| Microsoft-Windows-ServerManager-ManagementProvider/Operational | 1000 | Information | Server Manager management provider started |
| Microsoft-Windows-ServerManager-ManagementProvider/Operational | 1001 | Information | Server Manager management provider stopped |
| Microsoft-Windows-ServerManager-ManagementProvider/Operational | 1100 | Error | Server Manager failed to connect to target server |
| Microsoft-Windows-ServerManager-ManagementProvider/Operational | 1101 | Information | Server Manager successfully connected to target server |
| Microsoft-Windows-ServerManager-ManagementProvider/Operational | 1200 | Information | Server Manager initiated refresh of roles and features |
| Microsoft-Windows-ServerManager-ManagementProvider/Operational | 1300 | Error | Unexpected error while managing target server |
| Microsoft-Windows-WindowsAdminCenter/Operational | 3000 | Information | Windows Admin Center gateway service started |
| Microsoft-Windows-WindowsAdminCenter/Operational | 3001 | Warning | Windows Admin Center gateway service stopped |
| Microsoft-Windows-WindowsAdminCenter/Operational | 3002 | Information | Admin Center user authenticated successfully |
| Microsoft-Windows-WindowsAdminCenter/Operational | 3003 | Warning | Admin Center user authentication failed |
| Microsoft-Windows-WindowsAdminCenter/Operational | 3004 | Information | User accessed a managed node via Admin Center |
| Microsoft-Windows-WindowsAdminCenter/Operational | 3005 | Warning | Unauthorized attempt to access managed node |
| Microsoft-Windows-WindowsAdminCenter/Operational | 3010 | Information | Configuration file modified |
| Microsoft-Windows-WindowsAdminCenter/Operational | 3011 | Information | Certificate updated or renewed |
| Microsoft-Windows-WindowsAdminCenter/Operational | 3015 | Information | Admin Center extension installed or removed |
| Microsoft-Windows-WindowsAdminCenter/Operational | 3020 | Warning | Connection lost to managed node |
| Microsoft-Windows-WindowsRemoteManagement/Operational | 6 | Information | WinRM service started |
| Microsoft-Windows-WindowsRemoteManagement/Operational | 7 | Information | WinRM service stopped |
| Microsoft-Windows-WindowsRemoteManagement/Operational | 16 | Information | WinRM client connected to remote system |
| Microsoft-Windows-WindowsRemoteManagement/Operational | 17 | Error | WinRM connection failed (access denied or timeout) |
| Microsoft-Windows-WindowsRemoteManagement/Operational | 18 | Information | WinRM listener started |
| Microsoft-Windows-WindowsRemoteManagement/Operational | 19 | Information | WinRM listener stopped |
| Microsoft-Windows-WindowsRemoteManagement/Operational | 20 | Warning | WinRM configuration modified |
| Microsoft-Windows-PowerShell/Operational | 4100 | Information | PowerShell remote session started |
| Microsoft-Windows-PowerShell/Operational | 4101 | Information | PowerShell command executed |
| Microsoft-Windows-PowerShell/Operational | 4102 | Error | PowerShell script execution failed |
| Microsoft-Windows-PowerShell/Operational | 4104 | Information | Script block logging — executed command captured |
| Microsoft-Windows-PowerShell/Operational | 4105 | Warning | PowerShell session disconnected |
| Microsoft-Windows-PowerShell/Operational | 4106 | Information | PowerShell session reconnected |
| Microsoft-Windows-PowerShell/Operational | 53504 | Warning | Unauthorized PowerShell activity blocked |
| Security | 4688 | Information | New process created (admin tool execution trace) |
| Security | 4670 | Warning | Permissions on management files or WAC config modified |
| System | 7036 | Information | WinRM service entered running/stopped state |
| Microsoft-Windows-ServerManager/Operational | 1001 | Medium | Management console failed to load data |
| Microsoft-Windows-ServerManager/Operational | 1003 | Medium | Refresh operation failed |
| Microsoft-Windows-ServerManager/Operational | 1010 | High | Server Manager task failed |
| Microsoft-Windows-PowerShell/Operational | 4103 | High | PowerShell command failure |
| Microsoft-Windows-PowerShell/Operational | 4104 | High | Suspicious script execution |
| Microsoft-Windows-Eventlog | 1102 | Critical | Audit log cleared |