Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
996 events across 8 channels
Event ID 2: MDM Enroll: Certificate policy create message failed.
#Event ID 2: MDM Enroll: Certificate policy create message failed.
#Event ID 3: MDM Enroll: Certificate Authentication was requested, but failed sign the server request.
#Event ID 3: MDM Enroll: Certificate Authentication was requested, but failed sign the server request.
#Event ID 4: MDM Enroll: Certificate policy request sent successfully.
#Description
MDM Enroll: Certificate policy request sent successfully.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 4,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:21:00.715375+00:00",
"event_record_id": 119,
"correlation": {},
"execution": {
"process_id": 9152,
"thread_id": 8668
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {},
"message": ""
}
Event ID 4: MDM Enroll: Certificate policy request sent successfully.
#Description
MDM Enroll: Certificate policy request sent successfully.
Message #
Event ID 5: MDM Enroll: Certificate policy request sending failed.
#Event ID 5: MDM Enroll: Certificate policy request sending failed.
#Event ID 6: MDM Enroll: Certificate policy response processed successfully.
#Description
MDM Enroll: Certificate policy response processed successfully.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 6,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:21:00.717774+00:00",
"event_record_id": 120,
"correlation": {},
"execution": {
"process_id": 9152,
"thread_id": 8668
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 6: MDM Enroll: Certificate policy response processed successfully.
#Description
MDM Enroll: Certificate policy response processed successfully.
Message #
Event ID 7: MDM Enroll: Failed to receive or parse certificate response.
#Event ID 7: MDM Enroll: Failed to receive or parse certificate response.
#Event ID 8: MDM Enroll: Certificate enrollment request sent successfully.
#Description
MDM Enroll: Certificate enrollment request sent successfully.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 8,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:21:05.265280+00:00",
"event_record_id": 122,
"correlation": {},
"execution": {
"process_id": 9152,
"thread_id": 8668
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {},
"message": ""
}
Event ID 8: MDM Enroll: Certificate enrollment request sent successfully.
#Description
MDM Enroll: Certificate enrollment request sent successfully.
Message #
Event ID 9: MDM Enroll: Certificate enrollment request sending failed.
#Event ID 9: MDM Enroll: Certificate enrollment request sending failed.
#Event ID 10: MDM Enroll: Certificate enrollment response parsed successfully.
#Description
MDM Enroll: Certificate enrollment response parsed successfully.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 10,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:21:05.268581+00:00",
"event_record_id": 123,
"correlation": {},
"execution": {
"process_id": 9152,
"thread_id": 8668
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 10: MDM Enroll: Certificate enrollment response parsed successfully.
#Description
MDM Enroll: Certificate enrollment response parsed successfully.
Message #
Event ID 11: MDM Enroll: Failed to receive or parse certificate enroll response.
#Event ID 11: MDM Enroll: Failed to receive or parse certificate enroll response.
#Event ID 12: MDM Enroll: Failed to generate cert request.
#Event ID 12: MDM Enroll: Failed to generate cert request.
#Event ID 15: MDM Enroll: Failed to install client certificate.
#Event ID 15: MDM Enroll: Failed to install client certificate.
#Event ID 16: MDM Enroll: OMA-DM client configuration succeeds.
#Description
MDM Enroll: OMA-DM client configuration succeeds.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 16,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:21:06.713255+00:00",
"event_record_id": 124,
"correlation": {},
"execution": {
"process_id": 9152,
"thread_id": 8668
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 16: MDM Enroll: OMA-DM client configuration succeeds.
#Description
MDM Enroll: OMA-DM client configuration succeeds.
Message #
Event ID 17: MDM Enroll: OMA-DM client configuration failed.
#Event ID 17: MDM Enroll: OMA-DM client configuration failed.
#Event ID 19: MDM Enroll: OMA-DM polling schedule set up failed.
#Event ID 19: MDM Enroll: OMA-DM polling schedule set up failed.
#Event ID 20: MDM Enroll: OMA-DM session initiation blocked since the enrollment is in a dormant state.
#Event ID 20: MDM Enroll: OMA-DM session initiation blocked since the enrollment is in a dormant state.
#Event ID 21: MDM Enroll: OMA-DM polling auxiliary schedule set up failed.
#Event ID 21: MDM Enroll: OMA-DM polling auxiliary schedule set up failed.
#Event ID 23: MDM Enroll: OMA-DM polling second auxiliary schedule set up failed.
#Event ID 23: MDM Enroll: OMA-DM polling second auxiliary schedule set up failed.
#Event ID 25: MDM Enroll: Client failed to set up the manual MDM client certificate renewal schedule.
#Event ID 25: MDM Enroll: Client failed to set up the manual MDM client certificate renewal schedule.
#Event ID 26: MDM Enroll: Certificate renew failed.
#Event ID 26: MDM Enroll: Certificate renew failed.
#Event ID 27: MDM Enroll: AutoEnrollMDM Result: (HRESULT) PolicyValue: (HexInt1) AADCredentialType: (HexInt2).
#Event ID 28: MDM Enroll: Certificate renew PKCS7Sign failed: Function: (Message1) Result: (HRESULT).
#Event ID 28: MDM Enroll: Certificate renew PKCS7Sign failed: Function: (Message1) Result: (HRESULT).
#Event ID 29: MDM Enroll: Certificate renew FindCertBasedOnContainer failed: Function: (Message1) ContainerName: (Message2) CryptoProvider: (Message3) Result: (HRESULT).
#Event ID 29: MDM Enroll: Certificate renew FindCertBasedOnContainer failed: Function: (Message1) ContainerName: (Message2) CryptoProvider: (Message3) Result: (HRESULT).
#Event ID 30: MDM Enroll: Binding public MDM certificate with private MDM key failed: Function: (Message1) Result: (HRESULT).
#Event ID 30: MDM Enroll: Binding public MDM certificate with private MDM key failed: Function: (Message1) Result: (HRESULT).
#Event ID 32: SCEP: Certificate enroll failed.
#Event ID 36: SCEP: Certificate request generated successfully.
#Description
SCEP: Certificate request generated successfully. Enhanced Key Usage: (Message1), NDES URL: (Message2), Container Name: (Message3), KSP Setting: (HexInt1), Store Location: (HexInt2).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 |
Event ID 37: SCEP: Certificate request sent successfully.
#Description
SCEP: Certificate request sent successfully.
Message #
Event ID 38: SCEP: Certificate response received successfully.
#Description
SCEP: Certificate response received successfully.
Message #
Event ID 39: SCEP: Certificate installed successfully.
#Description
SCEP: Certificate installed successfully.
Message #
Event ID 42: MDM Push: Failed to create WNS Push Channel for MDM Push Sessions.
#Description
MDM Push: Failed to create WNS Push Channel for MDM Push Sessions. Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
HRESULT HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 42,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:05.207348+00:00",
"event_record_id": 661,
"correlation": {},
"execution": {
"process_id": 6736,
"thread_id": 11860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"HRESULT": "0x8000401a"
},
"message": ""
}
Event ID 42: MDM Push: Failed to create WNS Push Channel for MDM Push Sessions.
#Event ID 43: MDM Push: Successfully created WNS Push Channel for MDM Push Sessions.
#Description
MDM Push: Successfully created WNS Push Channel for MDM Push Sessions.
Message #
Event ID 43: MDM Push: Successfully created WNS Push Channel for MDM Push Sessions.
#Description
MDM Push: Successfully created WNS Push Channel for MDM Push Sessions.
Message #
Event ID 44: MDM Push: Failed to renew WNS Push Channel for MDM Push Sessions.
#Event ID 44: MDM Push: Failed to renew WNS Push Channel for MDM Push Sessions.
#Event ID 45: MDM Push: Successfully renewed WNS Push Channel for MDM Push Sessions.
#Description
MDM Push: Successfully renewed WNS Push Channel for MDM Push Sessions.
Message #
Event ID 45: MDM Push: Successfully renewed WNS Push Channel for MDM Push Sessions.
#Description
MDM Push: Successfully renewed WNS Push Channel for MDM Push Sessions.
Message #
Event ID 46: MDM Push: Failed to upgrade WNS Push Channel for MDM Push Sessions.
#Event ID 46: MDM Push: Failed to upgrade WNS Push Channel for MDM Push Sessions.
#Event ID 47: MDM Push: Successfully upgraded WNS Push Channel for MDM Push Sessions.
#Description
MDM Push: Successfully upgraded WNS Push Channel for MDM Push Sessions.
Message #
Event ID 47: MDM Push: Successfully upgraded WNS Push Channel for MDM Push Sessions.
#Description
MDM Push: Successfully upgraded WNS Push Channel for MDM Push Sessions.
Message #
Event ID 48: MDM Unenroll: Unenroll alert sent to server.
#Description
MDM Unenroll: Unenroll alert sent to server.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 48,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T01:38:05.075072+00:00",
"event_record_id": 102,
"correlation": {},
"execution": {
"process_id": 2768,
"thread_id": 276
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 48: MDM Unenroll: Unenroll alert sent to server.
#Description
MDM Unenroll: Unenroll alert sent to server.
Message #
Event ID 49: MDM Unenroll: Error sending unenroll alert to server.
#Event ID 49: MDM Unenroll: Error sending unenroll alert to server.
#Event ID 52: MDM Enroll: Server Returned Fault/Code/Subcode/Value=(Message1) Fault/Reason/Text=(Message2).
#Event ID 52: MDM Enroll: Server Returned Fault/Code/Subcode/Value=(Message1) Fault/Reason/Text=(Message2).
#Event ID 53: MDM Enroll: Authentication failed.
#Event ID 53: MDM Enroll: Authentication failed.
#Event ID 54: MDM Enroll: Authentication successful: Got token from STS.
#Description
MDM Enroll: Authentication successful: Got token from STS.
Message #
Event ID 54: MDM Enroll: Authentication successful: Got token from STS.
#Description
MDM Enroll: Authentication successful: Got token from STS.
Message #
Event ID 55: MDM Enroll: Enrollment via UX failed.
#Event ID 55: MDM Enroll: Enrollment via UX failed.
#Event ID 56: MDM Enroll: Failed to parse server provisioning XML.
#Event ID 56: MDM Enroll: Failed to parse server provisioning XML.
#Event ID 57: MDM Enroll: Provisioning failed.
#Event ID 57: MDM Enroll: Provisioning failed.
#Event ID 58: MDM Enroll: Provisioning succeeded.
#Description
MDM Enroll: Provisioning succeeded.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 58,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:21:07.569643+00:00",
"event_record_id": 127,
"correlation": {},
"execution": {
"process_id": 9152,
"thread_id": 8668
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 58: MDM Enroll: Provisioning succeeded.
#Description
MDM Enroll: Provisioning succeeded.
Message #
Event ID 59: MDM Enroll: Server context (Message1).
#Event ID 59: MDM Enroll: Server context (Message1).
#Event ID 60: MDM Unenroll: Unenrollment initiated by entity other than user (server or device) (Message1).
#Description
MDM Unenroll: Unenrollment initiated by entity other than user (server or device) (Message1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 60,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T01:38:03.174459+00:00",
"event_record_id": 86,
"correlation": {},
"execution": {
"process_id": 2768,
"thread_id": 9988
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "43C0DA41-21B4-4245-980F-878D0899119B"
},
"message": ""
}
Event ID 60: MDM Unenroll: Unenrollment initiated by entity other than user (server or device) (Message1).
#Event ID 61: MDM Unenroll: Unenrollment initiated by user through UI.
#Event ID 61: MDM Unenroll: Unenrollment initiated by user through UI.
#Event ID 62: MDM Enroll: Server specifed hashAlgorithmOIDReference (Message1) is a OID of group (Message2), expected an OID in group CRYPT_HASH_ALG_OID_GROUP_ID.
#Description
MDM Enroll: Server specifed hashAlgorithmOIDReference (Message1) is a OID of group (Message2), expected an OID in group CRYPT_HASH_ALG_OID_GROUP_ID.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 62,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:21:00.719300+00:00",
"event_record_id": 121,
"correlation": {},
"execution": {
"process_id": 9152,
"thread_id": 8668
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "1.3.14.3.2.29",
"Message2": "CRYPT_SIGN_ALG_OID_GROUP_ID"
},
"message": ""
}
Event ID 62: MDM Enroll: Server specifed hashAlgorithmOIDReference (Message1) is a OID of group (Message2), expected an OID in group CRYPT_HASH_ALG_OID_GROUP_ID.
#Event ID 63: MDM Enroll: Unable to acquire private key for newly installed cert.
#Event ID 64: MDM Unenroll: Changing dmwappushservice startup type to demand-start.
#Description
MDM Unenroll: Changing dmwappushservice startup type to demand-start. Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
HRESULT HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 64,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T01:38:05.580337+00:00",
"event_record_id": 112,
"correlation": {},
"execution": {
"process_id": 2768,
"thread_id": 276
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"HRESULT": "0x1"
},
"message": ""
}
Event ID 64: MDM Unenroll: Changing dmwappushservice startup type to demand-start.
#Event ID 65: MDM Unenroll: Changing dmwappushservice startup type to demand-start failed.
#Event ID 65: MDM Unenroll: Changing dmwappushservice startup type to demand-start failed.
#Event ID 66: MDM Enroll WAP Node Filtering: removed non-supported node (Message1).
#Event ID 67: MDM Unenroll: Failed to delete account.
#Event ID 67: MDM Unenroll: Failed to delete account.
#Event ID 68: MDM Enroll: /GetPoliciesResponse/response/policies/policy/attributes/policySchema invalid, got (UInt1) expected (3), ignoring certificate policy, usin...
#Event ID 68: MDM Enroll: /GetPoliciesResponse/response/policies/policy/attributes/policySchema invalid, got (UInt1) expected (3), ignoring certificate policy, usin...
#Event ID 69: MDM Enroll: Got a SOAP fault from the server, but couldn't parse it.
#Description
MDM Enroll: Got a SOAP fault from the server, but couldn't parse it. Was looking for /Fault/Code/Subcode/Value or (From http://schemas.microsoft.com/windows/pki/2009/01/enrollment) /Fault/Detail/DeviceEnrollmentServiceError/ErrorType
Message #
Event ID 70: MDM Enroll WAP Node Filtering: failed to remove non-supported node (HRESULT).
#Event ID 71: MDM Enroll: Failed (HRESULT).
#Event ID 71: MDM Enroll: Failed (HRESULT).
#Event ID 72: MDM Enroll: Succeeded
#Description
MDM Enroll: Succeeded.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 72,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:21:07.683796+00:00",
"event_record_id": 128,
"correlation": {},
"execution": {
"process_id": 9152,
"thread_id": 8668
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 73: MDM Unenroll: Finished user independant unenroll
#Description
MDM Unenroll: Finished user independant unenroll.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 73,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T01:38:04.969743+00:00",
"event_record_id": 96,
"correlation": {},
"execution": {
"process_id": 1872,
"thread_id": 9840
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 73: MDM Unenroll: Finished user independant unenroll
#Description
MDM Unenroll: Finished user independant unenroll.
Message #
Event ID 74: MDM Unenroll: Succeeded
#Description
MDM Unenroll: Succeeded.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 74,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T01:38:05.772240+00:00",
"event_record_id": 117,
"correlation": {},
"execution": {
"process_id": 1872,
"thread_id": 9840
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 75: Auto MDM Enroll: Device Credential (HexInt1), Succeeded.
#Event ID 75: Auto MDM Enroll: Device Credential (HexInt1), Succeeded.
#Event ID 76: Auto MDM Enroll: Device Credential (HexInt1), Failed (HRESULT).
#Event ID 76: Auto MDM Enroll: Device Credential (HexInt1), Failed (HRESULT).
#Event ID 77: Auto MDM Enroll Retry On Failure (HRESULT).
#Event ID 77: Auto MDM Enroll Retry On Failure (HRESULT).
#Event ID 78: Auto MDM Enroll DMGetAadDeviceToken Failure (HRESULT).
#Event ID 78: Auto MDM Enroll DMGetAadDeviceToken Failure (HRESULT).
#Event ID 79: Auto MDM Enroll DmRequestAadUserToken Failure (HRESULT).
#Event ID 79: Auto MDM Enroll DmRequestAadUserToken Failure (HRESULT).
#Event ID 80: Auto MDM Enroll DmRaiseToastNotificationAndWait Failure (HRESULT).
#Event ID 80: Auto MDM Enroll DmRaiseToastNotificationAndWait Failure (HRESULT).
#Event ID 81: Auto MDM Enroll Impersonation Failure (HRESULT).
#Event ID 81: Auto MDM Enroll Impersonation Failure (HRESULT).
#Event ID 82: Auto MDM Enroll AADEnrollAsync Failure (HRESULT).
#Event ID 82: Auto MDM Enroll AADEnrollAsync Failure (HRESULT).
#Event ID 83: Auto MDM Enroll WaitForCompletiongNoThrow after AADEnrollAsync Failure (HRESULT).
#Event ID 83: Auto MDM Enroll WaitForCompletiongNoThrow after AADEnrollAsync Failure (HRESULT).
#Event ID 84: Auto MDM Enroll GetAsyncResults after AADEnrollAsync Failure (HRESULT).
#Event ID 84: Auto MDM Enroll GetAsyncResults after AADEnrollAsync Failure (HRESULT).
#Event ID 85: Should show EnrollmentStatusPage result.
#Event ID 85: Should show EnrollmentStatusPage result.
#Event ID 86: MDM Unenroll: Unenroll origin is: (Message1).
#Description
MDM Unenroll: Unenroll origin is: (Message1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 86,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T01:38:05.052726+00:00",
"event_record_id": 98,
"correlation": {},
"execution": {
"process_id": 2768,
"thread_id": 276
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "MiradoreMDM"
},
"message": ""
}
Event ID 86: MDM Unenroll: Unenroll origin is: (Message1).
#Event ID 87: AADEnrollAsync(Message1, Message2, Message3, Message4, UInt1, Message5, Message6, Message7) Failed Result: (Message8).
#Description
AADEnrollAsync(Message1, Message2, Message3, Message4, UInt1, Message5, Message6, Message7) Failed Result: (Message8).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
UInt1 UInt32 | |
Message5 UnicodeString | |
Message6 UnicodeString | |
Message7 UnicodeString | |
Message8 UnicodeString | |
HRESULT HexInt32 |
Event ID 88: Enrolling SID (Message1) Result: (HRESULT).
#Event ID 89: Auto MDM Enroll DmGetAadDeviceTokenWithDiscovery with Application ID (Message1): Status (HRESULT).
#Event ID 89: Auto MDM Enroll DmGetAadDeviceTokenWithDiscovery with Application ID (Message1): Status (HRESULT).
#Event ID 90: Auto MDM Enroll Get AAD Token: Device Credential (HexInt1), Resource Url (Message1), Resource Url 2 (Message2), Status (HRESULT).
#Event ID 90: Auto MDM Enroll Get AAD Token: Device Credential (HexInt1), Resource Url (Message1), Resource Url 2 (Message2), Status (HRESULT).
#Event ID 91: Auto MDM Enroll Enrollment Information: AadResourceUrl (Message1), DiscoveryServiceFullUrl (Message2), TenantID (Message3), Upn (Message4).
#Event ID 91: Auto MDM Enroll Enrollment Information: AadResourceUrl (Message1), DiscoveryServiceFullUrl (Message2), TenantID (Message3), Upn (Message4).
#Event ID 92: MDM Unenroll due to the NT User who enrolled being deleted from the device (HRESULT).
#Event ID 92: MDM Unenroll due to the NT User who enrolled being deleted from the device (HRESULT).
#Event ID 93: Function Name: (Message1) HRESULT:(HRESULT).
#Event ID 94: CanEnroll Error: Found existing enrollment(s) of same type (UInt1), enrollmentIds: (Message1).
#Event ID 94: CanEnroll Error: Found existing enrollment(s) of same type (UInt1), enrollmentIds: (Message1).
#Event ID 95: CanEnroll Error: Found existing other enrollment(s) enrollmentId/EnrollmentType: (Message1).
#Event ID 95: CanEnroll Error: Found existing other enrollment(s) enrollmentId/EnrollmentType: (Message1).
#Event ID 96: CanEnroll Error: MDM enrollment is not allowed.
#Description
CanEnroll Error: MDM enrollment is not allowed. An external management agent or Group Policy has blocked MDM enrollment.
Message #
Event ID 96: CanEnroll Error: MDM enrollment is not allowed.
#Description
CanEnroll Error: MDM enrollment is not allowed. An external management agent or Group Policy has blocked MDM enrollment.
Message #
Event ID 97: CanEnroll Error: MDM enrollment is not allowed due to failed license check with HRESULT: (HRESULT).
#Event ID 97: CanEnroll Error: MDM enrollment is not allowed due to failed license check with HRESULT: (HRESULT).
#Event ID 98: CanEnroll Error: MDM enrollment is not allowed due to failed access check(administrator or allowed user, capability check) with HRESULT: (HRESULT).
#Event ID 98: CanEnroll Error: MDM enrollment is not allowed due to failed access check(administrator or allowed user, capability check) with HRESULT: (HRESULT).
#Event ID 99: CanEnroll Error: MDM enrollment is not allowed due to existing tenant found Type: (UInt1).
#Event ID 99: CanEnroll Error: MDM enrollment is not allowed due to existing tenant found Type: (UInt1).
#Event ID 100: Offline Domain Join: Could not establish connectivity after time: (HexInt1) milliseconds.
#Event ID 101: Offline Domain Join: Established connectivity after time: (HexInt1) milliseconds.
#Event ID 102: Offline Domain Join: Failed to connect VPN: (Message1).
#Event ID 103: Offline Domain Join: Connected VPN: (Message1).
#Event ID 104: Offline Domain Join: Failed to enumerate the VPNs.
#Event ID 105: Offline Domain Join: Attempting to get the DC name.
#Event ID 106: Offline Domain Join: Attempting to ping the DC.
#Event ID 107: Offline Domain Join: Applying offline domain join blob succeeded.
#Event ID 108: Offline Domain Join: Applying offline domain join blob failed.
#Event ID 109: Offline Domain Join: Setting Domain join connectivity state to: (HexInt1).
#Event ID 110: Offline Domain Join: Current Domain join connectivity state is: (HexInt1).
#Event ID 111: Offline Domain Join: Starting wait for offline domain join blob.
#Event ID 112: MDM Enroll: OMA-DM polling user schedule set up failed.
#Event ID 113: MDM Enroll: OMA-DM polling schedule set up for multiple session failed.
#Event ID 200: MDM Session: OMA-DM message sent.
#Description
MDM Session: OMA-DM message sent.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 200,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:05.490052+00:00",
"event_record_id": 663,
"correlation": {},
"execution": {
"process_id": 6736,
"thread_id": 11860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {},
"message": ""
}
Event ID 200: MDM Session: OMA-DM message sent.
#Description
MDM Session: OMA-DM message sent.
Message #
Event ID 201: MDM Session: OMA-DM message failed to be sent.
#Description
MDM Session: OMA-DM message failed to be sent. Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
HRESULT HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 201,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T01:38:05.534621+00:00",
"event_record_id": 109,
"correlation": {},
"execution": {
"process_id": 5640,
"thread_id": 4564
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"HRESULT": "0x80072f0c"
},
"message": ""
}
Event ID 201: MDM Session: OMA-DM message failed to be sent.
#Event ID 202: MDM Session: OMA-DM server message received and parsed successfully.
#Description
MDM Session: OMA-DM server message received and parsed successfully.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 202,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:05.490420+00:00",
"event_record_id": 664,
"correlation": {},
"execution": {
"process_id": 6736,
"thread_id": 11860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 202: MDM Session: OMA-DM server message received and parsed successfully.
#Description
MDM Session: OMA-DM server message received and parsed successfully.
Message #
Event ID 203: MDM Session: OMA-DM server message parsing failed.
#Event ID 203: MDM Session: OMA-DM server message parsing failed.
#Event ID 204: MDM Session: OMA-DM client failed to connect to the server.
#Event ID 204: MDM Session: OMA-DM client failed to connect to the server.
#Event ID 205: MDM Session: OMA-DM client started.
#Description
MDM Session: OMA-DM client started. CV: (Message1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 AnsiString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 205,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:01.988413+00:00",
"event_record_id": 648,
"correlation": {},
"execution": {
"process_id": 6736,
"thread_id": 11860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "urVXZ8kSLk69vXXSFwVTgA.0.0.25"
},
"message": ""
}
Event ID 205: MDM Session: OMA-DM client started.
#Event ID 206: MDM Session: OMA-DM session Init: UserSID(Message1), EnrolledUser(UInt2), UserToken(UInt3), DeviceToken(UInt4), EnrollmentType(UInt5), SyncType(UInt6).
#Description
MDM Session: OMA-DM session Init: UserSID(Message1), EnrolledUser(UInt2), UserToken(UInt3), DeviceToken(UInt4), EnrollmentType(UInt5), SyncType(UInt6).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
UInt2 UInt32 | |
UInt3 UInt32 | |
UInt4 UInt32 | |
UInt5 UInt32 | |
UInt6 UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 206,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:02.030240+00:00",
"event_record_id": 651,
"correlation": {},
"execution": {
"process_id": 6736,
"thread_id": 11860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "S-1-5-21-3407486967-1585450050-1838039599-1000",
"UInt2": 1,
"UInt3": 0,
"UInt4": 0,
"UInt5": 0,
"UInt6": 3
},
"message": ""
}
Event ID 206: MDM Session: OMA-DM session Init: UserSID(Message1), EnrolledUser(UInt2), UserToken(UInt3), DeviceToken(UInt4), EnrollmentType(UInt5), SyncType(UInt6).
#Event ID 207: MDM Session: Alert type (Message1) and event type (HRESULT) sent to server to indicate user login status.
#Event ID 207: MDM Session: Alert type (Message1) and event type (HRESULT) sent to server to indicate user login status.
#Event ID 208: MDM Session: OMA-DM session started for EnrollmentID (Message1) with server: (Message2), Server version: (Message3), Client Version: (Message4), PushRouterOrigin: (HexInt1), Us...
#Description
MDM Session: OMA-DM session started for EnrollmentID (Message1) with server: (Message2), Server version: (Message3), Client Version: (Message4), PushRouterOrigin: (HexInt1), UserAgentOrigin: (HexInt2), Initiator: (HexInt3), Mode: (HexInt4), SessionID: (UInt1), Authentication Type: (UInt2).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 | |
HexInt3 HexInt32 | |
HexInt4 HexInt32 | |
UInt1 UInt32 | |
UInt2 UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 208,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:02.155014+00:00",
"event_record_id": 652,
"correlation": {},
"execution": {
"process_id": 6736,
"thread_id": 11860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "69C01DBD-8068-44F9-9507-8A9DF76C127A",
"Message2": "MiradoreMDM",
"Message3": "NULL",
"Message4": "1.2",
"HexInt1": "0x3",
"HexInt2": "0x2",
"HexInt3": "0x0",
"HexInt4": "0x2",
"UInt1": 26,
"UInt2": 3
},
"message": ""
}
Event ID 208: MDM Session: OMA-DM session started for EnrollmentID (Message1) with server: (Message2), Server version: (Message3), Client Version: (Message4), PushRouterOrigin: (HexInt1), Us...
#Event ID 209: MDM Session: OMA-DM session ended with status: (HRESULT).
#Description
MDM Session: OMA-DM session ended with status: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
HRESULT HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 209,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:05.499293+00:00",
"event_record_id": 665,
"correlation": {},
"execution": {
"process_id": 6736,
"thread_id": 11860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"HRESULT": "0x0"
},
"message": ""
}
Event ID 209: MDM Session: OMA-DM session ended with status: (HRESULT).
#Event ID 210: MDM Session: OMA-DM client stopped with status: (HRESULT).
#Event ID 211: MDM Session: ExpiryTime triggered, Last successful server sync time (Message1), LocalTime (Message2), ExpiryTime (HexInt1) days.
#Event ID 212: MDM Session: Failed to get AAD Token for sync session User Token: (HRESULT1) Device Token: (HRESULT2).
#Event ID 212: MDM Session: Failed to get AAD Token for sync session User Token: (HRESULT1) Device Token: (HRESULT2).
#Event ID 213: MDM Session OmaDmVerboseTrace: Buffer: (Message1), BucketNumber: (HexInt1), BufferLength: (HexInt2).
#Event ID 214: MDM Session OmaDmVerboseTrace: Buffer: (Message1), BucketNumber: (HexInt1), BufferLength: (HexInt2).
#Event ID 215: MDM Session: Failure at Stage: (Message1), Result: (HRESULT).
#Event ID 216: MDM Session: OmaDmHttpHeaderAlert.
#Event ID 217: MDM Session: OmaDmMultipleMessagesInPackageContinue.
#Event ID 218: MDM Session: ClientCertificateMissing.
#Event ID 219: MDM Session: OmaDmLoadSession.
#Event ID 220: MDM Session: OmaDmOrphanedSession.
#Event ID 221: MDM Session: Alert type (Message1) and event type (HRESULT) sent to client to indicate user login status.
#Event ID 222: MDM Session: OmaDmMultipleMessagesInPackage.
#Event ID 223: MDM Session: GetTargetUserSidEnrolledUserNotLogon.
#Event ID 224: MDM Session: DmGetAadUserTokenFailure.
#Event ID 224: MDM Session: DmGetAadUserTokenFailure.
#Event ID 225: MDM Session: Event Start.
#Event ID 226: MDM Session: LogServerSideTimeSaved.
#Event ID 227: LogMeasure.
#Event ID 228: FunctionEntry.
#Event ID 229: FunctionExit.
#Event ID 230: MDM Session: Alert type (Message1), alert data (Message2) and event type (HexInt1) sent to server to indicate update status.
#Event ID 230: MDM Session: Alert type (Message1), alert data (Message2) and event type (HexInt1) sent to server to indicate update status.
#Event ID 231: MDM Session: DmGetAadUserTokenFailure.
#Event ID 231: MDM Session: DmGetAadTokenRetryOnExpiration.
#Event ID 232: MDM Session: DmInvalidateAadUserTokenFailure.
#Event ID 232: MDM Session: DmInvalidateAadUserTokenFailure.
#Event ID 233: MDM Session: Container syncML response XML parser: Result:(HexInt1) HRESULT.
#Event ID 233: MDM Session: Container syncML response XML parser: Result:(HexInt1) HRESULT.
#Event ID 234: MDM Session: HostOs syncML response XML length: HexInt1, Container syncML response XML length: HexInt2.
#Event ID 234: MDM Session: HostOs syncML response XML length: HexInt1, Container syncML response XML length: HexInt2.
#Event ID 235: MDM Session: Container syncML response XML: Message1.
#Event ID 236: DM Session: Container session has no SessionID.
#Event ID 237: DM Session: ContainerFunctionExit.
#Event ID 238: DM Session: ContainerCallbackEvent.
#Event ID 239: MDM Session: Host OS and Container Response XML Status content mismatch: Message1.
#Event ID 240: MDM Session: Host OS and Container Response XML Status count mismatch.
#Event ID 241: MDM Session: Host OS and Container Response XML Http status mismatch.
#Description
MDM Session: Host OS and Container Response XML Http status mismatch. Info: Message1, Host OS http status: Message2. Container http status: Message3. Taking Host OS: UInt1. Result:(UInt2) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
UInt1 UInt32 | |
UInt2 UInt32 | |
HRESULT HexInt32 |
Event ID 242: MDM Session: Host OS and Container Response XML Result content mismatch.
#Event ID 243: MDM Session: Host OS and Container Response XML Result Item count mismatch.
#Description
MDM Session: Host OS and Container Response XML Result Item count mismatch. Info: Message1. Host OS Item count: HexInt1, Container Item count: HexInt2. Result:(HexInt3) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 | |
HexInt3 HexInt32 | |
HRESULT HexInt32 |
Event ID 244: MDM Session: Host OS and Container Response XML Result Item data mismatch.
#Description
MDM Session: Host OS and Container Response XML Result Item data mismatch. Info: . Host OS Results Item data: , Container Results Item data: , Status index: , Result Item index. Result:() .
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
UInt1 UInt32 | |
UInt2 UInt32 | |
UInt3 UInt32 | |
HRESULT HexInt32 |
Event ID 245: DM Container: Orchestrator Refresh is triggered.
#Event ID 246: DM Container: Configuration Completion Task is scheduled.
#Event ID 247: DM Container: Unenrollment is triggered.
#Event ID 248: DM Container: Result change is notified.
#Event ID 249: DM Container: Declared Configuration result is get.
#Event ID 250: DM Container: Declared Configuration result is set.
#Event ID 251: DM Container: Declared Configuration result is set with failure: EnrollmentId: (Message1), ContainerId: (Message2), Result: (HRESULT).
#Event ID 252: DM Container: Result of gathering setting provider settings: ProviderName: (Message1), User: (Boolean1), SettingFlag: (HexInt1), SettingDataLength: (UInt1), TimeUsed: ...
#Description
DM Container: Result of gathering setting provider settings: ProviderName: (Message1), User: (Boolean1), SettingFlag: (HexInt1), SettingDataLength: (UInt1), TimeUsed: (UInt2), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Boolean1 Boolean | |
HexInt1 HexInt32 | |
UInt1 UInt32 | |
UInt2 UInt32 | |
HRESULT HexInt32 |
Event ID 253: DM Container: Result of applying setting provider settings: ProviderName: (Message1), User: (Boolean1), SettingFlag: (HexInt1), SettingDataLength: (UInt1), TimeUsed.
#Description
DM Container: Result of applying setting provider settings: ProviderName: (Message1), User: (Boolean1), SettingFlag: (HexInt1), SettingDataLength: (UInt1), TimeUsed: (UInt2), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Boolean1 Boolean | |
HexInt1 HexInt32 | |
UInt1 UInt32 | |
UInt2 UInt32 | |
HRESULT HexInt32 |
Event ID 254: DM Container: Result of InitializeContainer: Duration: (UInt1), nestedVirtualization: (Boolean1), Result: (HexInt2).
#Event ID 255: MDM Session: DmGetAadDeviceMdmResourceUrlFailure.
#Event ID 255: MDM Session: DmGetAadDeviceMdmResourceUrlFailure.
#Event ID 256: OmaDmLogOmaDmApiInitiateSession: Result: (HRESULT1), Account Id: (Message2), Initiation Id: (Message3), Mode: (UInt4), Origin: (UInt5), AutoDelete: (Boolean6), Alert Count: (UInt7)...
#Description
OmaDmLogOmaDmApiInitiateSession: Result: (HRESULT1), Account Id: (Message2), Initiation Id: (Message3), Mode: (UInt4), Origin: (UInt5), AutoDelete: (Boolean6), Alert Count: (UInt7), First Alert Name: (Message8), User Sid: (Message9), User Only: (Boolean10), All Active Users: (Boolean11), Process Name: (Message12), System Or Admin: (Boolean13).
Message #
Fields #
| Name | Description |
|---|---|
HRESULT1 HexInt32 | |
Message2 UnicodeString | |
Message3 UnicodeString | |
UInt4 UInt32 | |
UInt5 UInt32 | |
Boolean6 Boolean | |
UInt7 UInt32 | |
Message8 UnicodeString | |
Message9 UnicodeString | |
Boolean10 Boolean | |
Boolean11 Boolean | |
Message12 UnicodeString | |
Boolean13 Boolean |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 256,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:01.766502+00:00",
"event_record_id": 646,
"correlation": {},
"execution": {
"process_id": 11564,
"thread_id": 3140
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"HRESULT1": "0x0",
"Message2": "69C01DBD-8068-44F9-9507-8A9DF76C127A",
"Message3": "{41CCA717-5C3A-42DE-AEF7-8B805955A207}",
"UInt4": 2,
"UInt5": 3,
"Boolean6": true,
"UInt7": 0,
"Message8": "NULL",
"Message9": "NULL",
"Boolean10": false,
"Boolean11": false,
"Message12": "C:\\Windows\\system32\\deviceenroller.exe",
"Boolean13": true
},
"message": ""
}
Event ID 256: OmaDmLogOmaDmApiInitiateSession: Result: (HRESULT1), Account Id: (Message2), Initiation Id: (Message3), Mode: (UInt4), Origin: (UInt5), AutoDelete: (Boolean6), Alert Count: (UInt7)...
#Event ID 257: MDM Session: OMA-DM session started: Session ID(UInt1), Server ID(Message2), User SID(Message3), Initiation ID(Message4), Origin(UInt5).
#Description
MDM Session: OMA-DM session started: Session ID(UInt1), Server ID(Message2), User SID(Message3), Initiation ID(Message4), Origin(UInt5).
Message #
Fields #
| Name | Description |
|---|---|
UInt1 UInt32 | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
UInt5 UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 257,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:02.006036+00:00",
"event_record_id": 649,
"correlation": {},
"execution": {
"process_id": 6736,
"thread_id": 11860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"UInt1": 26,
"Message2": "69C01DBD-8068-44F9-9507-8A9DF76C127A",
"Message3": "NULL",
"Message4": "Software\\Microsoft\\Provisioning\\OMADM\\Sessions\\69C01DBD-8068-44F9-9507-8A9DF76C127A\\{41CCA717-5C3A-42DE-AEF7-8B805955A207}",
"UInt5": 3
},
"message": ""
}
Event ID 257: MDM Session: OMA-DM session started: Session ID(UInt1), Server ID(Message2), User SID(Message3), Initiation ID(Message4), Origin(UInt5).
#Event ID 258: MDM Session: OMA-DM session Loaded: Initiation ID(Message1), Status(HRESULT2), Total Count(UInt3), Orphaned Count(UInt4), Loaded Count(UInt5), Parent Initiation ID(Message6),...
#Description
MDM Session: OMA-DM session Loaded: Initiation ID(Message1), Status(HRESULT2), Total Count(UInt3), Orphaned Count(UInt4), Loaded Count(UInt5), Parent Initiation ID(Message6), Completed Count(UInt7).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
HRESULT2 HexInt32 | |
UInt3 UInt32 | |
UInt4 UInt32 | |
UInt5 UInt32 | |
Message6 UnicodeString | |
UInt7 UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 258,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:02.017479+00:00",
"event_record_id": 650,
"correlation": {},
"execution": {
"process_id": 6736,
"thread_id": 11860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "Software\\Microsoft\\Provisioning\\OMADM\\Sessions\\69C01DBD-8068-44F9-9507-8A9DF76C127A\\{41CCA717-5C3A-42DE-AEF7-8B805955A207}",
"HRESULT2": "0x0",
"UInt3": 1,
"UInt4": 0,
"UInt5": 1,
"Message6": "NULL",
"UInt7": 0
},
"message": ""
}
Event ID 258: MDM Session: OMA-DM session Loaded: Initiation ID(Message1), Status(HRESULT2), Total Count(UInt3), Orphaned Count(UInt4), Loaded Count(UInt5), Parent Initiation ID(Message6),...
#Description
MDM Session: OMA-DM session Loaded: Initiation ID(Message1), Status(HRESULT2), Total Count(UInt3), Orphaned Count(UInt4), Loaded Count(UInt5), Parent Initiation ID(Message6), Completed Count(UInt7).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
HRESULT2 HexInt32 | |
UInt3 UInt32 | |
UInt4 UInt32 | |
UInt5 UInt32 | |
Message6 UnicodeString | |
UInt7 UInt32 |
Event ID 259: MDM Session: OMA-DM session Handled: Account ID(Message1), Initiation ID(Message2), Session ID(UInt3), Initiator(UInt4), Origin(UInt5).
#Description
MDM Session: OMA-DM session Handled: Account ID(Message1), Initiation ID(Message2), Session ID(UInt3), Initiator(UInt4), Origin(UInt5).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
UInt3 UInt32 | |
UInt4 UInt32 | |
UInt5 UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 259,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:01.910679+00:00",
"event_record_id": 647,
"correlation": {},
"execution": {
"process_id": 2476,
"thread_id": 7860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "69C01DBD-8068-44F9-9507-8A9DF76C127A",
"Message2": "Software\\Microsoft\\Provisioning\\OMADM\\Sessions\\69C01DBD-8068-44F9-9507-8A9DF76C127A\\{41CCA717-5C3A-42DE-AEF7-8B805955A207}",
"UInt3": 0,
"UInt4": 0,
"UInt5": 3
},
"message": ""
}
Event ID 259: MDM Session: OMA-DM session Handled: Account ID(Message1), Initiation ID(Message2), Session ID(UInt3), Initiator(UInt4), Origin(UInt5).
#Event ID 260: MDM Session: OMA-DM Retry Session Scheduled: Account ID(Message1), Retry Count(UInt2), status(HexInt3).
#Event ID 260: MDM Session: OMA-DM Retry Session Scheduled: Account ID(Message1), Retry Count(UInt2), status(HexInt3).
#Event ID 261: MDM Session: OMA-DM Retry Session Processed: Account ID(Message1), Retry Count(UInt2), Total Count(UInt3), status(HexInt4).
#Event ID 261: MDM Session: OMA-DM Retry Session Processed: Account ID(Message1), Retry Count(UInt2), Total Count(UInt3), status(HexInt4).
#Event ID 262: MDM Session: OMA-DM Retry Session Deleted: Account ID(Message1), Retry Count(UInt2), Total Count(UInt3), status(HexInt4).
#Event ID 262: MDM Session: OMA-DM Retry Session Deleted: Account ID(Message1), Retry Count(UInt2), Total Count(UInt3), status(HexInt4).
#Event ID 263: MDM Session: OMA-DM user logon sessions handled: Account ID(Message1), Count(UInt2), status(HexInt3).
#Event ID 263: MDM Session: OMA-DM user logon sessions handled: Account ID(Message1), Count(UInt2), status(HexInt3).
#Event ID 264: MDM Session: OMA-DM sessions handled: User SID (Message1), Account ID(Message2), Initiation ID(Message3), User Only(UInt4), All Active Users(UInt5), Session Result (HexInt6), R...
#Description
MDM Session: OMA-DM sessions handled: User SID (Message1), Account ID(Message2), Initiation ID(Message3), User Only(UInt4), All Active Users(UInt5), Session Result (HexInt6), Result(HexInt7).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
UInt4 UInt32 | |
UInt5 UInt32 | |
HexInt6 HexInt32 | |
HexInt7 HexInt32 |
Event ID 265: MDM Session: OMA-DM sessions triggered: User SID (Message1), Account ID(Message2), Initiation ID(Message3), Parent Initiation ID(Message4), Origin(UInt5), Session ID(UInt6), Ses...
#Description
MDM Session: OMA-DM sessions triggered: User SID (Message1), Account ID(Message2), Initiation ID(Message3), Parent Initiation ID(Message4), Origin(UInt5), Session ID(UInt6), Sessions Queued (UInt7), Session Result (HRESULT8), Result(HRESULT9).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
UInt5 UInt32 | |
UInt6 UInt32 | |
UInt7 UInt32 | |
HRESULT8 HexInt32 | |
HRESULT9 HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 265,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-03-12T02:51:06.035738+00:00",
"event_record_id": 7362,
"correlation": {},
"execution": {
"process_id": 2476,
"thread_id": 7860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "NULL",
"Message2": "69C01DBD-8068-44F9-9507-8A9DF76C127A",
"Message3": "Software\\Microsoft\\Provisioning\\OMADM\\Sessions\\69C01DBD-8068-44F9-9507-8A9DF76C127A\\{41CCA717-5C3A-42DE-AEF7-8B805955A207}",
"Message4": "NULL",
"UInt5": 3,
"UInt6": 0,
"UInt7": 0,
"HRESULT8": "0x0",
"HRESULT9": "0x0"
},
"message": ""
}
Event ID 266: MDM Session: OMA-DM sessions completed: User SID (Message1), Account ID(Message2), Initiation ID(Message3), Parent Initiation ID(Message4), Origin(UInt5), Session ID(UInt6), Ses...
#Description
MDM Session: OMA-DM sessions completed: User SID (Message1), Account ID(Message2), Initiation ID(Message3), Parent Initiation ID(Message4), Origin(UInt5), Session ID(UInt6), Sessions Queued (UInt7), Session Result (HRESULT8), Result(HRESULT9).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
UInt5 UInt32 | |
UInt6 UInt32 | |
UInt7 UInt32 | |
HRESULT8 HexInt32 | |
HRESULT9 HexInt32 |
Event ID 267: MDM Session: OMA-DM sessions failed to wait for shell ready: Result (HRESULT).
#Event ID 267: MDM Session: OMA-DM sessions failed to wait for shell ready: Result (HRESULT).
#Event ID 268: MDM Session: OMA-DM sessions wait for shell ready: Wait Time in Seconds: (UInt1), Result (HexInt1).
#Event ID 268: MDM Session: OMA-DM sessions wait for shell ready: Wait Time in Seconds: (UInt1), Result (HexInt1).
#Event ID 269: MDM Session: OMA-DM sessions all active users: Account ID(Message1), Initiation ID(Message2), Active Users(UInt3), Sessions Queued (UInt4), Result(HRESULT5).
#Event ID 270: MDM Session: OMA-DM sessions active user triggered: User SID (Message1), Account ID(Message2), Initiation ID(Message3), Parent Initiation ID(Message4), Session ID(UInt5), Use...
#Description
MDM Session: OMA-DM sessions active user triggered: User SID (Message1), Account ID(Message2), Initiation ID(Message3), Parent Initiation ID(Message4), Session ID(UInt5), User Index (UInt6), Sessions Queued (UInt7).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
UInt5 UInt32 | |
UInt6 UInt32 | |
UInt7 UInt32 |
Event ID 271: MDM Session: OMA-DM sessions initialization: CPUs (UInt1), NumAllowedConcurrentUserSessionForBackgroundSync (UInt2), NumAllowedConcurrentUserSessionAtUse...
#Event ID 272: Device token MDM recovery successful
#Description
Device token MDM recovery successful.
Message #
Event ID 272: Device token MDM recovery successful
#Description
Device token MDM recovery successful.
Message #
Event ID 273: Device token MDM recovery failed.
#Event ID 273: Device token MDM recovery failed.
#Event ID 274: User token MDM recovery successful
#Description
User token MDM recovery successful.
Message #
Event ID 274: User token MDM recovery successful
#Description
User token MDM recovery successful.
Message #
Event ID 275: User token MDM recovery failed.
#Event ID 275: User token MDM recovery failed.
#Event ID 277: Toast for MDM recovery failed.
#Event ID 277: Toast for MDM recovery failed.
#Event ID 278: MDM recovery conditions detected.
#Event ID 279: MDM recovery maximum attempts have been reached
#Description
MDM recovery maximum attempts have been reached.
Message #
Event ID 279: MDM recovery maximum attempts have been reached
#Description
MDM recovery maximum attempts have been reached.
Message #
Event ID 280: MDM Session: Failure during retry session.
#Description
An expired cert was chosen to use for OMA-DM Sync.
Fields #
| Name | Description |
|---|---|
param1 | |
param2 | |
param3 | |
param4 |
Event ID 280: An expired cert was chosen to use for OMA-DM Sync
#Description
An expired cert was chosen to use for OMA-DM Sync.
Message #
Event ID 281: MDM Session: Retry session succeeded.
#Description
LogMeasureWithHresult. EventData: (), Tag: (), Result: ().
Fields #
| Name | Description |
|---|---|
Message1 | |
HexInt1 | |
HRESULT |
Event ID 281: LogMeasureWithHresult.
#Event ID 282: MDM Session: Failure during retry session.
#Event ID 282: MDM Session: Failure during retry session
#Description
MDM Session: Failure during retry session. AccountID (), InitiationID (), Function (), HRESULT ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
HRESULT HexInt32 |
Event ID 283: MDM Session: Retry session succeeded.
#Event ID 283: MDM Session: Retry session succeeded
#Description
MDM Session: Retry session succeeded. AccountID (), InitiationID (), HRESULT ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
HRESULT HexInt32 |
Event ID 284: MDM Session: AccountID (Message1), Function (Message2), HRESULT (HRESULT).
#Event ID 284: MDM Session: AccountID (Message1), Function (Message2), HRESULT (HRESULT)
#Description
MDM Session: AccountID (), Function (), HRESULT ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
HRESULT HexInt32 |
Event ID 285: MDM Session: Request to store session info for retry failed for AccountID (Message1) with delay (UInt2) and HRESULT (HexInt3).
#Event ID 285: MDM Session: Request to store session info for retry failed for AccountID (Message1) with delay (UInt2) and HRESULT (HexInt3)
#Description
MDM Session: Request to store session info for retry failed for AccountID () with delay () and HRESULT ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
UInt2 UInt32 | |
HexInt3 HexInt32 |
Event ID 286: MDM Session: Request to store session info for retry succeeded for AccountID (Message1) with delay (UInt2) and HRESULT (HexInt3).
#Event ID 286: MDM Session: Request to store session info for retry succeeded for AccountID (Message1) with delay (UInt2) and HRESULT (HexInt3)
#Description
MDM Session: Request to store session info for retry succeeded for AccountID () with delay () and HRESULT ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
UInt2 UInt32 | |
HexInt3 HexInt32 |
Event ID 287: MDM Session: OMA-DM Retry Session Scheduled: Account ID(Message1), Initiation ID(Message2), Retry Count(UInt1), status(HexInt1)
#Description
MDM Session: OMA-DM Retry Session Scheduled: Account ID(), Initiation ID(), Retry Count(), status().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
UInt1 UInt32 | |
HexInt1 HexInt32 |
Event ID 287: MDM Session: OMA-DM Retry Session Scheduled: Account ID(Message1), Initiation ID(Message2), Retry Count(UInt1), status(HexInt1).
#Event ID 288: MDM Session: DmGetAadTokenReturnExpiredToken.
#Description
MDM Session: DmGetAadTokenReturnExpiredToken. Interactive: (), Device: (), ExpirationTime: (), CurrentTime: (), BufferTimeInSeconds: ().
Fields #
| Name | Description |
|---|---|
HexInt1 | |
HexInt2 | |
FileTime1 | |
FileTime2 | |
UInt11 |
Event ID 288: MDM Session: DmGetAadTokenReturnExpiredToken
#Description
MDM Session: DmGetAadTokenReturnExpiredToken. Interactive: (), Device: (), ExpirationTime: (), CurrentTime: (), BufferTimeInSeconds: ().
Fields #
| Name | Description |
|---|---|
HexInt1 HexInt32 | |
HexInt2 HexInt32 | |
FileTime1 FILETIME | |
FileTime2 FILETIME | |
UInt11 UInt32 |
Event ID 288: MDM Session: DmGetAadTokenReturnExpiredToken.
#Event ID 289: MDM Session: OMA-DM sessions wait for shell ready: Wait Time in Seconds: (.
#Description
MDM Session: OMA-DM sessions wait for shell ready: Wait Time in Seconds: (), Result (), Original Result ().
Fields #
| Name | Description |
|---|---|
UInt1 | |
HexInt1 | |
HexInt2 |
Event ID 289: MDM Session: OMA-DM sessions wait for shell ready: Wait Time in Seconds: (UInt1), Result (HexInt1), Original Result (HexInt2)
#Description
MDM Session: OMA-DM sessions wait for shell ready: Wait Time in Seconds: (), Result (), Original Result ().
Fields #
| Name | Description |
|---|---|
UInt1 UInt32 | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 |
Event ID 289: MDM Session: OMA-DM sessions wait for shell ready: Wait Time in Seconds: (UInt1), Result (HexInt1), Original Result (HexInt2).
#Event ID 290: MDM Session: DmGetAadTokenExpired.
#Description
MDM Session: DmGetAadTokenExpired. Interactive: (), Device: (), ExpirationTime: (), CurrentTime: (), BufferTimeInSeconds: ().
Fields #
| Name | Description |
|---|---|
HexInt1 | |
HexInt2 | |
FileTime1 | |
FileTime2 | |
UInt11 |
Event ID 290: MDM Session: DmGetAadTokenExpired
#Description
MDM Session: DmGetAadTokenExpired. Interactive: (), Device: (), ExpirationTime: (), CurrentTime: (), BufferTimeInSeconds: ().
Fields #
| Name | Description |
|---|---|
HexInt1 HexInt32 | |
HexInt2 HexInt32 | |
FileTime1 FILETIME | |
FileTime2 FILETIME | |
UInt11 UInt32 |
Event ID 290: MDM Session: DmGetAadTokenExpired.
#Event ID 291: MDM Session: Process retry session succeeded: Account ID(Message1), Initiation ID(Message2), Function(Message3), SubFunction(Message4), HRESULT(HRESULT)
#Description
MDM Session: Process retry session succeeded: Account ID(), Initiation ID(), Function(), SubFunction(), HRESULT().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HRESULT HexInt32 |
Event ID 291: MDM Session: Process retry session succeeded: Account ID(Message1), Initiation ID(Message2), Function(Message3), SubFunction(Message4), HRESULT(HRESULT).
#Description
MDM Session: Process retry session succeeded: Account ID(Message1), Initiation ID(Message2), Function(Message3), SubFunction(Message4), HRESULT(HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HRESULT HexInt32 |
Event ID 292: MDM Session: Process retry session failed: Account ID(Message1), Initiation ID(Message2), Function(Message3), SubFunction(Message4), HRESULT(HRESULT)
#Description
MDM Session: Process retry session failed: Account ID(), Initiation ID(), Function(), SubFunction(), HRESULT().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HRESULT HexInt32 |
Event ID 292: MDM Session: Process retry session failed: Account ID(Message1), Initiation ID(Message2), Function(Message3), SubFunction(Message4), HRESULT(HRESULT).
#Event ID 293: MDM Session: Schedule retry session succeeded: Account ID(Message1), Initiation ID(Message2), Function(Message3), SubFunction(Message4), HRESULT(HRESULT)
#Description
MDM Session: Schedule retry session succeeded: Account ID(), Initiation ID(), Function(), SubFunction(), HRESULT().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HRESULT HexInt32 |
Event ID 293: MDM Session: Schedule retry session succeeded: Account ID(Message1), Initiation ID(Message2), Function(Message3), SubFunction(Message4), HRESULT(HRESULT).
#Description
MDM Session: Schedule retry session succeeded: Account ID(Message1), Initiation ID(Message2), Function(Message3), SubFunction(Message4), HRESULT(HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HRESULT HexInt32 |
Event ID 294: MDM Session: Schedule retry session failed: Account ID(Message1), Initiation ID(Message2), Function(Message3), SubFunction(Message4), HRESULT(HRESULT)
#Description
MDM Session: Schedule retry session failed: Account ID(), Initiation ID(), Function(), SubFunction(), HRESULT().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HRESULT HexInt32 |
Event ID 294: MDM Session: Schedule retry session failed: Account ID(Message1), Initiation ID(Message2), Function(Message3), SubFunction(Message4), HRESULT(HRESULT).
#Event ID 295: MDM Session: Retry recovery succeeded: Account ID(Message1), Function(Message2), SubFunction(Message3), HRESULT(HRESULT)
#Description
MDM Session: Retry recovery succeeded: Account ID(), Function(), SubFunction(), HRESULT().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
HRESULT HexInt32 |
Event ID 295: MDM Session: Retry recovery succeeded: Account ID(Message1), Function(Message2), SubFunction(Message3), HRESULT(HRESULT).
#Event ID 296: MDM Session: Retry recovery failed: Account ID(Message1), Function(Message2), SubFunction(Message3), HRESULT(HRESULT)
#Description
MDM Session: Retry recovery failed: Account ID(), Function(), SubFunction(), HRESULT().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
HRESULT HexInt32 |
Event ID 296: MDM Session: Retry recovery failed: Account ID(Message1), Function(Message2), SubFunction(Message3), HRESULT(HRESULT).
#Event ID 301: SCEP: Failed CspCreateInstance of Node : (Message1) Result : (HRESULT).
#Event ID 302: SCEP: Failed CspAddNode : (Message1) Result : (HRESULT).
#Event ID 303: SCEP: Failed CspDeleteChild for Node : (Message1) Result : (HRESULT).
#Event ID 304: SCEP: Failed CspGetValue for Node : (Message1) Result : (HRESULT).
#Event ID 305: SCEP: Failed CspSetValue for Node : (Message1) Result : (HRESULT).
#Event ID 306: SCEP: CspExecute for UniqueId : (Message1) InstallUserSid : (Message2) InstallLocation : (Message3) NodePath : (Message4) KeyProtection: (HexInt1) Result : (HexInt3).
#Description
SCEP: CspExecute for UniqueId : (Message1) InstallUserSid : (Message2) InstallLocation : (Message3) NodePath : (Message4) KeyProtection: (HexInt1) Result : (HexInt3).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HexInt1 HexInt32 | |
HexInt3 HexInt32 |
Event ID 307: SCEP: Failed LogError Message : (Message1).
#Event ID 308: SCEP: Failed to send Server request.
#Event ID 309: SCEP: InstallFromRegEntries.
#Description
SCEP: InstallFromRegEntries. CorrelationGuid : (Message1) UniqueId : (Message2) Certificate Thumbprint : (Message3) Respondent Server : (Message4) Install Status : (HexInt1) Current Retry Count : (HexInt2) Result : (HexInt3).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 | |
HexInt3 HexInt32 |
Event ID 310: PFX: Certificate Install.
#Event ID 311: PFX: Certificate Install Failed.
#Event ID 350: First Sync: Deleting first sync key.
#Event ID 351: First Sync: Setting IsSyncDone.
#Event ID 351: First Sync: Setting IsSyncDone.
#Event ID 352: First Sync: Setting ContinueAnyway.
#Event ID 352: First Sync: Setting ContinueAnyway.
#Event ID 353: First Sync: Setting IsServerProvisioningDone.
#Event ID 354: First Sync: Setting AllowCollectLogsButton.
#Event ID 354: First Sync: Setting AllowCollectLogsButton.
#Event ID 355: First Sync: Setting SkipDeviceStatusPage.
#Event ID 355: First Sync: Setting SkipDeviceStatusPage.
#Event ID 356: First Sync: Setting SkipUserStatusPage.
#Event ID 356: First Sync: Setting SkipUserStatusPage.
#Event ID 357: First Sync: Setting TimeoutUntilSyncFailure.
#Event ID 357: First Sync: Setting TimeoutUntilSyncFailure.
#Event ID 358: First Sync: Setting BlockInStatusPage.
#Event ID 358: First Sync: Setting BlockInStatusPage.
#Event ID 359: First Sync: Resetting timeout.
#Event ID 359: First Sync: Resetting timeout.
#Event ID 360: First Sync: Setting DeviceProvisioningStatus.
#Event ID 360: First Sync: Setting DeviceProvisioningStatus.
#Event ID 361: First Sync: Getting DeviceProvisioningStatus.
#Description
First Sync: Getting DeviceProvisioningStatus. EnrollmentID: () Status: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
HRESULT HexInt32 |
Event ID 361: First Sync: Getting DeviceProvisioningStatus.
#Event ID 400: MDM ConfigurationManager: Command failure status.
#Description
MDM ConfigurationManager: Command failure status. Configuration Source ID: (Message1), Enrollment Name: (Message2), Provider Name: (Message3), Command Type: (Message4), CSP URI: (Message5), Result: (HexInt1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 AnsiString | |
Message5 UnicodeString | |
HexInt1 HexInt32 |
Event ID 401: MDM ConfigurationManager: CSP Node Operation.
#Description
MDM ConfigurationManager: CSP Node Operation. Configuration Source ID: (Message1), Enrollment Name: (Message2), Provider Name: (Message3), Operation: (Message4), CSP URI: (Message5), Child URI: (Message6), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
Message6 UnicodeString | |
HRESULT HexInt32 |
Event ID 402: MDM ConfigurationManager: License check.
#Event ID 403: MDM ConfigurationManager: CSP Allow check.
#Event ID 404: MDM ConfigurationManager: Command failure status.
#Description
MDM ConfigurationManager: Command failure status. Configuration Source ID: (Message1), Enrollment Name: (Message2), Provider Name: (Message3), Command Type: (InternalCmdType), CSP URI: (Message5), Result: (HexInt1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
InternalCmdType UInt32 | |
Message5 UnicodeString | |
HexInt1 HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 404,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-12T02:51:05.207419+00:00",
"event_record_id": 662,
"correlation": {},
"execution": {
"process_id": 6736,
"thread_id": 11860
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "69C01DBD-8068-44F9-9507-8A9DF76C127A",
"Message2": "MDMFull",
"Message3": "DMClient",
"InternalCmdType": 1,
"Message5": "./Vendor/MSFT/DMClient/Provider/MiradoreMDM/Push/PFN",
"HexInt1": "0x8000401a"
},
"message": ""
}
Event ID 405: MDM ConfigurationManager: No original URI.
#Event ID 406: MDM PushRouter: Pushrouter failed to start because the dmwappushservice service is disabled.
#Description
MDM PushRouter: Pushrouter failed to start because the dmwappushservice service is disabled.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 406,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-15T23:43:23.939971+00:00",
"event_record_id": 2,
"correlation": {
"ActivityID": "2C21CC49-6A4B-4CBD-9614-B137D7FF6ACE"
},
"execution": {
"process_id": 1912,
"thread_id": 13680
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 450: MDM ConfigurationManager: Command failure status.
#Description
MDM ConfigurationManager: Command failure status. Configuration Source ID: (Message1), Enrollment Name: (Message2), Provider Name: (Message3), Command Type: (Message4), CSP URI: (Message5), Result: (HexInt1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 AnsiString | |
Message5 UnicodeString | |
HexInt1 HexInt32 |
Event ID 451: MDM ConfigurationManager: CSP Node Operation.
#Description
MDM ConfigurationManager: CSP Node Operation. Configuration Source ID: (Message1), Enrollment Name: (Message2), Provider Name: (Message3), Operation: (Message4), CSP URI: (Message5), Child URI: (Message6), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
Message6 UnicodeString | |
HRESULT HexInt32 |
Event ID 452: MDM ConfigurationManager: License check.
#Event ID 453: MDM ConfigurationManager: CSP Allow check.
#Event ID 454: MDM ConfigurationManager: Command failure status.
#Description
MDM ConfigurationManager: Command failure status. Configuraton Source ID: (Message1), Enrollment Type: (Message2), CSP Name: (Message3), Command Type: (InternalCmdType), CSP URI: (Message5), Result: (HexInt1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
InternalCmdType UInt32 | |
Message5 UnicodeString | |
HexInt1 HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 454,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T01:38:05.770736+00:00",
"event_record_id": 116,
"correlation": {},
"execution": {
"process_id": 1872,
"thread_id": 9840
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "43C0DA41-21B4-4245-980F-878D0899119B",
"Message2": "Unknown",
"Message3": "CertificateStore",
"InternalCmdType": 4,
"Message5": "./Vendor/MSFT/CertificateStore/My/User/77AE461422C718FB773BA82A44CC4609879F20EA",
"HexInt1": "0x86000002"
},
"message": ""
}
Event ID 455: MDM ConfigurationManager: Caller did not specify user to impersonate to.
#Description
MDM ConfigurationManager: Caller did not specify user to impersonate to. Targetted user sid: () Result: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
HRESULT HexInt32 |
Event ID 455: MDM ConfigurationManager: Caller did not specify user to impersonate to.
#Event ID 456: MDM ConfigurationManager: CSP Command takes too long in execution.
#Description
MDM ConfigurationManager: CSP Command takes too long in execution. Configuration Source ID: (), Enrollment Name: (), Provider Name: (), Command Type: (), CSP URI: (), Duration: (), Result: ().
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
UInt4 UInt32 | |
Message5 UnicodeString | |
UInt6 UInt32 | |
HexInt7 HexInt32 |
Event ID 457: MDM ConfigurationManager: CSP takes too long in locking.
#Description
MDM ConfigurationManager: CSP takes too long in locking. Configuration Source ID: (Message1), Enrollment Name: (Message2), Provider Name: (Message3), Command Type: (UInt4), CSP URI: (Message5), Duration: (UInt6), Result: (HexInt7).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
UInt4 UInt32 | |
Message5 UnicodeString | |
UInt6 UInt32 | |
HexInt7 HexInt32 |
Event ID 458: MDM ConfigurationManager: Global mutex takes too long in locking.
#Event ID 600: MDM ResourceManager: Resource URI: (Message1), Result: (HRESULT).
#Event ID 601: MDM ResourceManager: DeleteResource EnrollmentID: (Message1) UserSID: (Message2) URI: (Message3).
#Description
MDM ResourceManager: DeleteResource EnrollmentID: (Message1) UserSID: (Message2) URI: (Message3).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 601,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T01:38:05.764037+00:00",
"event_record_id": 114,
"correlation": {},
"execution": {
"process_id": 2768,
"thread_id": 276
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "43C0DA41-21B4-4245-980F-878D0899119B",
"Message2": "device",
"Message3": "./Vendor/MSFT/CertificateStore/My/User/77AE461422C718FB773BA82A44CC4609879F20EA"
},
"message": ""
}
Event ID 700: MDM Registration: Unregister device invoked by exe: (Message1), Result: (HRESULT).
#Event ID 700: MDM Registration: Unregister device invoked by exe: (Message1), Result: (HRESULT).
#Event ID 800: MDM PolicyManager: Dedicated notification (WNF): (HexInt1, HexInt2) published for Policy: (Message1).
#Description
MDM PolicyManager: Dedicated notification (WNF): (HexInt1, HexInt2) published for Policy: (Message1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 800,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-05T22:26:45.458468+00:00",
"event_record_id": 134,
"correlation": {
"ActivityID": "F590C418-1079-0002-E8EA-90F57910DA01"
},
"execution": {
"process_id": 3584,
"thread_id": 3588
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "Power/Policy/Settings/Processor/SchemePersonality/381b4222-f694-41f0-9685-ff5bb260df2e/0aabb002-a307-447e-9b81-1d819df6c6d0/PerfIncreaseThreshold/DcValue",
"HexInt1": "0xa3b7e065",
"HexInt2": "0x41c64e6d"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 801: MDM PolicyManager: Dedicated notification (WNF): (HexInt1, HexInt2) published for Policy: (Message1), Result:(HexInt3) HRESULT.
#Event ID 802: MDM PolicyManager: Area notification (WNF): (HexInt1, HexInt2) published for Area: (Message1).
#Event ID 803: MDM PolicyManager: Area notification (WNF): (HexInt1, HexInt2) published for Area: (Message1), Result:(HexInt3) HRESULT.
#Event ID 804: MDM PolicyManager: Dedicated notification (WNF) WNF_ENTR_REQUIRE_DEVICE_ENCRYPTION_POLICY_VALUE_CHANGED published.
#Description
MDM PolicyManager: Dedicated notification (WNF) WNF_ENTR_REQUIRE_DEVICE_ENCRYPTION_POLICY_VALUE_CHANGED published.
Message #
Event ID 805: MDM PolicyManager: Dedicated notification (WNF) WNF_ENTR_REQUIRE_DEVICE_ENCRYPTION_POLICY_VALUE_CHANGED published.
#Event ID 806: MDM PolicyManager: Merge string, Area: (Message1), Policy: (Message2), EnrollmentID requesting merge: (Message3), Result:(UInt1) HRESULT.
#Event ID 807: MDM PolicyManager: Merge binary, Area: (Message1), Policy: (Message2), EnrollmentID requesting merge: (Message3), Result:(UInt1) HRESULT.
#Event ID 808: MDM PolicyManager: Merge int, Area: (Message1), Policy: (Message2), EnrollmentID requesting merge: (Message3), Result:(UInt1) HRESULT.
#Event ID 809: MDM PolicyManager: Set policy int, Policy: (Message1), Area: (Message2), EnrollmentID requesting set: (Message3), Current User: (Message4), Int: (HexInt1), Enrollment Type.
#Description
MDM PolicyManager: Set policy int, Policy: (Message1), Area: (Message2), EnrollmentID requesting set: (Message3), Current User: (Message4), Int: (HexInt1), Enrollment Type: (HexInt2), Scope: (HexInt3), Result:(HexInt4) HexInt5.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 | |
HexInt3 HexInt32 | |
HexInt4 HexInt32 | |
HexInt5 HexInt32 |
Event ID 810: MDM PolicyManager: Set policy string, Policy: (Message1), Area: (Message2), EnrollmentID requesting set: (Message3), Current User: (Message4), String: (Message5), Enrollment Typ...
#Description
MDM PolicyManager: Set policy string, Policy: (Message1), Area: (Message2), EnrollmentID requesting set: (Message3), Current User: (Message4), String: (Message5), Enrollment Type: (HexInt1), Scope: (HexInt2), Result:(HexInt3) HexInt4.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 | |
HexInt3 HexInt32 | |
HexInt4 HexInt32 |
Event ID 811: MDM PolicyManager: Set policy binary, Policy: (Message1), Area: (Message2), EnrollmentID requesting set: (Message3), Current User: (Message4), Enrollment Type: (HexInt1), Scope...
#Description
MDM PolicyManager: Set policy binary, Policy: (Message1), Area: (Message2), EnrollmentID requesting set: (Message3), Current User: (Message4), Enrollment Type: (HexInt1), Scope: (HexInt2), Result:(HexInt3) HexInt4.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 | |
HexInt3 HexInt32 | |
HexInt4 HexInt32 |
Event ID 812: MDM PolicyManager: Set policy, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), Scope: (HexInt1), Result:(HexInt2) HexInt3.
#Description
MDM PolicyManager: Set policy, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), Scope: (HexInt1), Result:(HexInt2) HexInt3.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 | |
HexInt3 HexInt32 |
Event ID 813: MDM PolicyManager: Set policy int, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), Int: (HexInt1), Enrollment Type.
#Description
MDM PolicyManager: Set policy int, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), Int: (HexInt1), Enrollment Type: (HexInt2), Scope: (HexInt3).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 | |
HexInt3 HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 813,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-05T22:26:45.437445+00:00",
"event_record_id": 172,
"correlation": {
"ActivityID": "F590C418-1079-0002-E8EA-90F57910DA01"
},
"execution": {
"process_id": 3584,
"thread_id": 3588
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "Power/Policy/Settings/Processor/SchemePersonality/381b4222-f694-41f0-9685-ff5bb260df2e/0aabb002-a307-447e-9b81-1d819df6c6d0/PerfIncreaseThreshold/DcValue",
"Message2": "knobs",
"Message3": "fc01e91f-914c-45af-9d7c-0b2e5fbedf62",
"Message4": "device",
"HexInt1": "0x1e",
"HexInt2": "0x1",
"HexInt3": "0x0"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 814: MDM PolicyManager: Set policy string, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), String: (Message5), Enrollment T...
#Description
MDM PolicyManager: Set policy string, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), String: (Message5), Enrollment Type: (HexInt1), Scope: (HexInt2).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 |
Event ID 815: MDM PolicyManager: Set policy binary, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), Enrollment Type: (HexInt1), Sco...
#Description
MDM PolicyManager: Set policy binary, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), Enrollment Type: (HexInt1), Scope: (HexInt2).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 |
Event ID 817: MDM PolicyManager: Merge policy precheck apply call.
#Event ID 818: MDM PolicyManager: Delete policy, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), Scope: (HexInt1), Result:(HexInt2) HexInt3.
#Description
MDM PolicyManager: Delete policy, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), Scope: (HexInt1), Result:(HexInt2) HexInt3.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 | |
HexInt3 HexInt32 |
Event ID 819: MDM PolicyManager: Delete policy, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), Scope: (HexInt1).
#Description
MDM PolicyManager: Delete policy, Policy: (Message1), Area: (Message2), EnrollmentID requesting merge: (Message3), Current User: (Message4), Scope: (HexInt1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HexInt1 HexInt32 |
Event ID 820: MDM PolicyManager: Set policy precheck precheck call.
#Event ID 821: MDM PolicyManager: Merge of policy did not complete successfully, Policy: (Message1), Area: (Message2), Result:(HexInt3) HRESULT.
#Event ID 822: MDM PolicyManager: Acquiring the merge lock, Policy: (Message1), Area: (Message2), Result:(HexInt3) HRESULT.
#Event ID 823: MDM PolicyManager: Create dynamic policy metadata, Policy: (Message1), Area: (Message2), Result:(HexInt3) HRESULT.
#Event ID 824: MDM PolicyManager: Per user policy has device wide scope specified, Policy: (Message1), Area: (Message2), Result:(HexInt3) HRESULT.
#Event ID 825: MDM PolicyManager: Device wide policy has user wide scope specified, Policy: (Message1), Area: (Message2), Result:(HexInt3) HRESULT.
#Event ID 826: MDM PolicyManager: SLAPI data not found, Policy: (Message1), Area: (Message2), Result:(HexInt3) HRESULT.
#Event ID 827: MDM PolicyManager: Policy is rejected by licensing, Policy: (Message1), Area: (Message2), Result:(HexInt3) HRESULT.
#Event ID 828: MDM PolicyManager: Policy is rejected by DoNotAllow flag, Policy: (Message1), Area: (Message2), Result:(HexInt3) HRESULT.
#Event ID 829: MDM PolicyManager: Dedicated cached delayed notification (WNF): (HexInt1, HexInt2) published for Policy: (Message1) in Area (Message2).
#Description
MDM PolicyManager: Dedicated cached delayed notification (WNF): (HexInt1, HexInt2) published for Policy: (Message1) in Area (Message2).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "{3DA494E4-0FE2-415C-B895-FB5265C5C83B}",
"event_source_name": "",
"event_id": 829,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-05-28T11:11:48.4736842+00:00",
"event_record_id": 4,
"correlation": {},
"execution": {
"process_id": 716,
"thread_id": 3176
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational",
"computer": "telemetry-DC-d.cell-d.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "DataProtection",
"Message2": "EnterpriseProtectedDomainNames",
"HexInt1": "0xa3bd6475",
"HexInt2": "0x13920028"
},
"message": "MDM PolicyManager: Dedicated cached delayed notification (WNF): (0xA3BD6475, 0x13920028) published for Policy: (DataProtection) in Area (EnterpriseProtectedDomainNames)."
}
Event ID 830: MDM PolicyManager: Dedicated cached delayed notification (WNF): (HexInt1, HexInt2) published for Policy: (Message1) in Area (Message2), Result:(HexInt3) HRESULT.
#Description
MDM PolicyManager: Dedicated cached delayed notification (WNF): (HexInt1, HexInt2) published for Policy: (Message1) in Area (Message2), Result:(HexInt3) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 | |
HexInt3 HexInt32 | |
HRESULT HexInt32 |
Event ID 831: MDM PolicyManager: Dedicated non-cached delayed notification (WNF): (HexInt1, HexInt2) published for Policy: (Message1) in Area (Message2).
#Event ID 832: MDM PolicyManager: Dedicated non-cached delayed notification (WNF): (HexInt1, HexInt2) published for Policy: (Message1) in Area (Message2), Result:(HexInt3) HRESULT.
#Description
MDM PolicyManager: Dedicated non-cached delayed notification (WNF): (HexInt1, HexInt2) published for Policy: (Message1) in Area (Message2), Result:(HexInt3) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 | |
HexInt3 HexInt32 | |
HRESULT HexInt32 |
Event ID 833: MDM PolicyManager: Evaluator notification (WNF): (HexInt1, HexInt2) published for Evaluator: (Message1).
#Description
MDM PolicyManager: Evaluator notification (WNF): (HexInt1, HexInt2) published for Evaluator: (Message1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 833,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-10-25T22:55:39.435030+00:00",
"event_record_id": 50,
"correlation": {},
"execution": {
"process_id": 4544,
"thread_id": 772
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
}
},
"event_data": {
"Message1": "AppHVSI",
"HexInt1": "0xa3bd9075",
"HexInt2": "0x13920028"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 834: MDM PolicyManager: Evaluator notification (WNF): (HexInt1, HexInt2) published for Evaluator: (Message1), Result:(HexInt3) HRESULT.
#Event ID 835: MDM PolicyManager: Set Policy (Message1) in Area (Message2) is Evaluator policy.
#Event ID 836: MDM PolicyManager: Set Policy (Message1) in Area (Message2) is Evaluator policy.
#Description
MDM PolicyManager: Set Policy (Message1) in Area (Message2) is Evaluator policy. Add Evaluator (Message3) to Evaluator WNF list to publish area Evaluator WNF on CSP unload, Result:(UInt1) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
UInt1 UInt32 | |
HRESULT HexInt32 |
Event ID 837: MDM PolicyManager: Delete Policy (Message1) in Area (Message2) is Evaluator policy.
#Event ID 838: MDM PolicyManager: Delete Policy (Message1) in Area (Message2) is Evaluator policy.
#Description
MDM PolicyManager: Delete Policy (Message1) in Area (Message2) is Evaluator policy. Add Evaluator (Message3) to Evaluator WNF list to publish area Evaluator WNF on CSP unload, Result:(UInt1) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
UInt1 UInt32 | |
HRESULT HexInt32 |
Event ID 839: MDM PolicyManager: Delete provider (Message1).
#Description
MDM PolicyManager: Delete provider (Message1). Add Evaluator (Message2) to Evaluator WNF list to publish area Evaluator WNF on CSP unload.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 839,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-10-25T22:55:39.426870+00:00",
"event_record_id": 48,
"correlation": {},
"execution": {
"process_id": 4544,
"thread_id": 772
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-21-2533829718-189860685-2477588761-500"
}
},
"event_data": {
"Message1": "FC01E91F-914C-45AF-9D7C-0B2E5FBEDF62",
"Message2": "AppHVSI"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 840: MDM PolicyManager: Delete provider (Message1).
#Event ID 841: MDM PolicyManager: Delete area (Message2) in provider (Message1).
#Event ID 842: MDM PolicyManager: Delete area (Message2) in provider (Message1).
#Description
MDM PolicyManager: Delete area (Message2) in provider (Message1). Add Evaluator (Message3) to Evaluator WNF list to publish Evaluator WNF on CSP unload, Result:(UInt1) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
UInt1 UInt32 | |
HRESULT HexInt32 |
Event ID 843: MDM PolicyManager: Load of the precheck DLL (UInt1) did not complete successfully, Policy: (Message2), Area: (Message1), Precheck: (Message3), Result:(UInt2) HRESULT.
#Description
MDM PolicyManager: Load of the precheck DLL (UInt1) did not complete successfully, Policy: (Message2), Area: (Message1), Precheck: (Message3), Result:(UInt2) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
UInt1 UInt32 | |
UInt2 UInt32 | |
HRESULT HexInt32 |
Event ID 844: MDM PolicyManager: During Message1 found bad enrollment (Message2) during merge.
#Description
MDM PolicyManager: During Message1 found bad enrollment (Message2) during merge. Requesting merge (Message3). Deleting policies for the enrollment. Enrollment state is (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
HRESULT HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 844,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-10-26T04:20:37.233106+00:00",
"event_record_id": 2,
"correlation": {},
"execution": {
"process_id": 716,
"thread_id": 3532
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "WIN-OQ6R0RVA4NF",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "Inbox",
"Message2": "82965F5A-6C65-4B7A-8075-488FCCE07D4E",
"Message3": "1e05dd5d-a022-46c5-963c-b20de341170f",
"HRESULT": "0x3f"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 845: MDM PolicyManager: Cannot delete the policy hive for bad enrollment (Message1).
#Event ID 846: MDM PolicyManager: Machine Broadcast of WM_SETTINGCHANGES to user sessions failed with (HexInt1).
#Event ID 847: MDM PolicyManager: Machine Broadcast of WM_SETTINGCHANGES to user sessions.
#Description
MDM PolicyManager: Machine Broadcast of WM_SETTINGCHANGES to user sessions.
Message #
Event ID 848: MDM PolicyManager: Policy value set by MAM is not allowed.
#Event ID 849: MDM PolicyManager: Merge policy precheck apply call.
#Event ID 850: MDM PolicyManager ADMX Ingestion: Blocked registry key: (Message1) in (Message2) tag.
#Event ID 851: MDM PolicyManager ADMX Ingestion: Cannot remove ADMX metadata when policy is in use.
#Event ID 852: MDM PolicyManager ADMX Ingestion: Invalid attribute.
#Event ID 853: MDM PolicyManager ADMX Ingestion: Invalid tag:<Message1> under <Message2>.
#Event ID 854: MDM PolicyManager ADMX Ingestion: <Message1> does not have required attribute (Message2).
#Event ID 855: MDM PolicyManager ADMX Ingestion: Xml Read Error TagName:(Message1), Line:(HexInt1) Position:(HexInt2) Result:(HRESULT).
#Event ID 856: MDM PolicyManager: ADMX ingestion given payload policy definition element Id not found: Id (Message1).
#Event ID 857: MDM PolicyManager: ADMX ingestion given payload expect True or False string.
#Event ID 858: MDM PolicyManager: ADMX ingestion given payload has value that cannot be converted to decimal: Id (Message1).
#Event ID 859: MDM PolicyManager: Load of the translation DLL (UInt1) did not complete successfully, Policy: (Message2), Area: (Message1), Action: (Message3), Result:(UInt2) HRESULT.
#Description
MDM PolicyManager: Load of the translation DLL (UInt1) did not complete successfully, Policy: (Message2), Area: (Message1), Action: (Message3), Result:(UInt2) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
UInt1 UInt32 | |
UInt2 UInt32 | |
HRESULT HexInt32 |
Event ID 860: MDM PolicyManager: Merge policy precheck post apply call.
#Description
MDM PolicyManager: Merge policy precheck post apply call. Policy: (Message1), Area: (Message2), string value: (Message3), setByProvider: (UInt1), Result:(UInt2) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
UInt1 UInt32 | |
UInt2 UInt32 | |
HRESULT HexInt32 |
Event ID 861: MDM PolicyManager: Merge policy precheck post apply call.
#Description
MDM PolicyManager: Merge policy precheck post apply call. Policy: (Message1), Area: (Message2), int value: (HexInt1),setByProvider: (HexInt2) Result:(HexInt3) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 | |
HexInt3 HexInt32 | |
HRESULT HexInt32 |
Event ID 862: MDM PolicyManager: Merge policy: Policy definitions for area (Message1) not found.
#Event ID 863: MDM PolicyManager: Merge policy: Policy definition for area (Message1), policy (Message2) not found.
#Event ID 864: MDM PolicyManager: Enum of policies: Policy definition for area (Message1), policy (Message2) not found.
#Event ID 865: MDM PolicyManager: ADMX Ingestion: EnrollmentId (Message1), app name (Message2), setting type (Message3), unique Id (Message4).
#Description
MDM PolicyManager: ADMX Ingestion: EnrollmentId (Message1), app name (Message2), setting type (Message3), unique Id (Message4). Result:(HexInt1) HexInt3.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HexInt1 HexInt32 | |
HexInt3 HexInt32 |
Event ID 866: MDM PolicyManager: ADMX Ingestion: EnrollmentId (Message1), app name (Message2), setting type (Message3), unique Id (Message4), area (Message5).
#Event ID 867: MDM PolicyManager: ADMX ingestion delete of previous ingestion: EnrollmentId (Message1), app name (Message2), setting type (Message3), unique Id (Message4).
#Description
MDM PolicyManager: ADMX ingestion delete of previous ingestion: EnrollmentId (Message1), app name (Message2), setting type (Message3), unique Id (Message4). Result:(HexInt1) HexInt3.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HexInt1 HexInt32 | |
HexInt3 HexInt32 |
Event ID 868: MDM PolicyManager: ADMX ingestion: Nested Element tags found: previous (Message1), next (Message2).
#Event ID 869: MDM PolicyManager: ADMX ingestion: Delete of path issue: Path (Message1).
#Event ID 870: MDM PolicyManager: ADMX ingestion payload Id attribute missing.
#Event ID 871: MDM PolicyManager: ADMX ingestion verification whether there are policies against it has failed.
#Description
MDM PolicyManager: ADMX ingestion verification whether there are policies against it has failed. EnrollmentId (Message1), app name (Message2), setting type (Message3), unique Id (Message4). Result:(HexInt1) HexInt3.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HexInt1 HexInt32 | |
HexInt3 HexInt32 |
Event ID 872: MDM PolicyManager: ADMX ingestion starting update of existing Admx ingestion.
#Description
MDM PolicyManager: ADMX ingestion starting update of existing Admx ingestion. EnrollmentId (), app name (), setting type (), unique Id (), policy values were set on previous ADMX file ingestion ().
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HexInt1 HexInt32 |
Event ID 873: MDM PolicyManager: ADMX ingestion starting new Admx ingestion.
#Event ID 880: MDM Wins Over GP: MDMWinsOverGP policy enabled but this GP setting is not blocked, Value: (Message1), Namespace: (Message2), Operation: (Message3), Result:(UInt1) HRESULT.
#Description
MDM Wins Over GP: MDMWinsOverGP policy enabled but this GP setting is not blocked, Value: (Message1), Namespace: (Message2), Operation: (Message3), Result:(UInt1) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
UInt1 UInt32 | |
HRESULT HexInt32 |
Event ID 881: MDM Wins Over GP: MDMWinsOverGP policy enabled and GP setting is blocked, Value: (Message1), Namespace: (Message2), Operation: (Message3).
#Event ID 890: MDM Container: Admx Ingestion Change Notificaiton WNF fired, Value: (.
#Description
MDM Container: Admx Ingestion Change Notificaiton WNF fired, Value: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString |
Event ID 890: MDM Container: Admx Ingestion Change Notificaiton WNF fired, Value: (Message1).
#Event ID 900: MDM Diagnostics: Getting Diagnostics Information from (Message1).
#Event ID 901: MDM Diagnostics: Creating Diagnostic report at (Message1).
#Event ID 902: MDM Diagnostics: Adding redirected reg keys to Policy Manager diagnostic data failed.
#Event ID 903: MDM Diagnostics: Opening redirected reg keys (Message1) in Policy Manager diagnostic data failed.
#Event ID 904: MDM Diagnostics: Opening redirected reg value (Message1) in Policy Manager diagnostic data failed.
#Event ID 905: MDM Diagnostics: Appending redirected reg key or Group Policy values in Policy Manager diagnostic report failed.
#Event ID 906: MDM Diagnostics: Parsing input XML failed.
#Event ID 907: MDM Diagnostics: Getting data out of top level key (Message1) failed.
#Event ID 908: MDM Diagnostics: Getting data out of registry keys (Message1) failed.
#Event ID 909: MDM Diagnostics: Getting data out of registry values (Message1) failed.
#Event ID 910: MDM Diagnostics: Check for whether directory (Message1) exists and create if not failed.
#Event ID 911: MDM Diagnostics: Removing PII from ActiveSync data failed.
#Event ID 912: MDM PolicyManager ADMX Ingestion: ParentCategory of policy is not defined in categories PolicyName:(Message1), ParentCategory:(Message2).
#Event ID 913: MDM PolicyManager ADMX Ingestion: Circular Referencing In Categories Category (Message1), ParentCategory:(Message2).
#Event ID 914: MDM PolicyManager ADMX Ingestion: Equivalent Area name from categories should be limited to 255 characters(Max registry key length).
#Event ID 915: MDM PolicyManager: Merge policy: Making the enrollment dormant, removing policies.
#Event ID 916: MDM PolicyManager: Merge policy: Making the enrollment non dormant, policies in enrollment are make current.
#Event ID 917: MDM PolicyManager: Merge policy: State of enrollment should not be dormant.
#Event ID 918: MDM PolicyManager: Merge policy: State of enrollment should not be non-dormant.
#Event ID 1000: Phone Reset: Phone reset initiated.
#Description
Phone Reset: Phone reset initiated.
Message #
Event ID 1100: Device Management Account CSP: Retrieving the node via Get command failed with (HRESULT).
#Event ID 1101: Device Management Account CSP: Device Management session not requested after account creation.
#Description
Device Management Account CSP: Device Management session not requested after account creation.
Message #
Event ID 1102: Device Management Account CSP: Device Management session requested after DM account creation by server: (Message1).
#Event ID 1103: Device Management Account CSP: Device Management session kick-off request ignored for enterprise enrollment type: (HexInt1).
#Event ID 1104: Device Management Account CSP: Device Management session kick-off request denied for enrollment type: (HexInt1).
#Event ID 1105: Device Management Account CSP: Invalid enrollment type.
#Event ID 1106: Device Management Account CSP: Device Management session kick-off request failed.
#Event ID 1107: Device Management Account CSP: Notifying configuration manager notification failed.
#Event ID 1108: Device Management Account CSP: Retrieving the session variable: (Message1), value: (Message2) failed.
#Event ID 1109: Device Management Account CSP: Retrieved the session variable: (Message1), value: (Message2).
#Event ID 1110: Device Management Account CSP: Creating an instance of Device Management Account CSP failed.
#Event ID 1111: Device Management Account CSP: An instance of the Device Management Account CSP was initialized for AccountUID: (Message1), session's Enrollment ID: (Message2)...
#Description
Device Management Account CSP: An instance of the Device Management Account CSP was initialized for AccountUID: (Message1), session's Enrollment ID: (Message2), initialized account's Enrollment ID: (Message3), number of segments: (UInt1). Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
UInt1 UInt32 | |
HRESULT HexInt32 |
Event ID 1112: Device Management Account CSP: Failed to initialize an instance of the Device Management Account CSP for AccountUID: (Message1), session's Enrollment ID:...
#Description
Device Management Account CSP: Failed to initialize an instance of the Device Management Account CSP for AccountUID: (Message1), session's Enrollment ID: (Message2), initialized account's Enrollment ID: (Message3), number of segments: (UInt1). Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
UInt1 UInt32 | |
HRESULT HexInt32 |
Event ID 1113: Device Management Account CSP: Enumerating the children nodes failed.
#Event ID 1114: Device Management Account CSP: Device Management account for a different Enterprise enrollment denied.
#Description
Device Management Account CSP: Device Management account for a different Enterprise enrollment denied. AccountUID: (), session's Enrollment ID: (), referenced account's Enrollment ID: (). Result: ().
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
HRESULT HexInt32 |
Event ID 1115: Device Management Account CSP: Device Management account being created for Mobile Operator.
#Event ID 1116: Device Management Account CSP: Creating new enrollment for mobile operator failed.
#Event ID 1117: Device Management Account CSP: Creating new enrollment for mobile operator failed.
#Event ID 1118: Device Management Account CSP: Device Management account added.
#Event ID 1119: Device Management Account CSP: Adding device management account failed.
#Description
Device Management Account CSP: Adding device management account failed. Provider ID: (Message1), session Enrollment ID: (Message2), new Enrollment ID: (Message3), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
HRESULT HexInt32 |
Event ID 1120: Device Management Account CSP: Device Management account deleted.
#Event ID 1121: Device Management Account CSP: Device Management account deletion failed.
#Event ID 1122: Device Management Account CSP: Device Management account clear failed.
#Event ID 1123: Device Management Account CSP: Device Management account moved.
#Description
Device Management Account CSP: Device Management account moved. Session's Enrollment ID: (Message1), Old AccountUID: (Message2), New AccountUID: (Message3), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
HRESULT HexInt32 |
Event ID 1124: Device Management Account CSP: Device Management account move failed.
#Description
Device Management Account CSP: Device Management account move failed. Session's Enrollment ID: (Message1), Old AccountUID: (Message2), New AccountUID: (Message3), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
HRESULT HexInt32 |
Event ID 1125: Device Management Account CSP: Device Management account check.
#Description
Device Management Account CSP: Device Management account check. Enrollment ID: (Message1), AccountUID of account being accessed: (Message2), AccountUID of account used to run the session: (Message3), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
HRESULT HexInt32 |
Event ID 1126: Device Management Account CSP: Device Management account check failed.
#Description
Device Management Account CSP: Device Management account check failed. Session's Enrollment ID: (Message1), AccountUID of account being accessed: (Message2), AccountUID of account used to run the session: (Message3), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
HRESULT HexInt32 |
Event ID 1127: Device Management Account CSP: Device Management session kick-off request ignored since there are multiple accounts being created.
#Event ID 1128: Device Management Account CSP: MO trying to access a non-MO Device Management account.
#Event ID 1200: Device Impersonation: Illegal attempt to impersonate.
#Event ID 1300: Enrollment Status Tracking: Starting status tracking for resource.
#Event ID 1301: Enrollment Status Tracking: Initializing download for resource.
#Event ID 1302: Enrollment Status Tracking: Downloading resource.
#Event ID 1303: Enrollment Status Tracking: Pending download retry for resource.
#Event ID 1304: Enrollment Status Tracking: Download of resource encountered an error and could not complete.
#Event ID 1305: Enrollment Status Tracking: Download of resource completed successfully.
#Event ID 1306: Enrollment Status Tracking: Pending user session for resource.
#Event ID 1307: Enrollment Status Tracking: Installing resource.
#Event ID 1308: Enrollment Status Tracking: Pending installation retry for resource.
#Event ID 1309: Enrollment Status Tracking: Installation of resource encountered an error and could not complete.
#Event ID 1310: Enrollment Status Tracking: Installation of resource completed successfully.
#Event ID 1311: Enrollment Status Tracking: Status of resource is unknown.
#Event ID 1350: Autopilot Device Preparation: Latest device preparation hint used = UInt1.
#Event ID 1351: Autopilot Device Preparation: Device is no longer in OOBE and attempt to clear the device preparation hint resulted in HRESULT HRESULT.
#Event ID 1500: WiFiConfigurationServiceProvider: New node initialized, type: (UInt1), name: (Message1).
#Event ID 1501: WiFiConfigurationServiceProvider: Children queried, type: (UInt1), count: (UInt2).
#Event ID 1502: WiFiConfigurationServiceProvider: Node added, type: (UInt1), uri: (Message1), result: (HRESULT).
#Event ID 1503: WiFiConfigurationServiceProvider: Node delete child, type: (UInt1), uri: (Message1), result: (HRESULT).
#Event ID 1504: WiFiConfigurationServiceProvider: Node clear, type: (UInt1), Result: (HRESULT).
#Event ID 1505: WiFiConfigurationServiceProvider: Node get value, type: (UInt1), Result: (HRESULT).
#Event ID 1506: WiFiConfigurationServiceProvider: Node set value, type: (UInt1), Result: (HRESULT).
#Event ID 1507: WiFiConfigurationServiceProvider: Node set value failed to set the wlan profile, error: (UInt1).
#Event ID 1508: WiFiConfigurationServiceProvider: Node destructed, type: (UInt1).
#Event ID 1509: WiFiConfigurationServiceProvider: Get Node, Result: (HRESULT).
#Event ID 1510: WiFiConfigurationServiceProvider: Node set value failed to set proxy, dwError: (UInt1).
#Event ID 1511: WiFiConfigurationServiceProvider: Node initialize, segments: (UInt1), uri: (Message1), Result: (HRESULT).
#Event ID 1530: WiredNetworkConfigurationServiceProvider: Wired network profile saved.
#Description
WiredNetworkConfigurationServiceProvider: Wired network profile saved.
Message #
Event ID 1531: WiredNetworkConfigurationServiceProvider: Enable block period set.
#Description
WiredNetworkConfigurationServiceProvider: Enable block period set.
Message #
Event ID 1532: WiredNetworkConfigurationServiceProvider: Wired network profile deleted.
#Description
WiredNetworkConfigurationServiceProvider: Wired network profile deleted.
Message #
Event ID 1533: WiredNetworkConfigurationServiceProvider: Wired network profile deleted.
#Description
WiredNetworkConfigurationServiceProvider: Wired network profile deleted.
Message #
Event ID 1534: WiredNetworkConfigurationServiceProvider: Wired network profile not saved.
#Event ID 1535: WiredNetworkConfigurationServiceProvider: Block period not set.
#Event ID 1536: WiredNetworkConfigurationServiceProvider: Delete wired network profile failed.
#Event ID 1537: WiredNetworkConfigurationServiceProvider: Disable block period failed.
#Event ID 1538: WiredNetworkConfigurationServiceProvider: Dot3 service start failed.
#Event ID 1539: WiredNetworkConfigurationServiceProvider: Dot3 service configuration change failed.
#Event ID 1540: WiredNetworkConfigurationServiceProvider: Dot3 service stop failed.
#Event ID 1600: DMClient Configuration Service Provider: Server initiated unenroll started.
#Description
DMClient Configuration Service Provider: Server initiated unenroll started. Enrollment ID: (Message1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 1600,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T01:38:03.147900+00:00",
"event_record_id": 85,
"correlation": {},
"execution": {
"process_id": 6848,
"thread_id": 4028
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "43C0DA41-21B4-4245-980F-878D0899119B"
},
"message": ""
}
Event ID 1600: DMClient Configuration Service Provider: Server initiated unenroll started.
#Event ID 1601: DMClient Configuration Service Provider: Server initiated unenroll failed.
#Event ID 1601: DMClient Configuration Service Provider: Server initiated unenroll failed.
#Event ID 1650: Windows Information Protection configuration changed: Previous State: (Message1), Current State: (Message2), Result: (HRESULT).
#Event ID 1651: Windows Information Protection dependency check result: Dependency Name: (Message1), State: (Message2), IsDependencySatisfied: (HexInt3), Result: (HexInt3).
#Event ID 1652: Windows Information Protection missing mandatory policy: Area: (Message1), Name: (Message2).
#Event ID 1653: MDM Evaluator Scenario Evaluate Result: Scenario: (Message1), Previous State: (Message2), Last Dependency: (Message3), Final State: (Message4), Result: (HRESULT).
#Description
MDM Evaluator Scenario Evaluate Result: Scenario: (Message1), Previous State: (Message2), Last Dependency: (Message3), Final State: (Message4), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HRESULT HexInt32 |
Event ID 1701: System Migration Task Deleted.
#Event ID 1702: System Upgrade Alert scheduled.
#Event ID 1703: User Upgrade Alert scheduled.
#Event ID 1705: User Migration Task Deleted.
#Event ID 1706: Resource Manager Keys Migrated.
#Event ID 1707: Schedules Created.
#Event ID 1708: Impersonation result.
#Event ID 1709: No Migration needed, not an upgrade.
#Description
No Migration needed, not an upgrade.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 1709,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-10-25T21:23:47.600367+00:00",
"event_record_id": 30,
"correlation": {},
"execution": {
"process_id": 6072,
"thread_id": 6120
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "WinDevEval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 1800: Windows Defender Advanced Threat Protection CSP: Get Node's Value.
#Event ID 1801: Windows Defender Advanced Threat Protection CSP: Failed to Get Node's Value.
#Event ID 1802: Windows Defender Advanced Threat Protection CSP: Get Node's Value complete.
#Event ID 1803: Windows Defender Advanced Threat Protection CSP: Get Last Connected value complete.
#Event ID 1804: Windows Defender Advanced Threat Protection CSP: Get Org ID value complete.
#Event ID 1805: Windows Defender Advanced Threat Protection CSP: Get Sense Is Running value complete.
#Event ID 1806: Windows Defender Advanced Threat Protection CSP: Get Onboarding State value complete.
#Event ID 1807: Windows Defender Advanced Threat Protection CSP: Get Onboarding value complete.
#Event ID 1808: Windows Defender Advanced Threat Protection CSP: Get Offboarding value complete.
#Event ID 1809: Windows Defender Advanced Threat Protection CSP: Get Sample Sharing value complete.
#Event ID 1810: Windows Defender Advanced Threat Protection CSP: Onboarding process.
#Description
Windows Defender Advanced Threat Protection CSP: Onboarding process. Started.
Message #
Event ID 1811: Windows Defender Advanced Threat Protection CSP: Onboarding process.
#Event ID 1812: Windows Defender Advanced Threat Protection CSP: Onboarding process.
#Event ID 1813: Windows Defender Advanced Threat Protection CSP: Onboarding process.
#Description
Windows Defender Advanced Threat Protection CSP: Onboarding process. The service started successfully.
Message #
Event ID 1814: Windows Defender Advanced Threat Protection CSP: Onboarding process.
#Event ID 1815: Windows Defender Advanced Threat Protection CSP: Set Sample Sharing value complete.
#Event ID 1816: Windows Defender Advanced Threat Protection CSP: Offboarding process.
#Event ID 1817: Windows Defender Advanced Threat Protection CSP: Offboarding process.
#Event ID 1818: Windows Defender Advanced Threat Protection CSP: Set Node's Value started.
#Event ID 1819: Windows Defender Advanced Threat Protection CSP: Failed to Set Node's Value.
#Event ID 1820: Windows Defender Advanced Threat Protection CSP: Set Node's Value complete.
#Event ID 1901: EnterpriseDesktopAppManagement CSP: A node instance of was created successfully.
#Description
EnterpriseDesktopAppManagement CSP: A node instance of was created successfully. MSI ProductCode: Message1, MSI UpgradeCode: Message2, User SID: (Message3).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 1901,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:36:03.908742+00:00",
"event_record_id": 173,
"correlation": {},
"execution": {
"process_id": 9444,
"thread_id": 6216
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "{ad40f56a-5735-45d5-8a57-c36ce8739abc}",
"Message2": "null",
"Message3": "S-0-0-00-0000000000-0000000000-000000000-000"
},
"message": ""
}
Event ID 1902: EnterpriseDesktopAppManagement CSP: A node instance failed to be created.
#Event ID 1903: EnterpriseDesktopAppManagement CSP: An app which was previously installed is no longer installed on this device.
#Event ID 1904: EnterpriseDesktopAppManagement CSP: MDMAppInstaller task has started.
#Description
EnterpriseDesktopAppManagement CSP: MDMAppInstaller task has started.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 1904,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:36:03.986978+00:00",
"event_record_id": 174,
"correlation": {},
"execution": {
"process_id": 10088,
"thread_id": 8940
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 1905: EnterpriseDesktopAppManagement CSP: Application content download started.
#Description
EnterpriseDesktopAppManagement CSP: Application content download started. MSI ProductCode: Message1, User SID: (Message2), BITS job: (Message3).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 1905,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:36:04.197955+00:00",
"event_record_id": 175,
"correlation": {},
"execution": {
"process_id": 10088,
"thread_id": 8940
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "{ad40f56a-5735-45d5-8a57-c36ce8739abc}",
"Message2": "S-0-0-00-0000000000-0000000000-000000000-000",
"Message3": "2a8e6b4b-4e08-42bc-807d-0caca4252121"
},
"message": ""
}
Event ID 1906: EnterpriseDesktopAppManagement CSP: Application content download completed.
#Description
EnterpriseDesktopAppManagement CSP: Application content download completed. MSI ProductCode: Message1, User SID: (Message2), BITS job: (Message3).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 1906,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:36:12.316964+00:00",
"event_record_id": 179,
"correlation": {},
"execution": {
"process_id": 10088,
"thread_id": 8940
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "{ad40f56a-5735-45d5-8a57-c36ce8739abc}",
"Message2": "S-0-0-00-0000000000-0000000000-000000000-000",
"Message3": "2a8e6b4b-4e08-42bc-807d-0caca4252121"
},
"message": ""
}
Event ID 1907: EnterpriseDesktopAppManagement CSP: Application content download failed.
#Description
EnterpriseDesktopAppManagement CSP: Application content download failed. MSI ProductCode: Message1, User SID: (Message2), BITS job: (Message3), Error message: (Message4), Error code: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HRESULT HexInt32 |
Event ID 1908: EnterpriseDesktopAppManagement CSP: Unable to start the application content download.
#Event ID 1909: EnterpriseDesktopAppManagement CSP: Unable to start the application installation action because the user is not logged in.
#Event ID 1910: EnterpriseDesktopAppManagement CSP: Another instance of the MDMAppInstaller process is already running.
#Description
EnterpriseDesktopAppManagement CSP: Another instance of the MDMAppInstaller process is already running. This instance will terminate.
Message #
Event ID 1911: EnterpriseDesktopAppManagement CSP: The MDMAppInstaller process is terminating with an error.
#Event ID 1912: EnterpriseDesktopAppManagement CSP: The MDMAppInstaller process is terminating with no errors.
#Description
EnterpriseDesktopAppManagement CSP: The MDMAppInstaller process is terminating with no errors.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 1912,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:36:55.690919+00:00",
"event_record_id": 195,
"correlation": {},
"execution": {
"process_id": 10088,
"thread_id": 8940
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 1913: EnterpriseDesktopAppManagement CSP: Creation of the MSI app install job failed.
#Event ID 1914: EnterpriseDesktopAppManagement CSP: Creation of the MSI app uninstall job failed.
#Event ID 1915: EnterpriseDesktopAppManagement CSP: The MDMAppInstaller process could not be started to process MSI app install.
#Event ID 1916: EnterpriseDesktopAppManagement CSP: The MDMAppInstaller process could not be started to process MSI app uninstall.
#Event ID 1920: EnterpriseDesktopAppManagement CSP: An application install has started.
#Description
EnterpriseDesktopAppManagement CSP: An application install has started. MSI ProductCode: Message1, User SID: (Message2).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 1920,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:36:13.374383+00:00",
"event_record_id": 180,
"correlation": {},
"execution": {
"process_id": 10088,
"thread_id": 3956
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "{ad40f56a-5735-45d5-8a57-c36ce8739abc}",
"Message2": "S-0-0-00-0000000000-0000000000-000000000-000"
},
"message": ""
}
Event ID 1921: EnterpriseDesktopAppManagement CSP: An application uninstall has started.
#Event ID 1922: EnterpriseDesktopAppManagement CSP: An application install has succeeded.
#Description
EnterpriseDesktopAppManagement CSP: An application install has succeeded. MSI ProductCode: Message1, User SID: (Message2), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
HRESULT HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 1922,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:36:41.557289+00:00",
"event_record_id": 181,
"correlation": {},
"execution": {
"process_id": 10088,
"thread_id": 3956
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "{ad40f56a-5735-45d5-8a57-c36ce8739abc}",
"Message2": "S-0-0-00-0000000000-0000000000-000000000-000",
"HRESULT": "0x0"
},
"message": ""
}
Event ID 1923: EnterpriseDesktopAppManagement CSP: An application uninstall has succeeded.
#Event ID 1924: EnterpriseDesktopAppManagement CSP: An application install has failed.
#Description
EnterpriseDesktopAppManagement CSP: An application install has failed. Examine the MSI log (Message1) for more details. Install command: (Message2), MSI ProductCode: Message3, User SID: (Message4), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HRESULT HexInt32 |
Event ID 1925: EnterpriseDesktopAppManagement CSP: An application uninstall has failed.
#Description
EnterpriseDesktopAppManagement CSP: An application uninstall has failed. Examine the MSI log (Message1) for more details. Uninstall command: (Message2), MSI ProductCode: Message3, User SID: (Message4), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HRESULT HexInt32 |
Event ID 1926: EnterpriseDesktopAppManagement CSP: An application installation action has exceeded the expected run time.
#Event ID 1927: EnterpriseDesktopAppManagement CSP: An application status alert was sent to the device management service.
#Description
EnterpriseDesktopAppManagement CSP: An application status alert was sent to the device management service. LocURI: (Message1), Alert Data: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
HRESULT HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 1927,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:36:55.575223+00:00",
"event_record_id": 194,
"correlation": {},
"execution": {
"process_id": 10088,
"thread_id": 8940
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "./Device/Vendor/MSFT/EnterpriseDesktopAppManagement/MSI/{ad40f56a-5735-45d5-8a57-c36ce8739abc}/DownloadInstall",
"HRESULT": "0x0"
},
"message": ""
}
Event ID 1928: EnterpriseDesktopAppManagement CSP: An application status alert failed to be sent to the device management service.
#Event ID 1930: EnterpriseDesktopAppManagement CSP: The MDMAppInstaller has been configured for restart by scheduled task (Resume App Installation Actions).
#Event ID 1931: EnterpriseDesktopAppManagement CSP/ MdmAppInstaller: Message: (Message1).
#Event ID 1932: EnterpriseDesktopAppManagement CSP/ MdmAppInstaller: Message: (Message1).
#Event ID 1933: EnterpriseDesktopAppManagement CSP/ MdmAppInstaller: Message: (Message1).
#Event ID 2001: Identical Polices from sam configuration source already applied.
#Description
Identical Polices from sam configuration source already applied. Hence this call is a NOP.
Message #
Event ID 2002: Performing enrollment for Partnership ID (Message1) from an elevated context.
#Event ID 2003: Performing unenrollment for Partnership ID (Message1) from an elevated context.
#Event ID 2004: The required operation requires elevation.
#Description
The required operation requires elevation. Please invoke the API from an elevated context.
Message #
Event ID 2005: The compliance check result for the partnership ID (Message1) is (HRESULT).
#Event ID 2006: The policy application result for the partnership ID (Message1) is (HRESULT).
#Event ID 2007: MDM Enroll: Error creating OS Edition Upgrade Alert schedule (HRESULT).
#Event ID 2008: OS Edition Upgrade WNF event process status (HRESULT).
#Event ID 2009: MDM Enroll: Error creating Win10 S Mode Alert schedule (HRESULT).
#Event ID 2010: Win10 S Mode WNF event process status (HRESULT).
#Event ID 2011: MDM Enroll: Error creating Wsc Startup Alert schedule (HRESULT).
#Event ID 2012: Wsc Startup Alert WNF event process status (HRESULT).
#Event ID 2101: Dynamic Management: Successfully created Context Store.
#Event ID 2102: Dynamic Management: Failed to create Context Store.
#Event ID 2103: Dynamic Management: Successfully created context.
#Event ID 2104: Dynamic Management: Failed to create context.
#Event ID 2105: Dynamic Management: Successfully processed signal definition.
#Event ID 2106: Dynamic Management: Failed to process signal definition.
#Event ID 2107: Dynamic Management: Successfully applied context (Message2).
#Event ID 2108: Dynamic Management: Failed to apply context (Message2).
#Event ID 2109: Preview Builds: Preview_Builds, Result: Result.
#Event ID 2110: Preview Builds: Preview_Builds, Result: Result.
#Event ID 2111: Preview Builds: Preview_Builds, Result: Result.
#Event ID 2112: Preview Builds: Preview_Builds, Result: Result.
#Event ID 2200: Acquired lock for Group Policy scope: (Message1).
#Event ID 2201: Failed to acquire lock for Group Policy scope: (Message1), Error: (HRESULT).
#Event ID 2202: Released lock for Group Policy scope: (Message1).
#Event ID 2203: Failed to release lock for Group Policy scope: (Message1), Error: (HRESULT).
#Event ID 2204: Caching uri for blocking mapped GP location.
#Event ID 2205: Failed to lookup in the dictionary.
#Event ID 2206: Marking blocking record for removal during post processing.
#Event ID 2207: No blocking records need removal.
#Description
No blocking records need removal.
Message #
Event ID 2208: Trying to delete the blocking record reg key.
#Event ID 2209: Found a blocking record reg key that needs to be deleted.
#Event ID 2210: Attempted to restore GP Value.
#Event ID 2211: Created a blocking record.
#Event ID 2212: Updated a blocking record.
#Event ID 2213: Attempted to save existing GP Value.
#Event ID 2214: Attempted to delete existing GP Value.
#Event ID 2215: MdmWinsOverGp policy is being set to value (HexInt1).
#Event ID 2216: All GP locations that were to be unblocked have been unblocked successfully.
#Event ID 2217: No blocking records existed, so skipping re-evaluation of blocking records.
#Description
No blocking records existed, so skipping re-evaluation of blocking records.
Message #
Event ID 2218: Found existing blocking records.
#Description
Found existing blocking records. Re-evaluating.
Message #
Event ID 2219: Uri evalulation for delete showed that uri (Message1) still configured state is: (HRESULT).
#Event ID 2220: MdmWinsOverGp Policy value is (HexInt1).
#Event ID 2221: Setting the targetted user sid to : (Message1).
#Event ID 2223: Targetting user with sid : (Message1).
#Event ID 2300: Bootstrap Enrollment Status Page: publish notification value: (HexInt1).
#Event ID 2400: MDM Declared Configuration: Delete document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), ...
#Description
MDM Declared Configuration: Delete document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), Enroll Type: (HexInt2).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 |
Event ID 2400: MDM Declared Configuration: Delete document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), ...
#Description
MDM Declared Configuration: Delete document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), Enroll Type: (HexInt2).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 |
Event ID 2401: MDM Declared Configuration: Delete document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), ...
#Description
MDM Declared Configuration: Delete document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), Enroll Type: (HexInt2), Result:(HexInt3) HexInt4.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 | |
HexInt3 HexInt32 | |
HexInt4 HexInt32 |
Event ID 2402: MDM Declared Configuration: End document parsing from file: Expected Document Id: (Message1) File Document Id: (Message2), Scenario: (Message3), Version: (Message4), Enrol...
#Description
MDM Declared Configuration: End document parsing from file: Expected Document Id: (Message1) File Document Id: (Message2), Scenario: (Message3), Version: (Message4), Enrollment Id: (Message5), Current User: (Message6), Schema: (Message7), Scope: (HexInt1), Enroll Type: (HexInt2), File size: (HexInt3), CSP Count: (HexInt4), URI Count: (HexInt5).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
Message6 UnicodeString | |
Message7 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 | |
HexInt3 HexInt32 | |
HexInt4 HexInt32 | |
HexInt5 HexInt32 |
Event ID 2403: MDM Declared Configuration: End document parsing from file: Expected Document Id: (Message1) File Document Id: (Message2), Scenario: (Message3), Version: (Message4), Enrol...
#Description
MDM Declared Configuration: End document parsing from file: Expected Document Id: (Message1) File Document Id: (Message2), Scenario: (Message3), Version: (Message4), Enrollment Id: (Message5), Current User: (Message6), Schema: (Message7), Scope: (HexInt1), Enroll Type: (HexInt2), File size: (HexInt3), CSP Count: (HexInt4), URI Count: (HexInt5), Result:(HexInt6) HexInt7.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
Message6 UnicodeString | |
Message7 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 | |
HexInt3 HexInt32 | |
HexInt4 HexInt32 | |
HexInt5 HexInt32 | |
HexInt6 HexInt32 | |
HexInt7 HexInt32 |
Event ID 2404: MDM Declared Configuration: End document parsing from CSP: Document Id: (Message1), Scenario: (Message2), Version: (Message3), Enrollment Id: (Message4), Current User.
#Description
MDM Declared Configuration: End document parsing from CSP: Document Id: (Message1), Scenario: (Message2), Version: (Message3), Enrollment Id: (Message4), Current User: (Message5), Schema: (Message6), Download URL: (Message7), Scope: (HexInt1), Enroll Type: (HexInt2), File size: (HexInt3), CSP Count: (HexInt4), URI Count: (HexInt5).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
Message6 UnicodeString | |
Message7 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 | |
HexInt3 HexInt32 | |
HexInt4 HexInt32 | |
HexInt5 HexInt32 | |
HexInt6 HexInt32 | |
HexInt7 HexInt32 |
Event ID 2405: MDM Declared Configuration: End document parsing from CSP: Document Id: (Message1), Scenario: (Message2), Version: (Message3), Enrollment Id: (Message4), Current User.
#Description
MDM Declared Configuration: End document parsing from CSP: Document Id: (Message1), Scenario: (Message2), Version: (Message3), Enrollment Id: (Message4), Current User: (Message5), Schema: (Message6), Download URL: (Message7), Scope: (HexInt1), Enroll Type: (HexInt2), File size: (HexInt3), CSP Count: (HexInt4), URI Count: (HexInt5), Result:(HexInt6) HexInt7.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
Message6 UnicodeString | |
Message7 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 | |
HexInt3 HexInt32 | |
HexInt4 HexInt32 | |
HexInt5 HexInt32 | |
HexInt6 HexInt32 | |
HexInt7 HexInt32 | |
HexInt8 HexInt32 | |
HexInt9 HexInt32 |
Event ID 2406: MDM Declared Configuration: Document Summary due to Alert: Enrollment Id: (Message1), Current User: (Message2), Alert data: (Message3), Enroll type: (HexInt1).
#Event ID 2407: MDM Declared Configuration: Document Summary due to Alert: Enrollment Id: (Message1), Current User: (Message2), Alert data: (Message3), Enroll type: (UInt1), Result.
#Description
MDM Declared Configuration: Document Summary due to Alert: Enrollment Id: (Message1), Current User: (Message2), Alert data: (Message3), Enroll type: (UInt1), Result:(UInt2) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
UInt1 UInt32 | |
UInt2 UInt32 | |
HRESULT HexInt32 |
Event ID 2408: MDM Declared Configuration: Flag set to trigger OMADM session.
#Description
MDM Declared Configuration: Flag set to trigger OMADM session.
Message #
Event ID 2409: MDM Declared Configuration: Failed to trigger OMADM session due to document changes, Result:(HexInt1) HRESULT.
#Event ID 2410: MDM Declared Configuration: CDN Download trigger DC WatchDog Task: Completed downloaded jobs: (HexInt1), Result:(HexInt2) HRESULT.
#Event ID 2411: MDM Declared Configuration: CDN Download trigger DC WatchDog Task: Completed downloaded jobs: (HexInt1).
#Event ID 2412: MDM Declared Configuration: Acquiring DC WatchDog Task Handler Lock Creation: Result:(HexInt1) HRESULT.
#Event ID 2413: MDM Declared Configuration: Acquiring DC WatchDog Task Handler Lock Creation.
#Description
MDM Declared Configuration: Acquiring DC WatchDog Task Handler Lock Creation.
Message #
Event ID 2414: MDM Declared Configuration: DC WatchDog Task Handler Lock.
#Description
MDM Declared Configuration: DC WatchDog Task Handler Lock.
Message #
Event ID 2415: MDM Declared Configuration: DC WatchDog Task Handler Unlock.
#Description
MDM Declared Configuration: DC WatchDog Task Handler Unlock.
Message #
Event ID 2416: MDM Declared Configuration: Construct URI Storage Lock Creation: Result:(HexInt1) HRESULT.
#Event ID 2417: MDM Declared Configuration: Construct URI Storage Lock Creation.
#Description
MDM Declared Configuration: Construct URI Storage Lock Creation.
Message #
Event ID 2418: MDM Declared Configuration: Construct URI Storage Lock.
#Description
MDM Declared Configuration: Construct URI Storage Lock.
Message #
Event ID 2419: MDM Declared Configuration: Construct URI Storage Unlock.
#Description
MDM Declared Configuration: Construct URI Storage Unlock.
Message #
Event ID 2420: MDM Declared Configuration: CDN Download Lock Creation: Result:(HexInt1) HRESULT.
#Event ID 2421: MDM Declared Configuration: CDN Download Lock Creation.
#Description
MDM Declared Configuration: CDN Download Lock Creation.
Message #
Event ID 2422: MDM Declared Configuration: CDN Download Lock.
#Description
MDM Declared Configuration: CDN Download Lock.
Message #
Event ID 2423: MDM Declared Configuration: CDN Download Unlock.
#Description
MDM Declared Configuration: CDN Download Unlock.
Message #
Event ID 2424: MDM Declared Configuration: CDN Download Lock Creation: Result:(HexInt1) HRESULT.
#Event ID 2425: MDM Declared Configuration: CDN Download Lock Creation.
#Description
MDM Declared Configuration: CDN Download Lock Creation.
Message #
Event ID 2426: MDM Declared Configuration: CDN Download Lock.
#Description
MDM Declared Configuration: CDN Download Lock.
Message #
Event ID 2427: MDM Declared Configuration: CDN Download Unlock.
#Description
MDM Declared Configuration: CDN Download Unlock.
Message #
Event ID 2428: MDM Declared Configuration: Async Delete Document Lock Creation: Result:(HexInt1) HRESULT.
#Event ID 2429: MDM Declared Configuration: Async Delete Document Lock Creation.
#Description
MDM Declared Configuration: Async Delete Document Lock Creation.
Message #
Event ID 2430: MDM Declared Configuration: Async Delete Document Lock.
#Description
MDM Declared Configuration: Async Delete Document Lock.
Message #
Event ID 2431: MDM Declared Configuration: Async Delete Document Unlock.
#Description
MDM Declared Configuration: Async Delete Document Unlock.
Message #
Event ID 2432: MDM Declared Configuration: Get Documents Summary Alert Lock Creation: Result:(HexInt1) HRESULT.
#Event ID 2433: MDM Declared Configuration: Get Documents Summary Alert Lock Creation.
#Description
MDM Declared Configuration: Get Documents Summary Alert Lock Creation.
Message #
Event ID 2434: MDM Declared Configuration: Get Documents Summary Alert Lock.
#Description
MDM Declared Configuration: Get Documents Summary Alert Lock.
Message #
Event ID 2435: MDM Declared Configuration: Get Documents Summary Alert Unlock.
#Description
MDM Declared Configuration: Get Documents Summary Alert Unlock.
Message #
Event ID 2436: MDM Declared Configuration: Unenroll Execute Lock Creation: Result:(HexInt1) HRESULT.
#Event ID 2437: MDM Declared Configuration: Unenroll Execute Lock Creation.
#Description
MDM Declared Configuration: Unenroll Execute Lock Creation.
Message #
Event ID 2438: MDM Declared Configuration: Unenroll Execute Lock.
#Description
MDM Declared Configuration: Unenroll Execute Lock.
Message #
Event ID 2439: MDM Declared Configuration: Unenroll Execute Unlock.
#Description
MDM Declared Configuration: Unenroll Execute Unlock.
Message #
Event ID 2440: MDM Declared Configuration: About to process CDN Downloaded Doc: Enrollment:(Message1), Context:(Message2), Document Id:(Message3).
#Event ID 2441: MDM Declared Configuration: Successfully processed CDN Downloaded Doc: Enrollment:(Message1), Context:(Message2), Document Id:(Message3).
#Event ID 2442: MDM Declared Configuration: Failed to processed CDN Downloaded Doc: Enrollment:(Message1), Context:(Message2), Document Id:(Message3), Result:(HexInt1) HexInt2.
#Description
MDM Declared Configuration: Failed to processed CDN Downloaded Doc: Enrollment:(Message1), Context:(Message2), Document Id:(Message3), Result:(HexInt1) HexInt2.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 |
Event ID 2443: MDM Declared Configuration: Results Merger: Host OS and container results CSP count is mismatch: Enrollment Id: (Message1), Doc Id:(Message2), Host CSP Count.
#Description
MDM Declared Configuration: Results Merger: Host OS and container results CSP count is mismatch: Enrollment Id: (Message1), Doc Id:(Message2), Host CSP Count:(HexInt1), Container CSP Count:(HexInt2), Result:(HexInt3) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 | |
HexInt3 HexInt32 | |
HRESULT HexInt32 |
Event ID 2444: MDM Declared Configuration: Results Merger: Host OS and container results URI count mismatch: Enrollment Id: (Message1), Doc Id:(Message2), CSP path:(Message3), Host...
#Description
MDM Declared Configuration: Results Merger: Host OS and container results URI count mismatch: Enrollment Id: (), Doc Id:(), CSP path:(), Host URI Count:(), Container URI Count:(), Result:() .
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
UInt1 UInt32 | |
UInt2 UInt32 | |
UInt3 UInt32 | |
HRESULT HexInt32 |
Event ID 2445: MDM Declared Configuration: Results Merger: Host OS and container results CSP path mismatch: Enrollment Id: (Message1), Doc Id:(Message2), Host CSP path:(Message3), ...
#Description
MDM Declared Configuration: Results Merger: Host OS and container results CSP path mismatch: Enrollment Id: (Message1), Doc Id:(Message2), Host CSP path:(Message3), Container CSP path:(Message4), Result:(UInt1) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
UInt1 UInt32 | |
HRESULT HexInt32 |
Event ID 2446: MDM Declared Configuration: Results Merger: Host OS and container results URI path mismatch: Enrollment Id: (Message1), Doc Id:(Message2), CSP path:(Message3), Host ...
#Description
MDM Declared Configuration: Results Merger: Host OS and container results URI path mismatch: Enrollment Id: (), Doc Id:(), CSP path:(), Host URI path:(), Container URI path:(), Result:() .
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
UInt1 UInt32 | |
HRESULT HexInt32 |
Event ID 2447: MDM Declared Configuration: Results Merger: Host OS and container results HTTP status mismatch: Enrollment Id: (Message1), Doc Id:(Message2), CSP path:(Message3), Ho...
#Description
MDM Declared Configuration: Results Merger: Host OS and container results HTTP status mismatch: Enrollment Id: (Message1), Doc Id:(Message2), CSP path:(Message3), Host URI path:(Message4), Container URI path:(Message5), Host HTTP status:(Message6), Container HTTP status:(Message7), Result:(UInt1) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
Message6 UnicodeString | |
Message7 UnicodeString | |
UInt1 UInt32 | |
HRESULT HexInt32 |
Event ID 2448: MDM Declared Configuration: Results Merger: Host OS and container results data mismatch: Enrollment Id: (Message1), Doc Id:(Message2), CSP path:(Message3), Host/Cont...
#Description
MDM Declared Configuration: Results Merger: Host OS and container results data mismatch: Enrollment Id: (Message1), Doc Id:(Message2), CSP path:(Message3), Host/Container URI path:(Message4), Result:(UInt1) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
UInt1 UInt32 | |
HRESULT HexInt32 |
Event ID 2449: MDM Declared Configuration: DeclaredConfigurationStore_ParseDeclaredConfigurationJson error at JSON argument (Message1): (Message2), HRESULT: (HRESULT).
#Event ID 2450: MDM Declared Configuration: Begin DSC Native MI Provider Operation, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Doc schema version: (Message4)...
#Description
MDM Declared Configuration: Begin DSC Native MI Provider Operation, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Doc schema version: (Message4), Provider Operation: (Message5), Provider Namespace: (Message6), Provider ClassName: (Message7).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
Message6 UnicodeString | |
Message7 UnicodeString |
Event ID 2451: MDM Declared Configuration: End DSC Native MI Provider Operation failed, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Doc schema version:...
#Description
MDM Declared Configuration: End DSC Native MI Provider Operation failed, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Doc schema version: (Message4), Provider Operation: (Message5), Provider Namespace: (Message6), Provider ClassName: (Message7), Provider Err Msg (Message8), Result:(UInt1) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
Message6 UnicodeString | |
Message7 UnicodeString | |
Message8 UnicodeString | |
UInt1 UInt32 | |
HRESULT HexInt32 |
Event ID 2452: MDM Declared Configuration: End DSC Native MI Provider Operation, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Doc schema version: (Message4), ...
#Description
MDM Declared Configuration: End DSC Native MI Provider Operation, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Doc schema version: (Message4), Provider Operation: (Message5), Provider Namespace: (Message6), Provider ClassName: (Message7).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
Message6 UnicodeString | |
Message7 UnicodeString |
Event ID 2454: MDM Declared Configuration: Get document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), Enr...
#Description
MDM Declared Configuration: Get document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), Enroll Type: (HexInt2).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 |
Event ID 2455: MDM Declared Configuration: Get document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), Enr...
#Description
MDM Declared Configuration: Get document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), Enroll Type: (HexInt2), Result:(HexInt3) HexInt4.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 | |
HexInt3 HexInt32 | |
HexInt4 HexInt32 |
Event ID 2456: MDM Declared Configuration: Set document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), Enr...
#Description
MDM Declared Configuration: Set document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), Enroll Type: (HexInt2).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 |
Event ID 2457: MDM Declared Configuration: Set document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), Enr...
#Description
MDM Declared Configuration: Set document, Document Id: (Message1), Version: (Message2), Enrollment ID: (Message3), Current User: (Message4), schema: (Message5), Scope: (HexInt1), Enroll Type: (HexInt2), Result:(HexInt3) HexInt4.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 | |
HexInt3 HexInt32 | |
HexInt4 HexInt32 |
Event ID 2500: MDM Orchestrator: Service Init result: (HRESULT).
#Event ID 2501: MDM Orchestrator: Service Init status: (HexInt1) (HexInt2) (HexInt3).
#Event ID 2502: MDM Orchestrator: Start Service Error: (HRESULT).
#Event ID 2503: MDM Orchestrator: End Service Error: (HRESULT).
#Event ID 2504: MDM Orchestrator: CDN Download handler failed: (HRESULT).
#Event ID 2505: MDM Orchestrator: Process a single DeclaredConfiguration document result: enrollment Id: (Message1), userId: (Message2), docId: (Message3), docVersion:(Message4), target: ...
#Description
MDM Orchestrator: Process a single DeclaredConfiguration document result: enrollment Id: (Message1), userId: (Message2), docId: (Message3), docVersion:(Message4), target: (Message5), hresult: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
HRESULT HexInt32 |
Event ID 2506: MDM Declared Configuration: Create Orchestrator ScenrioId Lock Creation: Result:(HexInt1) HRESULT.
#Event ID 2507: MDM Declared Configuration: Create ScenarioId Lock.
#Description
MDM Declared Configuration: Create ScenarioId Lock.
Message #
Event ID 2508: MDM Declared Configuration: Create ScenarioId Unlock.
#Description
MDM Declared Configuration: Create ScenarioId Unlock.
Message #
Event ID 2509: MDM Declared Configuration: ConfigDC failed to create configuration request: EnrollmentId: (Message1) Result:(HRESULT).
#Event ID 2510: MDM Declared Configuration: DeleteDC failed to create configuration request: Result:(HRESULT).
#Event ID 2511: MDM Declared Configuration: ConfigDC failed to create configuration request: Result:(HRESULT).
#Event ID 2512: MDM Declared Configuration: ConfigDC waiting for notification.
#Description
MDM Declared Configuration: ConfigDC waiting for notification.
Message #
Event ID 2513: MDM Declared Configuration: ConfigDC notification sent with: Result: (HRESULT).
#Event ID 2514: MDM Declared Configuration: Orchestrator MsftPolicies GetRequest failed: Result: (HRESULT).
#Event ID 2515: MDM Declared Configuration: Orchestrator ConfigDC failed: Result: (HRESULT).
#Event ID 2516: MDM Declared Configuration: Orchestrator ConfigDC Succeeded.
#Description
MDM Declared Configuration: Orchestrator ConfigDC Succeeded.
Message #
Event ID 2517: MDM Declared Configuration: Orchestrator DeleteDC Succeeded.
#Description
MDM Declared Configuration: Orchestrator DeleteDC Succeeded.
Message #
Event ID 2518: MDM Declared Configuration: Orchestrator DeleteDC failed: Result: (HRESULT).
#Event ID 2519: MDM Declared Configuration: Orchestrator CreateNewRequest failed: EnrollmentId: (Message1), UserId: (Message2), DocId: (Message3), DocVersion: (Message4), Target: (Message5), St...
#Description
MDM Declared Configuration: Orchestrator CreateNewRequest failed: EnrollmentId: (Message1), UserId: (Message2), DocId: (Message3), DocVersion: (Message4), Target: (Message5), StateMachineType: (UInt1), Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
UInt1 UInt32 | |
HRESULT HexInt32 |
Event ID 2520: MDM Declared Configuration: Orchestrator CreateNewRequest failed: EnrollmentId: (Message1), UserId: (Message2), DocId: (Message3), DocVersion: (Message4), Target: (Message5), St...
#Description
MDM Declared Configuration: Orchestrator CreateNewRequest failed: EnrollmentId: (Message1), UserId: (Message2), DocId: (Message3), DocVersion: (Message4), Target: (Message5), StateMachineType: (UInt1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
UInt1 UInt32 |
Event ID 2521: MDM Declared Configuration: Orchestrator (Message1) WaitForFinish timed out: (HRESULT).
#Event ID 2522: MDM Declared Configuration: StartProcessing Eventname: (Message7), RequestKey: (Message1), requestType: (UInt1), requestPriority: (UInt2), requestNumber: (UInt3), acti...
#Description
MDM Declared Configuration: StartProcessing Eventname: (Message7), RequestKey: (Message1), requestType: (UInt1), requestPriority: (UInt2), requestNumber: (UInt3), activityType: (UInt4), StateMachineType: (UInt5), state: (UInt6), notificationState: (UInt7), enrollmentId: (Message2), userId: (Message3), docId: (Message4), docVersion: (Message5), target: (Message6)
Message #
Fields #
| Name | Description |
|---|---|
UInt1 UInt32 | |
UInt2 UInt32 | |
UInt3 UInt32 | |
UInt4 UInt32 | |
UInt5 UInt32 | |
UInt6 UInt32 | |
UInt7 UInt32 | |
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
Message6 UnicodeString | |
Message7 UnicodeString |
Event ID 2523: MDM Declared Configuration: Error in Processing Eventname: (Message7), RequestKey: (Message1), requestType: (UInt1), requestPriority: (UInt2), requestNumber: (UInt3), ...
#Description
MDM Declared Configuration: Error in Processing Eventname: (Message7), RequestKey: (Message1), requestType: (UInt1), requestPriority: (UInt2), requestNumber: (UInt3), activityType: (UInt4), StateMachineType: (UInt5), state: (UInt6), notificationState: (UInt7), enrollmentId: (Message2), userId: (Message3), docId: (Message4), docVersion: (Message5), target: (Message6), result: (HRESULT)
Message #
Fields #
| Name | Description |
|---|---|
UInt1 UInt32 | |
UInt2 UInt32 | |
UInt3 UInt32 | |
UInt4 UInt32 | |
UInt5 UInt32 | |
UInt6 UInt32 | |
UInt7 UInt32 | |
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
Message6 UnicodeString | |
Message7 UnicodeString | |
HRESULT HexInt32 |
Event ID 2524: MDM Declared Configuration: ScenarioId: (Message1) Result: (HRESULT).
#Event ID 2525: MDM Declared Configuration: Exception Details: (UInt1).
#Event ID 2526: MDM Declared Configuration: ActivityExecution: Activity Type (UInt1), Orchestrator Type (Message1), activityKey (Message2), Result: (HRESULT).
#Event ID 2527: MDM Declared Configuration: CDNDownload Delete record Id: (Message1), Result: (HRESULT).
#Event ID 2528: MDM Declared Configuration: Orchestrator CreateNewRequest failed: EnrollmentId: (Message1), UserId: (Message2), DocId: (Message3) Result: (HRESULT).
#Event ID 2529: MDM Declared Configuration: Invalid enrollment(or unenrolling) enrollmentId: (Message1), Result: (HRESULT).
#Event ID 2530: MDM Declared Configuration: EndProcessing Eventname: (Message7), RequestKey: (Message1), requestType: (UInt1), requestPriority: (UInt2), requestNumber: (UInt3), activi...
#Description
MDM Declared Configuration: EndProcessing Eventname: (Message7), RequestKey: (Message1), requestType: (UInt1), requestPriority: (UInt2), requestNumber: (UInt3), activityType: (UInt4), StateMachineType: (UInt5), state: (UInt6), notificationState: (UInt7), enrollmentId: (Message2), userId: (Message3), docId: (Message4), docVersion: (Message5), target: (Message6), result: (HRESULT)
Message #
Fields #
| Name | Description |
|---|---|
UInt1 UInt32 | |
UInt2 UInt32 | |
UInt3 UInt32 | |
UInt4 UInt32 | |
UInt5 UInt32 | |
UInt6 UInt32 | |
UInt7 UInt32 | |
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
Message6 UnicodeString | |
Message7 UnicodeString | |
HRESULT HexInt32 |
Event ID 2531: MDM Declared Configuration: Acquire Orchestrator GlobalMutex failed in function: (Message1), Result: (HRESULT).
#Event ID 2532: MDM Declared Configuration: Alert Status for enrollmentId: (Message1), Result: (HRESULT).
#Event ID 2533: MDM Declared Configuration: ActivityExecution: Activity Type (UInt1), Orchestrator Type (Message1), activityKey (Message2), Result: (HRESULT).
#Event ID 2534: MDM Declared Configuration: Error in Processing Eventname: (Message7), RequestKey: (Message1), requestType: (UInt1), requestPriority: (UInt2), requestNumber: (UInt3), ...
#Description
MDM Declared Configuration: Error in Processing Eventname: (Message7), RequestKey: (Message1), requestType: (UInt1), requestPriority: (UInt2), requestNumber: (UInt3), activityType: (UInt4), StateMachineType: (UInt5), state: (UInt6), notificationState: (UInt7), enrollmentId: (Message2), userId: (Message3), docId: (Message4), docVersion: (Message5), target: (Message6), result: (HRESULT)
Message #
Fields #
| Name | Description |
|---|---|
UInt1 UInt32 | |
UInt2 UInt32 | |
UInt3 UInt32 | |
UInt4 UInt32 | |
UInt5 UInt32 | |
UInt6 UInt32 | |
UInt7 UInt32 | |
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
Message6 UnicodeString | |
Message7 UnicodeString | |
HRESULT HexInt32 |
Event ID 2535: MDM Declared Configuration: Enter function: (Message1).
#Description
MDM Declared Configuration: Enter function: (Message1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"event_id": 2535,
"level": "Information",
"task": null,
"opcode": "Info",
"time_created": "2026-03-17T19:13:24.6042309+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
},
"event_data": {
"Message1": "DCEngine::ExecuteRequests"
}
}
Event ID 2535: MDM Declared Configuration: Enter function: (Message1).
#Description
MDM Declared Configuration: Enter function: ().
Fields #
| Name | Description |
|---|---|
Message1 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 2535,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-03-15T23:43:24.011682+00:00",
"event_record_id": 12,
"correlation": {},
"execution": {
"process_id": 14788,
"thread_id": 14400
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "OrchestratorResume"
},
"message": ""
}
Event ID 2536: MDM Declared Configuration: Exit function: (Message1) with Result: (HRESULT).
#Description
MDM Declared Configuration: Exit function: (Message1) with Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
HRESULT HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"event_id": 2536,
"level": "Information",
"task": null,
"opcode": "Info",
"time_created": "2026-03-17T19:13:54.5986165+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational"
},
"event_data": {
"Message1": "DCEngine::StaticExecuteRequests",
"HRESULT": "0x0"
}
}
Event ID 2536: MDM Declared Configuration: Exit function: (Message1) with Result: (HRESULT).
#Description
MDM Declared Configuration: Exit function: () with Result: ().
Fields #
| Name | Description |
|---|---|
Message1 | |
HRESULT |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 2536,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-03-15T23:43:24.011824+00:00",
"event_record_id": 13,
"correlation": {},
"execution": {
"process_id": 14788,
"thread_id": 14400
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "OrchestratorResume",
"HRESULT": "0x80070002"
},
"message": ""
}
Event ID 2537: MDM Declared Configuration: Exit OrchestratorConfig: enrollmentId: (Message1) userId: (Message2) docId: (Message3) docVersion: (4), target: (Message5) stateMachineType.
#Description
MDM Declared Configuration: Exit OrchestratorConfig: enrollmentId: (Message1) userId: (Message2) docId: (Message3) docVersion: (4), target: (Message5) stateMachineType: (HexInt1), isNewVersion: (Boolean1).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
HexInt1 HexInt32 | |
Boolean1 Boolean |
Event ID 2538: MDM Declared Configuration: Exit OrchestratorConfig: enrollmentId: (Message1) userId: (Message2) docId: (Message3) docVersion: (4), target: (Message5) stateMachineType.
#Description
MDM Declared Configuration: Exit OrchestratorConfig: enrollmentId: (Message1) userId: (Message2) docId: (Message3) docVersion: (4), target: (Message5) stateMachineType: (HexInt1), isNewVersion: (Boolean1), Hresult: (HexInt2).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
HexInt1 HexInt32 | |
Boolean1 Boolean | |
HexInt2 HexInt32 |
Event ID 2539: MDM Declared Configuration: Exit OrchestratorSetInstanceVariable: enrollmentId: (Message1) docId: (Message2) docVersion: (3), vraiableName: (Message4).
#Event ID 2540: MDM Declared Configuration: Exit OrchestratorSetInstanceVariable: enrollmentId: (Message1) docId: (Message2) docVersion: (3), vraiableName: (Message4) Hresult: (HRESULT).
#Description
MDM Declared Configuration: Exit OrchestratorSetInstanceVariable: enrollmentId: (Message1) docId: (Message2) docVersion: (3), vraiableName: (Message4) Hresult: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HRESULT HexInt32 |
Event ID 2541: MDM Declared Configuration: Enter OrchestratorDelete with GUID: (Message1).
#Event ID 2542: MDM Declared Configuration: Exit OrchestratorDelete with GUID: (Message1) Result: (HRESULT).
#Event ID 2543: MDM Declared Configuration: Exit OrchestratorProcessPreviouslyRanDocs with enrollmentId: (Message1).
#Event ID 2544: MDM Declared Configuration: Exit OrchestratorProcessPreviouslyRanDocs with enrollmentId: (Message1) Result: (HRESULT).
#Event ID 2545: MDM Declared Configuration: Function (Message1) operation (Message2) failed with (HRESULT).
#Description
MDM Declared Configuration: Function (Message1) operation (Message2) failed with (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
HRESULT HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 2545,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T01:13:43.732943+00:00",
"event_record_id": 139,
"correlation": {},
"execution": {
"process_id": 4596,
"thread_id": 21720
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "checkNewInstanceData",
"Message2": "Read isNewInstanceData",
"HRESULT": "0x80070057"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 2546: MDM Declared Configuration: Function (Message1) DocState is: (Message2).
#Event ID 2547: MDM Declared Configuration: Function (Message1) operation (Message2) succeeded.
#Event ID 2548: MDM Declared Configuration: Enter OrchestratorUpdateDocStatus enrollmentId (Message1) userId (Message2) uniqueId (Message3) successStatus (Boolean1).
#Event ID 2549: MDM Declared Configuration: Exit OrchestratorUpdateDocStatus enrollmentId (Message1) userId (Message2) uniqueId (Message3) successStatus (Boolean1) result (HRESULT).
#Description
MDM Declared Configuration: Exit OrchestratorUpdateDocStatus enrollmentId (Message1) userId (Message2) uniqueId (Message3) successStatus (Boolean1) result (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Boolean1 Boolean | |
HRESULT HexInt32 |
Event ID 2550: MDM Declared Configuration: Warning Function (Message1) operation (Message2) result: (HRESULT).
#Event ID 2551: MDM Declared Configuration: Function (Message1) operation (Message2) result: (HRESULT).
#Event ID 2552: DeclaredConfiguration CSP: RefreshInterval can not be smaller than (UInt1).
#Event ID 2553: MDM Declared Configuration: Enter OrchestratorDeletePerEnrollmentScenario enrollmentId (Message1) OSDefinedScenario (Message2).
#Event ID 2554: MDM Declared Configuration: Exit OrchestratorDeletePerEnrollmentScenario enrollmentId (Message1) OSDefinedScenario (Message2) result (HRESULT).
#Event ID 2555: MDM Declared Configuration: Enqueue Request Failure - enrollmentId (Message1) docId (Message2) contextId (Message3) isRefresh (Boolean1) result (HRESULT).
#Event ID 2556: MDM Declared Configuration: Enqueue Request Information - enrollmentId (Message1) docId (Message2) contextId (Message3) isRefresh (Boolean1) result (HRESULT).
#Event ID 2600: MMP-C: Device permission to select target MMP-C environment is (Boolean1).
#Event ID 2600: MMP-C: Device permission to select target MMP-C environment is (Boolean1).
#Event ID 2601: MMP-C: Query for MMP-C environment to target.
#Event ID 2601: MMP-C: Query for MMP-C environment to target.
#Event ID 2602: MMP-C: MMP-C environment to target.
#Event ID 2602: MMP-C: MMP-C environment to target.
#Event ID 2603: MMP-C: Device is allowed to skip MMP-C cert pinning checks.
#Description
MMP-C: Device is allowed to skip MMP-C cert pinning checks.
Event ID 2603: MMP-C: Device is allowed to skip MMP-C cert pinning checks.
#Description
MMP-C: Device is allowed to skip MMP-C cert pinning checks.
Message #
Event ID 2604: MMP-C: Failed to get certificate chain of the Server SSL certificate.
#Event ID 2604: MMP-C: Failed to get certificate chain of the Server SSL certificate.
#Event ID 2605: MMP-C: Failed to verify certificate policy: (Message1) of the Server SSL certificate.
#Event ID 2605: MMP-C: Failed to verify certificate policy: (Message1) of the Server SSL certificate.
#Event ID 2606: MMP-C: Certificate chain too short for MMP-C server SSL cert.
#Event ID 2606: MMP-C: Certificate chain too short for MMP-C server SSL cert.
#Event ID 2607: MMP-C: Getting the hash of the cert in position: (HexInt1) in the MMP-C SSL certificate chain failed.
#Event ID 2607: MMP-C: Getting the hash of the cert in position: (HexInt1) in the MMP-C SSL certificate chain failed.
#Event ID 2608: MMP-C: Found a certificate whose SPKI matched one of the expected pinned certs.
#Description
MMP-C: Found a certificate whose SPKI matched one of the expected pinned certs.
Message #
Event ID 2608: MMP-C: Found a certificate whose SPKI matched one of the expected pinned certs.
#Description
MMP-C: Found a certificate whose SPKI matched one of the expected pinned certs.
Message #
Event ID 2609: MMP-C: MMP-C Server's SSL cert did not chain to any known pinned certificate.
#Description
MMP-C: MMP-C Server's SSL cert did not chain to any known pinned certificate.
Message #
Event ID 2609: MMP-C: MMP-C Server's SSL cert did not chain to any known pinned certificate.
#Description
MMP-C: MMP-C Server's SSL cert did not chain to any known pinned certificate.
Message #
Event ID 2610: MMP-C: Device locked down state to MMP-C: (Boolean1).
#Event ID 2610: MMP-C: Device locked down state to MMP-C: (Boolean1).
#Event ID 2611: MMP-C: Retrieving MMP-C URLs failed.
#Event ID 2611: MMP-C: Retrieving MMP-C URLs failed.
#Event ID 2612: MMP-C: Device locked down to MMP-C: Enrollment URL: (Message1), ToU URL: (Message2), Resource URL: (Message3).
#Event ID 2612: MMP-C: Device locked down to MMP-C: Enrollment URL: (Message1), ToU URL: (Message2), Resource URL: (Message3).
#Event ID 2613: MMP-C: Not all URLs returned by MMP-C discovery.
#Event ID 2613: MMP-C: Not all URLs returned by MMP-C discovery.
#Event ID 2614: MMP-C: Retrieving MMP-C URLs failed.
#Event ID 2614: MMP-C: Retrieving MMP-C URLs failed.
#Event ID 2700: Device rename has been blocked through MDM because machine is domain joined.
#Description
Device rename has been blocked through MDM because machine is domain joined.
Message #
Event ID 2750: DeviceStatus CSP: WscGetSecurityProviderHealth(Message1) returned status HexInt1 and HRESULT HRESULT.
#Description
DeviceStatus CSP: WscGetSecurityProviderHealth(Message1) returned status HexInt1 and HRESULT HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
HexInt1 HexInt32 | |
HRESULT HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 2750,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-11T23:51:35.638355+00:00",
"event_record_id": 642,
"correlation": {},
"execution": {
"process_id": 5816,
"thread_id": 3760
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "WSC_SECURITY_PROVIDER_USER_ACCOUNT_CONTROL",
"HexInt1": "0x2",
"HRESULT": "0x0"
},
"message": ""
}
Event ID 2751: DeviceStatus CSP: Message1 returned HRESULT HRESULT.
#Event ID 2752: DeviceStatus CSP: GetBitlockerStatus indicates drive Message1 is not encrypted, flags:HRESULT.
#Event ID 2800: The following URI has triggered a reboot: (Message1).
#Event ID 2900: BitLocker CSP: GetDeviceEncryptionComplianceStatus indicates Message1 is not compliant with returned status HRESULT.
#Event ID 2901: BitLocker CSP: GetRDVStatus returned status HexInt1 (BDE Disabled=0x00000001, Not Protected=0x00000002, Encryption Type Mismatch=0x00000004).
#Event ID 2902: BitLocker CSP: Encryption method of OS Drive is different than set by policy.
#Event ID 2903: BitLocker CSP: Wrong encryption type for OS Drives used.
#Event ID 2904: BitLocker CSP: Wrong encryption type for OS Drives used.
#Event ID 2905: BitLocker CSP: TPM not used for protection of OS Drives, but is required by policy.
#Event ID 2906: BitLocker CSP: TPM-only protection not used for OS Drives, but is required by policy.
#Event ID 2907: BitLocker CSP: TPM+PIN protection not used for OS Drives, but is required by policy.
#Event ID 2908: BitLocker CSP: TPM+Startup-Key protection not used for OS Drives, but is required by policy.
#Event ID 2909: BitLocker CSP: TPM+PIN+Startup-Key protection not used for OS Drives, but is required by policy.
#Event ID 2910: BitLocker CSP: Fixed Drive not protected.
#Description
BitLocker CSP: Fixed Drive not protected.
Message #
Event ID 2911: BitLocker CSP: Encryption method of Fixed Drive is different than set by policy.
#Event ID 2912: BitLocker CSP: Wrong encryption type for Fixed Drives used.
#Event ID 2913: BitLocker CSP: Wrong encryption type for Fixed Drives used.
#Event ID 2914: BitLocker CSP: OS Drive not protected.
#Description
BitLocker CSP: OS Drive not protected.
Message #
Event ID 3000: Current time (Message1) is earlier than expected renew attempt time (Message2), skip renew.
#Event ID 3000: Current time (Message1) is earlier than expected renew attempt time (Message2), skip renew.
#Event ID 3001: Current time (Message1) is later than expected renew end attempt time (Message2), but continue renew effort.
#Event ID 3001: Current time (Message1) is later than expected renew end attempt time (Message2), but continue renew effort.
#Event ID 3002: Failed to read regkey (Message1) with HRESULT HRESULT).
#Event ID 3002: Failed to read regkey (Message1) with HRESULT HRESULT).
#Event ID 3003: Current renew schedule is incorrect, next run time (Message1) is not between (Message2) and (Message3), updating renew schedule.
#Event ID 3003: Current renew schedule is incorrect, next run time (Message1) is not between (Message2) and (Message3), updating renew schedule.
#Event ID 3004: [MDM Schedule Enrollment Cert Renew Session Start] EnrollmentId: Message1, Renew period: UInt3; Renew retry interval: UInt4; Robo mode: UInt5; Cert Expiration: Message2.
#Description
[MDM Schedule Enrollment Cert Renew Session Start] EnrollmentId: Message1, Renew period: UInt3; Renew retry interval: UInt4; Robo mode: UInt5; Cert Expiration: Message2.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
UInt3 UInt32 | |
UInt4 UInt32 | |
UInt5 UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 3004,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:21:07.063369+00:00",
"event_record_id": 125,
"correlation": {},
"execution": {
"process_id": 9152,
"thread_id": 8668
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "69C01DBD-8068-44F9-9507-8A9DF76C127A",
"Message2": "2028-03-08T18:11:06.00",
"UInt3": 42,
"UInt4": 7,
"UInt5": 0
},
"message": ""
}
Event ID 3004: [MDM Schedule Enrollment Cert Renew Session Start] EnrollmentId: Message1, Renew period: UInt3; Renew retry interval: UInt4; Robo mode: UInt5; Cert Expiration: Message2.
#Event ID 3005: [MDM Schedule Enrollment Cert Renew Session End] Error: HRESULT: HRESULT.
#Description
[MDM Schedule Enrollment Cert Renew Session End] Error: HRESULT: HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
HRESULT HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 3005,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:21:07.156368+00:00",
"event_record_id": 126,
"correlation": {},
"execution": {
"process_id": 9152,
"thread_id": 8668
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"HRESULT": "0x0"
},
"message": ""
}
Event ID 3005: [MDM Schedule Enrollment Cert Renew Session End] Error: HRESULT: HRESULT.
#Event ID 3006: Current time (Message1) is earlier than last renew time plus wait period (Message2), skip renew.
#Event ID 3006: Current time (Message1) is earlier than last renew time plus wait period (Message2), skip renew.
#Event ID 3007: Begin creating enrollment key in TPM function (Message1).
#Event ID 3008: End creating enrollment key in TPM function (Message1) with result (HRESULT).
#Event ID 3009: Function (Message1), cryptoProvider: (Message2), failed when binding keys, HRESULT(HRESULT).
#Event ID 3010: Skip export private keys when using TPM in function (Message1).
#Event ID 3011: Creating key with crypto provider: (ProviderName) HRESULT: (HRESULT2), failFunction: (FunctionName), CryptoProvider index (ProviderIndex) of total (TotalProviders).
#Description
Creating key with crypto provider: (ProviderName) HRESULT: (HRESULT2), failFunction: (FunctionName), CryptoProvider index (ProviderIndex) of total (TotalProviders).
Message #
Fields #
| Name | Description |
|---|---|
ProviderName UnicodeString | |
HRESULT2 HexInt32 | |
FunctionName UnicodeString | |
ProviderIndex UInt32 | |
TotalProviders UInt32 |
Event ID 3011: Creating key with crypto provider: (ProviderName) HRESULT: (HRESULT2), failFunction: (FunctionName), CryptoProvider index (ProviderIndex) of total (TotalProviders).
#Description
Creating key with crypto provider: (ProviderName) HRESULT: (HRESULT2), failFunction: (FunctionName), CryptoProvider index (ProviderIndex) of total (TotalProviders).
Message #
Fields #
| Name | Description |
|---|---|
ProviderName UnicodeString | |
HRESULT2 HexInt32 | |
FunctionName UnicodeString | |
ProviderIndex UInt32 | |
TotalProviders UInt32 |
Event ID 3012: TPM State: Version:(TPMVersion) ReadyForStorage:(ReadyForStorage) NotReadyReason:(NotReadyReason), ReadyForAttestation:(ReadyForAttestation), NotReadyReason:(NotREadyReason), isUnsatifactory:(IsUns...
#Event ID 3012: TPM State: Version:(TPMVersion) ReadyForStorage:(ReadyForStorage) NotReadyReason:(NotReadyReason), ReadyForAttestation:(ReadyForAttestation), NotReadyReason:(NotREadyReason), isUnsatifactory:(IsUns...
#Description
TPM State: Version:(TPMVersion) ReadyForStorage:(ReadyForStorage) NotReadyReason:(NotReadyReason), ReadyForAttestation:(ReadyForAttestation), NotReadyReason:(NotREadyReason), isUnsatifactory:(IsUnsatifactory), hasVulnerability:(HasVulnerability), isLockedout:(IsLocked), AlgOidInUse:(AlgorithmOid), IsAlgOidInUseSupported:(IsSupportedAlg).
Message #
Fields #
| Name | Description |
|---|---|
TPMVersion UInt32 | |
ReadyForStorage Boolean | |
NotReadyReason UnicodeString | |
ReadyForAttestation Boolean | |
NotREadyReason UnicodeString | |
IsUnsatifactory Boolean | |
HasVulnerability Boolean | |
IsLocked Boolean | |
IsSupportedAlg Boolean | |
AlgorithmOid UnicodeString |
Event ID 3013: Function Name: (Message1) HRESULT:(HRESULT).
#Description
Function Name: (Message1) HRESULT:(HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
HRESULT HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 3013,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-09T18:21:00.269629+00:00",
"event_record_id": 118,
"correlation": {},
"execution": {
"process_id": 9152,
"thread_id": 8668
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "DmGetTpmInfo",
"HRESULT": "0x8028400f"
},
"message": ""
}
Event ID 3013: Function Name: (Message1) HRESULT:(HRESULT).
#Event ID 3014: CanEnroll Error: GetNumberOfEnrollmentsOfType failed with reason: (Message1), EnrollType: (HexInt1), HRESULT: (HRESULT).
#Event ID 3014: CanEnroll Error: GetNumberOfEnrollmentsOfType failed with reason: (Message1), EnrollType: (HexInt1), HRESULT: (HRESULT).
#Event ID 3015: CanEnroll Error: DiscoveryServiceFullUrl: (Message1), AccountID: (Message2), AadResourceUrl: (Message3), OpaqueId: (Message4), TenantId: (Message5), CorrelationID(Message6), Failure R...
#Description
CanEnroll Error: DiscoveryServiceFullUrl: (), AccountID: (), AadResourceUrl: (), OpaqueId: (), TenantId: (), CorrelationID(), Failure Reason (), JoinType: (), EnrollType: (), HRESULT: ().
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
Message6 UnicodeString | |
Message7 UnicodeString | |
UInt1 UInt32 | |
UInt2 UInt32 | |
HRESULT HexInt32 |
Event ID 3200: OsConfiguration API success: Function (Message1) EnrollmentId (Message2) DocumentId (Message3) ScenarioName (Message4) ScenarioVersion (Message5) ScenarioSchema (Message6) WaitTime.
#Description
OsConfiguration API success: Function (Message1) EnrollmentId (Message2) DocumentId (Message3) ScenarioName (Message4) ScenarioVersion (Message5) ScenarioSchema (Message6) WaitTime (UInt1 seconds) failed with HRESULT: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
Message6 UnicodeString | |
UInt1 UInt32 | |
HRESULT HexInt32 |
Event ID 3200
#Description
OsConfiguration API success: Function () EnrollmentId () DocumentId () ScenarioName () ScenarioVersion () ScenarioSchema () WaitTime ( seconds) failed with HRESULT: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
Message6 UnicodeString | |
UInt1 UInt32 | |
HRESULT HexInt32 |
Event ID 3201: OsConfiguration API failure: Function (Message1) EnrollmentId (Message2) DocumentId (Message3) ScenarioName (Message4) ScenarioVersion (Message5) ScenarioSchema (Message6) WaitTime.
#Description
OsConfiguration API failure: Function (Message1) EnrollmentId (Message2) DocumentId (Message3) ScenarioName (Message4) ScenarioVersion (Message5) ScenarioSchema (Message6) WaitTime (UInt1 seconds) failed with HRESULT: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
Message6 UnicodeString | |
UInt1 UInt32 | |
HRESULT HexInt32 |
Event ID 3201
#Description
OsConfiguration API failure: Function () EnrollmentId () DocumentId () ScenarioName () ScenarioVersion () ScenarioSchema () WaitTime ( seconds) failed with HRESULT: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
Message6 UnicodeString | |
UInt1 UInt32 | |
HRESULT HexInt32 |
Event ID 4000: DcSvc: Successfully initialized service.
#Description
DcSvc: Successfully initialized service. Result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
HRESULT HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 4000,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T06:25:47.748360+00:00",
"event_record_id": 52,
"correlation": {},
"execution": {
"process_id": 5040,
"thread_id": 5056
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"HRESULT": "0x0"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4001: DcSvc: Failled to initialize service.
#Event ID 4002: DcSvc: Successfully registered service's RPC interface.
#Event ID 4003: DcSvc: Failed to register service's RPC interface.
#Event ID 4005: DcSvc: Successfully unregistered service's RPC interface.
#Event ID 4006: DcSvc: Failed to unregister service's RPC interface.
#Event ID 4007: DcSvc: successfully uninitialize service.
#Event ID 4008: DcSvc: Failed to uninitialized service.
#Event ID 4009: DcSvc: Service status updated.
#Description
DcSvc: Service status updated. Current state: (HexInt1), Exit code: (HexInt2), Wait hint: (HexInt3).
Message #
Fields #
| Name | Description |
|---|---|
HexInt1 HexInt32 | |
HexInt2 HexInt32 | |
HexInt3 HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 4009,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T06:25:47.770822+00:00",
"event_record_id": 53,
"correlation": {},
"execution": {
"process_id": 5040,
"thread_id": 5056
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"HexInt1": "0x4",
"HexInt2": "0x0",
"HexInt3": "0x0"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4010: DcSvc: Stop Service handler registered.
#Event ID 4011: DcSvc: Service handler invoked.
#Event ID 4012: DcSvc: Failed to activate RPC Server Interface group because a duplicate end point exists.
#Event ID 4013: DcSvc: Failed to deactivate RPC Server Interface group.
#Event ID 4014: DcSvc: Successfully deactivated RPC Server Interface group.
#Event ID 4015: DcSvc: Failed to close RPC Server Interface group.
#Event ID 4016: DcSvc: Successfully closed RPC Server Interface group.
#Event ID 4017: DcSvc: Failed to create RPC Server Interface group.
#Event ID 4018: DcSvc: Successfully created RPC Server Interface group.
#Event ID 4019: DcSvc: Service is being initialized.
#Description
DcSvc: Service is being initialized.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider",
"guid": "3DA494E4-0FE2-415C-B895-FB5265C5C83B",
"event_source_name": "",
"event_id": 4019,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2023-11-06T06:25:47.745461+00:00",
"event_record_id": 50,
"correlation": {},
"execution": {
"process_id": 5040,
"thread_id": 5056
},
"channel": "Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 4020: DcSvc: DeclaredConfigurationStore_RecreateSchedule failed.
#Event ID 4021: DcSvc:: Failed to create ConfigManager lock service binding.
#Event ID 4022: Failed to enroll MMP-C for dual enrollment mode.
#Event ID 4022: Failed to enroll MMP-C for dual enrollment mode.
#Event ID 4023: Enroll MMP-C for dual enrollment mode succeeded.
#Description
Enroll MMP-C for dual enrollment mode succeeded.
Message #
Event ID 4023: Enroll MMP-C for dual enrollment mode succeeded.
#Description
Enroll MMP-C for dual enrollment mode succeeded.
Message #
Event ID 4024: Failed to unenroll MMP-C for dual enrollment mode.
#Event ID 4024: Failed to unenroll MMP-C for dual enrollment mode.
#Event ID 4025: Unenroll MMP-C for dual enrollment mode succeeded.
#Description
Unenroll MMP-C for dual enrollment mode succeeded.
Message #
Event ID 4025: Unenroll MMP-C for dual enrollment mode succeeded.
#Description
Unenroll MMP-C for dual enrollment mode succeeded.
Message #
Event ID 4026: Failed to set mmpc flag.
#Event ID 4026: Failed to set mmpc flag.
#Event ID 4027: The following resource (Message1) has current state (Message2).
#Event ID 4028: MMP-C dual enrollment is bypassed with result: (HRESULT).
#Event ID 4028: MMP-C dual enrollment is bypassed with result: (HRESULT).
#Event ID 4029: Resource transfer (Message6) with enrollmentId (Message1), context(Message2), docId(Message3), docVersion(Message4), resourceUri(Message5) with result: (HRESULT).
#Description
Resource transfer (Message6) with enrollmentId (Message1), context(Message2), docId(Message3), docVersion(Message4), resourceUri(Message5) with result: (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
Message6 UnicodeString | |
HRESULT HexInt32 |
Event ID 4030: Resource transfer from MMPC to MDM with enrollmentId (Message1), context(Message2), docId(Message3), docVersion(Message4) failed with result: (HRESULT).
#Event ID 4031: MDM Declared Configuration: Orchestrator detects conflict with enrollmentId (Message1), context(Message2), docId(Message3), docVersion(Message4), cspName(Message5), uriPath(Message6) ...
#Description
MDM Declared Configuration: Orchestrator detects conflict with enrollmentId (), context(), docId(), docVersion(), cspName(), uriPath() with result: (), SameValue(): Count(, , ).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
Message6 UnicodeString | |
HRESULT HexInt32 | |
UInt8 UInt32 | |
UInt9 UInt32 | |
UInt10 UInt32 | |
UInt11 UInt32 |
Event ID 4032: MDM Declared Configuration: Update drift control with enrollmentId (Message1), docId(Message2), driftControl(UInt1) with result: (HexInt1).
#Event ID 4033: MDM Declared Configuration: Update drift control refresh period with enrollmentId (Message1), docId(Message2), refreshPeriod(UInt1) with result: (HexInt1).
#Event ID 4050: Drift Control - No Drift Detected: enrollmentId (Message1), context(Message2), docId(Message3), docVersion(Message4), Uri(Message5).
#Event ID 4051: Drift Control - Drift Detected: enrollmentId (Message1), context(Message2), docId(Message3), docVersion(Message4), Uri(Message5), Result:(HRESULT).
#Description
Drift Control - Drift Detected: enrollmentId (Message1), context(Message2), docId(Message3), docVersion(Message4), Uri(Message5), Result:(HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
HRESULT HexInt32 |
Event ID 4052: Drift Control - Skip Refresh: enrollmentId (Message1), context(Message2), docId(Message3), docVersion(Message4), Uri(Message5).
#Event ID 4053: Drift Control - Drift Unrecoverable: enrollmentId (Message1), context(Message2), docId(Message3), docVersion(Message4), Uri(Message5), Result:(HRESULT).
#Description
Drift Control - Drift Unrecoverable: enrollmentId (Message1), context(Message2), docId(Message3), docVersion(Message4), Uri(Message5), Result:(HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
HRESULT HexInt32 |
Event ID 4100: UserRights account delete failed.
#Description
UserRights account delete failed. UserRight: Message1, account name: Message2, SID: Message3, Name resolution type: Message4. Result:(UInt1) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
UInt1 UInt32 | |
HRESULT HexInt32 |
Event ID 4101: UserRights account add failed.
#Description
UserRights account add failed. UserRight: Message1, account name: Message2, SID: Message3, Name resolution type: Message4. Result:(UInt1) HRESULT.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
UInt1 UInt32 | |
HRESULT HexInt32 |
Event ID 4102: UserRights account add failed.
#Event ID 4103: UserRights SID is invalid.
#Event ID 4104: Bulk Instance Data Parsed Successfully.
#Description
Bulk Instance Data Parsed Successfully. DocID: Message1, DocVersion: Message2, EnrollmentId: Message3, UserSid: Message4, Number of Instances: HexInt1, Variables per instance: HexInt2.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HexInt1 HexInt32 | |
HexInt2 HexInt32 |
Event ID 4105: MDM Declared Configuration: DeclaredConfigurationStore_ParseBulkInstanceData error at (Message1): (Message2), HRESULT: (HRESULT).
#Event ID 4106: Dual enrollment task creation is successful.
#Description
Dual enrollment task creation is successful.
Message #
Event ID 4107: MDM Declared Configuration resource cleanup task succeeded.
#Description
MDM Declared Configuration resource cleanup task succeeded.
Message #
Event ID 4108: MDM Declared Configuration resource cleanup task failed.
#Description
MDM Declared Configuration resource cleanup task failed.
Message #
Event ID 4109: Dual enrollment: missing parent enrollment Id (HRESULT).
#Event ID 4109: Dual enrollment: missing parent enrollment Id (HRESULT).
#Event ID 4110: Dual enrollment: discovery endpoint is not set (HRESULT).
#Event ID 4110: Dual enrollment: discovery endpoint is not set (HRESULT).
#Event ID 4111: Dual enrollment: discovery endpoint string is too big (HRESULT).
#Event ID 4111: Dual enrollment: discovery endpoint string is too big (HRESULT).
#Event ID 4112: Dual enrollment: existing dual enrollment found (Message1), skipping enroll task creation.
#Event ID 4112: Dual enrollment: existing dual enrollment found (Message1), skipping enroll task creation.
#Event ID 4113: Dual enrollment: EntDMId of the main enrollment is not found (HRESULT).
#Event ID 4113: Dual enrollment: EntDMId of the main enrollment is not found (HRESULT).
#Event ID 4114: Dual enrollment: could not find main enrollment GUID (HRESULT).
#Event ID 4114: Dual enrollment: could not find main enrollment GUID (HRESULT).
#Event ID 4115: Dual enrollment: found multiple MDM enrollments.
#Description
Dual enrollment: found multiple MDM enrollments.
Message #
Event ID 4115: Dual enrollment: found multiple MDM enrollments.
#Description
Dual enrollment: found multiple MDM enrollments.
Message #
Event ID 4116: UserRights account SID not mapped to account.
#Event ID 4117: Resource transfer from MDM failed with enrollmentId (Message1), context(Message2), docId(Message3), Result(HRESULT).
#Event ID 4201: ConfigRefresh failed with HRESULT HRESULT.
#Event ID 4202: ConfigRefresh completed successfully.
#Description
ConfigRefresh completed successfully.
Message #
Event ID 4203: Failed to create ConfigRefresh task.
#Event ID 4204: Failed to delete ConfigRefresh task.
#Event ID 4205: Failed to set ConfigRefresh Enabled value to UInt1.
#Event ID 4206: Failed to delete ConfigRefresh Enabled node.
#Event ID 4207: Failed to disable ConfigRefresh task.
#Event ID 4208: Failed to enable ConfigRefresh task.
#Event ID 4209: Failed to set ConfigRefresh Cadence value to UInt1.
#Event ID 4210: Failed to delete ConfigRefresh Cadence node.
#Event ID 4211: Failed to update ConfigRefresh task with Cadence value UInt1.
#Event ID 4212: Failed to set ConfigRefresh Pause Period value to UInt1.
#Event ID 4213: Failed to delete ConfigRefresh Pause Period node.
#Event ID 4214: Failed to update ConfigRefresh task with Pause Period value UInt1.
#Event ID 4215: Message1 failed to acquire ConfigRefresh mutex.
#Event ID 4216: Failed to release ConfigRefresh mutex.
#Event ID 4217: Failed to set ConfigRefresh thread to lowest priority.
#Event ID 4218: Wait for ConfigRefresh semaphore failed.
#Event ID 4219: Failed to release ConfigRefresh semaphore.
#Event ID 4220: ConfigRefresh skipped because OmaDmClient sync is in progress
#Description
ConfigRefresh skipped because OmaDmClient sync is in progress.
Message #
Event ID 4221: DeclaredConfigurationRefresh skipped because OmaDmClient sync is in progress
#Description
DeclaredConfigurationRefresh skipped because OmaDmClient sync is in progress.
Message #
Event ID 4222: ConfigLock skipped because OmaDmClient sync is in progress
#Description
ConfigLock skipped because OmaDmClient sync is in progress.
Message #
Event ID 4223: Soap Response Message with error: (Message1).
#Event ID 4224: ConfigRefresh just for per user policies started.
#Description
ConfigRefresh just for per user policies started.
Message #
Event ID 4225: ConfigRefresh just for per user policies failed with HRESULT HRESULT.
#Event ID 4226: ConfigRefresh just for per user policies cdcompleted successfully.
#Description
ConfigRefresh just for per user policies cdcompleted successfully.
Message #
Event ID 4227: ConfigRefresh for just per user policies skipped because OmaDmClient sync is in progress
#Description
ConfigRefresh for just per user policies skipped because OmaDmClient sync is in progress.
Message #
Event ID 4300: Failed to load Message1.
#Event ID 4301: Failed to GetProcAddress of Message1.
#Event ID 4302: ADMX-backed policy Message1/Message2 CSE Message3 call failed.
#Event ID 4400: Attestation attempt started with Correlation Vector: (Message1), RPID: (Message2), Attestation URI (Message3).
#Event ID 4401: Attestation attempt succeeded with Correlation Vector: (Message1), Server Correlation Vector (Message2), RPID: (Message3), Attestation URI (Message4), and HRESULT (HRESULT).
#Description
Attestation attempt succeeded with Correlation Vector: (Message1), Server Correlation Vector (Message2), RPID: (Message3), Attestation URI (Message4), and HRESULT (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HRESULT HexInt32 |
Event ID 4402: Attestation attempt failed with Correlation Vector: (Message1), Server Correlation Vector (Message2), RPID: (Message3), Attestation URI (Message4), Error Message (Message5) and ...
#Description
Attestation attempt failed with Correlation Vector: (Message1), Server Correlation Vector (Message2), RPID: (Message3), Attestation URI (Message4), Error Message (Message5) and HRESULT (HRESULT).
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString | |
Message4 UnicodeString | |
Message5 UnicodeString | |
HRESULT HexInt32 |
Event ID 4403: Attestation PDC Activate Failed with (HRESULT).
#Event ID 4404: Attestation PDC Deactivate failed with (HRESULT).
#Event ID 4405: Attestation PDC Function (Message1) failed with (HRESULT).
#Event ID 4500: MDM Registry Provider: Set value, URI: (Message1), Data Type: (UInt2), Int: (UInt3), Enrollment ID: (Message4).
#Event ID 4500
#Description
MDM Registry Provider: Set value, URI: (), Data Type: (), Int: (), Enrollment ID: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
UInt2 UInt32 | |
UInt3 UInt32 | |
Message4 UnicodeString |
Event ID 4501: MDM Registry Provider: Set value, URI: (Message1), Data Type: (UInt2), String: (Message3), Enrollment ID: (Message4).
#Event ID 4501
#Description
MDM Registry Provider: Set value, URI: (), Data Type: (), String: (), Enrollment ID: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
UInt2 UInt32 | |
Message3 UnicodeString | |
Message4 UnicodeString |
Event ID 4502: MDM Registry Provider: Set value, URI: (Message1), Data Type: (UInt2), Binary Size: (UInt3), Enrollment ID: (Message4).
#Event ID 4502
#Description
MDM Registry Provider: Set value, URI: (), Data Type: (), Binary Size: (), Enrollment ID: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
UInt2 UInt32 | |
UInt3 UInt32 | |
Message4 UnicodeString |
Event ID 4503: MDM Registry Provider: Delete value, URI: (Message1), Data Type: (UInt2), Enrollment ID: (Message3).
#Event ID 4503
#Description
MDM Registry Provider: Delete value, URI: (), Data Type: (), Enrollment ID: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
UInt2 UInt32 | |
Message3 UnicodeString |
Event ID 4504: MDM Registry Provider: Set value with failure, URI: (Message1), Data Type: (UInt2), Int: (UInt3), Enrollment ID: (Message4), Result: (HexInt5).
#Event ID 4504
#Description
MDM Registry Provider: Set value with failure, URI: (), Data Type: (), Int: (), Enrollment ID: (), Result: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
UInt2 UInt32 | |
UInt3 UInt32 | |
Message4 UnicodeString | |
HexInt5 HexInt32 |
Event ID 4505: MDM Registry Provider: Set value with failure, URI: (Message1), Data Type: (UInt2), String: (Message3), Enrollment ID: (Message4), Result: (HexInt5).
#Event ID 4505
#Description
MDM Registry Provider: Set value with failure, URI: (), Data Type: (), String: (), Enrollment ID: (), Result: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
UInt2 UInt32 | |
Message3 UnicodeString | |
Message4 UnicodeString | |
HexInt5 HexInt32 |
Event ID 4506: MDM Registry Provider: Set value with failure, URI: (Message1), Data Type: (UInt2), Binary Size: (UInt3), Enrollment ID: (Message4), Result: (HexInt5).
#Event ID 4506
#Description
MDM Registry Provider: Set value with failure, URI: (), Data Type: (), Binary Size: (), Enrollment ID: (), Result: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
UInt2 UInt32 | |
UInt3 UInt32 | |
Message4 UnicodeString | |
HexInt5 HexInt32 |
Event ID 4507: MDM Registry Provider: Set value with failure, URI: (Message1), Data Type: (UInt2), Enrollment ID: (Message3), Result: (HexInt4).
#Event ID 4507
#Description
MDM Registry Provider: Set value with failure, URI: (), Data Type: (), Enrollment ID: (), Result: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
UInt2 UInt32 | |
Message3 UnicodeString | |
HexInt4 HexInt32 |
Event ID 4508: MDM Registry Provider: Delete value with failure, URI: (Message1), Data Type: (UInt2), Enrollment ID: (Message3), Result: (HexInt4).
#Event ID 4508
#Description
MDM Registry Provider: Delete value with failure, URI: (), Data Type: (), Enrollment ID: (), Result: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
UInt2 UInt32 | |
Message3 UnicodeString | |
HexInt4 HexInt32 |
Event ID 4509: MDM Registry Provider: Set value, URI: (Message1), Data Type: (UInt2), Int: (UInt3), Enrollment ID: (Message4).
#Event ID 4509
#Description
MDM Registry Provider: Set value, URI: (), Data Type: (), Int: (), Enrollment ID: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
UInt2 UInt32 | |
UInt3 UInt64 | |
Message4 UnicodeString |
Event ID 4510: MDM Registry Provider: Set value with failure, URI: (Message1), Data Type: (UInt2), Int: (UInt3), Enrollment ID: (Message4), Result: (HexInt5).
#Event ID 4510
#Description
MDM Registry Provider: Set value with failure, URI: (), Data Type: (), Int: (), Enrollment ID: (), Result: ().
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
UInt2 UInt32 | |
UInt3 UInt64 | |
Message4 UnicodeString | |
HexInt5 HexInt32 |
Event ID 4600: Parsing notification payload succeeded
#Description
Parsing notification payload succeeded. NotificationId.
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString |
Event ID 4600: Parsing notification payload succeeded.
#Event ID 4601: Parsing notification payload failed.
#Event ID 4601: Parsing notification payload failed
#Description
Parsing notification payload failed. NotificationId: , HRESULT.
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
HRESULT HexInt32 |
Event ID 4602: Getting push alert info for push initiated session succeeded
#Description
Getting push alert info for push initiated session succeeded. NotificationId.
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString |
Event ID 4602: Getting push alert info for push initiated session succeeded.
#Event ID 4603: Getting push alert info for push initiated session failed.
#Event ID 4603: Getting push alert info for push initiated session failed
#Description
Getting push alert info for push initiated session failed. NotificationId: , HRESULT.
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
HRESULT HexInt32 |
Event ID 4604: Parsing notification payload succeeded.
#Event ID 4604: Parsing notification payload succeeded
#Description
Parsing notification payload succeeded. NotificationId: , Payload.
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString |
Event ID 4605: Parsing notification payload failed.
#Event ID 4605: Parsing notification payload failed
#Description
Parsing notification payload failed. NotificationId: , HRESULT: , Payload.
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
HRESULT HexInt32 | |
Message2 UnicodeString |
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 3da494e4-0fe2-415c-b895-fb5265c5c83b
Defined in dmenterprisediagnostics.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.2849, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.5074, captured 2026-06-02
Downloads
- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider registered manifest XML (in the WS2022-20348.4893 manifest pack, 1.9 MB) manifest-xml
- Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider registered manifest XML (in the Win11-26200.6584 manifest pack, 2.0 MB) manifest-xml