Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess

102 events across 2 channels

Event	Title	Channel	Sample
1	Provisioning Secure Process created	Debug	N
1	Event ID 1	Operational	N
2	Provisioning Secure Process could not initialize based on the command line …	Debug	N
2	Event ID 2	Operational	N
3	Provisioning Secure Process is closing	Debug	N
3	Event ID 3	Operational	N
4	Provisioning Secure Process argument was TemplateNameFound.	Debug	N
4	Event ID 4	Operational	N
5	Provisioning Secure Process was not provided the expected argument and will exit	Debug	N
5	Event ID 5	Operational	N
6	Provisioning Secure Process was not provided the expected argument and will exit	Debug	N
6	Event ID 6	Operational	N
7	Provisioning Secure Process parsed the command line arguments as MachineID.	Debug	N
7	Event ID 7	Operational	N
8	Provisioning Secure Process could not set the trustlet identity and must exit	Debug	N
8	Event ID 8	Operational	N
9	Provisioning Secure Process could not initialize the remote TPM assets and must …	Debug	N
9	Event ID 9	Operational	N
10	Provisioning Secure Process could not initialize the RPC server	Debug	N
10	Event ID 10	Operational	N
11	Provisioning Secure Process could not register with the RPC server	Debug	N
11	Event ID 11	Operational	N
12	Provisioning Secure Process transitioned to state EndState.	Debug	N
12	Event ID 12	Operational	N
13	Provisioning Secure Process transitioned to state EndState.	Debug	N
13	Event ID 13	Operational	N
14	Provisioning Secure Process is not running within IUM.	Debug	N
14	Event ID 14	Operational	N
15	Provisioning Secure Process received a message from source SourceGroup of length …	Debug	N
15	Event ID 15	Operational	N
16	Provisioning Secure Process received a request for the PDK.	Debug	N
16	Event ID 16	Operational	N
17	Provisioning Secure Process is sending the PDK to the provisioning agent.	Debug	N
17	Event ID 17	Operational	N
18	Provisioning Secure Process has sent the encrypted PDK to the virtual machine.	Debug	N
18	Event ID 18	Operational	N
19	Provisioning Secure Process received a PDK that was invalid or could not be …	Debug	N
19	Event ID 19	Operational	N
20	Provisioning Secure Process encountered an error while processing the EFI …	Debug	N
20	Event ID 20	Operational	N
21	Provisioning Secure Process encountered an error while generating the server key …	Debug	N
21	Event ID 21	Operational	N
22	Provisioning Secure Process encountered an error while extending the Secure Boot …	Debug	N
22	Event ID 22	Operational	N
23	Provisioning Secure Process encountered an error while extending the Boot Lock …	Debug	N
23	Event ID 23	Operational	N
24	Provisioning Secure Process encountered an error while accessing secure storage …	Debug	N
24	Event ID 24	Operational	N
25	Provisioning Secure Process encountered an error while working with the remote …	Debug	N
25	Event ID 25	Operational	N
26	Provisioning Secure Process encountered an error while working with the remote …	Debug	N
26	Event ID 26	Operational	N
27	Provisioning Secure Process encountered an error while attempting miniature …	Debug	N
27	Event ID 27	Operational	N
28	Provisioning Secure Process encountered an error while creating and sending the …	Debug	N
28	Event ID 28	Operational	N
29	Provisioning Secure Process could not collect necessary security info from the …	Debug	N
29	Event ID 29	Operational	N
30	Provisioning Secure Process is populating the boot authority information from …	Debug	N
30	Event ID 30	Operational	N
31	Provisioning Secure Process will allow the UEFI certificate authority for this …	Debug	N
31	Event ID 31	Operational	N
32	Provisioning Secure Process attestation error - PCR PcrIndex, error …	Debug	N
32	Event ID 32	Operational	N
33	Provisioning Secure Process received a PDK that was invalid or could not be …	Debug	N
33	Event ID 33	Operational	N
34	Provisioning Secure Process received a message from NMPS that was invalid or …	Debug	N
34	Event ID 34	Operational	N
35	Provisioning Secure Process received a message from NMPS that was invalid or …	Debug	N
35	Event ID 35	Operational	N
36	Provisioning Secure Process received a message that was invalid or could not be …	Debug	N
36	Event ID 36	Operational	N
37	Provisioning Secure Process received a message that was invalid or could not be …	Debug	N
37	Event ID 37	Operational	N
38	Provisioning Secure Process is starting the version negotiation with the …	Debug	N
38	Event ID 38	Operational	N
39	Provisioning Secure Process received version information from the provisioning …	Debug	N
39	Event ID 39	Operational	N
40	Provisioning Secure Process declared version information	Debug	N
40	Event ID 40	Operational	N
41	Provisioning Secure Process finished negotiating the protocol version	Debug	N
41	Event ID 41	Operational	N
42	Provisioning Secure Process accepted a protocol version for communication	Debug	N
42	Event ID 42	Operational	N
43	Provisioning Secuity Process failed to predict the UEFI Secure Boot variables …	Debug	N
43	Event ID 43	Operational	N
44	Provisioning Secuity Process detected a mismatched UEFI db variable on the …	Debug	N
44	Event ID 44	Operational	N
45	Provisioning Secuity Process detected a mismatched UEFI dbx variable on the …	Debug	N
45	Event ID 45	Operational	N
46	Provisioning Secuity Process failed to match the target machine UEFI Secure Boot …	Debug	N
46	Event ID 46	Operational	N
47	Provisioning Secuity Process failed to validate the target BootOS Provisioning …	Debug	N
47	Event ID 47	Operational	N
48	Provisioning Secuity Process has failed to verify the target machine so no …	Debug	N
48	Event ID 48	Operational	N
49	The PDK decypted by PSP does not contain an RRK and therefore no VMRK will be …	Debug	N
49	Event ID 49	Operational	N
50	The PDK decypted by PSP contains an RRK and a VMRK has been generated	Debug	N
50	Event ID 50	Operational	N
51	Processing the RRK failed	Debug	N
51	Event ID 51	Operational	N

Event ID 1: Provisioning Secure Process created

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process created.

Message #

Provisioning Secure Process created

Fields #

Name	Description
`NtStatus` UInt32

Event ID 1

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process created.

Fields #

Name	Description
`NtStatus` UInt32

Event ID 2: Provisioning Secure Process could not initialize based on the command line arguments

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process could not initialize based on the command line arguments.

Message #

Provisioning Secure Process could not initialize based on the command line arguments

Fields #

Name	Description
`NtStatus` UInt32

Event ID 2

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process could not initialize based on the command line arguments.

Fields #

Name	Description
`NtStatus` UInt32

Event ID 3: Provisioning Secure Process is closing

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process is closing.

Message #

Provisioning Secure Process is closing

Fields #

Name	Description
`NtStatus` UInt32

Event ID 3

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process is closing.

Fields #

Name	Description
`NtStatus` UInt32

Event ID 4: Provisioning Secure Process argument was TemplateNameFound.

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process argument was TemplateNameFound.

Message #

Provisioning Secure Process argument was %1

Fields #

Name	Description
`TemplateNameFound` UnicodeString

Event ID 4

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process argument was.

Fields #

Name	Description
`TemplateNameFound` UnicodeString

Event ID 5: Provisioning Secure Process was not provided the expected argument and will exit

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process was not provided the expected argument and will exit.

Message #

Provisioning Secure Process was not provided the expected argument and will exit

Fields #

Name	Description
`NtStatus` UInt32

Event ID 5

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process was not provided the expected argument and will exit.

Fields #

Name	Description
`NtStatus` UInt32

Event ID 6: Provisioning Secure Process was not provided the expected argument and will exit

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process was not provided the expected argument and will exit.

Message #

Provisioning Secure Process was not provided the expected argument and will exit

Fields #

Name	Description
`TemplateNameFound` UnicodeString

Event ID 6

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process was not provided the expected argument and will exit.

Fields #

Name	Description
`TemplateNameFound` UnicodeString

Event ID 7: Provisioning Secure Process parsed the command line arguments as MachineID.

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process parsed the command line arguments as MachineID.

Message #

Provisioning Secure Process parsed the command line arguments as %1

Fields #

Name	Description
`MachineID` GUID

Event ID 7

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process parsed the command line arguments as.

Fields #

Name	Description
`MachineID` GUID

Event ID 8: Provisioning Secure Process could not set the trustlet identity and must exit

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process could not set the trustlet identity and must exit.

Message #

Provisioning Secure Process could not set the trustlet identity and must exit

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 8

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process could not set the trustlet identity and must exit.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 9: Provisioning Secure Process could not initialize the remote TPM assets and must exit

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process could not initialize the remote TPM assets and must exit.

Message #

Provisioning Secure Process could not initialize the remote TPM assets and must exit

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 9

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process could not initialize the remote TPM assets and must exit.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 10: Provisioning Secure Process could not initialize the RPC server

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process could not initialize the RPC server.

Message #

Provisioning Secure Process could not initialize the RPC server

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 10

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process could not initialize the RPC server.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 11: Provisioning Secure Process could not register with the RPC server

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process could not register with the RPC server.

Message #

Provisioning Secure Process could not register with the RPC server

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 11

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process could not register with the RPC server.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 12: Provisioning Secure Process transitioned to state EndState.

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process transitioned to state EndState.

Message #

Provisioning Secure Process transitioned to state %5

Fields #

Name	Description
`MachineID` GUID
`TransitionTime` FILETIME
`ValidStartState` Boolean
`StartState` UInt8
`EndState` UInt8

Event ID 12

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process transitioned to state.

Fields #

Name	Description
`MachineID` GUID
`TransitionTime` FILETIME
`ValidStartState` Boolean
`StartState` UInt8
`EndState` UInt8

Event ID 13: Provisioning Secure Process transitioned to state EndState.

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process transitioned to state EndState.

Message #

Provisioning Secure Process transitioned to state %5

Fields #

Name	Description
`MachineID` GUID
`TransitionTime` FILETIME
`ValidStartState` Boolean
`StartState` UInt8
`EndState` UInt8
`ActionPriority` UInt32
`ActionStartingState` UInt8
`ActionNewState` UInt8
`ActionType` UInt8

Event ID 13

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process transitioned to state.

Fields #

Name	Description
`MachineID` GUID
`TransitionTime` FILETIME
`ValidStartState` Boolean
`StartState` UInt8
`EndState` UInt8
`ActionPriority` UInt32
`ActionStartingState` UInt8
`ActionNewState` UInt8
`ActionType` UInt8

Event ID 14: Provisioning Secure Process is not running within IUM.

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process is not running within IUM. This degrades security.

Message #

Provisioning Secure Process is not running within IUM. This degrades security.

Fields #

Name	Description
`MachineID` GUID

Event ID 14

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process is not running within IUM. This degrades security.

Fields #

Name	Description
`MachineID` GUID

Event ID 15: Provisioning Secure Process received a message from source SourceGroup of length Length.

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process received a message from source SourceGroup of length Length.

Message #

Provisioning Secure Process received a message from source %2 of length %3.

Fields #

Name	Description
`MachineID` GUID
`SourceGroup` UInt8
`Length` UInt32

Event ID 15

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process received a message from source of length .

Fields #

Name	Description
`MachineID` GUID
`SourceGroup` UInt8
`Length` UInt32

Event ID 16: Provisioning Secure Process received a request for the PDK.

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process received a request for the PDK.

Message #

Provisioning Secure Process received a request for the PDK.

Fields #

Name	Description
`MachineID` GUID

Event ID 16

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process received a request for the PDK.

Fields #

Name	Description
`MachineID` GUID

Event ID 17: Provisioning Secure Process is sending the PDK to the provisioning agent.

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process is sending the PDK to the provisioning agent.

Message #

Provisioning Secure Process is sending the PDK to the provisioning agent.

Fields #

Name	Description
`MachineID` GUID

Event ID 17

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process is sending the PDK to the provisioning agent.

Fields #

Name	Description
`MachineID` GUID

Event ID 18: Provisioning Secure Process has sent the encrypted PDK to the virtual machine.

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process has sent the encrypted PDK to the virtual machine.

Message #

Provisioning Secure Process has sent the encrypted PDK to the virtual machine.

Fields #

Name	Description
`MachineID` GUID

Event ID 18

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process has sent the encrypted PDK to the virtual machine.

Fields #

Name	Description
`MachineID` GUID

Event ID 19: Provisioning Secure Process received a PDK that was invalid or could not be decrypted.

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process received a PDK that was invalid or could not be decrypted.

Message #

Provisioning Secure Process received a PDK that was invalid or could not be decrypted.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 19

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process received a PDK that was invalid or could not be decrypted.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 20: Provisioning Secure Process encountered an error while processing the EFI database.

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process encountered an error while processing the EFI database.

Message #

Provisioning Secure Process encountered an error while processing the EFI database.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 20

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process encountered an error while processing the EFI database.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 21: Provisioning Secure Process encountered an error while generating the server key and cannot continue.

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process encountered an error while generating the server key and cannot continue.

Message #

Provisioning Secure Process encountered an error while generating the server key and cannot continue.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 21

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process encountered an error while generating the server key and cannot continue.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 22: Provisioning Secure Process encountered an error while extending the Secure Boot PCR and cannot continue.

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process encountered an error while extending the Secure Boot PCR and cannot continue.

Message #

Provisioning Secure Process encountered an error while extending the Secure Boot PCR and cannot continue.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 22

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process encountered an error while extending the Secure Boot PCR and cannot continue.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 23: Provisioning Secure Process encountered an error while extending the Boot Lock PCR and cannot continue.

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process encountered an error while extending the Boot Lock PCR and cannot continue.

Message #

Provisioning Secure Process encountered an error while extending the Boot Lock PCR and cannot continue.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 23

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process encountered an error while extending the Boot Lock PCR and cannot continue.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 24: Provisioning Secure Process encountered an error while accessing secure storage and cannot continue.

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process encountered an error while accessing secure storage and cannot continue.

Message #

Provisioning Secure Process encountered an error while accessing secure storage and cannot continue.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 24

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process encountered an error while accessing secure storage and cannot continue.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 25: Provisioning Secure Process encountered an error while working with the remote TPM and cannot continue.

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process encountered an error while working with the remote TPM and cannot continue.

Message #

Provisioning Secure Process encountered an error while working with the remote TPM and cannot continue.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 25

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process encountered an error while working with the remote TPM and cannot continue.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 26: Provisioning Secure Process encountered an error while working with the remote RTPM key and cannot authenticate the PDK.

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process encountered an error while working with the remote RTPM key and cannot authenticate the PDK.

Message #

Provisioning Secure Process encountered an error while working with the remote RTPM key and cannot authenticate the PDK.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 26

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process encountered an error while working with the remote RTPM key and cannot authenticate the PDK.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 27: Provisioning Secure Process encountered an error while attempting miniature attestation.

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process encountered an error while attempting miniature attestation.

Message #

Provisioning Secure Process encountered an error while attempting miniature attestation.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 27

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process encountered an error while attempting miniature attestation.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 28: Provisioning Secure Process encountered an error while creating and sending the provisioning message to the provisioning agent.

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process encountered an error while creating and sending the provisioning message to the provisioning agent.

Message #

Provisioning Secure Process encountered an error while creating and sending the provisioning message to the provisioning agent.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 28

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process encountered an error while creating and sending the provisioning message to the provisioning agent.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 29: Provisioning Secure Process could not collect necessary security info from the secure kernel.

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process could not collect necessary security info from the secure kernel.

Message #

Provisioning Secure Process could not collect necessary security info from the secure kernel.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 29

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process could not collect necessary security info from the secure kernel.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 30: Provisioning Secure Process is populating the boot authority information from the template.

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process is populating the boot authority information from the template.

Message #

Provisioning Secure Process is populating the boot authority information from the template.

Fields #

Name	Description
`MachineID` GUID

Event ID 30

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process is populating the boot authority information from the template.

Fields #

Name	Description
`MachineID` GUID

Event ID 31: Provisioning Secure Process will allow the UEFI certificate authority for this boot.

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process will allow the UEFI certificate authority for this boot.

Message #

Provisioning Secure Process will allow the UEFI certificate authority for this boot.

Fields #

Name	Description
`MachineID` GUID

Event ID 31

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process will allow the UEFI certificate authority for this boot.

Fields #

Name	Description
`MachineID` GUID

Event ID 32: Provisioning Secure Process attestation error - PCR PcrIndex, error DiagnosticEventId.

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process attestation error - PCR PcrIndex, error DiagnosticEventId.

Message #

Provisioning Secure Process attestation error - PCR %2, error %3

Fields #

Name	Description
`MachineID` GUID
`PcrIndex` UInt32
`DiagnosticEventId` UInt32
`Name` UnicodeString
`AuthoritativeEventOrder` UInt32
`AuthoritativeEventLength` UInt32
`AuthoritativeEvent` Binary
`AttestationEventOrder` UInt32
`AttestationEventLength` UInt32
`AttestationEvent` Binary

Event ID 32

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process attestation error - PCR , error.

Fields #

Name	Description
`MachineID` GUID
`PcrIndex` UInt32
`DiagnosticEventId` UInt32
`Name` UnicodeString
`AuthoritativeEventOrder` UInt32
`AuthoritativeEventLength` UInt32
`AuthoritativeEvent` Binary
`AttestationEventOrder` UInt32
`AttestationEventLength` UInt32
`AttestationEvent` Binary

Event ID 33: Provisioning Secure Process received a PDK that was invalid or could not be decrypted (payload included)

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process received a PDK that was invalid or could not be decrypted (payload included).

Message #

Provisioning Secure Process received a PDK that was invalid or could not be decrypted (payload included)

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32
`BlobSize` UInt32
`Blob` Binary

Event ID 33

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process received a PDK that was invalid or could not be decrypted (payload included).

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32
`BlobSize` UInt32
`Blob` Binary

Event ID 34: Provisioning Secure Process received a message from NMPS that was invalid or could not be interpreted

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process received a message from NMPS that was invalid or could not be interpreted.

Message #

Provisioning Secure Process received a message from NMPS that was invalid or could not be interpreted

Fields #

Name	Description
`MachineID` GUID

Event ID 34

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process received a message from NMPS that was invalid or could not be interpreted.

Fields #

Name	Description
`MachineID` GUID

Event ID 35: Provisioning Secure Process received a message from NMPS that was invalid or could not be interpreted (payload included)

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process received a message from NMPS that was invalid or could not be interpreted (payload included).

Message #

Provisioning Secure Process received a message from NMPS that was invalid or could not be interpreted (payload included)

Fields #

Name	Description
`MachineID` GUID
`BlobSize` UInt32
`Blob` Binary

Event ID 35

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process received a message from NMPS that was invalid or could not be interpreted (payload included).

Fields #

Name	Description
`MachineID` GUID
`BlobSize` UInt32
`Blob` Binary

Event ID 36: Provisioning Secure Process received a message that was invalid or could not be interpreted

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process received a message that was invalid or could not be interpreted.

Message #

Provisioning Secure Process received a message that was invalid or could not be interpreted

Fields #

Name	Description
`MachineID` GUID

Event ID 36

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process received a message that was invalid or could not be interpreted.

Fields #

Name	Description
`MachineID` GUID

Event ID 37: Provisioning Secure Process received a message that was invalid or could not be interpreted (payload included)

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process received a message that was invalid or could not be interpreted (payload included).

Message #

Provisioning Secure Process received a message that was invalid or could not be interpreted (payload included)

Fields #

Name	Description
`MachineID` GUID
`BlobSize` UInt32
`Blob` Binary

Event ID 37

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process received a message that was invalid or could not be interpreted (payload included).

Fields #

Name	Description
`MachineID` GUID
`BlobSize` UInt32
`Blob` Binary

Event ID 38: Provisioning Secure Process is starting the version negotiation with the provisioning agent

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process is starting the version negotiation with the provisioning agent.

Message #

Provisioning Secure Process is starting the version negotiation with the provisioning agent

Fields #

Name	Description
`MachineID` GUID

Event ID 38

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process is starting the version negotiation with the provisioning agent.

Fields #

Name	Description
`MachineID` GUID

Event ID 39: Provisioning Secure Process received version information from the provisioning agent

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process received version information from the provisioning agent.

Message #

Provisioning Secure Process received version information from the provisioning agent

Fields #

Name	Description
`MachineID` GUID
`VersionNegotiationVersion` UInt8
`DeclaredVersionMajor` UInt16
`DeclaredVersionMinor` UInt16
`DeclaredVersionBuild` UInt16
`DeclaredVersionRelease` UInt16
`DeclaredVersionLogicalMajor` UInt8
`DeclaredVersionLogicalMinor` UInt8
`AcceptableVersionStartMajor` UInt8
`AcceptableVersionStartMinor` UInt8

Event ID 39

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process received version information from the provisioning agent.

Fields #

Name	Description
`MachineID` GUID
`VersionNegotiationVersion` UInt8
`DeclaredVersionMajor` UInt16
`DeclaredVersionMinor` UInt16
`DeclaredVersionBuild` UInt16
`DeclaredVersionRelease` UInt16
`DeclaredVersionLogicalMajor` UInt8
`DeclaredVersionLogicalMinor` UInt8
`AcceptableVersionStartMajor` UInt8
`AcceptableVersionStartMinor` UInt8

Event ID 40: Provisioning Secure Process declared version information

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process declared version information.

Message #

Provisioning Secure Process declared version information

Fields #

Name	Description
`MachineID` GUID
`DeclaredVersionMajor` UInt16
`DeclaredVersionMinor` UInt16
`DeclaredVersionBuild` UInt16
`DeclaredVersionRelease` UInt16
`DeclaredVersionLogicalMajor` UInt8
`DeclaredVersionLogicalMinor` UInt8

Event ID 40

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process declared version information.

Fields #

Name	Description
`MachineID` GUID
`DeclaredVersionMajor` UInt16
`DeclaredVersionMinor` UInt16
`DeclaredVersionBuild` UInt16
`DeclaredVersionRelease` UInt16
`DeclaredVersionLogicalMajor` UInt8
`DeclaredVersionLogicalMinor` UInt8

Event ID 41: Provisioning Secure Process finished negotiating the protocol version

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process finished negotiating the protocol version.

Message #

Provisioning Secure Process finished negotiating the protocol version

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 41

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process finished negotiating the protocol version.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 42: Provisioning Secure Process accepted a protocol version for communication

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secure Process accepted a protocol version for communication.

Message #

Provisioning Secure Process accepted a protocol version for communication

Fields #

Name	Description
`MachineID` GUID
`AcceptedVersionStartMajor` UInt8
`AcceptedVersionStartMinor` UInt8

Event ID 42

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secure Process accepted a protocol version for communication.

Fields #

Name	Description
`MachineID` GUID
`AcceptedVersionStartMajor` UInt8
`AcceptedVersionStartMinor` UInt8

Event ID 43: Provisioning Secuity Process failed to predict the UEFI Secure Boot variables from the launch authority returned from attestation

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secuity Process failed to predict the UEFI Secure Boot variables from the launch authority returned from attestation.

Message #

Provisioning Secuity Process failed to predict the UEFI Secure Boot variables from the launch authority returned from attestation

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 43

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secuity Process failed to predict the UEFI Secure Boot variables from the launch authority returned from attestation.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 44: Provisioning Secuity Process detected a mismatched UEFI db variable on the target and is prevented from adopting this value by policy

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secuity Process detected a mismatched UEFI db variable on the target and is prevented from adopting this value by policy.

Message #

Provisioning Secuity Process detected a mismatched UEFI db variable on the target and is prevented from adopting this value by policy

Fields #

Name	Description
`MachineID` GUID

Event ID 44

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secuity Process detected a mismatched UEFI db variable on the target and is prevented from adopting this value by policy.

Fields #

Name	Description
`MachineID` GUID

Event ID 45: Provisioning Secuity Process detected a mismatched UEFI dbx variable on the target and is prevented from adopting this value by policy

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secuity Process detected a mismatched UEFI dbx variable on the target and is prevented from adopting this value by policy.

Message #

Provisioning Secuity Process detected a mismatched UEFI dbx variable on the target and is prevented from adopting this value by policy

Fields #

Name	Description
`MachineID` GUID

Event ID 45

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secuity Process detected a mismatched UEFI dbx variable on the target and is prevented from adopting this value by policy.

Fields #

Name	Description
`MachineID` GUID

Event ID 46: Provisioning Secuity Process failed to match the target machine UEFI Secure Boot configuration

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secuity Process failed to match the target machine UEFI Secure Boot configuration.

Message #

Provisioning Secuity Process failed to match the target machine UEFI Secure Boot configuration

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 46

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secuity Process failed to match the target machine UEFI Secure Boot configuration.

Fields #

Name	Description
`MachineID` GUID
`NtStatus` UInt32

Event ID 47: Provisioning Secuity Process failed to validate the target BootOS Provisioning Agent scenario ID and version

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secuity Process failed to validate the target BootOS Provisioning Agent scenario ID and version.

Message #

Provisioning Secuity Process failed to validate the target BootOS Provisioning Agent scenario ID and version

Fields #

Name	Description
`MachineID` GUID

Event ID 47

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secuity Process failed to validate the target BootOS Provisioning Agent scenario ID and version.

Fields #

Name	Description
`MachineID` GUID

Event ID 48: Provisioning Secuity Process has failed to verify the target machine so no Machine Key will be produced, provisioning will fail

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Provisioning Secuity Process has failed to verify the target machine so no Machine Key will be produced, provisioning will fail.

Message #

Provisioning Secuity Process has failed to verify the target machine so no Machine Key will be produced, provisioning will fail

Fields #

Name	Description
`MachineID` GUID

Event ID 48

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Provisioning Secuity Process has failed to verify the target machine so no Machine Key will be produced, provisioning will fail.

Fields #

Name	Description
`MachineID` GUID

Event ID 49: The PDK decypted by PSP does not contain an RRK and therefore no VMRK will be generated

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

The PDK decypted by PSP does not contain an RRK and therefore no VMRK will be generated.

Message #

The PDK decypted by PSP does not contain an RRK and therefore no VMRK will be generated

Fields #

Name	Description
`MachineID` GUID

Event ID 49

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

The PDK decypted by PSP does not contain an RRK and therefore no VMRK will be generated.

Fields #

Name	Description
`MachineID` GUID

Event ID 50: The PDK decypted by PSP contains an RRK and a VMRK has been generated

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

The PDK decypted by PSP contains an RRK and a VMRK has been generated.

Message #

The PDK decypted by PSP contains an RRK and a VMRK has been generated

Fields #

Name	Description
`MachineID` GUID

Event ID 50

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

The PDK decypted by PSP contains an RRK and a VMRK has been generated.

Fields #

Name	Description
`MachineID` GUID

Event ID 51: Processing the RRK failed

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Debug

Description

Processing the RRK failed.

Message #

Processing the RRK failed

Fields #

Name	Description
`MachineID` GUID

Event ID 51

Provider: Microsoft-Windows-ShieldedVM-ProvisioningSecureProcess
Channel: Operational

Description

Processing the RRK failed.

Fields #

Name	Description
`MachineID` GUID

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)