WIN-FPV0DSIC9O6",
    "security": {
      "user_id": "S-1-5-21-2121334350-1110938707-2888912545-500"
    }
  },
  "event_data": {},
  "message": ""
}

References #

• Example event sourced from https://github.com/NextronSystems/evtx-baseline

Description

The TBS device identifier has been generated.

Message #

The TBS device identifier has been generated.

Description

EK Certificate tool started.

Message #

EK Certificate tool started.

Description

EK Certificate tool succeeded in Millisecondstaken milliseconds.

Message #

EK Certificate tool succeeded in %1 milliseconds.

Fields #

Description

EK Certificate tool failed in Millisecondstaken milliseconds with error ErrorCode.

Message #

EK Certificate tool failed in %1 milliseconds with error %2.

Fields #

Description

The Device Health Certificate was successfully provisioned from HealthAttestationServer.

Message #

The Device Health Certificate was successfully provisioned from %1.

Fields #

Description

The Device Health Certificate provisioning could not connect to HealthAttestationServer. HResult.

Message #

The Device Health Certificate provisioning could not connect to %1. %2

Fields #

Description

The Device Health Certificate could not be provisioned from HealthAttestationServer. HTTP status code HTTPStatus: ServerResponse.

Message #

The Device Health Certificate could not be provisioned from %1. HTTP status code %2: %3

Fields #

Description

The Trusted Platform Module (TPM) hardware on this computer is scheduled to be cleared by the system.

Message #

The Trusted Platform Module (TPM) hardware on this computer is scheduled to be cleared by the system.

Message #

The Trusted Platform Module (TPM) firmware on this PC has a known security problem. Please contact your PC manufacturer to find out if an update is available. For more information please go to https://go.microsoft.com/fwlink/?linkid=852572

Description

The system firmware returned an error HResult when attempting to update a Secure Boot variable. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931.

Message #

The system firmware returned an error %1 when attempting to update a Secure Boot variable. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931

Fields #

Description

The Secure Boot update failed to update a Secure Boot variable with error UpdateType. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931.

Message #

The Secure Boot update failed to update a Secure Boot variable with error %1. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931

Fields #

Description

The Secure Boot update failed as the Windows UEFI CA 2023 certificate is not present in Db.

Message #

The Secure Boot update failed as the Windows UEFI CA 2023 certificate is not present in Db

Description

The Secure Boot Dbx update failed as boot manager is not signed with the Windows UEFI CA 2023 certificate.

Message #

The Secure Boot Dbx update failed as boot manager is not signed with the Windows UEFI CA 2023 certificate

Description

Boot Manager signed with Windows UEFI CA 2023 was installed successfully.

Message #

Boot Manager signed with Windows UEFI CA 2023 was installed successfully

Description

A reboot is required before installing the Secure Boot update. Reason: UpdateType.

Message #

A reboot is required before installing the Secure Boot update. Reason: %1

Fields #

Message #

Secure Boot certificates have been updated but are not yet applied to the device firmware. Review the published guidance to complete the update and ensure full protection. This device signature information is included here.
DeviceAttributes: %1
BucketId: %2
BucketConfidenceLevel: %3
UpdateType: %4
For more information, please see https://go.microsoft.com/fwlink/?linkid=2301018.

Fields #

Message #

The Secure Boot update %1 was blocked due to a known firmware issue on the device. Check with your device vendor for a firmware update that addresses the issue. This device signature information is included here.
DeviceAttributes: %2
BucketId: %3
BucketConfidenceLevel: %4
SkipReason: %5.
For more information, please see https://go.microsoft.com/fwlink/?linkid=2339472

Fields #

Description

A PK-signed Key Exchange Key (KEK) cannot be found for this device. Check with the device manufacturer for proper key provisioning.

Message #

A PK-signed Key Exchange Key (KEK) cannot be found for this device. Check with the device manufacturer for proper key provisioning.
This device signature information is included here.
DeviceAttributes: %1
BucketId: %2
BucketConfidenceLevel: %3.
For more information, please see https://go.microsoft.com/fwlink/?linkid=2339472

Fields #

Description

This device has updated Secure Boot CA/keys. This device signature information is included here.

Message #

This device has updated Secure Boot CA/keys. This device signature information is included here.
DeviceAttributes: %1
BucketId: %2
BucketConfidenceLevel: %3
UpdateType: %4
For more information, please see https://go.microsoft.com/fwlink/?linkid=2301018.

Fields #