From 4c6c1639eee9e3a1bb2cb805fbd1f0373e785990 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Thu, 12 Nov 2020 14:30:55 +0000 Subject: [PATCH] update to privacy events --- ...ndows-diagnostic-events-and-fields-1703.md | 87 ++- ...ndows-diagnostic-events-and-fields-1709.md | 87 ++- ...ndows-diagnostic-events-and-fields-1803.md | 104 +++- ...ndows-diagnostic-events-and-fields-1809.md | 406 ++++++++++---- ...ndows-diagnostic-events-and-fields-1903.md | 518 +++++++++++++++++- ...-diagnostic-data-events-and-fields-2004.md | 284 ++++++++-- 6 files changed, 1292 insertions(+), 194 deletions(-) diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md index d3555a0e8a..5a75aeb713 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/30/2020 +ms.date: 11/12/2020 ms.reviewer: --- 
@@ -33,7 +33,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 2004 and Windows 10, version 20H2 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) @@ -2490,7 +2490,7 @@ The following fields are available: - **Enumerator** Identifies the bus that enumerated the device. - **HWID** A list of hardware IDs for the device. See [HWID](#hwid). - **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). -- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx +- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/library/windows/hardware/ff543130.asp - **InventoryVersion** The version number of the inventory process generating the events. - **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. - **LowerFilters** The identifiers of the Lower filters installed for the device. 
@@ -2678,6 +2678,31 @@ The following fields are available: - **StartTime** UTC date and time at which this event was sent. +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoAdd + +This event provides basic information about active memory slots on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Capacity** Memory size in bytes +- **Manufacturer** Name of the DRAM manufacturer +- **Model** Model and sub-model of the memory +- **Slot** Slot to which the DRAM is plugged into the motherboard. +- **Speed** The configured memory slot speed in MHz. +- **Type** Reports DDR, etc. as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2. +- **TypeDetails** Reports Non-volatile, etc. as a bit flag enumeration per DMTF SMBIOS standard version 3.3.0, section 7.18.3. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync + +This diagnostic event indicates a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd This event provides data on the installed Office add-ins. The data collected with this event is used to keep Windows performing properly. 
@@ -6417,6 +6442,62 @@ The following fields are available: - **wuDeviceid** The Windows Update device GUID. +### Microsoft.Windows.WindowsUpdate.RUXIM.ICOInteractionCampaignComplete + +This event is generated whenever a RUXIM user interaction campaign becomes complete. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying the interaction campaign that became complete. +- **ResultId** The final result of the interaction campaign. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSLaunch + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMICS. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying the interaction campaign that RUXIMIH processed. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHLaunch + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMIH. 
+- **InteractionCampaignID** GUID identifying the user interaction campaign that the Interaction Handler will process. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.SystemEvaluator.Evaluation + +This event is generated whenever the RUXIM Evaluator DLL performs an evaluation. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **HRESULT** Error, if any, that occurred during evaluation. (Note that if errors encountered during individual checks do not affect the overall result of the evaluation, those errors will be reported in NodeEvaluationData, but this HRESULT will still be zero.) +- **Id** GUID passed in by the caller to identify the evaluation. +- **NodeEvaluationData** Structure showing the results of individual checks that occurred during the overall evaluation. +- **Result** The overall result generated by the evaluation. + + ## Windows Update mitigation events ### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md index 2be76e6660..f4bfc0d442 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/30/2020 +ms.date: 11/12/2020 ms.reviewer: --- 
@@ -33,7 +33,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 2004 and Windows 10, version 20H2 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) @@ -2512,7 +2512,7 @@ The following fields are available: - **Enumerator** Identifies the bus that enumerated the device. - **HWID** A list of hardware IDs for the device. - **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). -- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx +- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx - **InventoryVersion** The version number of the inventory process generating the events. - **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. - **LowerFilters** The identifiers of the Lower filters installed for the device. 
@@ -2712,6 +2712,31 @@ The following fields are available: - **StartTime** UTC date and time at which this event was sent. +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoAdd + +This event provides basic information about active memory slots on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Capacity** Memory size in bytes +- **Manufacturer** Name of the DRAM manufacturer +- **Model** Model and sub-model of the memory +- **Slot** Slot to which the DRAM is plugged into the motherboard. +- **Speed** The configured memory slot speed in MHz. +- **Type** Reports DDR, etc. as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2. +- **TypeDetails** Reports Non-volatile, etc. as a bit flag enumeration per DMTF SMBIOS standard version 3.3.0, section 7.18.3. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync + +This diagnostic event indicates a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd This event provides data on the installed Office add-ins. The data collected with this event is used to keep Windows performing properly. 
@@ -6724,6 +6749,62 @@ The following fields are available: - **wuDeviceid** The Windows Update device GUID. +### Microsoft.Windows.WindowsUpdate.RUXIM.ICOInteractionCampaignComplete + +This event is generated whenever a RUXIM user interaction campaign becomes complete. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying the interaction campaign that became complete. +- **ResultId** The final result of the interaction campaign. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSLaunch + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMICS. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying the interaction campaign that RUXIMIH processed. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHLaunch + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMIH. 
+- **InteractionCampaignID** GUID identifying the user interaction campaign that the Interaction Handler will process. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.SystemEvaluator.Evaluation + +This event is generated whenever the RUXIM Evaluator DLL performs an evaluation. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **HRESULT** Error, if any, that occurred during evaluation. (Note that if errors encountered during individual checks do not affect the overall result of the evaluation, those errors will be reported in NodeEvaluationData, but this HRESULT will still be zero.) +- **Id** GUID passed in by the caller to identify the evaluation. +- **NodeEvaluationData** Structure showing the results of individual checks that occurred during the overall evaluation. +- **Result** Overall result generated by the evaluation. + + ## Windows Update mitigation events ### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md index b9030aba9a..a5c2718237 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/30/2020 +ms.date: 11/12/2020 ms.reviewer: --- 
@@ -33,7 +33,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 2004 and Windows 10, version 20H2 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) @@ -3470,7 +3470,7 @@ The following fields are available: - **Enumerator** Identifies the bus that enumerated the device. - **HWID** A list of hardware IDs for the device. - **Inf** The name of the INF file (possibly renamed by the OS, such as oemXX.inf). -- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx +- **InstallState** The device installation state. For a list of values, see: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx - **InventoryVersion** The version number of the inventory process generating the events. - **LowerClassFilters** The identifiers of the Lower Class filters installed for the device. - **LowerFilters** The identifiers of the Lower filters installed for the device. 
@@ -3675,6 +3675,23 @@ The following fields are available: - **StartTime** UTC date and time at which this event was sent. +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoAdd + +This event provides basic information about active memory slots on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Capacity** Memory size in bytes +- **Manufacturer** Name of the DRAM manufacturer +- **Model** Model and sub-model of the memory +- **Slot** Slot to which the DRAM is plugged into the motherboard. +- **Speed** The configured memory slot speed in MHz. +- **Type** Reports DDR, etc. as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2. +- **TypeDetails** Reports Non-volatile, etc. as a bit flag enumeration per DMTF SMBIOS standard version 3.3.0, section 7.18.3. + + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync This diagnostic event indicates a new sync is being generated for this object type. 
@@ -4574,6 +4591,31 @@ The following fields are available: - **winInetError** The HResult of the operation. +## Other events + +### Microsoft.ServerManagementExperience.Gateway.Service.ManagedNodeProperties + +This is a periodic rundown event that contains more detailed information about the nodes added to this Windows Admin Center gateway for management. + +The following fields are available: + +- **nodeId** Constructed from nodeTypeId concatenated with the hostname or IP address that gateway uses to connect to this node. +- **nodeOperatingSystem** A user friendly description of the node's OS version. +- **nodeOSVersion** A major or minor build version string for the node's OS. +- **nodeTypeId** A string that distinguishes between a connection target, whether it is a client, server, cluster or a hyperconverged cluster. +- **otherProperties** Contains a JSON object with variable content and may contain: "nodes": a list of host names or IP addresses of the servers belonging to a cluster, "aliases": the alias if it is set for this connection, "lastUpdatedTime": the number of milliseconds since Unix epoch when this connection was last updated, "ncUri", "caption", "version", "productType", "networkName", "operatingSystem", "computerManufacturer", "computerModel", "isS2dEnabled". This JSON object is formatted as an quotes-escaped string. + + +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. + + ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted 
@@ -8373,6 +8415,62 @@ The following fields are available: - **wuDeviceid** The Windows Update device GUID. +### Microsoft.Windows.WindowsUpdate.RUXIM.ICOInteractionCampaignComplete + +This event is generated whenever a RUXIM user interaction campaign becomes complete. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying the interaction campaign that became complete. +- **ResultId** The final result of the interaction campaign. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSExit + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + + + +### Microsoft.Windows.WindowsUpdate.RUXIM.ICSLaunch + +This event is generated when the RUXIM Interaction Campaign Scheduler (RUXIMICS.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMICS. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHExit + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) exits. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **InteractionCampaignID** GUID identifying the interaction campaign that RUXIMIH processed. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.IHLaunch + +This event is generated when the RUXIM Interaction Handler (RUXIMIH.EXE) is launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CommandLine** The command line used to launch RUXIMIH. 
+- **InteractionCampaignID** GUID identifying the user interaction campaign that the Interaction Handler will process. + + +### Microsoft.Windows.WindowsUpdate.RUXIM.SystemEvaluator.Evaluation + +This event is generated whenever the RUXIM Evaluator DLL performs an evaluation. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **HRESULT** Error, if any, that occurred during evaluation. (Note that if errors encountered during individual checks do not affect the overall result of the evaluation, those errors will be reported in NodeEvaluationData, but this HRESULT will still be zero.) +- **Id** GUID passed in by the caller to identify the evaluation. +- **NodeEvaluationData** Structure showing the results of individual checks that occurred during the overall evaluation. +- **Result** Overall result generated by the evaluation. + + ## Windows Update mitigation events ### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md index 12bf3f543c..4795516628 100644 --- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/30/2020 +ms.date: 11/12/2020 ms.reviewer: --- 
@@ -33,7 +33,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 2004 and Windows 10, version 20H2 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1903 and Windows 10, version 1909 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1903.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) @@ -2551,19 +2551,6 @@ The following fields are available: - **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. - **xid** A list of base10-encoded XBOX User IDs. -## Common Data Fields - -### Ms.Device.DeviceInventoryChange - -Describes the installation state for all hardware and software components available on a particular device. - -The following fields are available: - -- **action** The change that was invoked on a device inventory object. -- **inventoryId** Device ID used for Compatibility testing -- **objectInstanceId** Object identity which is unique within the device scope. -- **objectType** Indicates the object type that the event applies to. -- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. ## Compatibility events 
@@ -2795,6 +2782,12 @@ The following fields are available: ## Diagnostic data events +### Microsoft.Windows.Test.WindowsCoreTelemetryTestProvider.WindowsCoreTelemetryTestEvent + +This is an internal-only test event used to validate the utc.app and telemetry.asm-windowsdefault settings and namespaces before publishing. The provider of this event is assigned to the Windows Core Telemetry group provider in order to test. The data collected with this event is used to keep Windows performing properly. + + + ### TelClientSynthetic.AbnormalShutdown_0 This event sends data about boot IDs for which a normal clean shutdown was not observed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. @@ -3307,6 +3300,19 @@ The following fields are available: - **CV** Correlation vector. +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator WaitForRebootUi call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown This event indicates that the Coordinator WaitForRebootUi call succeeded. The data collected with this event is used to help keep Windows secure and up to date. 
@@ -3579,82 +3585,149 @@ The following fields are available: - **CV** Correlation vector. +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXEnteringState + +This event indicates that DTUNotificationUX has started processing a workflow state. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** The coordinator version of Direct To Update. +- **CV** Correlation vector. +- **State** State of the workflow. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXEvaluation + +This event indicates that Applicability DLL ran a set of applicability tests. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **Action** The enumeration code of action that was handled. +- **ActiveTestResults** The bitmask results of applicability tests. +- **ActiveTestsRun** The bitmask of applicability tests that were run. +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** The coordinator version of Direct To Update. +- **CV** Correlation vector. +- **FullTestResults** The bitmask of results of applicability tests. +- **FullTestsRun** The bitmask of applicability tests that were run. +- **SuppressedTests** The bitmask of applicability tests that were unable to run due to suppression caused by the configuration settings. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXEvaluationError + +This event indicates that Applicability DLL failed on a test. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. 
+- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **FailedTest** The enumeration code of the test that failed. +- **HRESULT** An error (if any) that occurred. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXExit + +This event indicates that DTUNotificationUX has finished execution. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **HRESULTCausingExit** HRESULT Causing an abnormal exit, or S_OK for normal exits. +- **ProcessExitCode** The exit code that DTUNotificationUX returns to DTUCoordinator. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXExitingState + +This event indicates that DTUNotificationUX has stopped processing a workflow state. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **HRESULT** Error (if any) that occurred. +- **NextState** Next workflow state we will enter. +- **State** The state of the workflow. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXFinalAcceptDialogDisplayed + +This event indicates that the Final Accept dialog has been shown. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. 
+- **EnterpriseAttribution** If true, the user is told that the enterprise managed the reboot. +- **HRESULT** Error (if any) that occurred. +- **UserResponse** The enumeration code indicating the user response to a dialog. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXFirstAcceptDialogDisplayed + +This event indicates that the First Accept dialog has been shown. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **EnterpriseAttribution** If true, the user is told that the enterprise managed the reboot. +- **HRESULT** Error (if any) that occurred. +- **UserResponse** Enumeration code indicating the user response to a dialog. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXLaunch + +This event indicates that DTUNotificationUX has launched. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CommandLine** Command line passed to DTUNotificationUX. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXUserCannotReboot + +This event indicates that the user has no restart privilege. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. 
+ + +### Microsoft.Windows.DirectToUpdate.DTUNotificationUXUserInitatedRestartFailed + +This event indicates that the system failed to restart. The data collected with this event is used to help keep Windows up to date and performing properly. + +The following fields are available: + +- **CampaignID** The ID of the campaign being run. +- **ClientID** The ID of the client being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + ## DISM events -### Microsoft.Windows.StartRep.DISMLatesInstalledLCU - -This event indicates that LCU is being uninstalled by DISM. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **DISMInstalledLCUPackageName** Package name of LCU that's uninstalled by using DISM - - -### Microsoft.Windows.StartRep.DISMPendingInstall - -This event indicates that installation for the package is pending during recovery session. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **DISMPendingInstallPackageName** The name of the pending package. - - -### Microsoft.Windows.StartRep.DISMRevertPendingActions - -This event indicates that the revert pending packages operation has been completed. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **ErrorCode** The result from the operation to revert pending packages. - - -### Microsoft.Windows.StartRep.DISMUninstallLCU - -This event indicates the uninstall operation. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **ErrorCode** The error code that is being reported by DISM. - - -### Microsoft.Windows.StartRep.SRTRepairActionEnd - -This event indicates that the SRT Repair has been completed. The data collected with this event is used to help keep Windows up to date. 
- -The following fields are available: - -- **ErrorCode** The error code that is reported. -- **SRTRepairAction** The action that was taken by SRT. - - -### Microsoft.Windows.StartRep.SRTRepairActionStart - -This event sends data when SRT repair has started. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **SRTRepairAction** The action that is being taken by SRT. - - -### Microsoft.Windows.StartRep.SRTRootCauseDiagEnd - -This event sends data when the root cause operation has completed. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **ErrorCode** The final result code for the root cause operation. -- **SRTRootCauseDiag** The name of the root cause operation that ran. - - -### Microsoft.Windows.StartRep.SRTRootCauseDiagStart - -This event indicates that a diagnostic in the recovery environment has been initiated. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **SRTRootCauseDiag** The name of a specific diagnostic. - - ### Microsoft.Windows.StartRepairCore.DISMLatestInstalledLCU The DISM Latest Installed LCU sends information to report result of search for latest installed LCU after last successful boot. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. 
@@ -3682,6 +3755,15 @@ The following fields are available: - **errorCode** The result code returned by the event. +### Microsoft.Windows.StartRepairCore.DISMUninstallLCU + +The DISM Uninstall LCU sends information to report result of uninstall attempt for found LCU. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. + +The following fields are available: + +- **errorCode** The result code returned by the event. + + ### Microsoft.Windows.StartRepairCore.SRTRepairActionEnd The SRT Repair Action End event sends information to report repair operation ended for given plug-in. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. @@ -4332,7 +4414,7 @@ The following fields are available: This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. The data collected with this event is used to keep Windows performing properly. -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). +This event includes fields from [Ms.Device.De~iceInventoryChange](#msdevicede~iceinventorychange). The following fields are available: @@ -4423,7 +4505,7 @@ The following fields are available: This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. The data collected with this event is used to keep Windows performing properly. -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). +This event includes fields from [Ms.De~ice.DeviceInventoryChange](#msde~icedeviceinventorychange). The following fields are available: 
@@ -4573,11 +4655,19 @@ The following fields are available: - **Manufacturer** Name of the DRAM manufacturer - **Model** Model and sub-model of the memory - **Slot** Slot to which the DRAM is plugged into the motherboard. -- **Speed** MHZ the memory is currently configured & used at. +- **Speed** The configured memory slot speed in MHz. - **Type** Reports DDR, etc. as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2. - **TypeDetails** Reports Non-volatile, etc. as a bit flag enumeration per DMTF SMBIOS standard version 3.3.0, section 7.18.3. +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoRemove + +This event indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync This diagnostic event indicates a new sync is being generated for this object type. @@ -4929,7 +5019,7 @@ The following fields are available: This event represents the basic metadata about the OS indicators installed on the system. The data collected with this event helps ensure the device is up to date and keeps Windows performing properly. -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). +This event includes fields from [Ms.Device.DeviceInventoryChangd](#msdevicedeviceinventorychangd). The following fields are available: 
@@ -4955,15 +5045,6 @@ This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedevic ## Kernel events -### IO - -This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup. - -The following fields are available: - -- **BytesRead** The total number of bytes read from or read by the OS upon system startup. -- **BytesWritten** The total number of bytes written to or written by the OS upon system startup. - ### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch This event includes basic data about the Operating System, collected during Boot and used to evaluate the success of the upgrade process. The data collected with this event is used to keep Windows performing properly. @@ -5543,7 +5624,7 @@ The following fields are available: - **winInetError** The HResult of the operation. -## ONNX runtime events +## Other events ### Microsoft.ML.ONNXRuntime.ProcessInfo 
@@ -5570,6 +5651,94 @@ The following fields are available: - **totalRuns** Total number of running/evaluation from last time. +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **batteryData.data()** Battery performance data. +- **BatteryDataSize:** Size of the battery performance data. +- **batteryInfo.data()** Battery performance data. +- **BatteryInfoSize:** Size of the battery performance data. +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. + + +### Microsoft.Windows.StartRep.DISMLatesInstalledLCU + +This event indicates that LCU is being uninstalled by DISM. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **DISMInstalledLCUPackageName** Package name of LCU that's uninstalled by using DISM + + +### Microsoft.Windows.StartRep.DISMPendingInstall + +This event indicates that installation for the package is pending during recovery session. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **DISMPendingInstallPackageName** The name of the pending package. + + +### Microsoft.Windows.StartRep.DISMRevertPendingActions + +This event indicates that the revert pending packages operation has been completed. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **ErrorCode** The result from the operation to revert pending packages. + + +### Microsoft.Windows.StartRep.DISMUninstallLCU + +This event indicates the uninstall operation. The data collected with this event is used to help keep Windows up to date. 
+ +The following fields are available: + +- **ErrorCode** The error code that is being reported by DISM. + + +### Microsoft.Windows.StartRep.SRTRepairActionEnd + +This event indicates that the SRT Repair has been completed. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **ErrorCode** The error code that is reported. +- **SRTRepairAction** The action that was taken by SRT. + + +### Microsoft.Windows.StartRep.SRTRepairActionStart + +This event sends data when SRT repair has started. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **SRTRepairAction** The action that is being taken by SRT. + + +### Microsoft.Windows.StartRep.SRTRootCauseDiagEnd + +This event sends data when the root cause operation has completed. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **ErrorCode** The final result code for the root cause operation. +- **SRTRootCauseDiag** The name of the root cause operation that ran. + + +### Microsoft.Windows.StartRep.SRTRootCauseDiagStart + +This event indicates that a diagnostic in the recovery environment has been initiated. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **SRTRootCauseDiag** The name of a specific diagnostic. + + ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted 
@@ -7601,18 +7770,6 @@ The following fields are available: - **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise - **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). -### Value - -This event returns data about Mean Time to Failure (MTTF) for Windows devices. It is the primary means of estimating reliability problems in Basic Diagnostic reporting with very strong privacy guarantees. Since Basic Diagnostic reporting does not include system up-time, and since that information is important to ensuring the safe and stable operation of Windows, the data provided by this event provides that data in a manner which does not threaten a user’s privacy. - -The following fields are available: - -- **Algorithm** The algorithm used to preserve privacy. -- **DPRange** The upper bound of the range being measured. -- **DPValue** The randomized response returned by the client. -- **Epsilon** The level of privacy to be applied. -- **HistType** The histogram type if the algorithm is a histogram algorithm. -- **PertProb** The probability the entry will be Perturbed if the algorithm chosen is “heavy-hitters”. ## Windows Error Reporting MTT events 
@@ -8013,7 +8170,7 @@ The following fields are available: ### Microsoft.Windows.Kits.WSK.WskImageCreate -This event sends data when the Windows System Kit is used to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. The data collected with this event is used to keep Windows performing properly. +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate “image” creation failures. The data collected with this event is used to keep Windows performing properly. The following fields are available: @@ -8028,7 +8185,7 @@ The following fields are available: ### Microsoft.Windows.Kits.WSK.WskImageCustomization -This event sends data when the Windows System Kit is used to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. The data collected with this event is used to keep Windows performing properly. +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create/modify configuration files allowing the customization of a new OS image with Apps or Drivers. The data includes the version of the Windows System Kit, the state of the event, the customization type (drivers or apps) and the mode (new or updating) and is used to help investigate configuration file creation failures. The data collected with this event is used to keep Windows performing properly. The following fields are available: 
@@ -8044,7 +8201,7 @@ The following fields are available: ### Microsoft.Windows.Kits.WSK.WskWorkspaceCreate -This event sends data when the Windows System Kit is used to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures. The data collected with this event is used to keep Windows performing properly. +This event sends simple Product and Service usage data when a user is using the Windows System Kit to create new workspace for generating OS “images”. The data includes the version of the Windows System Kit and the state of the event and is used to help investigate workspace creation failures. The data collected with this event is used to keep Windows performing properly. The following fields are available: @@ -9077,6 +9234,19 @@ The following fields are available: - **wuDeviceid** The Windows Update device GUID. +### Microsoft.Windows.Update.Orchestrator.UUPFallBack + +This event sends data when UUP needs to fall back, to help keep Windows secure and up to date. + +The following fields are available: + +- **EventPublishedTime** The current event time. +- **UUPFallBackCause** The reason for UUP fall back. +- **UUPFallBackConfigured** The fall back error code. +- **UUPFallBackErrorReason** The reason for fall back error. +- **wuDeviceid** A Windows Update device ID. + + ### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. The data collected with this event is used to help keep Windows secure and up to date. diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md index 1623bf2d24..76b3ba247f 100644 
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md +++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1903.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/30/2020 +ms.date: 11/12/2020 --- @@ -38,7 +38,7 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 2004 and Windows 10, version 20H2 required Windows diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) +- [Windows 10, version 20H2 and Windows 10, version 2004 basic diagnostic events and fields](required-windows-diagnostic-data-events-and-fields-2004.md) - [Windows 10, version 1809 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md) - [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) 
@@ -486,11 +486,18 @@ The following fields are available: - **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device. - **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. - **DecisionSystemProcessor_RS2** The count of the number of this particular object type present on this device. +- **DecisionTest_19H1** The count of the number of this particular object type present on this device. - **DecisionTest_20H1** The count of the number of this particular object type present on this device. - **DecisionTest_20H1Setup** The count of the number of this particular object type present on this device. - **DecisionTest_21H1** The count of the number of this particular object type present on this device. - **DecisionTest_21H1Setup** The count of the number of this particular object type present on this device. - **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **DecisionTest_RS2** The count of the number of this particular object type present on this device. +- **DecisionTest_RS3** The count of the number of this particular object type present on this device. +- **DecisionTest_RS4** The count of the number of this particular object type present on this device. +- **DecisionTest_RS5** The count of the number of this particular object type present on this device. +- **DecisionTest_TH1** The count of the number of this particular object type present on this device. +- **DecisionTest_TH2** The count of the number of this particular object type present on this device. - **InventoryApplicationFile** The count of the number of this particular object type present on this device. - **InventoryDeviceContainer** A count of device container objects in cache. - **InventoryDevicePnp** A count of device Plug and Play objects in cache. 
@@ -968,6 +975,17 @@ The following fields are available: - **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove + +This event Indicates that the DecisionMatchingInfoPassive object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. The data collected with this event is used to help keep Windows up to date. @@ -2762,6 +2780,12 @@ This event reports the results of deferring Windows Content to keep Windows up t ## Diagnostic data events +### Microsoft.Windows.Test.WindowsCoreTelemetryTestProvider.WindowsCoreTelemetryTestEvent + +This is an internal-only test event used to validate the utc.app and telemetry.asm-windowsdefault settings and namespaces before publishing. The provider of this event is assigned to the Windows Core Telemetry group provider in order to test. The data collected with this event is used to keep Windows performing properly + + + ### TelClientSynthetic.AbnormalShutdown_0 This event sends data about boot IDs for which a normal clean shutdown was not observed. The data collected with this event is used to help keep Windows up to date, secure, and performing properly. 
@@ -3101,6 +3125,194 @@ This event is a low latency health alert that is part of the 4Nines device healt ## Direct to update events +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure + +This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector +- **hResult** HRESULT of the failure + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess + +This event indicates that the Coordinator Commit call succeeded. The data collected with this event is used to help keep Windows secure and up to date. 
+ +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure + +This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that will be ignored. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess + +This event indicates that the Coordinator Download call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess + +This event indicates that the Coordinator HandleShutdown call succeeded. The data collected with this event is used to help keep Windows secure and up to date. 
+ +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess + +This event indicates that the Coordinator Initialize call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure + +This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess + +This event indicates that the Coordinator Install call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack + +This event indicates that the Coordinator's progress callback has been called. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. 
+- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **DeployPhase** Current Deploy Phase. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess + +This event indicates that the Coordinator SetCommitReady call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection + +This event indicates that the user selected an option on the Reboot UI. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **rebootUiSelection** Selection on the Reboot UI. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess + +This event indicates that the Coordinator WaitForRebootUi call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + ### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityGenericFailure This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicability call. The data collected with this event is used to help keep Windows secure and up to date. 
@@ -3115,6 +3327,187 @@ The following fields are available: - **hResult** HRESULT of the failure +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess + +This event indicates that the Handler CheckApplicabilityInternal call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ApplicabilityResult** The result of the applicability check. +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess + +This event indicates that the Handler CheckApplicability call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **ApplicabilityResult** The result code indicating whether the update is applicable. +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. 
+ + +### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **CV_new** New correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabAlreadyDownloaded + +This event indicates that the Handler Download and Extract cab returned a value indicating that the cab has already been downloaded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** Campaign ID being run +- **ClientID** Client ID being run +- **CoordinatorVersion** Coordinator version of DTU +- **CV** Correlation vector + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure + +This event indicates that the Handler Download and Extract cab call failed. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_failureReason** Reason why the update download and extract process failed. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess + +This event indicates that the Handler Download and Extract cab call succeeded. 
The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess + +This event indicates that the Handler Download call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extract. 
+- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess + +This event indicates that the Handler Initialize call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extraction. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess + +This event indicates that the Coordinator Install call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the update campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + +### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess + +This event indicates that the Handler SetCommitReady call succeeded. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CampaignID** ID of the campaign being run. 
+- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. + + ## DISM events ### Microsoft.Windows.StartRepairCore.DISMLatestInstalledLCU @@ -3655,7 +4048,7 @@ The following fields are available: This event sends basic metadata about an application on the system. The data collected with this event is used to keep Windows performing properly and up to date. -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). +This event includes fields from [Ms.Device.DeviceInven|oryChange](#msdevicedeviceinven|orychange). The following fields are available: @@ -3758,7 +4151,7 @@ The following fields are available: This event indicates that a new set of InventoryDevicePnpAdd events will be sent. The data collected with this event is used to keep Windows performing properly. -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). +This event includes fields from [Ms.Device.DmviceInventoryChange](#msdevicedmviceinventorychange). The following fields are available: @@ -3769,7 +4162,7 @@ The following fields are available: This event indicates that a new set of InventoryApplicationAdd events will be sent. The data collected with this event is used to keep Windows performing properly. -This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange) +This event includes fields from [Ms.Device,DeviceInventoryChange](#msdevice,deviceinventorychange). The following fields are available: 
@@ -3929,7 +4322,7 @@ The following fields are available: - **HWID** The version of the driver loaded for the device. - **Inf** The bus that enumerated the device. - **InstallDate** The date of the most recent installation of the device on the machine. -- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx +- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx - **InventoryVersion** List of hardware ids for the device. - **LowerClassFilters** Lower filter class drivers IDs installed for the device - **LowerFilters** Lower filter drivers IDs installed for the device @@ -4126,7 +4519,7 @@ The following fields are available: - **Manufacturer** Name of the DRAM manufacturer - **Model** Model and sub-model of the memory - **Slot** Slot to which the DRAM is plugged into the motherboard. -- **Speed** MHZ the memory is currently configured & used at. +- **Speed** The configured memory slot speed in MHz. - **Type** Reports DDR, etc. as an enumeration value as per the DMTF SMBIOS standard version 3.3.0, section 7.18.2. - **TypeDetails** Reports Non-volatile, etc. as a bit flag enumeration according to the DMTF SMBIOS standard version 3.3.0, section 7.18.3. 
@@ -4653,6 +5046,7 @@ The following fields are available: - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event, where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. 
@@ -4680,6 +5074,7 @@ The following fields are available: - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. 
@@ -4708,6 +5103,7 @@ The following fields are available: - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. 
@@ -4735,6 +5131,7 @@ The following fields are available: - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. 
@@ -4767,6 +5164,8 @@ The following fields are available: - **appLang** The language of the product install, in IETF BCP 47 representation. Default: ''. - **appNextVersion** The version of the app that the update flow to which this event belongs attempted to reach, regardless of the success or failure of the update operation. Please see the wiki for additional information. Default: '0.0.0.0'. - **appPingEventAppSize** The total number of bytes of all downloaded packages. Default: '0'. +- **appPingEventDownloadMetricsCdnCCC** ISO 2 character country code that matches to the country updated binaries are delivered from. E.g.: US. +- **appPingEventDownloadMetricsCdnCID** Numeric value used to internally track the origins of the updated binaries. For example, 2. - **appPingEventDownloadMetricsDownloadedBytes** For events representing a download, the number of bytes expected to be downloaded. For events representing an entire update flow, the sum of all such expected bytes over the course of the update flow. Default: '0'. - **appPingEventDownloadMetricsDownloader** A string identifying the download algorithm and/or stack. Example values include: 'bits', 'direct', 'winhttp', 'p2p'. Sent in events that have an event type of '14' only. Default: ''. - **appPingEventDownloadMetricsDownloadTimeMs** For events representing a download, the time elapsed between the start of the download and the end of the download, in milliseconds. For events representing an entire update flow, the sum of all such download times over the course of the update flow. Sent in events that have an event type of '1', '2', '3', and '14' only. Default: '0'. 
@@ -4835,6 +5234,7 @@ The following fields are available: - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. @@ -5065,7 +5465,7 @@ The following fields are available: - **SourceOSVersion** The source version of the operating system. -## ONNX runtime events +## Other events ### Microsoft.ML.ONNXRuntime.ProcessInfo 
@@ -5092,7 +5492,20 @@ The following fields are available: - **totalRuns** Total number of running/evaluation from last time. -## Surface events +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **batteryData** Hardware level data about battery performance. +- **batteryData.data()** Battery performance data. +- **BatteryDataSize:** Size of the battery performance data. +- **batteryInfo.data()** Battery performance data. +- **BatteryInfoSize:** Battery performance data. +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. + ### Microsoft.Surface.Health.Binary.Prod.McuHealthLog @@ -5105,7 +5518,6 @@ The following fields are available: - **healthLogSize** 4KB. - **productId** Identifier for product model. -## Update health events ### Microsoft.Windows.UpdateHealthTools.ExpediteBlocked @@ -5286,6 +5698,7 @@ The following fields are available: - **CV** Correlation vector. - **ExpediteErrorBitMap** Bit map value for any error code. +- **ExpediteHoursOfUpTimeSincePolicy** The number of hours the device has been active since it received a policy. - **ExpeditePolicyId** The policy Id of the expedite request. - **ExpediteResult** Boolean value for success or failure. - **ExpediteUpdaterCurrentUbr** The UBR of the device. 
@@ -5347,6 +5760,18 @@ The following fields are available: - **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU. +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsBlobNotificationRetrieved + +This event is sent when a blob notification is received. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version of the label. +- **UpdateHealthToolsBlobNotificationNotEmpty** True if the blob notification is not empty. + + ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsDeviceInformationUploaded This event is received when the UpdateHealthTools service uploads device information. The data collected with this event is used to help keep Windows secure and up to date. 
@@ -5418,6 +5843,24 @@ The following fields are available: - **UpdateHealthToolsPushCurrentStep** The current step for the push notification +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlobDocumentDetails + +The event indicates the details about the blob used for update health tools. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** A correlation vector. +- **GlobalEventCounter** This is a client side counter which indicates ordering of events sent by the user. +- **PackageVersion** The package version of the label. +- **UpdateHealthToolsDevicePolicyFileName** The default name of the policy blob file. +- **UpdateHealthToolsDssDeviceApiSegment** The URI segment for reading the DSS device pointer. +- **UpdateHealthToolsDssDeviceId** The AAD ID of the device used to create the device ID hash. +- **UpdateHealthToolsDssDevicePolicyApiSegment** The segment of the device policy API pointer. +- **UpdateHealthToolsDssTenantId** The tenant id of the device used to create the tenant id hash. +- **UpdateHealthToolsHashedDeviceId** The SHA256 hash of the device id. +- **UpdateHealthToolsHashedTenantId** The SHA256 hash of the device tenant id. + + ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoAADJoin This event indicates that the device is not AAD joined so service stops. The data collected with this event is used to help keep Windows secure and up to date. 
@@ -5429,6 +5872,28 @@ The following fields are available: - **PackageVersion** Current package version of UpdateHealthTools. +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoDSSJoin + +The event is sent when the device is not joined to AAD. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** The global event counter counts the total events for the provider. +- **PackageVersion** The version for the current package. + + +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin + +This event is sent when a device has been detected as DSS device. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** A correlation vector. +- **GlobalEventCounter** This is a client side counter which indicates ordering of events sent by this user. +- **PackageVersion** The package version of the label. + + ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceStarted This event is sent when the service first starts. It is a heartbeat indicating that the service is available on the device. The data collected with this event is used to help keep Windows secure and up to date. @@ -6315,6 +6780,7 @@ The following fields are available: - **ContainsSafeOSDUPackage** Boolean indicating whether Safe DU packages are part of the payload. - **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. - **DownloadComplete** Indicates if the download is complete. +- **DownloadedSizeBundle** Cumulative size (in bytes) of the downloaded bundle content. - **DownloadedSizeCanonical** Cumulative size (in bytes) of downloaded canonical content. - **DownloadedSizeDiff** Cumulative size (in bytes) of downloaded diff content. - **DownloadedSizeExpress** Cumulative size (in bytes) of downloaded express content. 
@@ -6324,11 +6790,13 @@ The following fields are available: - **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. - **FlightId** Unique ID for each flight. - **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **NumberOfHops** Number of intermediate packages used to reach target version. - **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). - **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. - **PackageCountOptional** Number of optional packages requested. - **PackageCountRequired** Number of required packages requested. - **PackageCountTotal** Total number of packages needed. +- **PackageCountTotalBundle** Total number of bundle packages. - **PackageCountTotalCanonical** Total number of canonical packages. - **PackageCountTotalDiff** Total number of diff packages. - **PackageCountTotalExpress** Total number of express packages. @@ -7533,6 +8001,12 @@ This event indicates that the Quality Rollback process has started. The data col +### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualitySucceeded + +This event sends basic telemetry on the success of the rollback of the Quality/LCU builds. The data collected with this event is used to help keep Windows secure and up to date. + + + ## Windows Update Delivery Optimization events ### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled 
@@ -8407,6 +8881,17 @@ The following fields are available: - **wuDeviceid** WU device ID. +### Microsoft.Windows.Update.Orchestrator.UniversalOrchestratorScheduleWorkNonSystem + +This event ensures that only callers with system or admin privileges are allowed to schedule work through Windows Update Universal Orchestrator. The data collected with this event is used to help keep Windows product and service secure. + +The following fields are available: + +- **updaterCmdLine** Updater Command Line. +- **updaterId** Updater ID. +- **wuDeviceid** Device ID. + + ### Microsoft.Windows.Update.Orchestrator.UnstickUpdate This event is sent when the update service orchestrator (USO) indicates that the update can be superseded by a newer update. The data collected with this event is used to help keep Windows secure and up to date. @@ -8504,6 +8989,19 @@ The following fields are available: - **wuDeviceid** The Windows Update device GUID. +### Microsoft.Windows.Update.Orchestrator.UUPFallBack + +This event sends data when UUP needs to fall back, to help keep Windows secure and up to date. + +The following fields are available: + +- **EventPublishedTime** The current event time. +- **UUPFallBackCause** The reason for UUP fall back. +- **UUPFallBackConfigured** The fall back error code. +- **UUPFallBackErrorReason** The reason for fall back error. +- **wuDeviceid** A Windows Update device ID. + + ### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. The data collected with this event is used to help keep Windows secure and up to date. diff --git a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md index b1c3b25c91..1bd826bfd0 100644 
--- a/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md +++ b/windows/privacy/required-windows-diagnostic-data-events-and-fields-2004.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-security-compliance ms.topic: article audience: ITPro -ms.date: 09/30/2020 +ms.date: 11/12/2020 --- 
@@ -264,9 +264,18 @@ The following fields are available: - **DecisionSystemBios_RS5Setup** The count of the number of this particular object type present on this device. - **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device. - **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device. +- **DecisionTest_19H1** The count of the number of this particular object type present on this device. +- **DecisionTest_20H1** The count of the number of this particular object type present on this device. - **DecisionTest_20H1Setup** The count of the number of this particular object type present on this device. - **DecisionTest_21H1** The count of the number of this particular object type present on this device. - **DecisionTest_21H1Setup** The count of the number of this particular object type present on this device. +- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **DecisionTest_RS2** The count of the number of this particular object type present on this device. +- **DecisionTest_RS3** The count of the number of this particular object type present on this device. +- **DecisionTest_RS4** The count of the number of this particular object type present on this device. +- **DecisionTest_RS5** The count of the number of this particular object type present on this device. +- **DecisionTest_TH1** The count of the number of this particular object type present on this device. +- **DecisionTest_TH2** The count of the number of this particular object type present on this device. - **InventoryApplicationFile** The count of the number of this particular object type present on this device. - **InventoryLanguagePack** The count of the number of this particular object type present on this device. - **InventoryMediaCenter** The count of the number of this particular object type present on this device. 
@@ -488,6 +497,17 @@ The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove + +This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. The data collected with this event is used to help keep Windows up to date. @@ -754,6 +774,17 @@ The following fields are available: - **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove + +This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. The data collected with this event is used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. The data collected with this event is used to help keep Windows up to date. 
@@ -1393,23 +1424,6 @@ The following fields are available: ## Audio endpoint events -### MicArrayGeometry - -This event provides information about the layout of the individual microphone elements in the microphone array. The data collected with this event is used to keep Windows performing properly. - -The following fields are available: - -- **MicCoords** The location and orientation of the microphone element. -- **usFrequencyBandHi** The high end of the frequency range for the microphone. -- **usFrequencyBandLo** The low end of the frequency range for the microphone. -- **usMicArrayType** The type of the microphone array. -- **usNumberOfMicrophones** The number of microphones in the array. -- **usVersion** The version of the microphone array specification. -- **wHorizontalAngleBegin** The horizontal angle of the start of the working volume (reported as radians times 10,000). -- **wHorizontalAngleEnd** The horizontal angle of the end of the working volume (reported as radians times 10,000). -- **wVerticalAngleBegin** The vertical angle of the start of the working volume (reported as radians times 10,000). -- **wVerticalAngleEnd** The vertical angle of the end of the working volume (reported as radians times 10,000). - ### Microsoft.Windows.Audio.EndpointBuilder.DeviceInfo This event logs the successful enumeration of an audio endpoint (such as a microphone or speaker) and provides information about the audio endpoint. The data collected with this event is used to keep Windows performing properly. 
@@ -1638,7 +1652,7 @@ The following fields are available: - **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. - **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. - **OSEdition** Retrieves the version of the current OS. -- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc. +- **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc - **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). - **OSSKU** Retrieves the Friendly Name of OS Edition. - **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. @@ -1786,7 +1800,7 @@ This event sends data about the current user's default preferences for browser a The following fields are available: - **CalendarType** The calendar identifiers that are used to specify different calendars. -- **DefaultApp** The current user's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. +- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. - **DefaultBrowserProgId** The ProgramId of the current user's default browser. - **LocaleName** Name of the current user locale given by LOCALE_SNAME via the GetLocaleInfoEx() function. - **LongDateFormat** The long date format the user has selected. 
@@ -2098,18 +2112,6 @@ The following fields are available: - **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. - **xid** A list of base10-encoded XBOX User IDs. -## Common data fields - -### Ms.Device.DeviceInventoryChange - -Describes the installation state for all hardware and software components available on a particular device. - -The following fields are available: - -- **action** The change that was invoked on a device inventory object. -- **inventoryId** Device ID used for Compatibility testing -- **objectInstanceId** Object identity which is unique within the device scope. -- **objectType** Indicates the object type that the event applies to. ## Component-based servicing events @@ -3463,11 +3465,19 @@ The following fields are available: - **Manufacturer** Name of the DRAM manufacturer. - **Model** Model and submodel of the memory. - **Slot** Slot the DRAM is plugged into the motherboard. -- **Speed** MHZ the memory is currently configured and used at. +- **Speed** The configured memory slot speed in MHz. - **Type** Reports DDR, etc. as an enumeration value per DMTF SMBIOS standard version 3.3.0, section 7.18.2. - **TypeDetails** Reports Non-volatile, etc. as a bit flag enumeration per DMTF SMBIOS standard version 3.3.0, section 7.18.3. +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoRemove + +This event indicates that this particular data object represented by the objectInstanceId is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousMemorySlotArrayInfoStartSync This diagnostic event indicates a new sync is being generated for this object type. 
@@ -3939,6 +3949,7 @@ The following fields are available: - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event, where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. 
@@ -3966,6 +3977,7 @@ The following fields are available: - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. 
@@ -3993,6 +4005,7 @@ The following fields are available: - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. 
@@ -4020,6 +4033,7 @@ The following fields are available: - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. 
@@ -4120,6 +4134,7 @@ The following fields are available: - **container_session_id** The session ID of the container, if in WDAG mode. This will be different from the UMA log session ID, which is the session ID of the host in WDAG mode. - **Etag** Etag is an identifier representing all service applied configurations and experiments for the current browser session. This field is left empty when Windows diagnostic level is set to Basic or lower or when consent for diagnostic data has been denied. - **EventInfo.Level** The minimum Windows diagnostic data level required for the event where 1 is basic, 2 is enhanced, and 3 is full. +- **experimentation_mode** A number representing the value set for the ExperimentationAndConfigurationServiceControl group policy. See https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-policies#experimentationandconfigurationservicecontrol for more details on this policy. - **install_date** The date and time of the most recent installation in seconds since midnight on January 1, 1970 UTC, rounded down to the nearest hour. - **installSource** An enumeration representing the source of this installation: source was not retrieved (0), unspecified source (1), website installer (2), enterprise MSI (3), Windows update (4), Edge updater (5), scheduled or timed task (6, 7), uninstall (8), Edge about page (9), self-repair (10), other install command line (11), reserved (12), unknown source (13). - **PayloadClass** The base class used to serialize and deserialize the Protobuf binary payload. 
@@ -4361,6 +4376,23 @@ The following fields are available: - **totalRuns** Total number of running/evaluation from last time. +## Other events + +### Microsoft.Surface.Battery.Prod.BatteryInfoEvent + +This event includes the hardware level data about battery performance. The data collected with this event is used to help keep Windows products and services performing properly. + +The following fields are available: + +- **batteryData** Battery Performance data. +- **batteryData.data()** Battery performance data. +- **BatteryDataSize:** Size of the battery performance data. +- **batteryInfo.data()** Battery performance data. +- **BatteryInfoSize:** Size of the battery performance data. +- **pszBatteryDataXml** Battery performance data. +- **szBatteryInfo** Battery performance data. + + ## Privacy consent logging events ### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted 
@@ -5071,6 +5103,24 @@ The following fields are available: - **PackageVersion** The package version label. +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterAlreadyExpectedUbr + +This event indicates that the device is already on the expected UBR. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpediteErrorBitMap** Bit map value for any error code. +- **ExpeditePolicyId** The policy id of the expedite request. +- **ExpediteResult** Boolean value for success or failure. +- **ExpediteUpdaterCurrentUbr** The ubr of the device. +- **ExpediteUpdaterExpectedUbr** The expected ubr of the device. +- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited. +- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + ### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterFailedToUpdateToExpectedUbr This event indicates the expected UBR of the device. The data collected with this event is used to help keep Windows secure and up to date. 
@@ -5087,6 +5137,22 @@ The following fields are available: - **PackageVersion** The package version label. +### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterRebootComplete + +This event indicates that the expedite update is completed with reboot. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **CV** Correlation vector. +- **ExpeditePolicyId** The policy id of the expedite request. +- **ExpediteResult** Boolean value for success or failure. +- **ExpediteUpdaterCurrentUbr** The ubr of the device. +- **ExpediteUpdaterOfferedUpdateId** Update Id of the LCU expected to be expedited. +- **ExpediteUpdaterPolicyRestoreResult** HRESULT of the policy restore. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version label. + + ### Microsoft.Windows.UpdateHealthTools.ExpediteUpdaterRebootRequired This event indicates that the device has finished servicing and a reboot is required. The data collected with this event is used to help keep Windows secure and up to date. 
@@ -5195,6 +5261,18 @@ The following fields are available: - **UnifiedInstUnifiedInstallerDeviceIsHomeSkuHresultllerDeviceIsHomeSku** The result code from checking whether a device is Home SKU. +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsBlobNotificationRetrieved + +This event is sent when a blob notification is received. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** Counts the number of events for this provider. +- **PackageVersion** The package version of the label. +- **UpdateHealthToolsBlobNotificationNotEmpty** True if the blob notification is not empty. + + ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsCachedNotificationRetrieved This event is sent when a notification is received. The data collected with this event is used to help keep Windows secure and up to date. @@ -5306,6 +5384,17 @@ The following fields are available: - **PackageVersion** Current package version of UpdateHealthTools. +### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceBlockedByNoDSSJoin + +This event is sent when the device is not joined to AAD. The data collected with this event is used to help keep Windows up to date and secure. + +The following fields are available: + +- **CV** Correlation vector. +- **GlobalEventCounter** The global event counter for counting total events for the provider. +- **PackageVersion** The version for the current package. + + ### Microsoft.Windows.UpdateHealthTools.UpdateHealthToolsServiceIsDSSJoin This event is sent when a device has been detected as DSS device. The data collected with this event is used to help keep Windows secure and up to date. 
@@ -5374,6 +5463,7 @@ The following fields are available: - **ContainsSafeOSDUPackage** Boolean indicating whether Safe DU packages are part of the payload. - **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. - **DownloadComplete** Indicates if the download is complete. +- **DownloadedSizeBundle** Cumulative size (in bytes) of the downloaded bundle content. - **DownloadedSizeCanonical** Cumulative size (in bytes) of downloaded canonical content. - **DownloadedSizeDiff** Cumulative size (in bytes) of downloaded diff content. - **DownloadedSizeExpress** Cumulative size (in bytes) of downloaded express content. @@ -5383,11 +5473,13 @@ The following fields are available: - **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. - **FlightId** Unique ID for each flight. - **InternalFailureResult** Indicates a non-fatal error from a plugin. +- **NumberOfHops** Number of intermediate packages used to reach target version. - **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). - **PackageCategoriesSkipped** Indicates package categories that were skipped, if applicable. - **PackageCountOptional** Number of optional packages requested. - **PackageCountRequired** Number of required packages requested. - **PackageCountTotal** Total number of packages needed. +- **PackageCountTotalBundle** Total number of bundle packages. - **PackageCountTotalCanonical** Total number of canonical packages. - **PackageCountTotalDiff** Total number of diff packages. - **PackageCountTotalExpress** Total number of express packages. 
@@ -5979,6 +6071,19 @@ The following fields are available: - **totalCpuUtilizationPercent** A snapshot of the total CPU utilization of the machine running this gateway. +### Microsoft.ServerManagementExperience.Gateway.Service.ManagedNodeProperties + +This is a periodic rundown event that contains more detailed information about the nodes added to this Windows Admin Center gateway for management. + +The following fields are available: + +- **nodeId** Constructed from nodeTypeId concatenated with the hostname or IP address that gateway uses to connecting to this node. +- **nodeOperatingSystem** A user friendly description of the node's OS version. +- **nodeOSVersion** A major or minor build version string for the node's OS. +- **nodeTypeId** A string that distinguishes between a connection target, whether it is a client, server, cluster or a hyper-converged cluster. +- **otherProperties** Contains a JSON object with variable content and may contain: "nodes": a list of host names or IP addresses of the servers belonging to a cluster, "aliases": the alias if it is set for this connection, "lastUpdatedTime": the number of milliseconds since Unix epoch when this connection was last updated, "ncUri", "caption", "version", "productType", "networkName", "operatingSystem", "computerManufacturer", "computerModel", "isS2dEnabled". This JSON object is formatted as an quotes-escaped string. + + ## Windows as a Service diagnostic events ### Microsoft.Windows.WaaSMedic.DetectionFailed @@ -6052,7 +6157,7 @@ The following fields are available: ### Microsoft.Windows.Sense.Client.PerformanceScript.OnboardingScript -This event is triggered whenever Microsoft Defender for Endpoint onboarding script is run. The data collected with this event is used to keep Windows performing properly. +This event is triggered whenever WDATP onboarding script is run. The data collected with this event is used to keep Windows performing properly. The following fields are available: 
@@ -6584,6 +6689,7 @@ The following fields are available: - **cdnUrl** Url of the source Content Distribution Network (CDN). - **congestionPrevention** Indicates a download may have been suspended to prevent network congestion. - **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. +- **doErrorCode** The Delivery Optimization error code that was returned. - **downlinkBps** The maximum measured available download bandwidth (in bytes per second). - **downlinkUsageBps** The download speed (in bytes per second). - **downloadMode** The download mode used for this file download session. @@ -6667,6 +6773,7 @@ The following fields are available: - **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). - **diceRoll** Random number used for determining if a client will use peering. - **doClientVersion** The version of the Delivery Optimization client. +- **doErrorCode** The Delivery Optimization error code that was returned. - **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). - **downloadModeReason** Reason for the download. - **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). @@ -6992,6 +7099,7 @@ The following fields are available: - **applicableUpdateList** The list of available updates. - **durationInSeconds** The amount of time (in seconds) it took for the event to run. - **expeditedMode** Indicates whether Expedited Mode is on. +- **networkCostPolicy** The network cost. - **scanTriggerSource** Indicates whether the scan is Interactive or Background. - **scenario** The result code of the event. - **scenarioReason** The reason for the result code (scenario). 
@@ -7034,6 +7142,23 @@ The following fields are available: - **wuDeviceid** Unique device ID used by Windows Update. +### Microsoft.Windows.Update.Orchestrator.EscalationRiskLevels + +This event is sent during update scan, download, or install, and indicates that the device is at risk of being out-of-date. The data collected with this event is used to help keep Windows secure and up to date. + +The following fields are available: + +- **configVersion** The escalation configuration version on the device. +- **downloadElapsedTime** Indicates how long since the download is required on device. +- **downloadRiskLevel** At-risk level of download phase. +- **installElapsedTime** Indicates how long since the install is required on device. +- **installRiskLevel** The at-risk level of install phase. +- **isSediment** Assessment of whether is device is at risk. +- **scanElapsedTime** Indicates how long since the scan is required on device. +- **scanRiskLevel** At-risk level of the scan phase. +- **wuDeviceid** Device ID used by Windows Update. + + ### Microsoft.Windows.Update.Orchestrator.FailedToAddTimeTriggerToScanTask This event indicated that USO failed to add a trigger time to a task. The data collected with this event is used to help keep Windows secure and up to date. 
@@ -7221,6 +7346,17 @@ The following fields are available: - **wuDeviceid** Unique device ID controlled by the software distribution client. +### Microsoft.Windows.Update.Orchestrator.UpdaterMalformedData + +This event is sent when a registered updater has missing or corrupted information, to help keep Windows up to date. + +The following fields are available: + +- **malformedRegValue** The registry value that contains the malformed or missing entry. +- **updaterId** The ID of the updater. +- **wuDeviceid** Unique device ID used by Windows Update. + + ### Microsoft.Windows.Update.Ux.MusNotification.EnhancedEngagedRebootUxState This event sends information about the configuration of Enhanced Direct-to-Engaged (eDTE), which includes values for the timing of how eDTE will progress through each phase of the reboot. The data collected with this event is used to help keep Windows secure and up to date. 
@@ -7338,6 +7474,27 @@ The following fields are available: - **WuId** Unique ID for the Windows Update client. +### Mitigation360Telemetry.MitigationCustom.CryptcatsvcRebuild + +This event sends data specific to the CryptcatsvcRebuild mitigation used for OS Updates. The data collected with this event is used to help keep Windows up to date. + +The following fields are available: + +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightId** The unique identifier for each flight. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationNeeded** Information on whether the mitigation was needed. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. +- **ServiceDisabled** Information on whether the service was disabled. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each Update. +- **WuId** Unique ID for the Windows Update client. + + ### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates. The data collected with this event is used to help keep Windows secure and up to date. 
@@ -7359,29 +7516,6 @@ The following fields are available: - **UpdateId** Unique ID for each Update. - **WuId** Unique ID for the Windows Update client. -### wilActivity - -This event provides a Windows Internal Library context used for Product and Service diagnostics. The data collected with this event is used to help keep Windows up to date. - -The following fields are available: - -- **callContext** The function where the failure occurred. -- **currentContextId** The ID of the current call context where the failure occurred. -- **currentContextMessage** The message of the current call context where the failure occurred. -- **currentContextName** The name of the current call context where the failure occurred. -- **failureCount** The number of failures for this failure ID. -- **failureId** The ID of the failure that occurred. -- **failureType** The type of the failure that occurred. -- **fileName** The file name where the failure occurred. -- **function** The function where the failure occurred. -- **hresult** The HResult of the overall activity. -- **lineNumber** The line number where the failure occurred. -- **message** The message of the failure that occurred. -- **module** The module where the failure occurred. -- **originatingContextId** The ID of the originating call context that resulted in the failure. -- **originatingContextMessage** The message of the originating call context that resulted in the failure. -- **originatingContextName** The name of the originating call context that resulted in the failure. -- **threadId** The ID of the thread on which the activity is executing. ## Windows Update Reserve Manager events 
@@ -7556,6 +7690,42 @@ The following fields are available: This event signals the completion of the setup process. It happens only once during the first logon. + + +## XBOX events + +### Microsoft.Xbox.EraControl.EraVmTerminationReason + +This event is triggered on ERA VM termination. + +The following fields are available: + +- **pfn** A package full name. +- **reasonNumber** A number associated with reason. + + +### Microsoft.Xbox.UpdateManager.TaskSuccess + +No content is currently available. + +The following fields are available: + +- **BeginUpdateFlags** No content is currently available. +- **CDNIdentifier** No content is currently available. +- **CDNInfo** No content is currently available. +- **ComboPolicy** No content is currently available. +- **ContentId** No content is currently available. +- **HighwindInfo** No content is currently available. +- **InstallId** No content is currently available. +- **LastCheckTime** No content is currently available. +- **LastResult** No content is currently available. +- **MSEdgeRef** No content is currently available. +- **PowerMode** No content is currently available. +- **RemoteAddress** No content is currently available. +- **SourceVersionId** No content is currently available. +- **TargetVersionId** No content is currently available. + + ## XDE events ### Microsoft.Emulator.Xde.RunTime.SystemReady
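Review bot: In the hunk at @@ -1638,7 +1652,7, the new **OSInstallType** line drops the period after "etc", so the description now ends without sentence punctuation while the neighbouring bullets end with a period. Nothing else in the line changes, so this looks like an accidental regression; keep the removed wording ("reset, etc.").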
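Review bot: In the hunk at @@ -1786,7 +1800,7, the replacement **DefaultApp** line introduces a typo, "current uer's", where the removed line read "current user's". The rest of the line is identical, so the hunk should be dropped or the spelling restored.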
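Review bot: The new InventoryMiscellaneousMemorySlotArrayInfoRemove text at @@ -3463,11 +3465,19 links to [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange), but the hunk at @@ -2098,18 +2112,6 deletes the "## Common data fields" section that holds that heading. If both hunks apply to the same file, the in-page anchor no longer has a target and readers lose the list of fields (action, inventoryId, objectInstanceId, objectType) that the Remove event claims to include. Either keep the Common data fields section or point the link at a file that still defines it. The added event is also followed by three blank lines where the surrounding sections use two.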
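Review bot: In the five hunks that add **experimentation_mode** (@@ -3939,6 +3949,7, @@ -3966,6 +3977,7, @@ -3993,6 +4005,7, @@ -4020,6 +4033,7 and @@ -4120,6 +4134,7), the description says only "A number representing the value set" for the policy and sends the reader to an external page to learn what the numbers mean. For a privacy reference it would help to list the possible values inline, as the adjacent **installSource** bullet does. The link is also a bare URL with a hard-coded "en-us" locale; a Markdown link without the locale segment would match how other cross-references in these files are written.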
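Review bot: In the BatteryInfoEvent hunk at @@ -4361,6 +4376,23, several field names look like extraction residue rather than real field names: **batteryData.data()** and **batteryInfo.data()** read as code expressions, and **BatteryDataSize:** and **BatteryInfoSize:** carry a trailing colon inside the bold name. Five of the seven fields share the identical description "Battery performance data.", which does not tell an administrator how batteryData, pszBatteryDataXml and szBatteryInfo differ or what they can contain. Please confirm the field names against the event manifest and give each field a distinguishing description.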
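Review bot: In the two ExpediteUpdater hunks (@@ -5071,6 +5103,24 and @@ -5087,6 +5137,22), the field descriptions write "ubr" and "policy id" in lower case while the event summary in the same hunk uses "UBR", and neither hunk expands the abbreviation. **ExpediteResult** is described as "Boolean value for success or failure" without saying which value means success. Suggest consistent capitalisation (UBR, policy ID) and stating the meaning of true.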
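Review bot: In the hunk at @@ -5306,6 +5384,17, the event name UpdateHealthToolsServiceBlockedByNoDSSJoin refers to a DSS join, but the added summary says it is "sent when the device is not joined to AAD". The trailing context for UpdateHealthToolsServiceIsDSSJoin talks about a "DSS device", so the two descriptions use different terms for what appears to be the same condition. Please state which condition actually triggers the event and use one term. In the preceding hunk on the same line (@@ -5195,6 +5261,18), **PackageVersion** is described as "The package version of the label", which inverts the "The package version label" wording used by the other UpdateHealthTools events in this patch.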
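Review bot: The ManagedNodeProperties section added at @@ -5979,6 +6071,19 has no purpose sentence, unlike the other events added in this patch ("The data collected with this event is used to ..."). That matters here because **nodeId** and **otherProperties** are documented as carrying host names or IP addresses of managed servers and cluster members, plus network name and computer model. Please add the purpose statement and say whether those values are sent as-is. Wording fixes in the same hunk: "uses to connecting to this node" should be "uses to connect to this node", and "an quotes-escaped string" should be "a quote-escaped string".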
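Review bot: In the hunk at @@ -6052,7 +6157,7, the OnboardingScript summary changes "Microsoft Defender for Endpoint onboarding script" to "WDATP onboarding script". The replacement is an unexpanded abbreviation and moves away from the product name the removed line used. Unless the older name is intended for this version's file, keep the removed wording, or expand the abbreviation on first use.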
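Review bot: In the EscalationRiskLevels hunk at @@ -7034,6 +7142,23, **isSediment** reads "Assessment of whether is device is at risk", which should be "whether the device is at risk". The three elapsed-time fields (downloadElapsedTime, installElapsedTime, scanElapsedTime) give no unit, and the three risk-level fields give no value range, so a reader cannot interpret the numbers. Please add the unit and the possible levels.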
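Review bot: In the UpdaterMalformedData hunk at @@ -7221,6 +7346,17, **malformedRegValue** is described as "The registry value that contains the malformed or missing entry", which leaves open whether the event sends the name of the registry value or its data. For a privacy reference that distinction should be explicit. The summary also ends "to help keep Windows up to date" without the "The data collected with this event is used ..." sentence the neighbouring events use.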
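Review bot: In the CryptcatsvcRebuild hunk at @@ -7338,6 +7474,27, **InstanceId** reads "identifies each instances of setuphost.exe"; it should be "each instance". The summary says "OS Updates" while the FixAppXReparsePoints context line directly below uses "OS updates", and it ends "help keep Windows up to date" where the sibling event says "secure and up to date". Aligning both would keep the Mitigation360 entries consistent.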
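Review bot: The hunk at @@ -7359,29 +7516,6 deletes the whole wilActivity section (17 documented fields, including fileName, function, message and module), and the commit subject "update to privacy events" gives no reason. If the event is still emitted on this Windows version, removing it leaves the reference incomplete. Please confirm it is no longer collected or is documented elsewhere, and say so in the commit message.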
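Review bot: In the XBOX events hunk at @@ -7556,6 +7690,42, Microsoft.Xbox.UpdateManager.TaskSuccess is published with "No content is currently available." as its summary and as the description of all 14 fields. That placeholder documents nothing, and some of the field names (**RemoteAddress**, **CDNInfo**, **MSEdgeRef**) suggest network-identifying data that readers of a privacy reference will want explained. Hold this event back until real descriptions exist. EraVmTerminationReason in the same hunk also lacks the purpose sentence, and "A number associated with reason" does not say what the numbers mean.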