Microsoft-Windows-Provisioning-Diagnostics-Provider
114 events across 5 channels
Event ID 10: Configuring ProvXML with category 'Message1'.
#Description
Configuring ProvXML with category 'Message1'.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | ProvXML data |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Provisioning-Diagnostics-Provider",
"guid": "ED8B9BD3-F66E-4FF2-B86B-75C7925F72A9",
"event_source_name": "",
"event_id": 10,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T06:25:52.831967+00:00",
"event_record_id": 113,
"correlation": {},
"execution": {
"process_id": 3584,
"thread_id": 3588
},
"channel": "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "PowerSettings",
"Message2": "MCSF/Power/Controls/EnergyEstimationEnabled"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 11: ProvXML category 'Message1' completed successfully.
#Description
ProvXML category 'Message1' completed successfully. Message2.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Provisioning-Diagnostics-Provider",
"guid": "ED8B9BD3-F66E-4FF2-B86B-75C7925F72A9",
"event_source_name": "",
"event_id": 11,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-05T22:26:45.490065+00:00",
"event_record_id": 132,
"correlation": {
"ActivityID": "F590C418-1079-0003-3DF1-90F57910DA01"
},
"execution": {
"process_id": 3584,
"thread_id": 3588
},
"channel": "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "PowerSettings",
"Message2": "Provisioning succeeded"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 12: ProvXML category 'Message1' failed with 'HRESULT' at CSP node 'Message2'.
#Event ID 13: Setting Message1 was ignored because it was not available on this OS build.
#Event ID 20: Applying package 'Message1' ID: Message2.
#Description
Applying package 'Message1' ID: Message2.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | 1' ID. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Provisioning-Diagnostics-Provider",
"guid": "ED8B9BD3-F66E-4FF2-B86B-75C7925F72A9",
"event_source_name": "",
"event_id": 20,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T06:25:50.949676+00:00",
"event_record_id": 111,
"correlation": {},
"execution": {
"process_id": 3584,
"thread_id": 3588
},
"channel": "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "Microsoft.Windows.Cosa.Desktop.Client.ppkg",
"Message2": "{c8a326e4-f518-4f14-b543-97a57e1a975e}"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 21: Package 'Message1' has completed.
#Event ID 22: Package 'Message1' failed with 'HRESULT'.
#Event ID 23: Skipping package 'Message1' ID: Message2.
#Event ID 30: Initiating provisioning turn '{Int1}'.
#Event ID 31: Provisioning turn '{Int1}' has completed.
#Event ID 32: Provisioning turn '{Int1}' failed with '{HRESULT}'.
#Event ID 40: Registry specified search path is invalid: Message1.
#Event ID 41: InitiateSystemShutdownEx succeeded.
#Description
InitiateSystemShutdownEx succeeded.
Message #
Event ID 42: InitiateSystemShutdownEx failed.
#Event ID 44: InitiateSystemShutdownEx succeeded.
#Description
InitiateSystemShutdownEx succeeded.
Message #
Event ID 45: InitiateSystemShutdownEx failed.
#Event ID 60: AddPackage initiated, pathCount = UInt1.
#Event ID 61: AddPackage succeeded, targetPath = Message1.
#Event ID 62: AddPackage failed.
#Event ID 63: RemovePackage initiated, package id = Message1.
#Event ID 64: RemovePackage succeeded, package id = Message1.
#Event ID 65: RemovePackage failed.
#Event ID 66: RemovePackageMetadata succeeded, package id = Message1.
#Event ID 67: RemovePackageMetadata failed.
#Event ID 68: RemoveResourceManagerPackageMetadataForCsp succeeded, package id = Message1.
#Event ID 69: RemoveResourceManagerPackageMetadataForCsp failed.
#Event ID 70: ApplyKnownPackages initiated, turn = Int1.
#Event ID 71: ApplyKnownPackages succeeded, turn = Int1.
#Event ID 72: ApplyKnownPackages failed.
#Event ID 73: PublishDeviceProvisioningLogs failed.
#Event ID 73: PublishDeviceProvisioningLogs failed
#Description
PublishDeviceProvisioningLogs failed. HRESULT =.
Fields #
| Name | Description |
|---|---|
HRESULT HexInt32 |
Event ID 74: PublishDeviceProvisioningLogs succeeded.
#Description
PublishDeviceProvisioningLogs succeeded.
Message #
Event ID 74: PublishDeviceProvisioningLogs succeeded
#Description
PublishDeviceProvisioningLogs succeeded.
Event ID 75: CleanupOOBEProvisioningLogs failed.
#Event ID 75: CleanupOOBEProvisioningLogs failed
#Description
CleanupOOBEProvisioningLogs failed. HRESULT =.
Fields #
| Name | Description |
|---|---|
HRESULT HexInt32 |
Event ID 76: CleanupOOBEProvisioningLogs succeeded.
#Description
CleanupOOBEProvisioningLogs succeeded.
Message #
Event ID 76: CleanupOOBEProvisioningLogs succeeded
#Description
CleanupOOBEProvisioningLogs succeeded.
Event ID 80: GetLastProvisioningResultsAsync succeeded, resultCount = UInt1.
#Event ID 81: GetLastProvisioningResultsAsync failed.
#Event ID 82: GetLastProvisioningCommandResultsAsync succeeded, resultCount = UInt1.
#Event ID 83: GetLastProvisioningCommandResultsAsync.
#Event ID 90: Settings detail.
#Description
Settings detail.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString | |
Message2 UnicodeString | |
Message3 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Provisioning-Diagnostics-Provider",
"guid": "ED8B9BD3-F66E-4FF2-B86B-75C7925F72A9",
"event_source_name": "",
"event_id": 90,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T06:25:42.966867+00:00",
"event_record_id": 89,
"correlation": {},
"execution": {
"process_id": 3584,
"thread_id": 3588
},
"channel": "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "OOBE",
"Message2": "<Not Present>",
"Message3": "<Not Present>"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 91: RegisterForCspAlerts succeeded.
#Description
RegisterForCspAlerts succeeded. EnrollmentId = Message1.
Message #
Fields #
| Name | Description |
|---|---|
Message1 UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-Provisioning-Diagnostics-Provider",
"guid": "ED8B9BD3-F66E-4FF2-B86B-75C7925F72A9",
"event_source_name": "",
"event_id": 91,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2023-11-06T06:25:52.831884+00:00",
"event_record_id": 112,
"correlation": {},
"execution": {
"process_id": 3584,
"thread_id": 3588
},
"channel": "Microsoft-Windows-Provisioning-Diagnostics-Provider/Admin",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"Message1": "{1e05dd5d-a022-46c5-963c-b20de341170f}"
},
"message": ""
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 92: RegisterForCspAlerts Failed.
#Event ID 93: UpdatePendingResultInternal succeeded.
#Event ID 94: UpdatePendingResultInternal Failed.
#Event ID 100: AutoPilot policy [Message1] not found.
#Event ID 101: AutoPilotGetPolicyDwordByName succeeded: policy name = Message1; policy value = Int1.
#Event ID 102: AutoPilotGetPolicyDwordByName error: policy name = Message1; HRESULT = HRESULT.
#Event ID 103: AutoPilotGetPolicyStringByName succeeded: policy name = Message1; policy value = Message2.
#Event ID 104: AutoPilotGetPolicyStringByName error: policy name = Message1; HRESULT = HRESULT.
#Event ID 106: AutoPilotDisable error: HRESULT = HRESULT.
#Event ID 107: AutoPilot state = Message1.
#Event ID 108: AutoPilotIsDisabled error: HRESULT = HRESULT.
#Event ID 109: AutoPilotGetOobeSettingsOverride succeeded: OOBE setting = Message1; state = Message2.
#Event ID 110: AutoPilotGetOobeSettingsOverride error: OOBE setting = Message1; HRESULT = HRESULT.
#Event ID 111: AutoPilotRetrieveSettings succeeded.
#Description
AutoPilotRetrieveSettings succeeded.
Message #
Event ID 112: AutoPilotRetrieveSettings error: HRESULT = HRESULT.
#Event ID 113: AutoPilot reported the DLL was unloaded while there were Int1 outstanding calls.
#Event ID 114: AutoPilotRetrieveSettings was skipped because this version of Windows does not support Azure Active Directory join.
#Description
AutoPilotRetrieveSettings was skipped because this version of Windows does not support Azure Active Directory join.
Message #
Event ID 115: Autopilot discovery failed to find a valid MDM.
#Event ID 150: AutoPilotManager started the MSA service for TPM attestation identity.
#Description
AutoPilotManager started the MSA service for TPM attestation identity.
Message #
Event ID 151: AutoPilotManager started the TPM task to update TPM attestation.
#Description
AutoPilotManager started the TPM task to update TPM attestation.
Message #
Event ID 152: AutoPilotManager reported TPM task is complete.
#Description
AutoPilotManager reported TPM task is complete.
Message #
Event ID 153: AutoPilotManager reported the state changed from InitialState to UpdateState.
#Event ID 154: AutoPilotManager failed to start MSA service.
#Event ID 155: AutoPilotManager failed to start TPM task.
#Event ID 156: AutoPilotManager reported that MSA TPM is not configured for hardware TPM attestation even though the profile indicates it is required.
#Description
AutoPilotManager reported that MSA TPM is not configured for hardware TPM attestation even though the profile indicates it is required. AutoPilot cannot proceed.
Message #
Event ID 157: AutoPilotManager reported that TPM attestation lasted UInt1 microseconds.
#Event ID 160: AutoPilotRetrieveSettings beginning acquisition.
#Description
AutoPilotRetrieveSettings beginning acquisition.
Message #
Event ID 161: AutoPilotManager retrieve settings succeeded.
#Description
AutoPilotManager retrieve settings succeeded.
Message #
Event ID 162: AutoPilotManager determined download is not required and the device is not provisioned.
#Description
AutoPilotManager determined download is not required and the device is not provisioned. Clean or reset the device to change this.
Message #
Event ID 163: AutoPilotManager determined download is not required and the device is already provisioned.
#Description
AutoPilotManager determined download is not required and the device is already provisioned. Clean or reset the device to change this.
Message #
Event ID 164: AutoPilotManager determined Internet is available to attempt policy download.
#Description
AutoPilotManager determined Internet is available to attempt policy download.
Message #
Event ID 165: AutoPilotManager determined Internet is not available; policy download will queue when available.
#Description
AutoPilotManager determined Internet is not available; policy download will queue when available.
Message #
Event ID 166: AutoPilotManager reported Internet is now available.
#Description
AutoPilotManager reported Internet is now available.
Message #
Event ID 167: AutoPilotManager reported Internet is still not available.
#Description
AutoPilotManager reported Internet is still not available.
Message #
Event ID 168: AutoPilotManager reported MSA TPM device identity was updated.
#Description
AutoPilotManager reported MSA TPM device identity was updated.
Message #
Event ID 169: AutoPilotManager set TPM identity confirmed.
#Description
AutoPilotManager set TPM identity confirmed.
Message #
Event ID 170: AutoPilotManager set AutoPilot profile as available.
#Description
AutoPilotManager set AutoPilot profile as available.
Message #
Event ID 171: AutoPilotManager failed to set TPM identity confirmed.
#Event ID 172: AutoPilotManager failed to set AutoPilot profile as available.
#Event ID 173: AutoPilotManager failed to register for network availability.
#Event ID 174: AutoPilotManager failed to register for device identity availability.
#Event ID 175: AutoPilotManager failed to register for device identity task update.
#Event ID 176: MSA TPM keystate has been updated.
#Event ID 177: TPM attestation retry is being attempted.
#Event ID 178: AutoPilotManager began device enrollment with internal state Int1.
#Event ID 179: AutoPilotManager began device enrollment phase State.
#Event ID 180: AutoPilotManager failed during device enrollment phase State.
#Event ID 181: AutoPilotManager completed device enrollment phase State.
#Event ID 182: AutoPilotManager reported that the retry timer event was set to UInt1 milliseconds.
#Event ID 183: AutoPilotManager reported that the retry timer event occurred
#Description
AutoPilotManager reported that the retry timer event occurred.
Message #
Event ID 184: AutoPilotManager failed to register for MSA keystate update availability.
#Event ID 300: AutoPilotManager device enrollment reported an initialization failure.
#Event ID 301: AutoPilotManager device enrollment reported a blocking failure.
#Event ID 302: AutoPilotManager device enrollment failed during stage State with error HRESULT.
#Event ID 303: AutoPilotManager device enrollment succeeded.
#Event ID 310: AutoPilot configuration file path: AutoPilot_configuration_file_path.
#Event ID 311: Failed to load AutoPilot configuration file, HRESULT = HRESULT.
#Event ID 312: Failed to parse AutoPilot configuration file, HRESULT = HRESULT.
#Event ID 313: Invalid ZtdCorrelationId found in Autopilot configuration file, HRESULT = HRESULT.
#Event ID 1002: Management service failed to start.
#Event ID 1003: Management service failed to register.
#Description
Management service failed to register.
Message #
Event ID 1005: Management service WIL error was reported.
#Event ID 1006: Management service call Message1 is deprecated!
#Event ID 1007: Management service cleared the local Autopilot cached state.
#Description
Management service cleared the local Autopilot cached state.
Message #
Event ID 1008: Management service failed to clear the local Autopilot cached state.
#Event ID 2000: Device rename has been blocked through MDM because machine is domain joined
#Description
Device rename has been blocked through MDM because machine is domain joined.
Message #
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID ed8b9bd3-f66e-4ff2-b86b-75c7925f72a9
Defined in provdiagnostics.dll, which carries the event manifest.
Observed on:
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.4202, captured 2026-06-02