Microsoft-Windows-TPM-WMI

51 events across 1 channel

Event	Title	Channel	Sample
513	TPM Owner Authorization information was backed up successfully to Active …	System	N
514	Failed to backup TPM Owner Authorization information to Active Directory Domain …	System	N
515	The Trusted Platform Module (TPM) hardware on this computer has failed to set …	System	N
516	Successfully sent physical presence request to clear the Trusted Platform …	System	N
517	Failed to send physical presence request to clear the Trusted Platform …	System	N
518	Failed to get isOwned status from Trusted Platform Module(TPM), proceeding to …	System	N
519	The TPM has been cleared.	System	N
769	TPM Owner Authorization configuration changed from 'OldOSManagedAuthLevel' to …	System	N
1025	The TPM was successfully provisioned and is now ready for use.	System	N
1026	The Trusted Platform Module (TPM) hardware on this computer cannot be …	System	N
1027	The Ownership of the Trusted Platform Module (TPM) hardware on this computer was …	System	N
1028	The NGC key generation task was successfully triggered.	System	N
1029	The triggering of the NGC key generation task failed.	System	N
1030	The NGC certificate enrollment task was successfully triggered.	System	N
1031	The triggering of the NGC certificate enrollment task failed.	System	N
1032	The Secure Boot update was not applied due to a known incompatibility with the …	System	N
1033	Potentially revoked boot manager was detected in EFI partition.	System	N
1034	Secure Boot Dbx update applied successfully	System	Y
1035	Secure Boot Dbx update applied successfully	System	N
1036	Secure Boot Db update applied successfully	System	N
1037	Secure Boot Dbx update to revoke Microsoft Windows Production PCA 2011 is …	System	N
1038	Pre-attestation health checks confirm that the device is expected to pass …	System	N
1039	Pre-attestation health checks confirm that the device meets most attestation …	System	N
1040	Pre-attestation health checks confirm a critical component has failed, and the …	System	N
1041	Pre-attestation health check detailed information: Json.	System	N
1042	Secure Boot Dbx update to revoke older Boot Manager SVNs is applied successfully	System	N
1043	Secure Boot KEK update applied successfully	System	N
1044	Secure Boot DB update to install Microsoft Option ROM UEFI CA 2023 certificate …	System	Y
1045	Secure Boot DB update to install Microsoft UEFI CA 2023 certificate applied …	System	N
1046	Measured boot files deleted successfully.	System	N
1047	Measured boot file FileName was not deleted successfully due to error ErrorCode.	System	N
1281	This event triggers the TBS device identifier generation.	System	Y
1282	The TBS device identifier has been generated.	System	N
1283	EK Certificate tool started.	System	N
1284	EK Certificate tool succeeded in Millisecondstaken milliseconds.	System	N
1285	EK Certificate tool failed in Millisecondstaken milliseconds with error …	System	N
1537	The Device Health Certificate was successfully provisioned from …	System	N
1538	The Device Health Certificate provisioning could not connect to …	System	N
1539	The Device Health Certificate could not be provisioned from …	System	N
1793	The Trusted Platform Module (TPM) hardware on this computer is scheduled to be …	System	N
1794	The Trusted Platform Module (TPM) firmware on this PC has a known security …	System	N
1795	The system firmware returned an error HResult when attempting to update a Secure …	System	N
1796	The Secure Boot update failed to update a Secure Boot variable with error …	System	N
1797	The Secure Boot Dbx update failed to revoke Microsoft Windows Production PCA …	System	N
1798	The Secure Boot Dbx update failed as boot manager is not signed with the Windows …	System	N
1799	Boot Manager signed with Windows UEFI CA 2023 was installed successfully	System	N
1800	A reboot is required before installing the Secure Boot update.	System	N
1801	Secure Boot certificates have been updated but are not yet applied to the device …	System	Y
1802	The Secure Boot update UpdateType was blocked due to a known firmware issue on …	System	N
1803	A PK-signed Key Exchange Key (KEK) cannot be found for this device.	System	N
1808	This device has updated Secure Boot CA/keys.	System	N

Event ID 513: TPM Owner Authorization information was backed up successfully to Active Directory Domain Services.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

TPM Owner Authorization information was backed up successfully to Active Directory Domain Services.

Message #

TPM Owner Authorization information was backed up successfully to Active Directory Domain Services.

Event ID 514: Failed to backup TPM Owner Authorization information to Active Directory Domain Services.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

Failed to backup TPM Owner Authorization information to Active Directory Domain Services.

Message #

Failed to backup TPM Owner Authorization information to Active Directory Domain Services.
Errorcode: %1
Check that your computer is connected to the domain.  If your computer is connected to the domain, have your Domain Administrator check that the Active Directory schema is appropriate for backup of Windows 8 TPM Owner Authorization information and that the current Computer object has write permission to the TPM object.  Installations of Windows Server 2008 R2 or before need a schema extension in order to be ready for backup of Windows 8 TPM Owner Authorization information.  Consult online documentation for more information about setting up Active Directory Domain Services for TPM.

Fields #

Name	Description
`ErrorCode` HexInt32

Event ID 515: The Trusted Platform Module (TPM) hardware on this computer has failed to set its Dictionary Attack Parameters to legacy mode.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

The Trusted Platform Module (TPM) hardware on this computer has failed to set its Dictionary Attack Parameters to legacy mode.

Message #

The Trusted Platform Module (TPM) hardware on this computer has failed to set its Dictionary Attack Parameters to legacy mode.

Event ID 516: Successfully sent physical presence request to clear the Trusted Platform Module(TPM).

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

Successfully sent physical presence request to clear the Trusted Platform Module(TPM).

Message #

Successfully sent physical presence request to clear the Trusted Platform Module(TPM).

Event ID 517: Failed to send physical presence request to clear the Trusted Platform Module(TPM).

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

Failed to send physical presence request to clear the Trusted Platform Module(TPM).

Message #

Failed to send physical presence request to clear the Trusted Platform Module(TPM).

Fields #

Name	Description
`HResult` Int32

Event ID 518: Failed to get isOwned status from Trusted Platform Module(TPM), proceeding to clear TPM assuming that TPM is owned.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

Failed to get isOwned status from Trusted Platform Module(TPM), proceeding to clear TPM assuming that TPM is owned. Error code:HResult.

Message #

Failed to get isOwned status from Trusted Platform Module(TPM), proceeding to clear TPM assuming that TPM is owned. Error code:%1

Fields #

Name	Description
`HResult` Int32

Event ID 519: The TPM has been cleared.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

The TPM has been cleared. Reason: ClearReason.

Message #

The TPM has been cleared. Reason: %1.

Fields #

Name	Description
`ClearReason` UnicodeString

Event ID 769: TPM Owner Authorization configuration changed from 'OldOSManagedAuthLevel' to 'NewOSManagedAuthLevel'.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

TPM Owner Authorization configuration changed from 'OldOSManagedAuthLevel' to 'NewOSManagedAuthLevel'.

Message #

TPM Owner Authorization configuration changed from '%1' to '%2'.

Fields #

Name	Description
`OldOSManagedAuthLevel` UInt32
`NewOSManagedAuthLevel` UInt32

Event ID 1025: The TPM was successfully provisioned and is now ready for use.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

The TPM was successfully provisioned and is now ready for use.

Message #

The TPM was successfully provisioned and is now ready for use.

Event ID 1026: The Trusted Platform Module (TPM) hardware on this computer cannot be provisioned for use automatically.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

The Trusted Platform Module (TPM) hardware on this computer cannot be provisioned for use automatically. To set up the TPM interactively use the TPM management console (Start->tpm.msc) and use the action to make the TPM ready. Error: ErrorCode Additional Information: StatusInformation

Message #

The Trusted Platform Module (TPM) hardware on this computer cannot be provisioned for use automatically.  To set up the TPM interactively use the TPM management console (Start->tpm.msc) and use the action to make the TPM ready.

Error: %1
Additional Information: %2

Fields #

Name	Description
`ErrorCode` Int32
`StatusInformation` HexInt32

Event ID 1027: The Ownership of the Trusted Platform Module (TPM) hardware on this computer was successfully taken (TPM TakeOwnership command) by the system.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

The Ownership of the Trusted Platform Module (TPM) hardware on this computer was successfully taken (TPM TakeOwnership command) by the system.

Message #

The Ownership of the Trusted Platform Module (TPM) hardware on this computer was successfully taken (TPM TakeOwnership command) by the system.

Event ID 1028: The NGC key generation task was successfully triggered.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

The NGC key generation task was successfully triggered.

Message #

The NGC key generation task was successfully triggered.

Event ID 1029: The triggering of the NGC key generation task failed.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

The triggering of the NGC key generation task failed.

Message #

The triggering of the NGC key generation task failed.

Fields #

Name	Description
`ErrorCode` HexInt32

Event ID 1030: The NGC certificate enrollment task was successfully triggered.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

The NGC certificate enrollment task was successfully triggered.

Message #

The NGC certificate enrollment task was successfully triggered.

Event ID 1031: The triggering of the NGC certificate enrollment task failed.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

The triggering of the NGC certificate enrollment task failed.

Message #

The triggering of the NGC certificate enrollment task failed.

Fields #

Name	Description
`ErrorCode` HexInt32

Event ID 1032: The Secure Boot update was not applied due to a known incompatibility with the current BitLocker configuration.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

The Secure Boot update was not applied due to a known incompatibility with the current BitLocker configuration.

Message #

The Secure Boot update was not applied due to a known incompatibility with the current BitLocker configuration.

Fields #

Name	Description
`UpdateType` UnicodeString

Event ID 1033: Potentially revoked boot manager was detected in EFI partition.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

Potentially revoked boot manager was detected in EFI partition. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931.

Message #

Potentially revoked boot manager was detected in EFI partition. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931

Fields #

Name	Description
`Path` UnicodeString

Event ID 1034: Secure Boot Dbx update applied successfully

Provider: Microsoft-Windows-TPM-WMI
Channel: System
Level: Informational

Description

Secure Boot Dbx update applied successfully.

Message #

Secure Boot Dbx update applied successfully

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TPM-WMI",
    "guid": "{7D5387B0-CBE0-11DA-A94D-0800200C9A66}",
    "event_source_name": "",
    "event_id": 1034,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-04-18T00:27:48.4159220+00:00",
    "event_record_id": 312,
    "correlation": {},
    "execution": {
      "process_id": 4272,
      "thread_id": 4144
    },
    "channel": "System",
    "computer": "WIN11-25H2-X64",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": "Secure Boot Dbx update applied successfully"
}

Event ID 1035: Secure Boot Dbx update applied successfully

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

Secure Boot Dbx update applied successfully.

Message #

Secure Boot Dbx update applied successfully

Event ID 1036: Secure Boot Db update applied successfully

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

Secure Boot Db update applied successfully.

Message #

Secure Boot Db update applied successfully

Event ID 1037: Secure Boot Dbx update to revoke Microsoft Windows Production PCA 2011 is applied successfully

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

Secure Boot Dbx update to revoke Microsoft Windows Production PCA 2011 is applied successfully.

Message #

Secure Boot Dbx update to revoke Microsoft Windows Production PCA 2011 is applied successfully

Event ID 1038: Pre-attestation health checks confirm that the device is expected to pass attestation.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

Pre-attestation health checks confirm that the device is expected to pass attestation.

Message #

Pre-attestation health checks confirm that the device is expected to pass attestation.
 Please see %1 for detailed information on what checks were made.

Fields #

Name	Description
`Path` UnicodeString

Event ID 1039: Pre-attestation health checks confirm that the device meets most attestation criteria, but failing is still possible.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

Pre-attestation health checks confirm that the device meets most attestation criteria, but failing is still possible.

Message #

Pre-attestation health checks confirm that the device meets most attestation criteria, but failing is still possible.
 Please see %1 for detailed information on what checks were made.

Fields #

Name	Description
`Path` UnicodeString

Event ID 1040: Pre-attestation health checks confirm a critical component has failed, and the device is not expected to pass attestation.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

Pre-attestation health checks confirm a critical component has failed, and the device is not expected to pass attestation.

Message #

Pre-attestation health checks confirm a critical component has failed, and the device is not expected to pass attestation.
 Please see %1 for detailed information on what checks were made.

Fields #

Name	Description
`Path` UnicodeString

Event ID 1041: Pre-attestation health check detailed information: Json.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

Pre-attestation health check detailed information: Json.

Message #

Pre-attestation health check detailed information: %1

Fields #

Name	Description
`Json` UnicodeString

Event ID 1042: Secure Boot Dbx update to revoke older Boot Manager SVNs is applied successfully

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

Secure Boot Dbx update to revoke older Boot Manager SVNs is applied successfully.

Message #

Secure Boot Dbx update to revoke older Boot Manager SVNs is applied successfully

Event ID 1043: Secure Boot KEK update applied successfully

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

Secure Boot KEK update applied successfully.

Message #

Secure Boot KEK update applied successfully

Event ID 1044: Secure Boot DB update to install Microsoft Option ROM UEFI CA 2023 certificate applied successfully

Provider: Microsoft-Windows-TPM-WMI
Channel: System
Level: Informational

Description

Secure Boot DB update to install Microsoft Option ROM UEFI CA 2023 certificate applied successfully.

Message #

Secure Boot DB update to install Microsoft Option ROM UEFI CA 2023 certificate applied successfully

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TPM-WMI",
    "event_id": 1044,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "time_created": "2026-05-27T19:37:00.1085569+00:00",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "channel": "System"
  },
  "event_data": {}
}

Event ID 1045: Secure Boot DB update to install Microsoft UEFI CA 2023 certificate applied successfully

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

Secure Boot DB update to install Microsoft UEFI CA 2023 certificate applied successfully.

Message #

Secure Boot DB update to install Microsoft UEFI CA 2023 certificate applied successfully

Event ID 1046: Measured boot files deleted successfully.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

Measured boot files deleted successfully. The following FilesCount files were deleted: Files.

Message #

Measured boot files deleted successfully. The following %1 files were deleted: %2

Fields #

Name	Description
`FilesCount` UInt16
`Files` UnicodeString

Event ID 1047: Measured boot file FileName was not deleted successfully due to error ErrorCode.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

Measured boot file FileName was not deleted successfully due to error ErrorCode.

Message #

Measured boot file %1 was not deleted successfully due to error %2.

Fields #

Name	Description
`FileName` UnicodeString
`ErrorCode` UInt32

Event ID 1281: This event triggers the TBS device identifier generation.

Provider: Microsoft-Windows-TPM-WMI
Channel: System
Level: Informational

Description

This event triggers the TBS device identifier generation.

Message #

This event triggers the TBS device identifier generation.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TPM-WMI",
    "guid": "{7D5387B0-CBE0-11DA-A94D-0800200C9A66}",
    "event_source_name": "",
    "event_id": 1281,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": -9223372036854775808,
    "time_created": "2026-04-18T00:27:34.8402568+00:00",
    "event_record_id": 307,
    "correlation": {},
    "execution": {
      "process_id": 1708,
      "thread_id": 1832
    },
    "channel": "System",
    "computer": "WIN11-25H2-X64",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": "This event triggers the TBS device identifier generation."
}

Event ID 1282: The TBS device identifier has been generated.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

The TBS device identifier has been generated.

Message #

The TBS device identifier has been generated.

Event ID 1283: EK Certificate tool started.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

EK Certificate tool started.

Message #

EK Certificate tool started.

Event ID 1284: EK Certificate tool succeeded in Millisecondstaken milliseconds.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

EK Certificate tool succeeded in Millisecondstaken milliseconds.

Message #

EK Certificate tool succeeded in %1 milliseconds.

Fields #

Name	Description
`Millisecondstaken` UInt32

Event ID 1285: EK Certificate tool failed in Millisecondstaken milliseconds with error ErrorCode.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

EK Certificate tool failed in Millisecondstaken milliseconds with error ErrorCode.

Message #

EK Certificate tool failed in %1 milliseconds with error %2.

Fields #

Name	Description
`Millisecondstaken` UInt32
`ErrorCode` Int32

Event ID 1537: The Device Health Certificate was successfully provisioned from HealthAttestationServer.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

The Device Health Certificate was successfully provisioned from HealthAttestationServer.

Message #

The Device Health Certificate was successfully provisioned from %1.

Fields #

Name	Description
`HealthAttestationServer` UnicodeString

Event ID 1538: The Device Health Certificate provisioning could not connect to HealthAttestationServer.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

The Device Health Certificate provisioning could not connect to HealthAttestationServer. HResult.

Message #

The Device Health Certificate provisioning could not connect to %1. %2

Fields #

Name	Description
`HealthAttestationServer` UnicodeString
`HResult` Int32

Event ID 1539: The Device Health Certificate could not be provisioned from HealthAttestationServer.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

The Device Health Certificate could not be provisioned from HealthAttestationServer. HTTP status code HTTPStatus: ServerResponse.

Message #

The Device Health Certificate could not be provisioned from %1. HTTP status code %2: %3

Fields #

Name	Description
`HealthAttestationServer` UnicodeString
`HTTPStatus` Int32
`ServerResponse` UnicodeString

Event ID 1793: The Trusted Platform Module (TPM) hardware on this computer is scheduled to be cleared by the system.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

The Trusted Platform Module (TPM) hardware on this computer is scheduled to be cleared by the system.

Message #

The Trusted Platform Module (TPM) hardware on this computer is scheduled to be cleared by the system.

Event ID 1794: The Trusted Platform Module (TPM) firmware on this PC has a known security problem.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

The Trusted Platform Module (TPM) firmware on this PC has a known security problem. Please contact your PC manufacturer to find out if an update is available. For more information please go to https://go.microsoft.com/fwlink/?linkid=852572

Message #

The Trusted Platform Module (TPM) firmware on this PC has a known security problem. Please contact your PC manufacturer to find out if an update is available. For more information please go to https://go.microsoft.com/fwlink/?linkid=852572

Event ID 1795: The system firmware returned an error HResult when attempting to update a Secure Boot variable.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

The system firmware returned an error HResult when attempting to update a Secure Boot variable. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931.

Message #

The system firmware returned an error %1 when attempting to update a Secure Boot variable. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931

Fields #

Name	Description
`HResult` Int32
`UpdateType` UnicodeString
`DeviceAttributes` UnicodeString
`BucketId` UnicodeString
`BucketConfidenceLevel` UnicodeString

Event ID 1796: The Secure Boot update failed to update a Secure Boot variable with error UpdateType.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

The Secure Boot update failed to update a Secure Boot variable with error UpdateType. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931.

Message #

The Secure Boot update failed to update a Secure Boot variable with error %1. For more information, please see https://go.microsoft.com/fwlink/?linkid=2169931

Fields #

Name	Description
`UpdateType` UnicodeString
`HResult` Int32

Event ID 1797: The Secure Boot Dbx update failed to revoke Microsoft Windows Production PCA 2011 as the Windows UEFI CA 2023 certificate is not present in Db

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

The Secure Boot update failed as the Windows UEFI CA 2023 certificate is not present in Db.

Message #

The Secure Boot update failed as the Windows UEFI CA 2023 certificate is not present in Db

Event ID 1798: The Secure Boot Dbx update failed as boot manager is not signed with the Windows UEFI CA 2023 certificate.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

The Secure Boot Dbx update failed as boot manager is not signed with the Windows UEFI CA 2023 certificate.

Message #

The Secure Boot Dbx update failed as boot manager is not signed with the Windows UEFI CA 2023 certificate

Event ID 1799: Boot Manager signed with Windows UEFI CA 2023 was installed successfully

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

Boot Manager signed with Windows UEFI CA 2023 was installed successfully.

Message #

Boot Manager signed with Windows UEFI CA 2023 was installed successfully

Event ID 1800: A reboot is required before installing the Secure Boot update.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

A reboot is required before installing the Secure Boot update. Reason: UpdateType.

Message #

A reboot is required before installing the Secure Boot update. Reason: %1

Fields #

Name	Description
`UpdateType` UnicodeString

Event ID 1801: Secure Boot certificates have been updated but are not yet applied to the device firmware.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Message #

Secure Boot certificates have been updated but are not yet applied to the device firmware. Review the published guidance to complete the update and ensure full protection. This device signature information is included here.
DeviceAttributes: %1
BucketId: %2
BucketConfidenceLevel: %3
UpdateType: %4
For more information, please see https://go.microsoft.com/fwlink/?linkid=2301018.

Fields #

Name	Description
`DeviceAttributes` UnicodeString
`BucketId` UnicodeString
`BucketConfidenceLevel` UnicodeString
`UpdateType` UnicodeString

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TPM-WMI",
    "event_id": 1801,
    "level": "Error",
    "task": null,
    "opcode": "Info",
    "time_created": "2026-04-23T15:41:27.4769718+00:00",
    "computer": "JD-DC01-2022.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "DeviceAttributes": "BaseBoardManufacturer:;FirmwareManufacturer:SeaBIOS;FirmwareVersion:rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org;OEMModelNumber:Standard PC (i440FX + PIIX, 1996);OEMModelBaseBoard:;OEMModelSystemFamily:;OEMManufacturerName:QEMU;OEMModelSKU:;OSArchitecture:amd64;",
    "BucketId": "996345bf0e7edc8a31ef4b8e37ed4b147f19d916912d33f12743b2bf21a937b1",
    "BucketConfidenceLevel": "No Data Observed - Action Required",
    "UpdateType": null
  }
}

Event ID 1802: The Secure Boot update UpdateType was blocked due to a known firmware issue on the device.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Message #

The Secure Boot update %1 was blocked due to a known firmware issue on the device. Check with your device vendor for a firmware update that addresses the issue. This device signature information is included here.
DeviceAttributes: %2
BucketId: %3
BucketConfidenceLevel: %4
SkipReason: %5.
For more information, please see https://go.microsoft.com/fwlink/?linkid=2339472

Fields #

Name	Description
`UpdateType` UnicodeString
`DeviceAttributes` UnicodeString
`BucketId` UnicodeString
`BucketConfidenceLevel` UnicodeString
`SkipReason` UnicodeString

Event ID 1803: A PK-signed Key Exchange Key (KEK) cannot be found for this device.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

A PK-signed Key Exchange Key (KEK) cannot be found for this device. Check with the device manufacturer for proper key provisioning.

Message #

A PK-signed Key Exchange Key (KEK) cannot be found for this device. Check with the device manufacturer for proper key provisioning.
This device signature information is included here.
DeviceAttributes: %1
BucketId: %2
BucketConfidenceLevel: %3.
For more information, please see https://go.microsoft.com/fwlink/?linkid=2339472

Fields #

Name	Description
`DeviceAttributes` UnicodeString
`BucketId` UnicodeString
`BucketConfidenceLevel` UnicodeString

Event ID 1808: This device has updated Secure Boot CA/keys.

Provider: Microsoft-Windows-TPM-WMI
Channel: System

Description

This device has updated Secure Boot CA/keys. This device signature information is included here.

Message #

This device has updated Secure Boot CA/keys. This device signature information is included here.
DeviceAttributes: %1
BucketId: %2
BucketConfidenceLevel: %3
UpdateType: %4
For more information, please see https://go.microsoft.com/fwlink/?linkid=2301018.

Fields #

Name	Description
`DeviceAttributes` UnicodeString
`BucketId` UnicodeString
`BucketConfidenceLevel` UnicodeString
`UpdateType` UnicodeString

Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

ETW provider GUID 7d5387b0-cbe0-11da-a94d-0800200c9a66

Defined in TpmCoreProvisioning.dll, which carries the event manifest.

Observed on:

WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.4647, captured 2026-06-02
Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.4768, captured 2026-06-02

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)