diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index eb68a9f921..6ac2e03625 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,11 +1,56 @@
 {
 "redirections": [
 {
+"source_path": "browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md",
+"redirect_url": "https://docs.microsoft.com/en-us/microsoft-edge/deploy/emie-to-improve-compatibility",
+"redirect_document_id": true
+},
+{
+"source_path": "browsers/edge/emie-to-improve-compatibility.md",
+"redirect_url": "https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/deployment/update/windows-update-sources.md",
+"redirect_url": "/windows/deployment/update/how-windows-update-works",
+"redirect_document_id": true
+},
+{
+"source_path": "browsers/edge/hardware-and-software-requirements.md",
+"redirect_url": "https://docs.microsoft.com/en-us/microsoft-edge/deploy/about-microsoft-edge",
+"redirect_document_id": true
+},
+{
+"source_path": "browsers/edge/security-enhancements-microsoft-edge.md",
+"redirect_url": "https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/security-privacy-management-gp",
+"redirect_document_id": true
+},
+{
+"source_path": "browsers/edge/new-policies.md",
+"redirect_url": "https://docs.microsoft.com/en-us/microsoft-edge/deploy/change-history-for-microsoft-edge",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/security/threat-protection/intelligence/av-tests.md",
 "redirect_url": "/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests",
 "redirect_document_id": true
 },
 {
+"source_path": "windows/security/information-protection/bitlocker/protect-bitlocker-from-pre-boot-attacks.md",
+"redirect_url": "/windows/security/information-protection/bitlocker/bitlocker-countermeasures",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md",
+"redirect_url": "/windows/security/information-protection/bitlocker/bitlocker-countermeasures",
+"redirect_document_id": false
+},
+{
+"source_path": "windows/security/information-protection/bitlocker/choose-the-right-bitlocker-countermeasure.md",
+"redirect_url": "/windows/security/information-protection/bitlocker/bitlocker-countermeasures",
+"redirect_document_id": false
+},
+{
 "source_path": "windows/security/threat-protection/intelligence/transparency-report.md",
 "redirect_url": "/windows/security/threat-protection/intelligence/av-tests",
 "redirect_document_id": true
@@ -6841,6 +6886,11 @@
 "redirect_document_id": true
 },
 {
+"source_path": "windows/configuration/start-taskbar-lockscreen.md",
+"redirect_url": "/windows/configuration/windows-10-start-layout-options-and-policies",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/configure/stop-employees-from-using-the-windows-store.md",
 "redirect_url": "/windows/configuration/stop-employees-from-using-the-windows-store",
 "redirect_document_id": true
@@ -13742,7 +13792,7 @@
 },
 {
 "source_path": "windows/privacy/basic-level-windows-diagnostic-events-and-fields.md",
-"redirect_url": "/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803",
+"redirect_url": "/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809",
 "redirect_document_id": true
 },
 {
@@ -13809,6 +13859,6 @@
 "source_path": "education/windows/windows-automatic-redeployment.md",
 "redirect_url": "/education/windows/autopilot-reset",
 "redirect_document_id": true
-},
+}
 ]
 }
diff --git a/browsers/edge/TOC.md b/browsers/edge/TOC.md
index 15060d33b4..304c8bd604 100644
--- a/browsers/edge/TOC.md
+++ b/browsers/edge/TOC.md
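Review bot: The first added entry in the `@@ -1,11 +1,56 @@` hunk of .openpublishing.redirection.json sends `enterprise-guidance-using-microsoft-edge-and-ie11.md` to `.../microsoft-edge/deploy/emie-to-improve-compatibility`, a page that the very next entry appears to redirect again, so readers of the retired guidance take two hops. Assuming `browsers/edge/` publishes under `/microsoft-edge/deploy/` (the other Edge entries in this hunk suggest so), point it at the final target instead: `"redirect_url": "https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp",`. The six Edge entries also hard-code the host and the `en-us` locale while the rest of the file uses site-relative paths; if an absolute URL is required for these targets, confirm that `"redirect_document_id": true` is honoured for them, otherwise set it to `false` as the two later BitLocker entries do.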
@@ -2,31 +2,27 @@ ## [System requirements and supported languages](about-microsoft-edge.md) -## [Use Enterprise Mode to improve compatibility](emie-to-improve-compatibility.md) - -## [(Preview) New Microsoft Edge Group Policies and MDM settings](new-policies.md) - -## [(Preview) Deploy Microsoft Edge kiosk mode](microsoft-edge-kiosk-mode-deploy.md) +## [Deploy Microsoft Edge kiosk mode](microsoft-edge-kiosk-mode-deploy.md) ## [Group policies & configuration options](group-policies/index.yml) -### [All group policies](available-policies.md) -### [Address bar settings](group-policies/address-bar-settings-gp.md) -### [Adobe settings](group-policies/adobe-settings-gp.md) -### [Books Library management](group-policies/books-library-management-gp.md) -### [Browser settings management](group-policies/browser-settings-management-gp.md) -### [Developer settings](group-policies/developer-settings-gp.md) -### [Extensions management](group-policies/extensions-management-gp.md) -### [Favorites management](group-policies/favorites-management-gp.md) -### [Home button settings](group-policies/home-button-gp.md) -### [Interoperability and enterprise guidance](group-policies/interoperability-enterprise-guidance-gp.md) -### [New tab page settings](group-policies/new-tab-page-settings-gp.md) +### [Address bar](group-policies/address-bar-settings-gp.md) +### [Adobe Flash](group-policies/adobe-settings-gp.md) +### [Books Library](group-policies/books-library-management-gp.md) +### [Browser experience](group-policies/browser-settings-management-gp.md) +### [Developer tools](group-policies/developer-settings-gp.md) +### [Extensions](group-policies/extensions-management-gp.md) +### [Favorites](group-policies/favorites-management-gp.md) +### [Home button](group-policies/home-button-gp.md) +### [Interoperability and enterprise mode guidance](group-policies/interoperability-enterprise-guidance-gp.md) +### [Kiosk mode deployment in Microsoft Edge](microsoft-edge-kiosk-mode-deploy.md) +### [New 
Tab page](group-policies/new-tab-page-settings-gp.md) ### [Prelaunch Microsoft Edge and preload tabs](group-policies/prelaunch-preload-gp.md) ### [Search engine customization](group-policies/search-engine-customization-gp.md) -### [Security and privacy management](group-policies/security-privacy-management-gp.md) -### [Start pages settings](group-policies/start-pages-gp.md) -### [Sync browser settings](group-policies/sync-browser-settings-gp.md) +### [Security and privacy](group-policies/security-privacy-management-gp.md) +### [Start page](group-policies/start-pages-gp.md) +### [Sync browser](group-policies/sync-browser-settings-gp.md) ### [Telemetry and data collection](group-policies/telemetry-management-gp.md) - +### [All group policies](available-policies.md) ## [Change history for Microsoft Edge](change-history-for-microsoft-edge.md) diff --git a/browsers/edge/about-microsoft-edge.md b/browsers/edge/about-microsoft-edge.md index 60c5343bac..974364ebb1 100644 --- a/browsers/edge/about-microsoft-edge.md +++ b/browsers/edge/about-microsoft-edge.md @@ -8,7 +8,7 @@ ms.mktglfcycl: general ms.sitesec: library title: Microsoft Edge for IT Pros ms.localizationpriority: medium -ms.date: 07/29/2018 +ms.date: 10/02/2018 --- # Microsoft Edge system and language requirements @@ -21,7 +21,6 @@ Microsoft Edge is the new, default web browser for Windows 10, helping you to e >The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don’t include Microsoft Edge or many other Universal Windows Platform (UWP) apps. Systems running the LTSB operating systems do not support these apps because their services get frequently updated with new functionality. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. - ## Minimum system requirements Some of the components might also need additional system resources. Check the component's documentation for more information. 
diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md
index f21ac4a827..93f763fc07 100644
--- a/browsers/edge/available-policies.md
+++ b/browsers/edge/available-policies.md
@@ -1,39 +1,38 @@ --- -description: Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. +description: You can customize your organization’s browser settings in Microsoft Edge with Group Policy or Microsoft Intune, or other MDM service. When you do this, you set the policy once and then copy it onto many computers—that is, touch once, configure many. ms.assetid: 2e849894-255d-4f68-ae88-c2e4e31fa165 author: shortpatti ms.author: pashort -manager: elizapo +manager: dougkim ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros) ms.localizationpriority: medium -ms.date: 07/20/2018 +ms.date: 10/02/2018 --- # Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge -> Applies to: Windows 10, Windows 10 Mobile +> Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile -Set up a policy setting once and then copy that setting onto many computers. +You can customize your organization’s browser settings in Microsoft Edge with Group Policy or Microsoft Intune, or other MDM service. When you do this, you set the policy once and then copy it onto many computers—that is, touch once, configure many. For example, you can set up multiple security settings in a Group Policy Object (GPO) linked to a domain, and then apply those settings to every computer in the domain. +Other policy settings in Microsoft Edge include allowing Adobe Flash content to play automatically, provision a favorites list, set default search engine, and more. You configure a Group Policy setting in the Administrative Templates folders, which are registry-based policy settings that Group Policy enforces. Group Policy stores these settings in a specific registry location, which users cannot change. 
Also, Group Policy-aware Windows features and applications look for these settings in the registry, and if found the policy setting gets used instead of the regular settings. +**_You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor:_** + +      *Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\* -Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. +When you edit a Group Policy setting, you have the following configuration options: -By using Group Policy and Intune, you can set up a policy setting once, and then copy that setting onto many computers. For example, you can set up multiple security settings in a GPO that is linked to a domain, and then apply all of those settings to every computer in the domain. +• Enabled - writes the policy setting to the registry with a value that enables it. +• Disabled - writes the policy setting to the registry with a value that disables it. +• Not configured leaves the policy setting undefined. Group Policy does not write the policy setting to the registry and has no impact on computers or users. -> [!NOTE] -> For more info about the tools you can use to change your Group Policy objects, see the Internet Explorer 11 topics, [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921), [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922), [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923), and [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924). 
+Some policy settings have additional options you can configure. For example, if you want to set the default search engine, set the Start page, or configure the Enterprise Mode Site List, you would type the URL. - ->*You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor:* -> ->      *Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\* -

- ## Allow a shared books folder [!INCLUDE [allow-shared-folder-books-include.md](includes/allow-shared-folder-books-include.md)] @@ -61,15 +60,33 @@ By using Group Policy and Intune, you can set up a policy setting once, and then ## Allow Extensions [!INCLUDE [allow-extensions-include.md](includes/allow-extensions-include.md)] +## Allow fullscreen mode +[!INCLUDE [allow-full-screen-include](includes/allow-full-screen-include.md)] + ## Allow InPrivate browsing [!INCLUDE [allow-inprivate-browsing-include.md](includes/allow-inprivate-browsing-include.md)] ## Allow Microsoft Compatibility List [!INCLUDE [allow-microsoft-compatibility-list-include.md](includes/allow-microsoft-compatibility-list-include.md)] +## Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed +[!INCLUDE [allow-prelaunch-include](includes/allow-prelaunch-include.md)] + +## Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed +[!INCLUDE [allow-tab-preloading-include](includes/allow-tab-preloading-include.md)] + +## Allow printing +[!INCLUDE [allow-printing-include.md](includes/allow-printing-include.md)] + +## Allow Saving History +[!INCLUDE [allow-saving-history-include.md](includes/allow-saving-history-include.md)] + ## Allow search engine customization [!INCLUDE [allow-search-engine-customization-include.md](includes/allow-search-engine-customization-include.md)] +## Allow sideloading of Extensions +[!INCLUDE [allow-sideloading-extensions-include.md](includes/allow-sideloading-extensions-include.md)] + ## Allow web content on New Tab page [!INCLUDE [allow-web-content-new-tab-page-include.md](includes/allow-web-content-new-tab-page-include.md)] 
@@ -82,6 +99,9 @@ By using Group Policy and Intune, you can set up a policy setting once, and then ## Configure Autofill [!INCLUDE [configure-autofill-include.md](includes/configure-autofill-include.md)] +## Configure collection of browsing data for Microsoft 365 Analytics +[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](includes/configure-browser-telemetry-for-m365-analytics-include.md)] + ## Configure cookies [!INCLUDE [configure-cookies-include.md](includes/configure-cookies-include.md)] @@ -91,6 +111,21 @@ By using Group Policy and Intune, you can set up a policy setting once, and then ## Configure Favorites [!INCLUDE [configure-favorites-include.md](includes/configure-favorites-include.md)] +## Configure Favorites Bar +[!INCLUDE [configure-favorites-bar-include.md](includes/configure-favorites-bar-include.md)] + +## Configure Home Button +[!INCLUDE [configure-home-button-include.md](includes/configure-home-button-include.md)] + +## Configure kiosk mode +[!INCLUDE [configure-microsoft-edge-kiosk-mode-include.md](includes/configure-microsoft-edge-kiosk-mode-include.md)] + +## Configure kiosk reset after idle timeout +[!INCLUDE [configure-edge-kiosk-reset-idle-timeout-include.md](includes/configure-edge-kiosk-reset-idle-timeout-include.md)] + +## Configure Open Microsoft Edge With +[!INCLUDE [configure-open-edge-with-include.md](includes/configure-open-edge-with-include.md)] + ## Configure Password Manager [!INCLUDE [configure-password-manager-include.md](includes/configure-password-manager-include.md)] 
@@ -133,6 +168,9 @@ By using Group Policy and Intune, you can set up a policy setting once, and then ## Prevent bypassing Windows Defender SmartScreen prompts for sites [!INCLUDE [prevent-bypassing-win-defender-sites-include.md](includes/prevent-bypassing-win-defender-sites-include.md)] +## Prevent certificate error overrides +[!INCLUDE [prevent-certificate-error-overrides-include.md](includes/prevent-certificate-error-overrides-include.md)] + ## Prevent changes to Favorites on Microsoft Edge [!INCLUDE [prevent-changes-to-favorites-include.md](includes/prevent-changes-to-favorites-include.md)] @@ -142,6 +180,12 @@ By using Group Policy and Intune, you can set up a policy setting once, and then ## Prevent the First Run webpage from opening on Microsoft Edge [!INCLUDE [prevent-first-run-webpage-open-include.md](includes/prevent-first-run-webpage-open-include.md)] +## Prevent turning off required extensions +[!INCLUDE [prevent-turning-off-required-extensions-include.md](includes/prevent-turning-off-required-extensions-include.md)] + +## Prevent users from turning on browser syncing +[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](includes/prevent-users-to-turn-on-browser-syncing-include.md)] + ## Prevent using Localhost IP address for WebRTC [!INCLUDE [prevent-localhost-address-for-webrtc-include.md](includes/prevent-localhost-address-for-webrtc-include.md)] 
@@ -154,10 +198,23 @@ By using Group Policy and Intune, you can set up a policy setting once, and then ## Set default search engine [!INCLUDE [set-default-search-engine-include.md](includes/set-default-search-engine-include.md)] +## Set Home Button URL +[!INCLUDE [set-home-button-url-include](includes/set-home-button-url-include.md)] + +## Set New Tab page URL +[!INCLUDE [set-new-tab-url-include.md](includes/set-new-tab-url-include.md)] + ## Show message when opening sites in Internet Explorer -[!INCLUDE [show-message-opening-sites-ie-include.md](includes/show-message-opening-sites-ie-include.md)] +[!INCLUDE [show-message-opening-sites-ie-include](includes/show-message-opening-sites-ie-include.md)] + +## Unlock Home Button +[!INCLUDE [unlock-home-button-include.md](includes/unlock-home-button-include.md)] ## Related topics -* [Mobile Device Management (MDM) settings]( https://go.microsoft.com/fwlink/p/?LinkId=722885) +- [Mobile Device Management (MDM) settings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-configuration-service-provider) +- [Group Policy and the Group Policy Management Console (GPMC)](https://go.microsoft.com/fwlink/p/?LinkId=617921) +- [Group Policy and the Local Group Policy Editor](https://go.microsoft.com/fwlink/p/?LinkId=617922) +- [Group Policy and the Advanced Group Policy Management (AGPM)](https://go.microsoft.com/fwlink/p/?LinkId=617923) +- [Group Policy and Windows PowerShell](https://go.microsoft.com/fwlink/p/?LinkId=617924). \ No newline at end of file diff --git a/browsers/edge/change-history-for-microsoft-edge.md b/browsers/edge/change-history-for-microsoft-edge.md index 2af18fcf6f..e008145cec 100644 --- a/browsers/edge/change-history-for-microsoft-edge.md +++ b/browsers/edge/change-history-for-microsoft-edge.md 
@@ -1,19 +1,56 @@ --- title: Change history for Microsoft Edge (Microsoft Edge for IT Pros) -description: This topic lists new and updated topics in the Microsoft Edge documentation for Windows 10 and Windows 10 Mobile. +description: Discover what's new and updated in the Microsoft Edge for both Windows 10 and Windows 10 Mobile. ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library ms.localizationpriority: medium -ms.date: '' +manager: dougkim ms.author: pashort author: shortpatti +ms.date: 10/02/2018 --- # Change history for Microsoft Edge Discover what's new and updated in the Microsoft Edge for both Windows 10 and Windows 10 Mobile. +# [2018](#tab/2018) + +## October 2018 + +The Microsoft Edge team introduces new group policies and MDM settings for Microsoft Edge on Windows 10. The new policies let you enable/disable +full-screen mode, printing, favorites bar, saving history. You can also prevent certificate error overrides, and configure the New Tab page, Home button, and startup options, as well as manage extensions. + +We have discontinued the **Configure Favorites** group policy, so use the [Provision Favorites](available-policies.md#provision-favorites) policy instead. 
+ +>>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: +>> +>>      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + + + +| **New or updated** | **Group Policy** | **Description** | +|------------|-----------------|--------------------| +| New | [Allow fullscreen mode](group-policies/browser-settings-management-gp.md#allow-fullscreen-mode) | [!INCLUDE [allow-fullscreen-mode-shortdesc](shortdesc/allow-fullscreen-mode-shortdesc.md)] | +| New | [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](group-policies/prelaunch-preload-gp.md#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed) | [!INCLUDE [allow-prelaunch-shortdesc](shortdesc/allow-prelaunch-shortdesc.md)] | +| New | [Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](group-policies/prelaunch-preload-gp.md#allow-microsoft-edge-to-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) | [!INCLUDE [allow-tab-preloading-shortdesc](shortdesc/allow-tab-preloading-shortdesc.md)] | +| New | [Allow printing](group-policies/browser-settings-management-gp.md#allow-printing) | [!INCLUDE [allow-printing-shortdesc](shortdesc/allow-printing-shortdesc.md)] | +| New | [Allow Saving History](group-policies/browser-settings-management-gp.md#allow-saving-history) | [!INCLUDE [allow-saving-history-shortdesc](shortdesc/allow-saving-history-shortdesc.md)] | +| New | [Allow sideloading of Extensions](group-policies/extensions-management-gp.md#allow-sideloading-of-extensions) | [!INCLUDE [allow-sideloading-of-extensions-shortdesc](shortdesc/allow-sideloading-of-extensions-shortdesc.md)] | +| New | [Configure collection of browsing data for Microsoft 365 
Analytics](group-policies/telemetry-management-gp.md#configure-collection-of-browsing-data-for-microsoft-365-analytics) | [!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] | +| New | [Configure Favorites Bar](group-policies/favorites-management-gp.md#configure-favorites-bar) | [!INCLUDE [configure-favorites-bar-shortdesc](shortdesc/configure-favorites-bar-shortdesc.md)] | +| New | [Configure Home Button](group-policies/home-button-gp.md#configure-home-button) | [!INCLUDE [configure-home-button-shortdesc](shortdesc/configure-home-button-shortdesc.md)] | +| New | [Configure kiosk mode](microsoft-edge-kiosk-mode-deploy.md#relevant-policies) | [!INCLUDE [configure-kiosk-mode-shortdesc](shortdesc/configure-kiosk-mode-shortdesc.md)] | +| New | [Configure kiosk reset after idle timeout](microsoft-edge-kiosk-mode-deploy.md#relevant-policies) |[!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] | +| New | [Configure Open Microsoft Edge With](group-policies/start-pages-gp.md#configure-open-microsoft-edge-with) | [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] | +| New | [Prevent certificate error overrides](group-policies/security-privacy-management-gp.md#prevent-certificate-error-overrides) | [!INCLUDE [prevent-certificate-error-overrides-shortdesc](shortdesc/prevent-certificate-error-overrides-shortdesc.md)] | +| New | [Prevent users from turning on browser syncing](group-policies/sync-browser-settings-gp.md#prevent-users-from-turning-on-browser-syncing) | [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] | +| New | [Prevent turning off required extensions](group-policies/extensions-management-gp.md#prevent-turning-off-required-extensions) | [!INCLUDE 
[prevent-turning-off-required-extensions-shortdesc](shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] | +| New | [Set Home Button URL](group-policies/home-button-gp.md#set-home-button-url) | [!INCLUDE [set-home-button-url-shortdesc](shortdesc/set-home-button-url-shortdesc.md)] | +| New | [Set New Tab page URL](group-policies/new-tab-page-settings-gp.md#set-new-tab-page-url) | [!INCLUDE [set-new-tab-url-shortdesc](shortdesc/set-new-tab-url-shortdesc.md)] | +| Updated | [Show message when opening sites in Internet Explorer](group-policies/interoperability-enterprise-guidance-gp.md#show-message-when-opening-sites-in-internet-explorer) | [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] | +| New | [Unlock Home Button](group-policies/home-button-gp.md#unlock-home-button) | [!INCLUDE [unlock-home-button-shortdesc](shortdesc/unlock-home-button-shortdesc.md)] | # [2017](#tab/2017) diff --git a/browsers/edge/emie-to-improve-compatibility.md b/browsers/edge/emie-to-improve-compatibility.md deleted file mode 100644 index dbb4851e18..0000000000 --- a/browsers/edge/emie-to-improve-compatibility.md +++ /dev/null 
@@ -1,100 +0,0 @@ ---- -description: If you're having problems with Microsoft Edge, this topic tells how to use the Enterprise Mode site list to automatically open sites using IE11. -ms.assetid: 89c75f7e-35ca-4ca8-96fa-b3b498b53bE4 -author: shortpatti -ms.author: pashort -ms.prod: edge -ms.mktglfcycl: support -ms.sitesec: library -ms.pagetype: appcompat -title: Use Enterprise Mode to improve compatibility (Microsoft Edge for IT Pros) -ms.localizationpriority: medium -ms.date: 04/15/2018 ---- - -# Use Enterprise Mode to improve compatibility - -> Applies to: Windows 10 - -If you have specific web sites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the web sites will automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work properly with Microsoft Edge, you can set all intranet sites to automatically open using IE11. - -Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. - ->[!NOTE] ->If you want to use Group Policy to set Internet Explorer as your default browser, you can find the info here, [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714). - -## Fix specific websites - -Microsoft Edge doesn't support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have websites or web apps that still use this technology and need IE11, you can add them to the Enterprise Mode site list, using the Enterprise Mode Site List Manager. - -**To add sites to your list** - -1. In the Enterprise Mode Site List Manager, click **Add**.

If you already have an existing site list, you can import it into the tool. After it's in the tool, the xml updates the list, checking **Open in IE** for each site. For info about importing the site list, see [Import your Enterprise Mode site list to the Enterprise Mode Site List Manager](https://go.microsoft.com/fwlink/p/?LinkId=618322).

![Enterprise Mode Site List Manager with Open in IE box](images/emie_open_in_ie.png) - -2. Type or paste the URL for the website that’s experiencing compatibility problems, like *<domain>*.com or *<domain>*.com/*<path>* into the **URL** box.

You don’t need to include the `http://` or `https://` designation. The tool will automatically try both versions during validation. - -3. Type any comments about the website into the **Notes about URL** box.

Administrators can only see comments while they’re in this tool. - -4. Click **Open in IE** next to the URL that should automatically open in IE11.

The path within a domain can require a different compatibility mode from the domain itself. For example, the domain might look fine in the default IE11 browser, but the path might have problems and require the use of Enterprise Mode. If you added the domain previously, your original compatibility choice is still selected. However, if the domain is new, Enterprise Mode is automatically selected. - -5. Click **Save** to validate your website and to add it to the site list for your enterprise.

If your site passes validation, it’s added to the global compatibility list. If the site doesn’t pass validation, you’ll get an error message explaining the problem. You’ll then be able to either cancel the site or ignore the validation problem and add it to your list anyway. - -6. On the **File** menu, go to where you want to save the file, and then click **Save to XML**.

You can save the file locally or to a network share. However, you must make sure you deploy it to the location specified in your Group Policy setting. For more info, see [Turn on Enterprise Mode and use a site list](https://go.microsoft.com/fwlink/p/?LinkId=618952). - -### Set up Microsoft Edge to use the Enterprise Mode site list - -You must turn on the **Configure the Enterprise Mode Site List** Group Policy setting before Microsoft Edge can use the Enterprise Mode site list. This Group Policy applies to both Microsoft Edge and IE11, letting Microsoft Edge switch to IE11 as needed, based on the Enterprise Mode site list. For more info about IE11 and Enterprise Mode, see [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377). - -> **Note**
-> If there’s an .xml file in the cache container, IE waits 65 seconds and then checks the local cache for a newer version of the file from the server, based on standard caching rules. If the server file has a different version number than the version in the cache container, the server file is used and stored in the cache container.

If you’re already using a site list, enterprise mode continues to work during the 65 second wait; it just uses your existing site list instead of your new one. - -**To turn on Enterprise Mode using Group Policy** - -1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Configure the Enterprise Mode Site List** policy.

Turning this setting on also requires you to create and store a site list.

![Local Group Policy Editor for using a site list](images/edge-emie-grouppolicysitelist.png) - -2. Click **Enabled**, and then in the **Options** area, type the location to your site list. - -3. Refresh your policy in your organization and then view the affected sites in Microsoft Edge.

The site shows a message in Microsoft Edge, saying that the page needs IE. At the same time, the page opens in IE11; in a new frame if it's not yet running, or in a new tab if it is. - -**To turn on Enterprise Mode using the registry** - -1. **To turn on Enterprise Mode for all users on the PC:** Open a registry editor, like regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\MicrosoftEdge\Main\EnterpriseMode`. - -2. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file. For example:

![Enterprise mode with site list in the registry](images/edge-emie-registrysitelist.png) - - - **HTTP location**: *“SiteList”=”http://localhost:8080/sites.xml”* - - - **Local network**: *"SiteList"="\\\network\\shares\\sites.xml"* - - - **Local file**: *"SiteList"="file:///c:/Users/<username>/Documents/testList.xml"* - - All of your managed devices must have access to this location if you want them to be able to access and use Enterprise Mode and your site list. - - - -3. Refresh your policy in your organization and then view the affected sites in Microsoft Edge.

The site shows a message in Microsoft Edge, saying that the page needs IE. At the same time, the page opens in IE11; in a new frame if it's not yet running, or in a new tab if it is. - -## Fix your intranet sites - -You can add the **Send all intranet traffic over to Internet Explorer** Group Policy setting for Windows 10 so that all of your intranet sites open in IE11. This means that even if your employees are using Microsoft Edge, they will automatically switch to IE11 while viewing the intranet. - -> **Note**
-> If you want to use Group Policy to set IE as the default browser for Internet sites, you can find the info here, [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714). - -**To turn on Sends all intranet traffic over to Internet Explorer using Group Policy** - -1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Microsoft Edge\Sends all intranet traffic over to Internet Explorer` setting. - - ![Local Group Policy Editor with setting to send all intranet traffic to IE11](images/sendintranettoie.png) - -2. Click **Enabled**. - -3. Refresh your policy in your organization and then view the affected sites in Microsoft Edge.

The site shows a message in Microsoft Edge, saying that the page needs IE. At the same time, the page opens in IE11; in a new frame if it's not yet running, or in a new tab if it is. - -## Related topics -* [Blog: How Microsoft Edge and Internet Explorer 11 on Windows 10 work better together in the Enterprise](https://go.microsoft.com/fwlink/p/?LinkID=624035) -* [Enterprise Mode Site List Manager for Windows 7 and Windows 8.1 download](https://go.microsoft.com/fwlink/p/?LinkId=394378) -* [Enterprise Mode Site List Manager for Windows 10 download](https://go.microsoft.com/fwlink/?LinkId=746562) -* [Enterprise Mode for Internet Explorer 11 (IE11)](https://go.microsoft.com/fwlink/p/?linkid=618377) -* [Set the default browser using Group Policy]( https://go.microsoft.com/fwlink/p/?LinkId=620714) -  diff --git a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md b/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md deleted file mode 100644 index 352bb35dff..0000000000 --- a/browsers/edge/enterprise-guidance-using-microsoft-edge-and-ie11.md +++ /dev/null 
@@ -1,59 +0,0 @@ ---- -title: Microsoft Edge and Internet Explorer 11 (Microsoft Edge for IT Pros) -description: Enterprise guidance for using Microsoft Edge and Internet Explorer 11. -author: shortpatti -ms.prod: edge -ms.mktglfcycl: support -ms.sitesec: library -ms.pagetype: appcompat -ms.localizationpriority: medium -ms.date: 10/16/2017 ---- - -# Browser: Microsoft Edge and Internet Explorer 11 -**Microsoft Edge content applies to:** - -- Windows 10 -- Windows 10 Mobile - -**Internet Explorer 11 content applies to:** - -- Windows 10 - -## Enterprise guidance -Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, if you're running web apps that need ActiveX controls, we recommend that you continue to use Internet Explorer 11 for them. If you don't have IE11 installed anymore, you can download it from the Microsoft Store or from the [Internet Explorer 11 download page](https://go.microsoft.com/fwlink/p/?linkid=290956). - -We also recommend that you upgrade to IE11 if you're running any earlier versions of Internet Explorer. IE11 is supported on Windows 7, Windows 8.1, and Windows 10. So any legacy apps that work with IE11 will continue to work even as you migrate to Windows 10. - -If you're having trouble deciding whether Microsoft Edge is good for your organization, you can take a look at this infographic about the potential impact of using Microsoft Edge in an organization. - -![Microsoft Edge infographic](images/microsoft-edge-infographic-sm.png)
-[Click to enlarge](img-microsoft-edge-infographic-lg.md)
-[Click to download image](https://www.microsoft.com/download/details.aspx?id=53892) - -### Microsoft Edge -Microsoft Edge takes you beyond just browsing to actively engaging with the web through features like Web Note, Reading View, and Cortana. - -- **Web Note.** Microsoft Edge lets you annotate, highlight, and call things out directly on webpages. -- **Reading view.** Microsoft Edge lets you enjoy and print online articles in a distraction-free layout that's optimized for your screen size. While in reading view, you can also save webpages or PDF files to your reading list, for later viewing. -- **Cortana.** Cortana is automatically enabled on Microsoft Edge. Microsoft Edge lets you highlight words for more info and gives you one-click access to things like restaurant reservations and reviews, without leaving the webpage. -- **Compatibility and security.** Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or that are included on your Enterprise Mode Site List. You must use IE11 to run older, less secure technology, such as ActiveX controls. - -### IE11 -IE11 offers enterprises additional security, manageability, performance, backward compatibility, and modern standards support. - -- **Backward compatibility.** IE11 supports 9 document modes that include high-fidelity emulations for older versions of IE. -- **Modern web standards.** IE11 supports modern web technologies like HTML5, CSS3, and WebGL, which help to ensure today's modern websites and apps work just as well as your old, legacy websites and apps. -- **More secure.** IE11 was designed with security in mind and is more secure than older versions. Using security features like SmartScreen and Enhanced Protected Mode can help IE11 reduce your risk. -- **Faster.** IE11 is significantly faster than previous versions of Internet Explorer, taking advantage of network optimization and hardware-accelerated text, graphics, and JavaScript rendering. 
-- **Easier migration to Windows 10.** IE11 is the only version of IE that runs on Windows 7, Windows 8.1, and Windows 10. Upgrading to IE11 on Windows 7 can also help your organization support the next generation of software, services, and devices. -- **Administration.** IE11 can use the Internet Explorer Administration Kit (IEAK) 11 or MSIs for deployment, and includes more than 1,600 Group Policies and preferences for granular control. - -## Related topics -- [Total Economic Impact of Microsoft Edge: Infographic](https://www.microsoft.com/download/details.aspx?id=53892) -- [Web Application Compatibility Lab Kit for Internet Explorer 11](https://technet.microsoft.com/browser/mt612809.aspx) -- [Download Internet Explorer 11](https://windows.microsoft.com/internet-explorer/download-ie) -- [Microsoft Edge - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/microsoft-edge/index) -- [Internet Explorer 11 - Deployment Guide for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/index) -- [IEAK 11 - Internet Explorer Administration Kit 11 Users Guide](https://technet.microsoft.com/itpro/internet-explorer/ie11-ieak/index) -- [Internet Explorer 11 - FAQ for IT Pros](https://technet.microsoft.com/itpro/internet-explorer/ie11-faq/faq-for-it-pros-ie11) diff --git a/browsers/edge/group-policies/address-bar-settings-gp.md b/browsers/edge/group-policies/address-bar-settings-gp.md index 39cc4f17f8..da3686718d 100644 --- a/browsers/edge/group-policies/address-bar-settings-gp.md +++ b/browsers/edge/group-policies/address-bar-settings-gp.md 
@@ -1,18 +1,26 @@ --- -title: Microsoft Edge - Address bar settings -description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result. +title: Microsoft Edge - Address bar group policies +description: Microsoft Edge, by default, shows a list of search suggestions in the address bar. You can minimize network connections from Microsoft Edge to Microsoft services, hiding the functionality of the Address bar drop-down list. services: -keywords: Don’t add or edit keywords without consulting your SEO champ. +keywords: +ms.localizationpriority: medium +manager: dougkim author: shortpatti ms.author: pashort -ms.date: 07/29/2018 +ms.date: 10/02/2018 ms.topic: article ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Address bar settings +# Address bar + +Microsoft Edge, by default, shows a list of search suggestions in the address bar. You can minimize network connections from Microsoft Edge to Microsoft services by hiding the functionality of the Address bar drop-down list. + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** @@ -20,4 +28,5 @@ ms.sitesec: library [!INCLUDE [allow-address-bar-suggestions-include.md](../includes/allow-address-bar-suggestions-include.md)] ## Configure search suggestions in Address bar -[!INCLUDE [configure-search-suggestions-address-bar-include.md](../includes/configure-search-suggestions-address-bar-include.md)] \ No newline at end of file +[!INCLUDE [configure-search-suggestions-address-bar-include.md](../includes/configure-search-suggestions-address-bar-include.md)] + diff --git a/browsers/edge/group-policies/adobe-settings-gp.md b/browsers/edge/group-policies/adobe-settings-gp.md index 36461a27fe..a5bcbb0ea4 100644 
--- a/browsers/edge/group-policies/adobe-settings-gp.md
+++ b/browsers/edge/group-policies/adobe-settings-gp.md
@@ -1,20 +1,29 @@ --- -title: Microsoft Edge - Adobe settings -description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result. +title: Microsoft Edge - Adobe Flash group policies +description: Adobe Flash Player still has a significant presence on the internet, such as digital ads. However, open standards, such as HTML5, provide many of the capabilities and functionalities becoming an alternative for content on the web. With Adobe no longer supporting Flash after 2020, Microsoft has started to phase out Flash from Microsoft Edge by adding the Configure the Adobe Flash Click-to-Run setting group policy giving you a way to control the list of websites that have permission to run Adobe Flash content. services: -keywords: Don’t add or edit keywords without consulting your SEO champ. +keywords: +ms.localizationpriority: medium +manager: dougkim author: shortpatti ms.author: pashort -ms.date: 07/25/2018 +ms.date: 10/02/2018 ms.topic: article ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Adobe settings +# Adobe Flash + +Adobe Flash Player still has a significant presence on the internet, such as digital ads. However, open standards, such as HTML5, provide many of the capabilities and functionalities becoming an alternative for content on the web. With Adobe no longer supporting Flash after 2020, Microsoft has started to phase out Flash from Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting](#configure-the-adobe-flash-click-to-run-setting) group policy giving you a way to control the list of websites that have permission to run Adobe Flash content. + +To learn more about Microsoft’s plan for phasing out Flash from Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash]( https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). 
+You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Allow Adobe Flash [!INCLUDE [allow-adobe-flash-include.md](../includes/allow-adobe-flash-include.md)] diff --git a/browsers/edge/group-policies/books-library-management-gp.md b/browsers/edge/group-policies/books-library-management-gp.md index 2851dafc5b..2fc892d73b 100644 --- a/browsers/edge/group-policies/books-library-management-gp.md +++ b/browsers/edge/group-policies/books-library-management-gp.md 
@@ -1,21 +1,27 @@ --- -title: Microsoft Edge - Books Library management -description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result. +title: Microsoft Edge - Books Library group policies +description: Microsoft Edge decreases the amount of storage used by book files by downloading them to a shared folder. You can also allow Microsoft Edge to update the configuration data for the library automatically. services: -keywords: Don’t add or edit keywords without consulting your SEO champ. +keywords: +ms.localizationpriority: medium +manager: dougkim author: shortpatti ms.author: pashort -ms.date: 07/25/2018 +ms.date: 10/02/2018 ms.topic: article ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Books Library management +# Books Library + +Microsoft Edge decreases the amount of storage used by book files by downloading them to a shared folder in Windows. You can configure Microsoft Edge to update the configuration data for the library automatically or gather diagnostic data, such as usage data. +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Allow a shared books folder [!INCLUDE [allow-shared-folder-books-include.md](../includes/allow-shared-folder-books-include.md)] diff --git a/browsers/edge/group-policies/browser-settings-management-gp.md b/browsers/edge/group-policies/browser-settings-management-gp.md index 213c901cfb..4cd1c73ad2 100644 --- a/browsers/edge/group-policies/browser-settings-management-gp.md +++ b/browsers/edge/group-policies/browser-settings-management-gp.md 
@@ -1,25 +1,35 @@ --- -title: Microsoft Edge - Browser settings management -description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result. +title: Microsoft Edge - Browser experience group policies +description: Not only do the other Microsoft Edge group policies enhance the browsing experience, but we must also talk about some of the most common or somewhat common browsing experiences. For example, printing web content is a common browsing experience. However, if you want to prevent users from printing web content, Microsoft Edge has a group policy that allows you to prevent printing. services: -keywords: Don’t add or edit keywords without consulting your SEO champ. +keywords: +ms.localizationpriority: medium +manager: dougkim author: shortpatti ms.author: pashort -ms.date: 07/25/2018 +ms.date: 10/02/2018 ms.topic: article ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Browser settings management +# Browser experience + +Not only do the other Microsoft Edge group policies enhance the browsing experience, but we also want to mention some of the other and common browsing experiences. For example, printing web content is a common browsing experience. However, if you want to prevent users from printing web content, Microsoft Edge has a group policy that allows you to prevent printing. The same goes for Pop-up Blocker; Microsoft Edge has a group policy that lets you prevent pop-up windows or let users choose to use Pop-up Blocker. You can use any one of the following group policies to continue enhancing the browsing experience for your users. 
+You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Allow clearing browsing data on exit [!INCLUDE [allow-clearing-browsing-data-include](../includes/allow-clearing-browsing-data-include.md)] +## Allow fullscreen mode +[!INCLUDE [allow-full-screen-include](../includes/allow-full-screen-include.md)] + ## Allow printing [!INCLUDE [allow-printing-include](../includes/allow-printing-include.md)] @@ -35,11 +45,7 @@ ms.sitesec: library ## Do not sync [!INCLUDE [do-not-sync-include](../includes/do-not-sync-include.md)] -## Do not sync browser settings -[!INCLUDE [do-not-sync-browser-settings-include](../includes/do-not-sync-browser-settings-include.md)] - -## Prevent users from turning on browser syncing -[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](../includes/prevent-users-to-turn-on-browser-syncing-include.md)] +To learn about the policies to sync the browser settings, see [Sync browser settings](sync-browser-settings-gp.md). diff --git a/browsers/edge/group-policies/developer-settings-gp.md b/browsers/edge/group-policies/developer-settings-gp.md index 9108424f87..4e2e437372 100644 --- a/browsers/edge/group-policies/developer-settings-gp.md +++ b/browsers/edge/group-policies/developer-settings-gp.md 
@@ -1,21 +1,26 @@ --- -title: Microsoft Edge - Developer settings -description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result. +title: Microsoft Edge - Developer tools +description: Microsoft Edge, by default, allows users to use the F12 developer tools as well as access the about:flags page. You can prevent users from using the F12 developer tools or from accessing the about:flags page. services: -keywords: Don’t add or edit keywords without consulting your SEO champ. +keywords: +ms.localizationpriority: medium +managre: dougkim author: shortpatti ms.author: pashort -ms.date: 07/25/2018 +ms.date: 10/02/2018 ms.topic: article ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Developer settings +# Developer tools +Microsoft Edge, by default, allows users to use the F12 developer tools as well as access the about:flags page. You can prevent users from using the F12 developer tools or from accessing the about:flags page. +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Allow Developer Tools [!INCLUDE [allow-dev-tools-include](../includes/allow-dev-tools-include.md)] diff --git a/browsers/edge/group-policies/extensions-management-gp.md b/browsers/edge/group-policies/extensions-management-gp.md index 4f12302469..577d254742 100644 --- a/browsers/edge/group-policies/extensions-management-gp.md +++ b/browsers/edge/group-policies/extensions-management-gp.md 
@@ -1,20 +1,26 @@ --- -title: Microsoft Edge - Extensions management -description: 115-145 characters including spaces. Edit the intro para describing article intent to fit here. This abstract displays in the search result. +title: Microsoft Edge - Extensions group policies +description: Currently, Microsoft Edge allows users to add or personalize, and uninstall extensions. You can prevent users from uninstalling extensions or sideloading of extensions, which does not prevent sideloading using Add-AppxPackage via PowerShell. Allowing sideloading of extensions installs and runs unverified extensions. services: -keywords: Don’t add or edit keywords without consulting your SEO champ. +keywords: +ms.localizationpriority: medium +manager: dougkim author: shortpatti ms.author: pashort -ms.date: 07/25/2018 +ms.date: 10/02/2018 ms.topic: article ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Extensions management +# Extensions +Currently, Microsoft Edge allows users to add or personalize, and uninstall extensions. You can prevent users from uninstalling extensions or sideloading of extensions, which does not prevent sideloading using Add-AppxPackage via PowerShell. Allowing sideloading of extensions installs and runs unverified extensions. +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Allow Extensions [!INCLUDE [allow-extensions-include](../includes/allow-extensions-include.md)] diff --git a/browsers/edge/group-policies/favorites-management-gp.md b/browsers/edge/group-policies/favorites-management-gp.md index e488c71611..d4fb07852c 100644 --- a/browsers/edge/group-policies/favorites-management-gp.md +++ b/browsers/edge/group-policies/favorites-management-gp.md 
@@ -1,20 +1,26 @@ --- -title: Microsoft Edge - Favorites management -description: +title: Microsoft Edge - Favorites group policies +description: Configure Microsoft Edge to either show or hide the favorites bar on all pages. Microsoft Edge hides the favorites bar by default but shows the favorites bar on the Start and New tab pages. Also, by default, the favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. services: keywords: +ms.localizationpriority: medium +manager: dougkim author: shortpatti ms.author: pashort -ms.date: 07/25/2018 +ms.date: 10/02/2018 ms.topic: article ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Favorites management +# Favorites +You can customize the favorites bar, for example, you can turn off features such as Save a Favorite and Import settings, and hide or show the favorites bar on all pages. Another customization you can make is provisioning a standard list of favorites, including folders, to appear in addition to the user’s favorites. If it’s important to keep the favorites in both IE11 and Microsoft Edge synced, you can turn on syncing where changes to the list of favorites in one browser reflect in the other. +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Configure Favorites Bar [!INCLUDE [configure-favorites-bar-include](../includes/configure-favorites-bar-include.md)] diff --git a/browsers/edge/group-policies/home-button-gp.md b/browsers/edge/group-policies/home-button-gp.md index 5d7808dfa9..a4bac9dd9a 100644 --- a/browsers/edge/group-policies/home-button-gp.md +++ b/browsers/edge/group-policies/home-button-gp.md 
@@ -1,18 +1,19 @@ --- -title: Microsoft Edge - Home button configuration options -description: Microsoft Edge shows the home button and by clicking it the Start page loads by default. +title: Microsoft Edge - Home button group policies +description: Microsoft Edge shows the home button, by default, and by clicking it the Start page loads. With the relevant Home button policies, you can configure the Home button to load the New tab page or a specific page. You can also configure Microsoft Edge to hide the home button. +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/23/2018 +ms.date: 10/02/2018 +ms.localizationpriority: medium ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Home button configuration options ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +# Home button -Microsoft Edge shows the home button and by clicking it the Start page loads by default. You can configure the Home button to load the New tab page or a URL defined in the Set Home Button URL policy. You can also configure Microsoft Edge to hide the home button. +Microsoft Edge shows the home button, by default, and by clicking it the Start page loads. With the relevant Home button policies, you can configure the Home button to load the New tab page or a specific page. You can also configure Microsoft Edge to hide the home button. ## Relevant group policies 
@@ -20,10 +21,13 @@ Microsoft Edge shows the home button and by clicking it the Start page loads by - [Set Home Button URL](#set-home-button-url) - [Unlock Home Button](#unlock-home-button) +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Configuration options -![Show home button and load Start page or New tab page](../images/home-button-start-new-tab-page-v4-sm.png) +![Show home button and load Start page or New Tab page](../images/home-button-start-new-tab-page-v4-sm.png) ![Show home button and load custom URL](../images/home-buttom-custom-url-v4-sm.png) diff --git a/browsers/edge/group-policies/index.yml b/browsers/edge/group-policies/index.yml index 1918d89136..8be9af2e9d 100644 --- a/browsers/edge/group-policies/index.yml +++ b/browsers/edge/group-policies/index.yml @@ -12,7 +12,7 @@ metadata: description: Learn how to configure group policies in Microsoft Edge on Windows 10. - text: Some of the features coming to Microsoft Edge gives you the ability to set a custom URL for the New tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. + text: Some of the features in Microsoft Edge gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. keywords: Microsoft Edge, Windows 10, Windows 10 Mobile @@ -22,7 +22,7 @@ metadata: ms.author: pashort - ms.date: 07/26/2018 + ms.date: 10/02/2018 ms.topic: article 
@@ -36,7 +36,7 @@ sections: - type: markdown - text: Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. + text: Some of the features in Microsoft Edge gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. Microsoft Edge works with Group Policy and Microsoft Intune to help you manage your organization's computer settings. Group Policy objects (GPOs) can include registry-based Administrative Template policy settings, security settings, software deployment information, scripts, folder redirection, and preferences. - items: @@ -50,17 +50,7 @@ sections: items: - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies - - html:

View all available group policies for Microsoft Edge on Windows 10.

- - image: - - src: https://docs.microsoft.com/media/common/i_policy.svg - - title: All group policies - - - href: address-bar-settings-gp + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/address-bar-settings-gp html:

Learn how you can configure Microsoft Edge to show search suggestions in the address bar.

@@ -68,7 +58,7 @@ sections: src: https://docs.microsoft.com/media/common/i_http.svg - title: Address bar settings + title: Address bar - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/adobe-settings-gp @@ -78,7 +68,7 @@ sections: src: https://docs.microsoft.com/media/common/i_setup.svg - title: Adobe Flash settings + title: Adobe Flash - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/books-library-management-gp @@ -88,7 +78,7 @@ sections: src: https://docs.microsoft.com/media/common/i_library.svg - title: Books library management + title: Books Library - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/browser-settings-management-gp @@ -98,17 +88,7 @@ sections: src: https://docs.microsoft.com/media/common/i_management.svg - title: Browser settings - - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy - - html:

Learn how Microsoft Edge kiosk mode works with assigned access to let IT administrators create a tailored browsing experience designed for kiosk devices.

- - image: - - src: https://docs.microsoft.com/media/common/i_categorize.svg - - title: Deploy Microsoft Edge kiosk mode + title: Browser experience - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/developer-settings-gp @@ -118,17 +98,7 @@ sections: src: https://docs.microsoft.com/media/common/i_config-tools.svg - title: Developer tools & settings - - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp - - html:

Learn how you use Microsoft Edge and Internet Explorer together for a full browsing experience.

- - image: - - src: https://docs.microsoft.com/media/common/i_management.svg - - title: Enterprise mode + title: Developer tools - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/extensions-management-gp @@ -138,7 +108,7 @@ sections: src: https://docs.microsoft.com/media/common/i_extensions.svg - title: Extensions management + title: Extensions - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/favorites-management-gp @@ -148,7 +118,7 @@ sections: src: https://docs.microsoft.com/media/common/i_link.svg - title: Favorites management + title: Favorites - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/home-button-gp @@ -158,17 +128,37 @@ sections: src: https://docs.microsoft.com/media/common/i_setup.svg - title: Home button settings + title: Home button + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/interoperability-enterprise-guidance-gp + + html:

Learn how you use Microsoft Edge and Internet Explorer together for a full browsing experience.

+ + image: + + src: https://docs.microsoft.com/media/common/i_management.svg + + title: Interoperability and enterprise guidance + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy + + html:

Learn how Microsoft Edge kiosk mode works with assigned access to let IT administrators create a tailored browsing experience designed for kiosk devices.

+ + image: + + src: https://docs.microsoft.com/media/common/i_categorize.svg + + title: Kiosk mode deployment in Microsoft Edge - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/new-tab-page-settings-gp - html:

Learn how to configure the New tab page in Microsoft Edge.

+ html:

Learn how to configure the New Tab page in Microsoft Edge.

image: src: https://docs.microsoft.com/media/common/i_setup.svg - title: New tab page settings + title: New Tab page - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/prelaunch-preload-gp @@ -178,7 +168,7 @@ sections: src: https://docs.microsoft.com/media/common/i_setup.svg - title: Prelaunch Microsoft Edge and preload tabs + title: Prelaunch Microsoft Edge and preload tabs - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/search-engine-customization-gp @@ -188,7 +178,7 @@ sections: src: https://docs.microsoft.com/media/common/i_search.svg - title: Search engine management + title: Search engine customization - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/security-privacy-management-gp @@ -198,7 +188,7 @@ sections: src: https://docs.microsoft.com/media/common/i_security-management.svg - title: Security & privacy management + title: Security and privacy - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/start-pages-gp @@ -208,7 +198,7 @@ sections: src: https://docs.microsoft.com/media/common/i_setup.svg - title: Start page settings + title: Start page - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/sync-browser-settings-gp @@ -218,7 +208,7 @@ sections: src: https://docs.microsoft.com/media/common/i_sync.svg - title: Sync browser settings + title: Sync browser - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/telemetry-management-gp @@ -229,3 +219,13 @@ sections: src: https://docs.microsoft.com/media/common/i_data-collection.svg title: Telemetry and data collection + + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies + + html:

View all available group policies for Microsoft Edge on Windows 10.

+ + image: + + src: https://docs.microsoft.com/media/common/i_policy.svg + + title: All group policies \ No newline at end of file diff --git a/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md index 9168988d09..65e68d1a5e 100644 --- a/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md +++ b/browsers/edge/group-policies/interoperability-enterprise-guidance-gp.md 
@@ -1,58 +1,77 @@ --- -title: Microsoft Edge - Interoperability and enterprise guidance -description: +title: Microsoft Edge - Interoperability and enterprise mode guidance +description: Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support. +ms.localizationpriority: medium +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/23/2018 +ms.date: 10/02/2018 ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Interoperability and enterprise guidance ->*Supported versions: Microsoft Edge on Windows 10* +# Interoperability and enterprise mode guidance + +Microsoft Edge is the default browser experience for Windows 10 and Windows 10 Mobile. However, Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support. + +>[!TIP] +>If you are running an earlier version of Internet Explorer, we recommend upgrading to IE11, so that any legacy apps continue to work correctly. + +**Technology not supported by Microsoft Edge** -Microsoft Edge lets you continue to use IE11 for sites that are on your corporate intranet or included on your Enterprise Mode Site List. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. 
IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support. - - ->[!TIP] -> If you are running an earlier version of Internet Explorer, then we recommend upgrading to IE11, so any legacy apps continue to work correctly. - -**Technology not supported by Microsoft Edge** - ActiveX controls + +- Browser Heler Objects + +- VBScript + - x-ua-compatible headers -- <meta> tags + +- \ tags + - Legacy document modes - - ->[!TIP] ->You can also use Enterprise Mode with Microsoft Edge to transition only the sites that need these technologies to load in IE11. For info about Enterprise Mode and Edge, see [Use Enterprise Mode to improve compatibility](../emie-to-improve-compatibility.md). - - -If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically. +If you have specific websites and apps that you know have compatibility problems with Microsoft Edge, you can use the Enterprise Mode site list so that the websites automatically open using Internet Explorer 11. Additionally, if you know that your intranet sites aren't going to work correctly with Microsoft Edge, you can set all intranet sites to open using IE11 automatically. Using Enterprise Mode means that you can continue to use Microsoft Edge as your default browser, while also ensuring that your apps continue working on IE11. ## Relevant group policies -1. [Configure the Enterprise Mode Site List](#configure-the-enterprise-mode-site-list) -2. [Send all intranet sites to Internet Explorer 11](#send-all-intranet-sites-to-internet-explorer-11) -3. [Show message when opening sites in Internet Explorer](#show-message-when-opening-sites-in-internet-explorer) -4. 
[(IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge](#ie11-policy-send-all-sites-not-included-in-the-enterprise-mode-site-list-to-microsoft-edge) +1. [Configure the Enterprise Mode Site List](#configure-the-enterprise-mode-site-list) + +2. [Send all intranet sites to Internet Explorer 11](#send-all-intranet-sites-to-internet-explorer-11) + +3. [Show message when opening sites in Internet Explorer](#show-message-when-opening-sites-in-internet-explorer) + +4. [(IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge](#ie11-policy-send-all-sites-not-included-in-the-enterprise-mode-site-list-to-microsoft-edge) + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configuration options ![Use Enterprise Mode with Microsoft Edge to improve compatibility](../images/use-enterprise-mode-with-microsoft-edge-sm.png) + ## Configure the Enterprise Mode Site List -[!INCLUDE [configure-enterprise-mode-site-list-include](../includes/configure-enterprise-mode-site-list-include.md)] + +[!INCLUDE [configure-enterprise-mode-site-list-include](../includes/configure-enterprise-mode-site-list-include.md)] + ## Send all intranet sites to Internet Explorer 11 + [!INCLUDE [send-all-intranet-sites-ie-include](../includes/send-all-intranet-sites-ie-include.md)] -## Show message when opening sites in Internet Explorer -[!INCLUDE [show-message-opening-sites-ie-include](../includes/show-message-opening-sites-ie-include.md)] -## (IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge -[!INCLUDE [ie11-send-all-sites-not-in-site-list-include](../includes/ie11-send-all-sites-not-in-site-list-include.md)] \ No newline at end of file +## Show message when opening sites in Internet Explorer + 
+[!INCLUDE [show-message-opening-sites-ie-include](../includes/show-message-opening-sites-ie-include.md)]
+
+
+## (IE11 policy) Send all sites not included in the Enterprise Mode Site List to Microsoft Edge
+
+[!INCLUDE [ie11-send-all-sites-not-in-site-list-include](../includes/ie11-send-all-sites-not-in-site-list-include.md)]
diff --git a/browsers/edge/group-policies/new-tab-page-settings-gp.md b/browsers/edge/group-policies/new-tab-page-settings-gp.md
index bc6f5d500d..6d6ba06617 100644
--- a/browsers/edge/group-policies/new-tab-page-settings-gp.md
+++ b/browsers/edge/group-policies/new-tab-page-settings-gp.md
@@ -1,20 +1,44 @@ --- -title: Microsoft Edge - New tab page -description: Microsoft Edge loads the default New tab page by default. You can configure Microsoft Edge to load a New tab page URL and prevent users from changing it. +title: Microsoft Edge - New Tab page group policies +description: Microsoft Edge loads the default New tab page by default. With the relevant New Tab policies, you can set a URL to load in the New Tab page and prevent users from making changes. You can also load a blank page instead or let the users choose what loads. +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/25/2018 +ms.date: 10/02/2018 +ms.localizationpriority: medium ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# New tab page +# New Tab page +Microsoft Edge loads the default New tab page by default. With the relevant New Tab policies, you can set a URL to load in the New Tab page and prevent users from making changes. You can also load a blank page instead or let the users choose what loads. -Microsoft Edge loads the default New tab page by default. You can configure Microsoft Edge to load a New tab page URL and prevent users from changing it. When you enable this policy, and you disable the Allow web content on New tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank. +>[!NOTE] +>New tab pages do not load while running InPrivate mode. 
+ +## Relevant group policies + +- [Set New Tab page URL](#set-new-tab-page-url) +- [Allow web content on New Tab page](#allow-web-content-on-new-tab-page) + +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configuration options + +![Load the default New Tab page](../images/load-default-new-tab-page-sm.png) + +![Load a blank page instead of the default New Tab page](../images/load-blank-page-not-new-tab-page-sm.png) + +![Let users choose what loads](../images/users-choose-new-tab-page-sm.png) ## Set New Tab page URL -[!INCLUDE [set-new-tab-url-include](../includes/set-new-tab-url-include.md)] \ No newline at end of file +[!INCLUDE [set-new-tab-url-include](../includes/set-new-tab-url-include.md)] + +## Allow web content on New Tab page +[!INCLUDE [allow-web-content-new-tab-page-include](../includes/allow-web-content-new-tab-page-include.md)] \ No newline at end of file diff --git a/browsers/edge/group-policies/prelaunch-preload-gp.md b/browsers/edge/group-policies/prelaunch-preload-gp.md index e5558942b9..eae661d455 100644 --- a/browsers/edge/group-policies/prelaunch-preload-gp.md +++ b/browsers/edge/group-policies/prelaunch-preload-gp.md 
@@ -1,18 +1,18 @@ --- -title: Microsoft Edge - Prelaunch and tab preload configuration options +title: Microsoft Edge - Prelaunch and tab preload group policies description: Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge. +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/25/2018 +ms.date: 10/02/2018 +ms.localizationpriority: medium --- -# Prelaunch Microsoft Edge and preload tabs in the background - - +# Prelaunch Microsoft Edge and preload tabs in the background Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start up Microsoft Edge. You can also configure Microsoft Edge to prevent Microsoft Edge from pre-launching. -Additionally, Microsoft Edge preloads the Start and New tab pages during Windows sign in, which minimizes the amount of time required to start Microsoft Edge and load a new tab. You can also configure Microsoft Edge to prevent preloading of tabs. +Additionally, Microsoft Edge preloads the Start and New Tab pages during Windows sign in, which minimizes the amount of time required to start Microsoft Edge and load a new tab. You can also configure Microsoft Edge to prevent preloading of tabs. ## Relevant group policies 
@@ -20,12 +20,15 @@ Additionally, Microsoft Edge preloads the Start and New tab pages during Windows - [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed) - [Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](#allow-microsoft-edge-to-start-and-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Configuration options -![Only preload the Start and New tab pages during Windows startup](../images/preload-tabs-only-sm.png) +![Only preload the Start and New Tab pages during Windows startup](../images/preload-tabs-only-sm.png) -![Prelauch Microsoft Edge and preload Start and New tab pages](../images/prelaunch-edge-and-preload-tabs-sm.png) +![Prelauch Microsoft Edge and preload Start and New Tab pages](../images/prelaunch-edge-and-preload-tabs-sm.png) ![Only prelaunch Microsoft Edge during Windows startup](../images/prelaunch-edge-only-sm.png) diff --git a/browsers/edge/group-policies/search-engine-customization-gp.md b/browsers/edge/group-policies/search-engine-customization-gp.md index 1ce3437a76..75d3d2b070 100644 --- a/browsers/edge/group-policies/search-engine-customization-gp.md +++ b/browsers/edge/group-policies/search-engine-customization-gp.md 
@@ -1,14 +1,16 @@ --- -title: Microsoft Edge - Search engine customization -description: By default, Microsoft Edge uses the default search engine specified in App settings, which lets users make changes to it. You can configure Microsoft Edge to use the policy-set search engine specified in the OpenSearch XML file. +title: Microsoft Edge - Search engine customization group policies +description: Microsoft Edge, by default, uses the search engine specified in App settings, which lets users make changes. You can prevent users from making changes and still use the search engine specified in App settings by disabling the Allow search engine customization policy. You can also use the policy-set search engine specified in the OpenSearch XML file in which you can configure up to five additional search engines and setting any one of them as the default. +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/25/2018 +ms.date: 10/02/2018 +ms.localizationpriority: medium --- -# Search engine customization +# Search engine customization -By default, Microsoft Edge uses the default search engine specified in App settings, which lets users make changes to it. You can configure Microsoft Edge to use the policy-set search engine specified in the OpenSearch XML file. You can also prevent users from making changes to the search engine settings. +Microsoft Edge, by default, uses the search engine specified in App settings, which lets users make changes. You can prevent users from making changes and still use the search engine specified in App settings by disabling the Allow search engine customization policy. You can also use the policy-set search engine specified in the OpenSearch XML file in which you can configure up to five additional search engines and setting any one of them as the default. ## Relevant group policies 
@@ -16,6 +18,11 @@ By default, Microsoft Edge uses the default search engine specified in App setti - [Allow search engine customization](#allow-search-engine-customization) - [Configure additional search engines](#configure-additional-search-engines) +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configuration options ![Set default search engine configurations](../images/set-default-search-engine-v4-sm.png) diff --git a/browsers/edge/group-policies/security-privacy-management-gp.md b/browsers/edge/group-policies/security-privacy-management-gp.md index 2af6f28da2..100feaa54d 100644 --- a/browsers/edge/group-policies/security-privacy-management-gp.md +++ b/browsers/edge/group-policies/security-privacy-management-gp.md @@ -1,12 +1,14 @@ --- -title: Microsoft Edge - Security and privacy management +title: Microsoft Edge - Security and privacy group policies description: Microsoft Edge helps to defend from increasingly sophisticated and prevalent web-based attacks against Windows. While most websites are safe, some sites have been designed to steal personal information or gain access to your system’s resources. +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/27/2018 +ms.date: 10/02/2018 +ms.localizationpriority: medium --- -# Security and privacy management +# Security and privacy Microsoft Edge is designed with improved security in mind, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. Because Microsoft Edge is designed like a Universal Windows app, changing the browser to an app, it fundamentally changes the process model so that both the outer manager process and the different content processes all live within app container sandboxes. 
@@ -14,7 +16,11 @@ Microsoft Edge runs in 64-bit not just by default, but anytime it’s running on The value of running 64-bit all the time is that it strengthens Windows Address Space Layout Randomization (ASLR), randomizing the memory layout of the browser processes, making it much harder for attackers to hit precise memory locations. In turn, 64-bit processes make ASLR much more effective by making the address space exponentially larger and, therefore, more difficult for attackers to find sensitive memory components. +For more details on the security features in Microsoft Edge, see [Help protect against web-based security threats](#help-protect-against-web-based-security-threats) below. +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Configure cookies [!INCLUDE [configure-cookies-include](../includes/configure-cookies-include.md)] 
@@ -38,14 +44,28 @@ The value of running 64-bit all the time is that it strengthens Windows Address [!INCLUDE [prevent-localhost-address-for-webrtc-include](../includes/prevent-localhost-address-for-webrtc-include.md)] +## Help protect against web-based security threats -| | | +While most websites are safe, some sites have been intentionally designed to steal sensitive and private information or gain access to your system’s resources. You can help protect against threats by using strong security protocols to ensure against such threats. + +Thieves use things like _phishing_ attacks to convince someone to enter personal information, such as a banking password, into a website that looks like a legitimate bank but isn't. Attempts to identify legitimate websites through the HTTPS lock symbol and the EV Cert green bar have met with only limited success since attackers are too good at faking legitimate experiences for many people to notice the difference. + +Another method thieves often use _hacking_ to attack a system through malformed content that exploits subtle flaws in the browser or various browser extensions. This exploit lets an attacker run code on a device, taking over a browsing session, and perhaps the entire device. + +Microsoft Edge addresses these threats to help make browsing the web a safer experience. + + +| Feature | Description | |---|---| -| **[Windows Hello](http://blogs.windows.com/bloggingwindows/2015/03/17/making-windows-10-more-personal-and-more-secure-with-windows-hello/)** | Authenticates the user and the website with asymmetric cryptography technology. Microsoft Edge natively supports Windows Hello as a more personal, seamless, and secure way to authenticate on the web, powered by an early implementation of the [Web Authentication (formerly FIDO 2.0 Web API) specification](http://w3c.github.io/webauthn/). 
| -| **Microsoft SmartScreen** | Defends against phishing by performing reputation checks on sites visited and blocking any site that is thought to be a phishing site. SmartScreen also helps to defend against installing malicious software or file downloads, even from trusted sites. | -| **Certificate Reputation system** | Collects data about certificates in use, detecting new certificates and flagging fraudulent certificates automatically. | -| **Microsoft EdgeHTML** | Defends against hacking through the following security standards features: | -| **Code integrity and image loading restrictions** | Prevents malicious DLLs from loading or injecting into the content processes. Only signed images are allowed to load in Microsoft Edge. Binaries on remote devices (such as UNC or WebDAV) can't load. | -| **Memory corruption mitigations** | Defends against memory corruption weaknesses and vulnerabilities with the use of [CWE-416: Use After Free](http://cwe.mitre.org/data/definitions/416.html) (UAF). | -| **Memory Garbage Collector (MemGC) mitigation** | Replaces Memory Protector and helps to defend the browser from UAF vulnerabilities by freeing memory from the programmer and automating it, only freeing memory when the automation detects that there are no more references left pointing to a given block of memory. | -| **Control Flow Guard** | Compiles checks around code that performs indirect jumps based on a pointer, restricting those jumps to only going to function entry points with known addresses. Control Flow Guard is a Microsoft Visual Studio technology. 
| \ No newline at end of file +| **[Windows Hello](http://blogs.windows.com/bloggingwindows/2015/03/17/making-windows-10-more-personal-and-more-secure-with-windows-hello/)** | Microsoft Edge is the first browser to natively support Windows Hello to authenticate the user and the website with asymmetric cryptography technology, powered by early implementation of the [Web Authentication (formerly FIDO 2.0 Web API) specification](http://w3c.github.io/webauthn/). | +| **Microsoft SmartScreen** | Defends against phishing by performing reputation checks on sites visited and blocking any sites that are thought to be a phishing site. SmartScreen also helps to defend against installing malicious software, drive-by attacks, or file downloads, even from trusted sites. Drive-by attacks are malicious web-based attacks that compromise your system by targeting security vulnerabilities in commonly used software and may be hosted on trusted sites. | +| **Certificate Reputation system** | Collects data about certificates in use, detecting new certificates and flagging fraudulent certificates automatically, and sends the data to Microsoft. The systems and tools in place include | +| **Microsoft EdgeHTML and modern web standards** | Microsoft Edge uses Microsoft EdgeHTML as the rendering engine. This engine focuses on modern standards letting web developers build and maintain a consistent site across all modern browsers. It also helps to defend against hacking through these security standards features:

**NOTE:** Both Microsoft Edge and Internet Explorer 11 support HSTS. | +| **Code integrity and image loading restrictions** | Microsoft Edge content processes support code integrity and image load restrictions, helping to prevent malicious DLLs from loading or injecting into the content processes. Only [properly signed images](https://blogs.windows.com/msedgedev/2015/11/17/microsoft-edge-module-code-integrity/) are allowed to load into Microsoft Edge. Binaries on remote devices (such as UNC or WebDAV) can’t load. | +| **Memory corruption mitigations** | Memory corruption attacks frequently happen to apps written in C or C++ don’t provide safety or buffer overflow protection. When an attacker provides malformed input to a program, the program’s memory becomes corrupt allowing the attacker to take control of the program. Although attackers have adapted and invented new ways to attack, we’ve responded with memory safety defenses, mitigating the most common forms of attack, including and especially [use-after-free (UAF)](http://cwe.mitre.org/data/definitions/416.html) vulnerabilities. | +| **Memory Garbage Collector (MemGC) mitigation** | MemGC replaces Memory Protector and helps to protect the browser from UAF vulnerabilities. MemGC frees up memory from the programmer and automating it. Only freeing memory when the automation detects no references left pointing to a given block of memory. | +| **Control Flow Guard** | Attackers use memory corruption attacks to gain control of the CPU program counter to jump to any code location they want. Control Flow Guard, a Microsoft Visual Studio technology, compiles checks around code that performs indirect jumps based on a pointer. Those jumps get restricted to function entry points with known addresses only making attacker take-overs must more difficult constraining where an attack jumps. 
| +| **All web content runs in an app container sandbox** |Microsoft Edge takes the sandbox even farther, running its content processes in containers not just by default, but all of the time. Microsoft Edge doesn’t support 3rd party binary extensions, so there is no reason for it to run outside of the container, making Microsoft Edge more secure. | +| **Extension model and HTML5 support** |Microsoft Edge does not support binary extensions because they can bring code and data into the browser’s processes without any protection. So if anything goes wrong, the entire browser itself can be compromised or go down. We encourage everyone to use our scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/microsoft-edge/extensions/). | +| **Reduced attack surfaces** |Microsoft Edge does not support VBScript, JScript, VML, Browser Helper Objects, Toolbars, ActiveX controls, and [document modes](https://msdn.microsoft.com/library/jj676915.aspx). Many IE browser vulnerabilities only appear in legacy document modes, so removing support reduced attack surface making the browser more secure.

It also means that it’s not as backward compatible. With this reduced backward compatibility, Microsoft Edge automatically falls back to Internet Explorer 11 for any apps that need backward compatibility. This fall back happens when you use the Enterprise Mode Site List. | +--- diff --git a/browsers/edge/group-policies/start-pages-gp.md b/browsers/edge/group-policies/start-pages-gp.md index ddb428bcc4..4a048616d8 100644 --- a/browsers/edge/group-policies/start-pages-gp.md +++ b/browsers/edge/group-policies/start-pages-gp.md 
@@ -1,19 +1,19 @@ --- -title: Microsoft Edge - Start pages -description: Configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. +title: Microsoft Edge - Start pages group policies +description: Microsoft Edge loads the pages specified in App settings as the default Start pages. With the relevant Start pages policies, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. You can also configure Microsoft Edge to prevent users from making changes. +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/25/2018 +ms.localizationpriority: medium +ms.date: 10/02/2018 ms.prod: edge ms.mktglfcycl: explore ms.sitesec: library --- -# Start pages configuration options ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +# Start pages - -Microsoft Edge loads the pages specified in App settings as the default Start pages. You can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. You can also configure Microsoft Edge to prevent users from making changes. +Microsoft Edge loads the pages specified in App settings as the default Start pages. With the relevant Start pages policies, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages, or a specific page or pages. You can also configure Microsoft Edge to prevent users from making changes. ## Relevant group policies 
@@ -21,6 +21,11 @@ Microsoft Edge loads the pages specified in App settings as the default Start pa - [Configure Start Pages](#configure-start-pages) - [Disable Lockdown of Start pages](#disable-lockdown-of-start-pages) +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + +## Configuration options ![Load URLs defined in Configure Start Pages](../images/load-urls-defined-in-configure-open-edge-with-main-sm.png) 
@@ -34,16 +39,3 @@ Microsoft Edge loads the pages specified in App settings as the default Start pa ## Disable Lockdown of Start pages [!INCLUDE [disable-lockdown-of-start-pages-include](../includes/disable-lockdown-of-start-pages-include.md)] - -### Configuration options - -| **Configure Open Microsoft Edge With** | **Configure Start Pages** | **Disabled Lockdown of Start Pages** | **Outcome** | -| --- | --- | --- | --- | -| Enabled (applies to all options) | Enabled – String | Enabled (all configured start pages are editable) | Load URLs defined in the Configure Open Microsoft Edge With policy, and allow users to make changes. | -| Disabled or not configured | Enabled – String | Enabled (any Start page configured in the Configured Start Pages policy) | Load any start page and let users make changes .| -| Enabled (Start page) | Enabled – String | Blank or not configured | Load Start page(s) and prevent users from making changes. | -| Enabled (New tab page) | Enabled – String | Blank or not configured | Load New tab page and prevent users from making changes. | -| Enabled (Previous pages) | Enabled – String | Blank or not configured | Load previously opened pages and prevent users from making changes. | -| Enabled (A specific page or pages) | Enabled – String | Blank or not configured | Load a specific page or pages and prevent users from making changes. | -| Enabled (A specific page or pages) | Enabled – String | Enabled (any Start page configured in Configure Start Pages policy) | Load a specific page or pages and let users make changes. | ---- \ No newline at end of file diff --git a/browsers/edge/group-policies/sync-browser-settings-gp.md b/browsers/edge/group-policies/sync-browser-settings-gp.md index 957e790520..19670fa3e2 100644 --- a/browsers/edge/group-policies/sync-browser-settings-gp.md +++ b/browsers/edge/group-policies/sync-browser-settings-gp.md 
@@ -1,12 +1,14 @@ --- -title: Microsoft Edge - Sync browser settings options -description: By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. +title: Microsoft Edge - Sync browser settings +description: By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 08/06/2018 +ms.date: 10/02/2018 +ms.localizationpriority: medium --- -# Sync browser settings options +# Sync browser settings By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. The “browser” group uses the Sync your Settings option in Settings to sync information like history and favorites. You can configure Microsoft Edge to prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. @@ -16,6 +18,9 @@ By default, the “browser” group syncs automatically between the user’s dev - [Do not sync browser settings](#do-not-sync-browser-settings) - [Prevent users from turning on browser syncing](#prevent-users-from-turning-on-browser-syncing) +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Configuration options 
@@ -24,8 +29,8 @@ By default, the “browser” group syncs automatically between the user’s dev ![Prevent syncing of browser settings](../images/prevent-syncing-browser-settings-sm.png) -## Verify the configuration -To verify if syncing is turned on or off: +### Verify the configuration +To verify the settings: 1. In the upper-right corner of Microsoft Edge, click **More** \(**...**\). 2. Click **Settings**. 3. Under Account, see if the setting is toggled on or off.

![Verify configuration](../images/sync-settings.PNG) diff --git a/browsers/edge/group-policies/telemetry-management-gp.md b/browsers/edge/group-policies/telemetry-management-gp.md index 242ecf0298..446721b2a4 100644 --- a/browsers/edge/group-policies/telemetry-management-gp.md +++ b/browsers/edge/group-policies/telemetry-management-gp.md @@ -1,14 +1,20 @@ --- -title: Microsoft Edge - Telemetry and data collection -description: +title: Microsoft Edge - Telemetry and data collection group policies +description: Microsoft Edge gathers diagnostic data, intranet history, internet history, tracking information of sites visited, and Live Tile metadata. You can configure Microsoft Edge to collect all or none of this information. +manager: dougkim ms.author: pashort author: shortpatti -ms.date: 07/29/2018 +ms.date: 10/02/2018 +ms.localizationpriority: medium --- -# Telemetry and data collection +# Telemetry and data collection +Microsoft Edge gathers diagnostic data, intranet history, internet history, tracking information of sites visited, and Live Tile metadata. You can configure Microsoft Edge to collect all or none of this information. +You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** ## Allow extended telemetry for the Books tab [!INCLUDE [allow-ext-telemetry-books-tab-include.md](../includes/allow-ext-telemetry-books-tab-include.md)] 
@@ -16,11 +22,8 @@ ms.date: 07/29/2018 ## Configure collection of browsing data for Microsoft 365 Analytics [!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](../includes/configure-browser-telemetry-for-m365-analytics-include.md)] - - ## Configure Do Not Track [!INCLUDE [configure-do-not-track-include.md](../includes/configure-do-not-track-include.md)] - ## Prevent Microsoft Edge from gathering Live Tile information when pinning a site to Start [!INCLUDE [prevent-live-tile-pinning-start-include](../includes/prevent-live-tile-pinning-start-include.md)] \ No newline at end of file diff --git a/browsers/edge/hardware-and-software-requirements.md b/browsers/edge/hardware-and-software-requirements.md deleted file mode 100644 index 307e1293de..0000000000 --- a/browsers/edge/hardware-and-software-requirements.md +++ /dev/null 
@@ -1,167 +0,0 @@ ---- -description: Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list. -ms.assetid: 3c5bc4c4-1060-499e-9905-2504ea6dc6aa -author: shortpatti -ms.prod: edge -ms.mktglfcycl: support -ms.sitesec: library -ms.pagetype: appcompat -title: Microsoft Edge requirements and language support (Microsoft Edge for IT Pros) -ms.localizationpriority: medium -ms.date: 07/27/2017 ---- - -# Microsoft Edge requirements and language support - ->Applies to: Windows 10, Windows 10 Mobile - - -Microsoft Edge is pre-installed on all Windows 10-capable devices that meet the minimum system requirements and are on the supported language list. - ->[!NOTE] ->The Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality, and can't be supported on systems running the LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. - -## Minimum system requirements -Some of the components in this table might also need additional system resources. Check the component's documentation for more information. - - -| Item | Minimum requirements | -| ------------------ | -------------------------------------------- | -| Computer/processor | 1 gigahertz (GHz) or faster (32-bit (x86) or 64-bit (x64)) | -| Operating system |

**Note**
For specific Windows 10 Mobile requirements, see the [Minimum hardware requirements for Windows 10 Mobile](https://go.microsoft.com/fwlink/p/?LinkID=699266) topic. | -| Memory |

| -| Hard drive space | | -| DVD drive | DVD-ROM drive (if installing from a DVD-ROM) | -| Display | Super VGA (800 x 600) or higher-resolution monitor with 256 colors | -| Graphics card | Microsoft DirectX 9 or later with Windows Display Driver Model (WDDM) 1.0 driver | -| Peripherals | Internet connection and a compatible pointing device | - -  - -## Supported languages - - -Microsoft Edge supports all of the same languages as Windows 10, including: - - -| Language | Country/Region | Code | -| ------------------------ | -------------- | ------ | -| Afrikaans (South Africa) | South Africa | af-ZA | -| Albanian (Albania) | Albania | sq-AL | -| Amharic | Ethiopia | am-ET | -| Arabic (Saudi Arabia) | Saudi Arabia | ar-SA | -| Armenian | Armenia | hy-AM | -| Assamese | India | as-IN | -| Azerbaijani (Latin, Azerbaijan) | Azerbaijan | az-Latn-AZ | -| Bangla (Bangladesh) | Bangladesh | bn-BD | -| Bangla (India) | India | bn-IN | -| Basque (Basque) | Spain | eu-ES | -| Belarusian (Belarus) | Belarus | be-BY | -| Bosnian (Latin) | Bosnia and Herzegovina | bs-Latn-BA | -| Bulgarian (Bulgaria) | Bulgaria | bg-BG | -| Catalan (Catalan) | Spain | ca-ES | -| Central Kurdish (Arabic) | Iraq | ku-Arab-IQ | -| Cherokee (Cherokee) | United States | chr-Cher-US | -| Chinese (Hong Kong SAR) | Hong Kong Special Administrative Region | zh-HK | -| Chinese (Simplified, China) | People's Republic of China | zh-CN | -| Chinese (Traditional, Taiwan) | Taiwan | zh-TW | -| Croatian (Croatia) | Croatia | hr-HR | -| Czech (Czech Republic) | Czech Republic | cs-CZ | -| Danish (Denmark) | Denmark | da-DK | -| Dari | Afghanistan | prs-AF | -| Dutch (Netherlands) | Netherlands | nl-NL | -| English (United Kingdom) | United Kingdom | en-GB | -| English (United States) | United States | en-US | -| Estonian (Estonia) | Estonia | et-EE | -| Filipino (Philippines) | Philippines | fil-PH | -| Finnish (Finland) | Finland | fi_FI | -| French (Canada) | Canada | fr-CA | -| French (France) | France | fr-FR 
| -| Galician (Galician) | Spain | gl-ES | -| Georgian | Georgia | ka-GE | -| German (Germany) | Germany | de-DE | -| Greek (Greece) | Greece | el-GR | -| Gujarati | India | gu-IN | -| Hausa (Latin, Nigeria) | Nigeria | ha-Latn-NG | -| Hebrew (Israel) | Israel | he-IL | -| Hindi (India) | India | hi-IN | -| Hungarian (Hungary) | Hungary | hu-HU | -| Icelandic | Iceland | is-IS | -| Igbo | Nigeria | ig-NG | -| Indonesian (Indonesia) | Indonesia | id-ID | -| Irish | Ireland | ga-IE | -| isiXhosa | South Africa | xh-ZA | -| isiZulu | South Africa | zu-ZA | -| Italian (Italy) | Italy | it-IT | -| Japanese (Japan) | Japan | ja-JP | -| Kannada | India | kn-IN | -| Kazakh (Kazakhstan) | Kazakhstan | kk-KZ | -| Khmer (Cambodia) | Cambodia | km-KH | -| K'iche' | Guatemala | quc-Latn-GT | -| Kinyarwanda | Rwanda | rw-RW | -| KiSwahili | Kenya, Tanzania | sw-KE | -| Konkani | India | kok-IN | -| Korean (Korea) | Korea | ko-KR | -| Kyrgyz | Kyrgyzstan | ky-KG | -| Lao (Laos) | Lao P.D.R. | lo-LA | -| Latvian (Latvia) | Latvia | lv-LV | -| Lithuanian (Lithuania) | Lithuania | lt-LT | -| Luxembourgish (Luxembourg) | Luxembourg | lb-LU | -| Macedonian (Former Yugoslav Republic of Macedonia) | Macedonia (FYROM) | mk-MK | -| Malay (Malaysia) | Malaysia, Brunei, and Singapore | ms-MY | -| Malayalam | India | ml-IN | -| Maltese | Malta | mt-MT | -| Maori | New Zealand | mi-NZ | -| Marathi | India | mr-IN | -| Mongolian (Cyrillic) | Mongolia | mn-MN | -| Nepali | Federal Democratic Republic of Nepal | ne-NP | -| Norwegian (Nynorsk) | Norway | nn-NO | -| Norwegian, Bokmål (Norway) | Norway | nb-NO | -| Odia | India | or-IN | -| Polish (Poland) | Poland | pl-PL | -| Portuguese (Brazil) | Brazil | pt-BR | -| Portuguese (Portugal) | Portugal | pt-PT | -| Punjabi | India | pa-IN | -| Punjabi (Arabic) | Pakistan | pa-Arab-PK | -| Quechua | Peru | quz-PE | -| Romanian (Romania) | Romania | ro-RO | -| Russian (Russia) | Russia | ru-RU | -| Scottish Gaelic | United Kingdom | gd-GB | -| Serbian 
(Cyrillic, Bosnia, and Herzegovina) | Bosnia and Herzegovina | sr-Cyrl-BA | -| Serbian (Cyrillic, Serbia) | Serbia | sr-Cyrl-RS | -| Serbian (Latin, Serbia) | Serbia | sr-Latn-RS | -| Sesotho sa Leboa | South Africa | nso-ZA | -| Setswana (South Africa) | South Africa and Botswana | tn-ZA | -| Sindhi (Arabic) | Pakistan | sd-Arab-PK | -| Sinhala | Sri Lanka | si-LK | -| Slovak (Slovakia) | Slovakia | sk-SK | -| Slovenian (Slovenia) | Slovenia | sl-SL | -| Spanish (Mexico) | Mexico | es-MX | -| Spanish (Spain, International Sort) | Spain | en-ES | -| Swedish (Sweden) | Sweden | sv-SE | -| Tajik (Cyrillic) | Tajikistan | tg-Cyrl-TJ | -| Tamil (India) | India and Sri Lanka | ta-IN | -| Tatar | Russia | tt-RU | -| Telugu | India | te-IN | -| Thai (Thailand) | Thailand | th-TH | -| Tigrinya (Ethiopia) | Ethiopia | ti-ET | -| Turkish (Turkey) | Turkey | tr-TR | -| Turkmen | Turkmenistan | tk-TM | -| Ukrainian (Ukraine) | Ukraine | uk-UA | -| Urdu | Pakistan | ur-PK | -| Uyghur | People's Republic of China | ug-CN | -| Uzbek (Latin, Uzbekistan) | Uzbekistan | uz-Latn-UZ | -| Valencian | Spain | ca-ES-valencia | -| Vietnamese | Vietnam | vi-VN | -| Welsh | United Kingdom | cy-GB | -| Wolof | Senegal | wo-SN | -| Yoruba | Nigeria | yo-NG | - -  - -  - -  - - - diff --git a/browsers/edge/images/Multi-app_kiosk_inFrame.png b/browsers/edge/images/Multi-app_kiosk_inFrame.png deleted file mode 100644 index a1c62f8ffe..0000000000 Binary files a/browsers/edge/images/Multi-app_kiosk_inFrame.png and /dev/null differ diff --git a/browsers/edge/images/Normal_inFrame.png b/browsers/edge/images/Normal_inFrame.png deleted file mode 100644 index fccb0d4e56..0000000000 Binary files a/browsers/edge/images/Normal_inFrame.png and /dev/null differ 
diff --git a/browsers/edge/images/SingleApp_contosoHotel_inFrame.png b/browsers/edge/images/SingleApp_contosoHotel_inFrame.png
deleted file mode 100644
index b7dfc0ee28..0000000000
Binary files a/browsers/edge/images/SingleApp_contosoHotel_inFrame.png and /dev/null differ
diff --git a/browsers/edge/images/load-blank-page-not-new-tab-page-sm.png b/browsers/edge/images/load-blank-page-not-new-tab-page-sm.png
new file mode 100644
index 0000000000..bddfed4cf8
Binary files /dev/null and b/browsers/edge/images/load-blank-page-not-new-tab-page-sm.png differ
diff --git a/browsers/edge/images/load-default-new-tab-page-sm.png b/browsers/edge/images/load-default-new-tab-page-sm.png
new file mode 100644
index 0000000000..66a5cc830f
Binary files /dev/null and b/browsers/edge/images/load-default-new-tab-page-sm.png differ
diff --git a/browsers/edge/images/microsoft-edge-kiosk-mode.png b/browsers/edge/images/microsoft-edge-kiosk-mode.png
index ec794911b7..ea96e6f845 100644
Binary files a/browsers/edge/images/microsoft-edge-kiosk-mode.png and b/browsers/edge/images/microsoft-edge-kiosk-mode.png differ
diff --git a/browsers/edge/images/multi-app-kiosk-mode.PNG b/browsers/edge/images/multi-app-kiosk-mode.PNG
deleted file mode 100644
index fd924f92b0..0000000000
Binary files a/browsers/edge/images/multi-app-kiosk-mode.PNG and /dev/null differ
diff --git a/browsers/edge/images/single-app-kiosk-mode.PNG b/browsers/edge/images/single-app-kiosk-mode.PNG
deleted file mode 100644
index a939973c62..0000000000
Binary files a/browsers/edge/images/single-app-kiosk-mode.PNG and /dev/null differ
diff --git a/browsers/edge/images/surface_hub_multi-app_kiosk_inframe.png b/browsers/edge/images/surface_hub_multi-app_kiosk_inframe.png
new file mode 100644
index 0000000000..b32638a4bc
Binary files /dev/null and b/browsers/edge/images/surface_hub_multi-app_kiosk_inframe.png differ
diff --git a/browsers/edge/images/surface_hub_multi-app_normal_kiosk_inframe.png b/browsers/edge/images/surface_hub_multi-app_normal_kiosk_inframe.png new file mode 100644 index 0000000000..fb787943a9 Binary files /dev/null and b/browsers/edge/images/surface_hub_multi-app_normal_kiosk_inframe.png differ diff --git a/browsers/edge/images/surface_hub_single-app_browse_kiosk_inframe.png b/browsers/edge/images/surface_hub_single-app_browse_kiosk_inframe.png new file mode 100644 index 0000000000..8b9618e502 Binary files /dev/null and b/browsers/edge/images/surface_hub_single-app_browse_kiosk_inframe.png differ diff --git a/browsers/edge/images/users-choose-new-tab-page-sm.png b/browsers/edge/images/users-choose-new-tab-page-sm.png new file mode 100644 index 0000000000..9373069370 Binary files /dev/null and b/browsers/edge/images/users-choose-new-tab-page-sm.png differ diff --git a/browsers/edge/includes/allow-address-bar-suggestions-include.md b/browsers/edge/includes/allow-address-bar-suggestions-include.md index bd15a448b8..5afbcd58cf 100644 --- a/browsers/edge/includes/allow-address-bar-suggestions-include.md +++ b/browsers/edge/includes/allow-address-bar-suggestions-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
>*Default setting: Enabled or not configured (Allowed)* @@ -10,7 +18,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed. Hide the Address bar drop-down functionality and disable the _Show search and site suggestions as I type_ toggle in Settings. |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented. Hide the Address bar drop-down list and disable the _Show search and site suggestions as I type_ toggle in Settings. |![Most restricted value](../images/check-gn.png) | |Enabled or not configured **(default)** |1 |1 |Allowed. Show the Address bar drop-down list and make it available. | | --- diff --git a/browsers/edge/includes/allow-adobe-flash-include.md b/browsers/edge/includes/allow-adobe-flash-include.md index 669cdf2257..de6d5efb1c 100644 --- a/browsers/edge/includes/allow-adobe-flash-include.md +++ b/browsers/edge/includes/allow-adobe-flash-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Enabled or not configured (Allowed)* @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| -|Disabled |0 |0 |Prevented/not allowed | +|Disabled |0 |0 |Prevented | |Enabled **(default)** |1 |1 |Allowed | --- diff --git a/browsers/edge/includes/allow-clearing-browsing-data-include.md b/browsers/edge/includes/allow-clearing-browsing-data-include.md index 96e804b8cd..3ac05ab8ed 100644 --- a/browsers/edge/includes/allow-clearing-browsing-data-include.md +++ b/browsers/edge/includes/allow-clearing-browsing-data-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Disabled or not configured (Prevented/not allowed)* +>*Default setting: Disabled or not configured (Prevented)* [!INCLUDE [allow-clearing-browsing-data-on-exit-shortdesc](../shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md)] @@ -9,7 +17,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled or not configured **(default)** |0 |0 |Prevented/not allowed. Users can configure the _Clear browsing data_ option in Settings. | | +|Disabled or not configured **(default)** |0 |0 |Prevented. Users can configure the _Clear browsing data_ option in Settings. | | |Enabled |1 |1 |Allowed. Clear the browsing data upon exit automatically. |![Most restricted value](../images/check-gn.png) | --- diff --git a/browsers/edge/includes/allow-config-updates-books-include.md b/browsers/edge/includes/allow-config-updates-books-include.md index ee403d0ebc..faa1c01113 100644 --- a/browsers/edge/includes/allow-config-updates-books-include.md +++ b/browsers/edge/includes/allow-config-updates-books-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1803 or later*
>*Default setting: Enabled or not configured (Allowed)* @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed. |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented. |![Most restricted value](../images/check-gn.png) | |Enabled or not configured
**(default)** |1 |1 |Allowed. Microsoft Edge updates the configuration data for the Books Library automatically. | | --- @@ -33,6 +41,6 @@ ### Related topics -[Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/en-us/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services) -

+[!INCLUDE [man-connections-win-comp-services-shortdesc-include](man-connections-win-comp-services-shortdesc-include.md)] +


diff --git a/browsers/edge/includes/allow-cortana-include.md b/browsers/edge/includes/allow-cortana-include.md index a175001e68..f17b466d84 100644 --- a/browsers/edge/includes/allow-cortana-include.md +++ b/browsers/edge/includes/allow-cortana-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Enabled (Allowed)* @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed. Users can still search to find items on their device. |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented. Users can still search to find items on their device. |![Most restricted value](../images/check-gn.png) | |Enabled
**(default)** |1 |1 |Allowed. | | --- diff --git a/browsers/edge/includes/allow-dev-tools-include.md b/browsers/edge/includes/allow-dev-tools-include.md index 919b4a9968..bca58d082a 100644 --- a/browsers/edge/includes/allow-dev-tools-include.md +++ b/browsers/edge/includes/allow-dev-tools-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
>*Default setting: Enabled (Allowed)* @@ -9,7 +17,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | |Enabled |1 |1 |Allowed | | --- diff --git a/browsers/edge/includes/allow-enable-book-library-include.md b/browsers/edge/includes/allow-enable-book-library-include.md index 1018a1cdd6..7383e53f8c 100644 --- a/browsers/edge/includes/allow-enable-book-library-include.md +++ b/browsers/edge/includes/allow-enable-book-library-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
>*Default setting: Disabled or not configured* diff --git a/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md b/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md index 68b5ecc3da..d60fcace05 100644 --- a/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md +++ b/browsers/edge/includes/allow-ext-telemetry-books-tab-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1803 or later*
>*Default setting: Disabled or not configured (Gather and send only basic diagnostic data)* diff --git a/browsers/edge/includes/allow-extensions-include.md b/browsers/edge/includes/allow-extensions-include.md index d779ecdd05..6eabcd6e27 100644 --- a/browsers/edge/includes/allow-extensions-include.md +++ b/browsers/edge/includes/allow-extensions-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
>*Default setting: Enabled or not configured (Allowed)* @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| -|Disabled |0 |0 |Prevented/not allowed | +|Disabled |0 |0 |Prevented | |Enabled or not configured
**(default)** |1 |1 |Allowed | --- diff --git a/browsers/edge/includes/allow-full-screen-include.md b/browsers/edge/includes/allow-full-screen-include.md index 82d4ac9996..e695b988c5 100644 --- a/browsers/edge/includes/allow-full-screen-include.md +++ b/browsers/edge/includes/allow-full-screen-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Enabled or not configured (Allowed)* @@ -10,7 +18,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | |Enabled
**(default)** |1 |1 |Allowed | | --- diff --git a/browsers/edge/includes/allow-inprivate-browsing-include.md b/browsers/edge/includes/allow-inprivate-browsing-include.md index aed98d6009..c8a3a7384d 100644 --- a/browsers/edge/includes/allow-inprivate-browsing-include.md +++ b/browsers/edge/includes/allow-inprivate-browsing-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
>*Default setting: Enabled or not configured (Allowed)* @@ -10,7 +18,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | |Enabled or not configured
**(default)** |1 |1 |Allowed | | --- diff --git a/browsers/edge/includes/allow-microsoft-compatibility-list-include.md b/browsers/edge/includes/allow-microsoft-compatibility-list-include.md index 7feffa1941..345c148e03 100644 --- a/browsers/edge/includes/allow-microsoft-compatibility-list-include.md +++ b/browsers/edge/includes/allow-microsoft-compatibility-list-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
>*Default setting: Enabled or not configured (Allowed)* @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | |Enabled or not configured
**(default)** |1 |1 |Allowed | | --- diff --git a/browsers/edge/includes/allow-prelaunch-include.md b/browsers/edge/includes/allow-prelaunch-include.md index fc39431ec2..88b4ced471 100644 --- a/browsers/edge/includes/allow-prelaunch-include.md +++ b/browsers/edge/includes/allow-prelaunch-include.md @@ -1,7 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Enabled or not configured (Allowed)* [!INCLUDE [allow-prelaunch-shortdesc](../shortdesc/allow-prelaunch-shortdesc.md)] @@ -10,12 +17,9 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restrictive value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restrictive value](../images/check-gn.png) | |Enabled or not configured
**(default)** |1 |1 |Allowed | | --- -### Configuration options - -For more details about configuring the prelaunch and preload options, see [Prelaunch Microsoft Edge and preload tabs in the background](../group-policies/prelaunch-preload-gp.md). ### ADMX info and settings diff --git a/browsers/edge/includes/allow-printing-include.md b/browsers/edge/includes/allow-printing-include.md index 196a72daea..602922964a 100644 --- a/browsers/edge/includes/allow-printing-include.md +++ b/browsers/edge/includes/allow-printing-include.md @@ -1,5 +1,13 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Enabled or not configured (Allowed)* [!INCLUDE [allow-printing-shortdesc](../shortdesc/allow-printing-shortdesc.md)] @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restrictive value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restrictive value](../images/check-gn.png) | |Enabled or not configured
**(default)** |1 |1 |Allowed | | --- diff --git a/browsers/edge/includes/allow-saving-history-include.md b/browsers/edge/includes/allow-saving-history-include.md index db571b2059..34ae9c3ab8 100644 --- a/browsers/edge/includes/allow-saving-history-include.md +++ b/browsers/edge/includes/allow-saving-history-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Enabled or not configured (Allowed)* [!INCLUDE [allow-saving-history-shortdesc](../shortdesc/allow-saving-history-shortdesc.md)] @@ -9,7 +17,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | |Enabled or not configured
**(default)** |1 |1 |Allowed | | --- diff --git a/browsers/edge/includes/allow-search-engine-customization-include.md b/browsers/edge/includes/allow-search-engine-customization-include.md index 0ee8c5866e..0ac6521325 100644 --- a/browsers/edge/includes/allow-search-engine-customization-include.md +++ b/browsers/edge/includes/allow-search-engine-customization-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
>*Default setting: Enabled or not configured (Allowed)* @@ -8,14 +16,10 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented |![Most restricted value](../images/check-gn.png) | |Enabled or not configured
**(default)** |1 |1 |Allowed | | --- -### Configuration options - -For more details about configuring the search engine, see [Search engine customization](../group-policies/search-engine-customization-gp.md). - ### ADMX info and settings ##### ADMX info diff --git a/browsers/edge/includes/allow-shared-folder-books-include.md b/browsers/edge/includes/allow-shared-folder-books-include.md index ca16e49ee0..dfe00b4fb4 100644 --- a/browsers/edge/includes/allow-shared-folder-books-include.md +++ b/browsers/edge/includes/allow-shared-folder-books-include.md @@ -1,14 +1,24 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1803*
>*Default setting: Disabled or not configured (Not allowed)* [!INCLUDE [allow-a-shared-books-folder-shortdesc](../shortdesc/allow-a-shared-books-folder-shortdesc.md)] + + ### Supported values |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Prevented/not allowed, but Microsoft Edge downloads book files to a per-user folder for each user. |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |1 |Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account.| | +|Disabled or not configured
**(default)** |0 |0 |Prevented. Microsoft Edge downloads book files to a per-user folder for each user. |![Most restricted value](../images/check-gn.png) | +|Enabled |1 |1 |Allowed. Microsoft Edge downloads book files to a shared folder. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy, which you can find:

**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**

Also, the users must be signed in with a school or work account.| | --- ![Allow a shared books folder](../images/allow-shared-books-folder_sm.png) diff --git a/browsers/edge/includes/allow-sideloading-extensions-include.md b/browsers/edge/includes/allow-sideloading-extensions-include.md index b6ebf001c6..4ca5fcad6b 100644 --- a/browsers/edge/includes/allow-sideloading-extensions-include.md +++ b/browsers/edge/includes/allow-sideloading-extensions-include.md @@ -1,5 +1,13 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Enabled (Allowed)* [!INCLUDE [allow-sideloading-of-extensions-shortdesc](../shortdesc/allow-sideloading-of-extensions-shortdesc.md)] @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled or not configured |0 |0 |Prevented/not allowed. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, enable **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** policy, located at Windows Components > App Package Deployment.

For the MDM setting, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). |![Most restricted value](../images/check-gn.png) | +|Disabled or not configured |0 |0 |Prevented. Disabling does not prevent sideloading of extensions using Add-AppxPackage via PowerShell. To prevent this, you must enable the **Allows development of Windows Store apps and installing them from an integrated development environment (IDE)** group policy, which you can find:

**Computer Configuration\\Administrative Templates\\Windows Components\\App Package Deployment\\**

For the MDM setting, set the **ApplicationManagement/AllowDeveloperUnlock** policy to 1 (enabled). |![Most restricted value](../images/check-gn.png) | |Enabled
**(default)** |1 |1 |Allowed. | | --- diff --git a/browsers/edge/includes/allow-tab-preloading-include.md b/browsers/edge/includes/allow-tab-preloading-include.md index b09c405754..4bef6e6c00 100644 --- a/browsers/edge/includes/allow-tab-preloading-include.md +++ b/browsers/edge/includes/allow-tab-preloading-include.md @@ -1,5 +1,13 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, version 1802*
+>*Supported versions: Microsoft Edge on Windows 10, version 1802*
>*Default setting: Enabled or not configured (Allowed)* [!INCLUDE [allow-tab-preloading-shortdesc](../shortdesc/allow-tab-preloading-shortdesc.md)] @@ -8,15 +16,10 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled |0 |0 |Prevented/not allowed. |![Most restricted value](../images/check-gn.png) | -|Enabled or not configured
**(default)** |1 |1 |Allowed. Preload Start and New tab pages. | | +|Disabled |0 |0 |Prevented. |![Most restricted value](../images/check-gn.png) | +|Enabled or not configured
**(default)** |1 |1 |Allowed. Preload Start and New Tab pages. | | --- - -### Configuration options - -For more details about configuring the prelaunch and preload options, see [Prelaunch Microsoft Edge and preload tabs in the background](../group-policies/prelaunch-preload-gp.md). - ### ADMX info and settings #### ADMX info diff --git a/browsers/edge/includes/allow-web-content-new-tab-page-include.md b/browsers/edge/includes/allow-web-content-new-tab-page-include.md index 7c6889225d..65b23105e2 100644 --- a/browsers/edge/includes/allow-web-content-new-tab-page-include.md +++ b/browsers/edge/includes/allow-web-content-new-tab-page-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Enabled (Default New tab page loads)* +>*Default setting: Enabled (Default New Tab page loads)* [!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] @@ -10,9 +18,9 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| -|Not configured |Blank |Blank |Users can choose what loads on the New tab page. | -|Disabled |0 |0 |Load a blank page instead of the default New tab page and prevent users from changing it. | -|Enabled **(default)** |1 |1 |Load the default New tab page. | +|Not configured |Blank |Blank |Users can choose what loads on the New Tab page. | +|Disabled |0 |0 |Load a blank page instead of the default New Tab page and prevent users from changing it. | +|Enabled **(default)** |1 |1 |Load the default New Tab page. | --- ### ADMX info and settings @@ -34,4 +42,7 @@ - **Value name:** AllowWebContentOnNewTabPage - **Value type:** REG_DWORD +### Related policies +[Set New Tab page URL](../available-policies.md#set-new-tab-page-url): [!INCLUDE [set-new-tab-url-shortdesc](../shortdesc/set-new-tab-url-shortdesc.md)] +


\ No newline at end of file diff --git a/browsers/edge/includes/always-enable-book-library-include.md b/browsers/edge/includes/always-enable-book-library-include.md index 62804e3f93..573e9af1b5 100644 --- a/browsers/edge/includes/always-enable-book-library-include.md +++ b/browsers/edge/includes/always-enable-book-library-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
>*Default setting: Disabled or not configured* diff --git a/browsers/edge/includes/browser-extension-policy-shortdesc-include.md b/browsers/edge/includes/browser-extension-policy-shortdesc-include.md index 4a64abb65c..d0f3827d4e 100644 --- a/browsers/edge/includes/browser-extension-policy-shortdesc-include.md +++ b/browsers/edge/includes/browser-extension-policy-shortdesc-include.md @@ -1 +1,9 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + [Microsoft browser extension policy](https://docs.microsoft.com/en-us/legal/windows/agreements/microsoft-browser-extension-policy): This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**. \ No newline at end of file diff --git a/browsers/edge/includes/configure-additional-search-engines-include.md b/browsers/edge/includes/configure-additional-search-engines-include.md index f77a076f2a..faad5edd23 100644 --- a/browsers/edge/includes/configure-additional-search-engines-include.md +++ b/browsers/edge/includes/configure-additional-search-engines-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
->*Default setting: Disabled or not configured (Prevented/not allowed)* +>*Default setting: Disabled or not configured (Prevented)* [!INCLUDE [configure-additional-search-engines-shortdesc](../shortdesc/configure-additional-search-engines-shortdesc.md)] @@ -8,15 +16,10 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Prevented/not allowed. Microsoft Edge uses the search engine specified in App settings.

If you enabled this policy and now want to disable it, disabling removes all previously configured search engines. |![Most restricted value](../images/check-gn.png) | +|Disabled or not configured
**(default)** |0 |0 |Prevented. Use the search engine specified in App settings.

If you enabled this policy and now want to disable it, all previously configured search engines get removed. |![Most restricted value](../images/check-gn.png) | |Enabled |1 |1 |Allowed. Add up to five additional search engines and set any one of them as the default.

For each search engine added you must specify a link to the OpenSearch XML file that contains, at a minimum, the short name and URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://developer.microsoft.com/en-us/microsoft-edge/platform/documentation/dev-guide/browser/search-provider-discovery/). | | --- - -### Configuration options - -For more details about configuring the search engine, see [Search engine customization](../group-policies/search-engine-customization-gp.md). - ### ADMX info and settings #### ADMX info - **GP English name:** Configure additional search engines diff --git a/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md b/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md index d7b0fa6adb..c9c70e7638 100644 --- a/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md +++ b/browsers/edge/includes/configure-adobe-flash-click-to-run-include.md @@ -1,5 +1,13 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
+>*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
>*Default setting: Enabled or not configured (Does not load content automatically)* [!INCLUDE [configure-adobe-flash-click-to-run-setting-shortdesc](../shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md)] @@ -9,7 +17,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| |Disabled |0 |0 |Load and run Adobe Flash content automatically. | | -|Enabled or not configured
**(default)** |1 |1 |Do not load or run Adobe Flash content automatically. Requires action from the user. |![Most restricted value](../images/check-gn.png) | +|Enabled or not configured
**(default)** |1 |1 |Do not load or run Adobe Flash content and require action from the user. |![Most restricted value](../images/check-gn.png) | --- ### ADMX info and settings diff --git a/browsers/edge/includes/configure-allow-flash-url-list-include.md b/browsers/edge/includes/configure-allow-flash-url-list-include.md deleted file mode 100644 index 919215341c..0000000000 --- a/browsers/edge/includes/configure-allow-flash-url-list-include.md +++ /dev/null @@ -1,36 +0,0 @@ - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting:* - -[!INCLUDE [configure-allow-flash-for-url-list-shortdesc](../shortdesc/configure-allow-flash-for-url-list-shortdesc.md)] - -### Supported values - -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -| | | | | | -| | | | | | -| | | | | | ---- - -![Most restricted value](../images/check-gn.png) - -### ADMX info and settings -#### ADMX info -- **GP English name:** -- **GP name:** -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[]() -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\ -- **Value name:** -- **Value type:** REG_DWORD - -


\ No newline at end of file diff --git a/browsers/edge/includes/configure-autofill-include.md b/browsers/edge/includes/configure-autofill-include.md index 3464943193..2be0fe1b32 100644 --- a/browsers/edge/includes/configure-autofill-include.md +++ b/browsers/edge/includes/configure-autofill-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Not configured (Blank)* @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Not configured
**(default)** | Blank |Blank |Users can choose to use AutoFill. | | +|Not configured
**(default)** | Blank |Blank |Users can choose to use Autofill. | | |Disabled | 0 | no | Prevented. |![Most restricted value](../images/check-gn.png) | |Enabled |1 |yes | Allowed. | | --- diff --git a/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md b/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md index 3a0386c574..b5f8421fd3 100644 --- a/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md +++ b/browsers/edge/includes/configure-browser-telemetry-for-m365-analytics-include.md @@ -1,12 +1,26 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Disabled or not configured (No data collected or sent)* [!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](../shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] >[!IMPORTANT] ->For this policy to work, enable the Allow Telemetry policy with the _Enhanced_ option and enable the Configure the Commercial ID policy by providing the Commercial ID. +>For this policy to work, enable the **Allow Telemetry** group policy with the _Enhanced_ option and enable the **Configure the Commercial ID** group policy by providing the Commercial ID. +> +>You can find these policies in the following location of the Group Policy Editor: +> +>**Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\** +> + ### Supported values @@ -19,12 +33,6 @@ |Enabled |3 |3 |Send both intranet and Internet history | | --- ->>You can find this policy and the related policies in the following location of the Group Policy Editor: ->> ->>**_Computer Configuration\\Administrative Templates\\Windows Components\\Data Collection and Preview Builds\\_** ->> - - ### ADMX info and settings #### ADMX info diff --git a/browsers/edge/includes/configure-cookies-include.md b/browsers/edge/includes/configure-cookies-include.md index f89816f8d8..58fd49a1a7 100644 --- a/browsers/edge/includes/configure-cookies-include.md +++ b/browsers/edge/includes/configure-cookies-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Disabled or not configured (Allow all cookies from all sites)* @@ -8,9 +16,9 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Enabled |0 |0 |Block all cookies from all sites |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |1 |Block only coddies from third party websites | | -|Disabled or not configured
**(default)** |2 |2 |Allow all cookies from all sites | | +|Enabled |0 |0 |Block all cookies from all sites. |![Most restricted value](../images/check-gn.png) | +|Enabled |1 |1 |Block only coddies from third party websites. | | +|Disabled or not configured
**(default)** |2 |2 |Allow all cookies from all sites. | | --- ### ADMX info and settings diff --git a/browsers/edge/includes/configure-do-not-track-include.md b/browsers/edge/includes/configure-do-not-track-include.md index 74478b6881..92430f3f95 100644 --- a/browsers/edge/includes/configure-do-not-track-include.md +++ b/browsers/edge/includes/configure-do-not-track-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Not configured (Do not send tracking information)* diff --git a/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md b/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md index a1dfe3e91c..e628013a54 100644 --- a/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md +++ b/browsers/edge/includes/configure-edge-kiosk-reset-idle-timeout-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: 5 minutes* [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] @@ -36,7 +44,7 @@ You must set the Configure kiosk mode policy to enabled (1 - InPrivate public br ### Related policies -[Configure kiosk mode](../new-policies.md#configure-kiosk-mode): [!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)] +[Configure kiosk mode](../available-policies.md#configure-kiosk-mode): [!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)] diff --git a/browsers/edge/includes/configure-enterprise-mode-site-list-include.md b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md index 6b347ce989..10b23c7c4b 100644 --- a/browsers/edge/includes/configure-enterprise-mode-site-list-include.md +++ b/browsers/edge/includes/configure-enterprise-mode-site-list-include.md @@ -1,3 +1,5 @@ + + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Disabled or not configured* diff --git a/browsers/edge/includes/configure-favorites-bar-include.md b/browsers/edge/includes/configure-favorites-bar-include.md index f4f537218f..79a2362f93 100644 --- a/browsers/edge/includes/configure-favorites-bar-include.md +++ b/browsers/edge/includes/configure-favorites-bar-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, new major release* ->*Default setting: Not configured (Hidden)* +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
+>*Default setting: Not configured (Hidden but shown on the Start and New Tab pages)* [!INCLUDE [allow-favorites-bar-shortdesc](../shortdesc/configure-favorites-bar-shortdesc.md)] @@ -11,9 +19,10 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| -|Not configured **(default)** |Blank |Blank |Hide the favorites bar but show it on the Start and New tab pages. The favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. | -|Disabled |0 |0 |Hide the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to Off and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. | -|Enabled |1 |1 |Show the favorites bar on all pages. Also, the favorites bar toggle, in Settings, is set to On and disabled preventing users from making changes. Microsoft Edge also hides the “show bar/hide bar” option in the context menu. | +|Not configured **(default)** |Blank |Blank |Hidden but shown on the Start and New Tab pages.

Favorites Bar toggle (in Settings) = **Off** and enabled letting users make changes. | +|Disabled |0 |0 |Hidden on all pages.

| +|Enabled |1 |1 |Shown on all pages. | + --- ### ADMX info and settings diff --git a/browsers/edge/includes/configure-favorites-include.md b/browsers/edge/includes/configure-favorites-include.md index 4b4862fef7..5287150eea 100644 --- a/browsers/edge/includes/configure-favorites-include.md +++ b/browsers/edge/includes/configure-favorites-include.md @@ -1,4 +1,12 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->Use the **[Provision Favorites](../available-policies.md#provision-favorites)** policy in place of Configure Favorites. +>Discontinued in the Windows 10 October 2018 Update. Use the **[Provision Favorites](../available-policies.md#provision-favorites)** group policy instead.
\ No newline at end of file diff --git a/browsers/edge/includes/configure-home-button-include.md b/browsers/edge/includes/configure-home-button-include.md index d9cf247781..a1e6e8a087 100644 --- a/browsers/edge/includes/configure-home-button-include.md +++ b/browsers/edge/includes/configure-home-button-include.md @@ -1,5 +1,13 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Disabled or not configured (Show home button and load the Start page)* @@ -11,14 +19,11 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| |Disabled or not configured
**(default)** |0 |0 |Show home button and load the Start page. | -|Enabled |1 |1 |Show home button and load the New tab page. | -|Enabled |2 |2 |Show home button and load the custom URL defined in the Set Home Button URL policy. | -|Enabled |3 |3 |Hide home button. | +|Enabled |1 |1 |Show the home button and load the New Tab page. | +|Enabled |2 |2 |Show the home button and load the custom URL defined in the Set Home Button URL policy. | +|Enabled |3 |3 |Hide the home button. | --- -### Configuration options - -For more details about configuring the different Home button options, see [Home button configuration options](../group-policies/home-button-gp.md). >[!TIP] >If you want to make changes to this policy:
  1. Enable the **Unlock Home Button** policy.
  2. Make changes to the **Configure Home Button** policy or **Set Home Button URL** policy.
  3. Disable the **Unlock Home Button** policy.
@@ -45,9 +50,9 @@ For more details about configuring the different Home button options, see [Home ### Related policies -- [Set Home Button URL](../new-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] +- [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] -- [Unlock Home Button](../new-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] +- [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)]
\ No newline at end of file diff --git a/browsers/edge/includes/configure-inprivate-include.md b/browsers/edge/includes/configure-inprivate-include.md deleted file mode 100644 index c29a818b47..0000000000 --- a/browsers/edge/includes/configure-inprivate-include.md +++ /dev/null @@ -1,32 +0,0 @@ -## Configure InPrivate - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured - - -|Group Policy |MDM |Registry |Description |Most restricted | -|---|:---:|:---:|---|:---:| -| | | | | | -| | | | | | -| | | | | | ---- - -### ADMX info and settings -#### ADMX info -- **GP English name:** -- **GP name:** -- **GP path:** Windows Components/Microsoft Edge -- **GP ADMX file name:** MicrosoftEdge.admx - -#### MDM settings -- **MDM name:** Browser/[]() -- **Supported devices:** Desktop and Mobile -- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ -- **Data type:** Integer - -#### Registry settings -- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\ -- **Value name:** -- **Value type:** REG_DWORD - -
\ No newline at end of file diff --git a/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md b/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md index 54880f184f..f2b75dd21e 100644 --- a/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md +++ b/browsers/edge/includes/configure-microsoft-edge-kiosk-mode-include.md @@ -1,6 +1,14 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Not configured* [!INCLUDE [configure-kiosk-mode-shortdesc](../shortdesc/configure-kiosk-mode-shortdesc.md)] @@ -37,7 +45,7 @@ For this policy to work, you must configure Microsoft Edge in assigned access; o - **Value type:** REG_SZ ### Related policies -[Configure kiosk reset after idle timeout](../new-policies.md#configure-kiosk-reset-after-idle-timeout): [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] +[Configure kiosk reset after idle timeout](../available-policies.md#configure-kiosk-reset-after-idle-timeout): [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] ### Related topics diff --git a/browsers/edge/includes/configure-open-edge-with-include.md b/browsers/edge/includes/configure-open-edge-with-include.md index 70ba21e6ab..de594145f7 100644 --- a/browsers/edge/includes/configure-open-edge-with-include.md +++ b/browsers/edge/includes/configure-open-edge-with-include.md @@ -1,29 +1,33 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Enabled (A specific page or pages)* [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] **Version 1703 or later:**
If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non domain-joined devices when it's the only configured URL. -**Version 1810:**
When you enable this policy (Configure Open Microsoft Edge With) and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.

+**version 1809:**
When you enable this policy (Configure Open Microsoft Edge With) and select an option, and also enable the Configure Start Pages policy, Microsoft Edge ignores the Configure Start Page policy.

### Supported values |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| |Not configured |Blank |Blank |If you don't configure this policy and you enable the Disable Lockdown of Start Pages policy, users can change or customize the Start page. | -|Enabled |0 |0 |Loads the Start page. | -|Enabled |1 |1 |Load the New tab page. | +|Enabled |0 |0 |Load the Start page. | +|Enabled |1 |1 |Load the New Tab page. | |Enabled |2 |2 |Load the previous pages. | |Enabled
**(default)** |3 |3 |Load a specific page or pages. | --- -### Configuration options - -For more details about configuring the Start pages, see [Start pages configuration options](../group-policies/start-pages-gp.md). - >[!TIP] >If you want to make changes to this policy:

  1. Set the **Disabled Lockdown of Start Pages** policy to not configured.
  2. Make changes to the **Configure Open Microsoft With** policy.
  3. Enable the **Disabled Lockdown of Start Pages** policy.
diff --git a/browsers/edge/includes/configure-password-manager-include.md b/browsers/edge/includes/configure-password-manager-include.md index eb1e236003..a85cf78561 100644 --- a/browsers/edge/includes/configure-password-manager-include.md +++ b/browsers/edge/includes/configure-password-manager-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Enabled (Allowed/users can change the setting)* diff --git a/browsers/edge/includes/configure-pop-up-blocker-include.md b/browsers/edge/includes/configure-pop-up-blocker-include.md index cb5d637204..1022f7d518 100644 --- a/browsers/edge/includes/configure-pop-up-blocker-include.md +++ b/browsers/edge/includes/configure-pop-up-blocker-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Disabled (Turned off)* @@ -9,8 +17,8 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| |Not configured |Blank |Blank |Users can choose to use Pop-up Blocker. | | -|Disabled
**(default)** |0 |0 |Turn off Pop-up Blocker letting pop-up windows open. | | -|Enabled |1 |1 |Turn on Pop-up Blocker stopping pop-up windows from opening. |![Most restricted value](../images/check-gn.png) | +|Disabled
**(default)** |0 |0 |Turned off. Allow pop-up windows to open. | | +|Enabled |1 |1 |Turned on. Prevent pop-up windows from opening. |![Most restricted value](../images/check-gn.png) | --- ### ADMX info and settings diff --git a/browsers/edge/includes/configure-search-suggestions-address-bar-include.md b/browsers/edge/includes/configure-search-suggestions-address-bar-include.md index fbe5457aa0..fd026a1630 100644 --- a/browsers/edge/includes/configure-search-suggestions-address-bar-include.md +++ b/browsers/edge/includes/configure-search-suggestions-address-bar-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Not configured (Blank)* @@ -9,7 +17,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| |Not configured
**(default)** |Blank |Blank |Users can choose to see search suggestions. | | -|Disabled |0 |0 |Prevented/not allowed. Hide the search suggestions. |![Most restricted value](../images/check-gn.png) | +|Disabled |0 |0 |Prevented. Hide the search suggestions. |![Most restricted value](../images/check-gn.png) | |Enabled |1 |1 |Allowed. Show the search suggestions. | | --- diff --git a/browsers/edge/includes/configure-start-pages-include.md b/browsers/edge/includes/configure-start-pages-include.md index 4a5c023576..20e1b93215 100644 --- a/browsers/edge/includes/configure-start-pages-include.md +++ b/browsers/edge/includes/configure-start-pages-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
>*Default setting: Blank or not configured (Load pages specified in App settings)* @@ -9,13 +17,9 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| |Not configured |Blank |Blank |Load the pages specified in App settings as the default Start pages. | -|Enabled |String |String |Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets:

    \\

**Version 1703 or later:**
If you do not want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it's the only configured URL.

**Version 1810:**
When you enable the Configure Open Microsoft Edge With policy with any option selected, and you enable the Configure Start Pages policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the Configure Start Pages policy. | +|Enabled |String |String |Enter the URLs of the pages you want to load as the Start pages, separating each page using angle brackets:

    \\

**Version 1703 or later:**
If you do not want to send traffic to Microsoft, use the \ value, which honors both domain and non-domain-joined devices when it's the only configured URL.

**Version 1809:**
When you enable the Configure Open Microsoft Edge With policy with any option selected, and you enable the Configure Start Pages policy, the Configure Open Microsoft Edge With policy takes precedence, ignoring the Configure Start Pages policy. | --- -### Configuration options - -For more details about configuring the Start pages, see [Start pages configuration options](../group-policies/start-pages-gp.md). - ### ADMX info and settings #### ADMX info - **GP English name:** Configure Start pages @@ -40,7 +44,7 @@ For more details about configuring the Start pages, see [Start pages configurati - [Disable Lockdown of Start Pages](#disable-lockdown-of-start-pages-include): [!INCLUDE [disable-lockdown-of-start-pages-shortdesc](../shortdesc/disable-lockdown-of-start-pages-shortdesc.md)] -- [Configure Open Microsoft Edge With](../new-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] +- [Configure Open Microsoft Edge With](../available-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] diff --git a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md index b9545d480d..cece4ab0bc 100644 --- a/browsers/edge/includes/configure-windows-defender-smartscreen-include.md +++ b/browsers/edge/includes/configure-windows-defender-smartscreen-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Enabled (Turned on)* diff --git a/browsers/edge/includes/disable-lockdown-of-start-pages-include.md b/browsers/edge/includes/disable-lockdown-of-start-pages-include.md index 06a0642481..3bdfcb5675 100644 --- a/browsers/edge/includes/disable-lockdown-of-start-pages-include.md +++ b/browsers/edge/includes/disable-lockdown-of-start-pages-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Enabled (Start pages are not editable)* @@ -8,14 +16,10 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Not configured |0 |0 |Lock down Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy. |![Most restricted value](../images/check-gn.png) | +|Not configured |0 |0 |Locked. Start pages configured in either the Configure Open Microsoft Edge With policy and Configure Start Pages policy are not editable. |![Most restricted value](../images/check-gn.png) | |Enabled |1 |1 |Unlocked. Users can make changes to all configured start pages.

When you enable this policy and define a set of URLs in the Configure Start Pages policy, Microsoft Edge uses the URLs defined in the Configure Open Microsoft Edge With policy. | | --- -### Configuration options - -For more details about configuring the Start pages, see [Start pages configuration options](../group-policies/start-pages-gp.md). - ### ADMX info and settings #### ADMX info @@ -42,7 +46,7 @@ For more details about configuring the Start pages, see [Start pages configurati ### Related Policies - [Configure Start pages](../available-policies.md#configure-start-pages): [!INCLUDE [configure-start-pages-shortdesc](../shortdesc/configure-start-pages-shortdesc.md)] -- [Configure Open Microsoft Edge With](../new-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] +- [Configure Open Microsoft Edge With](../available-policies.md#configure-open-microsoft-edge-with): [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] ### Related topics diff --git a/browsers/edge/includes/do-not-prompt-client-cert-if-only-one-exists-include.md b/browsers/edge/includes/do-not-prompt-client-cert-if-only-one-exists-include.md deleted file mode 100644 index 3d4feeb168..0000000000 --- a/browsers/edge/includes/do-not-prompt-client-cert-if-only-one-exists-include.md +++ /dev/null @@ -1,31 +0,0 @@ - ->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured*
-
-
-|Group Policy |MDM |Registry |Description |Most restricted |
-|---|:---:|:---:|---|:---:|
-| | | | | |
-| | | | | |
-| | | | | |
----
-
-### ADMX info and settings
-#### ADMX info
-- **GP English name:**
-- **GP name:**
-- **GP path:** Windows Components/Microsoft Edge
-- **GP ADMX file name:** MicrosoftEdge.admx
-
-#### MDM settings
-- **MDM name:** Browser/[]()
-- **Supported devices:** Desktop and Mobile
-- **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/
-- **Data type:** Integer
-
-#### Registry settings
-- **Path:** HKLM\Software\Policies\Microsoft\MicrosoftEdge\
-- **Value name:**
-- **Value type:** REG_DWORD
-
-


\ No newline at end of file
diff --git a/browsers/edge/includes/do-not-sync-browser-settings-include.md b/browsers/edge/includes/do-not-sync-browser-settings-include.md
index 2424c7de85..03f9746a15 100644
--- a/browsers/edge/includes/do-not-sync-browser-settings-include.md
+++ b/browsers/edge/includes/do-not-sync-browser-settings-include.md
@@ -1,3 +1,11 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Disabled or not configured (Allowed/turned on)* @@ -12,10 +20,6 @@ |Enabled |2 |2 |Prevented/turned off. The “browser” group does not use the _Sync your Settings_ option. | --- -### Configuration options - -For more details about configuring the browser syncing options, see [Sync browser settings options](../group-policies/sync-browser-settings-gp.md). - ### ADMX info and settings #### ADMX info @@ -37,7 +41,7 @@ For more details about configuring the browser syncing options, see [Sync browse ### Related policies -[Prevent users from turning on browser syncing](../new-policies.md#prevent-users-from-turning-on-browser-syncing): [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] +[Prevent users from turning on browser syncing](../available-policies.md#prevent-users-from-turning-on-browser-syncing): [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] diff --git a/browsers/edge/includes/do-not-sync-include.md b/browsers/edge/includes/do-not-sync-include.md index 8a8b4770f2..e572ce631a 100644 --- a/browsers/edge/includes/do-not-sync-include.md +++ b/browsers/edge/includes/do-not-sync-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Disabled or not configured (Allowed/turned on)*
diff --git a/browsers/edge/includes/edge-respects-applocker-lists-include.md b/browsers/edge/includes/edge-respects-applocker-lists-include.md
deleted file mode 100644
index 60b8d8f5e0..0000000000
--- a/browsers/edge/includes/edge-respects-applocker-lists-include.md
+++ /dev/null
@@ -1,22 +0,0 @@
-
->*Supported versions: Microsoft Edge on Windows 10*
->*Default setting: Disabled or not configured
-
-
-|Group Policy |MDM |Registry |Description |Most restricted |
-|---|:---:|:---:|---|:---:|
-| | | | | |
-| | | | | |
-| | | | | |
----
-
-### ADMX info and settings
-| | |
-|---|---|
-|ADMX info | |
-|MDM settings | |
-|Registry | |
----
-
-
----
\ No newline at end of file
diff --git a/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md b/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md
index f724a38af6..29285e2d27 100644
--- a/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md
+++ b/browsers/edge/includes/enable-device-for-dev-shortdesc-include.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 [Enable your device for development](https://docs.microsoft.com/en-us/windows/uwp/get-started/enable-your-device-for-development): Developers can access special development features, along with other developer-focused settings, which makes it possible for them to develop, test, and debug apps. Learn how to configure your environment for development, the difference between Developer Mode and sideloading, and the security risks of Developer mode.
\ No newline at end of file
diff --git a/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md b/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md
index ed4e9b1019..d3d116dc84 100644
--- a/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md
+++ b/browsers/edge/includes/ie11-send-all-sites-not-in-site-list-include.md
@@ -1,3 +1,11 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 >*Supported versions: Internet Explorer 11 on Windows 10, version 1607 or later*
>*Default setting: Disabled or not configured* @@ -5,3 +13,7 @@ By default, all sites open the currently active browser. With this policy, you c >[!NOTE] >If you’ve also enabled the Microsoft Edge [Send all intranet sites to Internet Explorer 11](../available-policies.md#send-all-intranet-sites-to-internet-explorer-11) policy, all intranet sites continue to open in Internet Explorer 11. + +You can find the group policy settings in the following location of the Group Policy Editor: + +      **Computer Configuration\\Administrative Templates\\Windows Components\\Internet Explorer\\** diff --git a/browsers/edge/includes/keep-fav-sync-ie-edge-include.md b/browsers/edge/includes/keep-fav-sync-ie-edge-include.md index b1dda60948..cd98f1a8c3 100644 --- a/browsers/edge/includes/keep-fav-sync-ie-edge-include.md +++ b/browsers/edge/includes/keep-fav-sync-ie-edge-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
>*Default setting: Disabled or not configured (Turned off/not syncing)*
diff --git a/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md b/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md
index c0590648fa..7884bbe03b 100644
--- a/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md
+++ b/browsers/edge/includes/man-connections-win-comp-services-shortdesc-include.md
@@ -1 +1,9 @@
-[Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/en-us/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services): Learn about the network connections from Windows to Microsoft services. Also, learn about the privacy settings that affect the data shared with either Microsoft or apps and how to manage them in an enterprise. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+[Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/en-us/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services): Learn about the network connections from Windows to Microsoft services. Also, learn about the privacy settings that affect the data shared with either Microsoft or apps and how to manage them in an enterprise. You can configure diagnostic data at the lowest level for your edition of Windows and evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment.
diff --git a/browsers/edge/includes/prevent-access-about-flag-include.md b/browsers/edge/includes/prevent-access-about-flag-include.md
index 2ec1c055f5..b7cb5483d1 100644
--- a/browsers/edge/includes/prevent-access-about-flag-include.md
+++ b/browsers/edge/includes/prevent-access-about-flag-include.md
@@ -1,3 +1,11 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 >*Supported versions: Microsoft Edge on Windows 10, version 1607 or later*
>*Default setting: Disabled or not configured (Allowed)* @@ -8,8 +16,8 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Allowed. | | -|Enabled |1 |1 |Prevents users from accessing the about:flags page. |![Most restricted value](../images/check-gn.png) | +|Disabled or not configured
**(default)** |0 |0 |Allowed | | +|Enabled |1 |1 |Prevented |![Most restricted value](../images/check-gn.png) | --- ### ADMX info and settings diff --git a/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md b/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md index e547317eb3..511434ab4e 100644 --- a/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md +++ b/browsers/edge/includes/prevent-bypassing-win-defender-files-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
>*Default setting: Disabled or not configured (Allowed/turned off)*
diff --git a/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md b/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md
index e57bb9f213..01a87fe00e 100644
--- a/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md
+++ b/browsers/edge/includes/prevent-bypassing-win-defender-sites-include.md
@@ -1,3 +1,11 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 >*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
>*Default setting: Disabled or not configured (Allowed/turned off)*
diff --git a/browsers/edge/includes/prevent-certificate-error-overrides-include.md b/browsers/edge/includes/prevent-certificate-error-overrides-include.md
index 052ef6499e..edc6eb48d8 100644
--- a/browsers/edge/includes/prevent-certificate-error-overrides-include.md
+++ b/browsers/edge/includes/prevent-certificate-error-overrides-include.md
@@ -1,6 +1,14 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Disabled or not configured (Allowed/turned off)* [!INCLUDE [prevent-certificate-error-overrides-shortdesc](../shortdesc/prevent-certificate-error-overrides-shortdesc.md)] diff --git a/browsers/edge/includes/prevent-changes-to-favorites-include.md b/browsers/edge/includes/prevent-changes-to-favorites-include.md index 4bbb97f4b0..9807f5b9ce 100644 --- a/browsers/edge/includes/prevent-changes-to-favorites-include.md +++ b/browsers/edge/includes/prevent-changes-to-favorites-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1709 or later*
>*Default setting: Disabled or not configured (Allowed/not locked down)* @@ -8,7 +16,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Disabled or not configured
**(default)** |0 |0 |Allowed/not locked down. Users can add, import, and make changes to the Favorites list. | | +|Disabled or not configured
**(default)** |0 |0 |Allowed/unlocked. Users can add, import, and make changes to the Favorites list. | | |Enabled |1 |1 |Prevented/locked down. |![Most restricted value](../images/check-gn.png) | --- diff --git a/browsers/edge/includes/prevent-first-run-webpage-open-include.md b/browsers/edge/includes/prevent-first-run-webpage-open-include.md index 21acfb5de4..09f5a55707 100644 --- a/browsers/edge/includes/prevent-first-run-webpage-open-include.md +++ b/browsers/edge/includes/prevent-first-run-webpage-open-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
>*Default setting: Disabled or not configured (Allowed)*
diff --git a/browsers/edge/includes/prevent-live-tile-pinning-start-include.md b/browsers/edge/includes/prevent-live-tile-pinning-start-include.md
index cfc5af6f08..39a929269e 100644
--- a/browsers/edge/includes/prevent-live-tile-pinning-start-include.md
+++ b/browsers/edge/includes/prevent-live-tile-pinning-start-include.md
@@ -1,3 +1,11 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
>*Default setting: Disabled or not configured (Collect and send)* @@ -9,7 +17,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| |Disabled or not configured
**(default)** |0 |0 |Collect and send Live Tile metadata. | | -|Enabled |1 |1 |No data collected. |![Most restricted value](../images/check-gn.png) | +|Enabled |1 |1 |Do not collect data. |![Most restricted value](../images/check-gn.png) | --- ### ADMX info and settings diff --git a/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md b/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md index 4b5e20e3cb..bd72138fb1 100644 --- a/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md +++ b/browsers/edge/includes/prevent-localhost-address-for-webrtc-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
>*Default setting: Disabled or not configured (Allowed/show localhost IP addresses)*
diff --git a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md
index 67f9bab3e2..12aad63505 100644
--- a/browsers/edge/includes/prevent-turning-off-required-extensions-include.md
+++ b/browsers/edge/includes/prevent-turning-off-required-extensions-include.md
@@ -1,6 +1,14 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Disabled or not configured (Allowed)* [!INCLUDE [prevent-turning-off-required-extensions-shortdesc](../shortdesc/prevent-turning-off-required-extensions-shortdesc.md)] @@ -10,9 +18,11 @@ |Group Policy |Description | |---|---| |Disabled or not configured
**(default)** |Allowed. Users can uninstall extensions. If you previously enabled this policy and you decide to disable it, the list of extension PFNs defined in this policy get ignored. | -|Enabled |Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper and Office Online extension prevents users from turning it off:

_Microsoft.OneNoteWebClipper8wekyb3d8bbwe;Microsoft.OfficeOnline8wekyb3d8bbwe_

After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune.

Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the [Allow Developer Tools](../available-policies.md#allow-developer-tools) policy, then this policy does not prevent users from debugging and altering the logic on an extension. | +|Enabled |Provide a semi-colon delimited list of extension PFNs. For example, adding the following OneNote Web Clipper and Office Online extension prevents users from turning it off:

_Microsoft.OneNoteWebClipper8wekyb3d8bbwe;Microsoft.OfficeOnline8wekyb3d8bbwe_

After defining the list of extensions, you deploy them through any available enterprise deployment channel, such as Microsoft Intune.

Removing extensions from the list does not uninstall the extension from the user’s computer automatically. To uninstall the extension, use any available enterprise deployment channel. If you enable the [Allow Developer Tools](../group-policies/developer-settings-gp.md#allow-developer-tools) policy, then this policy does not prevent users from debugging and altering the logic on an extension. | --- + + ### ADMX info and settings #### ADMX info - **GP English name:** Prevent turning off required extensions @@ -21,7 +31,7 @@ - **GP ADMX file name:** MicrosoftEdge.admx #### MDM settings -- **MDM name:** Browser/[PreventTurningOffRequiredExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions) +- **MDM name:** [Experience/PreventTurningOffRequiredExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions) - **Supported devices:** Desktop - **URI full path:** ./Vendor/MSFT/Policy/Config/Browser/PreventTurningOffRequiredExtensions - **Data type:** String diff --git a/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md b/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md index 215ccfad37..d6d9abf40f 100644 --- a/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md +++ b/browsers/edge/includes/prevent-users-to-turn-on-browser-syncing-include.md @@ -1,5 +1,13 @@ - ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + + +>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Enabled or not configured (Prevented/turned off)* [!INCLUDE [prevent-users-to-turn-on-browser-syncing-shortdesc](../shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md)] @@ -11,10 +19,6 @@ |Enabled or not configured
**(default)** |1 |1 |Prevented/turned off. | --- -### Configuration options - -For more details about configuring the browser syncing options, see [Sync browser settings options](../group-policies/sync-browser-settings-gp.md). - ### ADMX info and settings #### ADMX info diff --git a/browsers/edge/includes/provision-favorites-include.md b/browsers/edge/includes/provision-favorites-include.md index f0398c27c6..97c708932b 100644 --- a/browsers/edge/includes/provision-favorites-include.md +++ b/browsers/edge/includes/provision-favorites-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1511 or later*
>*Default setting: Disabled or not configured (Customizable)*
diff --git a/browsers/edge/includes/search-provider-discovery-shortdesc-include.md b/browsers/edge/includes/search-provider-discovery-shortdesc-include.md
index e550bc4e57..2f7d7dab86 100644
--- a/browsers/edge/includes/search-provider-discovery-shortdesc-include.md
+++ b/browsers/edge/includes/search-provider-discovery-shortdesc-include.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery): Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar.
\ No newline at end of file
diff --git a/browsers/edge/includes/send-all-intranet-sites-ie-include.md b/browsers/edge/includes/send-all-intranet-sites-ie-include.md
index 904c78270d..fa61ceaac2 100644
--- a/browsers/edge/includes/send-all-intranet-sites-ie-include.md
+++ b/browsers/edge/includes/send-all-intranet-sites-ie-include.md
@@ -1,3 +1,11 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 >*Supported versions: Microsoft Edge on Windows 10*
>*Default setting: Disabled or not configured* @@ -13,7 +21,7 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| |Disabled or not configured
**(default)** |0 |0 |All sites, including intranet sites, open in Microsoft Edge automatically. |![Most restricted value](../images/check-gn.png) | -|Enabled |1 |1 |Only intranet sites open in Internet Explorer 11 automatically.

Enabling this policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser.

  1. In Group Policy Editor, navigate to:

    **Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** and click **Enable**.

  2. Refresh the policy and then view the affected sites in Microsoft Edge.

    A message displays saying that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.

| | +|Enabled |1 |1 |Only intranet sites open in Internet Explorer 11 automatically.

Enabling this policy automatically opens all intranet sites in IE11, even if the users have Microsoft Edge as their default browser.

  1. In Group Policy Editor, navigate to:

    **Computer Configuration\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file**

  2. Click **Enable** and then refresh the policy to view the affected sites in Microsoft Edge.

    A message opens stating that the page needs to open in IE. At the same time, the page opens in IE11 automatically; in a new frame if it is not yet running, or in a new tab.

| | --- diff --git a/browsers/edge/includes/set-default-search-engine-include.md b/browsers/edge/includes/set-default-search-engine-include.md index 4a65053d39..5458337ff4 100644 --- a/browsers/edge/includes/set-default-search-engine-include.md +++ b/browsers/edge/includes/set-default-search-engine-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + >*Supported versions: Microsoft Edge on Windows 10, version 1703 or later*
>*Default setting: Not configured (Defined in App settings)* @@ -8,15 +16,12 @@ |Group Policy |MDM |Registry |Description |Most restricted | |---|:---:|:---:|---|:---:| -|Not configured
**(default)** |Blank |Blank |Microsoft Edge uses the default search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](../available-policies.md#allow-search-engine-customization) policy, users cannot make changes. | | -|Disabled |0 |0 |Microsoft Edge removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. | | -|Enabled |1 |1 |Microsoft Edge uses the policy-set search engine specified in the OpenSearch XML file. Users cannot change the default search engine.

Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

If you want users to use the default Microsoft Edge settings for each market set the string to **EDGEDEFAULT**.

If you would like users to use Microsoft Bing as the default search engine set the string to **EDGEBING**. |![Most restricted value](../images/check-gn.png) | +|Not configured
**(default)** |Blank |Blank |Use the search engine specified in App settings. If you don't configure this policy and disable the [Allow search engine customization](../group-policies/search-engine-customization-gp.md#allow-search-engine-customization) policy, users cannot make changes. | | +|Disabled |0 |0 |Remove or don't use the policy-set search engine and use the search engine for the market, letting users make changes. | | +|Enabled |1 |1 |Use the policy-set search engine specified in the OpenSearch XML file, preventing users from making changes.

Specify a link to the OpenSearch XML file that contains, at a minimum, the short name and the URL template (HTTPS) of the search engine. For more information about creating the OpenSearch XML file, see [Search provider discovery](https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/browser/search-provider-discovery). Use this format to specify the link you want to add.

If you want users to use the default Microsoft Edge settings for each market set the string to **EDGEDEFAULT**.

If you would like users to use Microsoft Bing as the default search engine set the string to **EDGEBING**. |![Most restricted value](../images/check-gn.png) | --- -### Configuration options - -For more details about configuring the search engine, see [Search engine customization](../group-policies/search-engine-customization-gp.md). ### ADMX info and settings #### ADMX info diff --git a/browsers/edge/includes/set-home-button-url-include.md b/browsers/edge/includes/set-home-button-url-include.md index 7e9b36ea77..5fbf5227ad 100644 --- a/browsers/edge/includes/set-home-button-url-include.md +++ b/browsers/edge/includes/set-home-button-url-include.md @@ -1,5 +1,13 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Disabled or not configured (Blank)* [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] @@ -8,16 +16,11 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| -|Disabled or not configured
**(default)** |Blank |Blank |Show the home button and loads the Start page and locks down the home button to prevent users from changing what page loads. | -|Enabled - String |String |String |Load a custom URL for the home button. You must also enable the [Configure Home Button](../new-policies.md#configure-home-button) policy and select the _Show home button & set a specific page_ option.

Enter a URL in string format, for example, https://www.msn.com. | +|Disabled or not configured
**(default)** |Blank |Blank |Show the home button, load the Start pages, and lock down the home button to prevent users from changing what page loads. | +|Enabled - String |String |String |Enter a URL in string format, for example, https://www.msn.com.

For this policy to work, you must also enable the [Configure Home Button](../available-policies.md#configure-home-button) policy and select the _Show home button & set a specific page_ option. | --- -### Configuration options - -For more details about configuring the different Home button options, see [Home button configuration options](../group-policies/home-button-gp.md). - - ### ADMX info and settings #### ADMX info - **GP English name:** Set Home Button URL @@ -39,8 +42,8 @@ For more details about configuring the different Home button options, see [Home ### Related policies -- [Configure Home Button](../new-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] +- [Configure Home Button](../available-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] -- [Unlock Home Button](../new-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] +- [Unlock Home Button](../available-policies.md#unlock-home-button): [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)]


diff --git a/browsers/edge/includes/set-new-tab-url-include.md b/browsers/edge/includes/set-new-tab-url-include.md index ffd31bd264..d558c67cf7 100644 --- a/browsers/edge/includes/set-new-tab-url-include.md +++ b/browsers/edge/includes/set-new-tab-url-include.md @@ -1,5 +1,13 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Disabled or not configured (Blank)* [!INCLUDE [set-new-tab-url-shortdesc](../shortdesc/set-new-tab-url-shortdesc.md)] @@ -8,8 +16,8 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| -|Disabled or not configured
**(default)** |Blank |Blank |Load the default New tab page. | -|Enabled - String |String |String |Prevent users from changing the New tab page.

Enter a URL in string format, for example, https://www.msn.com. | +|Disabled or not configured
**(default)** |Blank |Blank |Load the default New Tab page. | +|Enabled - String |String |String |Enter a URL in string format, for example, https://www.msn.com.

Enabling this policy prevents users from making changes.

| --- ### ADMX info and settings diff --git a/browsers/edge/includes/show-message-opening-sites-ie-include.md b/browsers/edge/includes/show-message-opening-sites-ie-include.md index 75c8366ae9..8b851708f3 100644 --- a/browsers/edge/includes/show-message-opening-sites-ie-include.md +++ b/browsers/edge/includes/show-message-opening-sites-ie-include.md @@ -1,11 +1,20 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, version 1607 and later*
+>*Supported versions: Microsoft Edge on Windows 10, version 1607 and later*
>*Default setting: Disabled or not configured (No additional message)* [!INCLUDE [show-message-when-opening-sites-in-ie-shortdesc](../shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md)] + ### Supported values |Group Policy |MDM |Registry |Description |Most restricted | @@ -15,9 +24,6 @@ |Enabled |2 |2 |Show an additional message with a _Keep going in Microsoft Edge_ link to allow users to open the site in Microsoft Edge. | | --- -### Configuration options -For more details about configuring the search engine, see [Interoperability and enterprise guidance](../group-policies/interoperability-enterprise-guidance-gp.md). - ### ADMX info and settings #### ADMX info - **GP English name:** Show message when opening sites in Internet Explorer diff --git a/browsers/edge/includes/unlock-home-button-include.md b/browsers/edge/includes/unlock-home-button-include.md index e6cb4d2e9f..6ca46698db 100644 --- a/browsers/edge/includes/unlock-home-button-include.md +++ b/browsers/edge/includes/unlock-home-button-include.md @@ -1,5 +1,13 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows*
+>*Supported versions: Microsoft Edge on Windows 10, version 1809*
>*Default setting: Disabled or not configured (Home button is locked)* [!INCLUDE [unlock-home-button-shortdesc](../shortdesc/unlock-home-button-shortdesc.md)] @@ -8,15 +16,10 @@ |Group Policy |MDM |Registry |Description | |---|:---:|:---:|---| -|Disabled or not configured
**(default)** |0 |0 |Lock down and prevent users from making changes to the home button settings. | -|Enabled |1 |1 |Let users make changes. | +|Disabled or not configured
**(default)** |0 |0 |Locked, preventing users from making changes. | +|Enabled |1 |1 |Unlocked, letting users make changes. | --- - -### Configuration options - -For more details about configuring the different Home button options, see [Home button configuration options](../group-policies/home-button-gp.md). - ### ADMX info and settings #### ADMX info - **GP English name:** Unlock Home Button @@ -37,9 +40,9 @@ For more details about configuring the different Home button options, see [Home ### Related policies -- [Configure Home Button](../new-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] +- [Configure Home Button](../available-policies.md#configure-home-button): [!INCLUDE [configure-home-button-shortdesc](../shortdesc/configure-home-button-shortdesc.md)] -- [Set Home Button URL](../new-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)] +- [Set Home Button URL](../available-policies.md#set-home-button-url): [!INCLUDE [set-home-button-url-shortdesc](../shortdesc/set-home-button-url-shortdesc.md)]


\ No newline at end of file diff --git a/browsers/edge/index.yml b/browsers/edge/index.yml index f70b140995..5798e4ee62 100644 --- a/browsers/edge/index.yml +++ b/browsers/edge/index.yml @@ -12,7 +12,7 @@ metadata: description: - text: Learn how to deploy and configure group policies in Microsoft Edge on Windows 10. Some of the features coming to Microsoft Edge gives you the ability to set a custom URL for the New tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. + text: Learn how to deploy and configure group policies in Microsoft Edge on Windows 10. Some of the features coming to Microsoft Edge gives you the ability to set a custom URL for the New Tab page or Home button. Another new feature allows you to hide or show the Favorites bar, giving you more control over the favorites bar. keywords: Microsoft Edge, Windows 10 @@ -50,6 +50,16 @@ sections: items: + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/change-history-for-microsoft-edge + + html:

Learn more about the latest group policies and features added to Microsoft Edge.

+ + image: + + src: https://docs.microsoft.com/media/common/i_whats-new.svg + + title: What's new + - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/about-microsoft-edge html:

Learn about the system requirements and language support for Microsoft Edge.

@@ -60,16 +70,6 @@ sections: title: System requirements and supported languages - - href: https://docs.microsoft.com/en-us/microsoft-edge/deploy/new-policies - - html:

Learn more about the latest group policies and features added to Microsoft Edge.

- - image: - - src: https://docs.microsoft.com/media/common/i_whats-new.svg - - title: What's new - - href: https://www.microsoft.com/en-us/WindowsForBusiness/Compare html:

Learn about the supported features & functionality in each Windows edition.

@@ -138,7 +138,7 @@ sections:

Measuring the impact of Microsoft Edge

- - title: Internet Explorer 11 resources + - title: IE11 resources html:

Deploy Internet Explorer 11 (IE11) - IT Pros

diff --git a/browsers/edge/microsoft-edge-faq.md b/browsers/edge/microsoft-edge-faq.md index 59299f93a9..d5a7390752 100644 --- a/browsers/edge/microsoft-edge-faq.md +++ b/browsers/edge/microsoft-edge-faq.md @@ -1,18 +1,22 @@ --- -title: Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros (Microsoft Edge for IT Pros) -description: Answering frequently asked questions about Microsoft Edge features, integration, support, and potential problems. +title: Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros +description: Answers to frequently asked questions about Microsoft Edge features, integration, support, and potential problems. author: shortpatti ms.author: pashort ms.prod: edge ms.mktglfcycl: general ms.sitesec: library ms.localizationpriority: medium -ms.date: 09/19/2017 +ms.date: 10/02/2018 --- -# Microsoft Edge - Frequently Asked Questions (FAQs) for IT Pros +# Frequently Asked Questions (FAQs) for IT Pros ->Applies to: Windows 10, Windows 10 Mobile +>Applies to: Microsoft Edge on Windows 10 and Windows 10 Mobile + +**Q: What is the size of the local storage for Microsoft Edge overall and per domain?** + +**A:** The limits are 5MB per subdomain, 10MB per domain, and 50MB total. **Q: What is the difference between Microsoft Edge and Internet Explorer 11? How do I know which one to use?** 
@@ -27,7 +31,7 @@ For more information on how Internet Explorer and Microsoft Edge can work togeth **Q: I have Windows 10, but I don’t seem to have Microsoft Edge. Why?** -**A:** Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality and can't be supported on systems running LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. +**A:** Long-Term Servicing Branch (LTSB) versions of Windows, including Windows Server 2016 and Windows Server 2019, don't include Microsoft Edge or many other Universal Windows Platform (UWP) apps. These apps and their services are frequently updated with new functionality and can't be supported on systems running LTSB operating systems. For customers who require the LTSB for specialized devices, we recommend using Internet Explorer 11. **Q: How do I get the latest Canary/Beta/Preview version of Microsoft Edge?** 
@@ -35,17 +39,19 @@ For more information on how Internet Explorer and Microsoft Edge can work togeth **Q: How do I customize Microsoft Edge and related settings for my organization?** -**A:** You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies) for a list of available policies for Microsoft Edge. +**A:** You can use Group Policy or Microsoft Intune to manage settings related to Microsoft Edge, such as security settings, folder redirection, and preferences. See [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](https://docs.microsoft.com/en-us/microsoft-edge/deploy/group-policies/index) for a list of available policies for Microsoft Edge and configuration combinations. **Q: Is Adobe Flash supported in Microsoft Edge?** -**A:** Currently, Adobe Flash is supported as a built-in feature of Microsoft Edge on devices running the desktop version of Windows 10. In July 2017, Adobe announced that Flash will no longer be supported after 2020. We will phase out Flash from Microsoft Edge and Internet Explorer, culminating in the removal of Flash from Windows entirely by the end of 2020. This process began already for Microsoft Edge with [Click-to-Run for Flash](https://blogs.windows.com/msedgedev/2016/12/14/edge-flash-click-run/) in the Windows 10 Creators Update. +**A:** Currently, Adobe Flash is supported as a built-in feature of Microsoft Edge on devices running the desktop version of Windows 10. In July 2017, Adobe announced that Flash will no longer be supported after 2020. 
With Adobe no longer supporting Flash after 2020, Microsoft has started to phase out Flash from Microsoft Edge by adding the [Configure the Adobe Flash Click-to-Run setting](#configure-the-adobe-flash-click-to-run-setting) group policy giving you a way to control the list of websites that have permission to run Adobe Flash content. -For more information about the phasing out of Flash, read the [End of an Era – Next Steps for Adobe Flash](https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#85ZBy7aiVlDQHebO.97) blog post. +To learn more about Microsoft’s plan for phasing out Flash from Microsoft Edge and Internet Explorer, see [The End of an Era — Next Steps for Adobe Flash]( https://blogs.windows.com/msedgedev/2017/07/25/flash-on-windows-timeline/#3Bcc3QjRw0l7XsZ4.97) (blog article). -**Q: Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java?** -**A:** No, ActiveX controls and BHOs such as Silverlight or Java are not supported in Microsoft Edge. The need for ActiveX controls has been significantly reduced by modern web standards, which are more interoperable across browsers. We are working on plans for an extension model based on the modern web platform in Microsoft Edge. We look forward to sharing more details on these plans soon. Not supporting legacy controls in Microsoft Edge provides many benefits including better interoperability with other modern browsers, as well as increased performance, security, and reliability. +**Q: Does Microsoft Edge support ActiveX controls or BHOs like Silverlight or Java?** + +**A:** No. Microsoft Edge does not support ActiveX controls and BHOs such as Silverlight or Java. If you are running web apps that continue to use ActiveX controls, x-ua-compatible headers, or legacy document modes, you need to keep running them in IE11. IE11 offers additional security, manageability, performance, backward compatibility, and modern standards support. 
+ **Q: How often will Microsoft Edge be updated?** @@ -77,5 +83,5 @@ For more information about the phasing out of Flash, read the [End of an Era – **Q: Will Windows 7 or Windows 8.1 users get Microsoft Edge or the new Microsoft EdgeHTML rendering engine?** -**A:** Microsoft Edge has been designed and built to showcase Windows 10 features like Cortana, and is built on top of the Universal Windows Platform. Although we don’t have any plans to bring Microsoft Edge to Windows 7 or Windows 8.1 at this time, you can test Microsoft Edge with older versions of Internet Explorer using [free virtual machines](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/). +**A:** No. Microsoft Edge has been designed and built to showcase Windows 10 features like Cortana, and is built on top of the Universal Windows Platform. diff --git a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md index 5a3b6328ee..fb5b39d441 100644 --- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md +++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md @@ -7,26 +7,26 @@ ms.prod: edge ms.sitesec: library title: Deploy Microsoft Edge kiosk mode ms.localizationpriority: medium -ms.date: 07/25/2018 +ms.date: 10/02/2018 --- -# Deploy Microsoft Edge kiosk mode (Preview) +# Deploy Microsoft Edge kiosk mode ->Applies to: Microsoft Edge on Windows 10
->Preview build 17723 +>Applies to: Microsoft Edge on Windows 10, version 1809 -Microsoft Edge kiosk mode works with assigned access to let IT administrators create a tailored browsing experience designed for kiosk devices. To use Microsoft Edge kiosk mode, you must configure Microsoft Edge as an application in assigned access. Learn more about [Configuring kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc). +In the Windows 10 October 2018 Update, we added the capability to use Microsoft Edge as a kiosk (referred to as Microsoft Edge kiosk mode). We added and updated Microsoft Edge group policies to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure. -When you configure Microsoft Edge kiosk mode in assigned access, you can set it up to show only a single URL in full-screen, in the case of digital/interactive signage on a single-app kiosk device. You can restrict Microsoft Edge for public browsing (on a single and multi-app kiosk device) which runs a multi-tab version of InPrivate with limited functionality. Also, you can configure a multi-app kiosk device to run a full or normal version of Microsoft Edge. +Microsoft Edge kiosk mode works with assigned access, which lets IT administrators create a tailored browsing experience designed for kiosk devices. Assigned access prevents users from accessing the file system and running other apps from Microsoft Edge, such as the address bar or downloads. For example, you can configure Microsoft Edge to load only a single URL in full-screen mode when you configure digital/interactive signage on a single-app kiosk device. -Digital/Interactive signage and public browsing protects the user’s data by running Microsoft Edge InPrivate. In single-app public browsing, there is both an idle timer and an 'End Session' button. The idle timer resets the browsing session after a specified time of user inactivity. 
+In addition to digital/interactive signage, you can configure Microsoft Edge for public browsing either on a single and multi-app kiosk device. Public browsing runs a multi-tab version of InPrivate browsing mode with limited functionality to run in full-screen mode or normal browsing of Microsoft Edge. -In this deployment guidance, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn how to setup your Microsoft Edge kiosk mode experience. +Both digital/interactive signage and public browsing help protect the user’s data by running Microsoft Edge with InPrivate browsing. In single-app public browsing, there is both an ‘End Session’ button that users click to end the browsing session or that resets the session after a specified time of user inactivity. The idle timer is set to 5 minutes by default, but you can choose a value of your own. +In this topic, you learn about the different Microsoft Edge kiosk mode types to help you determine what configuration is best suited for your kiosk device. You also learn how to set up your Microsoft Edge kiosk mode experience. Learn more about [Configuring kiosk and shared devices running Windows desktop editions](https://docs.microsoft.com/en-us/windows/configuration/kiosk-shared-pc). ## Microsoft Edge kiosk types -Microsoft Edge kiosk mode supports **four** types, depending on how Microsoft Edge is set up in assigned access; single-app or multi-app kiosk. Learn more about [assigned access](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/assigned-access). +Depending on how Microsoft Edge is set up in assigned access, Microsoft Edge kiosk mode supports four types, single-app or multi-app kiosk mode with both supporting public browsing. Learn more about [assigned access](https://docs.microsoft.com/en-us/windows-hardware/customize/enterprise/assigned-access). ### Single-app kiosk 
@@ -34,29 +34,33 @@ When you set up Microsoft Edge kiosk mode in single-app assigned access, Microso The single-app Microsoft Edge kiosk mode types include: -1. **Digital / Interactive signage** devices display a specific site in full-screen mode in which Microsoft Edge runs InPrivate mode. Examples of Digital signage are a rotating advertisement or menu. Examples of Interactive signage include an interactive museum display or a restaurant order/pay station. +1. **Digital / Interactive signage** devices display a specific site in full-screen mode that runs InPrivate browsing mode. -2. **Public browsing** devices run a limited multi-tab version of InPrivate and Microsoft Edge is the only app available. Users can’t minimize, close, or open new Microsoft Edge windows or customize Microsoft Edge. Users can clear browsing data, downloads and restart Microsoft Edge by clicking the “End session” button. You can configure Microsoft Edge to restart after a period of inactivity by using the “Configure kiosk reset after idle timeout” policy. A public library or hotel concierge desk are two examples of public browsing in single-app kiosk device. + - **Digital signage** does not require user interaction and best used for a rotating advertisement or menu. - ![Public browsing Microsoft Edge kiosk mode on a single-app kiosk device](images/SingleApp_contosoHotel_inFrame.png) + - **Interactive signage**, on the other hand, requires user interaction within the page but doesn’t allow for any other uses, such as browsing the internet. Use interactive signage for things like a building business directory or restaurant order/pay station. + +2. **Public browsing** devices are publicly accessible and run a limited multi-tab version of InPrivate browsing in Microsoft Edge, which is the only app available on the device. Users can’t minimize, close, or open new Microsoft Edge windows or customize Microsoft Edge.

The single-app public browsing mode is the only kiosk mode that has an ‘End Session’ button that users click to end the browsing session and an idle timer that resets the session after a specified time of user inactivity. Use the “Configure kiosk reset after idle timeout” policy to set the idle timer, which is set to 5 minutes by default, but you can provide a value of your own.

A public library or hotel concierge desk are two examples of public browsing that restricts access to only Microsoft Edge. + + ![Public browsing Microsoft Edge kiosk mode on a single-app kiosk device](images/surface_hub_single-app_browse_kiosk_inframe.png) ### Multi-app kiosk When you set up Microsoft Edge kiosk mode in multi-app assigned access, Microsoft Edge runs a limited multi-tab version of InPrivate or a normal browsing version. For more details about running a multi-app kiosk, or fixed-purpose device, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps). Here you learn how to create kiosks that run more than one app and the benefits of a multi-app kiosk, or fixed-purpose device. The multi-app Microsoft Edge kiosk mode types include: -3. **Public browsing** supports browsing the internet and runs InPrivate with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate windows. On a multi-app kiosk device, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access. You can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support. A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other app(s). +3. **Public browsing** devices are publicly accessible and supports browsing the internet. Public browsing runs a multi-tab version of InPrivate browsing mode with limited functionality that runs in full-screen mode.

In this configuration, Microsoft Edge can interact with other applications. For example, if Internet Explorer 11 is set up in multi-app assigned access, you can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support.

A public library or hotel concierge desk are two examples of public browsing that provides access to Microsoft Edge and other apps. - ![Public browsing Microsoft Edge kiosk mode on a multi-app kiosk device](images/Multi-app_kiosk_inFrame.png) + ![Public browsing Microsoft Edge kiosk mode on a multi-app kiosk device](images/surface_hub_multi-app_kiosk_inframe.png) -4. **Normal mode** mode runs a full version of Microsoft Edge, but some features may not work depending on what other apps you configured in assigned access. For example, if Internet Explorer 11 is set up in assigned access, you can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support. +4. **Normal mode** devices run a full-featured version of Microsoft Edge (referred to as normal browsing).

Some features may not work depending on what other apps you have configured in assigned access. For example, if Internet Explorer 11 is set up in assigned access, you can enable Enterprise Mode to automatically switch users to Internet Explorer 11 for sites that need backward compatibility support. - ![Normal Microsoft Edge kiosk mode on a multi-app kiosk device](images/Normal_inFrame.png) + ![Normal Microsoft Edge kiosk mode on a multi-app kiosk device](images/surface_hub_multi-app_normal_kiosk_inframe.png) ## Let’s get started! -Before you can configure Microsoft Edge kiosk mode, you must set up Microsoft Edge in assigned access. You can set up Microsoft Edge kiosk mode in assigned access using: +Before you can configure Microsoft Edge kiosk mode, you must set up Microsoft Edge in assigned access. With assigned access, you restrict a local standard user account so that it only has access to one Windows app, such as Microsoft Edge in kiosk mode. You can set up Microsoft Edge kiosk mode in assigned access using: -- **Windows Settings.** Best for physically setting up a single device as a kiosk. With this method, you set up assigned access and configure the kiosk or digital sign device using Settings. You can configure Microsoft Edge in single-app (kiosk type – Full-screen or public browsing) and define a single URL for the Home button, Start page, and New tab page. You can also set the reset after an idle timeout. +- **Windows Settings.** Best for physically setting up a couple of devices as kiosks. You can configure Microsoft Edge in single-app (full-screen or public browsing as the kiosk type) and define a single URL for the Home button, Start page, and New Tab page. You can also set the reset after an idle timeout. - **Microsoft Intune or other MDM service.** Best for setting up multiple devices as a kiosk. 
With this method, you configure Microsoft Edge in assigned access and configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access. 
@@ -69,88 +73,94 @@ Before you can configure Microsoft Edge kiosk mode, you must set up Microsoft Ed ### Prerequisites -- Microsoft Edge on Windows 10, version 1809 (Professional, Enterprise, and Education). +- Microsoft Edge on Windows 10, version 1809 (Professional, Enterprise, and Education). -- Configuration and deployment service, such as Windows PowerShell, Microsoft Intune or other MDM service, or Windows Configuration Designer. With these methods, you must have the [AppUserModelID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app); this does not apply to the Windows Settings method. - ->[!Important] ->If you are using a local account as a kiosk account in Intune or provisioning package, make sure to sign into this account and then sign out before configuring the assigned access single-app kiosk. +- Configuration and deployment service, such as Windows PowerShell, Microsoft Intune or other MDM service, or Windows Configuration Designer. With these methods, you must have the [AppUserModelID](https://docs.microsoft.com/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app); this does not apply to the Windows Settings method. ### Use Windows Settings -Windows Settings is the simplest and easiest way to set up one or a couple of devices because you must perform these steps on each device. This method is ideal for small businesses. +Windows Settings is the simplest and easiest way to set up one or a couple of devices because you perform these steps physically on each device. This method is ideal for small businesses. -1. In Windows Settings, select **Accounts** \> **Other people**. +When you set up a single-app kiosk device using Windows Settings, you must first set up assigned access before configuring the device. 
With assigned access, you restrict a local standard user account so that it only has access to one Windows app, such as Microsoft Edge, in kiosk mode. -2. Under **Set up a kiosk**, select **Assigned access**. +1. In the search field of Windows Settings, type **kiosk** and then select **Set up a kiosk (assigned access)**. -3. Select **Get started**. +2. On the **Set up a kiosk** page, click **Get started**. -4. Create a standard user account or choose an existing account for your kiosk. +3. Type a name to create a new account or you can choose an existing account and click **Next**. -5. Select **Next**. +4. On the **Choose a kiosk app** page, select **Microsoft Edge** and then click **Next**. -6. On the **Choose a kiosk app** page, select **Microsoft Edge.** - -7. Select **Next**. - -8. Select how Microsoft Edge displays when running in kiosk mode: +5. Select how Microsoft Edge displays when running in kiosk mode: - **As a digital sign or interactive display**, the default URL shows in full screen, without browser controls. - **As a public browser**, the default URL shows in a browser view with limited browser controls. -9. Select **Next**. +6. Select **Next**. -10. Enter the URL that you want to load when the kiosk launches. +7. Type the URL to load when the kiosk launches. - >[!NOTE] - >The URL sets the Home button, Start page, and New tab page. + >[!NOTE] + >The URL sets the Home button, Start page, and New Tab page. -11. Microsoft Edge in kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue. If **Continue** is not selected, Microsoft Edge resets to the default URL. You can accept the default value of **5 minutes**, or you can choose your own idle timer value. +8. Accept the default value of **5 minutes** for the idle time or provide your own value. -12. Select **Next**, and then select **Close**. 
+ >[!TIP] + >Microsoft Edge kiosk mode has a built-in timer to help keep data safe in public browsing sessions. When the idle time (no user activity) meets the time limit, a confirmation message prompts the user to continue. If the user does not **Continue**, Microsoft Edge resets to the default URL. -13. Close **Settings** to save your choices automatically and apply them the next time the user account logs on. +9. Click **Next**. -14. Configure the policies for Microsoft Edge kiosk mode. For details on the valid kiosk policy settings, see [Relevant policies](#relevant-policies). +10. Close the **Settings** window to save and apply your choices. -15. Validate the Microsoft Edge kiosk mode by restarting the device and signing in with the local kiosk account. +11. Now that you have configured assigned access, selected how Microsoft Edge displays the kiosk, and set the idle timer, you can configure the group policies for Microsoft Edge kiosk mode. -**_Congratulations!_** You’ve finished setting up Microsoft Edge in assigned access and a kiosk or digital sign, and configured browser policies for Microsoft Edge kiosk mode. + >>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: + >> + >>      **Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\** + + - **[Configure kiosk mode](#configure-kiosk-mode)**: Configure the display mode for Microsoft Edge as a kiosk app. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge. For this policy to work, you must configure assigned access; otherwise, Microsoft Edge ignores the settings in this policy. + + - **[Configure kiosk reset after idle timeout](#configure-kiosk-reset-idle-timeout)**: Change the time, in minutes, from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration. 
For this policy to work, you must enable the Configure kiosk mode policy (InPrivate public browsing) and configure Microsoft Edge as a single-app in assigned access; otherwise, Microsoft Edge ignores this setting. + + - **[Additional policies for kiosk mode](#additional-policies-for-kiosk-mode)**: We have other new and existing policies that work with Microsoft Edge kiosk mode, such as Allow cookies, Allow printing, Configure Home button, and Configure telemetry for Microsoft 365 analytics. At this time, only a few features work in all kiosk types, for example, Unlock Home button works only in normal browsing. + +12. Once you've configured the group policies, restart the kiosk device and sign in with the local kiosk account to validate the configuration. + +**_Congratulations!_** You’ve just finished setting up Microsoft Edge in assigned access, a kiosk or digital sign, and configured the group policies for Microsoft Edge kiosk mode. **_Next steps._** -- Use your new kiosk. Sign in to the device using the user account that you selected to run the kiosk app. -- If you want to make changes to your kiosk, you can quickly change the display option and default URL for Microsoft Edge. - - 1. Go to **Start** \> **Settings** \> **Accounts** \> **Other people**. - - 2. Under **Set up a kiosk**, select **Assigned access**. - - 3. Make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge**. +|If you want to... |Then... | +|---|---| +|Use your new kiosk |Sign into the device with the kiosk account that you selected to run Microsoft Edge kiosk mode. | +|Make changes to your kiosk such as change the display option or the URL that loads |

  1. In Windows Settings, type **kiosk** in the search field and select **Set up a kiosk (assigned access)**.
  2. On the **Set up a kiosk** page, make your changes to **Choose a kiosk mode** and **Set up Microsoft Edge**.
| +--- ### Use Microsoft Intune or other MDM service With this method, you can use Microsoft Intune or other MDM services to configure Microsoft Edge kiosk mode in assigned access and how it behaves on a kiosk device. +>[!IMPORTANT] +>If you are using a local account as a kiosk account in Intune or a provisioning package, make sure to sign into this account and then sign out before configuring the assigned access single-app kiosk. + 1. In Microsoft Intune or other MDM service, configure [AssignedAccess](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) to prevent users from accessing the file system, running executables, or other apps. 2. Configure the following MDM settings to control a web browser app on the kiosk device and then restart the device. | | | |---|---| - | **[ConfigureKioskMode](new-policies.md#configure-kiosk-mode)**

![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

| - | **[ConfigureKioskResetAfterIdleTimeout](new-policies.md#configure-kiosk-reset-after-idle-timeout)**

![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout

**Data type:** Integer

**Allowed values:**

| + | **[ConfigureKioskMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**

![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

| + | **[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)**

![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout

**Data type:** Integer

**Allowed values:**

| | **[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages)**

![](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge launches.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages

**Data type:** String

**Allowed values:**

Enter one or more URLs, for example,
   \\ | - | **[ConfigureHomeButton](new-policies.md#configure-home-button)**

![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

| - | **[SetNewTabPageURL](new-policies.md#set-new-tab-page-url)**

![](images/icon-thin-line-computer.png) | Set a custom URL for the New tab page.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.msn.com | - | **[SetHomeButtonURL](new-policies.md#set-home-button-url)**

![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.bing.com | + | **[ConfigureHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**

![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

| + | **[SetHomeButtonURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)**

![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.bing.com | + | **[SetNewTabPageURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**

![](images/icon-thin-line-computer.png) | Set a custom URL for the New Tab page.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.msn.com | ---
-**_Congratulations!_** You’ve finished setting up a kiosk or digital signage and configuring policies for Microsoft Edge kiosk mode using Microsoft Intune or other MDM service. +**_Congratulations!_** You’ve just finished setting up a kiosk or digital signage and configuring group policies for Microsoft Edge kiosk mode using Microsoft Intune or other MDM service. **_Next steps._** Use your new kiosk. Sign in to the device using the user account that you selected to run the kiosk app. @@ -158,27 +168,32 @@ With this method, you can use Microsoft Intune or other MDM services to configur With this method, you can use a provisioning package to configure Microsoft Edge kiosk mode in assigned access. After you set up the provisioning package for configuring Microsoft Edge in assigned access, you configure how Microsoft Edge behaves on a kiosk device. -1. Open Windows Configuration Designer to create a provisioning package and configure Microsoft Edge in assigned access. +>[!IMPORTANT] +>If you are using a local account as a kiosk account in Intune or a provisioning package, make sure to sign into this account and then sign out before configuring the assigned access single-app kiosk. -2. After creating the provisioning package and configuring assigned access, and before you build the package, switch to the advanced editor. +1. Open Windows Configuration Designer and select **Provision Kiosk devices**. -3. Navigate to **Runtime settings \> Policies \> Browser** and set the following policies: +2. Name your project, and click **Next**. + +3. [Set up a kiosk](https://docs.microsoft.com/en-us/windows/configuration/kiosk-single-app#set-up-a-kiosk-using-the-kiosk-wizard-in-windows-configuration-designer). + +4. Switch to the advanced editor and navigate to **Runtime settings \> Policies \> Browser** and set the following policies: | | | |---|---| - | **[ConfigureKioskMode](new-policies.md#configure-kiosk-mode)**

![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

| - | **[ConfigureKioskResetAfterIdleTimeout](new-policies.md#configure-kiosk-reset-after-idle-timeout)**

![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout

**Data type:** Integer

**Allowed values:**

| + | **[ConfigureKioskMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**

![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge as a kiosk app.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode

**Data type:** Integer

**Allowed values:**

| + | **[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)**

![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge kiosk mode resets to the default kiosk configuration.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout

**Data type:** Integer

**Allowed values:**

| | **[HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages)**

![](images/icon-thin-line-computer.png) | Set one or more start pages, URLs, to load when Microsoft Edge launches.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages

**Data type:** String

**Allowed values:**

Enter one or more URLs, for example,
   \\ | - | **[ConfigureHomeButton](new-policies.md#configure-home-button)**

![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

| - | **[SetNewTabPageURL](new-policies.md#set-new-tab-page-url)**

![](images/icon-thin-line-computer.png) | Set a custom URL for the New tab page.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.msn.com | - | **[SetHomeButtonURL](new-policies.md#set-home-button-url)**

![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.bing.com | + | **[ConfigureHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**

![](images/icon-thin-line-computer.png) | Configure how the Home Button behaves.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton

**Data type:** Integer

**Allowed values:**

| + | **[SetHomeButtonURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)**

![](images/icon-thin-line-computer.png) | If you set ConfigureHomeButton to 2, configure the home button URL.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.bing.com | + | **[SetNewTabPageURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**

![](images/icon-thin-line-computer.png) | Set a custom URL for the New Tab page.

**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL

**Data type:** String

**Allowed values:** Enter a URL, for example, https://www.msn.com | --- -
-4. After you’ve configured the Microsoft Edge kiosk mode policies, including any of the related policies, it’s time to build the package. -5. Click **Finish**. The wizard closes taking you back to the Customizations page. +5. After you’ve configured the Microsoft Edge kiosk mode policies, including any of the related policies, it’s time to [build the package](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-create-package#build-package). -6. Apply the provisioning package to the device, which you can do during the first-run experience (out-of-box experience or OOBE) and after (runtime). For more details, see [Apply a provisioning package](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-apply-package). +6. Click **Finish**.

The wizard closes and takes you back to the Customizations page. + +7. [Apply the provisioning package](https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-apply-package) to the device, which you can do during the first-run experience (out-of-box experience or OOBE) and after (runtime). **_Congratulations!_** You’ve finished creating your provisioning package for Microsoft Edge kiosk mode. @@ -186,7 +201,17 @@ With this method, you can use a provisioning package to configure Microsoft Edge --- + ## Relevant policies +We added and updated Microsoft Edge group policies to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure. + +### Configure kiosk mode +[!INCLUDE [configure-microsoft-edge-kiosk-mode-include](includes/configure-microsoft-edge-kiosk-mode-include.md)] + +### Configure kiosk reset idle timeout +[!INCLUDE [configure-edge-kiosk-reset-idle-timeout-include](includes/configure-edge-kiosk-reset-idle-timeout-include.md)] + +### Additional policies for kiosk mode Use any of the Microsoft Edge policies listed below to enhance the kiosk experience depending on the Microsoft Edge kiosk mode type you configure. To learn more about these policies, see [Policy CSP - Browser](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser). 
@@ -202,57 +227,57 @@ Use any of the Microsoft Edge policies listed below to enhance the kiosk experie
 | [AllowExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowextensions) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
 | [AllowFlash](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflash) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
 | [AllowFlashClickToRun](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) | ![Supported](images/148767.png)2 | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
-| [AllowFullscreen](new-policies.md#allow-fullscreen-mode)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
+| [AllowFullscreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
 | [AllowInPrivate](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowinprivate) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
 | [AllowMicrosoftCompatibilityList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowmicrosoftcompatibilitylist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) |
 | [AllowPasswordManager](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpasswordmanager) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
 | [AllowPopups](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowpopups) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
-| [AllowPrelaunch](new-policies.md#allow-microsoft-edge-to-pre-launch-at-windows-startup-when-the-system-is-idle-and-each-time-microsoft-edge-is-closed)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
-| [AllowPrinting](new-policies.md#allow-printing)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
-| [AllowSavingHistory](new-policies.md#allow-saving-history)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
+| [AllowPrelaunch](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
+| [AllowPrinting](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprinting)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
+| [AllowSavingHistory](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
 | [AllowSearchEngineCustomization](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
 | [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsearchenginecustomization) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
-| [AllowSideloadingOfExtensions](new-policies.md#allow-sideloading-of-extensions)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
+| [AllowSideloadingExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
 | [AllowSmartScreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsmartscreen) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
 | [AllowSyncMySettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-allowsyncmysettings) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
-| [AllowTabPreloading](new-policies.md#allow-microsoft-edge-to-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
-| [AllowWebContentOnNewTabPage](available-policies.md#allow-web-content-on-new-tab-page)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
+| [AllowTabPreloading](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
+| [AllowWebContentOnNewTabPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
 | [AlwaysEnabledBooksLibrary](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
 | [ClearBrowsingDataOnExit](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-clearbrowsingdataonexit) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
 | [ConfigureAdditionalSearchEngines](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureadditionalsearchengines) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
-| [ConfigureFavoritesBar](new-policies.md#configure-favorites-bar)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
-| [ConfigureHomeButton](new-policies.md#configure-home-button)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
-|  [ConfigureKioskMode](new-policies.md#configure-kiosk-mode)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
-|  [ConfigureKioskResetAfterIdleTimeout](new-policies.md#configure-kiosk-reset-after-idle-timeout)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) |
-| [ConfigureOpenMicrosoftEdgeWith](new-policies.md#configure-open-microsoft-edge-with)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
-| [ConfigureTelemetryForMicrosoft365Analytics](new-policies.md#configure-collection-of-browsing-data-for-microsoft-365-analytics)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
+| [ConfigureFavoritesBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
+| [ConfigureHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
+|  [ConfigureKioskMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
+|  [ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) |
+| [ConfigureOpenEdgeWith](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
+| [ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
 | [DisableLockdownOfStartPages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-disablelockdownofstartpages) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
-| [Experience/DoNotSyncBrowserSetting](available-policies.md#do-not-sync-browser-settings)\* and [Experience/PreventUsersFromTurningOnBrowserSyncing](new-policies.md#prevent-users-from-turning-on-browser-syncing)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
+| [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting)\* and [Experience/PreventTurningOffRequiredExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
 | [EnableExtendedBooksTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
 | [EnterpriseModeSiteList](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enterprisemodesitelist) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) |
 | [FirstRunURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-firstrunurl) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) |
 | [HomePages](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-homepages) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
 | [LockdownFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
 | [PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventaccesstoaboutflagsinmicrosoftedge) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
-| [PreventCertErrorOverrides](new-policies.md#prevent-certificate-error-overrides)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
+| [PreventCertErrorOverrides](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
 | [PreventFirstRunPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventfirstrunpage) | ![Supported](images/148767.png) | ![Supported](images/148767.png)| ![Supported](images/148767.png) | ![Supported](images/148767.png) |
 | [PreventLiveTileDataCollection](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventlivetiledatacollection) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
 | [PreventSmartScreenPromptOverride](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverride) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
 | [PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventsmartscreenpromptoverrideforfiles) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
-| [PreventTurningOffRequiredExtensions](new-policies.md#prevent-turning-off-required-extensions)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
+| [PreventTurningOffRequiredExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventturningoffrequiredextensions)\* | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
 | [PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventusinglocalhostipaddressforwebrtc) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
 | [ProvisionFavorites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
 | [SendIntranetTraffictoInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sendintranettraffictointernetexplorer) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) |
 | [SetDefaultSearchEngine](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setdefaultsearchengine) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
-| [SetHomeButtonURL](new-policies.md#set-home-button-url)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
-| [SetNewTabPageURL](new-policies.md#set-new-tab-page-url)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
+| [SetHomeButtonURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
+| [SetNewTabPageURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)\* | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png) |
 | [ShowMessageWhenOpeningInteretExplorerSites](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) |
 | [SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-syncfavoritesbetweenieandmicrosoftedge) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png)1 | ![Supported](images/148767.png) |
-| [UnlockHomeButton](new-policies.md#unlock-home-button)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
+| [UnlockHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton)\* | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
 | [UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Not supported](images/148766.png) | ![Supported](images/148767.png) |
 ---
-*\* New policy coming in the next release of Windows 10.*

+*\* New policy as of Windows 10, version 1809.*

*1) For multi-app assigned access, you must configure Internet Explorer 11.*
*2) For digital/interactive signage to enable Flash, set [AllowFlashClickToRun].(https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowflashclicktorun) to 0.*
@@ -284,14 +309,6 @@ Use any of the Microsoft Edge policies listed below to enhance the kiosk experie
 ---
-## Known issues with prerelease build 17723
-
-When you set up Microsoft Edge kiosk mode on a single-app kiosk device you must set the “ConfigureKioskMode” policy because the default behavior is not honored.
-- **Expected behavior** – Microsoft Edge kiosk mode launches in full-screen mode.
-- **Actual behavior** – Normal Microsoft Edge launches.
-
----
-
 ## Provide feedback or get support
 To provide feedback on Microsoft Edge kiosk mode in Feedback Hub, select **Microsoft Edge** as the **Category**, and **All other issues** as the subcategory.
diff --git a/browsers/edge/new-policies.md b/browsers/edge/new-policies.md
deleted file mode 100644
index 421bd3945c..0000000000
--- a/browsers/edge/new-policies.md
+++ /dev/null
@@ -1,116 +0,0 @@
----
-description: Microsoft Edge now has new Group Policies and MDM Settings for IT administrators to configure Microsoft Edge. The new policies allow you to enable/disabled full-screen mode, printing, favorites bar, saving history. You can also prevent certificate error overrides, and configure New tab page, Home button and startup options, as well as manage extensions.
-ms.assetid:
-ms.prod: edge
-ms.mktglfcycl: explore
-ms.sitesec: library
-title: New Microsoft Edge Group Policies and MDM settings
-ms.localizationpriority: medium
-author: shortpatti
-ms.author: pashort
-ms.date: 07/25/2018
----
-
-# New Microsoft Edge Group Policies and MDM settings (Preview)
-
-> Applies to: Microsoft Edge on Windows 10
-> Preview build 17713+ - -The Microsoft Edge team introduces new Group Policies and MDM Settings for the Windows 10 Insider Preview Build 17713+. The new policies allow IT administrators to enable/disable full-screen mode, printing, favorites bar, saving history. You can also prevent certificate error overrides, and configure New tab page, Home button and startup options, as well as manage extensions. - -We are discontinuing the **Configure Favorites** group policy. Use the **[Provision Favorites](available-policies.md#provision-favorites)** instead. - - - ->>You can find the Microsoft Edge Group Policy settings in the following location of the Group Policy Editor unless otherwise noted in the policy: ->> ->>      **_Computer Configuration\\Administrative Templates\\Windows Components\\Microsoft Edge\\_** -

- - - -| **Group Policy** | **New/update?** | **MDM Setting** | **New/update?** | -| --- | --- | --- | --- | -| [Allow fullscreen mode](#allow-fullscreen-mode) | New | [AllowFullscreen](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowfullscreenmode) | New | -| [Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed](#allow-prelaunch) | New | [AllowPrelaunch](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) | New | -| [Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed](#allow-microsoft-edge-to-start-and-load-the-start-and-new-tab-page-at-windows-startup-and-each-time-microsoft-edge-is-closed) | New | [AllowTabPreloading](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) | New | -| [Allow printing](#allow-printing) | New | [AllowPrinting](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) | New | -| [Allow Saving History](#allow-saving-history) | New | [AllowSavingHistory](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) | New | -| [Allow sideloading of Extensions](#allow-sideloading-of-extensions) | New | [AllowSideloadingExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) | New | -| [Allow web content on new tab page](available-policies.md#allow-web-content-on-new-tab-page) | -- | [AllowWebContentOnNewTabPage](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) | New | -| [Configure collection of browsing data for Microsoft 365 Analytics](#configure-collection-of-browsing-data-for-microsoft-365-analytics) | New | 
[ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) | New | -| [Configure Favorites Bar](#configure-favorites-bar) | New | [ConfigureFavoritesBar](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) | New | -| [Configure Home Button](#configure-home-button) | New | [ConfigureHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) | New | -| [Configure kiosk mode](#configure-kiosk-mode) | New | [ConfigureKioskMode](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) | New | -| [Configure kiosk reset after idle timeout](#configure-kiosk-reset-after-idle-timeout) | New | [ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) | New | -| [Configure Open Microsoft Edge With](#configure-open-microsoft-edge-with) | New | [ConfigureOpenEdgeWith](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) | New | -| [Do not sync browser settings](available-policies.md#do-not-sync-browser-settings) | -- | [Experience/DoNotSyncBrowserSettings](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-donotsyncbrowsersetting) | New | -| [Prevent certificate error overrides](#prevent-certificate-error-overrides) | New | [PreventCertErrorOverrides](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) | New | -| [Prevent users from turning on browser syncing](#preventusersfromturningonbrowsersyncing) | New | 
[Experience/PreventUsersFromTurningOnBrowserSyncing](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) | New | -| [Prevent turning off required extensions](#prevent-turning-off-required-extensions) | New | [PreventTurningOffRequiredExtensions](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-experience#experience-preventusersfromturningonbrowsersyncing) | New | -| [Set Home Button URL](#set-home-button-url) | New | [SetHomeButtonURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) | New | -| [Set New Tab page URL](#set-new-tab-page-url) | New | [SetNewTabPageURL](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) | New | -| [Show message when opening sites in Internet Explorer](#showmessagewhenopeninginteretexplorersites) | Updated | [ShowMessageWhenOpeningSitesInInternetExplorer](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-showmessagewhenopeningsitesininternetexplorer) | Updated | -| [Unlock Home Button](#unlock-home-button) | New | [UnlockHomeButton](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) | New | ---- - - - - -## Allow fullscreen mode -[!INCLUDE [allow-full-screen-include](includes/allow-full-screen-include.md)] - -## Allow Microsoft Edge to pre-launch at Windows startup, when the system is idle, and each time Microsoft Edge is closed -[!INCLUDE [allow-prelaunch-include](includes/allow-prelaunch-include.md)] - -## Allow Microsoft Edge to load the Start and New Tab page at Windows startup and each time Microsoft Edge is closed -[!INCLUDE [allow-tab-preloading-include](includes/allow-tab-preloading-include.md)] - -## Allow printing -[!INCLUDE [allow-printing-include.md](includes/allow-printing-include.md)] - -## Allow Saving 
History -[!INCLUDE [allow-saving-history-include.md](includes/allow-saving-history-include.md)] - -## Allow sideloading of Extensions -[!INCLUDE [allow-sideloading-extensions-include.md](includes/allow-sideloading-extensions-include.md)] - -## Configure collection of browsing data for Microsoft 365 Analytics -[!INCLUDE [configure-browser-telemetry-for-m365-analytics-include](includes/configure-browser-telemetry-for-m365-analytics-include.md)] - -## Configure Favorites Bar -[!INCLUDE [configure-favorites-bar-include.md](includes/configure-favorites-bar-include.md)] - -## Configure Home Button -[!INCLUDE [configure-home-button-include.md](includes/configure-home-button-include.md)] - -## Configure kiosk mode -[!INCLUDE [configure-microsoft-edge-kiosk-mode-include.md](includes/configure-microsoft-edge-kiosk-mode-include.md)] - -## Configure kiosk reset after idle timeout -[!INCLUDE [configure-edge-kiosk-reset-idle-timeout-include.md](includes/configure-edge-kiosk-reset-idle-timeout-include.md)] - -## Configure Open Microsoft Edge With -[!INCLUDE [configure-open-edge-with-include.md](includes/configure-open-edge-with-include.md)] - -## Prevent certificate error overrides -[!INCLUDE [prevent-certificate-error-overrides-include.md](includes/prevent-certificate-error-overrides-include.md)] - -## Prevent turning off required extensions -[!INCLUDE [prevent-turning-off-required-extensions-include.md](includes/prevent-turning-off-required-extensions-include.md)] - -## Prevent users from turning on browser syncing -[!INCLUDE [prevent-users-to-turn-on-browser-syncing-include](includes/prevent-users-to-turn-on-browser-syncing-include.md)] - -## Set Home Button URL -[!INCLUDE [set-home-button-url-include](includes/set-home-button-url-include.md)] - -## Set New Tab page URL -[!INCLUDE [set-new-tab-url-include.md](includes/set-new-tab-url-include.md)] - -## Show message when opening sites in Internet Explorer -[!INCLUDE 
[show-message-opening-sites-ie-include](includes/show-message-opening-sites-ie-include.md)] - -## Unlock Home Button -[!INCLUDE [unlock-home-button-include.md](includes/unlock-home-button-include.md)] - diff --git a/browsers/edge/security-enhancements-microsoft-edge.md b/browsers/edge/security-enhancements-microsoft-edge.md deleted file mode 100644 index ae5d5916d8..0000000000 --- a/browsers/edge/security-enhancements-microsoft-edge.md +++ /dev/null 
@@ -1,119 +0,0 @@ ---- -description: Microsoft Edge is designed with significant security improvements over existing browsers, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. -ms.prod: edge -ms.mktglfcycl: explore -ms.sitesec: library -ms.pagetype: security -title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros) -ms.localizationpriority: medium -ms.date: 10/16/2017 -ms.author: pashort -author: shortpatti ---- - -# Security enhancements for Microsoft Edge - ->Applies to: Windows 10, Windows 10 Mobile - -Microsoft Edge is designed with improved security in mind, helping to defend people from increasingly sophisticated and prevalent web-based attacks against Windows. - -## Help to protect against web-based security threats -While most websites are safe, some sites have been designed to steal personal information or gain access to your system’s resources. Thieves by nature don’t care about rules, and will use any means to take advantage of victims, most often using trickery or hacking: - -- **Trickery** uses things like “phishing” attacks to convince a person to enter a banking password into a website that looks like the bank, but isn’t. - -- **Hacking** attacks a system through malformed content that exploits subtle flaws in a browser, or in various browser extensions, such as video decoders. This exploit lets an attacker run code on a device, taking over first a browsing session, and perhaps ultimately the entire device. - -While trickery and hacking are threats faced by every browser, it’s important that we explore how Microsoft Edge addresses these threats and is helping make the web a safer experience. - -### Help against trickery -Web browsers can help defend your employees against trickery by identifying and blocking known tricks, and by using strong security protocols to ensure that they’re talking to the web site they think they’re talking to. 
- -#### Windows Hello -Phishing scams get people to enter passwords into a fake version of a trusted website, such as a bank. Attempts to identify legitimate websites through the HTTPS lock symbol and the EV Cert green bar have met with only limited success, since attackers are too good at faking legitimate experiences for many people to notice the difference. - -To really address this problem, we need to stop people from entering plain-text passwords into websites. So in Windows 10, we gave you [Windows Hello](http://blogs.windows.com/bloggingwindows/2015/03/17/making-windows-10-more-personal-and-more-secure-with-windows-hello/) technology with asymmetric cryptography that authenticates both the person and the website. - -Microsoft Edge is the first browser to natively support Windows Hello as a more personal, seamless, and secure way to authenticate on the web, powered by an early implementation of the [Web Authentication (formerly FIDO 2.0 Web API) specification](http://w3c.github.io/webauthn/). - -#### Microsoft SmartScreen -Microsoft SmartScreen, used in Windows 10 and both Internet Explorer 11 and Microsoft Edge, helps to defend against phishing by performing reputation checks on visited sites and blocking any sites that are thought to be phishing sites. SmartScreen also helps to defend people against being tricked into installing malicious [socially-engineered software downloads](http://operationstech.about.com/od/glossary/g/Socially-Engineered-Malware.htm and against [drive-by attacks](https://blogs.windows.com/msedgedev/2015/12/16/smartscreen-drive-by-improvements/). Drive-by attacks are malicious web-based attacks that compromise your system by targeting security vulnerabilities in commonly used software, and may be hosted on trusted sites. 
- -#### Certificate Reputation system -While people trust sites that have encrypted web traffic, that trust can be undermined by malicious sites using improperly obtained or fake certificates to impersonate legitimate sites. To help address this problem, we introduced the [Certificate Reputation system](https://blogs.msdn.com/b/ie/archive/2014/03/10/certificate-reputation-a-novel-approach-for-protecting-users-from-fraudulent-certificates.aspx) last year. This year, we’ve extended the system to let web developers use the [Bing Webmaster Tools](http://www.bing.com/toolbox/webmaster) to report directly to Microsoft to let us know about fake certificates. - -### Help against hacking -While Microsoft Edge has done much to help defend against trickery, the browser’s “engine” has also been overhauled to resist hacking (attempts to corrupt the browser itself) including a major overhaul of the DOM representation in the browser’s memory, and the security mitigations described here. - -#### Microsoft EdgeHTML and modern web standards -Microsoft Edge has a new rendering engine, Microsoft EdgeHTML, which is focused on modern standards that let web developers build and maintain a consistent site across all modern browsers. - -The Microsoft EdgeHTML engine also helps to defend against hacking through these new security standards features: - -- Support for the W3C standard for [Content Security Policy (CSP)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/content-Security-Policy), which can help web developers defend their sites against cross-site scripting attacks. - -- Support for the [HTTP Strict Transport Security (HSTS)](https://developer.microsoft.com/microsoft-edge/platform/documentation/dev-guide/security/HSTS/) security feature (IETF-standard compliant). This helps ensure that connections to important sites, such as to your bank, are always secured. - ->[!NOTE] ->Both Microsoft Edge and Internet Explorer 11 support HSTS. 
- -#### All web content runs in an app container sandbox -Internet Explorer 7 on Windows Vista was the first web browser to provide a browsing sandbox, called [Protected Mode](https://windows.microsoft.com/windows-vista/What-does-Internet-Explorer-protected-mode-do). Protected Mode forced the part of the browser that rendered web content to run with less privilege than the browser controls or the user, providing a level of isolation and protection should a malicious website attempt to exploit a bug in the browser or one of its plug-ins. - -Internet Explorer 10 introduced Enhanced Protected Mode (EPM), based on the Windows 8 app container technology, providing a stronger sandbox by adding deny-by-default and no-read-up semantics. EPM was turned on by default in the Windows 8 and Windows 8.1 immersive browser, but was optional on the Internet Explorer 10 and Internet Explorer 11 desktop versions. - -Microsoft Edge takes the sandbox even farther, running its content processes in app containers not just by default, but all of the time. Because Microsoft Edge doesn’t support 3rd party binary extensions, there’s no reason for it to run outside of the containers, ensuring that Microsoft Edge is more secure. - -#### Microsoft Edge is now a 64-bit app -The largest security change to Microsoft Edge is that it's designed like a Universal Windows app. By changing the browser to an app, it fundamentally changes the process model so that both the outer manager process and the assorted content processes all live within app container sandboxes; helping to provide the user and the platform with the [confidence](https://blogs.msdn.com/b/b8/archive/2012/05/17/delivering-reliable-and-trustworthy-metro-style-apps.aspx) provided by other Microsoft Store apps. - -##### 64-bit processes and Address Space Layout Randomization (ASLR) -Microsoft Edge runs in 64-bit not just by default, but anytime it’s running on a 64-bit operating system. 
Because Microsoft Edge doesn’t support legacy ActiveX controls or 3rd-party binary extensions, there’s no longer a reason to run 32-bit processes on a 64-bit system. - -The value of running 64-bit all the time is that it strengthens Windows Address Space Layout Randomization (ASLR). ASLR randomizes the memory layout of the browser processes, making it much harder for attackers to hit precise memory locations. In turn, 64-bit processes make ASLR much more effective by making the address space exponentially larger and, therefore, more difficult for attackers to find the sensitive memory components they’re looking for. - -#### New extension model and HTML5 support -Back in 1996, we introduced ActiveX for web browser extensions in an attempt to let 3rd parties experiment with various forms of alternate content on the web. However, we quickly learned that browser extensions can come at a cost of security and reliability. For example, binary extensions can bring code and data into the browser’s processes without any protection, meaning that if anything goes wrong, the entire browser itself can be compromised or go down. - -Based on that learning, we’ve stopped supporting binary extensions in Microsoft Edge and instead encourage everyone to use our new, scripted HTML5-based extension model. For more info about the new extensions, see the [Microsoft Edge Developer Center](https://developer.microsoft.com/microsoft-edge/extensions/). - -#### Reduced attack surfaces -In addition to removing support for VBScript, Jscript, VML, Browser Helper Objects, Toolbars, and ActiveX controls, Microsoft Edge also removed support for legacy Internet Explorer [document modes](https://msdn.microsoft.com/library/jj676915.aspx). Because many IE browser vulnerabilities are only present in legacy document modes, removing support for document modes significantly reduces attack surface, making the browser much more secure than before. However, it also means that it’s not as backward compatible. 
- -Because of the reduced backward compatibility, we’ve given Microsoft Edge the ability to automatically fall back to Internet Explorer 11, using the Enterprise Mode Site List, for any apps that need backward compatibility. - -#### Code integrity and image loading restrictions -Microsoft Edge content processes support code integrity and image load restrictions, helping to prevent malicious DLLs from loading or being injected into the content processes. Only [properly signed images](https://blogs.windows.com/msedgedev/2015/11/17/microsoft-edge-module-code-integrity/) are allowed to load into Microsoft Edge. Binaries on remote devices (such as, UNC or WebDAV) can’t be loaded. - -#### Memory corruption mitigations -Memory corruption happens most frequently to apps written in C or C++ because those languages don’t provide type safety or buffer overflow protection. Broadly speaking, memory corruption attacks happen when an attacker provides malformed input to a program and the program can’t handle it, corrupting the program’s memory state and allowing the attacker to take control of the program. - -Over the years, a broad variety of mitigations have been created around memory corruption, but even as these mitigations roll out, attackers adapt and invent new ways to attack. At the same time, we’ve responded with new memory safety defenses, mitigating the most common new forms of attack, including and especially [use-after-free (UAF)](http://cwe.mitre.org/data/definitions/416.html) vulnerabilities. - -##### Memory Garbage Collector (MemGC) mitigation -MemGC is the replacement for Memory Protector, currently turned on for both Microsoft Edge on Windows 10 and Internet Explorer 11 on Windows 7 and newer operating systems. 
MemGC is a memory garbage collection system that helps to defend the browser from UAF vulnerabilities by taking the responsibility for freeing memory away from the programmer and instead automating it, only freeing memory when the automation detects that there are no more references left pointing to a given block of memory. - -##### Control Flow Guard -Ultimately, attackers use memory corruption attacks to gain control of the CPU program counter so that they can jump to any code location they want. Control Flow Guard is a Microsoft Visual Studio technology that compiles checks around code that performs indirect jumps based on a pointer, restricting those jumps to only go to function entry points with known addresses. This makes attacker take-overs much more difficult by severely constraining where a memory corruption attack can jump to. - -#### Designed for security -We’ve spent countless hours reviewing, testing, and using Microsoft Edge to make sure that you’re more protected than ever before. - -##### Fuzzing/Static Analysis -We’ve devoted more than 670 machine-years to fuzz testing Microsoft Edge and Internet Explorer during product development, including monitoring for possible exceptions such as crashes or memory leaks. We’ve also generated more than 400-billion DOM manipulations from 1-billion HTML files. Because of all of this, hundreds of security issues were addressed before the product shipped. - -##### Code Review & Penetration Testing -Over 70 end-to-end security engagements reviewed all key features, helping to address security implementation and design issues before shipping. - -##### Windows REDTEAM -The Windows REDTEAM emulates the techniques and expertise of skilled, real-world attackers. Exploited Microsoft Edge vulnerabilities discovered through penetration testing can be addressed before public discovery and real-world exploits. - - - - - - - - - - 
diff --git a/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md b/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md
index 19e8c5a8a4..7eb5da6bd4 100644
--- a/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-a-shared-books-folder-shortdesc.md
@@ -1 +1,9 @@
-Microsoft Edge does not use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the Allow a Windows app to share application data between users group policy. Also, the users must be signed in with a school or work account.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+Microsoft Edge does not use a shared folder by default but downloads book files to a per-user folder for each user. With this policy, you can configure Microsoft Edge to store books from the Books Library to a default, shared folder in Windows, which decreases the amount of storage used by book files. When you enable this policy, Microsoft Edge downloads books to a shared folder after user action to download the book to their device, which allows them to remove downloaded books at any time. For this policy to work correctly, you must also enable the **Allow a Windows app to share application data between users** group policy. Also, the users must be signed in with a school or work account.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md b/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md
index 4a49c8dc67..d970c98301 100644
--- a/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-address-bar-drop-down-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge shows the Address bar drop-down list and makes it available by default, which takes precedence over the Configure search suggestions in Address bar policy. We recommend disabling this policy if you want to minimize network connections from Microsoft Edge to Microsoft service, which hides the functionality of the Address bar drop-down list. When you disable this policy, Microsoft Edge also disables the _Show search and site suggestions as I type_ toggle in Settings.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md b/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md
index 6c0c3cf0be..a06ece3f82 100644
--- a/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-adobe-flash-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Adobe Flash is integrated with Microsoft Edge and runs Adobe Flash content by default. With this policy, you can configure Microsoft Edge to prevent Adobe Flash content from running.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md b/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md
index 31127ca2d7..75e6fa71ed 100644
--- a/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-clearing-browsing-data-on-exit-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge does not clear the browsing data on exit by default, but users can configure the _Clear browsing data_ option in Settings. Browsing data includes information you entered in forms, passwords, and even the websites visited. With this policy, you can configure Microsoft Edge to clear the browsing data automatically each time Microsoft Edge closes.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md b/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md
index e5fd1dde74..69f981f0d4 100644
--- a/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-configuration-updates-for-books-library-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge automatically updates the configuration data for the Books library. Disabling this policy prevents Microsoft Edge from updating the configuration data. If Microsoft receives feedback about the amount of data about the Books library, the data comes as a JSON file.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-cortana-shortdesc.md b/browsers/edge/shortdesc/allow-cortana-shortdesc.md
index 2857a93d27..cc694ab73b 100644
--- a/browsers/edge/shortdesc/allow-cortana-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-cortana-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Since Microsoft Edge is integration with Cortana, Microsoft Edge allows users to use Cortana voice assistant by default. With this policy, you can configure Microsoft Edge to prevent users from using Cortana but can still search to find items on their device.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md b/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md
index b9bab04325..ef095e5733 100644
--- a/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-developer-tools-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge allows users to use the F12 developer tools to build and debug web pages by default. With this policy, you can configure Microsoft Edge to prevent users from using the F12 developer tools.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md b/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md
index 1c11de47c0..1bbf337754 100644
--- a/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-extended-telemetry-for-books-tab-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, and depending on the device configuration, Microsoft Edge gathers basic diagnostic data about the books in the Books Library and sends it to Microsoft. Enabling this policy gathers and sends both basic and additional diagnostic data, such as usage data.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-extensions-shortdesc.md b/browsers/edge/shortdesc/allow-extensions-shortdesc.md
index 2d1f8ec802..41849af3ef 100644
--- a/browsers/edge/shortdesc/allow-extensions-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-extensions-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge allows users to add or personalize extensions in Microsoft Edge by default. With this policy, you can configure Microsoft to prevent users from adding or personalizing extensions.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md b/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md
index 0ce0f11a60..6f37d4a659 100644
--- a/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md
@@ -1 +1,9 @@
-Microsoft Edge allows full-screen mode by default, which shows only the web content and hides the Microsoft Edge UI. When allowing full-screen mode, users and extensions must have the proper permissions. Disabling this policy prevents full-screen mode in Microsoft Edge.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+Microsoft Edge allows fullscreen mode by default, which shows only the web content and hides the Microsoft Edge UI. When allowing fullscreen mode, users and extensions must have the proper permissions. Disabling this policy prevents fullscreen mode in Microsoft Edge.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md b/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md
index 75def749bb..0171d9c8a5 100644
--- a/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-inprivate-browsing-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, Microsoft Edge allows InPrivate browsing, and after closing all InPrivate tabs, Microsoft Edge deletes the browsing data from the device. With this policy, you can configure Microsoft Edge to prevent InPrivate web browsing.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md b/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md
index a56056d3e9..769d1ee379 100644
--- a/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-microsoft-compatibility-list-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 During browser navigation, Microsoft Edge checks the Microsoft Compatibility List for websites with known compatibility issues. If found, users are prompted to use Internet Explorer, where the site loads and displays correctly. Periodically during browser navigation, Microsoft Edge downloads the latest version of the list and applies the updates. With this policy, you can configure Microsoft Edge to ignore the compatibility list. You can view the compatibility list at about:compat.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md b/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md
index 405fca5e9c..3d939db8c0 100644
--- a/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-prelaunch-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge pre-launches as a background process during Windows startup when the system is idle waiting to be launched by the user. Pre-launching helps the performance of Microsoft Edge and minimizes the amount of time required to start Microsoft Edge. You can also configure Microsoft Edge to prevent from pre-launching.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-printing-shortdesc.md b/browsers/edge/shortdesc/allow-printing-shortdesc.md
index 5abb3b7dc7..b9e4cf691f 100644
--- a/browsers/edge/shortdesc/allow-printing-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-printing-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge allows users to print web content by default. With this policy, you can configure Microsoft Edge to prevent users from printing web content.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-saving-history-shortdesc.md b/browsers/edge/shortdesc/allow-saving-history-shortdesc.md
index bec7172c23..e37a1e9bfc 100644
--- a/browsers/edge/shortdesc/allow-saving-history-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-saving-history-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge saves the browsing history of visited websites and shows them in the History pane by default. Disabling this policy prevents Microsoft Edge from saving the browsing history. If browsing history existed before disabling this policy, the previous browsing history remains in the History pane. Disabling this policy does not stop roaming of existing browsing history or browsing history from other devices.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md b/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md
index 2b4e25a7c3..e94443a99b 100644
--- a/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-search-engine-customization-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, users can add new search engines or change the default search engine, in Settings. With this policy, you can prevent users from customizing the search engine in Microsoft Edge.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md b/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md
index bb723ab0c6..e9e9fd0512 100644
--- a/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, Microsoft Edge allows sideloading, which installs and runs unverified extensions. Disabling this policy prevents sideloading of extensions but does not prevent sideloading using Add-AppxPackage via PowerShell. You can only install extensions through Microsoft store (including a store for business), enterprise storefront (such as Company Portal) or PowerShell (using Add-AppxPackage).
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md b/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md
index 3b245ca258..b276822d74 100644
--- a/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md
@@ -1 +1,9 @@
-Microsoft Edge allows preloading of the Start and New tab pages during Windows sign in, and each time Microsoft Edge closes by default. Preloading minimizes the amount of time required to start Microsoft Edge and load a new tab. With this policy, you can configure Microsoft Edge to prevent preloading of tabs.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+Microsoft Edge allows preloading of the Start and New Tab pages during Windows sign in, and each time Microsoft Edge closes by default. Preloading minimizes the amount of time required to start Microsoft Edge and load a new tab. With this policy, you can configure Microsoft Edge to prevent preloading of tabs.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md b/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md
index bad40654c0..9c8dea176e 100644
--- a/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md
@@ -1 +1,9 @@
-By default, Microsoft Edge loads the default New tab page. Disabling this policy loads a blank page instead of the New tab page and prevents users from changing it. Not configuring this policy lets users choose what loads on the New tab page.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+By default, Microsoft Edge loads the default New Tab page. Disabling this policy loads a blank page instead of the New Tab page and prevents users from changing it. Not configuring this policy lets users choose what loads on the New Tab page.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md b/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md
index 7ec95879df..86ac25c632 100644
--- a/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md
+++ b/browsers/edge/shortdesc/allow-windows-app-to-share-data-users-shortdesc.md
@@ -1 +1,9 @@
-With this policy, you can configure Windows 10 to share application data among multiple users on the system and with other instances of that app. Data is shared through the SharedLocal folder, which is available through the Windows.Storage API. If you previously enabled this policy and now want to disable it, any shared app data remains in the SharedLocal folder.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+With this policy, you can configure Windows 10 to share application data among multiple users on the system and with other instances of that app. Data shared through the SharedLocal folder is available through the Windows.Storage API. If you previously enabled this policy and now want to disable it, any shared app data remains in the SharedLocal folder.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/always-show-books-library-shortdesc.md b/browsers/edge/shortdesc/always-show-books-library-shortdesc.md
index 9a382427fa..a91b389923 100644
--- a/browsers/edge/shortdesc/always-show-books-library-shortdesc.md
+++ b/browsers/edge/shortdesc/always-show-books-library-shortdesc.md
@@ -1 +1,9 @@
-Microsoft Edge shows the Books Library only in countries or regions where supported. With this policy you can configure Microsoft Edge to show the Books Library regardless of the device’s country or region.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+Microsoft Edge shows the Books Library only in countries or regions where supported. With this policy, you can configure Microsoft Edge to show the Books Library regardless of the device’s country or region.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md b/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md
index c68642520a..39961b4f01 100644
--- a/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-additional-search-engines-shortdesc.md
@@ -1 +1,9 @@
-By default, users cannot add, remove, or change any of the search engines in Microsoft Edge, but they can set a default search engine. You can set the default search engine using the Set default search engine policy. With this policy, you can configure up to five additional search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+By default, users cannot add, remove, or change any of the search engines in Microsoft Edge, but they can set a default search engine. You can set the default search engine using the Set default search engine policy. However, with this policy, you can configure up to five additional search engines and set any one of them as the default. If you previously enabled this policy and now want to disable it, disabling deletes all configured search engines.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md b/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md
index c58d446834..d0be48cb2b 100644
--- a/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-adobe-flash-click-to-run-setting-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge supports Adobe Flash as a built-in feature rather than as an external add-on and updates automatically via Windows Update. By default, Microsoft Edge prevents Adobe Flash content from loading automatically, requiring action from the user, for example, clicking the **Click-to-Run** button. Depending on how often the content loads and runs, the sites for the content gets added to the auto-allowed list. Disable this policy if you want Adobe Flash content to load automatically.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-allow-flash-for-url-list-shortdesc.md b/browsers/edge/shortdesc/configure-allow-flash-for-url-list-shortdesc.md
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/browsers/edge/shortdesc/configure-autofill-shortdesc.md b/browsers/edge/shortdesc/configure-autofill-shortdesc.md
index 247308fee8..1688989ef7 100644
--- a/browsers/edge/shortdesc/configure-autofill-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-autofill-shortdesc.md
@@ -1 +1,9 @@
-By default, users can choose to use the Autofill feature to automatically populate the form fields. With this policy, you can configure Microsoft Edge, when enabled to use Autofill or, when disabled to prevent using Autofill.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+By default, users can choose to use the Autofill feature to populate the form fields automatically. With this policy, you can configure Microsoft Edge, when enabled to use Autofill or, when disabled to prevent using Autofill.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md b/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md
index 6a9cce12e0..32abbdf60a 100644
--- a/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge does not send browsing history data to Microsoft 365 Analytics by default. With this policy though, you can configure Microsoft Edge to send intranet history only, internet history only, or both to Microsoft 365 Analytics for enterprise devices with a configured Commercial ID.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-cookies-shortdesc.md b/browsers/edge/shortdesc/configure-cookies-shortdesc.md
index a35c4d0f31..ea5cb7e557 100644
--- a/browsers/edge/shortdesc/configure-cookies-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-cookies-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge allows all cookies from all websites by default. With this policy, you can configure Microsoft to block only 3rd-party cookies or block all cookies.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md b/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md
index d3026c51e7..f9de9cd2ec 100644
--- a/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-do-not-track-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge does not send ‘Do Not Track’ requests to websites asking for tracking information, but users can choose to send tracking information to sites they visit. With this policy, you can configure Microsoft Edge to send or never send tracking information.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md b/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md
index 80383e4f0a..fd49f0e0c9 100644
--- a/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-enterprise-mode-site-list-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge does not support ActiveX controls, Browser Helper Objects, VBScript, or other legacy technology. If you have sites or apps that use this technology, you can configure Microsoft Edge to check the Enterprise Mode Site List XML file that lists the sites and domains with compatibility issues and switch to IE11 automatically. You can use the same site list for both Microsoft Edge and IE11, or you can use separate lists. By default, Microsoft Edge ignores the Enterprise Mode and the Enterprise Mode Site List XML file. In this case, users might experience problems while using legacy apps. These sites and domains must be viewed using Internet Explorer 11 and Enterprise Mode.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md b/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md
index 4536456e59..0303f69e10 100644
--- a/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md
@@ -1 +1,9 @@
-Microsoft Edge hides the favorites bar by default but shows the favorites bar on the Start and New tab pages. Also, by default, the favorites bar toggle, in Settings, is set to Off but enabled allowing users to make changes. With this policy, you can configure Microsoft Edge to either show or hide the favorites bar on all pages.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+Microsoft Edge hides the favorites bar by default but shows it on the Start and New Tab pages. Also, by default, the Favorites Bar toggle, in Settings, is set to Off but enabled letting users make changes. With this policy, you can configure Microsoft Edge to either show or hide the Favorites Bar on all pages.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-favorites-shortdesc.md b/browsers/edge/shortdesc/configure-favorites-shortdesc.md
index c5bfae7541..ae90afc8af 100644
--- a/browsers/edge/shortdesc/configure-favorites-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-favorites-shortdesc.md
@@ -1 +1,9 @@
-Discontinued in Windows 10, version 1810. Use the **[Provision Favorites](../available-policies.md#provision-favorites)** policy instead.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+Discontinued in Windows 10, version 1809. Use the **[Provision Favorites](../available-policies.md#provision-favorites)** policy instead.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-home-button-shortdesc.md b/browsers/edge/shortdesc/configure-home-button-shortdesc.md
index 8f31b8505f..7a0260f8ea 100644
--- a/browsers/edge/shortdesc/configure-home-button-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-home-button-shortdesc.md
@@ -1 +1,9 @@
-Microsoft Edge shows the home button and by clicking it the Start page loads by default. With this policy, you can configure the home button to load the New tab page or a URL defined in the Set Home Button URL policy. You can also configure Microsoft Edge to hide the home button.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+Microsoft Edge shows the home button and by clicking it the Start page loads by default. With this policy, you can configure the home button to load the New Tab page or a URL defined in the Set Home Button URL policy. You can also configure Microsoft Edge to hide the home button.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-inprivate-shortdesc.md b/browsers/edge/shortdesc/configure-inprivate-shortdesc.md
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md b/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md
index a0e1cbf398..6515189a19 100644
--- a/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md
@@ -1 +1,9 @@
-Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single-app or as one of many apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal Microsoft Edge.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+Configure how Microsoft Edge behaves when it’s running in kiosk mode with assigned access, either as a single-app or as one of many apps running on the kiosk device. You can control whether Microsoft Edge runs InPrivate full screen, InPrivate multi-tab with limited functionality, or normal browsing in Microsoft Edge.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md b/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md
index 4772d2d2dd..3bcba1b944 100644
--- a/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 You can configure Microsoft Edge kiosk mode to reset to the configured start experience after a specified amount of idle time in minutes (0-1440). The reset timer begins after the last user interaction. Once the idle time meets the time specified, a confirmation message prompts the user to continue, and if no user action, Microsoft Edge kiosk mode resets after 30 seconds. Resetting to the configured start experience deletes the current user’s browsing data.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md b/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md
index 7383d68455..5bf099b3ca 100644
--- a/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md
@@ -1 +1,9 @@
-By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allow users to make changes. With this policy, you can configure Microsoft Edge to load either the Start page, New tab page, previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, don’t configure the Disable Lockdown of Start Pages policy.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+By default, Microsoft Edge loads a specific page or pages defined in the Configure Start Pages policy and allow users to make changes. With this policy, you can configure Microsoft Edge to load either the Start page, New Tab page, previously opened pages. You can also configure Microsoft Edge to prevent users from changing or customizing the Start page. For this policy to work correctly, you must also configure the Configure Start Pages. If you want to prevent users from making changes, don’t configure the Disable Lockdown of Start Pages policy.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-password-manager-shortdesc.md b/browsers/edge/shortdesc/configure-password-manager-shortdesc.md
index 63a62cfff5..0f77b004ba 100644
--- a/browsers/edge/shortdesc/configure-password-manager-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-password-manager-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, Microsoft Edge uses Password Manager automatically, allowing users to manager passwords locally. Disabling this policy restricts Microsoft Edge from using Password Manager. Don’t configure this policy if you want to let users choose to save and manage passwords locally using Password Manager.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md b/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md
index e89395a2ab..18d5e9bf38 100644
--- a/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-pop-up-blocker-shortdesc.md
@@ -1 +1,10 @@
-Microsoft Edge turns off Pop-up Blocker allowing pop-up windows to appear. Enabling this policy turns on Pop-up Blocker stopping pop-up windows from appearing. Don’t configure this policy to let users choose to use Pop-up Blocker.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+By default, Microsoft Edge turns off Pop-up Blocker, which opens pop-up windows. Enabling this policy turns on Pop-up Blocker preventing pop-up windows from opening. If you want users to choose to use Pop-up Blocker, don’t configure this policy.
+
diff --git a/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md b/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md
index e95e652f45..f9e057b6a5 100644
--- a/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-search-suggestions-in-address-bar-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, users can choose to see search suggestions in the Address bar of Microsoft Edge. Disabling this policy hides the search suggestions and enabling this policy shows the search suggestions.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-start-pages-shortdesc.md b/browsers/edge/shortdesc/configure-start-pages-shortdesc.md
index f027fdb17e..f9b5185f3d 100644
--- a/browsers/edge/shortdesc/configure-start-pages-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-start-pages-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, Microsoft Edge loads the pages specified in App settings as the default Start pages. With this policy, you can configure one or more Start pages when you enable this policy and enable the Configure Open Microsoft Edge With policy. Once you set the Start pages, either in this policy or Configure Open Microsoft Edge With policy, users cannot make changes.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md b/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md
index 752f554dca..58dfd6be9a 100644
--- a/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md
+++ b/browsers/edge/shortdesc/configure-windows-defender-smartscreen-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge uses Windows Defender SmartScreen (turned on) to protect users from potential phishing scams and malicious software by default. Also, by default, users cannot disable (turn off) Windows Defender SmartScreen. Enabling this policy turns off Windows Defender SmartScreen and prevent users from turning it on. Don’t configure this policy to let users choose to turn Windows defender SmartScreen on or off.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md b/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md
index 9286227f0e..e0c635c0c7 100644
--- a/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md
+++ b/browsers/edge/shortdesc/disable-lockdown-of-start-pages-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, the Start pages configured in either the Configure Start Pages policy or Configure Open Microsoft Edge policies cannot be changed and remain locked down. Enabling this policy unlocks the Start pages, and lets users make changes to either all configured Start page or any Start page configured with the Configure Start pages policy.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md b/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md
index 5e485a0200..93ecd60efe 100644
--- a/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md
+++ b/browsers/edge/shortdesc/do-not-sync-browser-settings-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, the “browser” group syncs automatically between user’s devices and allowing users to choose to make changes. The “browser” group uses the _Sync your Settings_ option in Settings to sync information like history and favorites. Enabling this policy prevents the “browser” group from using the Sync your Settings option. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/do-not-sync-shortdesc.md b/browsers/edge/shortdesc/do-not-sync-shortdesc.md
index 69425a77f3..5902fb6656 100644
--- a/browsers/edge/shortdesc/do-not-sync-shortdesc.md
+++ b/browsers/edge/shortdesc/do-not-sync-shortdesc.md
@@ -1 +1,9 @@
-By default, Microsoft Edge turns on the Sync your Settings toggle in Settings and let users choose what to sync on their device. Enabling this policy turns off and disables the Sync your Settings toggle in Settings, preventing syncing of user’s settings between their devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable this policy and select the _Allow users to turn syncing on_ option in this policy.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+By default, Microsoft Edge turns on the _Sync your settings_ toggle in **Settings > Device sync settings** letting users choose what to sync on their devices. Enabling this policy turns off and disables the _Sync your settings_ toggle preventing the syncing of user’s settings between their devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable this policy and select the _Allow users to turn syncing on_ option.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md b/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md
index 71de365bde..981ef9d876 100644
--- a/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md
+++ b/browsers/edge/shortdesc/keep-favorites-in-sync-between-ie-and-edge-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, Microsoft Edge does not sync the user’s favorites between IE and Microsoft Edge. Enabling this policy syncs favorites between Internet Explorer and Microsoft Edge. Changes to favorites in one browser reflect in the other, including additions, deletions, modifications, and ordering of favorites.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md
index 132291b931..95116f7ddc 100644
--- a/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md
+++ b/browsers/edge/shortdesc/microsoft-browser-extension-policy-shortdesc.md
@@ -1 +1,9 @@
-This document describes the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+In this topic, we describe the supported mechanisms for extending or modifying the behavior or user experience of Microsoft Edge and Internet Explorer, or the content displayed by these browsers. Any technique not explicitly listed in this document is considered **unsupported**.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md b/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md
index b13677be33..518f94bdea 100644
--- a/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md
+++ b/browsers/edge/shortdesc/prevent-access-to-about-flags-page-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, users can access the about:flags page in Microsoft Edge, which is used to change developer settings and enable experimental features. Enabling this policy prevents users from accessing the about:flags page.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md
index 135bd4f574..6330b51213 100644
--- a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md
+++ b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-files-shortdesc.md
@@ -1 +1,9 @@
-By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious files, allowing them to continue downloading unverified file(s). Enabling this policy prevents users from bypassing the warnings, blocking them from downloading of unverified file(s).
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious files, allowing them to continue downloading the unverified file(s). Enabling this policy prevents users from bypassing the warnings, blocking them from downloading of the unverified file(s).
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md
index 56a2ecdd15..d5eaea4a31 100644
--- a/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md
+++ b/browsers/edge/shortdesc/prevent-bypassing-windows-defender-prompts-for-sites-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, Microsoft Edge allows users to bypass (ignore) the Windows Defender SmartScreen warnings about potentially malicious sites, allowing them to continue to the site. With this policy though, you can configure Microsoft Edge to prevent users from bypassing the warnings, blocking them from continuing to the site.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md b/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md
index 0d4351e0cb..156b1bb385 100644
--- a/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md
+++ b/browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md
@@ -1 +1,9 @@
-Web security certificates are used to ensure a site that users go to is legitimate, and in some circumstances, encrypts the data. By default, Microsoft Edge allows overriding of the security warnings to sites that have SSL errors, bypassing or ignoring certificate errors. Enabling this policy prevents overriding of the security warnings.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+Microsoft Edge, by default, allows overriding of the security warnings to sites that have SSL errors, bypassing or ignoring certificate errors. Enabling this policy prevents overriding of the security warnings.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md b/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md
index 195318866f..78c77baf42 100644
--- a/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md
+++ b/browsers/edge/shortdesc/prevent-changes-to-favorites-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, users can add, import, and make changes to the Favorites list in Microsoft Edge. Enabling this policy locks down the Favorites list in Microsoft Edge, preventing users from making changes. When enabled, Microsoft Edge turns off the Save a Favorite, Import settings, and context menu items, such as Create a new folder. Enable only this policy or the Keep favorites in sync between Internet Explorer and Microsoft Edge policy. If you enable both, Microsoft Edge prevents users from syncing their favorites between the two browsers.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md b/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md
index 4be519322f..87d3b927ed 100644
--- a/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md
+++ b/browsers/edge/shortdesc/prevent-edge-from-gathering-live-tile-info-shortdesc.md
@@ -1 +1,9 @@
-By default, Microsoft Edge collects the Live Tile metadata and sends it to Microsoft to help provide users a more complete experience when they pin Live Tiles to the Start menu. However, with this policy, you can configure Microsoft Edge to prevent Microsoft from collecting Live Tile metadata, providing users a limited experience.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+By default, Microsoft Edge collects the Live Tile metadata and sends it to Microsoft to help provide users a complete experience when they pin Live Tiles to the Start menu. However, with this policy, you can configure Microsoft Edge to prevent Microsoft from collecting Live Tile metadata, providing users with a limited experience.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md b/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md
index f587cc839c..af24d3583b 100644
--- a/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md
+++ b/browsers/edge/shortdesc/prevent-first-run-webpage-from-opening-shortdesc.md
@@ -1 +1,9 @@
-By default, when launching Microsoft Edge for the first time, the First Run webpage (a welcome page) hosted on Microsoft.com loads automatically via a FWLINK. The welcome page lists the new features and helpful tips of Microsoft Edge. With this policy, you can configure Microsoft Edge to prevent loading the welcome page on first explicit user-launch.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+By default, when launching Microsoft Edge for the first time, the First Run webpage (a welcome page) hosted on Microsoft.com loads automatically via an FWLINK. The welcome page lists the new features and helpful tips of Microsoft Edge. With this policy, you can configure Microsoft Edge to prevent loading the welcome page on first explicit user-launch.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md b/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md
index e428d938ed..7875990600 100644
--- a/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md
+++ b/browsers/edge/shortdesc/prevent-turning-off-required-extensions-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge allows users to uninstall extensions by default. Enabling this policy prevents users from uninstalling extensions but lets them configure options for extensions defined in this policy, such as allowing InPrivate browsing. Any additional permissions requested by future updates of the extension gets granted automatically. If you enabled this policy and now you want to disable it, the list of extension package family names (PFNs) defined in this policy get ignored after disabling this policy.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md b/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md
index 1211a69dfa..daa02c5729 100644
--- a/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md
+++ b/browsers/edge/shortdesc/prevent-users-to-turn-on-browser-syncing-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, the “browser” group syncs automatically between the user’s devices, letting users make changes. With this policy, though, you can prevent the “browser” group from syncing and prevent users from turning on the _Sync your Settings_ toggle in Settings. If you want syncing turned off by default but not disabled, select the _Allow users to turn “browser” syncing_ option in the Do not sync browser policy. For this policy to work correctly, you must enable the Do not sync browser policy.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md b/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
index defb76bdf5..4ba3bff11a 100644
--- a/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
+++ b/browsers/edge/shortdesc/prevent-using-localhost-ip-address-for-webrtc-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, Microsoft Edge shows localhost IP address while making calls using the WebRTC protocol. Enabling this policy hides the localhost IP addresses.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/provision-favorites-shortdesc.md b/browsers/edge/shortdesc/provision-favorites-shortdesc.md
index 7f02b200c8..e2ed5da50f 100644
--- a/browsers/edge/shortdesc/provision-favorites-shortdesc.md
+++ b/browsers/edge/shortdesc/provision-favorites-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, users can customize the Favorites list in Microsoft Edge. With this policy though, you provision a standard list of favorites, which can include folders, to appear in the Favorites list in addition to the user’s favorites. Edge. Once you provision the Favorites list, users cannot customize it, such as adding folders for organizing, and adding or removing any of the favorites configured.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md b/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md
index c5684bc753..454549bffe 100644
--- a/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md
+++ b/browsers/edge/shortdesc/search-provider-discovery-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 Microsoft Edge follows the OpenSearch 1.1 specification to discover and use web search providers. When a user browses to a search service, the OpenSearch description is picked up and saved for later use. Users can then choose to add the search service to use in the Microsoft Edge address bar.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md b/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md
index 296965ba86..79dfd220c1 100644
--- a/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md
+++ b/browsers/edge/shortdesc/send-all-intranet-sites-to-ie-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, all websites, including intranet sites, open in Microsoft Edge automatically. Only enable this policy if there are known compatibility problems with Microsoft Edge. Enabling this policy loads only intranet sites in Internet Explorer 11 automatically.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md b/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md
index 839e07428b..c9d57f2140 100644
--- a/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md
+++ b/browsers/edge/shortdesc/set-default-search-engine-shortdesc.md
@@ -1 +1,9 @@
-By default, Microsoft Edge uses the default search engine specified in App settings. In this case, users can make changes to the default search engine at any time unless the Allow search engine customization policy is disabled, which restricts users from making any changes. Disabling this policy removes the policy-set search engine and uses the Microsoft Edge specified engine for the market. Enabling this policy uses the policy-set search engine specified in the OpenSearch XML file, prevent users from changing the default search engine.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+By default, Microsoft Edge uses the search engine specified in App settings, letting users make changes at any time unless the Allow search engine customization policy is disabled, which restricts users from making changes. With this policy, you can either remove or use the policy-set search engine. When you remove the policy-set search engine, Microsoft Edge uses the specified search engine for the market, which lets users make changes to the default search engine. You can use the policy-set search engine specified in the OpenSearch XML, which prevents users from making changes.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/set-home-button-url-shortdesc.md b/browsers/edge/shortdesc/set-home-button-url-shortdesc.md
index 80b7cf8040..98fcc7aef2 100644
--- a/browsers/edge/shortdesc/set-home-button-url-shortdesc.md
+++ b/browsers/edge/shortdesc/set-home-button-url-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, Microsoft Edge shows the home button and loads the Start page, and locks down the home button to prevent users from changing what page loads. Enabling this policy loads a custom URL for the home button. When you enable this policy, and enable the Configure Home Button policy with the _Show home button & set a specific page_ option selected, a custom URL loads when the user clicks the home button.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md b/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md
index 35ae30c337..9f27db97ce 100644
--- a/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md
+++ b/browsers/edge/shortdesc/set-new-tab-url-shortdesc.md
@@ -1 +1,9 @@
-Microsoft Edge loads the default New tab page by default. Enabling this policy lets you set a New tab page URL in Microsoft Edge, preventing users from changing it. When you enable this policy, and you disable the Allow web content on New tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank.
\ No newline at end of file
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
+Microsoft Edge loads the default New Tab page by default. Enabling this policy lets you set a New Tab page URL in Microsoft Edge, preventing users from changing it. When you enable this policy, and you disable the Allow web content on New Tab page policy, Microsoft Edge ignores any URL specified in this policy and opens about:blank.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/shortdesc-test.md b/browsers/edge/shortdesc/shortdesc-test.md
index 2c796253ef..c1d657d88b 100644
--- a/browsers/edge/shortdesc/shortdesc-test.md
+++ b/browsers/edge/shortdesc/shortdesc-test.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 UI settings for the home button are disabled preventing your users from making changes
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md b/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md
index 80e4360bb0..a15e780afe 100644
--- a/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md
+++ b/browsers/edge/shortdesc/show-message-when-opening-sites-in-ie-shortdesc.md
@@ -1 +1,8 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
 Microsoft Edge does not show a notification before opening sites in Internet Explorer 11. However, with this policy, you can configure Microsoft Edge to display a notification before a site opens in IE11 or let users continue in Microsoft Edge. If you want users to continue in Microsoft Edge, enable this policy to show the _Keep going in Microsoft Edge_ link in the notification. For this policy to work correctly, you must also enable the Configure the Enterprise Mode Site List or Send all intranet sites to Internet Explorer 11, or both.
\ No newline at end of file
diff --git a/browsers/edge/shortdesc/unlock-home-button-shortdesc.md b/browsers/edge/shortdesc/unlock-home-button-shortdesc.md
index aff697e8f0..d412d67e72 100644
--- a/browsers/edge/shortdesc/unlock-home-button-shortdesc.md
+++ b/browsers/edge/shortdesc/unlock-home-button-shortdesc.md
@@ -1 +1,9 @@
+---
+author: shortpatti
+ms.author: pashort
+ms.date: 10/02/2018
+ms.prod: edge
+ms:topic: include
+---
+
 By default, when you enable the Configure Home Button policy or provide a URL in the Set Home Button URL policy, Microsoft Edge locks down the home button to prevent users from changing the settings. When you enable this policy, users can make changes to the home button even if you enabled the Configure Home Button or Set Home Button URL policies.
\ No newline at end of file
diff --git a/browsers/edge/use-powershell-to manage-group-policy.md b/browsers/edge/use-powershell-to manage-group-policy.md
new file mode 100644
index 0000000000..b4a16608e7
--- /dev/null
+++ b/browsers/edge/use-powershell-to manage-group-policy.md
@@ -0,0 +1,27 @@
+---
+title: Use Windows PowerShell to manage group policy
+description:
+ms.prod: edge
+ms.mktglfcycl: explore
+ms.sitesec: library
+ms.pagetype: security
+title: Security enhancements for Microsoft Edge (Microsoft Edge for IT Pros)
+ms.localizationpriority: medium
+ms.date: 10/02/2018
+ms.author: pashort
+author: shortpatti
+---
+
+# Use Windows PowerShell to manage group policy
+
+Windows PowerShell supports group policy automation of the same tasks you perform in Group Policy Management Console (GPMC) for domain-based group policy objects (GPOs):
+
+- Maintain GPOs (GPO creation, removal, backup, and import)
+- Associate GPOs with Active Directory service containers (group policy link creation, update, and removal)
+- Set permissions on GPOs
+- Modify inheritance flags on Active Directory organization units (OUs) and domains
+- Configure registry-based policy settings and group policy preferences registry settings (update, retrieval, and removal)
+- Create starter GPOs
+
+
+
diff --git a/browsers/includes/available-duel-browser-experiences-include.md b/browsers/includes/available-duel-browser-experiences-include.md
index 175646f824..3ea0832564 100644
--- a/browsers/includes/available-duel-browser-experiences-include.md +++ b/browsers/includes/available-duel-browser-experiences-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ## Available dual-browser experiences Based on the size of your legacy web app dependency, determined by the data collected with [Windows Upgrade Analytics](https://blogs.windows.com/windowsexperience/2016/09/26/new-windows-10-and-office-365-features-for-the-secure-productive-enterprise/), there are several options from which you can choose to configure your enterprise browsing environment: diff --git a/browsers/includes/configuration-options.md b/browsers/includes/configuration-options.md deleted file mode 100644 index 2b2516dfe2..0000000000 --- a/browsers/includes/configuration-options.md +++ /dev/null @@ -1,11 +0,0 @@ -## Configuration options -You can make changes to your deployment through the software management system you have chosen. - -### Choosing an update channel - -### Configure policies using Group Policy Editor - -### Configure policies using Registry Editor - -### Configure policies using Intune - diff --git a/browsers/includes/control-browser-content.md b/browsers/includes/control-browser-content.md deleted file mode 100644 index e32eda17a8..0000000000 --- a/browsers/includes/control-browser-content.md +++ /dev/null @@ -1,18 +0,0 @@ -## Controlling browser content -This section explains how to control content in the browser. - -### Configure Pop-up Blocker -[configure-pop-up-blocker-include](../edge/includes/configure-pop-up-blocker-include.md) - -### Allow exentions -[allow-extensions-include](../edge/includes/allow-extensions-include.md) - -[send-all-intranet-sites-ie-include](../edge/includes/send-all-intranet-sites-ie-include.md) - -[keep-fav-sync-ie-edge-include](../edge/includes/keep-fav-sync-ie-edge-include.md) - -extensions -javascript -Tracking your browser: -- Do not track - 
diff --git a/browsers/includes/control-browsing-behavior.md b/browsers/includes/control-browsing-behavior.md deleted file mode 100644 index 067eba3f7d..0000000000 --- a/browsers/includes/control-browsing-behavior.md +++ /dev/null 
@@ -1,90 +0,0 @@ - -# Control browsing behavior -This section explains how to contol the behavior of Microsoft Edge in certain circumstances. Besides changing how sites deplay and the look and feel of the browser itself, you can also change how the browser behaves, for example, you can change the settings for security. - - - -## Security settings - -## Cookies - -[configure-cookies-include](../edge/includes/configure-cookies-include.md) - -## Search engine settings -...shortdesc of search engines...how admins can control the default search engine... - -### Allow address bar suggestions -[allow-address-bar-suggestions-include](../edge/includes/allow-address-bar-suggestions-include.md) - -[configure-search-suggestions-address-bar-include](../edge/includes/configure-search-suggestions-address-bar-include.md) - -[allow-search-engine-customization-include](../edge/includes/allow-search-engine-customization-include.md) - -[configure-additional-search-engines-include](../edge/includes/configure-additional-search-engines-include.md) - -[set-default-search-engine-include](../edge/includes/set-default-search-engine-include.md) - - - - -## Extensions -Extensions allow you to add features and functionality directly into the browser itself. Choose from a range of extensions from the Microsoft Store. - - - -[Allow Extensions](../edge/available-policies.md#allow-extensions) - -[allow-sideloading-extensions-include](../edge/includes/allow-sideloading-extensions-include.md) - -[prevent-turning-off-required-extensions-include](../edge/includes/prevent-turning-off-required-extensions-include.md) - -## Home button settings -The Home page... - - -### Scenarios -You can specify www.bing.com or www.google.com as the startup pages for Microsoft Edge using "HomePages" (MDM) or Configure Start Pages (GP). You can also enable the Disable Lockdown of Start pages (GP) policy or set the the DisableLockdownOfStartPages (MDM) setting to 1 allowing users to change the Microsoft Edge start options. 
Additionally, you can enable the Disable Lockdown of Start Pages or set the DisableLockdownOfStartPages to 2 locking down the IT-provided URLs, but allowing users to add or remove additional URLs. Users cannot switch Startup setting to another, for example, to load New Tab page or "previous pages" at startup. - -### Configuration combinations - -| **Configure Home Button** | **Set Home Button URL** | **Unlock Home Button** | **Results** | -|---------------------------------|-------------------------|------------------------|---------------------------------| -| Not configured (0/Null default) | N/A | N/A | Shows home button and loads the Start page. | -| Enabled (1) | N/A | Disabled (0 default) | Shows home button, loads the New tab page, and prevent users from making changes to it. | -| Enabled (1) | N/A | Disabled (0 default) | Shows home button, loads the New tab page, and let users from making changes to it. | -| Enabled (2) | Enabled | Disabled (0 default) | Shows home button, loads custom URL defined in the Set Home Button URL policy, prevent users from changing what page loads. | -| Enabled (2) | Enabled | Enabled | Shows home button, loads custom URL defined in the Set Home Button URL policy, and allow users to change what page loads. | -| Enabled (3) | N/A | N/A | Hides home button. 
| ---- - -[configure-home-button-include](configure-home-button-include.md) - -[set-home-button-url-include](set-home-button-url-include.md) - -[unlock-home-button-include](unlock-home-button-include.md) - -## Start page settings - -[configure-start-pages-include](configure-start-pages-include.md) - -[disable-lockdown-of-start-pages-include](disable-lockdown-of-start-pages-include.md) - - - -## New Tab page settings - -[set-new-tab-url-include](set-new-tab-url-include.md) - -[allow-web-content-new-tab-page-include](allow-web-content-new-tab-page-include.md) - - -## Exit tasks - -[allow-clearing-browsing-data-include](allow-clearing-browsing-data-include.md) - - -## Kiosk mode - -[Configure kiosk mode](configure-microsoft-edge-kiosk-mode-include.md) - -[Configure kiosk reset after idle timeout](configure-edge-kiosk-reset-idle-timeout-include.md) diff --git a/browsers/includes/customize-look-and-feel.md b/browsers/includes/customize-look-and-feel.md deleted file mode 100644 index 5bada8092e..0000000000 --- a/browsers/includes/customize-look-and-feel.md +++ /dev/null @@ -1,2 +0,0 @@ -## Customize the look and feel - diff --git a/browsers/includes/helpful-topics-include.md b/browsers/includes/helpful-topics-include.md index 21a3238bd5..40a63009d1 100644 --- a/browsers/includes/helpful-topics-include.md +++ b/browsers/includes/helpful-topics-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ## Helpful information and additional resources - [Enterprise Mode Site List Portal source code](https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal) diff --git a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md index 2e8b76896b..02ad5fe86d 100644 --- a/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md 
+++ b/browsers/includes/import-into-the-enterprise-mode-site-list-mgr-include.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + If you need to replace your entire site list because of errors, or simply because it’s out of date, you can import your exported Enterprise Mode site list using the Enterprise Mode Site List Manager. >[!IMPORTANT] diff --git a/browsers/includes/interoperability-goals-enterprise-guidance.md b/browsers/includes/interoperability-goals-enterprise-guidance.md index 5937eb6bef..f980f943ee 100644 --- a/browsers/includes/interoperability-goals-enterprise-guidance.md +++ b/browsers/includes/interoperability-goals-enterprise-guidance.md @@ -1,3 +1,11 @@ +--- +author: shortpatti +ms.author: pashort +ms.date: 10/02/2018 +ms.prod: edge +ms:topic: include +--- + ## Interoperability goals and enterprise guidance Our primary goal is that your websites work in Microsoft Edge. To that end, we've made Microsoft Edge the default browser. diff --git a/devices/hololens/hololens-insider.md b/devices/hololens/hololens-insider.md index 6418b56548..77e90ddb18 100644 --- a/devices/hololens/hololens-insider.md +++ b/devices/hololens/hololens-insider.md 
@@ -82,14 +82,14 @@ In order to switch to the Chinese or Japanese version of HoloLens, you’ll need 6. The tool will automatically detect your HoloLens. Select the Microsoft HoloLens tile. 7. On the next screen, select **Manual package selection** and choose the installation file contained in the folder you unzipped in step 4. (Look for a file with the extension “.ffu”.) 8. Select **Install software** and follow the instructions to finish installing. -9. Once the build is installed, HoloLens setup will start automatically. Put on the device and follow the setup directions. +9. Once the build is installed, HoloLens setup will start automatically. Put on the device and follow the setup directions. +10. After you complete setup, go to **Settings -> Update & Security -> Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider. Then, select **Active development of Windows**, choose whether you’d like to receive **Fast** or **Slow** builds, and review the program terms. Select **Confirm -> Restart Now** to finish up. After your device has rebooted, go to **Settings -> Update & Security -> Check for updates** to get the latest build. -When you’re done with setup, go to **Settings -> Update & Security -> Windows Insider Program** and check that you’re configured to receive the latest preview builds. The Chinese/Japanese version of HoloLens will be kept up-to-date with the latest preview builds via the Windows Insider Program the same way the English version is. ## Note for language support - You can’t change the system language between English, Japanese, and Chinese using the Settings app. Flashing a new build is the only supported way to change the device system language. -- While you can enter Simplified Chinese / Japanese text using the on-screen Pinyin keyboard, typing in Simplified Chinese / Japanese using a Bluetooth hardware keyboard is not supported at this time. 
However, on Chinese/Japanese HoloLens, you can continue to use a BT keyboard to type in English (the ~ key on a hardware keyboard toggles the keyboard to type in English). +- While you can enter Simplified Chinese / Japanese text using the on-screen Pinyin keyboard, typing in Simplified Chinese / Japanese using a Bluetooth hardware keyboard is not supported at this time. However, on Chinese/Japanese HoloLens, you can continue to use a BT keyboard to type in English (the Shift key on a hardware keyboard toggles the keyboard to type in English). ## Note for developers diff --git a/devices/hololens/hololens-install-apps.md b/devices/hololens/hololens-install-apps.md index 3de34452cf..0799523310 100644 --- a/devices/hololens/hololens-install-apps.md +++ b/devices/hololens/hololens-install-apps.md @@ -8,7 +8,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 12/20/2017 +ms.date: 09/11/2018 --- # Install apps on HoloLens @@ -55,8 +55,7 @@ The method that you use to install an app from your Microsoft Store for Business ## Use MDM to deploy apps to HoloLens ->[!IMPORTANT] ->Online-licensed apps cannot be deployed with Microsoft Store for Business on HoloLens via an MDM provider. If attempted, apps will remain in “downloading” state. Instead, you can use your MDM provider to deploy MDM-hosted apps to HoloLens, or deploy offline-licensed apps to HoloLens via Store for Business + You can deploy UWP apps to HoloLens using your MDM provider. For Intune instructions, see [Deploy apps in Microsoft Intune](https://docs.microsoft.com/intune/deploy-use/add-apps). 
@@ -64,6 +63,8 @@ You can deploy UWP apps to HoloLens using your MDM provider. For Intune instruct Using Intune, you can also [monitor your app deployment](https://docs.microsoft.com/intune/deploy-use/monitor-apps-in-microsoft-intune). +>[!TIP] +>In Windows 10, version 1607, online-licensed apps cannot be deployed with Microsoft Store for Business on HoloLens via an MDM provider. If attempted, apps will remain in “downloading” state. [Update your HoloLens to a later build](https://support.microsoft.com/help/12643/hololens-update-hololens) for this capability. ## Use the Windows Device Portal to install apps on HoloLens @@ -79,13 +80,15 @@ Using Intune, you can also [monitor your app deployment](https://docs.microsoft. >[!TIP] >If you see a certificate error in the browser, follow [these troubleshooting steps](https://developer.microsoft.com/windows/mixed-reality/Using_the_Windows_Device_Portal.html#security_certificate). -4. In the Windows Device Portal, click **Apps**. +4. In the Windows Device Portal, click **Views** and select **Apps**. ![App Manager](images/apps.png) -5. In **Install app**, select an **app package** from a folder on your computer or network. If the app package requires additional software, click **Add dependency**. +5. Click **Add** to open the **Deploy or Install Application dialog**. -6. In **Deploy**, click **Go** to deploy the app package and added dependencies to the connected HoloLens. +6. Select an **app package** from a folder on your computer or network. If the app package requires additional software or framework packages, click **I want to specify framework packages**. + +7. Click **Next** to deploy the app package and added dependencies to the connected HoloLens. diff --git a/devices/hololens/images/apps.png b/devices/hololens/images/apps.png index 5cb3b7ec8f..4e00aa96fc 100644 Binary files a/devices/hololens/images/apps.png and b/devices/hololens/images/apps.png differ 
diff --git a/devices/hololens/images/minimenu.png b/devices/hololens/images/minimenu.png new file mode 100644 index 0000000000..7aa0018011 Binary files /dev/null and b/devices/hololens/images/minimenu.png differ diff --git a/devices/hololens/images/windows-device-portal-home-page.png b/devices/hololens/images/windows-device-portal-home-page.png index 9604161bcd..55e4b0eaad 100644 Binary files a/devices/hololens/images/windows-device-portal-home-page.png and b/devices/hololens/images/windows-device-portal-home-page.png differ diff --git a/devices/surface-hub/index.md b/devices/surface-hub/index.md index 8ff6d0d31f..f91b3e81bf 100644 --- a/devices/surface-hub/index.md +++ b/devices/surface-hub/index.md @@ -54,6 +54,7 @@ In some ways, adding your new Surface Hub is just like adding any other Microsof ## Additional resources - [Surface Hub update history](https://support.microsoft.com/help/4037666/surface-surface-hub-update-history) +- [Surface Hub help](https://support.microsoft.com/hub/4343507/surface-hub-help) - [Surface IT Pro Blog](https://blogs.technet.microsoft.com/surface/) - [Surface Playlist of videos](https://www.youtube.com/playlist?list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ) - [Microsoft Surface on Twitter](https://twitter.com/surface) diff --git a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md index d009237304..a023fdb141 100644 --- a/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md +++ b/devices/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices.md @@ -9,7 +9,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: brecords -ms.date: 12/07/2017 +ms.date: 09/13/2018 ms.author: jdecker ms.topic: article --- 
@@ -23,11 +23,7 @@ As easy as it is to keep Surface device drivers and firmware up to date automati On the Microsoft Download Center page for your device, you will find several files available. These files allow you to deploy drivers and firmware in various ways. You can read more about the different deployment methods for Surface drivers and firmware in [Manage Surface driver and firmware updates](manage-surface-pro-3-firmware-updates.md). -Driver and firmware updates for Surface devices are released in one of two ways: - -- **Point updates** are released for specific drivers or firmware revisions and provide the latest update for a specific component of the Surface device. - -- **Cumulative updates** provide comprehensive roundups of all of the latest files for the Surface device running that version of Windows. +Driver and firmware updates for Surface devices are **cumulative updates** which provide comprehensive roundups of all of the latest files for the Surface device running that version of Windows. Installation files for administrative tools, drivers for accessories, and updates for Windows are also available for some devices and are detailed here in this article. 
@@ -212,10 +208,10 @@ Download the following updates [for Surface Pro (Model 1514) from the Microsoft - Windows8.1-KB2969817-x64.msu – Fixes an issue that causes Surface devices to reboot twice after firmware updates are installed on all supported x64-based versions of Windows 8.1 -## Surface RT +## Surface devices with Windows RT -There are no downloadable firmware or driver updates available for Surface RT. Updates can only be applied using Windows Update. +There are no downloadable firmware or driver updates available for Surface devices with Windows RT, including Surface RT and Surface 2. Updates can only be applied using Windows Update. If you have additional questions on the driver pack and updates, please contact [Microsoft Surface support for business](https://www.microsoft.com/surface/support/business). diff --git a/devices/surface/microsoft-surface-data-eraser.md b/devices/surface/microsoft-surface-data-eraser.md index 9b9736af68..3ba289e3e6 100644 --- a/devices/surface/microsoft-surface-data-eraser.md +++ b/devices/surface/microsoft-surface-data-eraser.md @@ -26,6 +26,7 @@ Find out how the Microsoft Surface Data Eraser tool can help you securely wipe d Compatible Surface devices include: +* Surface Go * Surface Book 2 * Surface Pro with LTE Advanced (Model 1807) * Surface Pro (Model 1796) 
@@ -60,7 +61,7 @@ Some scenarios where Microsoft Surface Data Eraser can be helpful include: To create a Microsoft Surface Data Eraser USB stick, first install the Microsoft Surface Data Eraser setup tool from the Microsoft Download Center using the link provided at the beginning of this article. You do not need a Surface device to *create* the USB stick. After you have downloaded the installation file to your computer, follow these steps to install the Microsoft Surface Data Eraser creation tool: -1. Run the DataEraserSetup.msi installation file that you downloaded from the Microsoft Download Center. +1. Run the DataEraserSetup.msi installation file that you downloaded from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=46703). 2. Select the check box to accept the terms of the license agreement, and then click **Install**. @@ -147,10 +148,16 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo Microsoft Surface Data Eraser is periodically updated by Microsoft. For information about the changes provided in each new version, see the following: +### Version 3.2.68.0 +This version of Microsoft Surface Data Eraser adds support for the following: + +- Surface Go + + ### Version 3.2.58.0 This version of Microsoft Surface Data Eraser adds support for the following: -- • Additional storage devices (drives) for Surface Pro and Surface Laptop devices +- Additional storage devices (drives) for Surface Pro and Surface Laptop devices ### Version 3.2.46.0 diff --git a/devices/surface/microsoft-surface-deployment-accelerator.md b/devices/surface/microsoft-surface-deployment-accelerator.md index da0e607baf..8dfbc020a2 100644 --- a/devices/surface/microsoft-surface-deployment-accelerator.md +++ b/devices/surface/microsoft-surface-deployment-accelerator.md 
@@ -94,6 +94,12 @@ SDA is periodically updated by Microsoft. For instructions on how these features >[!NOTE] >To install a newer version of SDA on a server with a previous version of SDA installed, you only need to run the installation file for the new version of SDA. The installer will handle the upgrade process automatically. If you used SDA to create a deployment share prior to the upgrade and want to use new features of the new version of SDA, you will need to create a new deployment share. SDA does not support upgrades of an existing deployment share. +### Version 2.8.136.0 +This version of SDA supports deployment of the following: +* Surface Book 2 +* Surface Laptop +* Surface Pro LTE + ### Version 2.0.8.0 This version of SDA supports deployment of the following: * Surface Pro diff --git a/devices/surface/step-by-step-surface-deployment-accelerator.md b/devices/surface/step-by-step-surface-deployment-accelerator.md index cbc27f2355..e239bcea68 100644 --- a/devices/surface/step-by-step-surface-deployment-accelerator.md +++ b/devices/surface/step-by-step-surface-deployment-accelerator.md 
@@ -126,7 +126,26 @@ The following steps show you how to create a deployment share for Windows 10 th ![The installatin progress window](images/sdasteps-fig5-installwindow.png "The installatin progress window") *Figure 5. The Installation Progress window* +>[!NOTE] +>The following error message may be hit while Installing the latest ADK or MDT: "An exception occurred during a WebClient request.". This is due to incompatibility between SDA and BITS. Here is the workaround for this: + ``` +In the following two PowerShell scripts: +%ProgramFiles%\Microsoft\Surface\Deployment Accelerator\Data\PowerShell\Install-MDT.ps1 +%ProgramFiles%\Microsoft\Surface\Deployment Accelerator\Data\PowerShell\INSTALL-WindowsADK.ps1 + +Edit the $BITSTransfer variable in the input parameters to $False as shown below: + +Param( + [Parameter( + Position=0, + Mandatory=$False, + HelpMessage="Download via BITS bool true/false" + )] + [string]$BITSTransfer = $False + ) + ``` + 8. When the SDA process completes the creation of your deployment share, a **Success** window is displayed. Click **Finish** to close the window. At this point your deployment share is now ready to perform a Windows deployment to Surface devices. ### Optional: Create a deployment share without an Internet connection diff --git a/devices/surface/surface-enterprise-management-mode.md b/devices/surface/surface-enterprise-management-mode.md index 42df3fd641..2932bee71c 100644 --- a/devices/surface/surface-enterprise-management-mode.md +++ b/devices/surface/surface-enterprise-management-mode.md 
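Review bot: The workaround snippet declares `[string]$BITSTransfer = $False`, and in PowerShell a `[string]` parameter stores that default as the text `False`, which is a non-empty string and therefore evaluates as true in a plain boolean test. Whether the edit actually turns BITS off depends on how Install-MDT.ps1 and INSTALL-WindowsADK.ps1 test the variable, which this hunk does not show, so the step should be checked against the shipped scripts before it is published. The instruction should also name the line being changed, for example `Change the default on the [string]$BITSTransfer line to $False; leave Mandatory=$False as it is.`, because the block contains two `$False` values and does not show the value being replaced. The prose inside the fence would read better as part of the `>[!NOTE]` text, with only the `Param(...)` block fenced.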
@@ -189,8 +189,23 @@ For use with SEMM and Microsoft Surface UEFI Configurator, the certificate must >[!NOTE] >For organizations that use an offline root in their PKI infrastructure, Microsoft Surface UEFI Configurator must be run in an environment connected to the root CA to authenticate the SEMM certificate. The packages generated by Microsoft Surface UEFI Configurator can be transferred as files and therefore can be transferred outside the offline network environment with removable storage, such as a USB stick. +## Version History + +### Version 2.14.136.0 +* Add support to Surface Go + +### Version 2.9.136.0 +* Add support to Surface Book 2 +* Add support to Surface Pro LTE +* Accessibility improvements + +### Version 1.0.74.0 +* Add support to Surface Laptop +* Add support to Surface Pro +* Bug fixes and general improvement + ## Related topics [Enroll and configure Surface devices with SEMM](enroll-and-configure-surface-devices-with-semm.md) -[Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md) \ No newline at end of file +[Unenroll Surface devices from SEMM](unenroll-surface-devices-from-semm.md) diff --git a/devices/surface/windows-autopilot-and-surface-devices.md b/devices/surface/windows-autopilot-and-surface-devices.md index cbfbebde41..bb250ba302 100644 --- a/devices/surface/windows-autopilot-and-surface-devices.md +++ b/devices/surface/windows-autopilot-and-surface-devices.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.pagetype: surface, devices ms.sitesec: library author: brecords -ms.date: 01/31/2018 +ms.date: 09/12/2018 ms.author: jdecker ms.topic: article --- 
@@ -45,6 +45,7 @@ Surface devices with support for out-of-box deployment with Windows Autopilot, e * Surface Book 2 * Surface Laptop * Surface Studio +* Surface Go ## Surface partners enabled for Windows Autopilot Enrolling Surface devices in Windows Autopilot at the time of purchase is a capability provided by select Surface partners that are enabled with the capability to identify individual Surface devices during the purchase process and perform enrollment on an organization’s behalf. Devices enrolled by a Surface partner at time of purchase can be shipped directly to users and configured entirely through the zero-touch process of Windows Autopilot, Azure Active Directory, and Mobile Device Management. diff --git a/education/index.md b/education/index.md index c78b456b9e..20840df5df 100644 --- a/education/index.md +++ b/education/index.md @@ -125,245 +125,6 @@ ms.date: 10/30/2017 -

  • - Teachers - -
  • -
  • - Students - -
  • Developer
      diff --git a/windows/application-management/app-v/appv-delete-a-connection-group.md b/windows/application-management/app-v/appv-delete-a-connection-group.md index b6e27aece2..ee3f71058e 100644 --- a/windows/application-management/app-v/appv-delete-a-connection-group.md +++ b/windows/application-management/app-v/appv-delete-a-connection-group.md @@ -1,34 +1,30 @@ --- -title: How to Delete a Connection Group (Windows 10) -description: How to Delete a Connection Group +title: How to delete a connection group (Windows 10) +description: How to delete a connection group. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- +# How to delete a connection group - -# How to Delete a Connection Group - -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 Use the following procedure to delete an existing App-V connection group. -**To delete a connection group** +## Delete a connection group -1. Open the App-V Management Console and select **CONNECTION GROUPS**. +1. Open the App-V Management Console and select **CONNECTION GROUPS**. -2. Right-click the connection group to be removed, and select **delete**. +2. Right-click the connection group to be removed and select **delete**. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) - -[Managing Connection Groups](appv-managing-connection-groups.md) +- [Operations for App-V](appv-operations.md) +- [Managing connection groups](appv-managing-connection-groups.md) diff --git a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md index 0a3464836a..81a067b1eb 100644 --- a/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md +++ b/windows/application-management/app-v/appv-delete-a-package-with-the-management-console.md 
@@ -1,32 +1,29 @@ --- -title: How to Delete a Package in the Management Console (Windows 10) -description: How to Delete a Package in the Management Console +title: How to delete a package in the Management Console (Windows 10) +description: How to delete a package in the Management Console. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- +# How to delete a package in the Management Console - -# How to Delete a Package in the Management Console - -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 Use the following procedure to delete an App-V package. -**To delete a package in the Management Console** +## Delete a package in the Management Console -1. To view the package you want to delete, open the App-V Management Console and select **Packages**. Select the package to be removed. +1. To view the package you want to delete, open the App-V Management Console and select **Packages**. Select the package to be removed. -2. Click or right-click the package. Select **Delete** to remove the package. +2. Select or right-click the package, then select **Delete** to remove the package. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) +- [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md index 439a1617b9..29eafeeefa 100644 --- a/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md 
@@ -1,45 +1,45 @@ --- -title: How to deploy App-V Packages Using Electronic Software Distribution (Windows 10) -description: How to deploy App-V Packages Using Electronic Software Distribution +title: How to deploy App-V packages using electronic software distribution (Windows 10) +description: How to deploy App-V packages using electronic software distribution. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- - # How to deploy App-V packages using electronic software distribution -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 You can use an electronic software distribution (ESD) system to deploy App-V virtual applications to App-V clients. -For component requirements and options for using an ESD to deploy App-V packages, see [Planning to Deploy App-V with an Electronic Software Distribution System](appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md). +For component requirements and options for using an ESD to deploy App-V packages, see [Planning to deploy App-V with an electronic software distribution system](appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md). Use one of the following methods to publish packages to App-V client computers with an ESD: +- Use the functionality in a third-party ESD. +- Install the application on the target client computer with the associated Windows Installer (.msi) file that's created when you initially sequence the application. The .msi file contains the associated App-V package file information used to configure a package and copies the required package files to the client. +- Use Windows PowerShell cmdlets to deploy virtualized applications. For more information about using Windows PowerShell and App-V, see [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md). 
+ | Method | Description | -| - | - | -| Functionality provided by a third-party ESD | Use the functionality in a third-party ESD.| +|---|---| +| Functionality provided by a third-party ESD | Use the functionality in a third-party ESD.| | Stand-alone Windows Installer | Install the application on the target client computer by using the associated Windows Installer (.msi) file that is created when you initially sequence an application. The Windows Installer file contains the associated App-V package file information used to configure a package and copies the required package files to the client. | -| Windows PowerShell | Use Windows PowerShell cmdlets to deploy virtualized applications. For more information about using Windows PowerShell and App-V, see [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md).| +| Windows PowerShell | Use Windows PowerShell cmdlets to deploy virtualized applications. For more information about using Windows PowerShell and App-V, see [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md).| -  +## Deploy App-V packages with an ESD -**To deploy App-V packages by using an ESD** +1. Install the App-V Sequencer on a computer in your environment. For more information about installing the sequencer, see [How to install the Sequencer](appv-install-the-sequencer.md). -1. Install the App-V Sequencer on a computer in your environment. For more information about installing the sequencer, see [How to Install the Sequencer](appv-install-the-sequencer.md). +2. Use the App-V Sequencer to create a virtual application. To learn more about creating virtual applications, see [Creating and managing App-V virtualized applications](appv-creating-and-managing-virtualized-applications.md). -2. Use the App-V Sequencer to create virtual application. 
For information about creating a virtual application, see [Creating and Managing App-V Virtualized Applications](appv-creating-and-managing-virtualized-applications.md). - -3. After you create the virtual application, deploy the package by using your ESD solution. +3. After you create the virtual application, deploy the package by using your ESD solution. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -- [Operations for App-V](appv-operations.md) +- [Operations for App-V](appv-operations.md) \ No newline at end of file diff --git a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md index e43a70509e..8e9bb9ec5c 100644 --- a/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md +++ b/windows/application-management/app-v/appv-deploying-microsoft-office-2016-with-appv.md @@ -1,6 +1,6 @@ --- -title: Deploying Microsoft Office 2016 by Using App-V (Windows 10) -description: Deploying Microsoft Office 2016 by Using App-V +title: Deploying Microsoft Office 2016 by using App-V (Windows 10) +description: Deploying Microsoft Office 2016 by using App-V author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy @@ -8,7 +8,7 @@ ms.sitesec: library ms.prod: w10 ms.date: 04/18/2018 --- -# Deploying Microsoft Office 2016 by Using App-V +# Deploying Microsoft Office 2016 by using App-V >Applies to: Windows 10, version 1607 diff --git a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md index 79da7a2972..0c17ea490a 100644 --- a/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-deploying-packages-with-electronic-software-distribution-solutions.md 
@@ -1,55 +1,34 @@ --- -title: Deploying App-V Packages by Using Electronic Software Distribution (ESD) -description: Deploying App-V Packages by Using Electronic Software Distribution (ESD) +title: Deploying App-V packages by using electronic software distribution (ESD) +description: Deploying App-V packages by using electronic software distribution (ESD) author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- +# Deploying App-V packages by using electronic software distribution (ESD) +>Applies to: Windows 10, version 1607 -# Deploying App-V Packages by Using Electronic Software Distribution (ESD) +You can deploy App-V packages using an electronic software distribution (ESD) solution. For information about planning to deploy App-V packages with an ESD, see [Planning to deploy App-V with an electronic software distribution system](appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md). -**Applies to** -- Windows 10, version 1607 - -You can deploy App-V packages using an Electronic Software Distribution (ESD) solution. For information about planning to deploy App-V packages with an ESD, see [Planning to Deploy App-V with an Electronic Software Distribution System](appv-planning-to-deploy-appv-with-electronic-software-distribution-solutions.md). 
- -To deploy App-V packages with Microsoft System Center 2012 Configuration Manager, see [Introduction to Application Management in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682125.aspx#BKMK_Appv) +To learn how to deploy App-V packages with Microsoft System Center 2012 Configuration Manager, see [Introduction to application management in Configuration Manager](https://technet.microsoft.com/en-us/library/gg682125.aspx#BKMK_Appv) ## How to deploy virtualized packages using an ESD +To learn more about how to deploy virtualized packages using an ESD, see [How to deploy App-V packages using electronic software distribution](appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md). -Describes the methods you can use to deploy App-V packages by using an ESD. +## How to enable only administrators to publish packages by using an ESD -[How to deploy App-V Packages Using Electronic Software Distribution](appv-deploy-appv-packages-with-electronic-software-distribution-solutions.md) +To learn how to configure the App-V client to enable only administrators to publish and unpublish packages when you’re using an ESD, see [How to enable only administrators to publish packages by using an ESD](appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md). -## How to Enable Only Administrators to Publish Packages by Using an ESD +## Related topics - -Explains how to configure the App-V client to enable only administrators to publish and unpublish packages when you’re using an ESD. - -[How to Enable Only Administrators to Publish Packages by Using an ESD](appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md) +- [App-V and Citrix integration](https://www.microsoft.com/en-us/download/details.aspx?id=40885) +- [Operations for App-V](appv-operations.md) ## Have a suggestion for App-V? 
- -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). - -## Other resources for using an ESD and App-V - - -Use the following link for more information about [App-V and Citrix Integration](https://www.microsoft.com/en-us/download/details.aspx?id=40885). - -[Operations for App-V](appv-operations.md) - -  - -  - - - - - +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). \ No newline at end of file diff --git a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md index 58d77d2a5a..638235a066 100644 --- a/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md +++ b/windows/application-management/app-v/appv-deploying-the-appv-sequencer-and-client.md @@ -1,6 +1,6 @@ --- -title: Deploying the App-V Sequencer and Configuring the Client (Windows 10) -description: Deploying the App-V Sequencer and Configuring the Client +title: Deploying the App-V Sequencer and configuring the client (Windows 10) +description: Deploying the App-V Sequencer and configuring the client author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy diff --git a/windows/application-management/app-v/appv-dynamic-configuration.md b/windows/application-management/app-v/appv-dynamic-configuration.md index 5cc4247912..e0b0f8d0f6 100644 --- a/windows/application-management/app-v/appv-dynamic-configuration.md +++ b/windows/application-management/app-v/appv-dynamic-configuration.md 
@@ -6,110 +6,84 @@ ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- +# About App-V dynamic configuration +>Applies to: Windows 10, version 1607 -# About App-V Dynamic Configuration +You can use dynamic configuration to customize an App-V package for a user. This article will tell you how to create or edit an existing dynamic configuration file. -**Applies to** -- Windows 10, version 1607 - -You can use the dynamic configuration to customize an App-V package for a user. Use the following information to create or edit an existing dynamic configuration file. - -When you edit the dynamic configuration file it customizes how an App-V package will run for a user or group. This helps to provide a more convenient method for package customization by removing the need to re-sequence packages using the desired settings, and provides a way to keep package content and custom settings independent. - -## Advanced: Dynamic Configuration +When you edit the Dynamic Configuration file, it customizes how an App-V package will run for a user or group. This makes package customization more convenient by removing the need to resequence packages using the desired settings and provides a way to keep package content and custom settings independent. +## Advanced: dynamic configuration Virtual application packages contain a manifest that provides all the core information for the package. This information includes the defaults for the package settings and determines settings in the most basic form (with no additional customization). If you want to adjust these defaults for a particular user or group, you can create and edit the following files: -- User Configuration file +- User Configuration file +- Deployment Configuration file -- Deployment configuration file +These .xml files specify package settings let you customize packages without directly affecting the packages. 
When a package is created, the sequencer automatically generates default deployment and user configuration .xml files using the package manifest data. These automatically generated configuration files reflect the package's default settings that were configured during sequencing. If you apply these configuration files to a package in the form generated by the sequencer, the packages will have the same default settings that came from their manifest. This provides you with a package-specific template to get started if any of the defaults must be changed. -The previous .xml files specify package settings and allow for packages to be customized without directly affecting the packages. When a package is created, the sequencer automatically generates default deployment and user configuration .xml files using the package manifest data. Therefore, these automatically generated configuration files simply reflect the default settings that the package innately as from how things were configured during sequencing. If you apply these configuration files to a package in the form generated by the sequencer, the packages will have the same default settings that came from their manifest. This provides you with a package-specific template to get started if any of the defaults must be changed. +>[!NOTE] +>The following information can only be used to modify sequencer generated configuration files to customize packages to meet specific user or group requirements. -**Note**   -The following information can only be used to modify sequencer generated configuration files to customize packages to meet specific user or group requirements. +## Dynamic Configuration file contents -  +All of the additions, deletions, and updates in the configuration files need to be made in relation to the default values specified by the package's manifest information. 
The following list represents the relationship between these files in how they'll be read, from most to least precedence: -### Dynamic Configuration file contents +- User Configuration .xml file +- Deployment Configuration .xml file +- Package Manifest -All of the additions, deletions, and updates in the configuration files need to be made in relation to the default values specified by the package's manifest information. Review the following table: +The first item represents what will be read last. Therefore, its content takes precedence. All packages inherently contain and provide default settings from the Package Manifest, but it also has the least precedence. If you apply a Deployment Configuration .xml file with customized settings, it will override the Package Manifest's defaults. If you apply a User Configuration .xml file with customized settings prior to that, it will override both the deployment configuration and the Package Manifest's defaults. - --- - - - - - - - - - - - -

      User Configuration .xml file

      Deployment Configuration .xml file

      Package Manifest

      +There are two types of configuration files: -  +- **User Configuration file (UserConfig)**: Allows you to specify or modify custom settings for a package. These settings will be applied for a specific user when the package is deployed to a computer running the App-V client. +- **Deployment Configuration file (DeploymentConfig)**: Allows you to specify or modify the default settings for a package. These settings will be applied for all users when a package is deployed to a computer running the App-V client. -The previous table represents how the files will be read. The first entry represents what will be read last, therefore, its content takes precedence. Therefore, all packages inherently contain and provide default settings from the package manifest. If a deployment configuration .xml file with customized settings is applied, it will override the package manifest defaults. If a user configuration .xml file with customized settings is applied prior to that, it will override both the deployment configuration and the package manifest defaults. +You can use the UserConfig file to customize the settings for a package for a specific set of users on a computer or make changes that will be applied to local user locations such as HKCU. You can use the DeploymentConfig file to modify the default settings of a package for all users on a machine or make changes that will be applied to global locations such as HKEY\_LOCAL\_MACHINE and the All Users folder. -The following list displays more information about the two file types: +The UserConfig file provides configuration settings that you can apply to a single user without affecting any other users on a client: -- **User Configuration File (UserConfig)** – Allows you to specify or modify custom settings for a package. These settings will be applied for a specific user when the package is deployed to a computer running the App-V client. 
+- Extensions that will be integrated into the native system per user: shortcuts, File-Type associations, URL Protocols, AppPaths, Software Clients, and COM. +- Virtual Subsystems: Application Objects, Environment variables, Registry modifications, Services, and Fonts. +- Scripts (user context only). -- **Deployment Configuration File (DeploymentConfig)** – Allows you to specify or modify the default settings for a package. These settings will be applied for all users when a package is deployed to a computer running the App-V client. +The DeploymentConfig file provides configuration settings in two sections, one relative to the machine context and one relative to the user context providing the same capabilities listed in the preceding UserConfig list: -To customize the settings for a package for a specific set of users on a computer or to make changes that will be applied to local user locations such as HKCU, the UserConfig file should be used. To modify the default settings of a package for all users on a machine or to make changes that will be applied to global locations such as HKEY\_LOCAL\_MACHINE and the all users folder, the DeploymentConfig file should be used. 
+- All UserConfig settings from the preceding section in this topic +- Extensions that can only be applied globally for all users +- Virtual Subsystems that can be configured for global machine locations, such as the registry +- Product Source URL +- Scripts (Machine context only) +- Controls to terminate child processes -The UserConfig file provides configuration settings that can be applied to a single user without affecting any other users on a client: - -- Extensions that will be integrated into the native system per user:- shortcuts, File-Type associations, URL Protocols, AppPaths, Software Clients and COM - -- Virtual Subsystems:- Application Objects, Environment variables, Registry modifications, Services and Fonts - -- Scripts (User context only) - -The DeploymentConfig file provides configuration settings in two sections, one relative to the machine context and one relative to the user context providing the same capabilities listed in the UserConfig list above: - -- All UserConfig settings above - -- Extensions that can only be applied globally for all users - -- Virtual Subsystems that can be configured for global machine locations e.g. registry - -- Product Source URL - -- Scripts (Machine context only) - -- Controls to Terminate Child Processes - -### File structure +## File structure The structure of the App-V Dynamic Configuration file is explained in the following section. -### Dynamic User Configuration file +## Dynamic User Configuration file -**Header** - the header of a dynamic user configuration file is as follows: +### Header -``` +The following is an example of a Dynamic User Configuration file's header: + +```xml ``` -The **PackageId** is the same value as exists in the Manifest file. +The **PackageId** is the same value that exists in the Manifest file. 
-**Body** - the body of the Dynamic User Configuration file can include all the app extension points that are defined in the Manifest file, as well as information to configure virtual applications. There are four subsections allowed in the body: +### Dynamic User Configuration file body -**Applications** - All app-extensions that are contained in the Manifest file within a package are assigned with an Application ID, which is also defined in the manifest file. This allows you to enable or disable all the extensions for a given application within a package. The **Application ID** must exist in the Manifest file or it will be ignored. +The Dynamic User Configuration file's body can include all app extension points defined in the Manifest file, as well as information to configure virtual applications. There are four subsections allowed in the body: -``` +**Applications**: All app-extensions contained in the Manifest file within a package are assigned with an Application ID, which is also defined in the manifest file. This allows you to enable or disable all the extensions for a given application within a package. The **Application ID** must exist in the Manifest file or it will be ignored. + +```xml @@ -120,9 +94,9 @@ The **PackageId** is the same value as exists in the Manifest file. ``` -**Subsystems** - AppExtensions and other subsystems are arranged as subnodes under the : +**Subsystems**: AppExtensions and other subsystems are arranged as subnodes under ``, as shown in the following example. -``` +```xml .. 
@@ -131,19 +105,21 @@ The **PackageId** is the same value as exists in the Manifest file. ``` -Each subsystem can be enabled/disabled using the “**Enabled**” attribute. Below are the various subsystems and usage samples. +Each subsystem can be enabled/disabled using the **Enabled** attribute. The following sections describe the various subsystems and usage samples. -**Extensions:** +### Dynamic User Configuration file extensions -Some subsystems (Extension Subsystems) control Extensions. Those subsystems are:- shortcuts, File-Type associations, URL Protocols, AppPaths, Software Clients and COM +Extension Subsystems control extensions. These subsystems are Shortcuts, File-Type associations, URL Protocols, AppPaths, Software Clients, and COM. -Extension Subsystems can be enabled and disabled independently of the content.  Thus if Shortcuts are enabled, The client will use the shortcuts contained within the manifest by default. Each Extension Subsystem can contain an node. If this child element is present, the client will ignore the content in the Manifest file for that subsystem and only use the content in the configuration file. +Extension Subsystems can be enabled and disabled independently of the content.  Therefore, if Shortcuts are enabled, the client will use the shortcuts contained within the manifest by default. Each Extension Subsystem can contain an `` node. If this child element is present, the client will ignore the content in the Manifest file for that subsystem and only use the content in the configuration file. -Example using the shortcuts subsystem: +### Examples of the shortcuts subsystem -**Example 1**
      If the user defined this in either the dynamic or deployment config file: +#### Example 1 -``` +Content will be ignored if the user defined the following in either the dynamic or deployment config file: + +```xml                                                                         ``` -Content in the manifest will be ignored.    +#### Example 2 -**Example 2**
      If the user defined only the following: +Content in the manifest will be integrated during publishing if the user defined only the following: + +```xml                             `` - -Then the content in the Manifest will be integrated during publishing. - -**Example 3**
      If the user defines the following - ``` + +#### Example 3 + +All shortcuts in the manifest will be ignored and no shortcuts will be integrated if the user defines the following: + +```xml                                                                                                     ``` -Then all the shortcuts within the manifest will still be ignored. There will be no shortcuts integrated. +### Supported Extension Subsystems -The supported Extension Subsystems are: +**Shortcuts**: This controls shortcuts that will be integrated into the local system. The following example has two shortcuts: -**Shortcuts:** This controls shortcuts that will be integrated into the local system. Below is a sample with 2 shortcuts: - -``` +```xml   @@ -209,9 +186,9 @@ The supported Extension Subsystems are: ``` -**File-Type Associations:** Associates File-types with programs to open by default as well as setup the context menu. (MIME types can also be setup using this susbsystem). Sample File-type Association is below: +**File Type Associations**: Associates file types with programs to open by default as well as setup the context menu. (MIME types can also be set up with this susbsystem). The following is an example of a FileType association: -``` +```xml @@ -275,9 +252,9 @@ The supported Extension Subsystems are: ``` -**URL Protocols**: This controls the URL Protocols that are integrated into the local registry of the client machine e.g. “mailto:”. +**URL Protocols**: This controls the URL Protocols integrated into the local registry of the client machine. The following example illustrates the “mailto:” ptrotocol. -``` +```xml 
@@ -322,17 +299,17 @@ The supported Extension Subsystems are:   ``` -**Software Clients**: Allows the app to register as an Email client, news reader, media player and makes the app visible in the Set Program Access and Computer Defaults UI. In most cases you should only need to enable and disable it. There is also a control to enable and disable the email client specifically if you want the other clients still enabled except for that client. +**Software Clients**: Allows the app to register as an email client, news reader, or media player and makes the app visible in the Set Program Access and Computer Defaults UI. In most cases, you only need to enable and disable it. There's also a control that lets you enable or disable the email client only in case you want all the other clients to remain as they are. -``` +```xml   ``` -**AppPaths**: If an application for example contoso.exe is registered with an apppath name of “myapp”, it allows you type “myapp” under the run menu and it will open contoso.exe. +**AppPaths**: If an application, such as contoso.exe, is registered with an apppath name of “myapp”, this subsystem lets you open the app by entering “myapp” into the run menu. -``` +```xml 
@@ -349,21 +326,25 @@ The supported Extension Subsystems are: ``` -**COM**: Allows an Application register Local COM servers. Mode can be Integration, Isolated or Off. When Isol. - -` ` - -**Other Settings**: - -In addition to Extensions, other subsystems can be enabled/disabled and edited: - -**Virtual Kernel Objects**: - -` ` - -**Virtual Registry**: Used if you want to set a registry in the Virtual Registry within HKCU +**COM**: Allows an Application to register Local COM servers. Mode can be Integration, Isolated or Off. When Isol. +```xml + ``` + +### Other settings for Dynamic User Configuration file + +In addition to Extensions, the following other subsystems can be enabled/disabled and edited. + +#### Virtual Kernel Objects + +```xml + +```xml + +**Virtual Registry**: use this if you want to set a registry in the Virtual Registry within HKCU. + +```xml @@ -375,17 +356,21 @@ In addition to Extensions, other subsystems can be enabled/disabled and edited:   ``` -**Virtual File System** - -`       ` - -**Virtual Fonts** - -`       ` - -**Virtual Environment Variables** +#### Virtual File System +```xml +       ``` + +#### Virtual Fonts + +```xml +       +``` + +#### Virtual Environment Variables + +```xml         
@@ -397,32 +382,39 @@ In addition to Extensions, other subsystems can be enabled/disabled and edited:          ``` -**Virtual services** - -`       ` - -**UserScripts** – Scripts can be used to setup or alter the virtual environment as well as execute scripts at time of deployment or removal, before an application executes, or they can be used to “clean up” the environment after the application terminates. Please reference a sample User configuration file that is output by the sequencer to see a sample script. The Scripts section below provides more information on the various triggers that can be used. - -### Dynamic Deployment Configuration file - -**Header** - The header of a Deployment Configuration file is as follows: +#### Virtual services +```xml +       ``` + +#### UserScripts + +Scripts can be used to set up or alter the virtual environment and execute scripts on deployment or removal, before an application executes, or they can clean up the environment after the application terminates. Please refer to a sample User Configuration file output by the sequencer to see a sample script. See the [Scripts](appv-dynamic-configuration.md#scripts) section for more information about the various triggers you can use to set up scripts. + +## Dynamic Deployment Configuration file + +### Dynamic Deployment Configuration file header + +The header of a Deployment Configuration file should look something like this: + +```xml ``` -The **PackageId** is the same value as exists in the manifest file. +The **PackageId** is the same value as the one that exists in the Manifest file. -**Body** - The body of the deployment configuration file includes two sections: +### Dynamic Deployment Configuration file body -- User Configuration section –allows the same content as the User Configuration file described in the previous section. 
When the package is published to a user, any appextensions configuration settings in this section will override corresponding settings in the Manifest within the package unless a user configuration file is also provided. If a UserConfig file is also provided, it will be used instead of the User settings in the deployment configuration file. If the package is published globally, then only the contents of the deployment configuration file will be used in combination with the manifest. +The body of the deployment configuration file includes two sections: -- Machine Configuration section–contains information that can be configured only for an entire machine, not for a specific user on the machine. For example, HKEY\_LOCAL\_MACHINE registry keys in the VFS. +- The User Configuration section allows the same content as the User Configuration file described in the previous section. When the package is published to a user, any appextensions configuration settings in this section will override corresponding settings in the Manifest within the package unless a user configuration file is also provided. If a UserConfig file is also provided, it will be used instead of the User settings in the deployment configuration file. If the package is published globally, then only the contents of the deployment configuration file will be used in combination with the manifest. +- The Machine Configuration section contains information that can only be configured for an entire machine, not for a specific user on the machine. For example, HKEY\_LOCAL\_MACHINE registry keys in the VFS. -``` +```xml -  .. +.. .. 
@@ -432,13 +424,15 @@ The **PackageId** is the same value as exists in the manifest file. ``` -**User Configuration** - use the previous **Dynamic User Configuration file** section for information on settings that are provided in the user configuration section of the Deployment Configuration file. +User Configuration: see [Dynamic User Configuration](appv-dynamic-configuration.md#dynamic-user-configuration) for more information about this section. -Machine Configuration - the Machine configuration section of the Deployment Configuration File is used to configure information that can be set only for an entire machine, not for a specific user on the computer. For example, HKEY\_LOCAL\_MACHINE registry keys in the Virtual Registry. There are four subsections allowed in under this element +Machine Configuration: The Machine Configuration section of the Deployment Configuration File configures information that can only be set for an entire machine, not a specific user on the computer, like the HKEY\_LOCAL\_MACHINE registry keys in the Virtual Registry. This element can have the following four subsections. -1. **Subsystems** - AppExtensions and other subsystems are arranged as subnodes under : +#### Subsystems -``` +AppExtensions and other subsystems are arranged as subnodes under ``: + +```xml     .. 
@@ -447,15 +441,17 @@ Machine Configuration - the Machine configuration section of the Deployment Conf ``` -The following section displays the various subsystems and usage samples. +The following section describes the various subsystems and usage samples. -**Extensions**: +#### Extensions -Some subsystems (Extension Subsystems) control Extensions which can only apply to all users. The subsystem is application capabilities. Because this can only apply to all users, the package must be published globally in order for this type of extension to be integrated into the local system. The same rules for controls and settings that apply to the Extensions in the User Configuration also apply to those in the MachineConfiguration section. +Some subsystems (Extension Subsystems) control extensions that can only apply to all users. The subsystem is application capabilities. Because this can only apply to all users, the package must be published globally in order for this type of extension to be integrated into the local system. The rules for User Configuration extension controls and settings also apply to the ones in Machine Configuration. -**Application Capabilities**: Used by default programs in windows operating system Interface. Allows an application to register itself as capable of opening certain file extensions, as a contender for the start menu internet browser slot, as capable of opening certain windows MIME types.  This extension also makes the virtual application visible in the Set Default Programs UI.: +#### Application Capabilities -``` +Used by default programs in the Windows OS interface, the Application Capabilities extension allows an application to register itself as capable of opening certain file extensions, as a contender for the Start menu's internet browser slot, and as capable of opening certain Windows MIME types. This extension also makes the virtual application visible in the Set Default Programs UI. + +```xml       
@@ -491,13 +487,13 @@ Some subsystems (Extension Subsystems) control Extensions which can only apply t ``` -**Other Settings**: +#### Other settings for Dynamic Deployment Configuration file -In addition to Extensions, other subsystems can be edited: +You can edit other subsystems in addition to extensions: -**Machine Wide Virtual Registry**: Used when you want to set a registry key in the virtual registry within HKEY\_Local\_Machine +- Machine-wide Virtual Registry: use this when you want to set a registry key in the virtual registry within HKEY\_Local\_Machine. -``` +```xml   @@ -509,9 +505,9 @@ In addition to Extensions, other subsystems can be edited: ``` -**Machine Wide Virtual Kernel Objects** +- Machine-wide Virtual Kernel Objects -``` +```xml     
@@ -519,23 +515,23 @@ In addition to Extensions, other subsystems can be edited: ``` -**ProductSourceURLOptOut**: Indicates whether the URL for the package can be modified globally through PackageSourceRoot (to support branch office scenarios). Default is false and the setting change takes effect on the next launch. +- ProductSourceURLOptOut: Indicates whether the URL for the package can be modified globally through PackageSourceRoot to support branch office scenarios. It's set to False by default. Changes to the value take effect on the next launch. -``` +```xml -   ..  +   ..      .. ``` -**MachineScripts** – Package can be configured to execute scripts at time of deployment, publishing or removal. Please reference a sample deployment configuration file that is generated by the sequencer to see a sample script. The Scripts section below provides more information on the various triggers that can be used +- MachineScripts: The package can be configured to execute scripts upon deployment, publishing, or removal. To see an example script, please see a sample deployment configuration file generated by the sequencer. The following section provides more information about the various triggers you can use to set up scripts. -**TerminateChildProcess**:- An application executable can be specified, whose child processes will be terminated when the application exe process is terminated. +- TerminateChildProcess: you can use this to specify that an application executable's child processes will be terminated when the application.exe process is terminated. -``` +```xml -   ..    +   ..              @@ -549,113 +545,33 @@ In addition to Extensions, other subsystems can be edited: The following table describes the various script events and the context under which they can be run. - -------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      Script Execution TimeCan be specified in Deployment ConfigurationCan be specified in User ConfigurationCan run in the Virtual Environment of the packageCan be run in the context of a specific applicationRuns in system/user context: (Deployment Configuration, User Configuration)

      AddPackage

      X

      (SYSTEM, N/A)

      PublishPackage

      X

      X

      (SYSTEM, User)

      UnpublishPackage

      X

      X

      (SYSTEM, User)

      RemovePackage

      X

      (SYSTEM, N/A)

      StartProcess

      X

      X

      X

      X

      (User, User)

      ExitProcess

      X

      X

      X

      (User, User)

      StartVirtualEnvironment

      X

      X

      X

      (User, User)

      TerminateVirtualEnvironment

      X

      X

      (User, User)

      - -  +|Script execution time|Can be specified in Deployment Configuration|Can be specified in User Configuration|Can run in the package's virtual environment|Can be run in the context of a specific application|Runs in system/user context: (Deployment Configuration, User Configuration)| +|---|:---:|:---:|:---:|:---:|:---:| +|AddPackage|X||||(SYSTEM, N/A)| +|PublishPackage|X|X|||(SYSTEM, User)| +|UnpublishPackage|X|X|||(SYSTEM, User)| +|RemovePackage|X||||(SYSTEM, N/A)| +|StartProcess|X|X|X|X|(User, User)| +|ExitProcess|X|X||X|(User, User)| +|StartVirtualEnvironment|X|X|X||(User, User)| +|TerminateVirtualEnvironment|X|X|||(User, User)| ### Using multiple scripts on a single event trigger App-V supports the use of multiple scripts on a single event trigger for App-V packages, including packages that you convert from App-V 4.6 to App-V for Windows 10. To enable the use of multiple scripts, App-V uses a script launcher application, named ScriptRunner.exe, which is included in the App-V client. -**How to use multiple scripts on a single event trigger:** +#### How to use multiple scripts on a single event trigger -For each script that you want to run, pass that script as an argument to the ScriptRunner.exe application. The application then runs each script separately, along with the arguments that you specify for each script. Use only one script (ScriptRunner.exe) per trigger. +For each script that you want to run, pass that script as an argument to the ScriptRunner.exe application. The application will run each script separately, along with the arguments that you specify for each script. Use only one script (ScriptRunner.exe) per trigger. -**Note**   -We recommended that you run the multi-script line from a command prompt first to make sure that all arguments are built correctly before adding them to the deployment configuration file. 
+>[!NOTE] +>We recommended you first run the multi-script line from a command prompt to make sure all arguments are built correctly before adding them to the deployment configuration file. -  - -**Example script and parameter descriptions** +#### Example script and parameter descriptions Using the following example file and table, modify the deployment or user configuration file to add the scripts that you want to run. -``` syntax +```xml ScriptRunner.exe @@ -669,78 +585,29 @@ Using the following example file and table, modify the deployment or user config ``` - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
      Parameter in the example fileDescription

      Name of the event trigger for which you are running a script, such as adding a package or publishing a package.

      ScriptRunner.exe

      The script launcher application that is included in the App-V client.

      -
      -Note   -

      Although ScriptRunner.exe is included in the App-V client, the location of the App-V client must be in %path% or ScriptRunner will not run. ScriptRunner.exe is typically located in the C:\Program Files\Microsoft Application Virtualization\Client folder.

      -
      -
      -  -
      
      --appvscript script1.exe arg1 arg2 –appvscriptrunnerparameters –wait –timeout=10
      +|Parameter in the example file|Description|
      +|---|---|
      +|``|Name of the event trigger you're running a script for, such as when adding or publishing a package.|
      +|`ScriptRunner.exe`|The script launcher application included in the App-V client.

      Although ScriptRunner.exe is included in the App-V client, the App-V client's location must be in %path% or ScriptRunner won't run. `ScriptRunner.exe` is typically located in the C:\Program Files\Microsoft Application Virtualization\Client folder.| +|`-appvscript script1.exe arg1 arg2 –appvscriptrunnerparameters –wait –timeout=10`

      `-appvscript script2.vbs arg1 arg2`

      `-appvscript script3.bat arg1 arg2 –appvscriptrunnerparameters –wait –timeout=30 -rollbackonerror`|`-appvscript`—token that represents the actual script you want to run.
      `script1.exe`—name of the script you want to run.
      `arg1 arg2`—arguments for the script you want to run.
      `-appvscriptrunnerparameters`—token that represents the execution options for script1.exe.
      `-wait`—token that tells ScriptRunner to wait for execution of script1.exe to finish before proceeding to the next script.
      `-timeout=x`—token that informs ScriptRunner to stop running the current script after *x* number of seconds. All other specified scripts will still run.
      `-rollbackonerror`—token that tells ScriptRunner to stop running all scripts that haven't yet run and roll back an error to the App-V client.| +|``|Waits for overall completion of ScriptRunner.exe.

      Set the timeout value for the overall runner to be greater than or equal to the sum of the timeout values on the individual scripts.

      If any individual script reported an error and rollbackonerror was set to True, then ScriptRunner should report the error to App-V client.| --appvscript script2.vbs arg1 arg2 - --appvscript script3.bat arg1 arg2 –appvscriptrunnerparameters –wait –timeout=30 -rollbackonerror -

      -appvscript - Token that represents the actual script that you want to run.

      -

      script1.exe – Name of the script that you want to run.

      -

      arg1 arg2 – Arguments for the script that you want to run.

      -

      -appvscriptrunnerparameters – Token that represents the execution options for script1.exe

      -

      -wait – Token that informs ScriptRunner to wait for execution of script1.exe to complete before proceeding to the next script.

      -

      -timeout=x – Token that informs ScriptRunner to stop running the current script after x number of seconds. All other specified scripts will still run.

      -

      -rollbackonerror – Token that informs ScriptRunner to stop running all scripts that haven't yet run and to roll back an error to the App-V client.

      Waits for overall completion of ScriptRunner.exe.

      -

      Set the timeout value for the overall runner to be greater than or equal to the sum of the timeout values on the individual scripts.

      -

      If any individual script reported an error and rollbackonerror was set to true, then ScriptRunner would report the error to App-V client.

      - -  - -ScriptRunner will run any script whose file type is associated with an application installed on the computer. If the associated application is missing, or the script’s file type is not associated with any application on the computer, the script will not run. +ScriptRunner will run any script whose file type is associated with an application installed on the computer. If the associated application is missing, or the script’s file type isn't associated with any of the computer's applications, the script won't run. ### Create a Dynamic Configuration file using an App-V Manifest file -You can create the Dynamic Configuration file using one of three methods: either manually, using the App-V Management Console or sequencing a package, which will be generated with 2 sample files. +You can create the Dynamic Configuration file using one of three methods: manually, using the App-V Management Console, or by sequencing a package, which will generate a package with two sample files. -For more information about how to create the file using the App-V Management Console see, [How to Create a Custom Configuration File by Using the App-V Management Console](appv-create-a-custom-configuration-file-with-the-management-console.md). +For more information about how to create the file using the App-V Management Console, see [How to create a Custom Configuration file by using the App-V Management Console](appv-create-a-custom-configuration-file-with-the-management-console.md). -To create the file manually, the information above in previous sections can be combined into a single file. We recommend you use files generated by the sequencer. +To create the file manually, you can combine the components listed in the previous sections into a single file. However, we recommend you use files generated by the sequencer instead of manually created ones. ## Have a suggestion for App-V? 
-Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[How to Apply the Deployment Configuration File by Using Windows PowerShell](appv-apply-the-deployment-configuration-file-with-powershell.md) - -[How to Apply the User Configuration File by Using Windows PowerShell](appv-apply-the-user-configuration-file-with-powershell.md) - -[Operations for App-V](appv-operations.md) +- [How to Apply the Deployment Configuration File by Using Windows PowerShell](appv-apply-the-deployment-configuration-file-with-powershell.md) +- [How to Apply the User Configuration File by Using Windows PowerShell](appv-apply-the-user-configuration-file-with-powershell.md) +- [Operations for App-V](appv-operations.md) diff --git a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md index 3ae3740c77..803d11d76e 100644 --- a/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md +++ b/windows/application-management/app-v/appv-enable-administrators-to-publish-packages-with-electronic-software-distribution-solutions.md 
@@ -8,25 +8,22 @@ ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 --- +# How to enable only administrators to publish packages by using an ESD - -# How to Enable Only Administrators to Publish Packages by Using an ESD - -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 Starting in App-V 5.0 SP3, you can configure the App-V client so that only administrators (not end users) can publish or unpublish packages. In earlier versions of App-V, you could not prevent end users from performing these tasks. -**To enable only administrators to publish or unpublish packages** +Here's how to enable only administrators to publish or unpublish packages: -1. Navigate to the following Group Policy Object node: +1. Navigate to the following Group Policy Object node: - **Computer Configuration > Administrative Templates > System > App-V > Publishing**. + **Computer Configuration** > **Administrative Templates** > **System** > **App-V** > **Publishing**. -2. Enable the **Require publish as administrator** Group Policy setting. +2. Enable the **Require publish as administrator** Group Policy setting. - To instead use Windows PowerShell to set this item, see [How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#bkmk-admins-pub-pkgs). + To instead use Windows PowerShell to set this item, see [Understanding pending packages: UserPending and GlobalPending](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#about-pending-packages-userpending-and-globalpending). ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). diff --git a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md index c21abca90a..b6df634063 100644 --- a/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md +++ b/windows/application-management/app-v/appv-enable-reporting-on-the-appv-client-with-powershell.md @@ -8,8 +8,6 @@ ms.sitesec: library ms.prod: w10 ms.date: 04/19/2017 --- - - # How to Enable Reporting on the App-V Client by Using Windows PowerShell **Applies to** diff --git a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md index ff0ad45667..0696778b9f 100644 --- a/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md +++ b/windows/application-management/app-v/appv-enable-the-app-v-desktop-client.md 
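Review bot: The cross-reference in step 2 of the `@@ -8,25 +8,22 @@` hunk no longer matches the sentence that carries it. The sentence reads "To instead use Windows PowerShell to set this item", but the link now targets `#about-pending-packages-userpending-and-globalpending` where it previously targeted `#bkmk-admins-pub-pkgs`. A reader looking for the PowerShell equivalent of **Require publish as administrator** therefore lands on the pending-packages section, which makes this access restriction easier to miss or misapply. If the rewritten stand-alone-computer article still has a section on enabling only administrators to publish or unpublish packages (its new text is not visible here), link to that heading instead, for example `[How to enable only administrators to publish or unpublish packages](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#<anchor-of-that-section>)`. The same retargeted link appears under the *-RequirePublishAsAdmin* bullet in the appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md hunk.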
@@ -35,7 +35,7 @@ Check out these articles for more information about how to configure the App-V c
 * [Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md)
 * [How to modify client configuration by using Windows PowerShell](appv-modify-client-configuration-with-powershell.md)
 * [Using the client management console](appv-using-the-client-management-console.md)
-* [How to configure the client to receive package and connection group updates From the Publishing server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md)
+* [How to configure the client to receive package and connection group updates from the Publishing server](appv-configure-the-client-to-receive-updates-from-the-publishing-server.md)
 ## Have a suggestion for App-V?
diff --git a/windows/application-management/app-v/appv-for-windows.md b/windows/application-management/app-v/appv-for-windows.md
index 857938e467..3642e254c5 100644
--- a/windows/application-management/app-v/appv-for-windows.md
+++ b/windows/application-management/app-v/appv-for-windows.md
@@ -6,64 +6,61 @@ ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- - - # Application Virtualization (App-V) for Windows 10 overview -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 -The topics in this section provide information and step-by-step procedures to help you administer App-V and its components. This information will be valuable for system administrators who manage large installations with many servers and clients and for support personnel who interact directly with the computers or the end users. +The topics in this section provide information and instructions to help you administer App-V and its components. This information is for system administrators who manage large installations with many servers and clients, and for support personnel who interact directly with the computers or users. -[Getting Started with App-V](appv-getting-started.md) +[Getting started with App-V](appv-getting-started.md) - [What's new in App-V](appv-about-appv.md) - [Evaluating App-V](appv-evaluating-appv.md) -- [High Level Architecture for App-V](appv-high-level-architecture.md) +- [High-level architecture for App-V](appv-high-level-architecture.md) [Planning for App-V](appv-planning-for-appv.md) -- [Preparing Your Environment for App-V](appv-preparing-your-environment.md) -- [App-V Prerequisites](appv-prerequisites.md) -- [Planning to Deploy App-V](appv-planning-to-deploy-appv.md) -- [App-V Supported Configurations](appv-supported-configurations.md) -- [App-V Planning Checklist](appv-planning-checklist.md) +- [Preparing your environment for App-V](appv-preparing-your-environment.md) +- [App-V prerequisites](appv-prerequisites.md) +- [Planning to deploy App-V](appv-planning-to-deploy-appv.md) +- [App-V supported configurations](appv-supported-configurations.md) +- [App-V planning checklist](appv-planning-checklist.md) [Deploying 
App-V](appv-deploying-appv.md) -- [Deploying the App-V Sequencer and Configuring the Client](appv-deploying-the-appv-sequencer-and-client.md) +- [Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md) - [Deploying the App-V Server](appv-deploying-the-appv-server.md) -- [App-V Deployment Checklist](appv-deployment-checklist.md) -- [Deploying Microsoft Office 2016 by Using App-V](appv-deploying-microsoft-office-2016-with-appv.md) -- [Deploying Microsoft Office 2013 by Using App-V](appv-deploying-microsoft-office-2013-with-appv.md) -- [Deploying Microsoft Office 2010 by Using App-V](appv-deploying-microsoft-office-2010-wth-appv.md) +- [App-V deployment checklist](appv-deployment-checklist.md) +- [Deploying Microsoft Office 2016 by using App-V](appv-deploying-microsoft-office-2016-with-appv.md) +- [Deploying Microsoft Office 2013 by using App-V](appv-deploying-microsoft-office-2013-with-appv.md) +- [Deploying Microsoft Office 2010 by using App-V](appv-deploying-microsoft-office-2010-wth-appv.md) [Operations for App-V](appv-operations.md) -- [Creating and Managing App-V Virtualized Applications](appv-creating-and-managing-virtualized-applications.md) +- [Creating and managing App-V virtualized applications](appv-creating-and-managing-virtualized-applications.md) - [Automatically provision your sequencing environment using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-provision-a-vm.md) - [Automatically sequence multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-sequencing.md) - [Automatically update multiple apps at the same time using Microsoft Application Virtualization Sequencer (App-V Sequencer)](appv-auto-batch-updating.md) -- [Administering App-V Virtual Applications by Using the Management Console](appv-administering-virtual-applications-with-the-management-console.md) -- [Managing Connection 
Groups](appv-managing-connection-groups.md) -- [Deploying App-V Packages by Using Electronic Software Distribution (ESD)](appv-deploying-packages-with-electronic-software-distribution-solutions.md) +- [Administering App-V Virtual Applications by using the Management Console](appv-administering-virtual-applications-with-the-management-console.md) +- [Managing connection groups](appv-managing-connection-groups.md) +- [Deploying App-V packages by using Electronic Software Distribution (ESD)](appv-deploying-packages-with-electronic-software-distribution-solutions.md) - [Using the App-V Client Management Console](appv-using-the-client-management-console.md) -- [Automatically cleanup unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) -- [Migrating to App-V from a Previous Version](appv-migrating-to-appv-from-a-previous-version.md) +- [Automatically clean up unpublished packages on the App-V client](appv-auto-clean-unpublished-packages.md) +- [Migrating to App-V from a previous version](appv-migrating-to-appv-from-a-previous-version.md) - [Maintaining App-V](appv-maintaining-appv.md) -- [Administering App-V by Using Windows PowerShell](appv-administering-appv-with-powershell.md) +- [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) [Troubleshooting App-V](appv-troubleshooting.md) -[Technical Reference for App-V](appv-technical-reference.md) +[Technical reference for App-V](appv-technical-reference.md) -- [Performance Guidance for Application Virtualization](appv-performance-guidance.md) -- [Application Publishing and Client Interaction](appv-application-publishing-and-client-interaction.md) -- [Viewing App-V Server Publishing Metadata](appv-viewing-appv-server-publishing-metadata.md) -- [Running a Locally Installed Application Inside a Virtual Environment with Virtualized Applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md) +- [Performance guidance for 
Application Virtualization](appv-performance-guidance.md) +- [Application publishing and client interaction](appv-application-publishing-and-client-interaction.md) +- [Viewing App-V Server publishing metadata](appv-viewing-appv-server-publishing-metadata.md) +- [Running a locally installed application inside a virtual environment with virtualized applications](appv-running-locally-installed-applications-inside-a-virtual-environment.md) ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). \ No newline at end of file diff --git a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md index 2a510d8f89..f914466f82 100644 --- a/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md +++ b/windows/application-management/app-v/appv-load-the-powershell-cmdlets-and-get-cmdlet-help.md 
@@ -6,172 +6,90 @@ ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- +# How to load the Windows PowerShell cmdlets for App-V and get cmdlet help +>Applies to: Windows 10, version 1607 -# How to Load the Windows PowerShell Cmdlets for App-V and Get Cmdlet Help +## Requirements for using Windows PowerShell cmdlets -**Applies to** -- Windows 10, version 1607 +This section will tell you what you'll need to use the PowerShell cmdlets. -What this topic covers: +### How to let users access PowerShell cmdlets -- [Requirements for using Windows PowerShell cmdlets](#bkmk-reqs-using-posh) +You can grant your users access to PowerShell cmdlets through one of the following methods: -- [Loading the Windows PowerShell cmdlets](#bkmk-load-cmdlets) +* While you're deploying and configuring the App-V server, specify an Active Directory group or individual user with permissions to manage the App-V environment. For more information, see [How to deploy the App-V Server](appv-deploy-the-appv-server.md). +* After you've deployed the App-V server, you can use the App-V Management console to add an additional Active Directory group or user. For more information, see [How to add or remove an administrator by using the Management console](appv-add-or-remove-an-administrator-with-the-management-console.md). 
-- [Getting help for the Windows PowerShell cmdlets](#bkmk-get-cmdlet-help) +### Elevated command prompt -- [Displaying the help for a Windows PowerShell cmdlet](#bkmk-display-help-cmdlet) +You'll need an elevated command prompt to run the following cmdlets: -## Requirements for using Windows PowerShell cmdlets +* **Add-AppvClientPackage** +* **Remove-AppvClientPackage** +* **Set-AppvClientConfiguration** +* **Add-AppvClientConnectionGroup** +* **Remove-AppvClientConnectionGroup** +* **Add-AppvPublishingServer** +* **Remove-AppvPublishingServer** +* **Send-AppvClientReport** +* **Set-AppvClientMode** +* **Set-AppvClientPackage** +* **Set-AppvPublishingServer** +### Other cmdlets -Review the following requirements for using the Windows PowerShell cmdlets: +The following cmdlets are ones that end-users can run unless you configure them to require an elevated command prompt. - ---- - - - - - - - - - - - - - - - - - - - - -
      RequirementDetails

      Users can run App-V Server cmdlets only if you grant them access by using one of the following methods:

        -
      • When you are deploying and configuring the App-V Server:

        -

        Specify an Active Directory group or individual user that has permissions to manage the App-V environment. See [How to Deploy the App-V Server](appv-deploy-the-appv-server.md).

      • -
      • After you’ve deployed the App-V Server:

        -

        Use the App-V Management console to add an additional Active Directory group or user. See [How to Add or Remove an Administrator by Using the Management Console](appv-add-or-remove-an-administrator-with-the-management-console.md).

      • -

      Cmdlets that require an elevated command prompt

        -
      • Add-AppvClientPackage

      • -
      • Remove-AppvClientPackage

      • -
      • Set-AppvClientConfiguration

      • -
      • Add-AppvClientConnectionGroup

      • -
      • Remove-AppvClientConnectionGroup

      • -
      • Add-AppvPublishingServer

      • -
      • Remove-AppvPublishingServer

      • -
      • Send-AppvClientReport

      • -
      • Set-AppvClientMode

      • -
      • Set-AppvClientPackage

      • -
      • Set-AppvPublishingServer

      • -

      Cmdlets that end users can run, unless you configure them to require an elevated command prompt

        -
      • Publish-AppvClientPackage

      • -
      • Unpublish-AppvClientPackage

      • -
      -

      To configure these cmdlets to require an elevated command prompt, use one of the following methods:

      -
        -
      • Run the Set-AppvClientConfiguration cmdlet with the -RequirePublishAsAdmin parameter.

        -

        For more information, see:
        [How to Manage Connection Groups on a Stand-alone Computer by Using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md)
        [How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#bkmk-admins-pub-pkgs).

      • -
      • Enable the “Require publish as administrator” Group Policy setting for App-V Clients.

        -

        For more information, see [How to Publish a Package by Using the Management Console](appv-publish-a-packages-with-the-management-console.md)

      • -
      -
      +* **Publish-AppvClientPackage** +* **Unpublish-AppvClientPackage** -  +To configure these cmdlets to require an elevated command prompt, use one of the following methods: -## Loading the Windows PowerShell cmdlets +* Run the **Set-AppvClientConfiguration** cmdlet with the *-RequirePublishAsAdmin* parameter. For more information, see the following resources: + * [How to manage connection groups on a stand-alone computer by using Windows PowerShell](appv-manage-connection-groups-on-a-stand-alone-computer-with-powershell.md) + * [Understanding pending packages: UserPending and GlobalPending](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#about-pending-packages-userpending-and-globalpending) +* Enable the **Require publish as administrator** Group Policy setting for App-V Clients. For more information, see [How to publish a package by using the Management Console](appv-publish-a-packages-with-the-management-console.md). +## Loading the Windows PowerShell cmdlets To load the Windows PowerShell cmdlet modules: -1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE). +1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE). +2. Enter one of the following cmdlets to load a list of usable cmdlets for the module you want: -2. Type one of the following commands to load the cmdlets for the module you want: +|App-v component|Cmdlet to enter| +|---|---| +|App-V Server|**Import-Module AppvServer**| +|App-V Sequencer|**Import-Module AppvSequencer**| +|App-V Client|**Import-Module AppvClient**| - ---- - - - - - - - - - - - - - - - - - - - - -
      App-V componentCommand to type

      App-V Server

      Import-Module AppvServer

      App-V Sequencer

      Import-Module AppvSequencer

      App-V Client

      Import-Module AppvClient

      - -  - -## Getting help for the Windows PowerShell cmdlets +## Getting help for the Windows PowerShell cmdlets Starting in App-V 5.0 SP3, cmdlet help is available in two formats: -- **As a downloadable module**: To download the latest help after downloading the cmdlet module, open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE), and type one of the following commands: +* As a downloadable module in PowerShell. To access the module, open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE) and enter one of the cmdlets from the following table. - ---- - - - - - - - - - - - - - - - - - - - - -
      App-V componentCommand to type

      App-V Server

      Update-Help -Module AppvServer

      App-V Sequencer

      Update-Help -Module AppvSequencer

      App-V Client

      Update-Help -Module AppvClient

      +|App-v component|Cmdlet to enter| +|---|---| +|App-V Server|**Update-Help -Module AppvServer**| +|App-V Sequencer|**Update-Help -Module AppvSequencer**| +|App-V Client|**Update-Help -Module AppvClient**| -
      - -- **On TechNet as web pages**: See the App-V node under [Microsoft Desktop Optimization Pack Automation with Windows PowerShell](https://technet.microsoft.com/library/dn520245.aspx). - -## Displaying the help for a Windows PowerShell cmdlet +* Online in the [Microsoft Desktop Optimization Pack](https://docs.microsoft.com/en-us/powershell/mdop/get-started?view=win-mdop2-ps). +## Displaying the help for a Windows PowerShell cmdlet To display help for a specific Windows PowerShell cmdlet: -1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE). - -2. Type **Get-Help** <*cmdlet*>, for example, **Get-Help Publish-AppvClientPackage**. - +1. Open Windows PowerShell or Windows PowerShell Integrated Scripting Environment (ISE). +2. Enter **Get-Help** followed by the cmdlet you need help with. For example: + ```PowerShell + Get-Help Publish-AppvClientPackage + ``` ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). \ No newline at end of file diff --git a/windows/application-management/app-v/appv-maintaining-appv.md b/windows/application-management/app-v/appv-maintaining-appv.md index 3db885c191..f98668cea5 100644 --- a/windows/application-management/app-v/appv-maintaining-appv.md +++ b/windows/application-management/app-v/appv-maintaining-appv.md 
@@ -6,45 +6,30 @@ ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- - - # Maintaining App-V -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 After you have deployed App-V for Windows 10, you can use the following information to maintain the App-V infrastructure. ## Moving the App-V server -The App-V server connects to the App-V database. Therefore you can install the management component on any computer on the network and then connect it to the App-V database. +The App-V server connects to the App-V database, which means you can install the management component and connect it to the App-V database on any computer on the network. For more information, see [How to move the App-V server to another computer](appv-move-the-appv-server-to-another-computer.md). -[How to Move the App-V Server to Another Computer](appv-move-the-appv-server-to-another-computer.md) +## Determine if an App-V application is running virtualized -## Determine if an App-V Application is Running Virtualized +Independent software vendors (ISV) who want to determine if an application is running virtualized with App-V should open a named object called **AppVVirtual-<PID>** in the default namespace (PID stands for process ID). To find the process ID of the process you're currently using, enter the Windows API **GetCurrentProcessId()**. +For example, let's say the process ID is 4052. If you can successfully open a named Event object called **AppVVirtual-4052** with the **OpenEvent()** API in the default read access namespace, then the application is virtual. If the **OpenEvent()** call fails, the application isn't virtual. -Independent software vendors (ISV) who want to determine if an application is running virtualized with App-V should open a named object called **AppVVirtual-<PID>** in the default namespace. 
For example, Windows API **GetCurrentProcessId()** can be used to obtain the current process's ID, for example 4052, and then if a named Event object called **AppVVirtual-4052** can be successfully opened using **OpenEvent()** in the default namespace for read access, then the application is virtual. If the **OpenEvent()** call fails, the application is not virtual. - -Additionally, ISV’s who want to explicitly virtualize or not virtualize calls on specific API’s with App-V 5.1 and later, can use the **VirtualizeCurrentThread()** and **CurrentThreadIsVirtualized()** functions implemented in the AppEntSubsystems32.dll module. These provide a way of hinting at a downstream component that the call should or should not be virtualized. +Additionally, ISVs who want to explicitly virtualize or not virtualize calls on specific APIs with App-V 5.1 and later can use the **VirtualizeCurrentThread()** and **CurrentThreadIsVirtualized()** functions implemented in the AppEntSubsystems32.dll module to hint to a downstream component whether the call should be virtualized or not. ## Have a suggestion for App-V? - -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Other resources for maintaining App-V - -[Operations for App-V](appv-operations.md) - -  - -  - - - - - +* [Operations for App-V](appv-operations.md) \ No newline at end of file diff --git a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md index e3c9eca586..dc187289aa 100644 --- a/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md +++ b/windows/application-management/app-v/appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md 
@@ -1,283 +1,171 @@ --- -title: How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell (Windows 10) -description: How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell +title: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell (Windows 10) +description: How to manage App-V packages running on a stand-alone computer by using Windows PowerShell. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/24/2018 --- +# How to manage App-V packages running on a stand-alone computer by using Windows PowerShell +>Applies to: Windows 10, version 1607 -# How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell +The following sections explain how to perform various management tasks on a stand-alone client computer with Windows PowerShell cmdlets. -**Applies to** -- Windows 10, version 1607 +## Return a list of packages +Enter the **Get-AppvClientPackage** cmdlet to return a list of packages entitled to a specific user. Its parameters are *-Name*, *-Version*, *-PackageID*, and *-VersionID*. -The following sections explain how to perform various management tasks on a stand-alone client computer by using Windows PowerShell: +For example: -- [To return a list of packages](#bkmk-return-pkgs-standalone-posh) +```PowerShell +Get-AppvClientPackage –Name “ContosoApplication” -Version 2 +``` -- [To add a package](#bkmk-add-pkgs-standalone-posh) +## Add a package -- [To publish a package](#bkmk-pub-pkg-standalone-posh) +Use the **Add-AppvClientPackage** cmdlet to add a package to a computer. -- [To publish a package to a specific user](#bkmk-pub-pkg-a-user-standalone-posh) +>[!IMPORTANT] +>This example only adds a package. It does not publish the package to the user or the computer. 
-- [To add and publish a package](#bkmk-add-pub-pkg-standalone-posh) +For example: -- [To unpublish an existing package](#bkmk-unpub-pkg-standalone-posh) +```PowerShell +$Contoso = Add-AppvClientPackage \\\\path\\to\\appv\\package.appv +``` -- [To unpublish a package for a specific user](#bkmk-unpub-pkg-specfc-use) +## Publish a package -- [To remove an existing package](#bkmk-remove-pkg-standalone-posh) +Use the **Publish-AppvClientPackage** cmdlet to publish a package that has been added to either a specific user or globally to any user on the computer. -- [To enable only administrators to publish or unpublish packages](#bkmk-admins-pub-pkgs) +Enter the cmdlet with the application name to publish it to the user. -- [Understanding pending packages (UserPending and GlobalPending)](#bkmk-understd-pend-pkgs) +```PowerShell +Publish-AppvClientPackage “ContosoApplication” +``` -## To return a list of packages +To publish the application globally, just add the *-Global* parameter. +```Powershell +Publish-AppvClientPackage “ContosoApplication” -Global +``` -Use the following information to return a list of packages that are entitled to a specific user: +## Publish a package to a specific user -**Cmdlet**: Get-AppvClientPackage +>[!NOTE]   +>You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter. -**Parameters**: -Name -Version -PackageID -VersionID - -**Example**: Get-AppvClientPackage –Name “ContosoApplication” -Version 2 - -## To add a package - - -Use the following information to add a package to a computer. - -**Important**   -This example only adds a package. It does not publish the package to the user or the computer. - -  - -**Cmdlet**: Add-AppvClientPackage - -**Example**: $Contoso = Add-AppvClientPackage \\\\path\\to\\appv\\package.appv - -## To publish a package - - -Use the following information to publish a package that has been added to a specific user or globally to any user on the computer. - - ---- - - - - - - - - - - - - - - - - -
      Publishing methodCmdlet and example

      Publishing to the user

      Cmdlet: Publish-AppvClientPackage

      -

      Example: Publish-AppvClientPackage “ContosoApplication”

      Publishing globally

      Cmdlet: Publish-AppvClientPackage

      -

      Example: Publish-AppvClientPackage “ContosoApplication” -Global

      - -  - -## To publish a package to a specific user - - -**Note**   -You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter. - -  - -An administrator can publish a package to a specific user by specifying the optional **–UserSID** parameter with the **Publish-AppvClientPackage** cmdlet, where **-UserSID** represents the end user’s security identifier (SID). +An administrator can publish a package to a specific user by specifying the optional *–UserSID* parameter with the **Publish-AppvClientPackage** cmdlet, where *-UserSID* represents the end user’s security identifier (SID). To use this parameter: -- You can run this cmdlet from the user or administrator session. +- You can run this cmdlet from the user or administrator session. +- You must be logged in with administrative credentials to use the parameter. +- The end user must be signed in. +- You must provide the end user’s security identifier (SID). -- You must be logged in with administrative credentials to use the parameter. +For example: -- The end user must be logged in. +```PowerShell +Publish-AppvClientPackage “ContosoApplication” -UserSID S-1-2-34-56789012-3456789012-345678901-2345 +``` -- You must provide the end user’s security identifier (SID). +## Add and publish a package -**Cmdlet**: Publish-AppvClientPackage +Use the **Add-AppvClientPackage** cmdlet to add a package to a computer and publish it to the user. -**Example**: Publish-AppvClientPackage “ContosoApplication” -UserSID S-1-2-34-56789012-3456789012-345678901-2345 +For example: -## To add and publish a package +```PowerShell +Add-AppvClientPackage | Publish-AppvClientPackage +``` +## Unpublish an existing package -Use the following information to add a package to a computer and publish it to the user. +Use the **Unpublish-AppvClientPackage** cmdlet to unpublish a package which has been entitled to a user but not remove the package from the computer. 
-**Cmdlet**: Add-AppvClientPackage +For example: -**Example**: Add-AppvClientPackage \\\\path\\to\\appv\\package.appv | Publish-AppvClientPackage +```PowerShell +Unpublish-AppvClientPackage “ContosoApplication” +``` -## To unpublish an existing package +## Unpublish a package for a specific user +>[!NOTE] +>You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter. -Use the following information to unpublish a package which has been entitled to a user but not remove the package from the computer. - -**Cmdlet**: Unpublish-AppvClientPackage - -**Example**: Unpublish-AppvClientPackage “ContosoApplication” - -## To unpublish a package for a specific user - - -**Note**   -You must use App-V 5.0 SP2 Hotfix Package 5 or later to use this parameter. - -  - -An administrator can unpublish a package for a specific user by using the optional **–UserSID** parameter with the **Unpublish-AppvClientPackage** cmdlet, where **-UserSID** represents the end user’s security identifier (SID). +An administrator can unpublish a package for a specific user by using the optional *-UserSID* parameter with the **Unpublish-AppvClientPackage** cmdlet, where *-UserSID* represents the end user’s security identifier (SID). To use this parameter: -- You can run this cmdlet from the user or administrator session. +- You can run this cmdlet from the user or administrator session. +- You must sign in with administrative credentials to use the parameter. +- The end user must be signed in. +- You must provide the end user’s security identifier (SID). -- You must be logged in with administrative credentials to use the parameter. +For example: -- The end user must be logged in. +```PowerShell +Unpublish-AppvClientPackage “ContosoApplication” -UserSID S-1-2-34-56789012-3456789012-345678901-2345 +``` -- You must provide the end user’s security identifier (SID). 
+## Remove an existing package -**Cmdlet**: Unpublish-AppvClientPackage +Use the **Remove-AppvClientPackage** cmdlet to remove a package from the computer. -**Example**: Unpublish-AppvClientPackage “ContosoApplication” -UserSID S-1-2-34-56789012-3456789012-345678901-2345 +For example: -## To remove an existing package +```PowerShell +Remove-AppvClientPackage “ContosoApplication” +``` +>[!NOTE] +>App-V cmdlets have been assigned to variables for the previous examples for clarity only; assignment is not a requirement. Most cmdlets can be combined as displayed in [Add and publish a package](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#add-and-publish-a-package). For a detailed tutorial, see [App-V 5.0 Client PowerShell Deep Dive](https://blogs.technet.microsoft.com/appv/2012/12/03/app-v-5-0-client-powershell-deep-dive/). -Use the following information to remove a package from the computer. +## Enable only administrators to publish or unpublish packages -**Cmdlet**: Remove-AppvClientPackage +Starting in App-V 5.0 SP3, you can use the **Set-AppvClientConfiguration** cmdlet and *-RequirePublishAsAdmin* parameter to enable only administrators (not end users) to publish or unpublish packages. -**Example**: Remove-AppvClientPackage “ContosoApplication” +You can set the *-RequirePublishAsAdmin* parameter to the following values: -**Note**   -App-V cmdlets have been assigned to variables for the previous examples for clarity only; assignment is not a requirement. Most cmdlets can be combined as displayed in [To add and publish a package](#bkmk-add-pub-pkg-standalone-posh). For a detailed tutorial, see [App-V 5.0 Client PowerShell Deep Dive](https://blogs.technet.microsoft.com/appv/2012/12/03/app-v-5-0-client-powershell-deep-dive/). 
+- 0: False +- 1: True -  +For example: -## To enable only administrators to publish or unpublish packages +```PowerShell +Set-AppvClientConfiguration –RequirePublishAsAdmin1 +``` -Starting in App-V 5.0 SP3, you can use the following cmdlet and parameter to enable only administrators (not end users) to publish or unpublish packages: +To use the App-V Management console to set this configuration, see [How to publish a package by using the Management Console](appv-publish-a-packages-with-the-management-console.md). - ---- - - - - - - - - - - -

      Cmdlet

      Set-AppvClientConfiguration

      Parameter

      -RequirePublishAsAdmin

      -

      Parameter values:

      -
        -
      • 0 - False

      • -
      • 1 - True

      • -
      -

      Example:: Set-AppvClientConfiguration –RequirePublishAsAdmin1

      +## About pending packages: UserPending and GlobalPending -  +Starting in App-V 5.0 SP2, if you run a Windows PowerShell cmdlet that affects a package currently in use, the task you're trying to perform is placed in a pending state. For example, if you try to publish a package when an application in that package is being used, and then run **Get-AppvClientPackage**, the pending status appears in the cmdlet output as follows: -To use the App-V Management console to set this configuration, see [How to Publish a Package by Using the Management Console](appv-publish-a-packages-with-the-management-console.md). - -## Understanding pending packages (UserPending and GlobalPending) - - -**Starting in App-V 5.0 SP2**: If you run a Windows PowerShell cmdlet that affects a package that is currently in use, the task that you are trying to perform is placed in a pending state. For example, if you try to publish a package when an application in that package is being used, and then run **Get-AppvClientPackage**, the pending status appears in the cmdlet output as follows: - - ---- - - - - - - - - - - - - - - - - -
      Cmdlet output itemDescription

      UserPending

      Indicates whether the listed package has a pending task that is being applied to the user:

      -
        -
      • True

      • -
      • False

      • -

      GlobalPending

      Indicates whether the listed package has a pending task that is being applied globally to the computer:

      -
        -
      • True

      • -
      • False

      • -
      - -  +|Cmdlet output item|Description| +|---|---| +|UserPending|Indicates whether the listed package has a pending task that is being applied to the user:
      - True
      - False| +|GlobalPending|Indicates whether the listed package has a pending task that is being applied globally to the computer:
      - True
      - False| The pending task will run later, according to the following rules: - ---- - - - - - - - - - - - - - - - - -
      Task typeApplicable rule

      User-based task, e.g., publishing a package to a user

      The pending task will be performed after the user logs off and then logs back on.

      Globally based task, e.g., enabling a connection group globally

      The pending task will be performed when the computer is shut down and then restarted.

      +|Task type|Applicable rule| +|---|---| +|User-based
      (for example, publishing a package to a user)|The pending task will be performed after the user logs off and then logs back on.| +|Globally based
      (for example, enabling a connection group globally)|The pending task will be performed when the computer is shut down and then restarted.| For more information about pending tasks, see [Upgrading an in-use App-V package](appv-application-publishing-and-client-interaction.md#upgrading-an-in-use-app-v-package). ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) - -[Administering App-V by Using Windows PowerShell](appv-administering-appv-with-powershell.md) - +- [Operations for App-V](appv-operations.md) +- [Administering App-V by using Windows PowerShell](appv-administering-appv-with-powershell.md) \ No newline at end of file diff --git a/windows/application-management/app-v/appv-publish-a-connection-group.md b/windows/application-management/app-v/appv-publish-a-connection-group.md index 739de9f0a3..cebbaac7ad 100644 --- a/windows/application-management/app-v/appv-publish-a-connection-group.md +++ b/windows/application-management/app-v/appv-publish-a-connection-group.md @@ -6,29 +6,25 @@ ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- - - # How to Publish a Connection Group -**Applies to** -- Windows 10, version 1607 +>Applies to: Windows 10, version 1607 After you create a connection group, you must publish it to computers that run the App-V client. -**To publish a connection group** +## Publish a connection group -1. Open the App-V Management Console, and select **CONNECTION GROUPS**. +1. Open the App-V Management Console and select **CONNECTION GROUPS**. -2. Right-click the connection group to be published, and select **publish**. +2. Right-click the connection group to be published, and select **publish**. ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
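Review bot: The example under "Enable only administrators to publish or unpublish packages" reads `Set-AppvClientConfiguration –RequirePublishAsAdmin1`, with no space between the parameter and its value, so the name passed is `RequirePublishAsAdmin1` rather than `-RequirePublishAsAdmin` with the value 1 listed just above it. Copied as written, the command will most likely fail to bind, and the restriction that keeps end users from publishing or unpublishing packages is never applied. I would write it as `Set-AppvClientConfiguration -RequirePublishAsAdmin 1` and add a sentence telling the reader to confirm the setting afterwards, for example with `Get-AppvClientConfiguration`. The pipeline example under "Add and publish a package" also appears to have lost its package path argument compared with the removed line, which is worth checking in the source file.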
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) - -[Managing Connection Groups](appv-managing-connection-groups.md) +* [Operations for App-V](appv-operations.md) +* [Managing connection groups](appv-managing-connection-groups.md) diff --git a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md index fb9ad9b19f..8451509577 100644 --- a/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md +++ b/windows/application-management/app-v/appv-publish-a-packages-with-the-management-console.md 
@@ -1,51 +1,45 @@ --- -title: How to Publish a Package by Using the Management Console (Windows 10) -description: How to Publish a Package by Using the Management Console +title: How to publish a package by using the Management console (Windows 10) +description: How to publish a package by using the Management console. author: MaggiePucciEvans ms.pagetype: mdop, appcompat, virtualization ms.mktglfcycl: deploy ms.sitesec: library ms.prod: w10 -ms.date: 04/19/2017 +ms.date: 09/27/2018 --- +# How to publish a package by using the Management console +>Applies to: Windows 10, version 1607 -# How to Publish a Package by Using the Management Console +Use the following procedure to publish an App-V package. Once you publish a package, computers running the App-V client can access and run the applications in that package. -**Applies to** -- Windows 10, version 1607 +>[!NOTE]   +>The ability to enable only administrators to publish or unpublish packages (described below) is supported starting in App-V 5.0 SP3. -Use the following procedure to publish an App-V package. Once you publish a package, computers that are running the App-V client can access and run the applications in that package. +## Publish an App-V package -**Note**   -The ability to enable only administrators to publish or unpublish packages (described below) is supported starting in App-V 5.0 SP3. +1. In the App-V Management console. Select or right-click the name of the package to be published. Select **Publish**. -  - -**To publish an App-V package** - -1. In the App-V Management console. Click or right-click the name of the package to be published. Select **Publish**. - -2. Review the **Status** column to verify that the package has been published and is now available. If the package is available, the status **published** is displayed. +2. Review the **Status** column to verify that the package has been published and is now available. If the package is available, the status **published** is displayed. 
If the package is not published successfully, the status **unpublished** is displayed, along with error text that explains why the package is not available. -**To enable only administrators to publish or unpublish packages** +## Enable only administrators to publish or unpublish packages -1. Navigate to the following Group Policy Object node: +1. Navigate to the following Group Policy Object node: - **Computer Configuration > Administrative Templates > System > App-V > Publishing**. + **Computer Configuration** > **Administrative Templates** > **System** > **App-V** > **Publishing**. -2. Enable the **Require publish as administrator** Group Policy setting. +2. Enable the **Require publish as administrator** Group Policy setting. - To instead use Windows PowerShell to set this item, see [How to Manage App-V Packages Running on a Stand-Alone Computer by Using Windows PowerShell](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#bkmk-admins-pub-pkgs). + To instead use Windows PowerShell to set this item, see [Understanding pending packages: UserPending and GlobalPending](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#about-pending-packages-userpending-and-globalpending). ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization).
      For App-V issues, use the [App-V TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopappv). +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). ## Related topics -[Operations for App-V](appv-operations.md) - -[How to Configure Access to Packages by Using the Management Console](appv-configure-access-to-packages-with-the-management-console.md) +* [Operations for App-V](appv-operations.md) +* [How to configure access to packages by using the Management console](appv-configure-access-to-packages-with-the-management-console.md) \ No newline at end of file diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index af6faf50b6..b6515bbde1 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -15,7 +15,7 @@ ms.date: 08/23/2018 The following types of apps run on Windows 10: - Windows apps - introduced in Windows 8, primarily installed from the Store app. - Universal Windows Platform (UWP) apps - designed to work across platforms, can be installed on multiple platforms including Windows client, Windows Phone, and Xbox. All UWP apps are also Windows apps, but not all Windows apps are UWP apps. -- "Win32" apps - traditional Windows applications, built for 32-bit systems. +- "Win32" apps - traditional Windows applications. Digging into the Windows apps, there are two categories: - System apps - Apps that are installed in the c:\Windows\* directory. These apps are integral to the OS. 
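Review bot: In step 2 of "Enable only administrators to publish or unpublish packages", the rewritten cross-reference points to `#about-pending-packages-userpending-and-globalpending` with the link text "Understanding pending packages: UserPending and GlobalPending", but the sentence is about setting Require publish as administrator through PowerShell, and the removed line linked to the admin-publishing section. A reader who follows it lands on the pending-state tables and never sees the `-RequirePublishAsAdmin` instructions. Going by the heading this commit adds in the PowerShell article, the link should probably be `[Enable only administrators to publish or unpublish packages](appv-manage-appv-packages-running-on-a-stand-alone-computer-with-powershell.md#enable-only-administrators-to-publish-or-unpublish-packages)`. The exact anchor slug should be confirmed against the published page.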
@@ -38,115 +38,66 @@ Some of the apps show up in multiple tables - that's because their status change System apps are integral to the operating system. Here are the typical system apps in Windows 10 versions 1703, 1709, and 1803. -| Name | Full name | 1703 | 1709 | 1803 |Uninstall through UI? | -|------------------|--------------------------------------------|:----:|:----:|:----:|:----------------------------------:| -| Cortana UI | CortanaListenUIApp | x | | |No | -| | Desktop Learning | x | | |No | -| | DesktopView | x | | |No | -| | EnvironmentsApp | x | | |No | -| Mixed Reality + | HoloCamera | x | | |No | -| Mixed Reality + | HoloItemPlayerApp | x | | |No | -| Mixed Reality + | HoloShell | x | | |No | -| | InputApp | | x | x |No | -| | Microsoft.AAD.BrokerPlugin | x | x | x |No | -| | Microsoft.AccountsControl | x | x | x |No | -| Hello setup UI | Microsoft.BioEnrollment | x | x | x |No | -| | Microsoft.CredDialogHost | x | x | x |No | -| | Microsoft.ECApp | | x | x |No | -| | Microsoft.LockApp | x | x | x |No | -| Microsoft Edge | Microsoft.MicrosoftEdge | x | x | x |No | -| | Microsoft.PPIProjection | x | x | x |No | -| | Microsoft.Windows.Apprep.ChxApp | x | x | x |No | -| | Microsoft.Windows.AssignedAccessLockApp | x | x | x |No | -| | Microsoft.Windows.CloudExperienceHost | x | x | x |No | -| | Microsoft.Windows.ContentDeliveryManager | x | x | x |No | -| Cortana | Microsoft.Windows.Cortana | x | x | x |No | -| | Microsoft.Windows.Holographic.FirstRun | x | x | x |No | -| | Microsoft.Windows.ModalSharePickerHost | x | | |No | -| | Microsoft.Windows.OOBENetworkCaptivePort | x | x | x |No | -| | Microsoft.Windows.OOBENetworkConnectionFlow| x | x | x |No | -| | Microsoft.Windows.ParentalControls | x | x | x |No | -| People Hub | Microsoft.Windows.PeopleExperienceHost | | x | x |No | -| | Microsoft.Windows.PinningConfirmationDialog| | x | x |No | -| | Microsoft.Windows.SecHealthUI | x | x | x |No | -| | Microsoft.Windows.SecondaryTileExperience | x | x | |No 
| -| | Microsoft.Windows.SecureAssessmentBrowser | x | x | x |No | -| Start | Microsoft.Windows.ShellExperienceHost | x | x | x |No | -| Windows Feedback | Microsoft.WindowsFeedback | * | * | |No | -| | Microsoft.XboxGameCallableUI | x | x | x |No | -| Contact Support\* | Windows.ContactSupport | x | * | |via Optional Features app | -| Settings | Windows.ImmersiveControlPanel | x | x | |No | -| Connect | Windows.MiracastView | x | | |No | -| Print 3D | Windows.Print3D | | x | |Yes | -| Print UI | Windows.PrintDialog | x | x | x |No | -| Purchase UI | Windows.PurchaseDialog | | | x |No | -| | Microsoft.AsyncTextService | | | x |No | -| | Microsoft.MicrosoftEdgeDevToolsClient | | | x |No | -| | Microsoft.Win32WebViewHost | | | x |No | -| | Microsoft.Windows.CapturePicker | | | x |No | -| | Windows.CBSPreview | | | x |No | -|File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | | x |No | -|File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | | x |No | -|App Resolver | E2A4F912-2574-4A75-9BB0-0D023378592B | | | x |No | -|Add Suggested folder Dialog box| F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE|| | x |No | - ->[!NOTE] ->\* The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support). - -## Provisioned Windows apps - -Here are the typical provisioned Windows apps in Windows 10 versions 1703, 1709, and 1803. - -| App Name (Canonical) | Display Name | 1703 | 1709 | 1803 | Uninstall via UI? 
| -|--------------------------------|------------------------|:-----:|:----:|:----:|:-----------------:| -| 3D Builder | [Microsoft.3DBuilder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | x | | | Yes | -| App Installer | [Microsoft.DesktopAppInstaller](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | Via Settings App | -| Feedback Hub | [Microsoft.WindowsFeedbackHub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | Yes | -| Get Help | [Microsoft.GetHelp](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | | x | x | No | -| Get Office | [Microsoft.MicrosoftOfficeHub](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | Yes | -| Groove Music | [Microsoft.ZuneMusic](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | No | -| Mail and Calendar | [Microsoft.windowscommunicationsapps](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | No | -| Microsoft Messaging | [Microsoft.Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | No | -| Microsoft People | [Microsoft.People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | No | -| Microsoft Photos | [Microsoft.Windows.Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | No | -| Microsoft Solitaire Collection | [Microsoft.MicrosoftSolitaireCollection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | Yes | -| Microsoft Sticky Notes | [Microsoft.MicrosoftStickyNotes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | No | -| Microsoft Tips | [Microsoft.Getstarted](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | Yes | -| Mixed Reality Viewer | 
[Microsoft.Microsoft3DViewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | No | -| Movies & TV | [Microsoft.ZuneVideo](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | No | -| MSN Weather (BingWeather | [Microsoft.BingWeather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | Yes | -| One Note | [Microsoft.Office.OneNote](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | Yes | -| Paid Wi-Fi & Cellular | [Microsoft.OneConnect](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | Yes | -| Paint 3D | [Microsoft.MSPaint](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | No | -| Print 3D | [Microsoft.Print3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | | x | x | No | -| Skype | [Microsoft.SkypeApp](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | Yes | -| Store Purchase App\* | App not available in store | x | x | x | No | -| Wallet | App not available in store | x | x | x | No | -| Web Media Extensions | [Microsoft.WebMediaExtensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | | | x | No | -| Windows Alarms & Clock | [Microsoft.WindowsAlarms](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | No | -| Windows Calculator | [Microsoft.WindowsCalculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | No | -| Windows Camera | [Microsoft.WindowsCamera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | No | -| Windows Maps | [Microsoft.WindowsMaps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | No | -| Windows Store | [Microsoft.WindowsStore](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | No | -| Windows Voice Recorder | 
[Microsoft.SoundRecorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | No | -| Xbox | [Microsoft.XboxApp](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | No | -| Xbox Game Bar | [Microsoft.XboxGameOverlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | No | -| Xbox Gaming Overlay | [Microsoft.XboxGamingOverlay](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | | | x | No | -| Xbox Identity Provider | [Microsoft.XboxIdentityProvider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | No | -| Xbox Speech to Text Overlay | App not available in store | x | x | x | No | -| Xbox TCUI | [Microsoft.Xbox.TCUI](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | | x | x | No | - ->[!NOTE] ->\* The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. - - +| Name | Full name |1703 | 1709 | 1803 |Uninstall through UI? 
| +|------------------|-------------------------------------------|:------:|:------:|:------:|-------------------------------------------------------| +| Cortana UI | CortanaListenUIApp | x | | |No | +| | Desktop Learning | x | | |No | +| | DesktopView | x | | |No | +| | EnvironmentsApp | x | | |No | +| Mixed Reality + | HoloCamera | x | | |No | +| Mixed Reality + | HoloItemPlayerApp | x | | |No | +| Mixed Reality + | HoloShell | x | | |No | +| | InputApp | | x | x |No | +| | Microsoft.AAD.Broker.Plugin | x | x | x |No | +| | Microsoft.AccountsControl | x | x | x |No | +| Hello setup UI | Microsoft.BioEnrollment | x | x | x |No | +| | Microsoft.CredDialogHost | x | x | x |No | +| | Microsoft.ECApp | | x | x |No | +| | Microsoft.LockApp | x | x | x |No | +| Microsoft Edge | Microsoft.Microsoft.Edge | x | x | x |No | +| | Microsoft.PPIProjection | x | x | x |No | +| | Microsoft.Windows. Apprep.ChxApp | x | x | x |No | +| | Microsoft.Windows. AssignedAccessLockApp | x | x | x |No | +| | Microsoft.Windows. CloudExperienceHost | x | x | x |No | +| | Microsoft.Windows. ContentDeliveryManager | x | x | x |No | +| Cortana | Microsoft.Windows.Cortana | x | x | x |No | +| | Microsoft.Windows. Holographic.FirstRun | x | x | x |No | +| | Microsoft.Windows. ModalSharePickerHost | x | | |No | +| | Microsoft.Windows. OOBENetworkCaptivePort | x | x | x |No | +| | Microsoft.Windows. OOBENetworkConnectionFlow | x | x | x |No | +| | Microsoft.Windows. ParentalControls | x | x | x |No | +| People Hub | Microsoft.Windows. PeopleExperienceHost | | x | x |No | +| | Microsoft.Windows. PinningConfirmationDialog | | x | x |No | +| | Microsoft.Windows. SecHealthUI | x | x | x |No | +| | Microsoft.Windows. SecondaryTileExperience | x | x | |No | +| | Microsoft.Windows. SecureAssessmentBrowser | x | x | x |No | +| Start | Microsoft.Windows. 
ShellExperienceHost | x | x | x |No | +| Windows Feedback | Microsoft.WindowsFeedback | * | * | |No | +| | Microsoft.XboxGameCallableUI | x | x | x |No | +| Contact Support* | Windows.ContactSupport | x | * | |Via Optional Features app | +| Settings | Windows.ImmersiveControlPanel | x | x | |No | +| Connect | Windows.MiracastView | x | | |No | +| Print 3D | Windows.Print3D | | x | |Yes | +| Print UI | Windows.PrintDialog | x | x | x |No | +| Purchase UI | Windows.PurchaseDialog | | | x |No | +| | Microsoft.AsyncTextService | | | x |No | +| | Microsoft.MicrosoftEdgeDevToolsClient | | | x |No | +| | Microsoft.Win32WebViewHost | | | x |No | +| | Microsoft.Windows.CapturePicker | | | x |No | +| | Windows.CBSPreview | | | x |No | +|File Picker | 1527c705-839a-4832-9118-54d4Bd6a0c89 | | | x |No | +|File Explorer | c5e2524a-ea46-4f67-841f-6a9465d9d515 | | | x |No | +|App Resolver | E2A4F912-2574-4A75-9BB0-0D023378592B | | | x |No | +|Add Suggested folder Dialog box| F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE|| | x |No | +> [!NOTE] +> - The Contact Support app changed to Get Help in version 1709. Get Help is a provisioned app (instead of system app like Contact Support). ## Installed Windows apps Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, and 1803. -| Name | DisplayName | 1703 | 1709 | 1803 |Uninstall through UI? | +| Name | Full name | 1703 | 1709 | 1803 |Uninstall through UI? | |--------------------|------------------------------------------|:----:|:----:|:----:|:----------------------:| | Remote Desktop | Microsoft.RemoteDesktop | x | x | | Yes | | PowerBI | Microsoft.Microsoft PowerBIforWindows | x | | | Yes | 
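Review bot: Several entries in the "Full name" column of the rewritten system-apps table no longer match the removed rows: `Microsoft.AAD.BrokerPlugin` became `Microsoft.AAD.Broker.Plugin`, `Microsoft.MicrosoftEdge` became `Microsoft.Microsoft.Edge`, and the `Microsoft.Windows.*` names gained a space after the second dot (`Microsoft.Windows. SecHealthUI`). If the spaces were added for column wrapping, they still end up in text that administrators copy into inventory queries and application-control rules, where a name that does not match exactly matches nothing. I would restore the exact names from the removed rows, for example `Microsoft.AAD.BrokerPlugin` and `Microsoft.MicrosoftEdge`, and handle wrapping in the table styling instead. The trailing note also lost its `\*` marker, so the `*` in the Contact Support row no longer refers to anything.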
@@ -176,13 +127,14 @@ Here are the typical installed Windows apps in Windows 10 versions 1703, 1709, a | | Microsoft.VCLibs.120.00.Universal | | x | | Yes | | | Microsoft.VCLibs.140.00.UWPDesktop | | | x | Yes | | | Microsoft.WinJS.2.0 | x | | | Yes | +--- ## Provisioned Windows apps Here are the typical provisioned Windows apps in Windows 10 versions 1703, 1709, and 1803. | Name | Full name | 1703 | 1709 | 1803 | Uninstall through UI? | -|---------------------------------|----------------------------------------|:------:|:------:|:------:|---------------------------| +|---------------------------------|----------------------------------------|:------:|:------:|:------:|:---------------------------:| | 3D Builder | Microsoft.3DBuilder | x | | | Yes | | Alarms & Clock | Microsoft.WindowsAlarms | x | x | x | No | | App Installer | Microsoft.DesktopAppInstaller | x | x | x | Via Settings App | @@ -221,7 +173,8 @@ Here are the typical provisioned Windows apps in Windows 10 versions 1703, 1709, | | Microsoft.XboxGameOverlay | x | x | x | No | | | Microsoft.XboxGamingOverlay | | | x | No | | | Microsoft.XboxIdentityProvider | x | x | x | No | -| | Microsoft.XboxSpeech ToTextOverlay | x | x | x | No | +| | Microsoft.XboxSpeech ToTextOverlay | x | x | x | No | +--- >[!NOTE] >The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index f36c6be04b..20b71d39e8 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md 
@@ -9,7 +9,7 @@ ms.localizationpriority: medium author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 05/16/2018 +ms.date: 10/02/2018 --- # Enable or block Windows Mixed Reality apps in the enterprise @@ -34,8 +34,7 @@ Organizations that use Windows Server Update Services (WSUS) must take action to 2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD. - a. Download [the FOD .cab file for Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab) or [the FOD .cab file for Windows 10, version 1709] - (http://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). + a. Download the FOD .cab file for [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](http://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab). >[!NOTE] >You must download the FOD .cab file that matches your operating system version. diff --git a/windows/application-management/msix-app-packaging-tool.md b/windows/application-management/msix-app-packaging-tool.md index 9fbf85d99b..c4e31dc19c 100644 --- a/windows/application-management/msix-app-packaging-tool.md +++ b/windows/application-management/msix-app-packaging-tool.md 
@@ -8,7 +8,7 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: mikeblodge ms.topic: article -ms.date: 08/01/2018 +ms.date: 09/21/2018 --- # Repackage existing win32 applications to the MSIX format @@ -23,6 +23,13 @@ The MSIX Packaging Tool (Preview) is now available to install from the Microsoft - A valid MSA alias (to access the app from the Store) ## What's new +v1.2018.915.0 +- Updated UI to improve clarity and experience +- Ability to generate a template file for use with a command line +- Ability to add/remove entry points +- Ability to sign your package from package editor +- File extension handling + v1.2018.821.0 - Command Line Support - Ability to use existing local virtual machines for packaging environment. @@ -147,7 +154,9 @@ Requirements: DisableWindowsUpdateService ="true"/> - + [!NOTE] >You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once and then running the following PowerShell cmdlet: > - >`net localgroup "Remote Desktop Users" /add "AzureAD\FirstnameLastname"` + >`net localgroup "Remote Desktop Users" /add "AzureAD\FirstnameLastname"`, where *FirstnameLastname* is the name of the user profile in C:\Users\, which is created based on DisplayName attribute in Azure AD. > >In Windows 10, version 1709, the user does not have to sign in to the remote device first. > diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md index b51971615e..231682d2b9 100644 --- a/windows/client-management/manage-settings-app-with-group-policy.md +++ b/windows/client-management/manage-settings-app-with-group-policy.md 
@@ -8,9 +8,20 @@ author: brianlic-msft ms.date: 04/19/2017 --- +**Applies to** + +- Windows 10, Windows Server 2016 + + # Manage the Settings app with Group Policy -Starting in Windows 10, version 1703, you can now manage the pages that are shown in the Settings app by using Group Policy. This lets you hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely. +You can now manage the pages that are shown in the Settings app by using Group Policy. This lets you hide specific pages from users. Before Windows 10, version 1703, you could either show everything in the Settings app or hide it completely. +To make use of the Settings App group polices on Windows server 2016, install fix [4457127](https://support.microsoft.com/help/4457127/windows-10-update-kb4457127) or a later cumulative update. + +>[!Note] +>Each server that you want to manage access to the Settings App must be patched. + +To centrally manage the new policies copy the ControlPanel.admx and ControlPanel.adml file to [Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) if your company uses one or the PolicyDefinitions folder of the Domain Controllers used for Group Policy management. This policy is available at **Computer Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**. diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md index 01387c62d6..3225ed9730 100644 --- a/windows/client-management/mandatory-user-profile.md +++ b/windows/client-management/mandatory-user-profile.md @@ -7,7 +7,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.author: jdecker -ms.date: 08/28/2018 +ms.date: 10/02/2018 --- # Create mandatory user profiles 
@@ -39,7 +39,7 @@ The name of the folder in which you store the mandatory profile must use the cor | Windows 8 | Windows Server 2012 | v3 | | Windows 8.1 | Windows Server 2012 R2 | v4 | | Windows 10, versions 1507 and 1511 | N/A | v5 | -| Windows 10, versions 1607, 1703, 1709, and 1803 | Windows Server 2016 | v6 | +| Windows 10, versions 1607, 1703, 1709, 1803, and 1809 | Windows Server 2016 | v6 | For more information, see [Deploy Roaming User Profiles, Appendix B](https://technet.microsoft.com/library/jj649079.aspx) and [Roaming user profiles versioning in Windows 10 and Windows Server Technical Preview](https://support.microsoft.com/kb/3056198). diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md index 961f686782..3ea9a42360 100644 --- a/windows/client-management/mdm/assignedaccess-csp.md +++ b/windows/client-management/mdm/assignedaccess-csp.md @@ -7,7 +7,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 04/25/2018 +ms.date: 09/18/2018 --- # AssignedAccess CSP 
@@ -95,15 +95,36 @@ In Windows 10, version 1803, Assigned Access runtime status only supports monito Note that status codes available in the Status payload correspond to a specific KioskModeAppRuntimeStatus. - |Status code | KioskModeAppRuntimeStatus | |---------|---------| | 1 | KioskModeAppRunning | | 2 | KioskModeAppNotFound | | 3 | KioskModeAppActivationFailure | +Additionally, the status payload includes a profileId that can be used by the MDM server to correlate which kiosk app caused the error. -Additionally, the status payload includes a profileId, which can be used by the MDM server to correlate which kiosk app caused the error. +In Windows 10, version 1810, Assigned Access runtime status supports monitoring single-app kiosk and multi-app modes. Here are the possible status codes. + +|Status|Description| +|---|---| +|Running|The AssignedAccess account (kiosk or multi-app) is running normally.| +|AppNotFound|The kiosk app isn't deployed to the machine.| +|ActivationFailed|The AssignedAccess account (kiosk or multi-app) failed to sign in.| +|AppNoResponse|The kiosk app launched successfully but is now unresponsive.| + +Note that status codes available in the Status payload correspond to a specific AssignedAccessRuntimeStatus. + +|Status code|AssignedAccessRuntimeStatus| +|---|---| +|1|Running| +|2|AppNotFound| +|3|ActivationFailed| +|4|AppNoResponse| + +Additionally, the Status payload includes the following fields: + +- profileId: can be used by the MDM server to correlate which account caused the error. +- OperationList: list of failed operations that occurred while applying the assigned access CSP, if any exist. Supported operation is Get. @@ -1116,10 +1137,11 @@ ShellLauncherConfiguration Get - - - - + + + + + @@ -1129,19 +1151,35 @@ ShellLauncherConfiguration Get + + + + + + + + + + + + + + + + - + - + - + diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index 44813e0616..5925f48358 100644 
--- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -14,7 +14,7 @@ ms.date: 08/31/2018 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, next major version, it is also supported in Windows 10 Pro. +The BitLocker configuration service provider (CSP) is used by the enterprise to manage encryption of PCs and devices. This CSP was added in Windows 10, version 1703. Starting in Windows 10, version 1809, it is also supported in Windows 10 Pro. > [!Note] > Settings are enforced only at the time encryption is started. Encryption is not restarted with settings changes. diff --git a/windows/client-management/mdm/bitlocker-ddf-file.md b/windows/client-management/mdm/bitlocker-ddf-file.md index df0326e929..9d1fd9bf4d 100644 --- a/windows/client-management/mdm/bitlocker-ddf-file.md +++ b/windows/client-management/mdm/bitlocker-ddf-file.md @@ -18,7 +18,7 @@ This topic shows the OMA DM device description framework (DDF) for the **BitLock Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the current version Windows 10, next major version. +The XML below is the current version Windows 10, version 1809. ``` syntax diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md index dbcadd6903..350ea6ad5e 100644 --- a/windows/client-management/mdm/configuration-service-provider-reference.md +++ b/windows/client-management/mdm/configuration-service-provider-reference.md 
@@ -29,7 +29,7 @@ Footnotes: - 2 - Added in Windows 10, version 1703 - 3 - Added in Windows 10, version 1709 - 4 - Added in Windows 10, version 1803 -- 5 - Added in Windows 10, next major version +- 5 - Added in Windows 10, version 1809
      @@ -2652,7 +2652,7 @@ Footnotes: - 2 - Added in Windows 10, version 1703 - 3 - Added in Windows 10, version 1709 - 4 - Added in Windows 10, version 1803 -- 5 - Added in Windows 10, next major version +- 5 - Added in Windows 10, version 1809 ## CSP DDF files download @@ -2700,7 +2700,7 @@ The following list shows the configuration service providers supported in Window - 2 - Added in Windows 10, version 1703 - 3 - Added in Windows 10, version 1709 - 4 - Added in Windows 10, version 1803 -- 5 - Added in Windows 10, next major version +- 5 - Added in Windows 10, version 1809 ## CSPs supported in Microsoft Surface Hub diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 30c188ac88..9782ed9ad1 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -179,7 +179,7 @@ An interior node to group information about Windows Defender health status. Supported operation is Get. **Health/ProductStatus** -Added in Windows 10, next major version. Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list. +Added in Windows 10, version 1809. Provide the current state of the product. This is a bitmask flag value that can represent one or multiple product states from below list. Data type is integer. Supported operation is Get. diff --git a/windows/client-management/mdm/defender-ddf.md b/windows/client-management/mdm/defender-ddf.md index afd02d79f2..7d4f147be9 100644 --- a/windows/client-management/mdm/defender-ddf.md +++ b/windows/client-management/mdm/defender-ddf.md 
@@ -17,7 +17,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Defende Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is for Windows 10, next major version. +The XML below is for Windows 10, version 1809. ``` syntax diff --git a/windows/client-management/mdm/devdetail-csp.md b/windows/client-management/mdm/devdetail-csp.md index 27dd7bead4..5f9609bccf 100644 --- a/windows/client-management/mdm/devdetail-csp.md +++ b/windows/client-management/mdm/devdetail-csp.md @@ -146,7 +146,7 @@ The following diagram shows the DevDetail configuration service provider managem Supported operation is Get. **Ext/Microsoft/SMBIOSSerialNumber** -Added in Windows 10, next major version. SMBIOS Serial Number of the device. +Added in Windows 10, version 1809. SMBIOS Serial Number of the device. Value type is string. Supported operation is Get. diff --git a/windows/client-management/mdm/devdetail-ddf-file.md b/windows/client-management/mdm/devdetail-ddf-file.md index 737bb65143..e84b804e6c 100644 --- a/windows/client-management/mdm/devdetail-ddf-file.md +++ b/windows/client-management/mdm/devdetail-ddf-file.md @@ -19,7 +19,7 @@ This topic shows the OMA DM device description framework (DDF) for the **DevDeta Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is for Windows 10, next major version. +The XML below is for Windows 10, version 1809. ``` syntax diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md index 0af729754b..84e3a07225 100644 --- a/windows/client-management/mdm/device-update-management.md +++ b/windows/client-management/mdm/device-update-management.md 
@@ -2,6 +2,7 @@
 title: Device update management
 description: In the current device landscape of PC, tablets, phones, and IoT devices, the Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology.
 ms.assetid: C27BAEE7-2890-4FB7-9549-A6EACC790777
+keywords: mdm,management,administrator
 ms.author: maricia
 ms.topic: article
 ms.prod: w10
@@ -13,15 +14,18 @@ ms.date: 11/15/2017 # Device update management -In the current device landscape of PC, tablets, phones, and IoT devices, the Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we are investing heavily in extending the management capabilities available to MDMs. One key feature we are adding is the ability for MDMs to keep devices up-to-date with the latest Microsoft Updates. +>[!TIP] +>If you're not a developer or administrator, you'll find more helpful information in the [Windows Update: Frequently Asked Questions](https://support.microsoft.com/help/12373/windows-update-faq). -In particular, Windows 10 provides additional APIs to enable MDMs to: +In the current device landscape of PC, tablets, phones, and IoT devices, Mobile Device Management (MDM) solutions are becoming prevalent as a lightweight device management technology. In Windows 10, we are investing heavily in extending the management capabilities available to MDMs. One key feature we are adding is the ability for MDMs to keep devices up-to-date with the latest Microsoft updates. + +In particular, Windows 10 provides APIs to enable MDMs to: - Ensure machines stay up-to-date by configuring Automatic Update policies. - Test updates on a smaller set of machines before enterprise-wide rollout by configuring which updates are approved for a given device. - Get compliance status of managed devices so IT can easily understand which machines still need a particular security patch, or how up-to-date is a particular machine. -This topic provides MDM ISVs with the information they need to implement update management in Windows 10. +This topic provides MDM independent software vendors (ISV) with the information they need to implement update management in Windows 10. In Windows 10, the MDM protocol has been extended to better enable IT admins to manage updates. 
In particular, Windows has added configuration service providers (CSPs) that expose policies and actions for MDMs to: @@ -30,7 +34,8 @@ In Windows 10, the MDM protocol has been extended to better enable IT admins to - Specify a per-device update approval list, to ensure devices don’t install unapproved updates that have not been tested. - Approve EULAs on behalf of the end-user so update deployment can be automated even for updates with EULAs. -The OMA DM APIs for specifying update approvals and getting compliance status reference updates using an Update ID, which is a GUID that identifies a particular update. The MDM, of course, will want to expose IT-friendly information about the update (instead of a raw GUID), including the update’s title, description, KB, update type (for example, a security update or service pack). For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526707). +The OMA DM APIs for specifying update approvals and getting compliance status refer to updates by using an Update ID, which is a GUID that identifies a particular update. The MDM, of course, will want to expose IT-friendly information about the update (instead of a raw GUID), including the update’s title, description, KB, update type (for example, a security update or service pack). For more information, see [\[MS-WSUSSS\]: Windows Update Services: Server-Server Protocol](https://go.microsoft.com/fwlink/p/?LinkId=526707). + For more information about the CSPs, see [Update CSP](update-csp.md) and the update policy area of the [Policy CSP](policy-configuration-service-provider.md). The following diagram provides a conceptual overview of how this works: diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md index aed90a1771..febb95a255 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-csp.md 
+++ b/windows/client-management/mdm/enterprisemodernappmanagement-csp.md 
@@ -164,35 +164,35 @@ Required. Used for managing apps from the Microsoft Store. Supported operations are Get and Delete. **AppManagement/AppStore/ReleaseManagement** -Added in Windows 10, next major version. Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. +Added in Windows 10, version 1809. Interior node for the managing updates through the Microsoft Store. These settings allow the IT admin to specify update channels for apps that they want their users to use for receiving updates. It allows the IT admin to assign a specific release to a smaller group for testing before the large deployment to the rest of the organization. > [!Note] > ReleaseManagement settings only apply to updates through the Microsoft Store. **AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_** -Added in Windows 10, next major version. Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. +Added in Windows 10, version 1809. Identifier for the app or set of apps. If there is only one app, it is the PackageFamilyName. If it is for a set of apps, it is the PackageFamilyName of the main app. **AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ChannelId** -Added in Windows 10, next major version. Specifies the app channel ID. +Added in Windows 10, version 1809. Specifies the app channel ID. Value type is string. Supported operations are Add, Get, Replace, and Delete. **AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/ReleaseManagementId** -Added in Windows 10, next major version. 
The IT admin can specify a release ID to indicate a specific release they would like the user or device to be on. +Added in Windows 10, version 1809. The IT admin can specify a release ID to indicate a specific release they would like the user or device to be on. Value type is string. Supported operations are Add, Get, Replace, and Delete. **AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease** -Added in Windows 10, next major version. Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. +Added in Windows 10, version 1809. Interior node used to specify the effective app release to use when multiple user policies are set on the device. The device policy or last user policy is used. **AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ChannelId** -Added in Windows 10, next major version. Returns the last user channel ID on the device. +Added in Windows 10, version 1809. Returns the last user channel ID on the device. Value type is string. Supported operation is Get. **AppManagement/AppStore/ReleaseManagement/_ReleaseManagementKey_/EffectiveRelease/ReleaseManagementId** -Added in Windows 10, next major version. Returns the last user release ID on the device. +Added in Windows 10, version 1809. Returns the last user release ID on the device. Value type is string. Supported operation is Get. 
@@ -389,7 +389,7 @@ Expected Behavior on an AMD64 machine that has x86 flavor of an app installed (M |False (not set) |Not configured |X64 flavor is picked | **.../_PackageFamilyName_/NonRemovable** -Added in Windows 10, next major version. Specifies if an app is nonremovable by the user. +Added in Windows 10, version 1809. Specifies if an app is nonremovable by the user. This setting allows the IT admin to set an app to be nonremovable, or unable to be uninstalled by a user. This is useful in enterprise and education scenarios, where the IT admin might want to ensure that everyone always has certain apps and they won't be removed accidentally. This is also useful when there are multiple users per device, and you want to ensure that one user doesn’t remove it for all users. diff --git a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md index cb7ad9e1c9..10a37ce63c 100644 --- a/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md +++ b/windows/client-management/mdm/enterprisemodernappmanagement-ddf.md @@ -19,7 +19,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Enterpr Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is for Windows 10, next major version. +The XML below is for Windows 10, version 1809. ``` syntax diff --git a/windows/client-management/mdm/images/provisioning-csp-bitlocker.png b/windows/client-management/mdm/images/provisioning-csp-bitlocker.png index cc7920f7f5..d3d33ff9f6 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-bitlocker.png and b/windows/client-management/mdm/images/provisioning-csp-bitlocker.png differ 
diff --git a/windows/client-management/mdm/images/provisioning-csp-defender.png b/windows/client-management/mdm/images/provisioning-csp-defender.png
index fa27e9baf2..c4a743deeb 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-defender.png and b/windows/client-management/mdm/images/provisioning-csp-defender.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png
index f5cf62ff0f..6926801241 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png and b/windows/client-management/mdm/images/provisioning-csp-devdetail-dm.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png
index b33a9020ec..018354545f 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png and b/windows/client-management/mdm/images/provisioning-csp-enterprisemodernappmanagement.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-office.png b/windows/client-management/mdm/images/provisioning-csp-office.png
index 2c8ec1f444..c6bf90a18a 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-office.png and b/windows/client-management/mdm/images/provisioning-csp-office.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-passportforwork2.png b/windows/client-management/mdm/images/provisioning-csp-passportforwork2.png
index af267f4f6d..8f804b9185 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-passportforwork2.png and b/windows/client-management/mdm/images/provisioning-csp-passportforwork2.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png b/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png
index be91906aa3..73494217f8 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png and b/windows/client-management/mdm/images/provisioning-csp-remotewipe-dmandcp.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png b/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png
index a066d9261e..6c4c961a58 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png and b/windows/client-management/mdm/images/provisioning-csp-supl-dmandcp.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-uefi.png b/windows/client-management/mdm/images/provisioning-csp-uefi.png
index 6900dd0c83..42adcc7895 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-uefi.png and b/windows/client-management/mdm/images/provisioning-csp-uefi.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-wifi.png b/windows/client-management/mdm/images/provisioning-csp-wifi.png
index f5891084ea..28f5080466 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-wifi.png and b/windows/client-management/mdm/images/provisioning-csp-wifi.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png b/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png
index 0f5e318d8f..5d8eaab42f 100644
Binary files a/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png and b/windows/client-management/mdm/images/provisioning-csp-windowsdefenderapplicationguard.png differ
diff --git a/windows/client-management/mdm/images/provisioning-csp-windowslicensing.png b/windows/client-management/mdm/images/provisioning-csp-windowslicensing.png index 3345eb730c..07ca4f9982 100644 Binary files a/windows/client-management/mdm/images/provisioning-csp-windowslicensing.png and b/windows/client-management/mdm/images/provisioning-csp-windowslicensing.png differ diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index 71c4e0aa6f..a5e489976e 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md @@ -5,12 +5,12 @@ MS-HAID: - 'p\_phDeviceMgmt.provisioning\_and\_device\_management' - 'p\_phDeviceMgmt.mobile\_device\_management\_windows\_mdm' ms.assetid: 50ac90a7-713e-4487-9cb9-b6d6fdaa4e5b -ms.author: maricia +ms.author: jdecker ms.topic: article ms.prod: w10 ms.technology: windows -author: MariciaAlforque -ms.date: 06/26/2017 +author: jdeckerms +ms.date: 09/12/2018 --- # Mobile device management 
@@ -25,6 +25,29 @@ There are two parts to the Windows 10 management component: Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows 10 users. MDM servers do not need to create or download a client to manage Windows 10. For details about the MDM protocols, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347). +## MDM security baseline + +With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros’ operational needs, addressing security concerns for modern cloud-managed devices. + +The MDM security baseline includes policies that cover the following areas: + +- Microsoft inbox security technology (not deprecated) such as Bitlocker, Smartscreen, and DeviceGuard (virtual-based security), ExploitGuard, Defender, and Firewall +- Restricting remote access to devices +- Setting credential requirements for passwords and PINs +- Restricting use of legacy technology +- Legacy technology policies that offer alternative solutions with modern technology +- And much more + +For more details about the MDM policies defined in the MDM security baseline and what Microsoft’s recommended baseline policy values are, see [Security baseline (DRAFT) for Windows 10 v1809 and Windows Server 2019](https://blogs.technet.microsoft.com/secguide/2018/10/01/security-baseline-draft-for-windows-10-v1809-and-windows-server-2019/). 
+ + + + +## Learn about migrating to MDM + +When an organization wants to move to MDM to manage devices, they should prepare by analyzing their current Group Policy settings to see what they need to transition to MDM management. Microsoft created the [MDM Migration Analysis Tool](https://aka.ms/mmat/) (MMAT) to help. MMAT determines which Group Policies have been set for a target user or computer and then generates a report that lists the level of support for each policy settings in MDM equivalents. For more information, see [MMAT Instructions](https://github.com/WindowsDeviceManagement/MMAT/blob/master/MDM%20Migration%20Analysis%20Tool%20Instructions.pdf). + + ## Learn about device enrollment diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index d02371d2dc..432c713588 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/27/2018 +ms.date: 09/20/2018 --- # What's new in MDM enrollment and management @@ -27,7 +27,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s - [What's new in Windows 10, version 1703](#whatsnew10) - [What's new in Windows 10, version 1709](#whatsnew1709) - [What's new in Windows 10, version 1803](#whatsnew1803) -- [What's new in Windows 10, next major version](#whatsnewnext) +- [What's new in Windows 10, version 1809](#whatsnew1809) - [Change history in MDM documentation](#change-history-in-mdm-documentation) - [Breaking changes and known issues](#breaking-changes-and-known-issues) - [Get command inside an atomic command is not supported](#getcommand) 
@@ -1359,7 +1359,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s -## What's new in Windows 10, next major version +## What's new in Windows 10, version 1809 @@ -1375,7 +1375,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s - - - - - - - - - - - - - - + -
      [Policy CSP](policy-configuration-service-provider.md)

      Added the following new policies in Windows 10, next major version:

      +

      Added the following new policies in Windows 10, version 1809:

      • ApplicationManagement/LaunchAppAfterLogOn
      • ApplicationManagement/ScheduleForceRestartForUpdateFailures
      • @@ -1405,7 +1405,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
      • Defender/EnableLowCPUPriority
      • Defender/SignatureUpdateFallbackOrder
      • Defender/SignatureUpdateFileSharesSources
      • -
      • DeviceGuard/EnableSystemGuard
      • +
      • DeviceGuard/ConfigureSystemGuardLaunch
      • DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
      • DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
      • DeviceInstallation/PreventDeviceMetadataFromNetwork
      • @@ -1438,55 +1438,55 @@ For details about Microsoft mobile device management protocols for Windows 10 s
      [PassportForWork CSP](passportforwork-csp.md)

      Added new settings in Windows 10, next major version.

      +

      Added new settings in Windows 10, version 1809.

      [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)

      Added NonRemovable setting under AppManagement node in Windows 10, next major version.

      +

      Added NonRemovable setting under AppManagement node in Windows 10, version 1809.

      [Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md)

      Added new configuration service provider in Windows 10, next major version.

      +

      Added new configuration service provider in Windows 10, version 1809.

      [WindowsLicensing CSP](windowslicensing-csp.md)

      Added S mode settings and SyncML examples in Windows 10, next major version.

      +

      Added S mode settings and SyncML examples in Windows 10, version 1809.

      [SUPL CSP](supl-csp.md)

      Added 3 new certificate nodes in Windows 10, next major version.

      +

      Added 3 new certificate nodes in Windows 10, version 1809.

      [Defender CSP](defender-csp.md)

      Added a new node Health/ProductStatus in Windows 10, next major version.

      +

      Added a new node Health/ProductStatus in Windows 10, version 1809.

      [BitLocker CSP](bitlocker-csp.md)

      Added a new node AllowStandardUserEncryption in Windows 10, next major version. Added support for Windows 10 Pro.

      +

      Added a new node AllowStandardUserEncryption in Windows 10, version 1809. Added support for Windows 10 Pro.

      [DevDetail CSP](devdetail-csp.md)

      Added a new node SMBIOSSerialNumber in Windows 10, next major version.

      +

      Added a new node SMBIOSSerialNumber in Windows 10, version 1809.

      [Wifi CSP](wifi-csp.md)

      Added a new node WifiCost in Windows 10, next major version.

      +

      Added a new node WifiCost in Windows 10, version 1809.

      [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)

      Added new settings in Windows 10, next major version.

      +

      Added new settings in Windows 10, version 1809.

      [RemoteWipe CSP](remotewipe-csp.md)

      Added new settings in Windows 10, next major version.

      +

      Added new settings in Windows 10, version 1809.

      [TenantLockdown CSP](\tenantlockdown--csp.md)

      Added new CSP in Windows 10, next major version.

      +
      [TenantLockdown CSP](tenantlockdown-csp.md)

      Added new CSP in Windows 10, version 1809.

      [Office CSP](office-csp.md)

      Added FinalStatus setting in Windows 10, next major version.

      +

      Added FinalStatus setting in Windows 10, version 1809.

      @@ -1605,7 +1605,8 @@ The following list describes the prerequisites for a certificate to be used with The following XML sample explains the properties for the EAP TLS XML including certificate filtering. -> **Note**  For PEAP or TTLS Profiles the EAP TLS XML is embedded within some PEAP or TTLS specific elements. +>[!NOTE] +>For PEAP or TTLS Profiles the EAP TLS XML is embedded within some PEAP or TTLS specific elements.   ``` syntax @@ -1707,7 +1708,8 @@ The following XML sample explains the properties for the EAP TLS XML including c ``` -> **Note**  The EAP TLS XSD is located at **%systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd** +>[!NOTE] +>The EAP TLS XSD is located at **%systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd**   @@ -1758,6 +1760,13 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware ## Change history in MDM documentation +### September 2018 + +|New or updated topic | Description| +|--- | ---| +|[Mobile device management](index.md#mmat) | Added information about the MDM Migration Analysis Tool (MMAT).| +|[Policy CSP - DeviceGuard](policy-csp-deviceguard.md) | Updated ConfigureSystemGuardLaunch policy and replaced EnableSystemGuard with it.| + ### August 2018 @@ -1774,31 +1783,31 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware - - - - - - - - - - - - - - - - @@ -1942,7 +1951,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware - @@ -1954,7 +1963,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware - @@ -1969,7 +1978,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
    • Start/StartLayout - added a table of SKU support information.
    • Start/ImportEdgeAssets - added a table of SKU support information.
    • -

      Added the following new policies in Windows 10, next major version:

      +

      Added the following new policies in Windows 10, version 1809:

      • Update/EngagedRestartDeadlineForFeatureUpdates
      • Update/EngagedRestartSnoozeScheduleForFeatureUpdates
      • @@ -1980,7 +1989,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
      -
      [BitLocker CSP](bitlocker-csp.md)

      Added support for Windows 10 Pro starting in the next major version.

      +

      Added support for Windows 10 Pro starting in the version 1809.

      [Office CSP](office-csp.md)

      Added FinalStatus setting in Windows 10, next major version.

      +

      Added FinalStatus setting in Windows 10, version 1809.

      [RemoteWipe CSP](remotewipe-csp.md)

      Added new settings in Windows 10, next major version.

      +

      Added new settings in Windows 10, version 1809.

      [TenantLockdown CSP](\tenantlockdown--csp.md)

      Added new CSP in Windows 10, next major version.

      +

      Added new CSP in Windows 10, version 1809.

      [WindowsDefenderApplicationGuard CSP](windowsdefenderapplicationguard-csp.md)

      Added new settings in Windows 10, next major version.

      +

      Added new settings in Windows 10, version 1809.

      [Policy DDF file](policy-ddf-file.md)

      Posted an updated version of the Policy DDF for Windows 10, next major version.

      +

      Posted an updated version of the Policy DDF for Windows 10, version 1809.

      [Policy CSP](policy-configuration-service-provider.md)

      Added the following new policies in Windows 10, next major version:

      +

      Added the following new policies in Windows 10, version 1809:

      • Browser/AllowFullScreenMode
      • Browser/AllowPrelaunch
      • @@ -1859,39 +1868,39 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
      [PassportForWork CSP](passportforwork-csp.md)

      Added new settings in Windows 10, next major version.

      +

      Added new settings in Windows 10, version 1809.

      [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md)

      Added NonRemovable setting under AppManagement node in Windows 10, next major version.

      +

      Added NonRemovable setting under AppManagement node in Windows 10, version 1809.

      [Win32CompatibilityAppraiser CSP](win32compatibilityappraiser-csp.md)

      Added new configuration service provider in Windows 10, next major version.

      +

      Added new configuration service provider in Windows 10, version 1809.

      [WindowsLicensing CSP](windowslicensing-csp.md)

      Added S mode settings and SyncML examples in Windows 10, next major version.

      +

      Added S mode settings and SyncML examples in Windows 10, version 1809.

      [SUPL CSP](supl-csp.md)

      Added 3 new certificate nodes in Windows 10, next major version.

      +

      Added 3 new certificate nodes in Windows 10, version 1809.

      [Defender CSP](defender-csp.md)

      Added a new node Health/ProductStatus in Windows 10, next major version.

      +

      Added a new node Health/ProductStatus in Windows 10, version 1809.

      [BitLocker CSP](bitlocker-csp.md)

      Added a new node AllowStandardUserEncryption in Windows 10, next major version.

      +

      Added a new node AllowStandardUserEncryption in Windows 10, version 1809.

      [DevDetail CSP](devdetail-csp.md)

      Added a new node SMBIOSSerialNumber in Windows 10, next major version.

      +

      Added a new node SMBIOSSerialNumber in Windows 10, version 1809.

      [Policy CSP](policy-configuration-service-provider.md)

      Added the following new policies in Windows 10, next major version:

      +

      Added the following new policies in Windows 10, version 1809:

      • ApplicationManagement/LaunchAppAfterLogOn
      • ApplicationManagement/ScheduleForceRestartForUpdateFailures
      • @@ -1904,7 +1913,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
      • Defender/EnableLowCPUPriority
      • Defender/SignatureUpdateFallbackOrder
      • Defender/SignatureUpdateFileSharesSources
      • -
      • DeviceGuard/EnableSystemGuard
      • +
      • DeviceGuard/ConfigureSystemGuardLaunch
      • DeviceInstallation/AllowInstallationOfMatchingDeviceIDs
      • DeviceInstallation/AllowInstallationOfMatchingDeviceSetupClasses
      • DeviceInstallation/PreventDeviceMetadataFromNetwork
      • @@ -1920,7 +1929,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware

      Recent changes:

        -
      • DataUsage/SetCost3G - deprecated in Windows 10, next major version.
      • +
      • DataUsage/SetCost3G - deprecated in Windows 10, version 1809.
      [Wifi CSP](wifi-csp.md)

      Added a new node WifiCost in Windows 10, next major version.

      +

      Added a new node WifiCost in Windows 10, version 1809.

      [Diagnose MDM failures in Windows 10](diagnose-mdm-failures-in-windows-10.md)
      [Bitlocker CSP](bitlocker-csp.md)

      Added new node AllowStandardUserEncryption in Windows 10, next major version.

      +

      Added new node AllowStandardUserEncryption in Windows 10, version 1809.

      [Policy CSP](policy-configuration-service-provider.md)
      [WiredNetwork CSP](wirednetwork-csp.md)New CSP added in Windows 10, next major version. +New CSP added in Windows 10, version 1809.
      diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md index 61b8062660..0570cae0e3 100644 --- a/windows/client-management/mdm/office-csp.md +++ b/windows/client-management/mdm/office-csp.md @@ -48,7 +48,7 @@ The Microsoft Office installation status. The only supported operation is Get. **Installation/_id_/FinalStatus** -Added in Windows 10, next major version. Indicates the status of the Final Office 365 installation. +Added in Windows 10, version 1809. Indicates the status of the Final Office 365 installation. The only supported operation is Get. diff --git a/windows/client-management/mdm/office-ddf.md b/windows/client-management/mdm/office-ddf.md index 22e2ece540..1fb6d40a20 100644 --- a/windows/client-management/mdm/office-ddf.md +++ b/windows/client-management/mdm/office-ddf.md @@ -19,7 +19,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Office* Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is for Windows 10, next major version. +The XML below is for Windows 10, version 1809. ``` syntax diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md index 3dd02f716d..4b08386596 100644 --- a/windows/client-management/mdm/passportforwork-csp.md +++ b/windows/client-management/mdm/passportforwork-csp.md 
@@ -194,7 +194,7 @@ Supported operations are Add, Get, Delete, and Replace. *Not supported on Windows Holographic and Windows Holographic for Business.* ***TenantId*/Policies/UseHelloCertificatesAsSmartCardCertificates** (only for ./Device/Vendor/MSFT) -Added in Windows 10, next major version. If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates. +Added in Windows 10, version 1809. If you enable this policy setting, applications use Windows Hello for Business certificates as smart card certificates. Biometric factors are unavailable when a user is asked to authorize the use of the certificate's private key. This policy setting is designed to allow compatibility with applications that rely exclusively on smart card certificates. If you disable or do not configure this policy setting, applications do not use Windows Hello for Business certificates as smart card certificates, and biometric factors are available when a user is asked to authorize the use of the certificate's private key. diff --git a/windows/client-management/mdm/passportforwork-ddf.md b/windows/client-management/mdm/passportforwork-ddf.md index 06eabcf651..6f65055513 100644 --- a/windows/client-management/mdm/passportforwork-ddf.md +++ b/windows/client-management/mdm/passportforwork-ddf.md @@ -19,7 +19,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Passpor Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is for Windows 10, next major version. +The XML below is for Windows 10, version 1809. ``` syntax 
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index f636ec9c6d..6f425c85b1 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -987,7 +987,7 @@ The following diagram shows the Policy configuration service provider in tree fo
      - DeviceGuard/EnableSystemGuard + DeviceGuard/ConfigureSystemGuardLaunch
      DeviceGuard/EnableVirtualizationBasedSecurity @@ -4324,7 +4324,7 @@ The following diagram shows the Policy configuration service provider in tree fo - [DeliveryOptimization/DOSetHoursToLimitBackgroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) - [DeliveryOptimization/DOSetHoursToLimitForegroundDownloadBandwidth](./policy-csp-deliveryoptimization.md#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) - [Desktop/PreventUserRedirectionOfProfileFolders](./policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders) -- [DeviceGuard/EnableSystemGuard](./policy-csp-deviceguard.md#deviceguard-enablesystemguard) +- [DeviceGuard/ConfigureSystemGuardLaunch](./policy-csp-deviceguard.md#deviceguard-configuresystemguardlaunch) - [DeviceGuard/EnableVirtualizationBasedSecurity](./policy-csp-deviceguard.md#deviceguard-enablevirtualizationbasedsecurity) - [DeviceGuard/LsaCfgFlags](./policy-csp-deviceguard.md#deviceguard-lsacfgflags) - [DeviceGuard/RequirePlatformSecurityFeatures](./policy-csp-deviceguard.md#deviceguard-requireplatformsecurityfeatures) diff --git a/windows/client-management/mdm/policy-csp-browser.md b/windows/client-management/mdm/policy-csp-browser.md index 624f92fed0..44209b479a 100644 --- a/windows/client-management/mdm/policy-csp-browser.md +++ b/windows/client-management/mdm/policy-csp-browser.md @@ -873,7 +873,7 @@ Most restricted value: 1 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +>*Supported versions: Microsoft Edge on Windows 10, version 1810* [!INCLUDE [allow-fullscreen-mode-shortdesc](../../../browsers/edge/shortdesc/allow-fullscreen-mode-shortdesc.md)] 
@@ -1211,7 +1211,7 @@ To verify AllowPopups is set to 0 (not allowed): ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +>*Supported versions: Microsoft Edge on Windows 10, version 1810* [!INCLUDE [allow-prelaunch-shortdesc](../../../browsers/edge/shortdesc/allow-prelaunch-shortdesc.md)] @@ -1280,7 +1280,7 @@ Most restricted value: 0 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +>*Supported versions: Microsoft Edge on Windows 10, version 1810* [!INCLUDE [allow-printing-shortdesc](../../../browsers/edge/shortdesc/allow-printing-shortdesc.md)] @@ -1350,7 +1350,7 @@ Most restricted value: 0 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +>*Supported versions: Microsoft Edge on Windows 10, version 1810* [!INCLUDE [allow-saving-history-shortdesc](../../../browsers/edge/shortdesc/allow-saving-history-shortdesc.md)] @@ -1549,7 +1549,7 @@ Most restricted value: 0 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +>*Supported versions: Microsoft Edge on Windows 10, version 1810* [!INCLUDE [allow-sideloading-of-extensions-shortdesc](../../../browsers/edge/shortdesc/allow-sideloading-of-extensions-shortdesc.md)] @@ -1688,7 +1688,7 @@ To verify AllowSmartScreen is set to 0 (not allowed): ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +>*Supported versions: Microsoft Edge on Windows 10, version 1810* [!INCLUDE [allow-tab-preloading-shortdesc](../../../browsers/edge/shortdesc/allow-tab-preloading-shortdesc.md)] @@ -1757,7 +1757,7 @@ Most restricted value: 1 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +>*Supported versions: Microsoft Edge on Windows 10, version 1810* [!INCLUDE [allow-web-content-on-new-tab-page-shortdesc](../../../browsers/edge/shortdesc/allow-web-content-on-new-tab-page-shortdesc.md)] 
@@ -2029,7 +2029,7 @@ Most restricted value: 0 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +>*Supported versions: Microsoft Edge on Windows 10, version 1810* [!INCLUDE [configure-favorites-bar-shortdesc](../../../browsers/edge/shortdesc/configure-favorites-bar-shortdesc.md)] @@ -2099,7 +2099,7 @@ Supported values: ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +>*Supported versions: Microsoft Edge on Windows 10, version 1810* [!INCLUDE [configure-home-button-shortdesc](../../../browsers/edge/shortdesc/configure-home-button-shortdesc.md)] @@ -2174,7 +2174,7 @@ Supported values: ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +>*Supported versions: Microsoft Edge on Windows 10, version 1810* [!INCLUDE [configure-kiosk-mode-shortdesc](../../../browsers/edge/shortdesc/configure-kiosk-mode-shortdesc.md)] @@ -2252,7 +2252,7 @@ Supported values: ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +>*Supported versions: Microsoft Edge on Windows 10, version 1810* [!INCLUDE [configure-kiosk-reset-after-idle-timeout-shortdesc](../../../browsers/edge/shortdesc/configure-kiosk-reset-after-idle-timeout-shortdesc.md)] @@ -2324,7 +2324,7 @@ Supported values: ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +>*Supported versions: Microsoft Edge on Windows 10, version 1810* [!INCLUDE [configure-open-microsoft-edge-with-shortdesc](../../../browsers/edge/shortdesc/configure-open-microsoft-edge-with-shortdesc.md)] @@ -2333,7 +2333,7 @@ Supported values: If you don't want to send traffic to Microsoft, use the \ value, which honors both domain and non domain-joined devices when it's the only configured URL. -**Next major version**:
      +**version 1809**:
      When you enable this policy and select an option, and also enter the URLs of the pages you want in HomePages, Microsoft Edge ignores HomePages. @@ -2407,7 +2407,7 @@ Supported values: ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +>*Supported versions: Microsoft Edge on Windows 10, version 1810* [!INCLUDE [configure-browser-telemetry-for-m365-analytics-shortdesc](../../../browsers/edge/shortdesc/configure-browser-telemetry-for-m365-analytics-shortdesc.md)] @@ -2970,7 +2970,7 @@ Most restricted value: 1 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +>*Supported versions: Microsoft Edge on Windows 10, version 1810* [!INCLUDE [prevent-certificate-error-overrides-shortdesc](../../../browsers/edge/shortdesc/prevent-certificate-error-overrides-shortdesc.md)] @@ -3620,7 +3620,7 @@ Most restricted value: 1 ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +>*Supported versions: Microsoft Edge on Windows 10, version 1810* [!INCLUDE [set-home-button-url-shortdesc](../../../browsers/edge/shortdesc/set-home-button-url-shortdesc.md)] @@ -3689,7 +3689,7 @@ Supported values: ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +>*Supported versions: Microsoft Edge on Windows 10, version 1810* [!INCLUDE [set-new-tab-url-shortdesc](../../../browsers/edge/shortdesc/set-new-tab-url-shortdesc.md)] @@ -3897,7 +3897,7 @@ To verify that favorites are in synchronized between Internet Explorer and Micro ->*Supported versions: Microsoft Edge on Windows 10, next major update to Windows* +>*Supported versions: Microsoft Edge on Windows 10, version 1810* [!INCLUDE [unlock-home-button-shortdesc](../../../browsers/edge/shortdesc/unlock-home-button-shortdesc.md)] diff --git a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md index 1295ab27a3..5369a3d16d 100644 
--- a/windows/client-management/mdm/policy-csp-controlpolicyconflict.md +++ b/windows/client-management/mdm/policy-csp-controlpolicyconflict.md @@ -68,7 +68,7 @@ Added in Windows 10, version 1803. This policy allows the IT admin to control wh > MDMWinsOverGP only applies to policies in Policy CSP. It does not apply to other MDM settings with equivalent GP settings that are defined on other configuration service providers. This policy is used to ensure that MDM policy wins over GP when same setting is set by both GP and MDM channel. The default value is 0. The MDM policies in Policy CSP will behave as described if this policy value is set 1. -Note: This policy doesn’t support Delete command. This policy doesn’t support setting the value to be 0 again after it was previously set 1. In Windows 10, next major version, Delete command and setting the value to be 0 again if it was previously set to 1 will be supported. +Note: This policy doesn’t support Delete command. This policy doesn’t support setting the value to be 0 again after it was previously set 1. In Windows 10, version 1809, Delete command and setting the value to be 0 again if it was previously set to 1 will be supported. The following list shows the supported values: diff --git a/windows/client-management/mdm/policy-csp-datausage.md b/windows/client-management/mdm/policy-csp-datausage.md index 285c21097a..b1a2f2dfa1 100644 --- a/windows/client-management/mdm/policy-csp-datausage.md +++ b/windows/client-management/mdm/policy-csp-datausage.md @@ -34,7 +34,7 @@ ms.date: 07/13/2018 **DataUsage/SetCost3G** -This policy is deprecated in Windows 10, next major version. +This policy is deprecated in Windows 10, version 1809. diff --git a/windows/client-management/mdm/policy-csp-deviceguard.md b/windows/client-management/mdm/policy-csp-deviceguard.md index cacbb2acc6..18694ad290 100644 --- a/windows/client-management/mdm/policy-csp-deviceguard.md +++ b/windows/client-management/mdm/policy-csp-deviceguard.md 
@@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 07/30/2018 +ms.date: 09/20/2018 --- # Policy CSP - DeviceGuard @@ -22,7 +22,7 @@ ms.date: 07/30/2018
      - DeviceGuard/EnableSystemGuard + DeviceGuard/ConfigureSystemGuardLaunch
      DeviceGuard/EnableVirtualizationBasedSecurity @@ -39,7 +39,7 @@ ms.date: 07/30/2018
      -**DeviceGuard/EnableSystemGuard** +**DeviceGuard/ConfigureSystemGuardLaunch** diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 47018e826f..c536cc66a5 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -822,7 +822,7 @@ GP Info: > [!Warning] -> Starting in the next major version of Windows, this policy is deprecated. +> Starting in the version 1809 of Windows, this policy is deprecated. Domain member: Digitally encrypt or sign secure channel data (always) @@ -892,7 +892,7 @@ GP Info: > [!Warning] -> Starting in the next major version of Windows, this policy is deprecated. +> Starting in the version 1809 of Windows, this policy is deprecated. Domain member: Digitally encrypt secure channel data (when possible) @@ -959,7 +959,7 @@ GP Info: > [!Warning] -> Starting in the next major version of Windows, this policy is deprecated. +> Starting in the version 1809 of Windows, this policy is deprecated. Domain member: Disable machine account password changes diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md index f45615badd..d9da419854 100644 --- a/windows/client-management/mdm/policy-csp-privacy.md +++ b/windows/client-management/mdm/policy-csp-privacy.md 
@@ -370,7 +370,7 @@ The following list shows the supported values: -Added in Windows 10, next major version. Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. +Added in Windows 10, version 1809. Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. Most restricted value is 0. 
@@ -430,7 +430,7 @@ The following list shows the supported values: -Updated in Windows 10, next major version. This policy specifies whether users on the device have the option to enable online speech recognition. When enabled, users can use their voice for dictation and to talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft will use voice input to help improve our speech services. If the policy value is set to 0, online speech recognition will be disabled and users cannot enable online speech recognition via settings. If policy value is set to 1 or is not configured, control is deferred to users. +Updated in Windows 10, version 1809. This policy specifies whether users on the device have the option to enable online speech recognition. When enabled, users can use their voice for dictation and to talk to Cortana and other apps that use Microsoft cloud-based speech recognition. Microsoft will use voice input to help improve our speech services. If the policy value is set to 0, online speech recognition will be disabled and users cannot enable online speech recognition via settings. If policy value is set to 1 or is not configured, control is deferred to users. Most restricted value is 0. diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index e2bc67b21b..b3f6a039a4 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md 
@@ -66,7 +66,7 @@ This security setting allows an administrator to define the members of a securit
 Caution: If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members.
-Starting in Windows 10, next major version, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution.
+Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution.
 ``` syntax
diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md
index e6171c839d..fb505e937f 100644
--- a/windows/client-management/mdm/policy-csp-security.md
+++ b/windows/client-management/mdm/policy-csp-security.md
@@ -530,7 +530,7 @@ The following list shows the supported values:
-Added in Windows 10, next major version. This policy controls the Admin Authentication requirement in RecoveryEnvironment.
+Added in Windows 10, version 1809. This policy controls the Admin Authentication requirement in RecoveryEnvironment.
 Supported values:
 - 0 - Default: Keep using default(current) behavior
diff --git a/windows/client-management/mdm/policy-csp-settings.md b/windows/client-management/mdm/policy-csp-settings.md
index 5886443c5d..ffb4629d06 100644
--- a/windows/client-management/mdm/policy-csp-settings.md
+++ b/windows/client-management/mdm/policy-csp-settings.md
@@ -788,6 +788,7 @@ The following list shows the supported values:
 > [!div class = "checklist"]
 > * Device
+> * User
      diff --git a/windows/client-management/mdm/policy-ddf-file.md b/windows/client-management/mdm/policy-ddf-file.md index 2cb51a98c1..1c14be4723 100644 --- a/windows/client-management/mdm/policy-ddf-file.md +++ b/windows/client-management/mdm/policy-ddf-file.md @@ -27,7 +27,7 @@ You can download the DDF files from the links below: - [Download the Policy DDF file for Windows 10, version 1607 release 8C](https://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) - [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download) -The XML below is the DDF for Windows 10, next major version. +The XML below is the DDF for Windows 10, version 1809. ``` syntax @@ -25635,7 +25635,7 @@ Related policy: - EnableSystemGuard + ConfigureSystemGuardLaunch @@ -27217,7 +27217,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor - You can configure Microsoft Edge, when enabled, to prevent the "browser" group from using the Sync your Settings option to sync information, such as history and favorites, between user's devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. + You can configure Microsoft Edge, when enabled, to prevent the "browser" group from using the Sync your Settings option to sync information, such as history and favorites, between user's devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. Related policy: PreventUsersFromTurningOnBrowserSyncing 0 (default) = allow syncing, 2 = disable syncing 
@@ -33474,7 +33474,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. - + This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal. @@ -33862,7 +33862,7 @@ If you disable or do not configure this policy (recommended), users will be able Notes If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. -Disabling the Administrator account can become a maintenance issue under certain circumstances. +Disabling the Administrator account can become a maintenance issue under certain circumstances. Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. @@ -34352,7 +34352,7 @@ The options are: No Action Lock Workstation Force Logoff - Disconnect if a Remote Desktop Services session + Disconnect if a Remote Desktop Services session If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. 
@@ -35374,7 +35374,7 @@ This policy setting controls the behavior of all User Account Control (UAC) poli The options are: -• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. +• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. • Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. 
@@ -44745,7 +44745,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. + Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. 
Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. 1) The access token that is being impersonated is for this user. 2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. 3) The requested level is less than Impersonate, such as Anonymous or Identify. @@ -47064,11 +47064,11 @@ Because of these factors, users do not usually need this user right. Warning: If - - - - - + + + + +
      ]]> @@ -55084,7 +55084,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor 0 - You can configure Microsoft Edge, when enabled, to prevent the "browser" group from using the Sync your Settings option to sync information, such as history and favorites, between user's devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. + You can configure Microsoft Edge, when enabled, to prevent the "browser" group from using the Sync your Settings option to sync information, such as history and favorites, between user's devices. If you want syncing turned off by default in Microsoft Edge but not disabled, enable the Allow users to turn browser syncing on policy. If disabled or not configured, the Sync your Settings options are turned on in Microsoft Edge by default, and configurable by the user. Related policy: PreventUsersFromTurningOnBrowserSyncing 0 (default) = allow syncing, 2 = disable syncing @@ -62093,7 +62093,7 @@ Configure the minimum password age to be more than 0 if you want Enforce passwor Devices joined to Azure Active Directory in a hybrid environment need to interact with Active Directory Domain Controllers, but they lack the built-in ability to find a Domain Controller that a domain-joined device has. This can cause failures when such a device needs to resolve an AAD UPN into an Active Directory Principal. - + This parameter adds a list of domains that an Azure Active Directory joined device should attempt to contact if it is otherwise unable to resolve a UPN to a principal. 
@@ -62491,7 +62491,7 @@ If you disable or do not configure this policy (recommended), users will be able Notes If you try to reenable the Administrator account after it has been disabled, and if the current Administrator password does not meet the password requirements, you cannot reenable the account. In this case, an alternative member of the Administrators group must reset the password on the Administrator account. For information about how to reset a password, see To reset a password. -Disabling the Administrator account can become a maintenance issue under certain circumstances. +Disabling the Administrator account can become a maintenance issue under certain circumstances. Under Safe Mode boot, the disabled Administrator account will only be enabled if the machine is non-domain joined and there are no other local active administrator accounts. If the computer is domain joined the disabled administrator will not be enabled. @@ -63024,7 +63024,7 @@ The options are: No Action Lock Workstation Force Logoff - Disconnect if a Remote Desktop Services session + Disconnect if a Remote Desktop Services session If you click Lock Workstation in the Properties dialog box for this policy, the workstation is locked when the smart card is removed, allowing users to leave the area, take their smart card with them, and still maintain a protected session. 
@@ -64127,7 +64127,7 @@ This policy setting controls the behavior of all User Account Control (UAC) poli The options are: -• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. +• Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. • Disabled: Admin Approval Mode and all related UAC policy settings are disabled. Note: If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. 
@@ -74444,7 +74444,7 @@ Caution: If a Restricted Groups policy is applied, any current member not on the - Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. + Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. 
Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist. 1) The access token that is being impersonated is for this user. 2) The user, in this logon session, created the access token by logging on to the network with explicit credentials. 3) The requested level is less than Impersonate, such as Anonymous or Identify. diff --git a/windows/client-management/mdm/remotewipe-ddf-file.md b/windows/client-management/mdm/remotewipe-ddf-file.md index b2adadcfd1..990cf2ae5a 100644 --- a/windows/client-management/mdm/remotewipe-ddf-file.md +++ b/windows/client-management/mdm/remotewipe-ddf-file.md @@ -17,7 +17,7 @@ This topic shows the OMA DM device description framework (DDF) for the **RemoteW Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is the DDF for Windows 10, next major version. +The XML below is the DDF for Windows 10, version 1809. ``` syntax diff --git a/windows/client-management/mdm/supl-csp.md b/windows/client-management/mdm/supl-csp.md index 3733920512..5ff2a27abd 100644 --- a/windows/client-management/mdm/supl-csp.md +++ b/windows/client-management/mdm/supl-csp.md 
@@ -241,31 +241,31 @@ Specifies the name of the H-SLP root certificate as a string, in the format *nam
 The base 64 encoded blob of the H-SLP root certificate.
 **RootCertificate4**
-Added in Windows 10, next major version. Specifies the root certificate for the H-SLP server.
+Added in Windows 10, version 1809. Specifies the root certificate for the H-SLP server.
 **RootCertificate4/Name**
-Added in Windows 10, next major version. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer.
+Added in Windows 10, version 1809. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer.
 **RootCertificate4/Data**
-Added in Windows 10, next major version. The base 64 encoded blob of the H-SLP root certificate.
+Added in Windows 10, version 1809. The base 64 encoded blob of the H-SLP root certificate.
 **RootCertificate5**
-Added in Windows 10, next major version. Specifies the root certificate for the H-SLP server.
+Added in Windows 10, version 1809. Specifies the root certificate for the H-SLP server.
 **RootCertificate5/Name**
-Added in Windows 10, next major version. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer.
+Added in Windows 10, version 1809. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer.
 **RootCertificate5/Data**
-Added in Windows 10, next major version. The base 64 encoded blob of the H-SLP root certificate.
+Added in Windows 10, version 1809. The base 64 encoded blob of the H-SLP root certificate.
 **RootCertificate6**
-Added in Windows 10, next major version. Specifies the root certificate for the H-SLP server.
+Added in Windows 10, version 1809. Specifies the root certificate for the H-SLP server.
 **RootCertificate6/Name**
-Added in Windows 10, next major version. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer.
+Added in Windows 10, version 1809. Specifies the name of the H-SLP root certificate as a string, in the format *name*.cer.
 **RootCertificate6/Data**
-Added in Windows 10, next major version. The base 64 encoded blob of the H-SLP root certificate.
+Added in Windows 10, version 1809. The base 64 encoded blob of the H-SLP root certificate.
 **V2UPL1**
 Required for V2 UPL for CDMA. Specifies the account settings for user plane location and IS-801 for CDMA. Only one account is supported at a given time.
diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md
index ec126158b6..2d75e82287 100644
--- a/windows/client-management/mdm/supl-ddf-file.md
+++ b/windows/client-management/mdm/supl-ddf-file.md
@@ -19,7 +19,7 @@ This topic shows the OMA DM device description framework (DDF) for the **SUPL**
 Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is for Windows 10, next major version.
+The XML below is for Windows 10, version 1809.
 ``` syntax
diff --git a/windows/client-management/mdm/tenantlockdown-csp.md b/windows/client-management/mdm/tenantlockdown-csp.md
index 43449f403a..a52598d88f 100644
--- a/windows/client-management/mdm/tenantlockdown-csp.md
+++ b/windows/client-management/mdm/tenantlockdown-csp.md
@@ -12,7 +12,7 @@ ms.date: 08/13/2018
 # TenantLockdown CSP
 > [!WARNING]
-> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This CSP was added in Windows 10, next major version.
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. This CSP was added in Windows 10, version 1809.
 The TenantLockdown configuration service provider is used by the IT admin to lock a device to a tenant, which ensures that the device remains bound to the tenant in case of accidental or intentional resets or wipes.
diff --git a/windows/client-management/mdm/tenantlockdown-ddf.md b/windows/client-management/mdm/tenantlockdown-ddf.md
index 4c75123a3f..041e4c97ff 100644
--- a/windows/client-management/mdm/tenantlockdown-ddf.md
+++ b/windows/client-management/mdm/tenantlockdown-ddf.md
@@ -18,7 +18,7 @@ This topic shows the OMA DM device description framework (DDF) for the **TenantL
 Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is for Windows 10, next major version.
+The XML below is for Windows 10, version 1809.
 ``` syntax
diff --git a/windows/client-management/mdm/uefi-csp.md b/windows/client-management/mdm/uefi-csp.md
index ef549e1753..f434251f74 100644
--- a/windows/client-management/mdm/uefi-csp.md
+++ b/windows/client-management/mdm/uefi-csp.md
@@ -6,13 +6,16 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 02/01/2018
+ms.date: 10/02/2018
 ---
 # UEFI CSP
-The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1803.
+The UEFI configuration service provider (CSP) interfaces to UEFI's Device Firmware Configuration Interface (DFCI) to make BIOS configuration changes. This CSP was added in Windows 10, version 1809.
+
+> [!Note]
+> The UEFI CSP version published in Windows 10, version 1803 is replaced with this one (version 1809).
 The following diagram shows the UEFI CSP in tree format.
@@ -23,62 +26,102 @@ The following list describes the characteristics and parameters.
 **./Vendor/MSFT/Uefi**
 Root node.
-**UefiDeviceIdentifier**
-Retrieves XML from UEFI which describes the device identifier.
+**DeviceIdentifier**
+Retrieves XML from UEFI that describes the device identifier.
 Supported operation is Get.
-**IdentityInfo**
-Node for provisioned signers operations.
-
-
-**IdentityInfo/Current**
-Retrieves XML from UEFI which describes the current UEFI identity information.
+**Identity**
+Node for identity certificate operations.
 Supported operation is Get.
-**IdentityInfo/Apply**
-Apply an identity information package to UEFI. Input is the signed package in base64 encoded format.
-
-Supported operation is Replace.
-
-**IdentityInfo/ApplyResult**
-Retrieves XML describing the results of previous ApplyIdentityInfo operation.
+**Identity/Current**
+Retrieves XML from UEFI that describes the current UEFI identity certificate information.
 Supported operation is Get.
-**AuthInfo**
-Node for permission information operations.
+**Identity/Apply**
+Applies an identity information package to UEFI. Input is the signed package in base64 encoded format.
-**AuthInfo/Current**
-Retrieves XML from UEFI which describes the current UEFI permission/authentication information.
+Value type is Base64. Supported operation is Replace.
+
+**Identity/Result**
+Retrieves the binary result package of the previous Identity/Apply operation.
 Supported operation is Get.
-**AuthInfo/Apply**
-Apply a permission/authentication information package to UEFI. Input is the signed package in base64 encoded format.
+**Permissions**
+Node for settings permission operations..
-Supported operation is Replace.
-
-**AuthInfo/ApplyResult**
-Retrieves XML describing the results of previous ApplyAuthInfo operation.
+**Permissions/Current**
+Retrieves XML from UEFI that describes the current UEFI settings permissions.
 Supported operation is Get.
-**Config**
-Node for device configuration
+**Permissions/Apply**
+Apply a permissions information package to UEFI. Input is the signed package in base64 encoded format.
-**Config/Current**
-Retrieves XML from UEFI which describes the current UEFI configuration.
+Value type is Base64. Supported operation is Replace.
+
+**Permissions/Result**
+Retrieves the binary result package of the previous Permissions/Apply operation. This binary package contains XML describing the action taken for each individual permission.
 Supported operation is Get.
-**Config/Apply**
-Apply a configuration package to UEFI. Input is the signed package in base64 encoded format.
+**Settings**
+Node for device settings operations.
-Supported operation is Replace.
-
-**Config/ApplyResult**
-Retrieves XML describing the results of previous ApplyConfig operation.
+**Settings/Current**
+Retrieves XML from UEFI that describes the current UEFI settings.
 Supported operation is Get.
+
+**Settings/Apply**
+Apply a settings information package to UEFI. Input is the signed package in base64 encoded format.
+
+Value type is Base64. Supported operation is Replace.
+
+**Settings/Result**
+Retrieves the binary result package of the previous Settings/Apply operation. This binary package contains XML describing the action taken for each individual setting.
+
+Supported operation is Get.
+
+**Identity2**
+Node for identity certificate operations. Alternate endpoint for sending a second identity package without an OS restart.
+
+**Identity2/Apply**
+Apply an identity information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two identity packages in the same session.
+
+Value type is Base64. Supported operation is Replace.
+
+**Identity2/Result**
+Retrieves the binary result package of the previous Identity2/Apply operation.
+
+Supported operation is Get.
+
+**Permissions2**
+Node for settings permission operations. Alternate endpoint for sending a second permission package without an OS restart.
+
+**Permissions2/Apply**
+Apply a permissions information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two permissions information packages in the same session.
+
+Value type is Base64. Supported operation is Replace.
+
+**Permissions2/Result**
+Retrieves the binary result package from the previous Permissions2/Apply operation. This binary package contains XML describing the action taken for each individual permission.
+
+Supported operation is Get.
+
+**Settings2**
+Nodefor device settings operations. Alternate endpoint for sending a second settings package without an OS restart.
+
+**Settings2/Apply**
+Apply a settings information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two settings information packages in the same session.
+
+Value type is Base64. Supported operation is Replace.
+
+**Settings2/Result**
+Retrieves the binary result package of previous Settings2/Apply operation. This binary package contains XML describing the action taken for each individual setting.
+
+Supported operation is Get.
\ No newline at end of file
diff --git a/windows/client-management/mdm/uefi-ddf.md b/windows/client-management/mdm/uefi-ddf.md
index de67ae71b4..ddfe446519 100644
--- a/windows/client-management/mdm/uefi-ddf.md
+++ b/windows/client-management/mdm/uefi-ddf.md
@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: MariciaAlforque
-ms.date: 02/01/2018
+ms.date: 10/02/2018
 ---
 # UEFI DDF file
@@ -16,7 +16,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Uefi**
 Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download).
-The XML below is the current version for this CSP.
+The XML below is for Windows 10, version 1809.
 ``` syntax
@@ -32,6 +32,7 @@ The XML below is the current version for this CSP. + UEFI Firmware Configuration Service Provider. @@ -46,12 +47,12 @@ The XML below is the current version for this CSP. - UefiDeviceIdentifier + DeviceIdentifier - Retrieves XML from UEFI which describes the device identifier. + Retrieves XML from UEFI which contains the device identifier. @@ -61,21 +62,18 @@ The XML below is the current version for this CSP. - - - text/plain - IdentityInfo + Identity - Provisioned signers + Identity certificate operations. @@ -95,7 +93,7 @@ The XML below is the current version for this CSP. - Retrieves XML from UEFI which describes the current UEFI identity information + Retrieves XML from UEFI which describes the current UEFI identity certificate information. @@ -132,14 +130,14 @@ The XML below is the current version for this CSP. - ApplyResult + Result - Retrieves XML describing the results of previous ApplyIdentityInfo operation. + Retrieves the binary result package of the previous Identity/Apply operation. - + @@ -148,18 +146,18 @@ The XML below is the current version for this CSP. - text/plain + - AuthInfo + Permissions - Permission Information + Settings permission operations. @@ -179,7 +177,7 @@ The XML below is the current version for this CSP. - Retrieves XML from UEFI which describes the current UEFI permission/authentication information. + Retrieves XML from UEFI which describes the current UEFI settings permissions. @@ -200,7 +198,7 @@ The XML below is the current version for this CSP. - Apply a permission/authentication information package to UEFI. Input is the signed package in base64 encoded format. + Apply a permissions information package to UEFI. Input is the signed package in base64 encoded format. 
@@ -216,14 +214,14 @@ The XML below is the current version for this CSP. - ApplyResult + Result - Retrieves XML describing the results of previous ApplyAuthInfo operation. + Retrieves the binary result package of the previous Permissions/Apply operation. This binary package contains XML describing the action taken for each individual permission. - + @@ -232,18 +230,18 @@ The XML below is the current version for this CSP. - text/plain + - Config + Settings - Device Configuration + Device settings operations. @@ -263,7 +261,7 @@ The XML below is the current version for this CSP. - Retrieves XML from UEFI which describes the current UEFI configuration. + Retrieves XML from UEFI which describes the current UEFI settings. @@ -284,7 +282,7 @@ The XML below is the current version for this CSP. - Apply a configuration package to UEFI. Input is the signed package in base64 encoded format. + Apply a settings information package to UEFI. Input is the signed package in base64 encoded format. @@ -300,14 +298,14 @@ The XML below is the current version for this CSP. - ApplyResult + Result - Retrieves XML describing the results of previous ApplyConfig operation. + Retrieves the binary result package of the previous Settings/Apply operation. This binary package contains XML describing the action taken for each individual setting. - + 
@@ -316,7 +314,196 @@ The XML below is the current version for this CSP. - text/plain + + + + + + + Identity2 + + + + + Identity certificate operations. Alternate endpoint for sending a second identity package without an OS restart. + + + + + + + + + + + + + + + Apply + + + + + Apply an identity information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two identity packages in the same session. + + + + + + + + + + + + + + + + Result + + + + + Retrieves the binary result package of the previous Identity2/Apply operation. + + + + + + + + + + + + + + + + + Permissions2 + + + + + Settings permission operations. Alternate endpoint for sending a second permission package without an OS restart. + + + + + + + + + + + + + + + Apply + + + + + Apply a permissions information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two permissions information packages in the same session. + + + + + + + + + + + + + + + + Result + + + + + Retrieves the binary result package from the previous Permissions2/Apply operation. This binary package contains XML describing the action taken for each individual permission. + + + + + + + + + + + + + + + + + Settings2 + + + + + Device settings operations. Alternate endpoint for sending a second settings package without an OS restart. + + + + + + + + + + + + + + + Apply + + + + + Apply a settings information package to UEFI. Input is the signed package in base64 encoded format. Alternate location for sending two settings information packages in the same session. + + + + + + + + + + + + + + + + Result + + + + + Retrieves the binary result package of previous Settings2/Apply operation. This binary package contains XML describing the action taken for each individual setting. + + + + + + + + + + + diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index ef75fa6755..cce5885ca9 100644 
--- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -97,7 +97,7 @@ Added in Windows 10, version 1607. Optional. When set to true it enables Web Pr Value type is bool. **WiFiCost** -Added in Windows 10, next major version. Optional. This policy sets the cost of WLAN connection for the Wi-Fi profile. Default behaviour: Unrestricted. +Added in Windows 10, version 1809. Optional. This policy sets the cost of WLAN connection for the Wi-Fi profile. Default behaviour: Unrestricted. Supported values: diff --git a/windows/client-management/mdm/wifi-ddf-file.md b/windows/client-management/mdm/wifi-ddf-file.md index a4ec65ad3c..d09ff0684c 100644 --- a/windows/client-management/mdm/wifi-ddf-file.md +++ b/windows/client-management/mdm/wifi-ddf-file.md @@ -17,7 +17,7 @@ ms.date: 06/28/2018 This topic shows the OMA DM device description framework (DDF) for the **WiFi** configuration service provider. DDF files are used only with OMA DM provisioning XML. -The XML below is for Windows 10, next major version. +The XML below is for Windows 10, version 1809. ``` syntax diff --git a/windows/client-management/mdm/win32compatibilityappraiser-csp.md b/windows/client-management/mdm/win32compatibilityappraiser-csp.md index 5718fd4b66..d519cb965d 100644 --- a/windows/client-management/mdm/win32compatibilityappraiser-csp.md +++ b/windows/client-management/mdm/win32compatibilityappraiser-csp.md 
@@ -14,7 +14,7 @@ ms.date: 07/19/2018 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telementry health. This CSP was added in Windows 10, next major version. +The Win32CompatibilityAppraiser configuration service provider enables the IT admin to query the current status of the Appraiser and UTC telementry health. This CSP was added in Windows 10, version 1809. The following diagram shows the Win32CompatibilityAppraiser configuration service provider in tree format. diff --git a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md index 9b8a7d81c5..1b6e03919f 100644 --- a/windows/client-management/mdm/win32compatibilityappraiser-ddf.md +++ b/windows/client-management/mdm/win32compatibilityappraiser-ddf.md @@ -18,7 +18,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Win32Co Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is for Windows 10, next major version. +The XML below is for Windows 10, version 1809. ``` syntax diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md index 6f359562af..b0bf8c6cf3 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-csp.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/02/2018 +ms.date: 09/10/2018 --- # WindowsDefenderApplicationGuard CSP 
@@ -14,7 +14,7 @@ ms.date: 08/02/2018 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in the Application Guard. This CSP was added in Windows 10, version 1709. +The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Windows Defender Application Guard. This CSP was added in Windows 10, version 1709. The following diagram shows the WindowsDefenderApplicationGuard configuration service provider in tree format. @@ -107,7 +107,7 @@ Placeholder for future use. Do not use in production code. Placeholder for future use. Do not use in production code. **Settings/CertificateThumbprints** -Added in Windows 10, next major version. This policy setting allows certain Root Certificates to be shared with the Windows Defender Application Guard container. +Added in Windows 10, version 1809. This policy setting allows certain Root Certificates to be shared with the Windows Defender Application Guard container. Value type is string. Supported operations are Add, Get, Replace, and Delete. 
@@ -118,7 +118,7 @@ Example: b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a If you disable or don’t configure this setting, certificates are not shared with the Windows Defender Application Guard container. **Settings/AllowCameraMicrophoneRedirection** -Added in Windows 10, next major version. The policy allows you to determine whether applications inside Windows Defender Application Guard can access the device’s camera and microphone when these settings are enabled on the user’s device. +Added in Windows 10, version 1809. The policy allows you to determine whether applications inside Windows Defender Application Guard can access the device’s camera and microphone when these settings are enabled on the user’s device. Value type is integer. Supported operations are Add, Get, Replace, and Delete. 
@@ -132,12 +132,12 @@ If you disable or don't configure this policy, applications inside Windows Defen **Status** Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Value type is integer. Supported operation is Get. -Bit 0 - Set to 1 when WDAG is enabled into enterprise manage mode -Bit 1 - Set to 1 when the client machine is Hyper-V capable -Bit 2 - Set to 1 when the client machine has a valid OS license and SKU -Bit 3 - Set to 1 when WDAG installed on the client machine -Bit 4 - Set to 1 when required Network Isolation Policies are configured -Bit 5 - Set to 1 when the client machine meets minimum hardware requirements +- Bit 0 - Set to 1 when WDAG is enabled into enterprise manage mode +- Bit 1 - Set to 1 when the client machine is Hyper-V capable +- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU +- Bit 3 - Set to 1 when WDAG installed on the client machine +- Bit 4 - Set to 1 when required Network Isolation Policies are configured +- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements **InstallWindowsDefenderApplicationGuard** Initiates remote installation of Application Guard feature. Supported operations are Get and Execute. diff --git a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md index dfda523b86..eff9174d89 100644 --- a/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md +++ b/windows/client-management/mdm/windowsdefenderapplicationguard-ddf-file.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 08/02/2018 +ms.date: 09/10/2018 --- # WindowsDefenderApplicationGuard DDF file 
@@ -18,9 +18,9 @@ This topic shows the OMA DM device description framework (DDF) for the **Windows Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -This XML is for Windows 10, next major version. +This XML is for Windows 10, version 1809. -``` syntax +```xml **SMode/SwitchingPolicy** -Added in Windows 10, next major version. Determines whether a consumer can switch the device out of S mode. This setting is only applicable to devices available in S mode. For examples, see [Add S mode SwitchingPolicy](#smode-switchingpolicy-add), [Get S mode SwitchingPolicy](#smode-switchingpolicy-get), [Replace S mode SwitchingPolicy](#smode-switchingpolicy-replace) and [Delete S mode SwitchingPolicy](#smode-switchingpolicy-delete) +Added in Windows 10, version 1809. Determines whether a consumer can switch the device out of S mode. This setting is only applicable to devices available in S mode. For examples, see [Add S mode SwitchingPolicy](#smode-switchingpolicy-add), [Get S mode SwitchingPolicy](#smode-switchingpolicy-get), [Replace S mode SwitchingPolicy](#smode-switchingpolicy-replace) and [Delete S mode SwitchingPolicy](#smode-switchingpolicy-delete) Value type is integer. Supported operations are Add, Get, Replace, and Delete. 
@@ -173,12 +173,12 @@ Supported values: - 1 - User Blocked: The admin has blocked the user from switching their device out of S mode. Only the admin can switch the device out of S mode through the SMode/SwitchFromSMode node. **SMode/SwitchFromSMode** -Added in Windows 10, next major version. Switches a device out of S mode if possible. Does not reboot. For an example, see [Execute SwitchFromSMode](#smode-switchfromsmode-execute) +Added in Windows 10, version 1809. Switches a device out of S mode if possible. Does not reboot. For an example, see [Execute SwitchFromSMode](#smode-switchfromsmode-execute) Supported operation is Execute. **SMode/Status** -Added in Windows 10, next major version. Returns the status of the latest SwitchFromSMode set request. For an example, see [Get S mode status](#smode-status-example) +Added in Windows 10, version 1809. Returns the status of the latest SwitchFromSMode set request. For an example, see [Get S mode status](#smode-status-example) Value type is integer. Supported operation is Get. diff --git a/windows/client-management/mdm/windowslicensing-ddf-file.md b/windows/client-management/mdm/windowslicensing-ddf-file.md index 8da5c10b5c..c96286763c 100644 --- a/windows/client-management/mdm/windowslicensing-ddf-file.md +++ b/windows/client-management/mdm/windowslicensing-ddf-file.md @@ -19,7 +19,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Windows Looking for the DDF XML files? See [CSP DDF files download](configuration-service-provider-reference.md#csp-ddf-files-download). -The XML below is for Windows 10, next major version. +The XML below is for Windows 10, version 1809. ``` syntax diff --git a/windows/client-management/mdm/wirednetwork-csp.md b/windows/client-management/mdm/wirednetwork-csp.md index 6a06c59879..641b29babc 100644 --- a/windows/client-management/mdm/wirednetwork-csp.md +++ b/windows/client-management/mdm/wirednetwork-csp.md 
@@ -14,7 +14,7 @@ ms.date: 06/27/2018 > [!WARNING] > Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. -The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that do not have GP to enable them to access corporate Internet over ethernet. This CSP was added in Windows 10, next major version. +The WiredNetwork configuration service provider (CSP) is used by the enterprise to configure wired Internet on devices that do not have GP to enable them to access corporate Internet over ethernet. This CSP was added in Windows 10, version 1809. The following diagram shows the WiredNetwork configuration service provider in tree format. diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md index f0a6f2503a..af4f71427d 100644 --- a/windows/configuration/TOC.md +++ b/windows/configuration/TOC.md @@ -7,6 +7,7 @@ ### [Set up a single-app kiosk](kiosk-single-app.md) ### [Set up a multi-app kiosk](lock-down-windows-10-to-specific-apps.md) ### [More kiosk methods and reference information](kiosk-additional-reference.md) +#### [Find the Application User Model ID of an installed app](find-the-application-user-model-id-of-an-installed-app.md) #### [Validate your kiosk configuration](kiosk-validate.md) #### [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) #### [Policies enforced on kiosk devices](kiosk-policies.md) 
@@ -26,18 +27,17 @@
 ### [Product IDs in Windows 10 Mobile](mobile-devices/product-ids-in-windows-10-mobile.md)
 ### [Start layout XML for mobile editions of Windows 10 (reference)](mobile-devices/start-layout-xml-mobile.md)
 ## [Configure cellular settings for tablets and PCs](provisioning-apn.md)
-## [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md)
-### [Configure Windows Spotlight on the lock screen](windows-spotlight.md)
-### [Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions](manage-tips-and-suggestions.md)
-### [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
-#### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
-#### [Customize and export Start layout](customize-and-export-start-layout.md)
-#### [Add image for secondary tiles](start-secondary-tiles.md)
-#### [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
-#### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
-#### [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
-#### [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
-#### [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
+## [Configure Windows Spotlight on the lock screen](windows-spotlight.md)
+## [Manage Windows 10 and Microsoft Store tips, "fun facts", and suggestions](manage-tips-and-suggestions.md)
+## [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md)
+### [Configure Windows 10 taskbar](configure-windows-10-taskbar.md)
+### [Customize and export Start layout](customize-and-export-start-layout.md)
+### [Add image for secondary tiles](start-secondary-tiles.md)
+### [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md)
+### [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md)
+### [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md)
+### [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md)
+### [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md)
 ## [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md)
 ### [Testing scenarios using Cortana in your business or organization](cortana-at-work/cortana-at-work-testing-scenarios.md)
 #### [Test scenario 1 - Sign-in to Azure AD and use Cortana to manage the notebook](cortana-at-work/cortana-at-work-scenario-1.md)
@@ -69,10 +69,10 @@
 ### [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-packages/provisioning-powershell.md)
 ### [Windows Configuration Designer command-line interface (reference)](provisioning-packages/provisioning-command-line.md)
 ### [Windows Configuration Designer provisioning settings (reference)](wcd/wcd.md)
+#### [Changes to settings in Windows Configuration Designer](wcd/wcd-changes.md)
 #### [AccountManagement](wcd/wcd-accountmanagement.md)
 #### [Accounts](wcd/wcd-accounts.md)
 #### [ADMXIngestion](wcd/wcd-admxingestion.md)
-#### [ApplicationManagement](wcd/wcd-applicationmanagement.md)
 #### [AssignedAccess](wcd/wcd-assignedaccess.md)
 #### [AutomaticTime](wcd/wcd-automatictime.md)
 #### [Browser](wcd/wcd-browser.md)
@@ -98,8 +98,10 @@ #### [Folders](wcd/wcd-folders.md) #### [HotSpot](wcd/wcd-hotspot.md) #### [InitialSetup](wcd/wcd-initialsetup.md) -#### [InternetExplorer](wcd/wcd-internetexplorer.md) -#### [Licensing](wcd/wcd-licensing.md) +#### [InternetExplorer](wcd/wcd-internetexplorer.md) +#### [KioskBrowser](wcd/wcd-kioskbrowser.md) +#### [Licensing](wcd/wcd-licensing.md) +#### [Location](wcd/wcd-location.md) #### [Maps](wcd/wcd-maps.md) #### [Messaging](wcd/wcd-messaging.md) #### [ModemConfigurations](wcd/wcd-modemconfigurations.md) diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 6ec85f01c1..3483fedd7a 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -10,13 +10,26 @@ ms.localizationpriority: medium author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 08/03/2018 +ms.date: 10/02/2018 --- # Change history for Configure Windows 10 This topic lists new and updated topics in the [Configure Windows 10](index.md) documentation for Windows 10 and Windows 10 Mobile. +## RELEASE: Windows 10, version 1809 + +The topics in this library have been updated for Windows 10, version 1809. The following new topic has been added: + +- [Changes to settings in Windows Configuration Designer](wcd/wcd-changes.md) + +## September 2018 + +New or changed topic | Description +--- | --- +[Find the Application User Model ID of an installed app](find-the-application-user-model-id-of-an-installed-app.md) | New +[Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) | Add required order of elements in XML. + ## August 2018 New or changed topic | Description diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md index c21dc8b651..d03fac5bee 100644 
--- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md @@ -30,9 +30,9 @@ To enable voice commands in Cortana Cortana can perform actions on apps in the foreground (taking focus from Cortana) or in the background (allowing Cortana to keep focus). We recommend that you decide where an action should happen, based on what your voice command is intended to do. For example, if your voice command requires employee input, it’s best for that to happen in the foreground. However, if the app only uses basic commands and doesn’t require interaction, it can happen in the background. - - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Activate a foreground app with voice commands through Cortana](https://docs.microsoft.com/cortana/voicecommands/launch-a-foreground-app-with-voice-commands-in-cortana). + - **Start Cortana with focus on your app, using specific voice-enabled statements.** [Activate a foreground app with voice commands through Cortana](https://docs.microsoft.com/en-us/cortana/voice-commands/launch-a-foreground-app-with-voice-commands-in-cortana). - - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](https://docs.microsoft.com/cortana/voicecommands/launch-a-background-app-with-voice-commands-in-cortana). + - **Start Cortana removing focus from your app, using specific voice-enabled statements.** [Activate a background app in Cortana using voice commands](https://docs.microsoft.com/en-us/cortana/voice-commands/launch-a-background-app-with-voice-commands-in-cortana). 2. **Install the VCD file on employees' devices**. You can use System Center Configuration Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization. 
@@ -61,4 +61,4 @@ While these aren't line-of-business apps, we've worked to make sure to implement Cortana changes, letting you provide your trip details for Uber. ## See also -- [Cortana for developers](https://go.microsoft.com/fwlink/?LinkId=717385) \ No newline at end of file +- [Cortana for developers](https://go.microsoft.com/fwlink/?LinkId=717385) diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index 4c3a24a318..fbea8c5ef0 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -10,7 +10,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 10/16/2017 +ms.date: 09/18/2018 --- # Customize and export Start layout @@ -132,6 +132,8 @@ When you have the Start layout that you want your users to see, use the [Export-
      +3. (Optional) Edit the .xml file to add [a taskbar configuration](configure-windows-10-taskbar.md) or to [modify the exported layout](start-layout-xml-desktop.md). When you make changes to the exported layout, be aware that [the order of the elements in the .xml file are critical.](start-layout-xml-desktop.md#required-order) + >[!IMPORTANT] >If the Start layout that you export contains tiles for desktop (Win32) apps or .url links, **Export-StartLayout** will use **DesktopApplicationLinkPath** in the resulting file. Use a text or XML editor to change **DesktopApplicationLinkPath** to **DesktopApplicationID**. See [Specify Start tiles](start-layout-xml-desktop.md#specify-start-tiles) for details on using the app ID in place of the link path. diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md new file mode 100644 index 0000000000..9234ee8d90 --- /dev/null +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md 
@@ -0,0 +1,95 @@
+---
+title: Find the Application User Model ID of an installed app
+description: In order to use assigned access with Mobile Device Management (MDM), you must know the Application User Model ID (AUMID) of Microsoft Store apps installed on a device. You can find the AUMID by either using Windows PowerShell or querying the registry.
+MSHAttr:
+- 'PreferredSiteName:MSDN'
+- 'PreferredLib:/library/windows/hardware'
+ms.assetid: BD8BD003-887D-4EFD-9C7A-A68AB895D8CD
+author: alhopper-msft
+ms.author: alhopper
+ms.date: 05/02/2017
+ms.topic: article
+ms.prod: windows-hardware
+ms.technology: windows-oem
+---
+# Find the Application User Model ID of an installed app
+
+In order to use assigned access with Mobile Device Management (MDM), you must know the Application User Model ID (AUMID) of Microsoft Store apps installed on a device. You can find the AUMID by either using Windows PowerShell or querying the registry.
+
+## To identify the AUMID of an installed app by using Windows PowerShell
+
+At a Windows PowerShell command prompt, type the following commands to list the AUMIDs for all Microsoft Store apps installed for the current user on your device:
+
+```powershell
+$installedapps = get-AppxPackage
+
+$aumidList = @()
+foreach ($app in $installedapps)
+{
+ foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id)
+ {
+ $aumidList += $app.packagefamilyname + "!" + $id
+ }
+}
+
+$aumidList
+```
+
+You can add the –user <username> or the –allusers parameters to the get-AppxPackage cmdlet to list AUMIDs for other users. You must use an elevated Windows PowerShell prompt to use the –user or –allusers parameters.
+
+## To identify the AUMID of an installed app for the current user by using the registry
+
+Querying the registry can only return information about Microsoft Store apps that are installed for the current user, while the Windows PowerShell query can find information for any account on the device.
+
+At a command prompt, type the following command:
+
+`reg query HKEY_CURRENT_USER\Software\Classes\ActivatableClasses\Package /s /f AppUserModelID | find "REG_SZ"`
+
+## Example
+
+The following code sample creates a function in Windows PowerShell that returns an array of AUMIDs of the installed apps for the specified user.
+
+```powershell
+function listAumids( $userAccount ) {
+
+ if ($userAccount -eq "allusers")
+ {
+ # Find installed packages for all accounts. Must be run as an administrator in order to use this option.
+ $installedapps = Get-AppxPackage -allusers
+ }
+ elseif ($userAccount)
+ {
+ # Find installed packages for the specified account. Must be run as an administrator in order to use this option.
+ $installedapps = get-AppxPackage -user $userAccount
+ }
+ else
+ {
+ # Find installed packages for the current account.
+ $installedapps = get-AppxPackage
+ }
+
+ $aumidList = @()
+ foreach ($app in $installedapps)
+ {
+ foreach ($id in (Get-AppxPackageManifest $app).package.applications.application.id)
+ {
+ $aumidList += $app.packagefamilyname + "!" + $id
+ }
+ }
+
+ return $aumidList
+}
+```
+
+The following Windows PowerShell commands demonstrate how you can call the listAumids function after you have created it.
+
+```powershell
+# Get a list of AUMIDs for the current account:
+listAumids
+
+# Get a list of AUMIDs for an account named “CustomerAccount”:
+listAumids(“CustomerAccount”)
+
+# Get a list of AUMIDs for all accounts on the device:
+listAumids(“allusers”)
+```
diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md
index eff3c3a789..06a64d0755 100644
--- a/windows/configuration/guidelines-for-assigned-access-app.md
+++ b/windows/configuration/guidelines-for-assigned-access-app.md
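Review bot: In the new find-the-application-user-model-id-of-an-installed-app.md, the `<username>` placeholder in the sentence "You can add the –user <username> or the –allusers parameters" sits outside a code span, so a Markdown renderer is likely to treat it as an HTML tag and drop it from the page. The same sentence and the sample calls use typographic characters (en dashes and curly quotes) in text that readers will paste into an elevated prompt. I would write the parameters as code with ASCII hyphens, `-user <username>` and `-allusers`, and the calls with ASCII quotes and normal PowerShell argument syntax, `listAumids "CustomerAccount"` and `listAumids "allusers"`. The function also treats the literal string "allusers" as a switch, so a local account with that name cannot be queried on its own; a one-line comment saying so would help. The front matter values `ms.date: 05/02/2017` and `ms.prod: windows-hardware` look carried over from another doc set and are worth confirming for a file added in this commit.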
@@ -9,7 +9,7 @@ author: jdeckerms ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 08/15/2018 +ms.date: 10/02/2018 --- # Guidelines for choosing an app for assigned access (kiosk mode) 
@@ -43,17 +43,19 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t ## Guidelines for web browsers -In Windows 10, version 1803, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. +In Windows 10, version 1809, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) + +In Windows 10, version 1803 and later, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. >[!NOTE] ->Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. +>Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. Kiosk Browser does not support .pdfs. **Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. 
You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education). 1. [Get **Kiosk Browser** in Microsoft Store for Business with offline license type.](https://docs.microsoft.com/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps) 2. [Deploy **Kiosk Browser** to kiosk devices.](https://docs.microsoft.com/microsoft-store/distribute-offline-apps) -3. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](provisioning-packages/provisioning-create-package.md). +3. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](provisioning-packages/provisioning-create-package.md). In Windows Configuration Designer, the settings are located in **Policies > KioskBrowser** when you select advanced provisioning for Windows desktop editions. >[!NOTE] >If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE). @@ -134,8 +136,6 @@ Entry | Result ### Other browsers ->[!NOTE] ->Microsoft Edge and any third-party web browsers that can be set as a default browser have special permissions beyond that of most Windows apps. Microsoft Edge is not currently supported for assigned access. You can create your own web browser Windows app by using the WebView class. Learn more about developing your own web browser app: diff --git a/windows/configuration/index.md b/windows/configuration/index.md index 11ec530a2c..b64b47fabf 100644 --- a/windows/configuration/index.md 
+++ b/windows/configuration/index.md @@ -26,7 +26,9 @@ Enterprises often need to apply custom configurations to devices for their users | [Configure kiosk and digital signage devices running Windows 10 desktop editions](kiosk-methods.md) | These topics help you configure Windows 10 devices to run as a kiosk device. | | [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md) | These topics help you configure the features and apps and Start screen for a device running Windows 10 Mobile, as well as how to configure a kiosk device that runs a single app. | | [Configure cellular settings for tablets and PCs](provisioning-apn.md) | Enterprises can provision cellular settings for tablets and PC with built-in cellular modems or plug-in USB modem dongles. | -| [Configure Start, taskbar, and lock screen](start-taskbar-lockscreen.md) | A standard, customized Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. Configuring the taskbar allows the organization to pin useful apps for their employees and to remove apps that are pinned by default. | +| [Windows Spotlight on the lock screen](windows-spotlight.md) | Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen.

      **Note:** You can also use the [Personalization CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/personalization-csp) settings to set lock screen and desktop background images. | +| [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) | Options to manage the tips, tricks, and suggestions offered by Windows and Microsoft Store. | +| [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Pro, Enterprise, or Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. | | [Cortana integration in your business or enterprise](cortana-at-work/cortana-at-work-overview.md) | The world’s first personal digital assistant helps users get things done, even at work. Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments. | | [Configure access to Microsoft Store](stop-employees-from-using-the-windows-store.md) | IT Pros can configure access to Microsoft Store for client computers in their organization. For some organizations, business policies require blocking access to Microsoft Store. | | [Accessibility information for IT Pros](windows-10-accessibility-for-ITPros.md) | Windows 10 includes accessibility features that benefit all users. These features make it easier to customize the computer and give users with different abilities options to improve their experience with Windows. This topic helps IT administrators learn about built-in accessibility features. | diff --git a/windows/configuration/kiosk-additional-reference.md b/windows/configuration/kiosk-additional-reference.md index 8260c569cf..9675c42d2c 100644 --- a/windows/configuration/kiosk-additional-reference.md 
+++ b/windows/configuration/kiosk-additional-reference.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium -ms.date: 07/30/2018 +ms.date: 09/13/2018 --- # More kiosk methods and reference information @@ -23,7 +23,8 @@ ms.date: 07/30/2018 Topic | Description --- | --- -[Validate your kiosk configuration](kiosk-validate.md) | This topic explain what to expect on a multi-app kiosk. +[Find the Application User Model ID of an installed app](find-the-application-user-model-id-of-an-installed-app.md) | This topic explains how to get the AUMID for an app. +[Validate your kiosk configuration](kiosk-validate.md) | This topic explains what to expect on a multi-app kiosk. [Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | These guidelines will help you choose an appropriate Windows app for your assigned access experience. [Policies enforced on kiosk devices](kiosk-policies.md) | Learn about the policies enforced on a device when you configure it as a kiosk. [Assigned access XML reference](kiosk-xml.md) | The XML and XSD for kiosk device configuration. diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md index 1a38681d7c..346ce64c96 100644 --- a/windows/configuration/kiosk-prepare.md +++ b/windows/configuration/kiosk-prepare.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium -ms.date: 07/30/2018 +ms.date: 10/02/2018 --- # Prepare a device for kiosk configuration @@ -28,7 +28,8 @@ For a more secure kiosk experience, we recommend that you make the following con Recommendation | How to --- | --- -Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:

      `HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled`

      [Learn how to modify the Windows registry](https://go.microsoft.com/fwlink/p/?LinkId=615002)

      You must restart the device after changing the registry. +Hide update notifications
      (New in Windows 10, version 1809) | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**
      -or-
      Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)
      -or-
      Add the following registry keys as DWORD (32-bit) type:
      `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\UpdateNotificationLevel` with a value of `1`, and `HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\SetUpdateNotificationLevel` with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings. +Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:

      `HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled` Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign. Hide **Ease of access** feature on the sign-in screen. | Go to **Control Panel** > **Ease of Access** > **Ease of Access Center**, and turn off all accessibility tools. Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**. @@ -37,6 +38,8 @@ Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, a Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**. Disable removable media. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.

      **NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**. +## Automatic logon + In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in. >[!TIP] @@ -74,7 +77,151 @@ In addition to the settings in the table, you may want to set up **automatic log >You can also configure automatic sign-in [using the Autologon tool from Sysinternals](https://docs.microsoft.com/sysinternals/downloads/autologon). - +## Interactions and interoperability + +The following table describes some features that have interoperability issues we recommend that you consider when running assigned access. + +> [!Note] +> Where applicable, the table notes which features are optional that you can configure for assigned access. + + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      FeatureDescription

      Accessibility

      Assigned access does not change Ease of Access settings.

      +

      We recommend that you use [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) to block the following key combinations that bring up accessibility features:

      + ++++ + + + + + + + + + + + + + + + + + + + + +
      Key combinationBlocked behavior

      Left Alt+Left Shift+Print Screen

      Open High Contrast dialog box.

      Left Alt+Left Shift+Num Lock

      Open Mouse Keys dialog box.

      Windows logo key+U

      Open Ease of Access Center.

      +

       

      Assigned access Windows PowerShell cmdlets

      In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see [Assigned access Windows PowerShell reference](https://docs.microsoft.com/powershell/module/assignedaccess/?view=win10-ps).

      Key sequences blocked by assigned access

      When in assigned access, some key combinations are blocked for assigned access users.

      +

      Alt+F4, Alt+Shift+TaB, Alt+Tab are not blocked by Assigned Access, it is recommended you use [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) to block these key combinations.

      +

      Ctrl+Alt+Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in [WEKF_Settings](https://docs.microsoft.com/windows-hardware/customize/enterprise/wekf-settings).

      + ++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
      Key combinationBlocked behavior for assigned access users

      Alt+Esc

      Cycle through items in the reverse order from which they were opened.

      Ctrl+Alt+Esc

      Cycle through items in the reverse order from which they were opened.

      Ctrl+Esc

      Open the Start screen.

      Ctrl+F4

      Close the window.

      Ctrl+Shift+Esc

      Open Task Manager.

      Ctrl+Tab

      Switch windows within the application currently open.

      LaunchApp1

      Open the app that is assigned to this key.

      LaunchApp2

      Open the app that is assigned to this key, which on many Microsoft keyboards is Calculator.

      LaunchMail

      Open the default mail client.

      Windows logo key

      Open the Start screen.

      +

       

      +

      Keyboard Filter settings apply to other standard accounts.

      Key sequences blocked by [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter)

      If Keyboard Filter is turned ON then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) reference topic.

      +

      [Keyboard Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows 10 Enterprise or Windows 10 Education.

      +

      Power button

      Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user cannot turn off the device when it is in assigned access.

      +

      For more information on removing the power button or disabling the physical power button, see [Custom Logon](https://docs.microsoft.com/windows-hardware/customize/enterprise/custom-logon).

      Unified Write Filter (UWF)

      UWFsettings apply to all users, including those with assigned access.

      +

      For more information, see [Unified Write Filter](https://docs.microsoft.com/windows-hardware/customize/enterprise/unified-write-filter).

      WEDL_AssignedAccess class

      Although you can use this class to configure and manage basic lockdown features for assigned access, we recommend that you use the Windows PowerShell cmdlets instead.

      +

      If you need to use assigned access API, see [WEDL_AssignedAccess](whttps://docs.microsoft.com/windows-hardware/customize/enterprise/wedl-assignedaccess).

      Welcome Screen

      Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own.

      +

      For more information, see [Custom Logon](https://docs.microsoft.com/windows-hardware/customize/enterprise/custom-logon).

      diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md index 30bb50f7de..e8e0ea4793 100644 --- a/windows/configuration/kiosk-shelllauncher.md +++ b/windows/configuration/kiosk-shelllauncher.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium -ms.date: 07/30/2018 +ms.date: 10/01/2018 --- # Use Shell Launcher to create a Windows 10 kiosk 
@@ -25,11 +25,19 @@ ms.date: 07/30/2018 Using Shell Launcher, you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. >[!NOTE] +>Using the Shell Launcher controls which application the user sees as the shell after sign-in. It does not prevent the user from accessing other desktop applications and system components. +> +>Methods of controlling access to other desktop applications and system components can be used in addition to using the Shell Launcher. These methods include, but are not limited to: +>- [Group Policy](https://www.microsoft.com/download/details.aspx?id=25250) - example: Prevent access to registry editing tools +>- [AppLocker](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview) - Application control policies +>- [Mobile Device Management](https://docs.microsoft.com/windows/client-management/mdm) - Enterprise management of device security policies +> >You can also configure a kiosk device that runs a Windows desktop application by using the [Provision kiosk devices wizard](#wizard). >[!WARNING] ->- Windows 10 doesn’t support setting a custom shell prior to OOBE. If you do, you won’t be able to deploy the resulting image. ->- Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. 
+>Windows 10 doesn’t support setting a custom shell prior to the out-of-box-experience (OOBE). If you do, you won’t be able to deploy the resulting image. +> +>Shell Launcher doesn't support a custom shell with an application that launches a different process and exits. For example, you cannot specify **write.exe** in Shell Launcher. Shell Launcher launches a custom shell and monitors the process to identify when the custom shell exits. **Write.exe** creates a 32-bit wordpad.exe process and exits. Because Shell Launcher is not aware of the newly created wordpad.exe process, Shell Launcher will take action based on the exit code of **Write.exe**, such as restarting the custom shell. ### Requirements diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index dc55bd5004..9f16d7bc3b 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium -ms.date: 07/30/2018 +ms.date: 10/02/2018 --- # Set up a single-app kiosk @@ -28,7 +28,7 @@ You have several options for configuring your single-app kiosk. Method | Description --- | --- -[Assigned access in Settings](#local) | The **Assigned Access** option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.

      This method is supported on Windows 10 Pro, Enterprise, and Education. +[Locally, in Settings](#local) | The **Set up a kiosk** (previously named **Set up assigned access**) option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account.

      This method is supported on Windows 10 Pro, Enterprise, and Education. [PowerShell](#powershell) | You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.

      This method is supported on Windows 10 Pro, Enterprise, and Education. [The kiosk wizard in Windows Configuration Designer](#wizard) | Windows Configuration Designer is a tool that produces a *provisioning package*, which is a package of configuration settings that can be applied to one or more devices during the first-run experience (OOBE) or after OOBE is done (runtime). You can also create the kiosk user account and install the kiosk app, as well as other useful settings, using the kiosk wizard.

      This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education. [Microsoft Intune or other mobile device management (MDM) provider](#mdm) | For managed devices, you can use MDM to set up a kiosk configuration.

      This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education. 
@@ -48,7 +48,45 @@ Method | Description > >Account type: Local standard user -You can use **Settings** to quickly configure one or a few devices as a kiosk. When you set up a kiosk (also known as *assigned access*) in **Settings**, you must select a local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) +You can use **Settings** to quickly configure one or a few devices as a kiosk. + +When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. + +- If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do. + +- If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. + +![Screenshot of automatic sign-in setting](images/auto-signin.png) + +### Instructions for Windows 10, version 1809 + +When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1809, you create the kiosk user account at the same time. + +**To set up assigned access in PC settings** + +1. Go to **Start** > **Settings** > **Accounts** > **Other users**. + +2. 
Select **Set up a kiosk > Assigned access**, and then select **Get started**. + +3. Enter a name for the new account. + + >[!NOTE] + >If there are any local standard user accounts on the device already, the **Create an account** page will offer the option to **Choose an existing account**. + +4. Choose the app that will run when the kiosk account signs in. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md). If you select **Microsoft Edge** as the kiosk app, you configure the following options: + + - Whether Microsoft Edge should display your website full-screen (digital sign) or with some browser controls available (public browser) + - Which URL should be displayed when the kiosk accounts signs in + - When Microsoft Edge should restart after a period of inactivity (if you select to run as a public browser) + +5. Select **Close**. + +To remove assigned access, select the account tile on the **Set up a kiosk** page, and then select **Remove kiosk**. + + +### Instructions for Windows 10, version 1803 and earlier + +When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) ![The Set up assigned access page in Settings](images/kiosk-settings.png) @@ -56,7 +94,7 @@ You can use **Settings** to quickly configure one or a few devices as a kiosk. 1. Go to **Start** > **Settings** > **Accounts** > **Other people**. -2. Choose **Set up assigned access**. +2. Select **Set up assigned access**. 3. Choose an account. 
@@ -66,13 +104,7 @@ You can use **Settings** to quickly configure one or a few devices as a kiosk. To remove assigned access, choose **Turn off assigned access and sign out of the selected account**. -When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts. -- If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do. - -- If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device. - -![Screenshot of automatic sign-in setting](images/auto-signin.png) diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md index 9be99277a6..414773196e 100644 --- a/windows/configuration/kiosk-xml.md +++ b/windows/configuration/kiosk-xml.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 07/30/2018 +ms.date: 10/02/2018 ms.author: jdecker ms.topic: article --- @@ -24,11 +24,14 @@ ms.topic: article ## Full XML sample >[!NOTE] ->Updated for Windows 10, version 1803. +>Updated for Windows 10, version 1809. ```xml - + @@ -44,6 +47,9 @@ ms.topic: article + + + @@ -80,7 +86,7 @@ ms.topic: article - + 
@@ -117,7 +123,7 @@ ms.topic: article - + @@ -134,7 +140,6 @@ ms.topic: article - ``` ## Kiosk only sample XML @@ -142,6 +147,7 @@ ms.topic: article @@ -161,7 +167,7 @@ ms.topic: article ## XSD for AssignedAccess configuration XML >[!NOTE] ->Updated for Windows 10, version 1803. +>Updated for Windows 10, version 1809. ```xml @@ -170,136 +176,206 @@ ms.topic: article xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:default="http://schemas.microsoft.com/AssignedAccess/2017/config" + xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config" targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config" > - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` - - - - - - - - - - - - +## XSD schema for new elements in Windows 10, version 1809 - - - - - - - - - - +```xml + + - - - - - - - - - - + + + + + - - - - + + + - - - + + + + + - - - + - - - - - + - - - - - + - - - - - - - - - - - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - ``` \ No newline at end of file diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 7793d23b83..46423972f4 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: edu, security author: jdeckerms ms.localizationpriority: medium -ms.date: 07/30/2018 +ms.date: 10/02/2018 ms.author: jdecker ms.topic: article --- 
@@ -22,13 +22,17 @@ ms.topic: article - Windows 10 Pro, Enterprise, and Education -A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. In Windows 10, version 1803, you can also: +A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. + +The following table lists changes to multi-app kiosk in recent updates. + +New features and improvements | In update +--- | --- +- Configure [a single-app kiosk profile](#profile) in your XML file

      - Assign [group accounts to a config profile](#config-for-group-accounts)

      - Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 +- Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)

      - [Automatically launch an app](#allowedapps) when the user signs in

      - Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809

      **Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `http://schemas.microsoft.com/AssignedAccess/201810/config`. + -- Configure [a single-app kiosk profile](#profile) in your XML file. -- Assign [group accounts to a config profile](#config-for-group-accounts). -- Configure [an account to sign in automatically](#config-for-autologon-account). -The benefit of a kiosk with desktop that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. >[!WARNING] >The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access. @@ -100,11 +104,14 @@ Let's start by looking at the basic structure of the XML file. ![profile = app and config = account](images/profile-config.png) -You can start your file by pasting the following XML (or any other examples in this topic) into a XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this topic. +You can start your file by pasting the following XML (or any other examples in this topic) into a XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this topic. You can see a full sample version in the [Assigned access XML reference.](kiosk-xml.md) ```xml - + 
@@ -136,6 +143,8 @@ A lockdown profile section in the XML has the following entries:
 - [**AllowedApps**](#allowedapps)
+- [**FileExplorerNamespaceRestrictions**](#fileexplorernamespacerestrictions)
+
 - [**StartLayout**](#startlayout)
 - [**Taskbar**](#taskbar)
@@ -160,22 +169,22 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can ##### AllowedApps -**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. +**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. In Windows 10, version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in. -Based on the purpose of the kiosk device, define the list of applications that are allowed to run. This list can contain both UWP apps and desktop apps. When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. ->[!NOTE] ->You cannot manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](https://technet.microsoft.com/library/hh994629.aspx#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration. - For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or [get the AUMID from the Start Layout XML](#startlayout). - For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%). +- To configure the app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample). 
-Here are the predefined assigned access AppLocker rules for **UWP apps**: +When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**: 1. Default rule is to allow all users to launch the signed package apps. 2. The package app deny list is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This deny list will be used to prevent the user from accessing the apps which are currently available for the user but not in the allowed list. >[!NOTE] + >You cannot manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](https://technet.microsoft.com/library/hh994629.aspx#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration. + > >Multi-app kiosk mode doesn’t block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the deny list. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list. Here are the predefined assigned access AppLocker rules for **desktop apps**: 
@@ -184,8 +193,9 @@ Here are the predefined assigned access AppLocker rules for **desktop apps**: 2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list that you defined in the multi-app configuration. 3. Enterprise-defined allowed desktop apps are added in the AppLocker allow list. -The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device. +The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in. + ```xml @@ -195,11 +205,41 @@ The following example allows Groove Music, Movies & TV, Photos, Weather, Calcula - + ``` +##### FileExplorerNamespaceRestrictions + +Starting in Windows 10, version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported. + +The following example shows how to allow user access to the Downloads folder in the common file dialog box. + +```xml + + + + + + ... + + + + + + + ... + + + + + +``` + ##### StartLayout After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen. 
@@ -297,7 +337,8 @@ You can assign: When you use `` and the configuration is applied to a device, the specified account (managed by Assigned Access) is created on the device as a local standard user account. The specified account is signed in automatically after restart. -On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).) + +The following example shows how to specify an account to sign in automatically. ```xml 
@@ -308,8 +349,22 @@ On domain-joined devices, local user accounts aren't shown on the sign-in screen ``` +In Windows 10, version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World". + +```xml + + + + + + +``` + +On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).) + + >[!IMPORTANT] ->When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows}(https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). +>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). ##### Config for individual accounts diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md index 4783fe006b..a4e515d653 100644 --- a/windows/configuration/set-up-shared-or-guest-pc.md +++ b/windows/configuration/set-up-shared-or-guest-pc.md 
@@ -9,7 +9,7 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 07/27/2017 +ms.date: 10/02/2018 --- # Set up a shared or guest PC with Windows 10 @@ -76,6 +76,7 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re | Customization: SetPowerPolicies | When set as **True**:
      - Prevents users from changing power settings
      - Turns off hibernate
      - Overrides all power state transitions to sleep (e.g. lid close) | | Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. | | Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. | +[Policies: Authentication](wcd/wcd-policies.md#authentication) (optional related setting) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts. ##Configuring shared PC mode on Windows diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md index d5ea73a4a8..0b0e15e263 100644 --- a/windows/configuration/setup-digital-signage.md +++ b/windows/configuration/setup-digital-signage.md @@ -8,7 +8,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: jdeckerms ms.localizationpriority: medium -ms.date: 08/03/2018 +ms.date: 10/02/2018 --- # Set up digital signs on Windows 10 
@@ -20,7 +20,7 @@ ms.date: 08/03/2018
 Digital signage can be a useful and exciting business tool. Use digital signs to showcase your products and services, to display testimonials, or to advertise promotions and campaigns. A digital sign can be a static display, such as a building directory or menu, or it can be dynamic, such as repeating videos or a social media feed.
-For digital signage, simply select a digital sign player as your kiosk app. You can also use the Kiosk Browser app (a new Microsoft app for Windows 10, version 1803) and configure it to show your online content.
+For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) or the Kiosk Browser app (a new Microsoft app for Windows 10, version 1803) and configure it to show your online content.
 >[!TIP]
 >Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
diff --git a/windows/configuration/start-layout-xml-desktop.md b/windows/configuration/start-layout-xml-desktop.md
index b75768d432..e95d1cc298 100644
--- a/windows/configuration/start-layout-xml-desktop.md
+++ b/windows/configuration/start-layout-xml-desktop.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 author: jdeckerms
 ms.author: jdecker
 ms.topic: article
-ms.date: 01/02/2018
+ms.date: 10/02/2018
 ms.localizationpriority: medium
 ---
@@ -39,6 +39,24 @@ On Windows 10 for desktop editions, the customized Start works by: IT admins can provision the Start layout using a LayoutModification.xml file. This file supports several mechanisms to modify or replace the default Start layout and its tiles. The easiest method for creating a LayoutModification.xml file is by using the Export-StartLayout cmdlet; see [Customize and export Start layout](customize-and-export-start-layout.md) for instructions. +### Required order + +The XML schema for `LayoutModification.xml` requires the following order for tags directly under the LayoutModificationTemplate node: + +1. LayoutOptions +1. DefaultLayoutOverride +1. RequiredStartGroupsCollection +1. AppendDownloadOfficeTile –OR– AppendOfficeSuite (only one Office option can be used at a time) +1. AppendOfficeSuiteChoice +1. TopMFUApps +1. CustomTaskbarLayoutCollection +1. InkWorkspaceTopApps + +Comments are not supported in the `LayoutModification.xml` file. + + +### Supported elements and attributes + >[!NOTE] >To make sure the Start layout XML parser processes your file correctly, follow these guidelines when working with your LayoutModification.xml file: >- Do not leave spaces or white lines in between each element. @@ -55,6 +73,7 @@ The following table lists the supported elements and attributes for the LayoutMo | [RequiredStartGroups](#requiredstartgroups)

      Parent:
      RequiredStartGroupsCollection | Region | Use to contain the AppendGroup tags, which represent groups that can be appended to the default Start layout | | [AppendGroup](#appendgroup)

      Parent:
      RequiredStartGroups | Name | Use to specify the tiles that need to be appended to the default Start layout | | [start:Tile](#specify-start-tiles)

      Parent:
      AppendGroup | AppUserModelID
      Size
      Row
      Column | Use to specify any of the following:
      - A Universal Windows app
      - A Windows 8 or Windows 8.1 app

      Note that AppUserModelID is case-sensitive. | +start:Folder

      Parent:
      start:Group | Name (in Windows 10, version 1809 and later only)
      Size
      Row
      Column
      LocalizedNameResourcetag | Use to specify a folder of icons; can include [Tile](#start-tile), [SecondaryTile](#start-secondarytile), and [DesktopApplicationTile](#start-desktopapplicationtile). | start:DesktopApplicationTile

      Parent:
      AppendGroup | DesktopApplicationID
      DesktopApplicationLinkPath
      Size
      Row
      Column | Use to specify any of the following:
      - A Windows desktop application with a known AppUserModelID
      - An application in a known folder with a link in a legacy Start Menu folder
      - A Windows desktop application link in a legacy Start Menu folder
      - A Web link tile with an associated .url file that is in a legacy Start Menu folder | | start:SecondaryTile

      Parent:
      AppendGroup | AppUserModelID
      TileID
      Arguments
      DisplayName
      Square150x150LogoUri
      ShowNameOnSquare150x150Logo
      ShowNameOnWide310x150Logo
      Wide310x150LogoUri
      BackgroundColor
      ForegroundText
      IsSuggestedApp
      Size
      Row
      Column | Use to pin a Web link through a Microsoft Edge secondary tile. Note that AppUserModelID is case-sensitive. | | TopMFUApps

      Parent:
      LayoutModificationTemplate | n/a | Use to add up to 3 default apps to the frequently used apps section in the system area.

      **Note**: Only applies to versions of Windows 10 earlier than version 1709. In Windows 10, version 1709, you can no longer pin apps to the Most Frequently Used apps list in Start. | diff --git a/windows/configuration/start-taskbar-lockscreen.md b/windows/configuration/start-taskbar-lockscreen.md deleted file mode 100644 index 083777bcdd..0000000000 --- a/windows/configuration/start-taskbar-lockscreen.md +++ /dev/null @@ -1,30 +0,0 @@ ---- -title: Configure Start layout, taskbar, and lock screen for Windows 10 PCs (Windows 10) -description: -ms.prod: w10 -ms.mktglfcycl: manage -ms.sitesec: library -ms.pagetype: security -ms.localizationpriority: medium -author: jdeckerms -ms.author: jdecker -ms.topic: article -ms.date: 07/27/2017 ---- - -# Configure Start layout, taskbar, and lock screen for Windows 10 PCs - - - -## In this section - -| Topic | Description | -| --- | --- | -| [Windows Spotlight on the lock screen](windows-spotlight.md) | Windows Spotlight is an option for the lock screen background that displays different background images and occasionally offers suggestions on the lock screen.

      **Note:** You can also use the [Personalization CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/personalization-csp) settings to set lock screen and desktop background images. | -| [Manage Windows 10 and Microsoft Store tips, tricks, and suggestions](manage-tips-and-suggestions.md) | Options to manage the tips, tricks, and suggestions offered by Windows and Microsoft Store. | -| [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Organizations might want to deploy a customized Start screen and menu to devices running Windows 10 Pro, Enterprise, or Education. A standard Start layout can be useful on devices that are common to multiple users and devices that are locked down for specialized purposes. | - - -## Related topics - -- [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-applicationmanagement.md b/windows/configuration/wcd/wcd-applicationmanagement.md deleted file mode 100644 index 058450c727..0000000000 --- a/windows/configuration/wcd/wcd-applicationmanagement.md +++ /dev/null 
@@ -1,73 +0,0 @@ ---- -title: ApplicationManagement (Windows 10) -description: This section describes the ApplicationManagement settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -author: jdeckerMS -ms.localizationpriority: medium -ms.author: jdecker -ms.topic: article -ms.date: 09/12/2017 ---- - -# ApplicationManagement (Windows Configuration Designer reference) - -Use these settings to manage app installation and management. - ->[!NOTE] ->ApplicationManagement settings are not available in Windows 10, version 1709, and later. - -## Applies to - -| Settings | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | -| --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAllTrustedApps](#allowalltrustedapps) | | | | | X | -| [AllowAppStoreAutoUpdate](#allowappstoreautoupdate) | | | | | X | -| [RestrictAppDataToSystemVolume](#restrictappdatatosystemvolume) | | | | | X | -| [RestrictAppToSystemVolume](#restrictapptosystemvolume) | | | | | X | - -## AllowAllTrustedApps - -Specifies whether non-Microsoft Store apps are allowed. - -| Value | Description | -| --- | --- | -| No | Only Microsoft Store apps are allowed | -| Yes | Non-Microsoft Store apps are allowed | - -## AllowAppStoreAutoUpdate - -Specifies whether automatic update of apps from Microsoft Store are allowed - -| Value | Description | -| --- | --- | -| Disallowed | Automatic update of apps is not allowed | -| Allowed | Automatic update of apps is allowed | - - -## RestrictAppDataToSystemVolume - -Specifies whether application data is restricted to the system drive. - -| Value | Description | -| --- | --- | -| 0 | Not restricted | -| 1 | Restricted | - - -## RestrictAppToSystemVolume - -Specifies whether the installation of applications is restricted to the system drive. 
- -| Value | Description | -| --- | --- | -| 0 | Not restricted | -| 1 | Restricted | - -## Related topics - -- [Policy configuration service provider (CSP): ApplicationManagement/AllowAllTrustedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) -- [Policy CSP: ApplicationManagement/AllowAppStoreAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) -- [Policy CSP: ApplicationManagement/RestrictAppDataToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) -- [Policy CSP: ApplicationManagement/RestrictAppToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md index 3ed958488d..c7cd5a030f 100644 --- a/windows/configuration/wcd/wcd-browser.md +++ b/windows/configuration/wcd/wcd-browser.md @@ -8,7 +8,7 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 04/30/2018 +ms.date: 10/02/2018 --- # Browser (Windows Configuration Designer reference) 
@@ -19,10 +19,32 @@ Use to configure browser settings that should only be set by OEMs who are part o
 | Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
 | --- | :---: | :---: | :---: | :---: | :---: |
+| [AllowPrelaunch](#allowprelaunch) | | | X | | |
+| [FavoriteBarItems](#favoritebaritems) | X | | | | |
 | [Favorites](#favorites) | | X | | | |
 | [PartnerSearchCode](#partnersearchcode) | X | X | X | | |
 | [SearchProviders](#searchproviders) | | X | | | |
+
+## AllowPrelaunch
+
+Use this setting to allow Microsoft Edge to pre-launch during Windows sign-in, when the system is idle, and each time that Microsoft Edge is closed. Pre-launch minimizes the amount of time required to start Microsoft Edge.
+
+Select between **Prevent Pre-launching** and **Allow Pre-launching**.
+
+## FavoriteBarItems
+
+Use to add items to the Favorites Bar in Microsoft Edge.
+
+1. Enter a name for the item, and select **Add**. (The name you enter here is only used to distinguish the group of settings, and is not shown on the device when the settings are applied.)
+2. In **Available customizations**, select the item that you added, and then configure the following settings for that item:
+
+Setting | Description
+--- | ---
+ItemFavIconFile | Enter the path to the icon file, local to the device where the browser will run. The icon file must be added to the device to the specified path.
+ItemName | Enter the name for the item, which will be displayed on the Favorites Bar.
+ItemUrl | Enter the target URL for the item.
+
 ## Favorites
 Use to configure the default list of Favorites that show up in the browser.
diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md
index 66fd0b6bc1..b7b52b37af 100644
--- a/windows/configuration/wcd/wcd-cellcore.md
+++ b/windows/configuration/wcd/wcd-cellcore.md
@@ -8,11 +8,13 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 04/30/2018 +ms.date: 10/02/2018 --- # CellCore (Windows Configuration Designer reference) +>Setting documentation is provided for Windows 10, version 1803 and earlier. CellCore is not available in Windows 10, version 1809. + Use to configure settings for cellular data. >[!IMPORTANT] diff --git a/windows/configuration/wcd/wcd-cellular.md b/windows/configuration/wcd/wcd-cellular.md index 290e3f52cb..f6c9545c4a 100644 --- a/windows/configuration/wcd/wcd-cellular.md +++ b/windows/configuration/wcd/wcd-cellular.md @@ -8,7 +8,7 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 09/21/2017 +ms.date: 10/02/2018 --- # Cellular (Windows Configuration Designer reference) 
@@ -24,39 +24,54 @@ Use to configure settings for cellular connections. | --- | :---: | :---: | :---: | :---: | :---: | | All settings | X | | | | | +## PerDevice +See [SignalBarMappingTable](#signalbarmappingtable) + +## PerSimSettings To begin, enter a SIM integrated circuit card identifier (**SimIccid**), and click **Add**. In the **Customizations** pane, select the SimIccid that you just entered and configure the following settings for it. -## AccountExperienceURL +### AccountExperienceURL Enter the URL for the mobile operator's web page. -## AppID +### AppID Enter the AppID for the mobile operator's app in Microsoft Store. -## BrandingIcon +### BrandingIcon Browse to and select an .ico file. -## BrandingIconPath +### BrandingIconPath Enter the destination path for the BrandingIcon .ico file. -## BrandingName +### BrandingName Enter the service provider name for the mobile operator. -## NetworkBlockList - -Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC). - -## SIMBlockList +### NetworkBlockList Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC). -## UseBrandingNameOnRoaming +### SignalBarMappingTable + +>[!NOTE] +>SignalBarMappingTable can be configured per device or per sim. + +Use the **SignalBarMappingTable** settings to customize the number of bars displayed based on signal strength. Set a signal strength minimum for each bar number. + +1. Expand **SignalBarMappingTable**, select a bar number in **SignalForBars**, and select **Add**. +2. Select the signal bar number in **Available customizations**, and enter a minimum signal strength value, between 0 and 31. + +### SIMBlockList + +Enter a comma-separated list of mobile country code (MCC) and mobile network code (MCC) pairs (MCC:MNC). + + +### UseBrandingNameOnRoaming Select an option for displaying the BrandingName when the device is roaming. \ No newline at end of file 
diff --git a/windows/configuration/wcd/wcd-changes.md b/windows/configuration/wcd/wcd-changes.md new file mode 100644 index 0000000000..b51c2ab60e --- /dev/null +++ b/windows/configuration/wcd/wcd-changes.md 
@@ -0,0 +1,83 @@ +--- +title: Changes to settings in Windows Configuration Designer (Windows 10) +description: This section describes the changes to settings in Windows Configuration Designer in Windows 10, version 1809. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.topic: article +ms.date: 10/02/2018 +--- + +# Changes to settings in Windows Configuration Designer + +Settings added in Windows 10, version 1809 + + +- [Browser > AllowPrelaunch](wcd-browser.md#allowprelaunch) +- [Browser > FavoriteBarItems](wcd-browser.md#favoritebaritems) +- [Cellular > SignalBarMappingTable](wcd-cellular.md#signalbarmappingtable) +- [KioskBrowser](wcd-kioskbrowser.md) +- [Location](wcd-location.md) +- [Policies > ApplicationManagement > LaunchAppAfterLogOn](wcd-policies.md#applicationmanagement) +- [Policies > Authentication:](wcd-policies.md#authentication) + - EnableFastFirstSignin + - EnableWebSignin + - PreferredAadTenantDomainName +- [Policies > Browser:](wcd-policies.md#browser) + - AllowFullScreenMode + - AllowPrelaunch + - AllowPrinting + - AllowSavingHistory + - AllowSideloadingOfExtensions + - AllowTabPreloading + - AllowWebContentOnNewTabPage + - ConfigureFavoritesBar + - ConfigureHomeButton + - ConfigureKioskMode + - ConfigureKioskResetAfterIdleTimer + - ConfigureOpenMicrosoftEdgeWith + - ConfigureTelemetryForMicrosoft365 + - FirstRunURL + - PreventCertErrorOverrides + - PreventTurningOffRequiredExtensions + - SetHomeButtonURL + - SetNewTabPageURL + - UnlockHomeButton +- [Policies > DeliveryOptimization:](wcd-policies.md#deliveryoptimization) + - DODelayBackgroundDownloadFromHttp + - DODelayForegroundDownloadFromHttp + - DOGroupIdSource + - DOPercentageMaxBackDownloadBandwidth + - DOPercentageMaxForeDownloadBandwidth + - DORestrictPeerSelectionsBy + - DOSetHoursToLimitBackgroundDownloadBandwidth + - DOSetHoursToLimitForegroundDownloadBandwidth +- [Policies > 
KioskBrowser](wcd-policies.md#kioskbrowser) > EnableEndSessionButton +- [Policies > Search](wcd-policies.md#search) > DoNotUseWebResults +- [Policies > System:](wcd-policies.md#system) + - DisableDeviceDelete + - DisableDiagnosticDataViewer +- [Policies > Update:](wcd-policies.md#update) + - AutoRestartDeadlinePeriodInDaysForFeatureUpdates + - EngagedRestartDeadlineForFeatureUpdates + - EngagedRestartSnoozeScheduleForFeatureUpdates + - EngagedRestartTransitionScheduleForFeatureUpdates + - ExcludeWUDriversInQualityUpdate + - SetDisablePauseUXAccess + - SetDisableUXWUAccess + - UpdateNotificationLevel +- [UnifiedWriteFilter > OverlayFlags](wcd-unifiedwritefilter.md#overlayflags) +- [UnifiedWriteFilter > ResetPersistentState](wcd-unifiedwritefilter.md#resetpersistentstate) +- [WindowsHelloForBusiness](wcd-windowshelloforbusiness.md) + + +Settings removed in Windows 10, version 1809 + +- [CellCore](wcd-cellcore.md) +- [Policies > Browser:](wcd-policies.md#browser) + - AllowBrowser + - PreventTabReloading + diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md index b797544274..38bdf81ca7 100644 --- a/windows/configuration/wcd/wcd-connectivityprofiles.md +++ b/windows/configuration/wcd/wcd-connectivityprofiles.md 
@@ -19,12 +19,12 @@ Use to configure profiles that a user will connect with, such as an email accoun | Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | :---: | :---: | :---: | :---: | :---: | -| [Email](#email) | X | X | X | | X | -| [Exchange](#exchange) | X | X | X | | X | -| [KnownAccounts](#knownaccounts) | X | X | X | | X | -| [VPN](#vpn) | X | X | X | X | X | -| [WiFiSense](#wifisense) | X | X | X | | X | -| [WLAN](#wlan) | X | X | X | X | X | +| [Email](#email) | X | X | X | | | +| [Exchange](#exchange) | X | X | X | | | +| [KnownAccounts](#knownaccounts) | X | X | X | | | +| [VPN](#vpn) | X | X | X | X | | +| [WiFiSense](#wifisense) | X | X | X | | | +| [WLAN](#wlan) | X | X | X | X | | ## Email diff --git a/windows/configuration/wcd/wcd-kioskbrowser.md b/windows/configuration/wcd/wcd-kioskbrowser.md new file mode 100644 index 0000000000..29f19e45e4 --- /dev/null +++ b/windows/configuration/wcd/wcd-kioskbrowser.md 
@@ -0,0 +1,44 @@ +--- +title: KioskBrowser (Windows 10) +description: This section describes the KioskBrowser settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: jdeckerMS +ms.localizationpriority: medium +ms.author: jdecker +ms.topic: article +ms.date: 10/02/2018 +--- + +# KioskBrowser (Windows Configuration Designer reference) + +Use KioskBrowser settings to configure Internet sharing. + +## Applies to + +| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | +| --- | :---: | :---: | :---: | :---: | :---: | +| All settings | | | | | X | + +>[!NOTE] +>To configure Kiosk Browser settings for desktop editions, go to [Policies > KioskBrowser](wcd-policies.md#kioskbrowser). + +Kiosk Browser settings | Use this setting to +--- | --- +Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.

      For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs. +Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.

      If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list. +Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL. +Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL. +Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser. +Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction. + +>[!IMPORTANT] +>To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in Windows Configuration Designer: +> +> 1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer. +>2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18). +>3. Insert the null character string in between each URL (e.g www.bing.com``www.contoso.com). +>4. Save the XML file. +>5. Open the project again in Windows Configuration Designer. +>6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed. \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-location.md b/windows/configuration/wcd/wcd-location.md new file mode 100644 index 0000000000..f54b9343b1 --- /dev/null +++ b/windows/configuration/wcd/wcd-location.md 
@@ -0,0 +1,26 @@
+---
+title: Location (Windows 10)
+description: This section describes the Location settings that you can configure in provisioning packages for Windows 10 using Windows Configuration Designer.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+author: jdeckerMS
+ms.localizationpriority: medium
+ms.author: jdecker
+ms.topic: article
+ms.date: 10/02/2018
+---
+
+# Location (Windows Configuration Designer reference)
+
+Use Location settings to configure location services.
+
+## Applies to
+
+| Setting groups | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
+| --- | :---: | :---: | :---: | :---: | :---: |
+| [EnableLocation](#enablelocation) | | | | | X |
+
+## EnableLocation
+
+Use this setting to enable or disable location services for the device.
diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index e533cd7b14..9e65e7f7e7 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -8,35 +8,35 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 08/03/2018 +ms.date: 10/02/2018 --- # Policies (Windows Configuration Designer reference) -This section describes the **Policies** settings that you can configure in [provisioning packages](../provisioning-packages/provisioning-packages.md) for Windows 10 using Windows Configuration Designer. Each setting below links to its supported values, as documented in the [Policy configuration service provider (CSP)](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider). +This section describes the **Policies** settings that you can configure in [provisioning packages](../provisioning-packages/provisioning-packages.md) for Windows 10 using Windows Configuration Designer. Each setting below links to its supported values, as documented in the [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider). ## AboveLock | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowActionCenterNotifications](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#abovelock-allowactioncenternotifications) | Allow Action Center notifications above the device lock screen. | | X | | | | -| [AllowToasts](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#abovelock-allowtoasts) | Allow toast notifications above the device lock screen. | X | X | | | | +| [AllowActionCenterNotifications](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowactioncenternotifications) | Allow Action Center notifications above the device lock screen. 
| | X | | | | +| [AllowToasts](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#abovelock-allowtoasts) | Allow toast notifications above the device lock screen. | X | X | | | | ## Accounts | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAddingNonMicrosoftAccountManually](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-allowaddingnonmicrosoftaccountsmanually) | Whether users can add non-Microsoft email accounts | X | X | | | | -| [AllowMicrosoftAccountConnection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountconnection) | Whether users can use a Microsoft account for non-email-related connection authentication and services | X | X | | X | | -| [AllowMicrosoftAccountSigninAssistant](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountsigninassistant) | Disable the **Microsoft Account Sign-In Assistant** (wlidsvc) NT service | X | X | | | | -| [DomainNamesForEmailSync](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#accounts-domainnamesforemailsync) | List of domains that are allowed to sync email on the devices | X | X | | | | +| [AllowAddingNonMicrosoftAccountManually](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowaddingnonmicrosoftaccountsmanually) | Whether users can add non-Microsoft email accounts | X | X | | | | +| [AllowMicrosoftAccountConnection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountconnection) | Whether users can use a Microsoft account for 
non-email-related connection authentication and services | X | X | | X | | +| [AllowMicrosoftAccountSigninAssistant](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#accounts-allowmicrosoftaccountsigninassistant) | Disable the **Microsoft Account Sign-In Assistant** (wlidsvc) NT service | X | X | | | | +| [DomainNamesForEmailSync](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#accounts-domainnamesforemailsync) | List of domains that are allowed to sync email on the devices | X | X | | | | ## ApplicationDefaults | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [DefaultAssociationsConfiguration](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationdefaults-defaultassociationsconfiguration) | Set default file type and protocol associations | X | | | | | +| [DefaultAssociationsConfiguration](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationdefaults-defaultassociationsconfiguration) | Set default file type and protocol associations | X | | | | | ##ApplicationManagement 
@@ -44,15 +44,16 @@ This section describes the **Policies** settings that you can configure in [prov | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAllTrustedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Microsoft Store apps are allowed | X | X | | | | -| [AllowAppStoreAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Microsoft Store is allowed | X | X | | | | -| [AllowDeveloperUnlock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | X | X | X | X | X | -| [AllowGameDVR](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting is allowed | X | | | | | -| [AllowSharedUserAppData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | X | X | | | | -| [AllowStore](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device | | X | | | | -| [ApplicationRestrictions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allow list, disallow list, etc. 
| | x | | | | -| [RestrictAppDataToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) | Whether app data is restricted to the system drive | X | X | | | | -| [RestrictAppToSystemVolume](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) | Whether the installation of apps is restricted to the system drive | X | X | | | | +| [AllowAllTrustedApps](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowalltrustedapps) | Whether non-Microsoft Store apps are allowed | X | X | | | X | +| [AllowAppStoreAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowappstoreautoupdate) | Whether automatic update of apps from Microsoft Store is allowed | X | X | | | X | +| [AllowDeveloperUnlock](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowdeveloperunlock) | Whether developer unlock of device is allowed | X | X | X | X | X | +| [AllowGameDVR](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowgamedvr) |Whether DVR and broadcasting is allowed | X | | | | | +| [AllowSharedUserAppData](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowshareduserappdata) | Whether multiple users of the same app can share data | X | X | | | | +| [AllowStore](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-allowstore) | Whether app store is allowed at device | | X | | | | +| 
[ApplicationRestrictions](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-applicationrestrictions) | An XML blob that specifies app restrictions, such as an allow list, disallow list, etc. | | x | | | | +| [LaunchAppAfterLogOn](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-launchappafterlogon) |Whether to launch an app or apps when the user signs in. | X | | | | | +| [RestrictAppDataToSystemVolume](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictappdatatosystemvolume) | Whether app data is restricted to the system drive | X | X | | | X | +| [RestrictAppToSystemVolume](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#applicationmanagement-restrictapptosystemvolume) | Whether the installation of apps is restricted to the system drive | X | X | | | X | 
@@ -61,94 +62,115 @@ This section describes the **Policies** settings that you can configure in [prov | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowFastReconnect](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#authentication-allowfastreconnect) | Allows EAP Fast Reconnect from being attempted for EAP Method TLS. | X | X | X | X | X | +| [AllowFastReconnect](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-authentication#authentication-allowfastreconnect) | Allows EAP Fast Reconnect from being attempted for EAP Method TLS. | X | X | X | X | X | +| [EnableFastFirstSignin](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-authentication#authentication-enablefastfirstsignin) | Enables a quick first sign-in experience for a user by automatically connecting new non-admin Azure AD accounts to the pre-configured candidate local accounts. | X | X | X | | X | +| [EnableWebSignin](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-authentication#authentication-enablewebsignin) | Enables Windows logon support for non-ADFS federated providers (e.g. SAML). | X | X | X | | X | +| [PreferredAadTenantDomainName](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-authentication#authentication-preferredaadtenantdomainname) | Specifies the preferred domain among available domains in the Azure AD tenant. 
| X | X | X | | X | ## BitLocker | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [EncryptionMethod](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bitlocker-encryptionmethod) | Specify BitLocker drive encryption method and cipher strength | X | X | | | | +| [EncryptionMethod](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#bitlocker-encryptionmethod) | Specify BitLocker drive encryption method and cipher strength | X | X | | | | ## Bluetooth | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAdvertising](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowadvertising) | Whether the device can send out Bluetooth advertisements | X | X | X | X | X | -| [AllowDiscoverableMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowdiscoverablemode) | Whether other Bluetooth-enabled devices can discover the device | X | X | X | X | X | -| [AllowPrepairing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | X | X | X | | X | +| [AllowAdvertising](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowadvertising) | Whether the device can send out Bluetooth advertisements | X | X | X | X | X | +| [AllowDiscoverableMode](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowdiscoverablemode) | Whether other 
Bluetooth-enabled devices can discover the device | X | X | X | X | X | +| [AllowPrepairing](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-allowprepairing) | Whether to allow specific bundled Bluetooth peripherals to automatically pair with the host device | X | X | X | X | X | | AllowPromptedProximalConnections | Whether Windows will prompt users when Bluetooth devices that are connectable are in range of the user's device | X | X | X | X | X | -| [LocalDeviceName](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | X | X | X | X | X | -| [ServicesAllowedList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | X | X | X | X | | +| [LocalDeviceName](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-localdevicename) | Set the local Bluetooth device name | X | X | X | X | X | +| [ServicesAllowedList](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#bluetooth-servicesallowedlist) | Set a list of allowable services and profiles | X | X | X | X | X | ## Browser | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAddressBarDropdown](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowaddressbardropdown) | Specify whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. 
| X | | | | | -| [AllowAutofill](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowautofill) | Specify whether autofill on websites is allowed. | X | X | X | X | | -| [AllowBrowser](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowbrowser) | Specify whether the browser is allowed on the device. | X | | | | | -[AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | Specify whether Microsoft Edge can automatically update the configuration data for the Books Library. | X | | | | | -| [AllowCookies](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowcookies) | Specify whether cookies are allowed. | X | X | X | X | | -| [AllowDeveloperTools](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowdevelopertools) | Specify whether employees can use F12 Developer Tools on Microsoft Edge. | X | | | | | -| [AllowDoNotTrack](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowdonottrack) | Specify whether Do Not Track headers are allowed. | X | X | X | X | | -| [AllowExtensions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowextensions) | Specify whether Microsoft Edge extensions are allowed. | X | | | | | -| [AllowFlash](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowflash) | Specify whether Adobe Flash can run in Microsoft Edge. 
| X | | | | | -| [AllowFlashClickToRun](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowflashclicktorun) | Specify whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. | X | | | | | -| [AllowInPrivate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowinprivate) | Specify whether InPrivate browsing is allowed on corporate networks. | X | X | X | X | | -| [AllowMicrosoftCompatibilityList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowmicrosoftcompatibilitylist) | Specify whether to use the Microsoft compatibility list in Microsoft Edge. | X | X | X | | | -| [AllowPasswordManager](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowpasswordmanager) | Specify whether saving and managing passwords locally on the device is allowed. | X | X | X | X | | -| [AllowPopups](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowpopups) | Specify whether pop-up blocker is allowed or enabled. | X | | | X | | -| [AllowSearchEngineCustomization](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowsearchenginecustomization) | Allow search engine customization for MDM-enrolled devices. | X | | | | | -| [AllowSearchSuggestionsinAddressBar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowsearchsuggestionsinaddressbar) | Specify whether search suggestions are allowed in the address bar. 
| X | X | X | X | | -| [AllowSmartScreen](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-allowsmartscreen) | Specify whether Windows Defender SmartScreen is allowed. | X | X | X | X | | -[AlwaysEnableBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | Always show the Books Library in Microsoft Edge. | X | | | | | -| [ClearBrowsingDataOnExit](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-clearbrowsingdataonexit) | Specify whether to clear browsing data when exiting Microsoft Edge. | X | | | | | -| [ConfigureAdditionalSearchEngines](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 addtional search engines for MDM-enrolled devices. | X | X | X | | | -| [DisableLockdownOfStartPages](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | X | | | | | -[EnableExtendedBooksTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | Enable this setting to send additional diagnostic data, on top of the basic diagnostic data, from the Books tab. | X | | | | | -| [EnterpriseModeSiteList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list. 
| X | | | | | -| [EnterpriseSiteListServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisesitelistserviceurl) | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | X | | | | | -| [FirstRunURL](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it is opened for the first time. | | X | | | | -| [HomePages](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. | X | | | | | -[LockdownFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | Configure whether employees can add, import, sort, or edit the Favorites list in Microsoft Edge. | X | | | | | -| [PreventAccessToAboutFlagsInMicrosoftEdge](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | X | X | X | | | -| [PreventFirstRunPage](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventfirstrunpage) | Specify whether to enable or disable the First Run webpage. 
| X | | | | | -| [PreventLiveTileDataCollection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventlivetiledatacollection) | Specify whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. | X | X | X | | | -| [PreventSmartScreenPromptOverride](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride) | Specify whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. | X | X | X | | | -| [PreventSmartScreenPromptOverrideForFiles](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. | X | X | X | | | -PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. | X | | | | | -| [PreventUsingLocalHostIPAddressForWebRTC](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc) | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol. | X | X | X | | | -[ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | Configure a default set of favorites which will appear for employees. 
| X | | | | | -| [SendIntranetTraffictoInternetExplorer ](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-sendintranettraffictointernetexplorer) | Specify whether to send intranet traffic to Internet Explorer. | X | | | | | -| [SetDefaultSearchEngine](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-setdefaultsearchengine) | Configure the default search engine for your employees. | X | X | X | | | -| [ShowMessageWhenOpeningSitesInInternetExplorer](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-showmessagewhenopeningsitesininternetexplorer) | Specify whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site list. | X | | | | | -| [SyncFavoritesBetweenIEAndMicrosoftEdge](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#browser-syncfavoritesbetweenieandmicrosoftedge) | Specify whether favorites are kept in sync between Internet Explorer and Microsoft Edge. | X | | | | | -[UseSharedFolderForBooks](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | Specify whether organizations should use a folder shared across users to store books from the Books Library. | X | | | | | +| [AllowAddressBarDropdown](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowaddressbardropdown) | Specify whether to allow the address bar drop-down functionality in Microsoft Edge. If you want to minimize network connections from Microsoft Edge to Microsoft services, we recommend disabling this functionality. 
| X | | | | | +| [AllowAutofill](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowautofill) | Specify whether autofill on websites is allowed. | X | X | X | | X | +| [AllowBrowser](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowbrowser) | Specify whether the browser is allowed on the device (for Windows 10, version 1803 and earlier only). | X | X | | | | +[AllowConfigurationUpdateForBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) | Specify whether Microsoft Edge can automatically update the configuration data for the Books Library. | X | X | | | | +| [AllowCookies](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowcookies) | Specify whether cookies are allowed. | X | X | X | | X | +| [AllowDeveloperTools](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdevelopertools) | Specify whether employees can use F12 Developer Tools on Microsoft Edge. | X | | | | | +| [AllowDoNotTrack](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowdonottrack) | Specify whether Do Not Track headers are allowed. | X | X | X | | X | +| [AllowExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowextensions) | Specify whether Microsoft Edge extensions are allowed. | X | | | | | +| [AllowFlash](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflash) | Specify whether Adobe Flash can run in Microsoft Edge. 
| X | | | | |
+| [AllowFlashClickToRun](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowflashclicktorun) | Specify whether users must take an action, such as clicking the content or a Click-to-Run button, before seeing content in Adobe Flash. | X | | | | |
+| [AllowFullScreenMode](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowfullscreenmode) | Specify whether full-screen mode is allowed. | X | X | X | | X |
+| [AllowInPrivate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowinprivate) | Specify whether InPrivate browsing is allowed on corporate networks. | X | X | X | | X |
+| [AllowMicrosoftCompatibilityList](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowmicrosoftcompatibilitylist) | Specify whether to use the Microsoft compatibility list in Microsoft Edge. | X | X | X | | X |
+| [AllowPasswordManager](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpasswordmanager) | Specify whether saving and managing passwords locally on the device is allowed. | X | X | X | | X |
+| [AllowPopups](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowpopups) | Specify whether pop-up blocker is allowed or enabled. | X | | | X | |
+| [AllowPrelaunch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprelaunch) | Specify whether Microsoft Edge can pre-launch as a background process during Windows startup when the system is idle waiting to be launched by the user. | X | | | | |
+| [AllowPrinting](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowprinting) | Specify whether users can print web content in Microsoft Edge.
| X | X | X | | X |
+| [AllowSavingHistory](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsavinghistory) | Specify whether Microsoft Edge saves the browsing history. | X | | | | |
+| [AllowSearchEngineCustomization](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchenginecustomization) | Allow search engine customization for MDM-enrolled devices. | X | X | X | | X |
+| [AllowSearchSuggestionsinAddressBar](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsearchsuggestionsinaddressbar) | Specify whether search suggestions are allowed in the address bar. | X | X | X | | X |
+| [AllowSideloadingOfExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowsideloadingofextensions) | Specify whether extensions can be sideloaded in Microsoft Edge. | X | | | | |
+| [AllowSmartScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-allowsmartscreen) | Specify whether Windows Defender SmartScreen is allowed. | X | X | X | X | X |
+| [AllowTabPreloading](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowtabpreloading) | Specify whether preloading the Start and New tab pages during Windows sign-in is allowed. | X | | | | |
+| [AllowWebContentOnNewTabPage](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-allowwebcontentonnewtabpage) | Specify whether a New tab page opens with the default content or a blank page. | X | X | X | | X |
+[AlwaysEnableBooksLibrary](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-alwaysenablebookslibrary) | Always show the Books Library in Microsoft Edge.
| X | X | | | |
+| [ClearBrowsingDataOnExit](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-clearbrowsingdataonexit) | Specify whether to clear browsing data when exiting Microsoft Edge. | X | | | | |
+| [ConfigureAdditionalSearchEngines](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-configureadditionalsearchengines) | Allows you to add up to 5 addtional search engines for MDM-enrolled devices. | X | X | X | | X |
+| [ConfigureFavoritesBar](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurefavoritesbar) | Specify whether the Favorites bar is shown or hidden on all pages. | X | | | | |
+| [ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) | Configure whether the Home button will be shown, and what should happen when it is selected. You should also configure the [SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) setting. To configure this setting and also allow users to make changes to the Home button, see the [UnlockHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) setting. | X | | | | |
+| [ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode) | Configure how Microsoft Edge operates when it's running in kiosk mode, either as a single-app kiosk or as one of multiple apps running on the kiosk device. | X | | | | |
+| [ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout) | Specify the time, in minutes, after which Microsoft Edge running in kiosk mode resets to the default kiosk configuration.
| X | | | | |
+| [ConfigureOpenMicrosoftEdgeWith](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configureopenmicrosoftedgewith) | Specify which pages should load when Microsoft Edge opens. You should also configure the [ConfigureStartPages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurestartpages) setting and [DisableLockdownOfStartPages](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) setting. | X | | | | |
+| [ConfigureTelemetryForMicrosoft365Analytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configuretelemetryformicrosoft365analytics) | Specify whether to send Microsoft Edge browsing history data to Microsoft 365 Analytics. | X | | | | |
+| [DisableLockdownOfStartPages](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-disablelockdownofstartpages) | Specify whether the lockdown on the Start pages is disabled. | X | | | | |
+[EnableExtendedBooksTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) | Enable this setting to send additional diagnostic data, on top of the basic diagnostic data, from the Books tab. | X | X | | | |
+| [EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist) | Allow the user to specify a URL of an enterprise site list.
| X | | | | |
+| [EnterpriseSiteListServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-enterprisesitelistserviceurl) | This policy (introduced in Windows 10, version 1507) was deprecated in Windows 10, version 1511 by [Browser/EnterpriseModeSiteList](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-enterprisemodesitelist). | X | | | | |
+| [FirstRunURL](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-firstrunurl) | Specify the URL that Microsoft Edge will use when it is opened for the first time. | X | X | | | |
+| [HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-homepages) | Specify your Start pages for MDM-enrolled devices. | X | | | | |
+[LockdownFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-lockdownfavorites) | Configure whether employees can add, import, sort, or edit the Favorites list in Microsoft Edge. | X | X | | | |
+| [PreventAccessToAboutFlagsInMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventaccesstoaboutflagsinmicrosoftedge) | Specify whether users can access the **about:flags** page, which is used to change developer settings and to enable experimental features. | X | X | X | | X |
+| [PreventCertErrorOverrides](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-preventcerterroroverrides) | Specify whether to override security warnings about sites that have SSL errors. | X | X | X | | X |
+| [PreventFirstRunPage](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventfirstrunpage) | Specify whether to enable or disable the First Run webpage.
| X | | | | |
+| [PreventLiveTileDataCollection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventlivetiledatacollection) | Specify whether Microsoft can collect information to create a Live Tile when pinning a site to Start from Microsoft Edge. | X | X | X | | X |
+| [PreventSmartScreenPromptOverride](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverride) | Specify whether users can override the Windows Defender SmartScreen Filter warnings about potentially malicious websites. | X | X | X | | X |
+| [PreventSmartScreenPromptOverrideForFiles](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventsmartscreenpromptoverrideforfiles) | Specify whether users can override the Windows Defender SmartScreen Filter warnings about downloading unverified files. | X | X | X | | X |
+PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Start and New Tab page at Windows startup and each time Microsoft Edge is closed. Applies to Windows 10, version 1803 and earlier only. | X | | | | |
+| [PreventTurningOffRequiredExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-forceenabledextensions) | Enter a list of extensions in Microsoft Edge that users cannot turn off, using a semi-colon delimited list of extension package family names. | X | | | | |
+| [PreventUsingLocalHostIPAddressForWebRTC](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-preventusinglocalhostipaddressforwebrtc) | Specify whether a user's localhost IP address is displayed while making phone calls using the WebRTC protocol.
| X | X | X | | X |
+[ProvisionFavorites](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-provisionfavorites) | Configure a default set of favorites which will appear for employees. | X | X | | | |
+| [SendIntranetTraffictoInternetExplorer ](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-sendintranettraffictointernetexplorer) | Specify whether to send intranet traffic to Internet Explorer. | X | | | | |
+| [SetDefaultSearchEngine](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-setdefaultsearchengine) | Configure the default search engine for your employees. | X | X | X | | X |
+| [SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl) | Specify a custom URL for the Home button. You should also enable the [ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton) setting and select the **Show the home button; clicking the home button loads a specific URL** option. | X | | | | |
+| [SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl) | Specify a custom URL for a New tab page. | X | | | | |
+| [ShowMessageWhenOpeningSitesInInternetExplorer](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-showmessagewhenopeningsitesininternetexplorer) | Specify whether users should see a full interstitial page in Microsoft Edge when opening sites that are configured to open in Internet Explorer using the Enterprise Site list.
| X | | | | | +| [SyncFavoritesBetweenIEAndMicrosoftEdge](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#browser-syncfavoritesbetweenieandmicrosoftedge) | Specify whether favorites are kept in sync between Internet Explorer and Microsoft Edge. | X | | | | | +| [UnlockHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-unlockhomebutton) | Specify whether users can make changes to the Home button. | X | | | | | +[UseSharedFolderForBooks](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) | Specify whether organizations should use a folder shared across users to store books from the Books Library. | X | X | | | | ## Camera | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowCamera](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | X | X | X | X | | +| [AllowCamera](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#camera-allowcamera) | Disable or enable the camera. | X | X | X | X | | ## Connectivity | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowBluetooth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | X | X | X | X | | -| [AllowCellularData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowcellulardata) | Allow the cellular data channel on the device. 
| X | X | X | | |
-| [AllowCellularDataRoaming](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowcellulardataroaming) | Allow or disallow cellular data roaming on the device. | X | X | X | | |
-| [AllowConnectedDevices](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowconnecteddevices) | Allows IT admins the ability to disable the Connected Devices Platform component. | X | X | X | | |
-| [AllowNFC](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allownfc) | Allow or disallow near field communication (NFC) on the device. | | X | | | |
-| [AllowUSBConnection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowusbconnection) | Enable USB connection between the device and a computer to sync files with the device or to use developer tools or to deploy or debug applications. | | X | | | |
-| [AllowVPNOverCellular](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowvpnovercellular) | Specify what type of underlyinng connections VPN is allowed to use. |X | X | X | | |
-| [AllowVPNRoamingOverCellular](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#connectivity-allowvpnroamingovercellular) | Prevent the device from connecting to VPN when the device roams over cellular networks. | X | X | X | | |
-| HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | X | X | X | | |
-| HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences.
| X | X | X | | |
+| [AllowBluetooth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowbluetooth) | Allow the user to enable Bluetooth or restrict access. | X | X | X | X | X |
+| [AllowCellularData](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardata) | Allow the cellular data channel on the device. | X | X | X | | X |
+| [AllowCellularDataRoaming](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowcellulardataroaming) | Allow or disallow cellular data roaming on the device. | X | X | X | | X |
+| [AllowConnectedDevices](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowconnecteddevices) | Allows IT admins the ability to disable the Connected Devices Platform component. | X | X | X | | X |
+| [AllowNFC](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allownfc) | Allow or disallow near field communication (NFC) on the device. | | X | | | X |
+| [AllowUSBConnection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowusbconnection) | Enable USB connection between the device and a computer to sync files with the device or to use developer tools or to deploy or debug applications. | | X | | | X |
+| [AllowVPNOverCellular](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnovercellular) | Specify what type of underlyinng connections VPN is allowed to use. |X | X | X | | X |
+| [AllowVPNRoamingOverCellular](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#connectivity-allowvpnroamingovercellular) | Prevent the device from connecting to VPN when the device roams over cellular networks.
| X | X | X | | X | +| HideCellularConnectionMode | Hide the checkbox that lets the user change the connection mode. | X | X | X | | X | +| HideCellularRoamingOption | Hide the dropdown menu that lets the user change the roaming preferences. | X | X | X | | X | ## CredentialProviders 
@@ -160,60 +182,68 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowFipsAlgorithmPolicy](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#cryptography-allowfipsalgorithmpolicy) | Allow or disallow the Federal Information Processing Standard (FIPS) policy. | X | X | | | | -| [TLSCiperSuites](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#cryptography-tlsciphersuites) | List the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. | X | X | | | | +| [AllowFipsAlgorithmPolicy](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#cryptography-allowfipsalgorithmpolicy) | Allow or disallow the Federal Information Processing Standard (FIPS) policy. | X | X | | | | +| [TLSCiperSuites](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#cryptography-tlsciphersuites) | List the Cryptographic Cipher Algorithms allowed for SSL connections. Format is a semicolon delimited list. Last write win. | X | X | | | | ## Defender | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowArchiveScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowarchivescanning) | Allow or disallow scanning of archives. 
| X | | | | |
-| [AllowBehaviorMonitoring](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowbehaviormonitoring) | Allow or disallow Windows Defender Behavior Monitoring functionality. | X | | | | |
-| [AllowCloudProtection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowcloudprotection) | To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. | X | | | | |
-| [AllowEmailScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowemailscanning) | Allow or disallow scanning of email. | X | | | | |
-| [AllowFullScanOnMappedNetworkDrives](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowfullscanonmappednetworkdrives) | Allow or disallow a full scan of mapped network drives. | X | | | | |
-| [AllowFullScanRemovableDriveScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowfullscanremovabledrivescanning) | Allow or disallow a full scan of removable drives. | X | | | | |
-| [AllowIntrusionPreventionSystem](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowintrusionpreventionsystem) | Allow or disallow Windows Defender Intrusion Prevention functionality. | X | | | | |
-| [AllowIOAVProtection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowioavprotection) | Allow or disallow Windows Defender IOAVP Protection functionality.
| X | | | | |
-| [AllowOnAccessProtection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowonaccessprotection) | Allow or disallow Windows Defender On Access Protection functionality. | X | | | | |
-| [AllowRealtimeMonitoring](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowrealtimemonitoring) | Allow or disallow Windows Defender Realtime Monitoring functionality. | X | | | | |
-| [AllowScanningNetworkFiles](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowscanningnetworkfiles) | Allow or disallow scanning of network files. | X | | | | |
-| [AllowScriptScanning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowscriptscanning) | Allow or disallow Windows Defender Script Scanning functionality. | X | | | | |
-| [AllowUserUIAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-allowuseruiaccess) | Allow or disallow user access to the Windows Defender UI. | X | | | | |
-| [AvgCPULoadFactor](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-avgcpuloadfactor) | Represents the average CPU load factor for the Windows Defeder scan (in percent). | X | | | | |
-| [DaysToRetainCleanedMalware](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-daystoretaincleanedmalware) | Specify time period (in days) that quarantine items will be stored on the system.
| X | | | | |
-| [ExcludedExtensions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedextensions) | Specify a list of file type extensions to ignore durinng a scan. Separate each file type in the list by using \|. | X | | | | |
-| [ExcludedPaths](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedpaths) | Specify a list of directory paths to ignore during a scan. Separate each path in the list by using \|. | X | | | | |
-| [ExcludedProcesses](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedprocesses) | Specify a list of files opened by processes to ignore durinng a scan. Separate each file type in the list by using \|. The process itself is not excluded from the scan, but can be excluded by using the [Defender/ExcludedPaths](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-excludedpaths) policy to exclude its path. | X | | | | |
-| [RealTimeScanDirection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-realtimescandirection) | Control which sets of files should be monitored. | X | | | | |
-| [ScanParameter](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-scanparameter) | Select whether to perform a quick scan or full scan. | X | | | | |
-| [ScheduleQuickScanTime](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-schedulequickscantime) | Specify the time of day that Windows Defender quick scan should run.
| X | | | | |
-| [ScheduleScanDay](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-schedulescanday) | Select the day that Windows Defender scan should run. | X | | | | |
-| [ScheduleScanTime](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-schedulescantime) | Select the time of day that the Windows Defender scan should run. | X | | | | |
-| [SignatureUpdateInterval](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-signatureupdateinterval) | Specify the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. | X | | | | |
-| [SubmitSamplesConsent](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-submitsamplesconsent) | Checks for the user consent level in Windows Defender to send data. | X | | | | |
-| [ThreatSeverityDefaultAction](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#defender-threatseveritydefaultaction) | Specify any valid threat severity levels and the corresponding default action ID to take. | X | | | | |
+| [AllowArchiveScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowarchivescanning) | Allow or disallow scanning of archives. | X | | | | |
+| [AllowBehaviorMonitoring](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowbehaviormonitoring) | Allow or disallow Windows Defender Behavior Monitoring functionality.
| X | | | | |
+| [AllowCloudProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowcloudprotection) | To best protect your PC, Windows Defender will send information to Microsoft about any problems it finds. Microsoft will analyze that information, learn more about problems affecting you and other customers, and offer improved solutions. | X | | | | |
+| [AllowEmailScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowemailscanning) | Allow or disallow scanning of email. | X | | | | |
+| [AllowFullScanOnMappedNetworkDrives](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanonmappednetworkdrives) | Allow or disallow a full scan of mapped network drives. | X | | | | |
+| [AllowFullScanRemovableDriveScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowfullscanremovabledrivescanning) | Allow or disallow a full scan of removable drives. | X | | | | |
+| [AllowIntrusionPreventionSystem](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowintrusionpreventionsystem) | Allow or disallow Windows Defender Intrusion Prevention functionality. | X | | | | |
+| [AllowIOAVProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowioavprotection) | Allow or disallow Windows Defender IOAVP Protection functionality. | X | | | | |
+| [AllowOnAccessProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowonaccessprotection) | Allow or disallow Windows Defender On Access Protection functionality.
| X | | | | |
+| [AllowRealtimeMonitoring](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowrealtimemonitoring) | Allow or disallow Windows Defender Realtime Monitoring functionality. | X | | | | |
+| [AllowScanningNetworkFiles](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscanningnetworkfiles) | Allow or disallow scanning of network files. | X | | | | |
+| [AllowScriptScanning](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowscriptscanning) | Allow or disallow Windows Defender Script Scanning functionality. | X | | | | |
+| [AllowUserUIAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-allowuseruiaccess) | Allow or disallow user access to the Windows Defender UI. | X | | | | |
+| [AvgCPULoadFactor](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-avgcpuloadfactor) | Represents the average CPU load factor for the Windows Defeder scan (in percent). | X | | | | |
+| [DaysToRetainCleanedMalware](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-daystoretaincleanedmalware) | Specify time period (in days) that quarantine items will be stored on the system. | X | | | | |
+| [ExcludedExtensions](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedextensions) | Specify a list of file type extensions to ignore durinng a scan. Separate each file type in the list by using \|. | X | | | | |
+| [ExcludedPaths](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) | Specify a list of directory paths to ignore during a scan. Separate each path in the list by using \|.
| X | | | | |
+| [ExcludedProcesses](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedprocesses) | Specify a list of files opened by processes to ignore durinng a scan. Separate each file type in the list by using \|. The process itself is not excluded from the scan, but can be excluded by using the [Defender/ExcludedPaths](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-excludedpaths) policy to exclude its path. | X | | | | |
+| [RealTimeScanDirection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-realtimescandirection) | Control which sets of files should be monitored. | X | | | | |
+| [ScanParameter](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-scanparameter) | Select whether to perform a quick scan or full scan. | X | | | | |
+| [ScheduleQuickScanTime](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulequickscantime) | Specify the time of day that Windows Defender quick scan should run. | X | | | | |
+| [ScheduleScanDay](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescanday) | Select the day that Windows Defender scan should run. | X | | | | |
+| [ScheduleScanTime](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-schedulescantime) | Select the time of day that the Windows Defender scan should run.
| X | | | | | +| [SignatureUpdateInterval](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-signatureupdateinterval) | Specify the interval (in hours) that will be used to check for signatures, so instead of using the ScheduleDay and ScheduleTime the check for new signatures will be set according to the interval. | X | | | | | +| [SubmitSamplesConsent](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-submitsamplesconsent) | Checks for the user consent level in Windows Defender to send data. | X | | | | | +| [ThreatSeverityDefaultAction](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#defender-threatseveritydefaultaction) | Specify any valid threat severity levels and the corresponding default action ID to take. | X | | | | | ## DeliveryOptimization | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [DOAbsoluteMaxCacheSize](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-doabsolutemaxcachesize) | Specify the maximum size in GB of Delivery Optimization cache. | X | | | | | -| [DOAllowVPNPeerCaching](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-doallowvpnpeercaching) | Specify whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. | X | | | | | -| [DODownloadMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dodownloadmode) | Specify the download method that Delivery Optimization can use in downloads of Windows Updates, apps, and app updates. 
| X | | | | | -| [DOGroupId](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupid) | Specify an arbitrary group ID that the device belongs to. | X | | | | | -| [DOMaxCacheAge](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcacheage) | Specify the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. | X | | | | | -| [DOMaxCacheSize](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcachesize) | Specify the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). | X | | | | | -| [DOMaxDownloadBandwidth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxdownloadbandwidth) | Specify the maximum download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. | X | | | | | -| [DOMaxUploadBandwidth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domaxuploadbandwidth) | Specify the maximum upload bandwidth in kilobytes/second that a device will use across all concurrent upload activity usinng Delivery Optimization. | X | | | | | -| [DOMinBackgroundQos](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominbackgroundqos) | Specify the minimum download QoS (Quality of Service or speed) i kilobytes/second for background downloads. 
| X | | | | | -| [DOMinBatteryPercentageAllowedToUpload](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominbatterypercentageallowedtoupload) | Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and group peers while on battery power. | X | | | | | -| [DOMinDiskSizeAllowedToPeer](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domindisksizeallowedtopeer) | Specify the required minimum disk size (capabity in GB) for the device to use Peer Caching. | X | | | | | -| [DOMinFileSizeToCache](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominfilesizetocache) | Specify the minimum content file size in MB enabled to use Peer Caching. | X | | | | | -| [DOMinRAMAllowedToPeer](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dominramallowedtopeer) | Specify the minimum RAM size in GB requried to use Peer Caching. | X | | | | | -| [DOModifyCacheDrive](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domodifycachedrive) | Specify the drive that Delivery Optimization should use for its cache. | X | | | | | -| [DOMonthlyUploadDataCap](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-domonthlyuploaddatacap) | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. 
| X | | | | | -| [DOPercentageMaxDownloadBandwidth](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxdownloadbandwidth) | Specify the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | | | | | +| [DOAbsoluteMaxCacheSize](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doabsolutemaxcachesize) | Specify the maximum size in GB of Delivery Optimization cache. | X | | | | | +| [DOAllowVPNPeerCaching](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-doallowvpnpeercaching) | Specify whether the device is allowed to participate in Peer Caching while connected via VPN to the domain network. | X | | | | | +| [DODelayBackgroundDownloadFromHttp](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelaybackgrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a background download that is allowed to use peer-to-peer. | X | | | | | +| [DODelayForegroundDownloadFromHttp](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization#deliveryoptimization-dodelayforegrounddownloadfromhttp) | Allows you to delay the use of an HTTP source in a foreground (interactive) download that is allowed to use peer-to-peer. | X | | | | | +| [DODownloadMode](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dodownloadmode) | Specify the download method that Delivery Optimization can use in downloads of Windows Updates, apps, and app updates. 
| X | | | | | +| [DOGroupId](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupid) | Specify an arbitrary group ID that the device belongs to. | X | | | | | +| [DOGroupIdSource](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dogroupidsource) | Set this policy to restrict peer selection to a specific source | X | | | | | +| [DOMaxCacheAge](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcacheage) | Specify the maximum time in seconds that each file is held in the Delivery Optimization cache after downloading successfully. | X | | | | | +| [DOMaxCacheSize](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxcachesize) | Specify the maximum cache size that Delivery Optimization can utilize, as a percentage of disk size (1-100). | X | | | | | +| [DOMaxDownloadBandwidth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxdownloadbandwidth) | Specify the maximum download bandwidth in kilobytes/second that the device can use across all concurrent download activities using Delivery Optimization. | X | | | | | +| [DOMaxUploadBandwidth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domaxuploadbandwidth) | Specify the maximum upload bandwidth in kilobytes/second that a device will use across all concurrent upload activity usinng Delivery Optimization. | X | | | | | +| [DOMinBackgroundQos](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbackgroundqos) | Specify the minimum download QoS (Quality of Service or speed) i kilobytes/second for background downloads. 
| X | | | | | +| [DOMinBatteryPercentageAllowedToUpload](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominbatterypercentageallowedtoupload) | Specify any value between 1 and 100 (in percentage) to allow the device to upload data to LAN and group peers while on battery power. | X | | | | | +| [DOMinDiskSizeAllowedToPeer](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domindisksizeallowedtopeer) | Specify the required minimum disk size (capabity in GB) for the device to use Peer Caching. | X | | | | | +| [DOMinFileSizeToCache](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominfilesizetocache) | Specify the minimum content file size in MB enabled to use Peer Caching. | X | | | | | +| [DOMinRAMAllowedToPeer](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dominramallowedtopeer) | Specify the minimum RAM size in GB requried to use Peer Caching. | X | | | | | +| [DOModifyCacheDrive](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domodifycachedrive) | Specify the drive that Delivery Optimization should use for its cache. | X | | | | | +| [DOMonthlyUploadDataCap](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-domonthlyuploaddatacap) | Specify the maximum total bytes in GB that Delivery Optimization is allowed to upload to Internet peers in each calendar month. 
| X | | | | | +| [DOPercentageMaxBackDownloadBandwidth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxbackgroundbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | | | | | +| [DOPercentageMaxDownloadBandwidth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxdownloadbandwidth) | Specify the maximum download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | | | | | +| [DOPercentageMaxForeDownloadBandwidth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dopercentagemaxforegroundbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses across all concurrent download activities as a percentage of available download bandwidth. | X | | | | | +| [DORestrictPeerSelectionBy](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dorestrictpeerselectionby) | Set this policy to restrict peer selection by the selected option. | X | | | | | +| [DOSetHoursToLimitBackgroundDownloadBandwidth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitbackgrounddownloadbandwidth) | Specify the maximum background download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. 
| X | | | | | +| [DOSetHoursToLimitForegroundDownloadBandwidth](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#deliveryoptimization-dosethourstolimitforegrounddownloadbandwidth) | Specify the maximum foreground download bandwidth that Delivery Optimization uses during and outside business hours across all concurrent download activities as a percentage of available download bandwidth. | X | | | | | ## DeviceGuard 
@@ -225,18 +255,18 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowIdleReturnWithoutPassword](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-allowidlereturnwithoutpassword) | Specify whether the user must input a PIN or password when the device resumes from an idle state. | | X | | | | -| [AllowScreenTimeoutWhileLockedUserConfig](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-allowscreentimeoutwhilelockeduserconfig) | Specify whether to show a user-configurable setting to control the screen timeout while on the lock screen. | | X | | | | -| [AllowSimpleDevicePassword](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-allowsimpledevicepassword) | Specify whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. | X | X | | X | | -|[AlphanumericDevicePasswordRequired](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-alphanumericdevicepasswordrequired) | Select the type of PIN or password required. | X | X | | X | | -| [DevicePasswordEnabled](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordenabled) | Specify whether device password is enabled. | X | X | | X | | -| [DevicePasswordExpiration](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordexpiration) | Specify when the password expires (in days). 
| X | X | | X | | -| [DevicePasswordHistory](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-devicepasswordhistory) | Specify how many passwords can be stored in the history that can't be reused. | X | X | | X | | -| [MaxDevicePasswordFailedAttempts](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-maxdevicepasswordfailedattempts) | Specify the number of authentication failures allowed before the device will be wiped. | X | X | | X | | -| [MaxInactivityTimeDeviceLock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-maxinactivitytimedevicelock) |Specify the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. | X | X | | X | | -| [MinDevicePasswordComplexCharacters](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordcomplexcharacters) | Specify the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. | X | X | | X | | -| [MinDevicePasswordLength](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordlength) | Specify the minimum number or characters required in the PIN or password. | X | X | | X | | -| [ScreenTimeoutWhileLocked](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#devicelock-screentimeoutwhilelocked) | Specify the duration in seconds for the screen timeout while on the lock screen. 
| | X | | | | +| [AllowIdleReturnWithoutPassword](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowidlereturnwithoutpassword) | Specify whether the user must input a PIN or password when the device resumes from an idle state. | | X | | | | +| [AllowScreenTimeoutWhileLockedUserConfig](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowscreentimeoutwhilelockeduserconfig) | Specify whether to show a user-configurable setting to control the screen timeout while on the lock screen. | | X | | | | +| [AllowSimpleDevicePassword](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-allowsimpledevicepassword) | Specify whether PINs or passwords such as "1111" or "1234" are allowed. For the desktop, it also controls the use of picture passwords. | X | X | | X | | +|[AlphanumericDevicePasswordRequired](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-alphanumericdevicepasswordrequired) | Select the type of PIN or password required. | X | X | | X | | +| [DevicePasswordEnabled](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordenabled) | Specify whether device password is enabled. | X | X | | X | | +| [DevicePasswordExpiration](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordexpiration) | Specify when the password expires (in days). | X | X | | X | | +| [DevicePasswordHistory](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-devicepasswordhistory) | Specify how many passwords can be stored in the history that can't be reused. 
| X | X | | X | | +| [MaxDevicePasswordFailedAttempts](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxdevicepasswordfailedattempts) | Specify the number of authentication failures allowed before the device will be wiped. | X | X | | X | | +| [MaxInactivityTimeDeviceLock](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-maxinactivitytimedevicelock) |Specify the maximum amount of time (in minutes) allowed after the device is idle that will cause the device to become PIN or password locked. | X | X | | X | | +| [MinDevicePasswordComplexCharacters](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordcomplexcharacters) | Specify the number of complex element types (uppercase and lowercase letters, numbers, and punctuation) required for a strong PIN or password. | X | X | | X | | +| [MinDevicePasswordLength](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-mindevicepasswordlength) | Specify the minimum number or characters required in the PIN or password. | X | X | | X | | +| [ScreenTimeoutWhileLocked](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#devicelock-screentimeoutwhilelocked) | Specify the duration in seconds for the screen timeout while on the lock screen. | | X | | | | ## DeviceManagement 
@@ -251,24 +281,24 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowCopyPaste](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcopypaste) | Specify whether copy and paste is allowed. | | X | | | | -| [AllowCortana](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowcortana) | Specify whether Cortana is allowed on the device. | X | X | | X | | -| [AllowDeviceDiscovery](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowdevicediscovery) | Allow users to turn device discovery on or off in the UI. | X | X | | | | -| [AllowFindMyDevice](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowfindmydevice) | Turn on **Find my device** feature. | X | X | | | | -| [AllowManualMDMUnenrollment](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. | X | X | | X | | -| [AllowScreenCapture](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowscreencapture) | Specify whether screen capture is allowed. | | X | | | | -| [AllowSIMErrorDialogPromptWhenNoSIM](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowsimerrordialogpromptwhennosim) | Specify whether to display a dialog prompt when no SIM card is detected. 
| | X | | | | -| [AllowSyncMySettings](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | X | X | | | | -| [AllowTailoredExperiencesWithDiagnosticData](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowtailoredexperienceswithdiagnosticdata) | Prevent Windows from using diagnostic data to provide customized experiences to the user. | X | | | | | -| [AllowTaskSwitcher](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowtaskswitcher) | Allow or disallow task switching on the device. | | X | | | | -| [AllowThirdPartySuggestionsInWindowsSpotlight](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowthirdpartysuggestionsinwindowsspotlight) | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight. | X | | | | | -| [AllowVoiceRecording](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowvoicerecording) | Specify whether voice recording is allowed for apps. | | X | | | | +| [AllowCopyPaste](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcopypaste) | Specify whether copy and paste is allowed. | | X | | | | +| [AllowCortana](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowcortana) | Specify whether Cortana is allowed on the device. 
| X | X | | X | | +| [AllowDeviceDiscovery](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowdevicediscovery) | Allow users to turn device discovery on or off in the UI. | X | X | | | | +| [AllowFindMyDevice](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowfindmydevice) | Turn on **Find my device** feature. | X | X | | | | +| [AllowManualMDMUnenrollment](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowmanualmdmunenrollment) | Specify whether the user is allowed to delete the workplace account. | X | X | | X | | +| [AllowScreenCapture](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowscreencapture) | Specify whether screen capture is allowed. | | X | | | | +| [AllowSIMErrorDialogPromptWhenNoSIM](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsimerrordialogpromptwhennosim) | Specify whether to display a dialog prompt when no SIM card is detected. | | X | | | | +| [AllowSyncMySettings](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowsyncmysettings) | Allow or disallow all Windows sync settings on the device. | X | X | | | | +| [AllowTailoredExperiencesWithDiagnosticData](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtailoredexperienceswithdiagnosticdata) | Prevent Windows from using diagnostic data to provide customized experiences to the user. | X | | | | | +| [AllowTaskSwitcher](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowtaskswitcher) | Allow or disallow task switching on the device. 
| | X | | | | +| [AllowThirdPartySuggestionsInWindowsSpotlight](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowthirdpartysuggestionsinwindowsspotlight) | Specify whether to allow app and content suggestions from third-party software publishers in Windows Spotlight. | X | | | | | +| [AllowVoiceRecording](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowvoicerecording) | Specify whether voice recording is allowed for apps. | | X | | | | | [AllowWindowsConsumerFeatures](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-experience#experience-allowwindowsconsumerfeatures) | Turn on experiences that are typically for consumers only, such as Start suggetions, membership notifications, post-OOBE app install, and redirect tiles. | X | | | | | -| [AllowWindowsSpotlight](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlight) |Specify whether to turn off all Windows Spotlight features at once. | X | | | | | -| [AllowWindowsSpotlightOnActionCenter](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightonactioncenter) | Prevent Windows Spotlight notifications from being displayed in the Action Center. | X | | | | | -| [AllowWindowsSpotlightWindowsWelcomeExperience](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightwindowswelcomeexperience) | Turn off the Windows Spotlight Windows welcome experience feature. | X | | | | | -| [AllowWindowsTips](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-allowwindowstips) | Enable or disable Windows Tips. 
| X | | | | | -| [ConfigureWindowsSpotlightOnLockScreen](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#experience-configurewindowsspotlightonlockscreen) | Specify whether Spotlight should be used on the user's lock screen. | X | | | | | +| [AllowWindowsSpotlight](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlight) |Specify whether to turn off all Windows Spotlight features at once. | X | | | | | +| [AllowWindowsSpotlightOnActionCenter](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightonactioncenter) | Prevent Windows Spotlight notifications from being displayed in the Action Center. | X | | | | | +| [AllowWindowsSpotlightWindowsWelcomeExperience](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowsspotlightwindowswelcomeexperience) | Turn off the Windows Spotlight Windows welcome experience feature. | X | | | | | +| [AllowWindowsTips](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-allowwindowstips) | Enable or disable Windows Tips. | X | | | | | +| [ConfigureWindowsSpotlightOnLockScreen](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#experience-configurewindowsspotlightonlockscreen) | Specify whether Spotlight should be used on the user's lock screen. | X | | | | | ## ExploitGuard 
@@ -281,7 +311,7 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAdvancedGamingServices](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#games-allowadvancedgamingservices) | Currently not supported. | X | | | | | +| [AllowAdvancedGamingServices](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#games-allowadvancedgamingservices) | Currently not supported. | X | | | | | ## KioskBrowser 
@@ -293,6 +323,7 @@ These settings apply to the **Kiosk Browser** app available in Microsoft Store.
 [BlockedUrlExceptions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurlexceptions) | List of exceptions to the blocked website URLs (with wildcard support). This is used to configure URLs kiosk browsers are allowed to navigate to, which are a subset of the blocked URLs. | X | | | | |
 [BlockedUrls](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-blockedurls) | List of blocked website URLs (with wildcard support). This is used to configure blocked URLs kiosk browsers cannot navigate to. | X | | | | |
 [DefaultURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-defaulturl) | Configures the default URL kiosk browsers to navigate on launch and restart. | X | | | | |
+[EnableEndSessionButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enableendsessionbutton) | Enable/disable kiosk browser's end session button. | X | | | | |
 [EnableHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablehomebutton) | Enable/disable kiosk browser's home button. | X | | | | |
 [EnableNavigationButtons](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-enablenavigationbuttons) | Enable/disable kiosk browser's navigation buttons (forward/back). | X | | | | |
 [RestartOnIdleTime](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser#kioskbrowser-restartonidletime) | Amount of time in minutes the session is idle until the kiosk browser restarts in a fresh state. The value is an int 1-1440 that specifies the amount of minutes the session is idle until the kiosk browser restarts in a fresh state. 
The default value is empty which means there is no idle timeout within the kiosk browser. | X | | | | | 
@@ -310,15 +341,15 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in
 | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
 | --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [EnableLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#location-enablelocation) | Configure whether the Location Service's Device Switch is enabled or disabled for the device. | X | X | | | |
+| [EnableLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#location-enablelocation) | Configure whether the Location Service's Device Switch is enabled or disabled for the device. | X | X | | | |
 ## Privacy
 | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
 | --- | --- | :---: | :---: | :---: | :---: | :---: |
-| [AllowAutoAcceptPairingAndPrivacyConsentPrompts](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-allowautoacceptpairingandprivacyconsentprompts) | Allow or disallow the automatic acceptance of the pairing and privacy user consent dialog boxes when launching apps. | | X | | | |
-| [AllowInputPersonalization](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#privacy-allowinputpersonalization) | Allow the use of cloud-based speech services for Cortana, dictation, or Store apps. | X | X | | X | |
+| [AllowAutoAcceptPairingAndPrivacyConsentPrompts](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowautoacceptpairingandprivacyconsentprompts) | Allow or disallow the automatic acceptance of the pairing and privacy user consent dialog boxes when launching apps. 
| | X | | | |
+| [AllowInputPersonalization](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#privacy-allowinputpersonalization) | Allow the use of cloud-based speech services for Cortana, dictation, or Store apps. | X | X | | X | |
 ## Search
@@ -327,16 +358,17 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in
 | --- | --- | :---: | :---: | :---: | :---: | :---: |
 [AllowCloudSearch](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-search#search-allowcloudsearch) | Allow search and Cortana to search cloud sources like OneDrive and SharePoint. T | X | X | | | |
 [AllowCortanaInAAD](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-search#search-allowcortanainaad) | This specifies whether the Cortana consent page can appear in the Azure Active Directory (AAD) device out-of-box-experience (OOBE) flow. | X | | | | |
-| [AllowIndexingEncryptedStoresOrItems](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-allowindexingencryptedstoresoritems) | Allow or disallow the indexing of items. | X | X | | | |
-| [AllowSearchToUseLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-allowsearchtouselocation) | Specify whether search can use location information. | X | X | | X | |
-| [AllowUsingDiacritics](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-allowusingdiacritics) | Allow the use of diacritics. | X | X | | | |
+| [AllowIndexingEncryptedStoresOrItems](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-allowindexingencryptedstoresoritems) | Allow or disallow the indexing of items. | X | X | | | |
+| [AllowSearchToUseLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-allowsearchtouselocation) | Specify whether search can use location information. 
| X | X | | X | |
+| [AllowUsingDiacritics](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-allowusingdiacritics) | Allow the use of diacritics. | X | X | | | |
 | [AllowWindowsIndexer](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-search#search-allowwindowsindexer) | The indexer provides fast file, email, and web history search for apps and system components including Cortana, Outlook, file explorer, and Edge. To do this, it requires access to the file system and app data stores such as Outlook OST files.

      - **Off** setting disables Windows indexer
      - **EnterpriseSecure** setting stops the indexer from indexing encrypted files or stores, and is recommended for enterprises using Windows Information Protection (WIP)
      - **Enterprise** setting reduces potential network loads for enterprises
      - **Standard** setting is appropriate for consuemrs | X | X | | | | -| [AlwaysUseAutoLangDetection](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-alwaysuseautolangdetection) | Specify whether to always use automatic language detection when indexing content and properties. | X | X | | | | -| [DisableBackoff](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-disablebackoff) | If enabled, the search indexer backoff feature will be disabled. | X | X | | | | -| [DisableRemovableDriveIndexing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-disableremovabledriveindexing) | Configure whether locations on removable drives can be added to libraries. | X | X | | | | -| [PreventIndexingLowDiskSpaceMB](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-preventindexinglowdiskspacemb) | Prevent indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. | X | X | | | | -| [PreventRemoteQueries](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-preventremotequeries) | If enabled, clients will be unable to query this device's index remotely. | X | X | | | | -| [SafeSearchPermissions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#search-safesearchpermissions) | Specify the level of safe search (filtering adult content) required. | | X | | | | +| [AlwaysUseAutoLangDetection](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-alwaysuseautolangdetection) | Specify whether to always use automatic language detection when indexing content and properties. 
| X | X | | | | +| [DoNotUseWebResults](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-donotusewebresults) | Specify whether to allow Search to perform queries on the web. | X | X | | | | +| [DisableBackoff](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-disablebackoff) | If enabled, the search indexer backoff feature will be disabled. | X | X | | | | +| [DisableRemovableDriveIndexing](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-disableremovabledriveindexing) | Configure whether locations on removable drives can be added to libraries. | X | X | | | | +| [PreventIndexingLowDiskSpaceMB](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-preventindexinglowdiskspacemb) | Prevent indexing from continuing after less than the specified amount of hard drive space is left on the same drive as the index location. | X | X | | | | +| [PreventRemoteQueries](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-preventremotequeries) | If enabled, clients will be unable to query this device's index remotely. | X | X | | | | +| [SafeSearchPermissions](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#search-safesearchpermissions) | Specify the level of safe search (filtering adult content) required. | | X | | | | 
@@ -344,22 +376,22 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAddProvisioningPackage](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-allowaddprovisioningpackage) | Specify whether to allow installation of provisioning packages. | X | X | X | | X | -| [AllowManualRootCertificateInstallation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-allowmanualrootcertificateinstallation) | Specify whether the user is allowed to manually install root and intermediate CA certificates. | | X | | | | -| [AllowRemoveProvisioningPackage](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-allowremoveprovisioningpackage) | Specify whether removal of provisioning packages is allowed. | X | X | X | | X | -| [AntiTheftMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-antitheftmode) | Allow or disallow Anti Theft Mode on the device. | | X | | | | -| [RequireDeviceEncryption](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-requiredeviceencryption) | Specify whether encryption is required. | X | X | X | X | X | -| [RequireProvisioningPackageSignature](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-requireprovisioningpackagesignature) | Specify whether provisioning packages must have a certificate signed by a device-trusted authority. 
| X | X | X | | X | -| [RequireRetrieveHealthCertificateOnBoot](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#security-requireretrievehealthcertificateonboot) | Specify whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service when a device boots or reboots. | X | X | | | | +| [AllowAddProvisioningPackage](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#security-allowaddprovisioningpackage) | Specify whether to allow installation of provisioning packages. | X | X | X | | X | +| [AllowManualRootCertificateInstallation](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#security-allowmanualrootcertificateinstallation) | Specify whether the user is allowed to manually install root and intermediate CA certificates. | | X | | | | +| [AllowRemoveProvisioningPackage](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#security-allowremoveprovisioningpackage) | Specify whether removal of provisioning packages is allowed. | X | X | X | | X | +| [AntiTheftMode](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#security-antitheftmode) | Allow or disallow Anti Theft Mode on the device. | | X | | | | +| [RequireDeviceEncryption](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#security-requiredeviceencryption) | Specify whether encryption is required. | X | X | X | X | X | +| [RequireProvisioningPackageSignature](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#security-requireprovisioningpackagesignature) | Specify whether provisioning packages must have a certificate signed by a device-trusted authority. 
| X | X | X | | X | +| [RequireRetrieveHealthCertificateOnBoot](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#security-requireretrievehealthcertificateonboot) | Specify whether to retrieve and post TCG Boot logs, and get or cache an encrypted or signed Health Attestation Report from the Microsoft Health Attestation Service when a device boots or reboots. | X | X | | | | ## Settings | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAutoPlay](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowautoplay) | Allow the user to change AutoPlay settings. | | X | | | | -| [AllowDataSense](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowdatasense) | Allow the user to change Data Sense settings. | | X | | | | -| [AllowVPN](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | X | | X | | -| [ConfigureTaskbarCalendar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | X | | | | | +| [AllowAutoPlay](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#settings-allowautoplay) | Allow the user to change AutoPlay settings. | | X | | | | +| [AllowDataSense](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#settings-allowdatasense) | Allow the user to change Data Sense settings. 
| | X | | | | +| [AllowVPN](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#settings-allowvpn) | Allow the user to change VPN settings. | | X | | X | | +| [ConfigureTaskbarCalendar](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#settings-configuretaskbarcalendar) | Configure the default setting for showing additional calendars (besides the default calendar for the locale) in the taskbar clock and calendar flyout. | X | | | | | [PageVisiblityList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-settings#settings-pagevisibilitylist) | Allows IT admins to prevent specific pages in the System Settings app from being visible or accessible. Pages are identified by a shortened version of their already [published URIs](https://docs.microsoft.com/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference), which is the URI minus the "ms-settings:" prefix. For example, if the URI for a settings page is "ms-settings:foo", the page identifier used in the policy will be just "foo". Multiple page identifiers are separated by semicolons. | X | | | | | ## Start 
@@ -377,40 +409,42 @@ To configure multiple URLs for **Blocked URL Exceptions** or **Blocked URLs** in | [AllowPinnedFolderSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings) | Control the visibility of the Settings shortcut on the Start menu. | X | | | | | | [AllowPinnedFolderVideos](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos) |Control the visibility of the Videos shortcut on the Start menu. | X | | | | | DisableContextMenus | Prevent context menus from being invoked in the Start menu. | X | | | | | -| [ForceStartSize](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | X | | | | | -| [HideAppList](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list. | X | | | | | -| [HideChangeAccountSettings](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | X | | | | | -| [HideFrequentlyUsedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps) | Hide **Most used** section of Start. | X | | | | | -| [HideHibernate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidehibernate) | Prevent **Hibernate** option from appearing in the Power button. | X | | | | | -| [HideLock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidelock) | Prevent **Lock** from appearing in the user tile. 
| X | | | | | +| [ForceStartSize](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-forcestartsize) | Force the size of the Start screen. | X | | | | | +| [HideAppList](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hideapplist) | Collapse or remove the all apps list. | X | | | | | +| [HideChangeAccountSettings](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hidechangeaccountsettings) | Hide **Change account settings** from appearing in the user tile. | X | | | | | +| [HideFrequentlyUsedApps](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hidefrequentlyusedapps) | Hide **Most used** section of Start. | X | | | | | +| [HideHibernate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hidehibernate) | Prevent **Hibernate** option from appearing in the Power button. | X | | | | | +| [HideLock](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hidelock) | Prevent **Lock** from appearing in the user tile. | X | | | | | | HidePeopleBar | Remove the people icon from the taskbar, as well as the corresponding settings toggle. It also prevents users from pinning people to the taskbar. | X | | | | | -| [HidePowerButton](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidepowerbutton) | Hide the **Power** button. | X | | | | | -| [HideRecentJumplists](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentjumplists) | Hide jumplists of recently opened items. 
| X | | | | | -| [HideRecentlyAddedApps](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps) | Hide **Recently added** section of Start. | X | | | | | -| [HideRestart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hiderestart) | Prevent **Restart** and **Update and restart** from appearing in the Power button. | X | | | | | -| [HideShutDown](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideshutdown) | Prevent **Shut down** and **Update and shut down** from appearing in the Power button. | X | | | | | -| [HideSignOut](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesignout) | Prevent **Sign out** from appearing in the user tile. | X | | | | | -| [HideSleep](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hidesleep) | Prevent **Sleep** from appearing in the Power button. | X | | | | | -| [HideSwitchAccount](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideswitchaccount) | Prevent **Switch account** from appearing in the user tile. | X | | | | | -| [HideUserTile](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-hideusertile) | Hide the user tile. | X | | | | | -| [ImportEdgeAssets](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-importedgeassets) | Import Edge assets for secondary tiles. For more information, see [Add image for secondary Microsoft Edge tiles](https://docs.microsoft.com/windows/configuration/start-secondary-tiles). 
| X | | | | | -| [NoPinningToTaskbar](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-nopinningtotaskbar) | Prevent users from pinning and unpinning apps on the taskbar. | X | | | | | -| [StartLayout](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#start-startlayout) | Apply a custom Start layout. For more information, see [Customize Windows 10 Start and taskbar with provisioning packages](https://docs.microsoft.com/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd) | X | | | | | +| [HidePowerButton](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hidepowerbutton) | Hide the **Power** button. | X | | | | | +| [HideRecentJumplists](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentjumplists) | Hide jumplists of recently opened items. | X | | | | | +| [HideRecentlyAddedApps](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hiderecentlyaddedapps) | Hide **Recently added** section of Start. | X | | | | | +| [HideRestart](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hiderestart) | Prevent **Restart** and **Update and restart** from appearing in the Power button. | X | | | | | +| [HideShutDown](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hideshutdown) | Prevent **Shut down** and **Update and shut down** from appearing in the Power button. | X | | | | | +| [HideSignOut](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hidesignout) | Prevent **Sign out** from appearing in the user tile. 
| X | | | | | +| [HideSleep](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hidesleep) | Prevent **Sleep** from appearing in the Power button. | X | | | | | +| [HideSwitchAccount](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hideswitchaccount) | Prevent **Switch account** from appearing in the user tile. | X | | | | | +| [HideUserTile](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-hideusertile) | Hide the user tile. | X | | | | | +| [ImportEdgeAssets](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-importedgeassets) | Import Edge assets for secondary tiles. For more information, see [Add image for secondary Microsoft Edge tiles](https://docs.microsoft.com/windows/configuration/start-secondary-tiles). | X | | | | | +| [NoPinningToTaskbar](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-nopinningtotaskbar) | Prevent users from pinning and unpinning apps on the taskbar. | X | | | | | +| [StartLayout](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#start-startlayout) | Apply a custom Start layout. For more information, see [Customize Windows 10 Start and taskbar with provisioning packages](https://docs.microsoft.com/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd) | X | | | | | ## System | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowBuildPreview](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowbuildpreview) | Specify whether users can access the Insider build controls in the **Advanced Options** for Windows Update. 
| X | X | | | | -| [AllowEmbeddedMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowembeddedmode) | Specify whether to set general purpose device to be in embedded mode. | X | X | X | | X | -| [AllowExperimentation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowexperimentation) | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | X | X | | | | -| [AllowLocation](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowlocation) | Specify whether to allow app access to the Location service. | X | X | X | X | X | -| [AllowStorageCard](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowstoragecard) | Specify whether the user is allowed to use the storage card for device storage. | X | X | X | | X | -| [AllowTelemetry](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and usage data. | X | X | | X | | -| [AllowUserToResetPhone](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | X | X | | | | +| [AllowBuildPreview](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-allowbuildpreview) | Specify whether users can access the Insider build controls in the **Advanced Options** for Windows Update. | X | X | | | | +| [AllowEmbeddedMode](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-allowembeddedmode) | Specify whether to set general purpose device to be in embedded mode. 
| X | X | X | | X | +| [AllowExperimentation](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-allowexperimentation) | Determine the level that Microsoft can experiment with the product to study user preferences or device behavior. | X | X | | | | +| [AllowLocation](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-allowlocation) | Specify whether to allow app access to the Location service. | X | X | X | X | X | +| [AllowStorageCard](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-allowstoragecard) | Specify whether the user is allowed to use the storage card for device storage. | X | X | X | | X | +| [AllowTelemetry](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-allowtelemetry) | Allow the device to send diagnostic and usage data. | X | X | | X | | +| [AllowUserToResetPhone](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-allowusertoresetphone) | Allow the user to factory reset the phone. | X | X | | | | ConfigureTelemetryOptInChangeNotification | This policy setting determines whether a device shows notifications about telemetry levels to people on first sign-in or when changes occur in Settings. | X | X | | | | ConfigureTelemetryOptInSettingsUx | This policy setting determines whether people can change their own telemetry levels in Settings | X | X | | | | -| [DisableOneDriveFileSync](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | X | | | | | +| DisableDeviceDelete | Specify whether the delete diagnostic data is enabled in the Diagnostic & Feedback Settings page. 
| X | X | | | | +| DisableDataDiagnosticViewer | Configure whether users can enable and launch the Diagnostic Data Viewer from the Diagnostic & Feedback Settings page. | X | X | | | | +| [DisableOneDriveFileSync](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#system-disableonedrivefilesync) | Prevent apps and features from working with files on OneDrive. | X | | | | | | [LimitEnhancedDiagnosticDataWindowsAnalytics](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics) | This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. To enable this behavior you must enable this policy setting, and set Allow Telemetry to level 2 (Enhanced). When you configure these policy settings, a basic level of diagnostic data plus additional events that are required for Windows Analytics are sent to Microsoft. These events are documented in [Windows 10, version 1703 basic level Windows diagnostic events and fields](https://go.microsoft.com/fwlink/?linkid=847594). Enabling enhanced diagnostic data in the System/AllowTelemetry policy in combination with not configuring this policy will also send the required events for Windows Analytics, plus additional enhanced level diagnostic data. This setting has no effect on computers configured to send full, basic or security level diagnostic data to Microsoft. If you disable or do not configure this policy setting, then the level of diagnostic data sent to Microsoft is determined by the System/AllowTelemetry policy. | X | X | | | | 
@@ -418,98 +452,106 @@ ConfigureTelemetryOptInSettingsUx | This policy setting determines whether peopl | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowIMELogging](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowimelogging) | Allow the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. | X | | | | | -| [AllowIMENetworkAccess](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowimenetworkaccess) | Allow the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. | X | | | | | -| [AllowInputPanel](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowinputpanel) | Disable the touch/handwriting keyboard. | X | | | | | -| [AllowJapaneseIMESurrogatePairCharacters](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapaneseimesurrogatepaircharacters) | Allow the Japanese IME surrogate pair characters. | X | | | | | -| [AllowJapaneseIVSCharacters](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapaneseivscharacters) | Allow Japanese Ideographic Variation Sequence (IVS) characters. | X | | | | | -| [AllJapaneseNonPublishingStandardGlyph](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapanesenonpublishingstandardglyph) | All the Japanese non-publishing standard glyph. 
| X | | | | | -| [AllowJapaneseUserDictionary](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowjapaneseuserdictionary) | Allow the Japanese user dictionary. | X | | | | | -| [AllowKeyboardTextSuggestions](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowkeyboardtextsuggestions) | Specify whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. | X | | | | | -| [AllowLanguageFeaturesUninstall](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-allowlanguagefeaturesuninstall) | All language features to be uninstalled. | X | | | | | -| AllowUserInputsFromMiracastRecevier | Do not use. Instead, use [WirelessDisplay](#wirelessdisplay)/[AllowUserInputFromWirelessDisplayReceiver](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | | | | | | -| [ExcludeJapaneseIMEExceptISO208](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | | -| [ExcludeJapaneseIMEExceptISO208andEUDC](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208andeudc) | Allow users to restrict character code range of conversion by setting the character filter. 
| X | | | | | -| [ExcludeJapaneseIMEExceptShiftJIS](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptshiftjis) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | | +| [AllowIMELogging](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimelogging) | Allow the user to turn on and off the logging for incorrect conversion and saving auto-tuning result to a file and history-based predictive input. | X | | | | | +| [AllowIMENetworkAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowimenetworkaccess) | Allow the user to turn on Open Extended Dictionary, Internet search integration, or cloud candidate features to provide input suggestions that do not exist in the device's local dictionary. | X | | | | | +| [AllowInputPanel](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowinputpanel) | Disable the touch/handwriting keyboard. | X | | | | | +| [AllowJapaneseIMESurrogatePairCharacters](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseimesurrogatepaircharacters) | Allow the Japanese IME surrogate pair characters. | X | | | | | +| [AllowJapaneseIVSCharacters](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseivscharacters) | Allow Japanese Ideographic Variation Sequence (IVS) characters. | X | | | | | +| [AllJapaneseNonPublishingStandardGlyph](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapanesenonpublishingstandardglyph) | All the Japanese non-publishing standard glyph. 
| X | | | | | +| [AllowJapaneseUserDictionary](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowjapaneseuserdictionary) | Allow the Japanese user dictionary. | X | | | | | +| [AllowKeyboardTextSuggestions](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowkeyboardtextsuggestions) | Specify whether text prediction is enabled or disabled for the on-screen keyboard, touch keyboard, and handwriting recognition tool. | X | | | | | +| [AllowLanguageFeaturesUninstall](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-allowlanguagefeaturesuninstall) | All language features to be uninstalled. | X | | | | | +| AllowUserInputsFromMiracastRecevier | Do not use. Instead, use [WirelessDisplay](#wirelessdisplay)/[AllowUserInputFromWirelessDisplayReceiver](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | | | | | | +| [ExcludeJapaneseIMEExceptISO208](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | | +| [ExcludeJapaneseIMEExceptISO208andEUDC](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptjis0208andeudc) | Allow users to restrict character code range of conversion by setting the character filter. | X | | | | | +| [ExcludeJapaneseIMEExceptShiftJIS](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#textinput-excludejapaneseimeexceptshiftjis) | Allow users to restrict character code range of conversion by setting the character filter. 
| X | | | | | ## TimeLanguageSettings | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowSet24HourClock](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#timelanguagesettings-allowset24hourclock) | Configure the default clock setting to be the 24 hour format. | | X | | | | +| [AllowSet24HourClock](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#timelanguagesettings-allowset24hourclock) | Configure the default clock setting to be the 24 hour format. | | X | | | | ## Update | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [ActiveHoursEnd](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | X | X | X | | X | -| [ActiveHoursMaxRange](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | X | X | X | | X | -| [ActiveHoursStart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | X | X | X | | X | -| [AllowAutoUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. 
| X | X | X | X | X | +| [ActiveHoursEnd](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursend) | Use with **Update/ActiveHoursStart** to manage the range of active hours where update rboots are not scheduled. | X | X | X | | X | +| [ActiveHoursMaxRange](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursmaxrange) | Specify the maximum active hours range. | X | X | X | | X | +| [ActiveHoursStart](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-activehoursstart) | Use with **Update/ActiveHoursEnd** to manage the range of active hours where update reboots are not scheduled. | X | X | X | | X | +| [AllowAutoUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-allowautoupdate) | Configure automatic update behavior to scan, download, and install updates. | X | X | X | X | X | | [AllowAutoWindowsUpdateDownloadOverMeteredNetwork](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-allowautowindowsupdatedownloadovermeterednetwork)| Option to download updates automatically over metered connections (off by default). Enter `0` for not allowed, or `1` for allowed. | X | X | X | | X | -| [AllowMUUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | X | X | X | X | X | -| [AllowNonMicrosoftSignedUpdate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. 
| X | X | X | | X | -| [AllowUpdateService](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. | X | X | X | X | X | +| [AllowMUUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-allowmuupdateservice) | Manage whether to scan for app updates from Microsoft Update. | X | X | X | X | X | +| [AllowNonMicrosoftSignedUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-allownonmicrosoftsignedupdate) | Manage whether Automatic Updates accepts updates signed by entities other than Microsoft when the update is found at the UpdateServiceUrl location. | X | X | X | | X | +| [AllowUpdateService](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-allowupdateservice) | Specify whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store. | X | X | X | X | X | | [AutoRestartDeadlinePeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindays) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | | X | -| [AutoRestartNotificationSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. 
| X | X | X | | X | -| [AutoRestartRequiredNotificationDismissal](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. | X | X | X | | X | -| [BranchReadinessLevel](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | X | X | X | X | X | -| [DeferFeatureUpdatesPeriodInDays](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | X | X | X | | X | -| [DeferQualityUpdatesPeriodInDays](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | X | X | X | | X | +| [AutoRestartDeadlinePeriodInDaysForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-autorestartdeadlineperiodindaysforfeatureupdates) | Specify number of days (between 2 and 30) after which a forced restart will occur outside of active hours when restart is pending. | X | X | X | | X | +| [AutoRestartNotificationSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartnotificationschedule) | Specify the period for auto-restart reminder notifications. | X | X | X | | X | +| [AutoRestartRequiredNotificationDismissal](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-autorestartrequirednotificationdismissal) | Specify the method by which the auto-restart required notification is dismissed. 
| X | X | X | | X | +| [BranchReadinessLevel](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-branchreadinesslevel) | Select which branch a device receives their updates from. | X | X | X | X | X | +| [DeferFeatureUpdatesPeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-deferfeatureupdatesperiodindays) | Defer Feature Updates for the specified number of days. | X | X | X | | X | +| [DeferQualityUpdatesPeriodInDays](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-deferqualityupdatesperiodindays) | Defer Quality Updates for the specified number of days. | X | X | X | | X | | [DeferUpdatePeriod](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferupdateperiod) | Specify update delays for up to 4 weeks. | X | X | X | X | X | | [DeferUpgradePeriod](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-deferupgradeperiod) |Specify upgrade delays for up to 8 months. | X | X | X | X | X | -| [DetectionFrequency](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | X | X | X | X | X | +| [DetectionFrequency](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-detectionfrequency) | Specify the frequency to scan for updates, from every 1-22 hours. | X | X | X | X | X | | [DisableDualScan](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-disabledualscan) | Do not allow update deferral policies to cause scans against Windows Update. 
| X | X | X | | X | -| [EngagedRestartDeadline](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | | X | -| [EngagedRestartSnoozeSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | X | X | X | | X | -| [EngagedRestartTransitionSchedule](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | | X | -| [FillEmptyContentUrls](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | X | X | X | | X | +| [EngagedRestartDeadline](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadline) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. | X | X | X | | X | +| [EngagedRestartDeadlineForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartdeadlineforfeatureupdates) | Specify the deadline in days before automatically scheduling and executing a pending restart outside of active hours. 
| X | X | X | | X | +| [EngagedRestartSnoozeSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozeschedule) | Specify the number of days a user can snooze Engaged restart reminder notifications. | X | X | X | | X | +| [EngagedRestartSnoozeScheduleForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestartsnoozescheduleforfeatureupdates) | Specify the number of days a user can snooze Engaged restart reminder notifications. | X | X | X | | X | +| [EngagedRestartTransitionSchedule](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionschedule) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | | X | +| [EngagedRestartTransitionScheduleForFeatureUpdates](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-engagedrestarttransitionscheduleforfeatureupdates) | Specify the timing before transitioning from Auto restarts scheduled outside of active hours to Engaged restart, which requires the user to schedule. | X | X | X | | X | +| [ExcludeWUDriversInQualityUpdate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-excludewudriversinqualityupdate) | Exclude Windws Update (WU) drivers during quality updates. | X | | X | | X | +| [FillEmptyContentUrls](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-fillemptycontenturls) | Allow Windows Update Agent to determine the download URL when it is missing from the metadata. | X | X | X | | X | | ManagePreviewBuilds | Use to enable or disable preview builds. 
| X | X | X | X | X | | PhoneUpdateRestrictions | Deprecated | | X | | | | -| [RequireDeferUpgrade](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | X | X | X | X | X | -| [ScheduledInstallDay](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. | X | X | X | X | X | +| [RequireDeferUpgrade](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-requiredeferupgrade) | Configure device to receive updates from Current Branch for Business (CBB). | X | X | X | X | X | +| [ScheduledInstallDay](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstallday) | Schedule the day for update installation. | X | X | X | X | X | | [ScheduledInstallEveryWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstalleveryweek) | To schedule update installation every week, set the value as `1`. | X | X | X | X | X | | [ScheduledInstallFirstWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfirstweek) | To schedule update installation the first week of the month, see the value as `1`. | X | X | X | X | X | | [ScheduledInstallFourthWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallfourthweek) | To schedule update installation the fourth week of the month, see the value as `1`. | X | X | X | X | X | | [ScheduledInstallSecondWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallsecondweek) | To schedule update installation the second week of the month, see the value as `1`. 
| X | X | X | X | X | | [ScheduledInstallThirdWeek](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-update#update-scheduledinstallthirdweek) | To schedule update installation the third week of the month, see the value as `1`. | X | X | X | X | X | -| [ScheduledInstallTime](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | X | X | X | X | X | -| [ScheduleImminentRestartWarning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | X | X | X | | X || -| [ScheduleRestartWarning](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. | X | X | X | | X | -| [SetAutoRestartNotificationDisable](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations. | X | X | X | | X | -| [SetEDURestart](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. | X | X | X | | X | -| [UpdateServiceUrl](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurl) | Configure the device to check for updates from a WSUS server instead of Microsoft Update. 
| X | X | X | X | X | -| [UpdateServiceUrlAlternate](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | Specify an alternate intranet server to host updates from Microsoft Update. | X | X | X | X | X | +| [ScheduledInstallTime](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-scheduledinstalltime) | Schedule the time for update installation. | X | X | X | X | X | +| [ScheduleImminentRestartWarning](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-scheduleimminentrestartwarning) | Specify the period for auto-restart imminent warning notifications. | X | X | X | | X || +| [ScheduleRestartWarning](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-schedulerestartwarning) | Specify the period for auto-restart warning reminder notifications. | X | X | X | | X | +| [SetAutoRestartNotificationDisable](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-setautorestartnotificationdisable) | Disable auto-restart notifications for update installations. | X | X | X | | X | +| [SetDisablePauseUXAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-setdisablepauseuxaccess) | Disable access to scan Windows Update. | X | X | X | | X | +| [SetDisableUXWUAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-setdisableuxwuaccess) | Disable the **Pause updates** feature. | X | X | X | | X | +| [SetEDURestart](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-setedurestart) | Skip the check for battery level to ensure that the reboot will happen at ScheduledInstallTime. 
| X | X | X | | X | +| UpdateNotificationLevel | Specify whether to enable or disable Windows Update notifications, including restart warnings. | X | X | X | | X | +| [UpdateServiceUrl](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurl) | Configure the device to check for updates from a WSUS server instead of Microsoft Update. | X | X | X | X | X | +| [UpdateServiceUrlAlternate](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#update-updateserviceurlalternate) | Specify an alternate intranet server to host updates from Microsoft Update. | X | X | X | X | X | ## WiFi | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowAutoConnectToWiFiSenseHotspots](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowautoconnecttowifisensehotspots) | Allow the device to connect automatically to Wi-Fi hotspots. | X | X | | | | -| [AllowInternetSharing](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowinternetsharing) | Allow Internet sharing. | X | X | | | | -| [AllowManualWiFiConfiguration](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowmanualwificonfiguration) | Allow connecting to Wi-Fi outside of MDM server-installed networks. | | X | | | | -| [AllowWiFi](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-allowwifi) | Allow Wi-Fi connections. 
| | X | | | | -| [WLANScanMode](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wifi-wlanscanmode) | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. | X | X | X | X | X | +| [AllowAutoConnectToWiFiSenseHotspots](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowautoconnecttowifisensehotspots) | Allow the device to connect automatically to Wi-Fi hotspots. | X | X | | | | +| [AllowInternetSharing](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowinternetsharing) | Allow Internet sharing. | X | X | | | | +| [AllowManualWiFiConfiguration](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowmanualwificonfiguration) | Allow connecting to Wi-Fi outside of MDM server-installed networks. | | X | | | | +| [AllowWiFi](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-allowwifi) | Allow Wi-Fi connections. | | X | | | | +| [WLANScanMode](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wifi-wlanscanmode) | Configure the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. | X | X | X | X | X | ## WindowsInkWorkspace | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowSuggestedAppsInWindowsInkWorkspace](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) | Show recommended app suggestions in the ink workspace. 
| X | | | | | -| [AllowWindowsInkWorkspace](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#windowsinkworkspace-allowwindowsinkworkspace) | Specify whether to allow the user to access the ink workspace. | X | | | | | +| [AllowSuggestedAppsInWindowsInkWorkspace](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowsuggestedappsinwindowsinkworkspace) | Show recommended app suggestions in the ink workspace. | X | | | | | +| [AllowWindowsInkWorkspace](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#windowsinkworkspace-allowwindowsinkworkspace) | Specify whether to allow the user to access the ink workspace. | X | | | | | ## WindowsLogon | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [HideFastUserSwitching](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#windowslogon-hidefastuserswitching) | Hide the **Switch account** button on the sign-in screen, Start, and the Task Manager. | X | | | | | +| [HideFastUserSwitching](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#windowslogon-hidefastuserswitching) | Hide the **Switch account** button on the sign-in screen, Start, and the Task Manager. 
| X | | | | | ## WirelessDisplay | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | | --- | --- | :---: | :---: | :---: | :---: | :---: | -| [AllowUserInputFromWirelessDisplayReceiver](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | X | X | | | | \ No newline at end of file +| [AllowUserInputFromWirelessDisplayReceiver](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider#wirelessdisplay-allowuserinputfromwirelessdisplayreceiver) | This policy controls whether or not the wireless display can send input (keyboard, mouse, pen, and touch, dependent upon display support) back to the source device. For example, a Surface Laptop is projecting wirelessly to a Surface Hub. If input from the wireless display receiver is allowed, users can draw with a pen on the Surface Hub. | X | X | | | | \ No newline at end of file diff --git a/windows/configuration/wcd/wcd-sharedpc.md b/windows/configuration/wcd/wcd-sharedpc.md index 8cc91e3ca4..73739a9e70 100644 --- a/windows/configuration/wcd/wcd-sharedpc.md +++ b/windows/configuration/wcd/wcd-sharedpc.md @@ -16,7 +16,6 @@ ms.date: 10/16/2017 Use SharedPC settings to optimize Windows 10 for shared use scenarios, such as touchdown spaces in an enterprise and temporary customer use in retail. - ## Applies to | Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core | 
diff --git a/windows/configuration/wcd/wcd-tabletmode.md b/windows/configuration/wcd/wcd-tabletmode.md
index 3eb2ee43c6..436c29160d 100644
--- a/windows/configuration/wcd/wcd-tabletmode.md
+++ b/windows/configuration/wcd/wcd-tabletmode.md
@@ -19,7 +19,7 @@ Use TabletMode to configure settings related to tablet mode.
 | Setting | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
 | --- | :---: | :---: | :---: | :---: | :---: |
-| All settings | X | X | X | | X |
+| All settings | X | X | X | | |
 ## ConvertibleSlateModePromptPreference
diff --git a/windows/configuration/wcd/wcd-unifiedwritefilter.md b/windows/configuration/wcd/wcd-unifiedwritefilter.md
index 9102c70cbe..7ca1ec138a 100644
--- a/windows/configuration/wcd/wcd-unifiedwritefilter.md
+++ b/windows/configuration/wcd/wcd-unifiedwritefilter.md
@@ -8,7 +8,7 @@ author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
 ms.topic: article
-ms.date: 09/06/2017
+ms.date: 10/02/2018
 ---
 # UnifiedWriteFilter (reference)
@@ -39,6 +39,13 @@ The overlay does not mirror the entire volume, but dynamically grows to keep tra
 Set to **True** to enable UWF.
+## OverlayFlags
+
+OverlayFlags specifies whether to allow writes to unused space on the volume to pass through, and not be redirected to the overlay file. Enabling this setting helps conserve space on the overlay file.
+
+- Value `0` (default value when [OverlayType](#overlaytype) is not **Disk**): writes are redirected to the overlay file
+- Value `1`(default value when [OverlayType](#overlaytype) is **Disk**): writes to unused space on the volume are allowed to pass through without being redirected to the overlay file.
+
 ## OverlaySize
 Enter the maximum overlay size, in megabytes (MB), for the UWF overlay. The minimum value for maximum overlay size is 1024.
@@ -58,6 +65,10 @@ Use **Add** to add a registry entry to the exclusion list after you restart the Use **Remove** to remove a registry entry from the exclusion list after you restart the device. +## ResetPersistentState + +Set to **True** to reset UWF settings to the original state that was captured at installation time. + ## Volumes Enter a drive letter for a volume to be protected by UWF. diff --git a/windows/configuration/wcd/wcd-windowshelloforbusiness.md b/windows/configuration/wcd/wcd-windowshelloforbusiness.md index 0a2c9c16eb..d5455b7f01 100644 --- a/windows/configuration/wcd/wcd-windowshelloforbusiness.md +++ b/windows/configuration/wcd/wcd-windowshelloforbusiness.md @@ -8,14 +8,11 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 07/19/2018 +ms.date: 10/02/2018 --- # WindowsHelloForBusiness (Windows Configuration Designer reference) ->[!WARNING] ->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. - Use WindowsHelloForBusiness settings to specify whether [FIDO2 security keys for Windows Hello](https://blogs.windows.com/business/2018/04/17/windows-hello-fido2-security-keys/) can be used to sign in to Windows on a device configured for [Shared PC mode](wcd-sharedpc.md). diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md index 546e98f694..1064831115 100644 --- a/windows/configuration/wcd/wcd-wlan.md +++ b/windows/configuration/wcd/wcd-wlan.md @@ -8,7 +8,7 @@ author: jdeckerMS ms.localizationpriority: medium ms.author: jdecker ms.topic: article -ms.date: 04/30/2018 +ms.date: 10/02/2018 --- # WLAN (reference) diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md index 57c84d177d..6ddc8bd462 100644 --- a/windows/configuration/wcd/wcd.md +++ b/windows/configuration/wcd/wcd.md 
@@ -22,7 +22,6 @@ This section describes the settings that you can configure in [provisioning pack [AccountManagement](wcd-accountmanagement.md) | | | | X | | | [Accounts](wcd-accounts.md) | X | X | X | X | X | | [ADMXIngestion](wcd-admxingestion.md) | X | | | | | -| [ApplicationManagement](wcd-applicationmanagement.md) | | | | | X | | [AssignedAccess](wcd-assignedaccess.md) | X | | | X | | | [AutomaticTime](wcd-automatictime.md) | | X | | | | | [Browser](wcd-browser.md) | X | X | X | X | | @@ -33,7 +32,7 @@ This section describes the settings that you can configure in [provisioning pack | [Certificates](wcd-certificates.md) | X | X | X | X | X | | [CleanPC](wcd-cleanpc.md) | X | | | | | | [Connections](wcd-connections.md) | X | X | X | X | | -| [ConnectivityProfiles](wcd-connectivityprofiles.md) | X | X | X | X | X | +| [ConnectivityProfiles](wcd-connectivityprofiles.md) | X | X | X | X | | | [CountryAndRegion](wcd-countryandregion.md) | X | X | X | X | | | [DesktopBackgroundAndColors](wcd-desktopbackgroundandcolors.md) | X | | | | | | [DeveloperSetup](wcd-developersetup.md) | | | | X | | @@ -49,7 +48,9 @@ This section describes the settings that you can configure in [provisioning pack | [HotSpot](wcd-hotspot.md) | X | X | X | X | X | | [InitialSetup](wcd-initialsetup.md) | | X | | | | | [InternetExplorer](wcd-internetexplorer.md) | | X | | | | +| [KioskBrowser](wcd-kioskbrowser.md) | | | | | X | | [Licensing](wcd-licensing.md) | X | | | | | +| [Location](wcd-location.md) | | | | | X | | [Maps](wcd-maps.md) |X | X | X | X | | | [Messaging](wcd-messaging.md) | | X | | | | | [ModemConfigurations](wcd-modemconfigurations.md) | | X | | | | diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md index d51cb7fd9d..00f8037780 100644 --- a/windows/configuration/windows-10-start-layout-options-and-policies.md 
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md @@ -116,7 +116,7 @@ The new taskbar layout for upgrades to Windows 10, version 1607 or later, will a If your Start layout customization is not applied as expected, open **Event Viewer** and navigate to **Applications and Services Log** > **Microsoft** > **Windows** > **ShellCommon-StartLayoutPopulation** > **Operational**, and check for one of the following events: - **Event 22** is logged when the xml is malformed, meaning the specified file simply isn’t valid xml. This can occur if the file has extra spaces or unexpected characters, or if the file is not saved in the UTF8 format. -- **Event 64** is logged when the xml is valid, but has unexpected values. This can happen when the desired configuration is not understood or source is not found such as a missing or misspelled .lnk. +- **Event 64** is logged when the xml is valid, but has unexpected values. This can happen when the desired configuration is not understood, elements are not in [the required order](start-layout-xml-desktop.md#required-order), or source is not found, such as a missing or misspelled .lnk. diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index fdb33ba268..6577188cbc 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -20,7 +20,8 @@ ## [Deploy Windows 10](deploy.md) ### [Overview of Windows Autopilot](windows-autopilot/windows-autopilot.md) -### [Windows 10 in S mode](windows-10-pro-in-s-mode.md) +### [Windows 10 in S mode](s-mode.md) +#### [Switch to Windows 10 Pro/Enterprise from S mode](windows-10-pro-in-s-mode.md) ### [Windows 10 upgrade paths](upgrade/windows-10-upgrade-paths.md) ### [Windows 10 edition upgrade](upgrade/windows-10-edition-upgrades.md) ### [Windows 10 volume license media](windows-10-media.md) diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index 8cde17231e..7c7f1d1ff8 100644 
--- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.prod: w10 ms.sitesec: library ms.pagetype: deploy -ms.date: 09/19/2017 +ms.date: 09/12/2018 author: greg-lindsay --- @@ -25,6 +25,12 @@ This topic provides an overview of new solutions and online content related to d - For a detailed list of changes to Windows 10 ITPro TechNet library content, see [Online content change history](#online-content-change-history). +## Windows 10 servicing and support + +Microsoft is [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Office 365 ProPlus will continue to be supported for 18 months (there is no change for these editions). These support policies are summarized in the table below. + +![Support lifecycle](images/support-cycle.png) + ## Windows 10 Enterprise upgrade Windows 10 version 1703 includes a Windows 10 Enterprise E3 and E5 benefit to Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA). These customers can now subscribe users to Windows 10 Enterprise E3 or E5 and activate their subscriptions on up to five devices. Virtual machines can also be activated. For more information, see [Windows 10 Enterprise Subscription Activation](windows-10-enterprise-subscription-activation.md). 
diff --git a/windows/deployment/images/CreateSolution-Part1-Marketplace.png b/windows/deployment/images/CreateSolution-Part1-Marketplace.png
new file mode 100644
index 0000000000..25793516c2
Binary files /dev/null and b/windows/deployment/images/CreateSolution-Part1-Marketplace.png differ
diff --git a/windows/deployment/images/CreateSolution-Part2-Create.png b/windows/deployment/images/CreateSolution-Part2-Create.png
new file mode 100644
index 0000000000..ec63f20402
Binary files /dev/null and b/windows/deployment/images/CreateSolution-Part2-Create.png differ
diff --git a/windows/deployment/images/CreateSolution-Part3-Workspace.png b/windows/deployment/images/CreateSolution-Part3-Workspace.png
new file mode 100644
index 0000000000..1d74aa39d0
Binary files /dev/null and b/windows/deployment/images/CreateSolution-Part3-Workspace.png differ
diff --git a/windows/deployment/images/CreateSolution-Part4-WorkspaceSelected.png b/windows/deployment/images/CreateSolution-Part4-WorkspaceSelected.png
new file mode 100644
index 0000000000..7a3129f467
Binary files /dev/null and b/windows/deployment/images/CreateSolution-Part4-WorkspaceSelected.png differ
diff --git a/windows/deployment/images/CreateSolution-Part5-GoToResource.png b/windows/deployment/images/CreateSolution-Part5-GoToResource.png
new file mode 100644
index 0000000000..c3cb382097
Binary files /dev/null and b/windows/deployment/images/CreateSolution-Part5-GoToResource.png differ
diff --git a/windows/deployment/images/UR-Azureportal1.PNG b/windows/deployment/images/UR-Azureportal1.PNG
new file mode 100644
index 0000000000..2a3f8f1b73
Binary files /dev/null and b/windows/deployment/images/UR-Azureportal1.PNG differ
diff --git a/windows/deployment/images/UR-Azureportal2.PNG b/windows/deployment/images/UR-Azureportal2.PNG
new file mode 100644
index 0000000000..e7db8b3787
Binary files /dev/null and b/windows/deployment/images/UR-Azureportal2.PNG differ
diff --git a/windows/deployment/images/UR-Azureportal3.PNG b/windows/deployment/images/UR-Azureportal3.PNG
new file mode 100644
index 0000000000..6fae2e1738
Binary files /dev/null and b/windows/deployment/images/UR-Azureportal3.PNG differ
diff --git a/windows/deployment/images/UR-Azureportal4.PNG b/windows/deployment/images/UR-Azureportal4.PNG
new file mode 100644
index 0000000000..3087797a46
Binary files /dev/null and b/windows/deployment/images/UR-Azureportal4.PNG differ
diff --git a/windows/deployment/images/autopilotworkflow.png b/windows/deployment/images/autopilotworkflow.png
new file mode 100644
index 0000000000..a79609f6f7
Binary files /dev/null and b/windows/deployment/images/autopilotworkflow.png differ
diff --git a/windows/deployment/images/s-mode-flow-chart.png b/windows/deployment/images/s-mode-flow-chart.png
new file mode 100644
index 0000000000..c3c43cc027
Binary files /dev/null and b/windows/deployment/images/s-mode-flow-chart.png differ
diff --git a/windows/deployment/images/smodeconfig.PNG b/windows/deployment/images/smodeconfig.PNG
new file mode 100644
index 0000000000..2ab1fc0813
Binary files /dev/null and b/windows/deployment/images/smodeconfig.PNG differ
diff --git a/windows/deployment/images/support-cycle.png b/windows/deployment/images/support-cycle.png
new file mode 100644
index 0000000000..3f4b4e87c0
Binary files /dev/null and b/windows/deployment/images/support-cycle.png differ
diff --git a/windows/deployment/planning/TOC.md b/windows/deployment/planning/TOC.md
index 7c0ba92950..cf1fef543a 100644
--- a/windows/deployment/planning/TOC.md
+++ b/windows/deployment/planning/TOC.md
@@ -3,6 +3,7 @@ ## [Windows 10 deployment considerations](windows-10-deployment-considerations.md) ## [Windows 10 compatibility](windows-10-compatibility.md) ## [Windows 10 infrastructure requirements](windows-10-infrastructure-requirements.md) +## [Windows 10, version 1809 - Features removed or planned for replacement](windows-10-1809-removed-features.md) ## [Windows 10, version 1803 - Features removed or planned for replacement](windows-10-1803-removed-features.md) ## [Fall Creators update (version 1709) - deprecated features](windows-10-fall-creators-deprecation.md) ## [Creators update (version 1703) - deprecated features](windows-10-creators-update-deprecation.md) diff --git a/windows/deployment/planning/windows-10-1803-removed-features.md b/windows/deployment/planning/windows-10-1803-removed-features.md index d3f6b8dab2..60147ba008 100644 --- a/windows/deployment/planning/windows-10-1803-removed-features.md +++ b/windows/deployment/planning/windows-10-1803-removed-features.md @@ -7,7 +7,7 @@ ms.localizationpriority: medium ms.sitesec: library author: lizap ms.author: elizapo -ms.date: 06/01/2018 +ms.date: 08/16/2018 --- # Features removed or planned for replacement starting with Windows 10, version 1803 
@@ -34,6 +34,7 @@ We've removed the following features and functionalities from the installed prod |**Connect to suggested open hotspots** option in Wi-Fi settings |We previously [disabled the **Connect to suggested open hotspots** option](https://privacy.microsoft.com/windows-10-open-wi-fi-hotspots) and are now removing it from the Wi-Fi settings page. You can manually connect to free wireless hotspots with **Network & Internet** settings, from the taskbar or Control Panel, or by using Wi-Fi Settings (for mobile devices).| |XPS Viewer|We're changing the way you get XPS Viewer. In Windows 10, version 1709 and earlier versions, the app is included in the installation image. If you have XPS Viewer and you update to Windows 10, version 1803, there's no action required. You'll still have XPS Viewer.

      However, if you install Windows 10, version 1803, on a new device (or as a clean installation), you may need to [install XPS Viewer from **Apps and Features** in the Settings app](https://docs.microsoft.com/windows/application-management/add-apps-and-features) or through [Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities). If you had XPS Viewer in Windows 10, version 1709, but manually removed it before updating, you'll need to manually reinstall it.| + ## Features we’re no longer developing We are no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources. 
@@ -48,5 +49,5 @@ If you have feedback about the proposed replacement of any of these features, yo |Contacts feature in File Explorer|We're no longer developing the Contacts feature or the corresponding [Windows Contacts API](https://msdn.microsoft.com/library/ff800913.aspx). Instead, you can use the People app in Windows 10 to maintain your contacts.| |Phone Companion|Use the **Phone** page in the Settings app. In Windows 10, version 1709, we added the new **Phone** page to help you sync your mobile phone with your PC. It includes all the Phone Companion features.| |IPv4/6 Transition Technologies (6to4, ISATAP, and Direct Tunnels)|6to4 has been disabled by default since Windows 10, version 1607 (the Anniversary Update), ISATAP has been disabled by default since Windows 10, version 1703 (the Creators Update), and Direct Tunnels has always been disabled by default. Please use native IPv6 support instead.| -|[Layered Service Providers](https://msdn.microsoft.com/library/windows/desktop/bb513664)|Layered Service Providers have been deprecated since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510) instead. Installed Layered Service Providers are not migrated when you upgrade to Windows 10, version 1803; you'll need to re-install them after upgrading.| +|[Layered Service Providers](https://msdn.microsoft.com/library/windows/desktop/bb513664)|Layered Service Providers have been deprecated since Windows 8 and Windows Server 2012. Use the [Windows Filtering Platform](https://msdn.microsoft.com/library/windows/desktop/aa366510) instead. 
When you upgrade from an older version of Windows, any layered service providers you're using aren't migrated; you'll need to re-install them after upgrading.| |Business Scanning, also called Distributed Scan Management (DSM) **(Added 05/03/2018)**|The [Scan Management functionality](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd759124\(vs.11\)) was introduced in Windows 7 and enabled secure scanning and the management of scanners in an enterprise. We're no longer investing in this feature, and there are no devices available that support it.| diff --git a/windows/deployment/planning/windows-10-1809-removed-features.md b/windows/deployment/planning/windows-10-1809-removed-features.md new file mode 100644 index 0000000000..6d5df32e07 --- /dev/null +++ b/windows/deployment/planning/windows-10-1809-removed-features.md 
@@ -0,0 +1,50 @@ +--- +title: Windows 10, version 1809 - Features that have been removed +description: Learn about features that will be removed or deprecated in Windows 10, version 1809, or a future release +ms.prod: w10 +ms.mktglfcycl: plan +ms.localizationpriority: medium +ms.sitesec: library +author: lizap +ms.author: elizapo +ms.date: 08/31/2018 +--- +# Features removed or planned for replacement starting with Windows 10, version 1809 + +> Applies to: Windows 10, version 1809 + +Each release of Windows 10 adds new features and functionality; we also occasionally remove features and functionality, usually because we've added a better option. Here are the details about the features and functionalities that we removed in Windows 10, version 1809. + +> [!TIP] +> - You can get early access to Windows 10 builds by joining the [Windows Insider program](https://insider.windows.com) - this is a great way to test feature changes. +> - Have questions about other releases? Check out the information for [Windows 10, version 1803](windows-10-1803-removed-features.md), [Windows 10, version 1709](windows-10-fall-creators-deprecation.md), and [Windows 10, version 1703](windows-10-creators-update-deprecation.md). + +**The list is subject to change and might not include every affected feature or functionality.** + +## Features we removed in this release + +We're removing the following features and functionalities from the installed product image in Windows 10, version 1809. Applications or code that depend on these features won't function in this release unless you use an alternate method. 
+ +|Feature |Instead you can use...| +|-----------|-------------------- +|Business Scanning, also called Distributed Scan Management (DSM)|We're removing this secure scanning and scanner management capability - there are no devices that support this feature.| +|[FontSmoothing setting](https://docs.microsoft.com/windows-hardware/customize/desktop/unattend/microsoft-windows-shell-setup-visualeffects-fontsmoothing) in unattend.xml|The FontSmoothing setting let you specify the font antialiasing strategy to use across the system. We've changed Windows 10 to use [ClearType](https://docs.microsoft.com/en-us/typography/cleartype/) by default, so we're removing this setting as it is no longer necessary. If you include this setting in the unattend.xml file, it'll be ignored.| +|Hologram app|We've replaced the Hologram app with the [Mixed Reality Viewer](https://support.microsoft.com/help/4041156/windows-10-mixed-reality-help). If you would like to create 3D word art, you can still do that in Paint 3D and view your art in VR or Hololens with the Mixed Reality Viewer.| +|limpet.exe|We're releasing the limpet.exe tool, used to access TPM for Azure connectivity, as open source.| +|Phone Companion|When you update to Windows 10, version 1809, the Phone Companion app will be removed from your PC. Use the **Phone** page in the Settings app to sync your mobile phone with your PC. 
It includes all the Phone Companion features.| +|Trusted Platform Module (TPM) management console|The information previously available in the TPM management console is now available on the [**Device security**](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security) page in the [Windows Defender Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center).| +|Future updates through [Windows Embedded Developer Update](https://docs.microsoft.com/previous-versions/windows/embedded/ff770079\(v=winembedded.60\)) for Windows Embedded Standard 8 and Windows Embedded 8 Standard|We’re no longer publishing new updates to the WEDU server. Instead, you may secure any new updates from the [Microsoft Update Catalog](http://www.catalog.update.microsoft.com/Home.aspx).| + +## Features we’re no longer developing + +We're no longer actively developing these features and may remove them from a future update. Some features have been replaced with other features or functionality, while others are now available from different sources. + +If you have feedback about the proposed replacement of any of these features, you can use the [Feedback Hub app](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub-app). + +|Feature |Instead you can use...| +|-----------|---------------------| +|Companion device dynamic lock APIS|The companion device framework (CDF) APIs enable wearables and other devices to unlock a PC. In Windows 10, version 1709, we introduced [Dynamic Lock](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#dynamic-lock), including an inbox method using Bluetooth to detect whether a user is present and lock or unlock the PC. 
Because of this, and because third party partners didn't adopt the CDF method, we're no longer developing CDF Dynamic Lock APIs.| +|OneSync service|The OneSync service synchronizes data for the Mail, Calendar, and People apps. We've added a sync engine to the Outlook app that provides the same synchronization.| +|Snipping Tool|The Snipping Tool is an application included in Windows 10 that is used to capture screenshots, either the full screen or a smaller, custom "snip" of the screen. In Windows 10, version 1809, we're [introducing a new universal app, Snip & Sketch](https://blogs.windows.com/windowsexperience/2018/05/03/announcing-windows-10-insider-preview-build-17661/#8xbvP8vMO0lF20AM.97), that provides the same screen snipping abilities, as well as additional features. You can launch Snip & Sketch directly and start a snip from there, or just press WIN + Shift + S. Snip & Sketch can also be launched from the “Screen snip” button in the Action Center. We're no longer developing the Snipping Tool as a separate app but are instead consolidating its functionality into Snip & Sketch.| + + diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md new file mode 100644 index 0000000000..de261b876c --- /dev/null +++ b/windows/deployment/s-mode.md 
@@ -0,0 +1,45 @@ +--- +title: Windows 10 Pro in S mode +description: Overview of Windows 10 Pro/Enterprise in S mode. What is S mode for Enterprise customers? +keywords: Windows 10 S, S mode, Windows S mode, Windows 10 S mode, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Enterprise in S mode, Windows 10 Pro/Enterprise in S mode +ms.mktglfcycl: deploy +ms.localizationpriority: medium +ms.prod: w10 +ms.sitesec: library +ms.pagetype: deploy +ms.date: 10/02/2018 +author: Mikeblodge +--- + +# Windows 10 in S mode - What is it? +S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update. It's a configuration that's available on all Windows Editions when enabled at the time of manufacturing. The edition of Windows can be upgrade at any time as shown below. However, the switch from S mode is a onetime switch and can only be undone by a wipe and reload of the OS. + +![Configuration and features of S mode](images/smodeconfig.png) + +## S mode key features +**Microsoft-verified security** + +With Windows 10 in S mode, you’ll find your favorite applications, such as Office, Evernote, and Spotify in the Microsoft Store where they’re Microsoft-verified for security. You can also feel secure when you’re online. Microsoft Edge, your default browser, gives you protection against phishing and socially-engineered malware. + +**Performance that lasts** + +Start-ups are quick, and S mode is built to keep them that way. With Microsoft Edge as your browser, your online experience is fast and secure. Plus, you’ll enjoy a smooth, responsive experience, whether you’re streaming HD video, opening apps, or being productive on the go. + +**Choice and flexibility** + +Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. 
Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](https://docs.microsoft.com/en-us/windows/deployment/windows-10-pro-in-s-mode) at any time and search the web for more choices. + +![Switching out of S mode flow chart](images/s-mode-flow-chart.png) + + +## Deployment +Windows 10 S mode is built for [Modern Management](https://docs.microsoft.com/en-us/windows/client-management/manage-windows-10-in-your-organization-modern-management) which means using [Windows Auto Pilot](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/windows-10-autopilot). The best way to start using an S mode device is to embrace Modern Management fully when designing the deployment plan. Windows Auto Pilot allows you to deploy the deivce directly to the employee without having to touch the physical device. Instead of manually deploying a custom image to a machine, Windows Auto Pilot will start with a generic PC that can only be used to join the company domain; Polices are then deployed automatically through Modern Device Management. + +![Windows auto pilot work flow](images/autopilotworkflow.png) + +## Related links + +- [Consumer applications for S mode](https://www.microsoft.com/en-us/windows/s-mode) +- [S mode devices](https://www.microsoft.com/en-us/windows/view-all-devices) +- [Windows Defender Application Control deployment guide](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide) +- [Windows Defender Advanced Threat Protection](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) diff --git a/windows/deployment/update/change-history-for-update-windows-10.md b/windows/deployment/update/change-history-for-update-windows-10.md index e76b08389c..b9e3e2cb31 100644 --- a/windows/deployment/update/change-history-for-update-windows-10.md 
+++ b/windows/deployment/update/change-history-for-update-windows-10.md @@ -6,7 +6,7 @@ ms.mktglfcycl: manage ms.sitesec: library author: DaniHalfin ms.author: daniha -ms.date: 10/17/2017 +ms.date: 09/18/2018 --- # Change history for Update Windows 10 @@ -15,6 +15,13 @@ This topic lists new and updated topics in the [Update Windows 10](index.md) doc >If you're looking for **update history** for Windows 10, see [Windows 10 and Windows Server 2016 update history](https://support.microsoft.com/help/12387/windows-10-update-history). +## September 2018 + +| New or changed topic | Description | +| --- | --- | +| [Get started with Windows Update](windows-update-overview.md) | New | + + ## RELEASE: Windows 10, version 1709 The topics in this library have been updated for Windows 10, version 1709 (also known as the Fall Creators Update). @@ -38,6 +45,5 @@ All topics were updated to reflect the new [naming changes](waas-overview.md#nam ## RELEASE: Windows 10, version 1703 The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added: -* [Windows Insider Program for Business](waas-windows-insider-for-business.md) -* [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md) -* [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md) \ No newline at end of file +* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-get-started) +* [Windows Insider Program for Business](https://docs.microsoft.com/windows-insider/at-work-pro/wip-4-biz-register) diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md index 3121b56334..5ae3940112 100644 --- a/windows/deployment/update/device-health-get-started.md +++ b/windows/deployment/update/device-health-get-started.md 
@@ -1,11 +1,11 @@ --- title: Get started with Device Health -description: Configure Device Health in OMS to see statistics on frequency and causes of crashes of devices in your network. -keywords: Device Health, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers +description: Configure Device Health in Azure Log Analytics to monitor health (such as crashes and sign-in failures) for your Windows 10 devices. +keywords: Device Health, oms, operations management suite, prerequisites, requirements, monitoring, crash, drivers, azure ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.date: 08/21/2018 +ms.date: 09/11/2018 ms.pagetype: deploy author: jaimeo ms.author: jaimeo 
@@ -14,74 +14,59 @@ ms.localizationpriority: medium # Get started with Device Health ->[!IMPORTANT] ->**The OMS portal has been deprecated; you should start using the [Azure portal](https://portal.azure.com) instead as soon as possible.** Many experiences are the same in the two portals, but there are some key differences. See [Windows Analytics in the Azure Portal](windows-analytics-azure-portal.md) for steps to use Windows Analytics in the Azure portal. For much more information about the transition from OMS to Azure, see [OMS portal moving to Azure](https://docs.microsoft.com/azure/log-analytics/log-analytics-oms-portal-transition). +This topic explains the steps necessary to configure your environment for Windows Analytics Device Health. -This topic explains the steps necessary to configure your environment for Windows Analytics: Device Health. - -Steps are provided in sections that follow the recommended setup process: - -1. [Add Device Health](#add-device-health-to-microsoft-operations-management-suite) to Microsoft Operations Management Suite. -2. [Enroll devices in Windows Analytics](#deploy-your-commercial-id-to-your-windows-10-devices) to your organization’s devices. -3. [Use Device Health to monitor frequency and causes of device crashes](#use-device-health-to-monitor-frequency-and-causes-of-device-crashes) once your devices are enrolled. 
+- [Get started with Device Health](#get-started-with-device-health) + - [Add the Device Health solution to your Azure subscription](#add-the-device-health-solution-to-your-azure-subscription) + - [Enroll devices in Windows Analytics](#enroll-devices-in-windows-analytics) + - [Use Device Health to monitor device crashes, app crashes, sign-in failures, and more](#use-device-health-to-monitor-device-crashes-app-crashes-sign-in-failures-and-more) + - [Related topics](#related-topics) -## Add Device Health to Microsoft Operations Management Suite or Azure Log Analytics +## Add the Device Health solution to your Azure subscription -Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud-based servicing for monitoring and automating your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). +Device Health is offered as a *solution* which you link to a new or existing [Azure Log Analytics](https://azure.microsoft.com/services/log-analytics/) *workspace* within your Azure *subscription*. To configure this, follows these steps: -**If you are already using Windows Analytics**, you should use the same Azure Log Analytics workspace you're already using. Find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already. +1. 
Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. If you don't already have an Azure subscription you can create one (including free trial options) through the portal. + + >[!NOTE] + > Device Health is included at no additional cost with Windows 10 [education and enterprise licensing](https://docs.microsoft.com/en-us/windows/deployment/update/device-health-monitor#device-health-licensing). An Azure subscription is required for managing and using Device Health, but no Azure charges are expected to accrue to the subscription as a result of using Device Health. ->[!NOTE] ->If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=DeviceHealthProd) to go directly to the Device Health solution and add it to your workspace. +2. In the Azure portal select **Create a resource**, search for "Device Health", and then select **Create** on the **Device Health** solution. + ![Azure portal page highlighting + Create a resource and with Device Health selected](images/CreateSolution-Part1-Marketplace.png) -**If you are not yet using Windows Analytics or Azure Log Analytics**, follow these steps to subscribe: - -1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**. - [![Operations Management Suite bar with sign-in button](images/uc-02a.png)](images/uc-02.png) - - -2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. - [![OMS Sign-in dialog box for account name and password](images/uc-03a.png)](images/uc-03.png) - - -3. 
Create a new OMS workspace. - - [![OMS dialog with buttons to create a new OMS workspace or cancel](images/uc-04a.png)](images/uc-04.png) - -4. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Click **Create**. - - [![OMS Create New Workspace dialog](images/uc-05a.png)](images/uc-05.png) - -5. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. If you do not yet have an Azure subscription, follow [this guide](https://blogs.technet.microsoft.com/upgradeanalytics/2016/11/08/linking-operations-management-suite-workspaces-to-microsoft-azure/) to create and link an Azure subscription to an OMS workspace. - - [![OMS dialog to link existing Azure subscription or create a new one](images/uc-06a.png)](images/uc-06.png) - -6. To add Update Readiness to your workspace, go to the Solution Gallery, Select the **Update Readiness** tile and then select **Add** on the solution's detail page. - - [![Windows Analytics details page in Solutions Gallery](images/solution-bundle.png)](images/solution-bundle.png) - -7. Click the **Update Readiness** tile to configure the solution. The **Settings Dashboard** opens. In this example, both Upgrade Readiness and Device Health solutions have been added. - - [![OMS Settings Dashboard showing Device Health and Upgrade Readiness tiles](images/OMS-after-adding-solution.jpg)](images/OMS-after-adding-solution.jpg) - - - -After you have added Device Health and devices have a Commercial ID, you will begin receiving data. It will typically take 24-48 hours for the first data to begin appearing. The following section explains how to deploy your Commercial ID to your Windows 10 devices. 
- ->[!NOTE] ->You can unsubscribe from the Device Health solution if you no longer want to monitor your organization’s devices. User device data will continue to be shared with Microsoft while the opt-in keys are set on user devices and the proxy allows traffic. + ![Azure portal showing Device Health fly-in and Create button highlighted(images/CreateSolution-Part2-Create.png)](images/CreateSolution-Part2-Create.png) +3. Choose an existing workspace or create a new workspace to host the Device Health solution. + ![Azure portal showing Log Analytics workspace fly-in](images/CreateSolution-Part3-Workspace.png) + - If you are using other Windows Analytics solutions (Upgrade Readiness or Update Compliance) you should add Device Health to the same workspace. + - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: + - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. + - For the resource group setting select **Create new** and use the same name you chose for your new workspace. + - For the location setting, choose the Azure region where you would prefer the data to be stored. + - For the pricing tier select **Free**. +4. Now that you have selected a workspace, you can go back to the Device Health blade and select **Create**. + ![Azure portal showing workspace selected and with Create button highlighted](images/CreateSolution-Part4-WorkspaceSelected.png) +5. Watch for a Notification (in the Azure portal) that "Deployment 'Microsoft.DeviceHealth' to resource group 'YourResourceGroupName' was successful." and then select **Go to resource** This might take several minutes to appear. 
+ ![Azure portal all services page with Log Analytics found and selected as favorite](images/CreateSolution-Part5-GoToResource.png) + - Suggestion: Choose the **Pin to Dashboard** option to make it easy to navigate to your newly added Device Health solution. + - Suggestion: If a "resource unavailable" error occurs when navigating to the solution, try again after one hour. ## Enroll devices in Windows Analytics -Once you've added Update Compliance to Microsoft Operations Management Suite, you can now start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). +Once you've added Device Health to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For Device Health there are two key steps for enrollment: +1. Deploy your CommercialID (from Device Health Settings page) to your Windows 10 devices (typically using Group Policy or similar) +2. Ensure the Windows Diagnostic Data setting on devices is set to Enhanced or Full (typically using Group Policy or similar). Note that the [Limit Enhanced](https://docs.microsoft.com/en-us/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields) policy can substantially reduce the amount of diagnostic data shared with Microsoft while still allowing Device Health to function. +For full enrollment instructions and troubleshooting, see [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). +After enrolling your devices (by deploying your CommercialID and Windows Diagnostic Data settings), it may take 48-72 hours for the first data to appear in the solution. Until then, the Device Health tile will show "Performing Assessment." 
-## Use Device Health to monitor frequency and causes of device crashes +## Use Device Health to monitor device crashes, app crashes, sign-in failures, and more -Once your devices are enrolled, you can move on to [Using Device Health](device-health-using.md). +Once your devices are enrolled and data is flowing, you can move on to [Using Device Health](device-health-using.md). +>[!NOTE] +>You can remove the Device Health solution from your workspace if you no longer want to monitor your organization’s devices. Windows diagnostic data will continue to be shared with Microsoft as normal as per the diagnostic data sharing settings on the devices. ## Related topics diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md new file mode 100644 index 0000000000..b073e9cd2f --- /dev/null +++ b/windows/deployment/update/how-windows-update-works.md 
@@ -0,0 +1,142 @@ +--- +title: How Windows Update works +description: Learn how Windows Update works, including architecture and troubleshooting +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +author: kaushika-msft +ms.localizationpriority: medium +ms.author: elizapo +ms.date: 09/18/2018 +--- + +# How does Windows Update work? + +>Applies to: Windows 10 + +The Windows Update workflow has four core areas of functionality: + +### Scan + +1. Orchestrator schedules the scan. +2. Orchestrator vertifies admin approvals and policies for download. + + +### Download +1. Orchestrator initiates downloads. +2. Windows Update downloads manifest files and provides them to the arbiter. +3. The arbiter evaluates the manifest and tells the Windows Update client to download files. +4. Windows Update client downloads files in a temporary folder. +5. The arbiter stages the downloaded files. + + +### Install +1. Orchestrator initates the installation. +2. The arbiter calls the installer to install the package. + + +### Commit +1. Orchestrator initiates a restart. +2. The arbiter finalizes before the restart. + + +## How updating works +During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does this automatically, according to your settings, and in a silent manner that doesn’t disrupt your computer usage. + +## Scanning updates +![Windows Update scanning step](images/update-scan-step.png) + +The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently. 
+ +When checking for updates, the Windows Update Orchestrator evaluates whether the update is appropriate for your computer using guidelines defined by the publisher of the update, for example, Microsoft Office including enterprise group policies. + +Make sure you're familiar with the following terminology related to Windows Update scan: + +|Term|Definition| +|----|----------| +|Update|We use this term to mean a lot of different things, but in this context it's the actual patch or change.| +|Bundle update|An update that contains 1-N child updates; doesn't contain payload itself.| +|Child update|Leaf update that's bundled by another update; contains payload.| +|Detectoid update|A special 'update' that contains "IsInstalled" applicability rule only and no payload. Used for prereq evaluation.| +|Category update|A special 'detectoid' that has always true IsInstalled rule. Used for grouping updates and for client to filter updates. | +|Full scan|Scan with empty datastore.| +|Delta scan|Scan with updates from previous scan already cached in datastore.| +|Online scan|Scan that hits network and goes against server on cloud. | +|Offline scan|Scan that doesn't hit network and goes against local datastore. Only useful if online scan has been performed before. | +|CatScan|Category scan where caller can specify a categoryId to get updates published under the categoryId.| +|AppCatScan|Category scan where caller can specify an AppCategoryId to get apps published under the appCategoryId.| +|Software sync|Part of the scan that looks at software updates only (OS and apps).| +|Driver sync|Part of the scan that looks at Driver updates only. This is run after Software sync and is optional.| +|ProductSync|Attributes based sync, where client provides a list of device, product and caller attributes ahead of time to allow service to evaluate applicability in the cloud. | + +### How Windows Update scanning works + +Windows Update takes the following sets of actions when it runs a scan. 
+ +#### Starts the scan for updates +When users start scanning in Windows Update through the Settings panel, the following occurs: + +- The scan first generates a “ComApi” message. The caller (Windows Defender Antivirus) tells the WU engine to scan for updates. +- "Agent" messages: queueing the scan, then actually starting the work: + - Updates are identified by the different IDs ("Id = 10", "Id = 11") and from the different thread ID numbers. + - Windows Update uses the thread ID filtering to concentrate on one particular task. + + ![Windows Update scan log 1](images/update-scan-log-1.png) + +#### Identifies service IDs + +- Service IDs indicate which update source is being scanned. + Note The next screen shot shows Microsoft Update and the Flighting service. + +- The Windows Update engine treats every service as a separate entity, even though multiple services may contain the same updates. + ![Windows Update scan log 2](images/update-scan-log-2.png) +- Common service IDs + + >[!IMPORTANT] + >ServiceId here identifies a client abstraction, not any specific service in the cloud. No assumption should be made of which server a serviceId is pointing to, it's totally controlled by the SLS responses. + +|Service|ServiceId| +|-------|---------| +|Unspecified / Default|WU, MU or WSUS
      00000000-0000-0000-0000-000000000000 | +|WU|9482F4B4-E343-43B6-B170-9A65BC822C77| +|MU|7971f918-a847-4430-9279-4a52d1efe18d| +|Store|855E8A7C-ECB4-4CA3-B045-1DFA50104289| +|OS Flighting|8B24B027-1DEE-BABB-9A95-3517DFB9C552| +|WSUS or SCCM|Via ServerSelection::ssManagedServer
      3DA21691-E39D-4da6-8A4B-B43877BCB1B7 | +|Offline scan service|Via IUpdateServiceManager::AddScanPackageService| + +#### Finds network faults +Common update failure is caused due to network issues. To find the root of the issue: + +- Look for "ProtocolTalker" messages to see client-server sync network traffic. +- "SOAP faults" can be either client- or server-side issues; read the message. +- The WU client uses SLS (Service Locator Service) to discover the configurations and endpoints of Microsoft network update sources – WU, MU, Flighting. + + >[!NOTE] + >Warning messages for SLS can be ignored if the search is against WSUS/SCCM. + +- On sites that only use WSUS/SCCM, the SLS may be blocked at the firewall. In this case the SLS request will fail, and can’t scan against Windows Update or Microsoft Update but can still scan against WSUS/SCCM, since it’s locally configured. + ![Windows Update scan log 3](images/update-scan-log-3.png) + +## Downloading updates +![Windows Update download step](images/update-download-step.png) + +Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does this in the background without interrupting your normal use of the computer. + +To ensure that your other downloads aren’t affected or slowed down because updates are downloading, Windows Update uses the Delivery Optimization (DO) technology which downloads updates and reduces bandwidth consumption. + +For more information see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). + +## Installing updates +![Windows Update install step](images/update-install-step.png) + +When an update is applicable, the "Arbiter" and metadata are downloaded. 
Depending on your Windows Update settings, when downloading is complete, the Arbiter will gather details from the device, and compare that with the downloaded metadata to create an "action list". + +The action list describes all the files needed from WU, and what the install agent (such as CBS or Setup) should do with them. The action list is provided to the install agent along with the payload to begin the installation. + +## Committing Updates +![Windows Update commit step](images/update-commit-step.png) + +When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the PC for you after installing the updates. This is necessary because your PC may be insecure, or not fully updated, until a restart is completed. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed. + +For more information see [Manage device restarts after updates](waas-restart.md). \ No newline at end of file diff --git a/windows/deployment/update/images/CreateSolution-Part1-Marketplace.png b/windows/deployment/update/images/CreateSolution-Part1-Marketplace.png new file mode 100644 index 0000000000..25793516c2 Binary files /dev/null and b/windows/deployment/update/images/CreateSolution-Part1-Marketplace.png differ diff --git a/windows/deployment/update/images/CreateSolution-Part2-Create.png b/windows/deployment/update/images/CreateSolution-Part2-Create.png new file mode 100644 index 0000000000..ec63f20402 Binary files /dev/null and b/windows/deployment/update/images/CreateSolution-Part2-Create.png differ 
diff --git a/windows/deployment/update/images/CreateSolution-Part3-Workspace.png b/windows/deployment/update/images/CreateSolution-Part3-Workspace.png
new file mode 100644
index 0000000000..1d74aa39d0
Binary files /dev/null and b/windows/deployment/update/images/CreateSolution-Part3-Workspace.png differ
diff --git a/windows/deployment/update/images/CreateSolution-Part4-WorkspaceSelected.png b/windows/deployment/update/images/CreateSolution-Part4-WorkspaceSelected.png
new file mode 100644
index 0000000000..7a3129f467
Binary files /dev/null and b/windows/deployment/update/images/CreateSolution-Part4-WorkspaceSelected.png differ
diff --git a/windows/deployment/update/images/CreateSolution-Part5-GoToResource.png b/windows/deployment/update/images/CreateSolution-Part5-GoToResource.png
new file mode 100644
index 0000000000..c3cb382097
Binary files /dev/null and b/windows/deployment/update/images/CreateSolution-Part5-GoToResource.png differ
diff --git a/windows/deployment/update/images/update-commit-step.png b/windows/deployment/update/images/update-commit-step.png
new file mode 100644
index 0000000000..d9b3d0cd2d
Binary files /dev/null and b/windows/deployment/update/images/update-commit-step.png differ
diff --git a/windows/deployment/update/images/update-component-name.png b/windows/deployment/update/images/update-component-name.png
new file mode 100644
index 0000000000..79152f5aeb
Binary files /dev/null and b/windows/deployment/update/images/update-component-name.png differ
diff --git a/windows/deployment/update/images/update-download-step.png b/windows/deployment/update/images/update-download-step.png
new file mode 100644
index 0000000000..a7e8f1a3e5
Binary files /dev/null and b/windows/deployment/update/images/update-download-step.png differ
diff --git a/windows/deployment/update/images/update-inconsistent.png b/windows/deployment/update/images/update-inconsistent.png
new file mode 100644
index 0000000000..ac0768471a
Binary files /dev/null and b/windows/deployment/update/images/update-inconsistent.png differ
diff --git a/windows/deployment/update/images/update-install-step.png b/windows/deployment/update/images/update-install-step.png
new file mode 100644
index 0000000000..896535b52e
Binary files /dev/null and b/windows/deployment/update/images/update-install-step.png differ
diff --git a/windows/deployment/update/images/update-process-id.png b/windows/deployment/update/images/update-process-id.png
new file mode 100644
index 0000000000..4045f4ee7e
Binary files /dev/null and b/windows/deployment/update/images/update-process-id.png differ
diff --git a/windows/deployment/update/images/update-scan-log-1.png b/windows/deployment/update/images/update-scan-log-1.png
new file mode 100644
index 0000000000..69691066ac
Binary files /dev/null and b/windows/deployment/update/images/update-scan-log-1.png differ
diff --git a/windows/deployment/update/images/update-scan-log-2.png b/windows/deployment/update/images/update-scan-log-2.png
new file mode 100644
index 0000000000..7b059f7011
Binary files /dev/null and b/windows/deployment/update/images/update-scan-log-2.png differ
diff --git a/windows/deployment/update/images/update-scan-log-3.png b/windows/deployment/update/images/update-scan-log-3.png
new file mode 100644
index 0000000000..e6abcd1024
Binary files /dev/null and b/windows/deployment/update/images/update-scan-log-3.png differ
diff --git a/windows/deployment/update/images/update-scan-step.png b/windows/deployment/update/images/update-scan-step.png
new file mode 100644
index 0000000000..b603de2625
Binary files /dev/null and b/windows/deployment/update/images/update-scan-step.png differ
diff --git a/windows/deployment/update/images/update-terminology.png b/windows/deployment/update/images/update-terminology.png new file mode 100644 index 0000000000..803c35d447 Binary files /dev/null and b/windows/deployment/update/images/update-terminology.png differ diff --git a/windows/deployment/update/images/update-time-log.png b/windows/deployment/update/images/update-time-log.png new file mode 100644 index 0000000000..4b311c1ce8 Binary files /dev/null and b/windows/deployment/update/images/update-time-log.png differ diff --git a/windows/deployment/update/images/update-update-id.png b/windows/deployment/update/images/update-update-id.png new file mode 100644 index 0000000000..efcf6b09a8 Binary files /dev/null and b/windows/deployment/update/images/update-update-id.png differ diff --git a/windows/deployment/update/images/windows-update-workflow.png b/windows/deployment/update/images/windows-update-workflow.png new file mode 100644 index 0000000000..e597eaec2a Binary files /dev/null and b/windows/deployment/update/images/windows-update-workflow.png differ diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md index 23321eb5ad..ae2fc715ad 100644 --- a/windows/deployment/update/servicing-stack-updates.md +++ b/windows/deployment/update/servicing-stack-updates.md @@ -7,7 +7,7 @@ ms.sitesec: library author: Jaimeo ms.localizationpriority: medium ms.author: jaimeo -ms.date: 05/29/2018 +ms.date: 09/24/2018 --- # Servicing stack updates 
@@ -22,12 +22,20 @@ The "servicing stack" is the code that installs other operating system updates. ## Why should servicing stack updates be installed and kept up to date? -Having the latest servicing stack update is a prerequisite to reliably installing the latest quality updates and feature updates. +Having the latest servicing stack update is a prerequisite to reliably installing the latest quality updates and feature updates. Servicing stack updates improve the reliability and performance of the update process. ## When are they released? Currently, the servicing stack update releases are aligned with the monthly quality update release date, though sometimes they are released on a separate date if required. +## What's the difference between a servicing stack update and a cumulative update? + +Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates. + +However, there are some operating system fixes that aren’t included in a cumulative update but are still pre-requisites for the cumulative update. That is, the component that performs the actual updates sometimes itself requires an update. Those fixes are available in a servicing stack update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update. + +If a given cumulative update required a servicing stack update, you'll see that information in the release notes for the update. **If you try to install the cumulative update without installing the servicing stack update, you'll get an error.** + ## Is there any special guidance? Typically, the improvements are reliability, security, and performance improvements that do not require any specific special guidance. 
If there is any significant impact, it will be present in the release notes. diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md index 831d0da5ff..8446553143 100644 --- a/windows/deployment/update/waas-optimize-windows-10-updates.md +++ b/windows/deployment/update/waas-optimize-windows-10-updates.md @@ -7,7 +7,7 @@ ms.sitesec: library author: DaniHalfin ms.localizationpriority: medium ms.author: daniha -ms.date: 07/27/2017 +ms.date: 09/24/2018 --- # Optimize Windows 10 update delivery @@ -38,7 +38,7 @@ Two methods of peer-to-peer content distribution are available in Windows 10. | Method | Windows Update | Windows Update for Business | WSUS | Configuration Manager | | --- | --- | --- | --- | --- | -| Delivery Optimization | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | +| Delivery Optimization | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | | BranchCache | ![no](images/crossmark.png) | ![no](images/crossmark.png) |![yes](images/checkmark.png) | ![yes](images/checkmark.png) | >[!NOTE] diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md index 74fdfc0efd..9cfb7ab6bf 100644 --- a/windows/deployment/update/waas-overview.md +++ b/windows/deployment/update/waas-overview.md @@ -8,7 +8,7 @@ ms.sitesec: library author: Jaimeo ms.localizationpriority: medium ms.author: jaimeo -ms.date: 06/01/2018 +ms.date: 09/24/2018 --- # Overview of Windows as a service 
@@ -121,7 +121,12 @@ Once the latest release went through pilot deployment and testing, you choose th When Microsoft officially releases a feature update for Windows 10, it is made available to any PC not configured to defer feature updates so that those devices can immediately install it. Organizations that use Windows Server Update Services (WSUS), Microsoft System Center Configuration Manager, or Windows Update for Business, however, can defer feature updates to selective devices by withholding their approval and deployment. In this scenario, the content available for the Semi-Annual Channel will be available but not necessarily immediately mandatory, depending on the policy of the management system. For more details about Windows 10 servicing tools, see [Servicing tools](#servicing-tools). -Organizations are expected to initiate targeted deployment on Semi-Annual Channel releases, while after about 4 months, we will announce broad deployment readiness, indicating that Microsoft, independent software vendors (ISVs), partners, and customers believe that the release is ready for broad deployment. Each feature update release will be supported and updated for 18 months from the time of its release + +Organizations are expected to initiate targeted deployment on Semi-Annual Channel releases. All customers, independent software vendors (ISVs), and partners should use this time for testing and piloting within their environments. After 2-4 months, we will transition to broad deployment and encourage customers and partners to expand and accelerate the deployment of the release. For customers using Windows Update for Business, the Semi-Annual Channel provides three months of additional total deployment time before being required to update to the next release. + +>[!NOTE] +All releases of Windows 10 have 18 months of servicing for all editions--these updates provide security and feature updates for the release. 
Customers running Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. These versions include Enterprise and Education editions for Windows 10, versions 1607, 1703, 1709 and 1803. Starting in October 2018, all Semi-Annual Channel releases in the September/October timeframe will also have the additional 12 months of servicing for a total of 30 months from the initial release. The Semi-Annual Channel versions released in March/April timeframe will continue to have an 18 month lifecycle. + >[!NOTE] >Organizations can electively delay feature updates into as many phases as they wish by using one of the servicing tools mentioned in the section Servicing tools. 
@@ -138,10 +143,9 @@ Specialized systems—such as PCs that control medical equipment, point-of-sale Microsoft never publishes feature updates through Windows Update on devices that run Windows 10 Enterprise LTSB. Instead, it typically offers new LTSC releases every 2–3 years, and organizations can choose to install them as in-place upgrades or even skip releases over a 10-year life cycle. >[!NOTE] ->Windows 10 LTSB will support the currently released silicon at the time of release of the LTSB. As future silicon generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products). +>Windows 10 LTSB will support the currently released processors and chipsets at the time of release of the LTSB. As future CPU generations are released, support will be created through future Windows 10 LTSB releases that customers can deploy for those systems. For more information, see **Supporting the latest processor and chipsets on Windows** in [Lifecycle support policy FAQ - Windows Products](https://support.microsoft.com/help/18581/lifecycle-support-policy-faq-windows-products). -The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This build of Windows doesn’t contain many in-box applications, such as Microsoft Edge, Microsoft Store, Cortana (limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. Since these apps aren’t included then not supported in Windows 10 Enterprise LTSB edition, including the case of the in-box application sideloading. -Therefore, it’s important to remember that Microsoft has positioned the LTSC model primarily for specialized devices. 
+The Long-term Servicing Channel is available only in the Windows 10 Enterprise LTSB edition. This edition of Windows doesn’t include a number of applications, such as Microsoft Edge, Microsoft Store, Cortana (though limited search capabilities remain available), Microsoft Mail, Calendar, OneNote, Weather, News, Sports, Money, Photos, Camera, Music, and Clock. These apps are not supported in Windows 10 Enterprise LTSB edition, even of you install by using sideloading. >[!NOTE] >If an organization has devices currently running Windows 10 Enterprise LTSB that it would like to change to the Semi-Annual Channel, it can make the change without losing user data. Because LTSB is its own SKU, however, an upgrade is required from Windows 10 Enterprise LTSB to Windows 10 Enterprise, which supports the Semi-Annual Channel. diff --git a/windows/deployment/update/windows-analytics-azure-portal.md b/windows/deployment/update/windows-analytics-azure-portal.md index d9296cb710..34fd777734 100644 --- a/windows/deployment/update/windows-analytics-azure-portal.md +++ b/windows/deployment/update/windows-analytics-azure-portal.md @@ -5,7 +5,7 @@ keywords: Device Health, oms, Azure, portal, operations management suite, add, m ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.date: 08/21/2018 +ms.date: 09/12/2018 ms.pagetype: deploy author: jaimeo ms.author: jaimeo 
@@ -35,7 +35,7 @@ To check the Log Analytics workspaces you can access, select **Log Analytics**. If you do not see your workspace in this view, you do not have access to the underlying Azure subscription. To view and assign permissions for a workspace, select its name and then, in the flyout that opens, select **Access control (IAM)**. You can view and assign permissions for a subscription similarly by selecting the subscription name and selecting **Access control (IAM)**. -Both the workspace and Azure subscription require at least "read" permissions. To make changes (for example, to set app importantance in Upgrade Readiness), both the subscription and workspace require "contributor" permissions. You can view your current role and make changes in other roles by using the **Access control (IAM)** tab in Azure. +The Azure subscription requires at least "Log Analytics Reader" permission. Making changes (for example, to set app importance in Upgrade Readiness) requires "Log Analytics Contributor" permission. You can view your current role and make changes in other roles by using the Access control (IAM) tab in Azure. These permissions will be inherited by Azure Log Analytics. When permissions are configured, you can select the workspace and then select **Workspace summary** to see information similar to what was shown in the OMS overview page. diff --git a/windows/deployment/update/windows-analytics-get-started.md b/windows/deployment/update/windows-analytics-get-started.md index 294030a5a5..9539a482fc 100644 --- a/windows/deployment/update/windows-analytics-get-started.md +++ b/windows/deployment/update/windows-analytics-get-started.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 08/01/2018 +ms.date: 10/01/2018 ms.localizationpriority: medium --- 
@@ -48,6 +48,7 @@ To enable data sharing, configure your proxy sever to whitelist the following en | `https://v10.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with Windows 10, version 1803| | `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier | | `https://vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for operating systems older than Windows 10 | +| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for use with Windows versions that have KB4458469 installed | | `https://settings-win.data.microsoft.com` | Enables the compatibility update to send data to Microsoft. | `http://adl.windows.com` | Allows the compatibility update to receive the latest compatibility data from Microsoft. | | `https://watson.telemetry.microsoft.com` | Windows Error Reporting (WER); required for Device Health and Update Compliance AV reports. Not used by Upgrade Readiness. | diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md new file mode 100644 index 0000000000..d507deedb3 --- /dev/null +++ b/windows/deployment/update/windows-update-error-reference.md 
@@ -0,0 +1,362 @@
+---
+title: Windows Update error code list by component
+description: Reference information for Windows Update error codes
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 09/18/2018
+---
+
+# Windows Update error codes by component
+
+>Applies to: Windows 10
+
+
+This section lists the error codes for Microsoft Windows Update.
+
+## Automatic Update Errors
+
+|Error code|Message|Description|
+|-|-|-|
+|0x80243FFF|WU_E_AUCLIENT_UNEXPECTED|There was a user interface error not covered by another WU_E_AUCLIENT_* error code.|
+|0x8024A000|WU_E_AU_NOSERVICE|Automatic Updates was unable to service incoming requests. |
+|0x8024A002|WU_E_AU_NONLEGACYSERVER|The old version of the Automatic Updates client has stopped because the WSUS server has been upgraded.| 
+|0x8024A003 |WU_E_AU_LEGACYCLIENTDISABLED| The old version of the Automatic Updates client was disabled.| 
+|0x8024A004|WU_E_AU_PAUSED|Automatic Updates was unable to process incoming requests because it was paused.| 
+|0x8024A005|WU_E_AU_NO_REGISTERED_SERVICE| No unmanaged service is registered with AU.| 
+|0x8024AFFF|WU_E_AU_UNEXPECTED| An Automatic Updates error not covered by another WU_E_AU * code.| 
+
+## Windows Update UI errors
+
+|Error code|Message|Description|
+|-|-|-|
+|0x80243001|WU_E_INSTALLATION_RESULTS_UNKNOWN_VERSION|The results of download and installation could not be read from the registry due to an unrecognized data format version.| 
+|0x80243002|WU_E_INSTALLATION_RESULTS_INVALID_DATA|The results of download and installation could not be read from the registry due to an invalid data format.| 
+|0x80243003|WU_E_INSTALLATION_RESULTS_NOT_FOUND |The results of download and installation are not available; the operation may have failed to start.| 
+|0x80243004| WU_E_TRAYICON_FAILURE| A failure occurred when trying to create an icon in the taskbar notification area.|
+|0x80243FFD| WU_E_NON_UI_MODE| 
Unable to show UI when in non-UI mode; WU client UI modules may not be installed.  |
+|0x80243FFE| WU_E_WUCLTUI_UNSUPPORTED_VERSION| Unsupported version of WU client UI exported functions.  |
+|0x80243FFF| WU_E_AUCLIENT_UNEXPECTED| There was a user interface error not covered by another WU_E_AUCLIENT_* error code.  |
+
+## Inventory errors
+
+|Error code|Message|Description|
+|-|-|-|
+|0x80249001| WU_E_INVENTORY_PARSEFAILED| Parsing of the rule file failed. |
+|0x80249002| WU_E_INVENTORY_GET_INVENTORY_TYPE_FAILED | Failed to get the requested inventory type from the server. |
+|0x80249003| WU_E_INVENTORY_RESULT_UPLOAD_FAILED| Failed to upload inventory result to the server. |
+|0x80249004| WU_E_INVENTORY_UNEXPECTED| There was an inventory error not covered by another error code.| 
+|0x80249005| WU_E_INVENTORY_WMI_ERROR| A WMI error occurred when enumerating the instances for a particular class.  |
+
+## Expression evaluator errors
+
+|Error code|Message|Description|
+|-|-|-|
+|0x8024E001 | WU_E_EE_UNKNOWN_EXPRESSION | An expression evaluator operation could not be completed because an expression was unrecognized.|
+|0x8024E002| WU_E_EE_INVALID_EXPRESSION| An expression evaluator operation could not be completed because an expression was invalid.  |
+|0x8024E003| WU_E_EE_MISSING_METADATA| An expression evaluator operation could not be completed because an expression contains an incorrect number of metadata nodes. |
+|0x8024E004| WU_E_EE_INVALID_VERSION| An expression evaluator operation could not be completed because the version of the serialized expression data is invalid. 
|
+| 0x8024E005| WU_E_EE_NOT_INITIALIZED| The expression evaluator could not be initialized.| 
+| 0x8024E006| WU_E_EE_INVALID_ATTRIBUTEDATA | An expression evaluator operation could not be completed because there was an invalid attribute.|
+| 0x8024E007| WU_E_EE_CLUSTER_ERROR | An expression evaluator operation could not be completed because the cluster state of the computer could not be determined. |
+| 0x8024EFFF| WU_E_EE_UNEXPECTED| There was an expression evaluator error not covered by another WU_E_EE_* error code.  |
+
+## Reporter errors
+
+|Error code|Message|Description|
+|-|-|-|
+| 0x80247001| WU_E_OL_INVALID_SCANFILE | An operation could not be completed because the scan package was invalid.| 
+|0x80247002| WU_E_OL_NEWCLIENT_REQUIRED| An operation could not be completed because the scan package requires a greater version of the Windows Update Agent.| 
+| 0x80247FFF| WU_E_OL_UNEXPECTED| Search using the scan package failed. |
+| 0x8024F001| WU_E_REPORTER_EVENTCACHECORRUPT| The event cache file was defective. |
+| 0x8024F002 | WU_E_REPORTER_EVENTNAMESPACEPARSEFAILED | The XML in the event namespace descriptor could not be parsed.| 
+| 0x8024F003| WU_E_INVALID_EVENT| The XML in the event namespace descriptor could not be parsed.| 
+| 0x8024F004| WU_E_SERVER_BUSY| The server rejected an event because the server was too busy.| 
+| 0x8024FFFF| WU_E_REPORTER_UNEXPECTED| There was a reporter error not covered by another error code. |
+
+## Redirector errors
+The components that download the Wuredir.cab file and then parse the Wuredir.cab file generate the following errors.
+
+|Error code|Message|Description |
+|-|-|-|
+| 0x80245001| WU_E_REDIRECTOR_LOAD_XML| The redirector XML document could not be loaded into the DOM class.  |
+| 0x80245002| WU_E_REDIRECTOR_S_FALSE| The redirector XML document is missing some required information. |
+| 0x80245003| WU_E_REDIRECTOR_ID_SMALLER| The redirectorId in the downloaded redirector cab is less than in the cached cab.  
|
+| 0x80245FFF| WU_E_REDIRECTOR_UNEXPECTED| The redirector failed for reasons not covered by another WU_E_REDIRECTOR_* error code.  |
+
+## Protocol Talker errors
+The following errors map to SOAPCLIENT_ERRORs through the Atlsoap.h file. These errors are obtained when the CClientWebService object calls the GetClientError() method.
+
+|Error code|Message|Description|
+|-|-|-|
+| 0x80244000| WU_E_PT_SOAPCLIENT_BASE| WU_E_PT_SOAPCLIENT_* error codes map to the SOAPCLIENT_ERROR enum of the ATL Server Library.|
+|0x80244001| WU_E_PT_SOAPCLIENT_INITIALIZE| Same as SOAPCLIENT_INITIALIZE_ERROR - initialization of the SOAP client failed possibly because of an MSXML installation failure. |
+| 0x80244002| WU_E_PT_SOAPCLIENT_OUTOFMEMORY| Same as SOAPCLIENT_OUTOFMEMORY - SOAP client failed because it ran out of memory. |
+| 0x80244003| WU_E_PT_SOAPCLIENT_GENERATE| Same as SOAPCLIENT_GENERATE_ERROR - SOAP client failed to generate the request.| 
+| 0x80244004| WU_E_PT_SOAPCLIENT_CONNECT| Same as SOAPCLIENT_CONNECT_ERROR - SOAP client failed to connect to the server. |
+| 0x80244005| WU_E_PT_SOAPCLIENT_SEND| Same as SOAPCLIENT_SEND_ERROR - SOAP client failed to send a message for reasons of WU_E_WINHTTP_* error codes.|
+| 0x80244006| WU_E_PT_SOAPCLIENT_SERVER| Same as SOAPCLIENT_SERVER_ERROR - SOAP client failed because there was a server error. |
+| 0x80244007| WU_E_PT_SOAPCLIENT_SOAPFAULT| Same as SOAPCLIENT_SOAPFAULT - SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_* error codes.|
+| 0x80244008| WU_E_PT_SOAPCLIENT_PARSEFAULT| Same as SOAPCLIENT_PARSEFAULT_ERROR - SOAP client failed to parse a SOAP fault.| 
+| 0x80244009| WU_E_PT_SOAPCLIENT_READ| Same as SOAPCLIENT_READ_ERROR - SOAP client failed while reading the response from the server.|
+| 0x8024400A| WU_E_PT_SOAPCLIENT_PARSE| Same as SOAPCLIENT_PARSE_ERROR - SOAP client failed to parse the response from the server. 
|
+
+
+
+## Other Protocol Talker errors
+The following errors map to SOAP_ERROR_CODEs from the Atlsoap.h file. These errors are obtained from the m_fault.m_soapErrCode member of the CClientWebService object when GetClientError() returns SOAPCLIENT_SOAPFAULT.
+
+|Error code|Message|Description|
+|-|-|-|
+| 0x8024400B| WU_E_PT_SOAP_VERSION| Same as SOAP_E_VERSION_MISMATCH - SOAP client found an unrecognizable namespace for the SOAP envelope.|
+| 0x8024400C| WU_E_PT_SOAP_MUST_UNDERSTAND| Same as SOAP_E_MUST_UNDERSTAND - SOAP client was unable to understand a header.  |
+| 0x8024400D| WU_E_PT_SOAP_CLIENT| Same as SOAP_E_CLIENT - SOAP client found the message was malformed; fix before resending. |
+| 0x8024400E| WU_E_PT_SOAP_SERVER| Same as SOAP_E_SERVER - The SOAP message could not be processed due to a server error; resend later. |
+| 0x8024400F| WU_E_PT_WMI_ERROR| There was an unspecified Windows Management Instrumentation (WMI) error.| 
+| 0x80244010| WU_E_PT_EXCEEDED_MAX_SERVER_TRIPS| The number of round trips to the server exceeded the maximum limit. |
+| 0x80244011| WU_E_PT_SUS_SERVER_NOT_SET| WUServer policy value is missing in the registry. |
+| 0x80244012| WU_E_PT_DOUBLE_INITIALIZATION| Initialization failed because the object was already initialized. |
+| 0x80244013| WU_E_PT_INVALID_COMPUTER_NAME| The computer name could not be determined. |
+| 0x80244015| WU_E_PT_REFRESH_CACHE_REQUIRED| The reply from the server indicates that the server was changed or the cookie was invalid; refresh the state of the internal cache and retry.| 
+| 0x80244016| WU_E_PT_HTTP_STATUS_BAD_REQUEST| Same as HTTP status 400 - the server could not process the request due to invalid syntax. |
+| 0x80244017| WU_E_PT_HTTP_STATUS_DENIED| Same as HTTP status 401 - the requested resource requires user authentication. 
|
+| 0x80244018| WU_E_PT_HTTP_STATUS_FORBIDDEN| Same as HTTP status 403 - server understood the request but declined to fulfill it.|
+| 0x80244019| WU_E_PT_HTTP_STATUS_NOT_FOUND| Same as HTTP status 404 - the server cannot find the requested URI (Uniform Resource Identifier). |
+| 0x8024401A| WU_E_PT_HTTP_STATUS_BAD_METHOD| Same as HTTP status 405 - the HTTP method is not allowed.  |
+| 0x8024401B| WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ| Same as HTTP status 407 - proxy authentication is required. |
+| 0x8024401C| WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT| Same as HTTP status 408 - the server timed out waiting for the request. |
+| 0x8024401D| WU_E_PT_HTTP_STATUS_CONFLICT| Same as HTTP status 409 - the request was not completed due to a conflict with the current state of the resource. |
+| 0x8024401E| WU_E_PT_HTTP_STATUS_GONE| Same as HTTP status 410 - requested resource is no longer available at the server.|
+| 0x8024401F| WU_E_PT_HTTP_STATUS_SERVER_ERROR| Same as HTTP status 500 - an error internal to the server prevented fulfilling the request. |
+| 0x80244020| WU_E_PT_HTTP_STATUS_NOT_SUPPORTED| Same as HTTP status 500 - server does not support the functionality required to fulfill the request. |
+| 0x80244021| WU_E_PT_HTTP_STATUS_BAD_GATEWAY |Same as HTTP status 502 - the server while acting as a gateway or a proxy received an invalid response from the upstream server it accessed in attempting to fulfil the request.|
+| 0x80244022| WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL| Same as HTTP status 503 - the service is temporarily overloaded.  |
+| 0x80244023| WU_E_PT_HTTP_STATUS_GATEWAY_TIMEOUT| Same as HTTP status 503 - the request was timed out waiting for a gateway. |
+| 0x80244024| WU_E_PT_HTTP_STATUS_VERSION_NOT_SUP| Same as HTTP status 505 - the server does not support the HTTP protocol version used for the request. 
|
+| 0x80244025| WU_E_PT_FILE_LOCATIONS_CHANGED| Operation failed due to a changed file location; refresh internal state and resend.| 
+| 0x80244026| WU_E_PT_REGISTRATION_NOT_SUPPORTED| Operation failed because Windows Update Agent does not support registration with a non-WSUS server. |
+| 0x80244027| WU_E_PT_NO_AUTH_PLUGINS_REQUESTED| The server returned an empty authentication information list.  |
+| 0x80244028| WU_E_PT_NO_AUTH_COOKIES_CREATED| Windows Update Agent was unable to create any valid authentication cookies. |
+| 0x80244029| WU_E_PT_INVALID_CONFIG_PROP| A configuration property value was wrong. |
+| 0x8024402A| WU_E_PT_CONFIG_PROP_MISSING| A configuration property value was missing. |
+| 0x8024402B| WU_E_PT_HTTP_STATUS_NOT_MAPPED| The HTTP request could not be completed and the reason did not correspond to any of the WU_E_PT_HTTP_* error codes. |
+| 0x8024402C| WU_E_PT_WINHTTP_NAME_NOT_RESOLVED| Same as ERROR_WINHTTP_NAME_NOT_RESOLVED - the proxy server or target server name cannot be resolved. |
+| 0x8024402F| WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS| External cab file processing completed with some errors.|
+| 0x80244030| WU_E_PT_ECP_INIT_FAILED| The external cab processor initialization did not complete. |
+| 0x80244031| WU_E_PT_ECP_INVALID_FILE_FORMAT| The format of a metadata file was invalid. |
+| 0x80244032| WU_E_PT_ECP_INVALID_METADATA| External cab processor found invalid metadata. |
+| 0x80244033| WU_E_PT_ECP_FAILURE_TO_EXTRACT_DIGEST| The file digest could not be extracted from an external cab file. |
+| 0x80244034| WU_E_PT_ECP_FAILURE_TO_DECOMPRESS_CAB_FILE| An external cab file could not be decompressed. |
+| 0x80244035| WU_E_PT_ECP_FILE_LOCATION_ERROR| External cab processor was unable to get file locations. |
+| 0x80244FFF| WU_E_PT_UNEXPECTED| A communication error not covered by another WU_E_PT_* error code. 
|
+| 0x8024502D| WU_E_PT_SAME_REDIR_ID| Windows Update Agent failed to download a redirector cabinet file with a new redirectorId value from the server during the recovery. |
+| 0x8024502E| WU_E_PT_NO_MANAGED_RECOVER| A redirector recovery action did not complete because the server is managed. |
+
+## Download Manager errors
+
+|Error code|Message|Description|
+|-|-|-|
+| 0x80246001| WU_E_DM_URLNOTAVAILABLE| A download manager operation could not be completed because the requested file does not have a URL. |
+| 0x80246002| WU_E_DM_INCORRECTFILEHASH| A download manager operation could not be completed because the file digest was not recognized. |
+| 0x80246003| WU_E_DM_UNKNOWNALGORITHM| A download manager operation could not be completed because the file metadata requested an unrecognized hash algorithm. |
+| 0x80246004| WU_E_DM_NEEDDOWNLOADREQUEST| An operation could not be completed because a download request is required from the download handler. |
+| 0x80246005| WU_E_DM_NONETWORK| A download manager operation could not be completed because the network connection was unavailable. |
+| 0x80246006| WU_E_DM_WRONGBITSVERSION| A download manager operation could not be completed because the version of Background Intelligent Transfer Service (BITS) is incompatible.| 
+| 0x80246007| WU_E_DM_NOTDOWNLOADED| The update has not been downloaded. |
+| 0x80246008| WU_E_DM_FAILTOCONNECTTOBITS| A download manager operation failed because the download manager was unable to connect the Background Intelligent Transfer Service (BITS).| 
+| 0x80246009|WU_E_DM_BITSTRANSFERERROR| A download manager operation failed because there was an unspecified Background Intelligent Transfer Service (BITS) transfer error.  |
+| 0x8024600A| WU_E_DM_DOWNLOADLOCATIONCHANGED| A download must be restarted because the location of the source of the download has changed.| 
+| 0x8024600B| WU_E_DM_CONTENTCHANGED| A download must be restarted because the update content changed in a new revision.  
|
+| 0x80246FFF| WU_E_DM_UNEXPECTED| There was a download manager error not covered by another WU_E_DM_* error code.  |
+
+## Update Handler errors
+
+|Error code|Message|Description|
+|-|-|-|
+| 0x80242000| WU_E_UH_REMOTEUNAVAILABLE|9 A request for a remote update handler could not be completed because no remote process is available. |
+| 0x80242001| WU_E_UH_LOCALONLY| A request for a remote update handler could not be completed because the handler is local only. |
+| 0x80242002| WU_E_UH_UNKNOWNHANDLER| A request for an update handler could not be completed because the handler could not be recognized. |
+| 0x80242003| WU_E_UH_REMOTEALREADYACTIVE| A remote update handler could not be created because one already exists.  |
+| 0x80242004| WU_E_UH_DOESNOTSUPPORTACTION| A request for the handler to install (uninstall) an update could not be completed because the update does not support install (uninstall).| 
+| 0x80242005| WU_E_UH_WRONGHANDLER| An operation did not complete because the wrong handler was specified.  |
+| 0x80242006| WU_E_UH_INVALIDMETADATA| A handler operation could not be completed because the update contains invalid metadata. |
+| 0x80242007| WU_E_UH_INSTALLERHUNG| An operation could not be completed because the installer exceeded the time limit. |
+| 0x80242008| WU_E_UH_OPERATIONCANCELLED| An operation being done by the update handler was cancelled. |
+| 0x80242009| WU_E_UH_BADHANDLERXML| An operation could not be completed because the handler-specific metadata is invalid.  |
+| 0x8024200A| WU_E_UH_CANREQUIREINPUT| A request to the handler to install an update could not be completed because the update requires user input. |
+| 0x8024200B| WU_E_UH_INSTALLERFAILURE| The installer failed to install (uninstall) one or more updates.  |
+| 0x8024200C| WU_E_UH_FALLBACKTOSELFCONTAINED| The update handler should download self-contained content rather than delta-compressed content for the update. 
|
+| 0x8024200D| WU_E_UH_NEEDANOTHERDOWNLOAD| The update handler did not install the update because it needs to be downloaded again.  |
+| 0x8024200E| WU_E_UH_NOTIFYFAILURE| The update handler failed to send notification of the status of the install (uninstall) operation.  |
+| 0x8024200F| WU_E_UH_INCONSISTENT_FILE_NAMES | The file names contained in the update metadata and in the update package are inconsistent.  |
+| 0x80242010| WU_E_UH_FALLBACKERROR| The update handler failed to fall back to the self-contained content.  |
+| 0x80242011| WU_E_UH_TOOMANYDOWNLOADREQUESTS| The update handler has exceeded the maximum number of download requests.  |
+| 0x80242012| WU_E_UH_UNEXPECTEDCBSRESPONSE| The update handler has received an unexpected response from CBS.  |
+| 0x80242013| WU_E_UH_BADCBSPACKAGEID| The update metadata contains an invalid CBS package identifier.  |
+| 0x80242014| WU_E_UH_POSTREBOOTSTILLPENDING| The post-reboot operation for the update is still in progress.  |
+| 0x80242015| WU_E_UH_POSTREBOOTRESULTUNKNOWN| The result of the post-reboot operation for the update could not be determined.  |
+| 0x80242016| WU_E_UH_POSTREBOOTUNEXPECTEDSTATE| The state of the update after its post-reboot operation has completed is unexpected.  |
+| 0x80242017| WU_E_UH_NEW_SERVICING_STACK_REQUIRED| The OS servicing stack must be updated before this update is downloaded or installed.  |
+| 0x80242FFF| WU_E_UH_UNEXPECTED| An update handler error not covered by another WU_E_UH_* code.  |
+
+## Data Store errors
+
+|Error code|Message|Description |
+|-|-|-|
+| 0x80248000| WU_E_DS_SHUTDOWN| An operation failed because Windows Update Agent is shutting down.  |
+| 0x80248001| WU_E_DS_INUSE| An operation failed because the data store was in use.| 
+| 0x80248002| WU_E_DS_INVALID| The current and expected states of the data store do not match.| 
+| 0x80248003| WU_E_DS_TABLEMISSING| The data store is missing a table.  
|
+| 0x80248004| WU_E_DS_TABLEINCORRECT| The data store contains a table with unexpected columns.  |
+| 0x80248005| WU_E_DS_INVALIDTABLENAME| A table could not be opened because the table is not in the data store. |
+| 0x80248006| WU_E_DS_BADVERSION| The current and expected versions of the data store do not match. |
+| 0x80248007| WU_E_DS_NODATA| The information requested is not in the data store.  |
+| 0x80248008| WU_E_DS_MISSINGDATA| The data store is missing required information or has a NULL in a table column that requires a non-null value.  |
+| 0x80248009| WU_E_DS_MISSINGREF| The data store is missing required information or has a reference to missing license terms file localized property or linked row. |
+| 0x8024800A| WU_E_DS_UNKNOWNHANDLER| The update was not processed because its update handler could not be recognized.  |
+| 0x8024800B| WU_E_DS_CANTDELETE| The update was not deleted because it is still referenced by one or more services.  |
+| 0x8024800C| WU_E_DS_LOCKTIMEOUTEXPIRED| The data store section could not be locked within the allotted time.  |
+| 0x8024800D| WU_E_DS_NOCATEGORIES | The category was not added because it contains no parent categories and is not a top-level category itself.  |
+| 0x8024800E| WU_E_DS_ROWEXISTS| The row was not added because an existing row has the same primary key.  |
+| 0x8024800F| WU_E_DS_STOREFILELOCKED| The data store could not be initialized because it was locked by another process.  |
+| 0x80248010| WU_E_DS_CANNOTREGISTER| The data store is not allowed to be registered with COM in the current process. 
+| 0x80248011| WU_E_DS_UNABLETOSTART| Could not create a data store object in another process. 
+| 0x80248013| WU_E_DS_DUPLICATEUPDATEID |The server sent the same update to the client with two different revision IDs. 
+| 0x80248014 |WU_E_DS_UNKNOWNSERVICE| An operation did not complete because the service is not in the data store.  
+| 0x80248015 |WU_E_DS_SERVICEEXPIRED |An operation did not complete because the registration of the service has expired. 
+| 0x80248016 | WU_E_DS_DECLINENOTALLOWED | A request to hide an update was declined because it is a mandatory update or because it was deployed with a deadline. 
+| 0x80248017 | WU_E_DS_TABLESESSIONMISMATCH| A table was not closed because it is not associated with the session. 
+| 0x80248018 | WU_E_DS_SESSIONLOCKMISMATCH| A table was not closed because it is not associated with the session. 
+| 0x80248019 | WU_E_DS_NEEDWINDOWSSERVICE| A request to remove the Windows Update service or to unregister it with Automatic Updates was declined because it is a built-in service and/or Automatic Updates cannot fall back to another service. 
+| 0x8024801A | WU_E_DS_INVALIDOPERATION| A request was declined because the operation is not allowed. 
+| 0x8024801B | WU_E_DS_SCHEMAMISMATCH| The schema of the current data store and the schema of a table in a backup XML document do not match. 
+| 0x8024801C | WU_E_DS_RESETREQUIRED| The data store requires a session reset; release the session and retry with a new session. 
+| 0x8024801D | WU_E_DS_IMPERSONATED| A data store operation did not complete because it was requested with an impersonated identity. 
+| 0x80248FFF | WU_E_DS_UNEXPECTED| A data store error not covered by another WU_E_DS_* code. 
+
+## Driver Util errors
+The PnP enumerated device is removed from the System Spec because one of the hardware IDs or the compatible IDs matches an installed printer driver. This is not a fatal error, and the device is merely skipped.
+
+|Error code|Message|Description
+|-|-|-|
+| 0x8024C001 | WU_E_DRV_PRUNED| A driver was skipped. 
+| 0x8024C002 |WU_E_DRV_NOPROP_OR_LEGACY| A property for the driver could not be found. It may not conform with required specifications. 
+| 0x8024C003 | WU_E_DRV_REG_MISMATCH| The registry type read for the driver does not match the expected type.  
+| 0x8024C004 | WU_E_DRV_NO_METADATA| The driver update is missing metadata. 
+| 0x8024C005 | WU_E_DRV_MISSING_ATTRIBUTE| The driver update is missing a required attribute. 
+| 0x8024C006| WU_E_DRV_SYNC_FAILED| Driver synchronization failed. 
+| 0x8024C007 | WU_E_DRV_NO_PRINTER_CONTENT| Information required for the synchronization of applicable printers is missing. 
+| 0x8024CFFF | WU_E_DRV_UNEXPECTED| A driver error not covered by another WU_E_DRV_* code. 
+
+## Windows Update error codes
+
+|Error code|Message|Description
+|-|-|-|
+| 0x80240001 | WU_E_NO_SERVICE| Windows Update Agent was unable to provide the service. 
+| 0x80240002 | WU_E_MAX_CAPACITY_REACHED | The maximum capacity of the service was exceeded. 
+| 0x80240003 | WU_E_UNKNOWN_ID| An ID cannot be found. 
+| 0x80240004 | WU_E_NOT_INITIALIZED| The object could not be initialized. 
+| 0x80240005 | WU_E_RANGEOVERLAP |The update handler requested a byte range overlapping a previously requested range. 
+| 0x80240006 | WU_E_TOOMANYRANGES| The requested number of byte ranges exceeds the maximum number (2^31 - 1). 
+| 0x80240007 | WU_E_INVALIDINDEX| The index to a collection was invalid. 
+| 0x80240008 | WU_E_ITEMNOTFOUND| The key for the item queried could not be found. 
+| 0x80240009 | WU_E_OPERATIONINPROGRESS| Another conflicting operation was in progress. Some operations such as installation cannot be performed twice simultaneously. 
+| 0x8024000A | WU_E_COULDNOTCANCEL| Cancellation of the operation was not allowed. 
+| 0x8024000B | WU_E_CALL_CANCELLED| Operation was cancelled. 
+| 0x8024000C | WU_E_NOOP| No operation was required. 
+| 0x8024000D | WU_E_XML_MISSINGDATA| Windows Update Agent could not find required information in the update's XML data. 
+| 0x8024000E | WU_E_XML_INVALID| Windows Update Agent found invalid information in the update's XML data. 
+| 0x8024000F | WU_E_CYCLE_DETECTED | Circular update relationships were detected in the metadata.  
+| 0x80240010 | WU_E_TOO_DEEP_RELATION| Update relationships too deep to evaluate were evaluated. 
+| 0x80240011 | WU_E_INVALID_RELATIONSHIP| An invalid update relationship was detected. 
+| 0x80240012 | WU_E_REG_VALUE_INVALID| An invalid registry value was read. 
+| 0x80240013 | WU_E_DUPLICATE_ITEM| Operation tried to add a duplicate item to a list. 
+| 0x80240016 | WU_E_INSTALL_NOT_ALLOWED| Operation tried to install while another installation was in progress or the system was pending a mandatory restart. 
+| 0x80240017 | WU_E_NOT_APPLICABLE| Operation was not performed because there are no applicable updates. 
+| 0x80240018 | WU_E_NO_USERTOKEN| Operation failed because a required user token is missing. 
+| 0x80240019 | WU_E_EXCLUSIVE_INSTALL_CONFLICT| An exclusive update cannot be installed with other updates at the same time. 
+| 0x8024001A | WU_E_POLICY_NOT_SET | A policy value was not set. 
+| 0x8024001B | WU_E_SELFUPDATE_IN_PROGRESS| The operation could not be performed because the Windows Update Agent is self-updating. 
+| 0x8024001D | WU_E_INVALID_UPDATE| An update contains invalid metadata. 
+| 0x8024001E | WU_E_SERVICE_STOP| Operation did not complete because the service or system was being shut down. 
+| 0x8024001F | WU_E_NO_CONNECTION| Operation did not complete because the network connection was unavailable. 
+| 0x80240020 | WU_E_NO_INTERACTIVE_USER| Operation did not complete because there is no logged-on interactive user. 
+| 0x80240021 | WU_E_TIME_OUT| Operation did not complete because it timed out. 
+| 0x80240022 | WU_E_ALL_UPDATES_FAILED| Operation failed for all the updates. 
+| 0x80240023 | WU_E_EULAS_DECLINED| The license terms for all updates were declined. 
+| 0x80240024 | WU_E_NO_UPDATE| There are no updates. 
+| 0x80240025 | WU_E_USER_ACCESS_DISABLED| Group Policy settings prevented access to Windows Update. 
+| 0x80240026 | WU_E_INVALID_UPDATE_TYPE| The type of update is invalid.  
+| 0x80240027 | WU_E_URL_TOO_LONG| The URL exceeded the maximum length. 
+| 0x80240028 | WU_E_UNINSTALL_NOT_ALLOWED| The update could not be uninstalled because the request did not originate from a WSUS server. 
+| 0x80240029 | WU_E_INVALID_PRODUCT_LICENSE| Search may have missed some updates before there is an unlicensed application on the system. 
+| 0x8024002A | WU_E_MISSING_HANDLER| A component required to detect applicable updates was missing. 
+| 0x8024002B | WU_E_LEGACYSERVER| An operation did not complete because it requires a newer version of server. 
+| 0x8024002C | WU_E_BIN_SOURCE_ABSENT| A delta-compressed update could not be installed because it required the source. 
+| 0x8024002D | WU_E_SOURCE_ABSENT| A full-file update could not be installed because it required the source. 
+| 0x8024002E | WU_E_WU_DISABLED| Access to an unmanaged server is not allowed. 
+| 0x8024002F | WU_E_CALL_CANCELLED_BY_POLICY| Operation did not complete because the DisableWindowsUpdateAccess policy was set. 
+| 0x80240030 | WU_E_INVALID_PROXY_SERVER| The format of the proxy list was invalid. 
+| 0x80240031 | WU_E_INVALID_FILE| The file is in the wrong format. 
+| 0x80240032 | WU_E_INVALID_CRITERIA| The search criteria string was invalid. 
+| 0x80240033 | WU_E_EULA_UNAVAILABLE| License terms could not be downloaded. 
+| 0x80240034 | WU_E_DOWNLOAD_FAILED| Update failed to download. 
+| 0x80240035 | WU_E_UPDATE_NOT_PROCESSED| The update was not processed. 
+| 0x80240036 | WU_E_INVALID_OPERATION| The object's current state did not allow the operation. 
+| 0x80240037 | WU_E_NOT_SUPPORTED| The functionality for the operation is not supported. 
+| 0x80240038 | WU_E_WINHTTP_INVALID_FILE| The downloaded file has an unexpected content type. 
+| 0x80240039 | WU_E_TOO_MANY_RESYNC| Agent is asked by server to resync too many times. 
+| 0x80240040 | WU_E_NO_SERVER_CORE_SUPPORT| WUA API method does not run on Server Core installation. 
+| 0x80240041 | WU_E_SYSPREP_IN_PROGRESS| Service is not available while sysprep is running. 
+| 0x80240042 | WU_E_UNKNOWN_SERVICE| The update service is no longer registered with AU. 
+| 0x80240043 | WU_E_NO_UI_SUPPORT| There is no support for WUA UI. 
+| 0x80240FFF | WU_E_UNEXPECTED| An operation failed due to reasons not covered by another error code. 
+
+## Windows Update success codes
+
+|Error code|Message|Description
+|-|-|-|
+| 0x00240001| WU_S_SERVICE_STOP| Windows Update Agent was stopped successfully. 
+| 0x00240002 | WU_S_SELFUPDATE| Windows Update Agent updated itself. 
+| 0x00240003 | WU_S_UPDATE_ERROR| Operation completed successfully but there were errors applying the updates. 
+| 0x00240004 | WU_S_MARKED_FOR_DISCONNECT| A callback was marked to be disconnected later because the request to disconnect the operation came while a callback was executing. 
+| 0x00240005 | WU_S_REBOOT_REQUIRED| The system must be restarted to complete installation of the update. 
+| 0x00240006 | WU_S_ALREADY_INSTALLED| The update to be installed is already installed on the system. 
+| 0x00240007 | WU_S_ALREADY_UNINSTALLED | The update to be removed is not installed on the system. 
+| 0x00240008 | WU_S_ALREADY_DOWNLOADED| The update to be downloaded has already been downloaded. 
+
+## Windows Installer minor errors
+The following errors are used to indicate that part of a search fails because of Windows Installer problems. Another part of the search may successfully return updates. All Windows Installer minor codes must share the same error code range so that the caller can tell that they are related to Windows Installer.
+
+|Error code|Message|Description
+|-|-|-|
+| 0x80241001 |WU_E_MSI_WRONG_VERSION| Search may have missed some updates because the Windows Installer is less than version 3.1. 
+| 0x80241002 | WU_E_MSI_NOT_CONFIGURED| Search may have missed some updates because the Windows Installer is not configured. 
+| 0x80241003 | WU_E_MSP_DISABLED| Search may have missed some updates because policy has disabled Windows Installer patching. 
+| 0x80241004 | WU_E_MSI_WRONG_APP_CONTEXT| An update could not be applied because the application is installed per-user. 
+| 0x80241FFF | WU_E_MSP_UNEXPECTED| Search may have missed some updates because there was a failure of the Windows Installer. 
+
+## Windows Update Agent update and setup errors
+
+|Error code|Message|Description
+|-|-|-|
+| 0x8024D001 | WU_E_SETUP_INVALID_INFDATA| Windows Update Agent could not be updated because an INF file contains invalid information. 
+| 0x8024D002 | WU_E_SETUP_INVALID_IDENTDATA| Windows Update Agent could not be updated because the wuident.cab file contains invalid information. 
+| 0x8024D003 | WU_E_SETUP_ALREADY_INITIALIZED| Windows Update Agent could not be updated because of an internal error that caused setup initialization to be performed twice. 
+| 0x8024D004 | WU_E_SETUP_NOT_INITIALIZED| Windows Update Agent could not be updated because setup initialization never completed successfully. 
+| 0x8024D005 | WU_E_SETUP_SOURCE_VERSION_MISMATCH| Windows Update Agent could not be updated because the versions specified in the INF do not match the actual source file versions. 
+| 0x8024D006 | WU_E_SETUP_TARGET_VERSION_GREATER| Windows Update Agent could not be updated because a WUA file on the target system is newer than the corresponding source file. 
+| 0x8024D007 | WU_E_SETUP_REGISTRATION_FAILED| Windows Update Agent could not be updated because regsvr32.exe returned an error. 
+| 0x8024D009 | WU_E_SETUP_SKIP_UPDATE| An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file. 
+| 0x8024D00A | WU_E_SETUP_UNSUPPORTED_CONFIGURATION| Windows Update Agent could not be updated because the current system configuration is not supported. 
+| 0x8024D00B | WU_E_SETUP_BLOCKED_CONFIGURATION| Windows Update Agent could not be updated because the system is configured to block the update. 
+| 0x8024D00C | WU_E_SETUP_REBOOT_TO_FIX| Windows Update Agent could not be updated because a restart of the system is required. 
+| 0x8024D00D | WU_E_SETUP_ALREADYRUNNING| Windows Update Agent setup is already running. 
+| 0x8024D00E | WU_E_SETUP_REBOOTREQUIRED| Windows Update Agent setup package requires a reboot to complete installation. 
+| 0x8024D00F | WU_E_SETUP_HANDLER_EXEC_FAILURE| Windows Update Agent could not be updated because the setup handler failed during execution. 
+| 0x8024D010 | WU_E_SETUP_INVALID_REGISTRY_DATA| Windows Update Agent could not be updated because the registry contains invalid information. 
+| 0x8024D013 | WU_E_SETUP_WRONG_SERVER_VERSION| Windows Update Agent could not be updated because the server does not contain update information for this version. 
+| 0x8024DFFF | WU_E_SETUP_UNEXPECTED| Windows Update Agent could not be updated because of an error not covered by another WU_E_SETUP_* error code. 
\ No newline at end of file
diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md
new file mode 100644
index 0000000000..25fd1a5279
--- /dev/null
+++ b/windows/deployment/update/windows-update-errors.md
@@ -0,0 +1,35 @@
+---
+title: Windows Update common errors and mitigation
+description: Learn about some common issues you might experience with Windows Update
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 09/18/2018
+---
+
+# Windows Update common errors and mitigation
+
+>Applies to: Windows 10
+
+The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them.
+
+|Error Code|Message|Description|Mitigation|
+|-|-|-|-|
+|0x8024402F|WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS|External cab file processing completed with some errors|One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
      The IP addresses of the computers you want to get updates successfully on, should be added to the exceptions list of Lightspeed |
+|0x80242006|WU_E_UH_INVALIDMETADATA|A handler operation could not be completed because the update contains invalid metadata.|Rename Software Redistribution Folder and attempt to download the updates again:
      Rename the following folders to *.BAK:
      - %systemroot%\system32\catroot2

      To do this, type the following commands at a command prompt. Press ENTER after you type each command.
      - Ren %systemroot%\SoftwareDistribution\DataStore *.bak
      - Ren %systemroot%\SoftwareDistribution\Download *.bak
      Ren %systemroot%\system32\catroot2 *.bak |
+|0x80070BC9|ERROR_FAIL_REBOOT_REQUIRED|The requested operation failed. A system reboot is required to roll back changes made.|Ensure that we do not have any policies that control the start behavior for the Windows Module Installer. This service should not be hardened to any start value and should be managed by the OS.|
+|0x80200053|BG_E_VALIDATION_FAILED|NA|Ensure that there is no Firewalls that filter downloads. The Firewall filtering may lead to invalid responses being received by the Windows Update Client.

      If the issue still persists, run the [WU reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). |
+|0x80072EE2|WININET_E_TIMEOUT|The operation timed out|This error message can be caused if the computer isn't connected to Internet. To fix this issue, following these steps: make sure these URLs are not blocked:
      http://*.update.microsoft.com
      https://*.update.microsoft.com
      http://download.windowsupdate.com

      Additionally , you can take a network trace and see what is timing out. |
+|0x80072EFD
      0x80072EFE 
      0x80D02002|TIME OUT ERRORS|The operation timed out|Make sure there are no firewall rules or proxy to block Microsoft download URLs.
      Take a network monitor trace to understand better. |
+|0X8007000D|ERROR_INVALID_DATA|Indicates invalid data downloaded or corruption occurred.|Attempt to re-download the update and initiate installation. |
+|0x8024A10A|USO_E_SERVICE_SHUTTING_DOWN|Indicates that the WU Service is shutting down.|This may happen due to a very long period of time of inactivity, a system hang leading to the service being idle and leading to the shutdown of the service. Ensure that the system remains active and the connections remain established to complete the upgrade. |
+|0x80240020|WU_E_NO_INTERACTIVE_USER|Operation did not complete because there is no logged-on interactive user.|Please login to the system to initiate the installation and allow the system to be rebooted. |
+|0x80242014|WU_E_UH_POSTREBOOTSTILLPENDING|The post-reboot operation for the update is still in progress.|Some Windows Updates require the system to be restarted. Reboot the system to complete the installation of the Updates. |
+|0x80246017|WU_E_DM_UNAUTHORIZED_LOCAL_USER|The download failed because the local user was denied authorization to download the content.|Ensure that the user attempting to download and install updates has been provided with sufficient privileges to install updates (Local Administrator).|
+|0x8024000B|WU_E_CALL_CANCELLED|Operation was cancelled.|This indicates that the operation was cancelled by the user/service. You may also encounter this error when we are unable to filter the results. Run the [Decline Superseded PowerShell script](https://gallery.technet.microsoft.com/scriptcenter/Cleanup-WSUS-server-4424c9d6) to allow the filtering process to complete.|
+|0x8024000E|WU_E_XML_INVALID|Windows Update Agent found invalid information in the update's XML data.|Certain drivers contain additional metadata information in the update.xml, which could lead Orchestrator to understand it as invalid data. Ensure that you have the latest Windows Update Agent installed on the machine. 
|
+|0x8024D009|WU_E_SETUP_SKIP_UPDATE|An update to the Windows Update Agent was skipped due to a directive in the wuident.cab file.|You may encounter this error when WSUS is not sending the Self-update to the clients.

      Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue.|
+|0x80244007|WU_E_PT_SOAPCLIENT_SOAPFAULT|SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_* error codes.|This issue occurs because Windows cannot renew the cookies for Windows Update.

      Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue.|
\ No newline at end of file
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
new file mode 100644
index 0000000000..b202854a46
--- /dev/null
+++ b/windows/deployment/update/windows-update-logs.md
@@ -0,0 +1,142 @@
+---
+title: Windows Update log files
+description: Learn about the Windows Update log files
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 09/18/2018
+---
+
+# Windows Update log files
+
+>Applies to: Windows 10
+
+The following table describes the log files created by Windows Update.
+
+
+|Log file|Location|Description|When to Use |
+|-|-|-|-|
+|windowsupdate.log|C:\Windows\Logs\WindowsUpdate|Starting in Windows 8.1 and continuing in Windows 10, Windows Update client uses Event Tracing for Windows (ETW) to generate diagnostic logs.|If you receive an error message when you run Windows Update (WU), you can use the information that is included in the Windowsupdate.log log file to troubleshoot the issue.|
+|UpdateSessionOrchestration.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the Update Orchestrator is responsible for sequence of downloading and installing various update types from Windows Update. And the events are logged to these etl files.|When you see that the updates are available but download is not getting triggered.
      When Updates are downloaded but installation is not triggered.
      When Updates are installed but reboot is not triggered. |
+|NotificationUxBroker.etl|C:\ProgramData\USOShared\Logs|Starting Windows 10, the notification toast or the banner is triggered by this NotificationUxBroker.exe . And the logs to check its working is this etl. |When you want to check whether the Notification was triggered or not for reboot or update availability etc. |
+|CBS.log|%systemroot%\Logs\CBS|This logs provides insight on the update installation part in the servicing stack.|To troubleshoot the issues related to WU installation.|
+
+## Generating WindowsUpdate.log
+To merge and convert WU trace files (.etl files) into a single readable WindowsUpdate.log file, see [Get-WindowsUpdateLog](https://docs.microsoft.com/powershell/module/windowsupdate/get-windowsupdatelog?view=win10-ps).
+
+>[!NOTE]
+>When you run the **Get-WindowsUpdateLog** cmdlet, an copy of WindowsUpdate.log file is created as a static log file. It does not update as the old WindowsUpate.log unless you run **Get-WindowsUpdateLog** again.
+
+### Windows Update log components
+The WU engine has different component names. 
The following are some of the most common components that appear in the WindowsUpdate.log file:
+
+- AGENT- Windows Update agent
+- AU - Automatic Updates is performing this task
+- AUCLNT- Interaction between AU and the logged-on user
+- CDM- Device Manager
+- CMPRESS- Compression agent
+- COMAPI- Windows Update API
+- DRIVER- Device driver information
+- DTASTOR- Handles database transactions
+- EEHNDLER- Expression handler that's used to evaluate update applicability
+- HANDLER- Manages the update installers
+- MISC- General service information
+- OFFLSNC- Detects available updates without network connection
+- PARSER- Parses expression information
+- PT- Synchronizes updates information to the local datastore
+- REPORT- Collects reporting information
+- SERVICE- Startup/shutdown of the Automatic Updates service
+- SETUP- Installs new versions of the Windows Update client when it is available
+- SHUTDWN- Install at shutdown feature
+- WUREDIR- The Windows Update redirector files
+- WUWEB- The Windows Update ActiveX control
+- ProtocolTalker - Client-server sync
+- DownloadManager - Creates and monitors payload downloads
+- Handler, Setup - Installer handlers (CBS, and so on)
+- EEHandler - Evaluating update applicability rules
+- DataStore - Caching update data locally
+- IdleTimer - Tracking active calls, stopping a service
+
+>[!NOTE]
+>Many component log messages are invaluable if you are looking for problems in that specific area. However, they can be useless if you don't filter to exclude irrelevant components so that you can focus on what’s important.
+
+### Windows Update log structure
+The Windows update log structure is separated into four main identities:
+
+- Time Stamps
+- Process ID and Thread ID
+- Component Name
+- Update Identifiers
+ - Update ID and Revision Number
+ - Revision ID
+ - Local ID
+ - Inconsistent terminology
+
+The WindowsUpdate.log structure is discussed in the following sections. 
+
+#### Time stamps
+The time stamp indicates the time at which the logging occurs.
+- Messages are usually in chronological order, but there may be exceptions.
+- A pause during a sync can indicate a network problem, even if the scan succeeds.
+- A long pause near the end of a scan can indicate a supersedence chain issue.
+ ![Windows Update time stamps](images/update-time-log.png)
+
+
+#### Process ID and thread ID
+The Process IDs and Thread IDs are random, and they can vary from log to log and even from service session to service session within the same log.
+- The first four hex digits are the process ID.
+- The next four hex digits are the thread ID.
+- Each component, such as the USO, WU engine, COM API callers, and WU installer handlers, has its own process ID.
+ ![Windows Update process and thread IDs](images/update-process-id.png)
+
+
+#### Component name
+Search for and identify the components that are associated with the IDs. Different parts of the WU engine have different component names. Some of them are as follows:
+
+- ProtocolTalker - Client-server sync
+- DownloadManager - Creates and monitors payload downloads
+- Handler, Setup - Installer handlers (CBS, etc.)
+- EEHandler - Evaluating update applicability rules
+- DataStore - Caching update data locally
+- IdleTimer - Tracking active calls, stopping service
+
+![Windows Update component name](images/update-component-name.png)
+
+
+#### Update identifiers
+
+##### Update ID and revision number
+There are different identifiers for the same update in different contexts. It’s important to know the identifier schemes.
+- Update ID: A GUID (indicated in the previous screen shot) that's assigned to a given update at publication time
+- Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service
+- Revision numbers are reused from one update to another (not a unique identifier). 
+- The update ID and revision number are often shown together as "{GUID}.revision."
+ ![Windows Update update identifiers](images/update-update-id.png)
+
+
+##### Revision ID
+- A Revision ID (do no confuse this with “revision number”) is a serial number that's issued when an update is initially published or revised on a given service.
+- An existing update that’s revised keeps the same update ID (GUID), has its revision number incremented (for example, from 100 to 101), but gets a completely new revision ID that is not related to the previous ID.
+- Revision IDs are unique on a given update source, but not across multiple sources.
+- The same update revision may have completely different revision IDs on WU and WSUS.
+- The same revision ID may represent different updates on WU and WSUS.
+
+##### Local ID
+- Local ID is a serial number issued when an update is received from a service by a given WU client
+- Usually seen in debug logs, especially involving the local cache for update info (Datastore)
+- Different client PCs will assign different Local IDs to the same update
+- You can find the local IDs that a client is using by getting the client’s %WINDIR%\SoftwareDistribution\Datastore\Datastore.edb file
+
+##### Inconsistent terminology
+- Sometimes the logs use terms inconsistently. For example, the InstalledNonLeafUpdateIDs list actually contains revision IDs, not update IDs.
+- Recognize IDs by form and context:
+
+ - GUIDs are update IDs
+ - Small integers that appear alongside an update ID are revision numbers
+ - Large integers are typically revision IDs
+ - Small integers (especially in Datastore) can be local IDs
+ ![Windows Update inconsisten terminology](images/update-inconsistent.png)
+
diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md
new file mode 100644
index 0000000000..a89c60d9ec
--- /dev/null
+++ b/windows/deployment/update/windows-update-overview.md
@@ -0,0 +1,54 @@
+---
+title: Get started with Windows Update
+description: Learn how Windows Update works, including architecture and troubleshooting
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 09/18/2018
+---
+
+# Get started with Windows Update
+
+>Applies to: Windows 10
+
+With the release of Windows 10, we moved the update model to the Unified Update Platform. Unified Update Platform (UUP) is a single publishing, hosting, scan and download model for all types of OS updates, desktop and mobile for all Windows-based operating systems, for everything from monthly quality updates to new feature updates.
+
+Ues the following information to get started with Windows Update:
+
+- Understand the UUP architecture
+- Understand [how Windows Update works](how-windows-update-works.md)
+- Find [Windows Update log files](windows-update-logs.md)
+- Learn how to [troubleshoot Windows Update](windows-update-troubleshooting.md)
+- Review [common Windows Update errors](windows-update-errors.md) and check out the [error code reference](windows-update-error-reference.md)
+- Review [other resources](windows-update-resources.md) to help you use Windows Update
+
+## Unified Update Platform (UUP) architecture
+To understand the changes to the Windows Update architecture that UUP introduces let's start with some new key terms.
+
+![Windows Update terminology](images/update-terminology.png)
+
+- **Update UI** – The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**.
+- **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update. 
+
+ Update types-
+ - OS Feature updates
+ - OS Security updates
+ - Device drivers
+ - Defender definition updates
+
+ >[!NOTE]
+ > Other types of updates, like Office desktop updates, are installed if the user opts into Microsoft Update.
+ >
+ >Store apps aren't installed by USO, today they are separate.
+
+- **WU Client/ UpdateAgent** - The component running on your PC. It's essentially a DLL that is downloaded to the device when an update is applicable. It surfaces the APIs needed to perform an update, including those needed to generate a list of payloads to download, as well as starts stage and commit operations. It provides a unified interface that abstracts away the underlying update technologies from the caller.
+- **WU Arbiter handle**- Code that is included in the UpdateAgent binary. The arbiter gathers information about the device, and uses the CompDB(s) to output an action list. It is responsible for determining the final "composition state" of your device, and which payloads (like ESDs or packages) are needed to get your device up to date.
+- **Deployment Arbiter**- A deployment manager that calls different installers. For example, CBS.
+
+Additional components include the following-
+
+- **CompDB** – A generic term to refer to the XML describing information about target build composition, available diff packages, and conditional rules.
+- **Action List** – The payload and additional information needed to perform an update. The action list is consumed by the UpdateAgent, as well as other installers to determine what payload to download. It's also consumed by the "Install Agent" to determine what actions need to be taken, such as installing or removing packages.
\ No newline at end of file
diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md
new file mode 100644
index 0000000000..eeac6b3852
--- /dev/null
+++ b/windows/deployment/update/windows-update-resources.md
@@ -0,0 +1,123 @@
+---
+title: Windows Update - Additional resources
+description: Additional resources for Windows Update
+ms.prod: w10
+ms.mktglfcycl:
+ms.sitesec: library
+author: kaushika-msft
+ms.localizationpriority: medium
+ms.author: elizapo
+ms.date: 09/18/2018
+---
+
+# Windows Update - additional resources
+
+>Applies to: Windows 10
+
+The following resources provide additional information about using Windows Update.
+
+## WSUS Troubleshooting
+
+[Troubleshooting issues with WSUS client agents](https://support.microsoft.com/help/10132/)
+
+[How to troubleshoot WSUS](https://support.microsoft.com/help/4025764/)
+
+[Error 80244007 when WSUS client scans for updates](https://support.microsoft.com/help/4096317/)
+
+[Updates may not be installed with Fast Startup in Windows 10](https://support.microsoft.com/help/4011287/)
+
+
+## How do I reset Windows Update components?
+
+[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-WindowsUpdateps1-e0c5eb78) will completely reset the Windows Update client settings. It has been tested on Windows 7, 8, 10, and Windows Server 2012 R2. It will configure the services and registry keys related to Windows Update for default settings. It will also clean up files related to Windows Update, in addition to BITS related data.
+
+
+[This script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc) allow reset the Windows Update Agent resolving issues with Windows Update.
+
+
+## Reset Windows Update components manually
+1. Open a Windows command prompt. To open a command prompt, click **Start > Run**. Copy and paste (or type) the following command and then press ENTER:
+ ```
+ cmd
+ ```
+2. Stop the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+ ```
+ net stop bits
+ net stop wuauserv
+ ```
+3. Delete the qmgr\*.dat files.
To do this, type the following command at a command prompt, and then press ENTER:
+ ```
+ Del "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat"
+ ```
+4. If this is your first attempt at resolving your Windows Update issues by using the steps in this article, go to step 5 without carrying out the steps in step 4. The steps in step 4 should only be performed at this point in the troubleshooting if you cannot resolve your Windows Update issues after following all steps but step 4. The steps in step 4 are also performed by the "Aggressive" mode of the Fix it Solution above.
+ 1. Rename the following folders to *.BAK:
+ - %systemroot%\SoftwareDistribution\DataStore
+ - %systemroot%\SoftwareDistribution\Download
+ - %systemroot%\system32\catroot2
+
+ To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+ - Ren %systemroot%\SoftwareDistribution\DataStore *.bak
+ - Ren %systemroot%\SoftwareDistribution\Download *.bak
+ - Ren %systemroot%\system32\catroot2 *.bak
+ 2. Reset the BITS service and the Windows Update service to the default security descriptor. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+ - sc.exe sdset bits D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
+ - sc.exe sdset wuauserv D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)
+5. Type the following command at a command prompt, and then press ENTER:
+ ```
+ cd /d %windir%\system32
+ ```
+6. Reregister the BITS files and the Windows Update files. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+ - regsvr32.exe atl.dll
+ - regsvr32.exe urlmon.dll
+ - regsvr32.exe mshtml.dll
+ - regsvr32.exe shdocvw.dll
+ - regsvr32.exe browseui.dll
+ - regsvr32.exe jscript.dll
+ - regsvr32.exe vbscript.dll
+ - regsvr32.exe scrrun.dll
+ - regsvr32.exe msxml.dll
+ - regsvr32.exe msxml3.dll
+ - regsvr32.exe msxml6.dll
+ - regsvr32.exe actxprxy.dll
+ - regsvr32.exe softpub.dll
+ - regsvr32.exe wintrust.dll
+ - regsvr32.exe dssenh.dll
+ - regsvr32.exe rsaenh.dll
+ - regsvr32.exe gpkcsp.dll
+ - regsvr32.exe sccbase.dll
+ - regsvr32.exe slbcsp.dll
+ - regsvr32.exe cryptdlg.dll
+ - regsvr32.exe oleaut32.dll
+ - regsvr32.exe ole32.dll
+ - regsvr32.exe shell32.dll
+ - regsvr32.exe initpki.dll
+ - regsvr32.exe wuapi.dll
+ - regsvr32.exe wuaueng.dll
+ - regsvr32.exe wuaueng1.dll
+ - regsvr32.exe wucltui.dll
+ - regsvr32.exe wups.dll
+ - regsvr32.exe wups2.dll
+ - regsvr32.exe wuweb.dll
+ - regsvr32.exe qmgr.dll
+ - regsvr32.exe qmgrprxy.dll
+ - regsvr32.exe wucltux.dll
+ - regsvr32.exe muweb.dll
+ - regsvr32.exe wuwebv.dll
+7. Reset Winsock. To do this, type the following command at a command prompt, and then press ENTER:
+ ```
+ netsh reset winsock
+ ```
+8. If you are running Windows XP or Windows Server 2003, you have to set the proxy settings. To do this, type the following command at a command prompt, and then press ENTER:
+ ```
+ proxycfg.exe -d
+ ```
+9. Restart the BITS service and the Windows Update service. To do this, type the following commands at a command prompt. Press ENTER after you type each command.
+ ```
+ net start bits
+
+ net start wuauserv
+ ```
+10. If you are running Windows Vista or Windows Server 2008, clear the BITS queue. To do this, type the following command at a command prompt, and then press ENTER:
+ ```
+ bitsadmin.exe /reset /allusers
+ ```
\ No newline at end of file
diff --git a/windows/deployment/update/windows-update-sources.md b/windows/deployment/update/windows-update-sources.md
deleted file mode 100644
index b87b77d354..0000000000
--- a/windows/deployment/update/windows-update-sources.md +++ /dev/null @@ -1,37 +0,0 @@ ---- -title: Determine the source of Windows updates -description: Determine the source that Windows Update service is currently using. -ms.prod: w10 -ms.mktglfcycl: -ms.sitesec: library -author: kaushika-msft -ms.localizationpriority: medium -ms.author: jaimeo -ms.date: 04/05/2018 ---- - -# Determine the source of Windows updates - -Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps:  - -1. Start Windows PowerShell as an administrator -2. Run `\$MUSM = New-Object -ComObject “Microsoft.Update.ServiceManager”`. -3. Run `\$MUSM.Services`. Check the resulting output for the **Name** and **OffersWindowsUPdates** parameters, which you can intepret according to this table: - -| Output | Interpretation | -|-----------------------------------------------------|-----------------------------------| -| - Name: **Microsoft Update**
      -OffersWindowsUpdates: **True** | - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
      - Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.)| -|- Name: **DCat Flighting Prod**
      - OffersWindowsUpdates: **False**|- The update source is the Windows Insider Program.
      - Indicates that the client will not receive or is not configured to receive these updates. | -| - Name: **Windows Store (DCat Prod)**
      - OffersWindowsUpdates: **False** |-The update source is Insider Updates for Store Apps.
      - Indicates that the client will not receive or is not configured to receive these updates.| -|- Name: **Windows Server Update Service**
      - OffersWindowsUpdates: **True** |- The source is a Windows Server Updates Services server.
      - The client is configured to receive updates from WSUS.| -|- Name: **Windows Update**
      - OffersWindowsUpdates: **True** |- The source is Windows Update.
      - The client is configured to receive updates from Windows Update Online.| - - - -See also: - -[Understanding the Windowsupdate.log file for advanced users](https://support.microsoft.com/help/4035760) - -[You can't install updates on a Windows-based computer](https://support.microsoft.com/help/2509997/you-can-t-install-updates-on-a-windows-based-computer) - -[How to read the Windowsupdate.log file on Windows 7 and earlier OS versions](https://support.microsoft.com/help/902093/how-to-read-the-windowsupdate-log-file) diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md new file mode 100644 index 0000000000..4c558115d6 --- /dev/null +++ b/windows/deployment/update/windows-update-troubleshooting.md 
@@ -0,0 +1,175 @@ +--- +title: Windows Update troubleshooting +description: Learn how to troubleshoot Windows Update +ms.prod: w10 +ms.mktglfcycl: +ms.sitesec: library +author: kaushika-msft +ms.localizationpriority: medium +ms.author: elizapo +ms.date: 09/18/2018 +--- + +# Windows Update troubleshooting + +>Applies to: Windows 10 + +If you run into problems when using Windows Update, start with the following steps: + +1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**. +2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on SSU. +3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system: +  + - [Windows 10, version 1803](https://support.microsoft.com/help/4099479/windows-10-update-history) + - [Windows 10, version 1709](https://support.microsoft.com/help/4043454) + - [Windows 10, version 1703](https://support.microsoft.com/help/4018124) + - [Windows 10 and Windows Server 2016](https://support.microsoft.com/help/4000825/windows-10-windows-server-2016-update-history) + - [Windows 8.1 and Windows Server 2012 R2](https://support.microsoft.com/help/4009470/windows-8-1-windows-server-2012-r2-update-history) + - [Windows Server 2012](https://support.microsoft.com/help/4009471/windows-server-2012-update-history) + - [Windows 7 SP1 and Windows Server 2008 R2 SP1](https://support.microsoft.com/help/4009469/windows-7-sp1-windows-server-2008-r2-sp1-update-history) + +Advanced users can also refer to the [log](windows-update-logs.md) generated by Windows Update for further investigation. + +You might encounter the following scenarios when using Windows Update. + +## Why am I offered an older update/upgrade? 
+The update that is offered to a device depends on several factors. Some of the most common attributes include the following. + +- OS Build +- OS Branch +- OS Locale +- OS Architecture +- Device update management configuration + +If the update you're offered isn't th emost current available, it might be because your device is being managed by a WSUS server, and your'e being offered the updates available on that server. It's also possible, if your device is part of a Windows as a Service deployment ring, that your admin is intentionally slowing the rollout of updates. Since the WaaS rollout is slow and measured to begin with, all devices will not receive the update on the same day. + +## My machine is frozen at scan. Why? +The Settings UI is talking to the Update Orchestrator service which in turn is talking to Windows Update service. If these services stop unexpectedly then you might see this behavior. In such cases, do the following: +1. Close the Settings app and reopen it. +2. Launch Services.msc and check if the following services are running: + - Update State Orchestrator + - Windows Update + +## Issues related to HTTP/Proxy +Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download updates and applications from Windows Update servers or on-premises WSUS servers. Because of this proxy servers configured on the network must support HTTP RANGE requests. If a proxy was configured in Internet Explorer (User level) but not in WinHTTP (System level), connections to Windows Update will fail. 
+ +To fix this issue, configure a proxy in WinHTTP by using the following netsh command: + +``` +netsh winhttp set proxy ProxyServerName:PortNumber +``` + +>[!NOTE] +> You can also import the proxy settings from Internet Explorer by using the following command: netsh winhttp import proxy source=ie + +If downloads through a proxy server fail with a 0x80d05001 DO_E_HTTP_BLOCKSIZE_MISMATCH error, or if you notice high CPU usage while updates are downloading, check the proxy configuration to permit HTTP RANGE requests to run. + +You may choose to apply a rule to permit HTTP RANGE requests for the following URLs: +*.download.windowsupdate.com +*.au.windowsupdate.com +*.tlu.dl.delivery.mp.microsoft.com + +If you cannot permit RANGE requests, you can configure a Group Policy or MDM Policy setting that will bypass Delivery Optimization and use BITS instead. + + +## The update is not applicable to your computer +The most common reasons for this error are described in the following table: + +|Cause|Explanation|Resolution| +|-----|-----------|----------| +|Update is superseded|As updates for a component are released, the updated component will supersede an older component that is already on the system. When this occurs, the previous update is marked as superseded. If the update that you're trying to install already has a newer version of the payload on your system, you may encounter this error message.|Check that the package that you are installing contains newer versions of the binaries. Or, check that the package is superseded by another new package. | +|Update is already installed|If the update that you're trying to install was previously installed, for example, by another update that carried the same payload, you may encounter this error message.|Verify that the package that you are trying to install was not previously installed.| +|Wrong update for architecture|Updates are published by CPU architecture. 
If the update that you're trying to install does not match the architecture for your CPU, you may encounter this error message. |Verify that the package that you're trying to install matches the Windows version that you are using. The Windows version information can be found in the "Applies To" section of the article for each update. For example, Windows Server 2012-only updates cannot be installed on Windows Server 2012 R2-based computers.
      Also, verify that the package that you are installing matches the processor architecture of the Windows version that you are using. For example, an x86-based update cannot be installed on x64-based installations of Windows. | +|Missing prerequisite update|Some updates require a prerequisite update before they can be applied to a system. If you are missing a prerequisite update, you may encounter this error message. For example, KB 2919355 must be installed on Windows 8.1 and Windows Server 2012 R2 computers before many of the updates that were released after April 2014 can be installed.|Check the related articles about the package in the Microsoft Knowledge Base (KB) to make sure that you have the prerequisite updates installed. For example, if you encounter the error message on Windows 8.1 or Windows Server 2012 R2, you may have to install the April 2014 update 2919355 as a prerequisite and one or more pre-requisite servicing updates (KB 2919442 and KB 3173424).
      Note: To determine if these prerequisite updates are installed, run the following PowerShell command:
      get-hotfix KB3173424,KB2919355,KB2919442
      If the updates are installed, the command will return the installed date in the "InstalledOn" section of the output. + +## Issues related to firewall configuration +Error that may be seen in the WU logs: +``` +DownloadManager Error 0x800706d9 occurred while downloading update; notifying dependent calls. +``` +Or +``` +[DownloadManager] BITS job {A4AC06DD-D6E6-4420-8720-7407734FDAF2} hit a transient error, updateId = {D053C08A-6250-4C43-A111-56C5198FE142}.200 , error = 0x800706D9 +``` +Or +``` +DownloadManager [0]12F4.1FE8::09/29/2017-13:45:08.530 [agent]DO job {C6E2F6DC-5B78-4608-B6F1-0678C23614BD} hit a transient error, updateId = 5537BD35-BB74-40B2-A8C3-B696D3C97CBA.201 , error = 0x80D0000A +``` + +Go to Services.msc and ensure that Windows Firewall Service is enabled. Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft. For more information , see [I need to disable Windows Firewall](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc766337\(v=ws.10\)) or [Windows Update stuck at 0 percent on Windows 10 or Windows Server 2016](https://support.microsoft.com/help/4039473/windows-update-stuck-at-0-percent-on-windows-10-and-windows-server-201). + +## Issues arising from configuration of conflicting policies +Windows Update provides a wide range configuration policies to control the behavior of WU service in a managed environment. While these policies let you configure the settings at a granular level, misconfiguration or setting conflicting polices may lead to unexpected behaviors. + +See [How to configure automatic updates by using Group Policy or registry settings](https://support.microsoft.com/help/328010/how-to-configure-automatic-updates-by-using-group-policy-or-registry-s) for more information. 
+ + +## Updates aren't downloading from the intranet endpoint (WSUS/SCCM) +Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps: +1. Start Windows PowerShell as an administrator +2. Run \$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager". +3. Run \$MUSM.Services. + +Check the output for the Name and OffersWindowsUPdates parameters, which you can interpret according to this table. + +|Output|Interpretation| +|-|-| +|- Name: Microsoft Update
      -OffersWindowsUpdates: True| - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
      - Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.) | +|- Name: DCat Flighting Prod
      - OffersWindowsUpdates: False|- The update source is the Windows Insider Program.
      - Indicates that the client will not receive or is not configured to receive these updates. | +|- Name: Windows Store (DCat Prod)
      - OffersWindowsUpdates: False |-The update source is Insider Updates for Store Apps.
      - Indicates that the client will not receive or is not configured to receive these updates.| +|- Name: Windows Server Update Service
      - OffersWindowsUpdates: True |- The source is a Windows Server Updates Services server.
      - The client is configured to receive updates from WSUS. | +|- Name: Windows Update
      - OffersWindowsUpdates: True|- The source is Windows Update.
      - The client is configured to receive updates from Windows Update Online.| + +## You have a bad setup in the environment +If we look at the GPO being set through registry, the system is configured to use WSUS to download updates: + +``` +HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] +"UseWUServer"=dword:00000001 ===================================> it says use WSUS server. +``` + +From the WU logs: +``` +2018-08-06 09:33:31:085 480 1118 Agent ** START ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] +2018-08-06 09:33:31:085 480 1118 Agent ********* +2018-08-06 09:33:31:085 480 1118 Agent * Include potentially superseded updates +2018-08-06 09:33:31:085 480 1118 Agent * Online = No; Ignore download priority = No +2018-08-06 09:33:31:085 480 1118 Agent * Criteria = "IsHidden = 0 AND DeploymentAction=*" +2018-08-06 09:33:31:085 480 1118 Agent * ServiceID = {00000000-0000-0000-0000-000000000000} Third party service +2018-08-06 09:33:31:085 480 1118 Agent * Search Scope = {Machine} +2018-08-06 09:33:32:554 480 1118 Agent * Found 83 updates and 83 categories in search; evaluated appl. rules of 517 out of 1473 deployed entities +2018-08-06 09:33:32:554 480 1118 Agent ********* +2018-08-06 09:33:32:554 480 1118 Agent ** END ** Agent: Finding updates [CallerId = OperationalInsight Id = 49] +``` + +In the above log snippet, we see that the Criteria = "IsHidden = 0 AND DeploymentAction=*". "*" means there is nothing specified from the server. So, the scan happens but there is no direction to download or install to the agent. So it just scans the update and provides the results. + +Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are 0 updates to install or download. This is due to bad setup or configuration in the environment. 
The WSUS side should approve the patches for WU so that it fetches the updates and installs it on the specified time according to the policy. Since this scenario doesn't include SCCM, there's no way to install unapproved updates. And that is the problem you are facing. You expect that the scan should be done by the operational insight agent and automatically trigger download and install but that won’t happen here. + +``` +2018-08-06 10:58:45:992 480 5d8 Agent ** START ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] +2018-08-06 10:58:45:992 480 5d8 Agent ********* +2018-08-06 10:58:45:992 480 5d8 Agent * Online = Yes; Ignore download priority = No +2018-08-06 10:58:45:992 480 5d8 Agent * Criteria = "IsInstalled=0 and DeploymentAction='Installation' or IsPresent=1 and DeploymentAction='Uninstallation' or IsInstalled=1 and DeploymentAction='Installation' and RebootRequired=1 or IsInstalled=0 and DeploymentAction='Uninstallation' and RebootRequired=1" + +2018-08-06 10:58:46:617 480 5d8 PT + SyncUpdates round trips: 2 +2018-08-06 10:58:47:383 480 5d8 Agent * Found 0 updates and 83 categories in search; evaluated appl. rules of 617 out of 1473 deployed entities +2018-08-06 10:58:47:383 480 5d8 Agent Reporting status event with 0 installable, 83 installed, 0 installed pending, 0 failed and 0 downloaded updates +2018-08-06 10:58:47:383 480 5d8 Agent ********* +2018-08-06 10:58:47:383 480 5d8 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57] +``` + +## High bandwidth usage on Windows 10 by Windows Update +Users may see that Windows 10 is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that may consume bandwidth expand beyond Windows Update components. 
+ +The following group policies can help mitigate this: + +[Policy Turn off access to all Windows Update features](http://gpsearch.azurewebsites.net/#4728) +[Policy Specify search order for device driver source locations](http://gpsearch.azurewebsites.net/#183) +[Policy Turn off Automatic Download and Install of updates](http://gpsearch.azurewebsites.net/#10876) + +Other components that reach out to the internet: + +- Windows Spotlight. [Policy Configure Windows spotlight on lock screen](http://gpsearch.azurewebsites.net/#13362) (Set to disabled) +- [Policy Turn off Microsoft consumer experiences](http://gpsearch.azurewebsites.net/#13329) (Set to enabled) +- Modern App- Windows Update installation fails. [Policy Let Windows apps run in the background](http://gpsearch.azurewebsites.net/#13571) \ No newline at end of file diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index 3c18dab043..e5eab8199a 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 08/21/2018 +ms.date: 09/26/2018 ms.localizationpriority: medium --- 
@@ -38,32 +38,38 @@ When you are ready to begin using Upgrade Readiness, perform the following steps To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see the following topics, refer to [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-FAQ-troubleshooting), which discusses the issues and provides links to still more detailed information. -## Add Upgrade Readiness to Operations Management Suite or Azure Log Analytics +## Add the Upgrade Readiness solution to your Azure subscription -Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/documentation/articles/operations-management-suite-overview/). +Upgrade Readiness is offered as a *solution* which you link to a new or existing [Azure Log Analytics](https://azure.microsoft.com/services/log-analytics/) *workspace* within your Azure *subscription*. To configure this, follows these steps: ->[!IMPORTANT] ->Upgrade Readiness is a free solution for Azure subscribers. When configured correctly, all data associated with the Upgrade Readiness solution are exempt from billing in both OMS and Azure. Upgrade Readiness data **do not** count toward OMS daily upload limits. The Upgrade Readiness service will ingest a full snapshot of your data into your OMS workspace on a daily basis. Each snapshot includes all of your devices that have been active within the past 30 days regardless of your OMS retention period. +1. Sign in to the [Azure Portal](https://portal.azure.com) with your work or school account or a Microsoft account. 
If you don't already have an Azure subscription you can create one (including free trial options) through the portal. + + >[!NOTE] + > Upgrade Readiness is included at no additional cost with Windows 10 [education and enterprise licensing](https://docs.microsoft.com/en-us/windows/deployment/update/device-health-monitor#device-health-licensing). An Azure subscription is required for managing and using Upgrade Readiness, but no Azure charges are expected to accrue to the subscription as a result of using Upgrade Readiness. -If you are already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Select the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution's details page. Upgrade Readiness is now visible in your workspace. While you have this dialog open, you should also consider adding the [Device Health](../update/device-health-monitor.md) and [Update Compliance](../update/update-compliance-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions. +2. In the Azure portal select **Create a resource**, search for "Upgrade Readiness", and then select **Create** on the **Upgrade Readiness** solution. + ![Azure portal page highlighting + Create a resource and with Upgrade Readiness selected](../images/UR-Azureportal1.png) ->[!NOTE] ->If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=CompatibilityAssessment) to go directly to the Upgrade Readiness solution and add it to your workspace. - -If you are not using OMS or Azure Log Analytics: - -1. Go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it. -2. Sign in to Operations Management Suite (OMS) or Azure Log Analytics. 
You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. -3. Create a new workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**. -4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. - - > If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens. - -5. To add the Upgrade Readiness solution to your workspace, go to the **Solutions Gallery**. Select the **Upgrade Readiness** tile in the gallery and then select **Add** on the solution’s details page. The solution is now visible on your workspace. Note that you may need to scroll to find Upgrade Readiness. + ![Azure portal showing Upgrade Readiness fly-in and Create button highlighted(images/CreateSolution-Part2-Create.png)](../images/UR-Azureportal2.png) +3. Choose an existing workspace or create a new workspace to host the Upgrade Readiness solution. + ![Azure portal showing Log Analytics workspace fly-in](../images/UR-Azureportal3.png) + - If you are using other Windows Analytics solutions (Device Health or Update Compliance) you should add Upgrade Readiness to the same workspace. + - If you are creating a new workspace, and your organization does not have policies governing naming conventions and structure, consider the following workspace settings to get started: + - Choose a workspace name which reflects the scope of planned usage in your organization, for example *PC-Analytics*. 
+ - For the resource group setting select **Create new** and use the same name you chose for your new workspace. + - For the location setting, choose the Azure region where you would prefer the data to be stored. + - For the pricing tier select **Free**. +4. Now that you have selected a workspace, you can go back to the Upgrade Readiness blade and select **Create**. + ![Azure portal showing workspace selected and with Create button highlighted](../images/UR-Azureportal4.png) +5. Watch for a Notification (in the Azure portal) that "Deployment 'Microsoft.CompatibilityAssessmentOMS' to resource group 'YourResourceGroupName' was successful." and then select **Go to resource** This might take several minutes to appear. + ![Azure portal all services page with Log Analytics found and selected as favorite](../images/CreateSolution-Part5-GoToResource.png) + - Suggestion: Choose the **Pin to Dashboard** option to make it easy to navigate to your newly added Upgrade Readiness solution. + - Suggestion: If a "resource unavailable" error occurs when navigating to the solution, try again after one hour. ## Enroll devices in Windows Analytics -Once you've added Update Compliance to Microsoft Operations Management Suite, you can now start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started). + +Once you've added Upgrade Readiness to a workspace in your Azure subscription, you can start enrolling the devices in your organization. For full instructions, see [Enrolling devices in Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started). diff --git a/windows/deployment/windows-10-pro-in-s-mode.md b/windows/deployment/windows-10-pro-in-s-mode.md index 1be1e7f1ff..992d9f7c5a 100644 --- a/windows/deployment/windows-10-pro-in-s-mode.md +++ b/windows/deployment/windows-10-pro-in-s-mode.md 
@@ -1,5 +1,5 @@ --- -title: Windows 10 Pro in S mode +title: Switch to Windows 10 Pro/Enterprise from S mode description: Overview of Windows 10 Pro/Enterprise in S mode. S mode switch options are also outlined in this document. Switching out of S mode is optional. keywords: Windows 10 S switch, S mode Switch, Switch in S mode, s mode switch, Windows 10 S, S-mode, system requirements, Overview, Windows 10 Pro in S mode, Windows 10 Pro in S mode ms.mktglfcycl: deploy @@ -7,47 +7,17 @@ ms.localizationpriority: medium ms.prod: w10 ms.sitesec: library ms.pagetype: deploy -ms.date: 04/30/2018 +ms.date: 08/30/2018 author: Mikeblodge --- -# Windows 10 Pro/Enterprise in S mode +# Switch to Windows 10 Pro/Enterprise from S mode -S mode is an enhanced security mode of Windows 10. Windows 10 Pro and Enterprise in S mode powers affordable, cloud-ready devices that are simple, secure, and efficient. Users can get started quickly, thanks to self-service deployment and a familiar Windows experience. Low-price S mode devices offer tailored solutions for kiosks, digital signs, and task work. If your device is running Windows 10, version 1709, or Windows 10, version 1803, you can switch from Windows 10 in S mode to Windows 10 Pro. - -## Benefits of Windows 10 Pro in S mode: - -- **Microsoft-verified security** - It reduces risk of malware and exploitations because only Microsoft-verified apps can be installed including Windows Defender Antivirus. -- **Performance that lasts** - Provides all-day battery life to keep workers on task and not tripping over cords. Also, verified apps won’t degrade device performance over time. -- **Streamlined for speed** - Offers faster log-in times with Windows Hello. Plus, workers get all the exclusive Windows innovations including Cortana and Windows Ink. - -| |Home |S mode |Pro/Pro Education |Enterprise/Education | -|---------|:---:|:---:|:---:|:---:| -|Start Menu/Hello/Cortana/
      Windows Ink/Microsoft Edge | X | X | X | X | -|Store apps (including Windows
      desktop bridge apps) | X | X | X | X | -|Windows Update | X | X | X | X | -|Device Encryption | X | X | X | X | -|BitLocker | | X | X | X | -|Windows Update for Business | | X | X | X | -|Microsoft Store for Education | | X | X | X | -|Mobile Device Management
      and Azure AD join | | X | X | X | -|Group Policy management and
      Active Directory Domain Services | | | X | X | -|Desktop (Windows 32) Apps | X | | X | X | -|Change App Defaults
      Search/Browser/Photos/etc. | X | | X | X | -|Credential Guard | | | | X | -|Device Guard | | | | X | - -## Keep Line of Business apps functioning with Desktop Bridge -Worried about your LOB apps not working in S mode? Using Desktop Bridge will enable you to convert your Line of Business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Windows Store or existing channels. - -[Explore Desktop Bridge](https://docs.microsoft.com/en-us/windows/uwp/porting/desktop-to-uwp-root) +We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro. You can switch devices running Windows 10, version 1709 or later. Use the following information to switch to Windows 10 Pro through the Microsoft Store. > [!IMPORTANT] > While it’s free to switch to Windows 10 Pro, it’s not reversible. The only way to rollback this kind of switch is through a [bare metal recover (BMR)](https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/create-media-to-run-push-button-reset-features-s14) reset. This restores a Windows device to the factory state, even if the user needs to replace the hard drive or completely wipe the drive clean. If a device is switched out of S mode via the Microsoft Store, it will remain out of S mode even after the device is reset. -### Windows 10 in S mode is safe, secure, and fast. -We recommend staying in S mode. However, in some limited scenarios, you might need to switch to Windows 10 Pro. You can switch devices running Windows 10, version 1709 or later. Use the following information to switch to Windows 10 Pro through the Microsoft Store. - ## How to switch If you’re running Windows 10, version 1709 or version 1803, you can switch to Windows 10 Pro through the Microsoft Store. Devices running version 1803 will only be able to switch through the Store one device at a time. 
@@ -56,6 +26,15 @@ If you’re running Windows 10, version 1709 or version 1803, you can switch to
 3. In the offer, click **Buy**, **Get**, OR **Learn more.** You'll be prompted to save your files before the switch starts. Follow the prompts to switch to Windows 10 Pro.
+## Keep Line of Business apps functioning with Desktop Bridge
+Worried about your LOB apps not working in S mode? Using Desktop Bridge will enable you to convert your Line of Business apps to a packaged app with UWP manifest. After testing and validating you can distribute the app through the Windows Store or existing channels.
+
+[Explore Desktop Bridge](https://docs.microsoft.com/en-us/windows/uwp/porting/desktop-to-uwp-root)
+
+## Repackage win32 apps into the MSIX format
+The MSIX Packaging Tool (Preview) is now available to install from the Microsoft Store. The MSIX Packaging Tool enables you to repackage your existing win32 applications to the MSIX format. You can run your desktop installers through this tool interactively and obtain an MSIX package that you can install on your machine and upload to the Microsoft Store.
+
+[Explore MSIX app Packaging Tool](https://docs.microsoft.com/en-us/windows/application-management/msix-app-packaging-tool)
 ## Related topics
diff --git a/windows/hub/TOC.md b/windows/hub/TOC.md
index 9a147ba933..6a6cc2230e 100644
--- a/windows/hub/TOC.md
+++ b/windows/hub/TOC.md
@@ -1,5 +1,4 @@
 # [Windows 10 and Windows 10 Mobile](index.md)
-## [Get started](/windows/whats-new/whats-new-windows-10-version-1803)
 ## [What's new](/windows/whats-new)
 ## [Deployment](/windows/deployment)
 ## [Configuration](/windows/configuration)
diff --git a/windows/privacy/TOC.md b/windows/privacy/TOC.md
index 085675fdde..a229e2df1a 100644
--- a/windows/privacy/TOC.md
+++ b/windows/privacy/TOC.md
@@ -5,6 +5,7 @@
 ## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
 ## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
 ## Basic level Windows diagnostic data events and fields
+### [Windows 10, version 1809 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1809.md)
 ### [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
 ### [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
 ### [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
index d75aa0580e..371890febb 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1703.md
@@ -1,15 +1,15 @@
 ---
 description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level.
 title: Windows 10, version 1703 basic diagnostic events and fields (Windows 10)
-keywords: privacy, diagnostic data
+keywords: privacy, telemetry
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: high
-author: eross-msft
-ms.author: lizross
-ms.date: 03/13/2018
+localizationpriority: high
+author: brianlic-msft
+ms.author: brianlic
+ms.date: 09/10/2018
 ---
@@ -19,225 +19,22 @@ ms.date: 03/13/2018 - Windows 10, version 1703 -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. The Basic level also helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. -Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. You can learn more about Windows functional and diagnostic data through these articles: +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information. -- [Windows 10, version 1803 basic diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1803) -- [Windows 10, version 1709 basic diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1709) +The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. 
This helps Microsoft fix operating system or app problems. + +Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data. + +You can learn more about Windows functional and diagnostic data through these articles: + + +- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) +- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) - [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) - [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) ->[!Note] ->Updated November 2017 to document new and modified events. We’ve added some new events and also added new fields to existing events to prepare for upgrades to the next release of Windows. -## Common data extensions - -### Common Data Extensions.App - -The following fields are available: - -- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. -- **userId** The userID as known by the application. -- **env** The environment from which the event was logged. -- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. - - -### Common Data Extensions.CS - -The following fields are available: - -- **sig** A common schema signature that identifies new and modified event schemas. - - -### Common Data Extensions.CUET - -The following fields are available: - -- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. 
This used to be Scenario Trigger ID. -- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. -- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. -- **op** Represents the ETW Op Code. -- **cat** Represents a bitmask of the ETW Keywords associated with the event. -- **flags** Represents the bitmap that captures various Windows specific flags. -- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. -- **tickets** A list of strings that represent entries in the HTTP header of the web request that includes this event. -- **bseq** Upload buffer sequence number in the format \:\ -- **mon** Combined monitor and event sequence numbers in the format \:\ - - -### Common Data Extensions.Device - - - -The following fields are available: - -- **ver** Represents the major and minor version of the extension. -- **localId** Represents a locally defined unique ID for the device, not the human readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId -- **deviceClass** Represents the classification of the device, the device “family”.  For example, Desktop, Server, or Mobile. - - -### Common Data Extensions.Envelope - - - -The following fields are available: - -- **ver** Represents the major and minor version of the extension. -- **name** Represents the uniquely qualified name for the event. -- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. -- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. -- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. 
-- **seqNum** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue.  The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. -- **iKey** Represents an ID for applications or other logical groupings of events. -- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experiences and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. -- **os** Represents the operating system name. -- **osVer** Represents the OS version, and its format is OS dependent. -- **appId** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. -- **appVer** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. -- **cV** Represents the Correlation Vector: A single field for tracking partial order of related diagnostic data events across component boundaries. - - -### Common Data Extensions.OS - - - -The following fields are available: - -- **ver** Represents the major and minor version of the extension. -- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema. -- **locale** Represents the locale of the operating system. -- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot. 
- - -### Common Data Extensions.User - - - -The following fields are available: - -- **ver** Represents the major and minor version of the extension. -- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. - - -### Common Data Extensions.XBL - - - -The following fields are available: - -- **nbf** Not before time -- **expId** Expiration time -- **sbx** XBOX sandbox identifier -- **dty** XBOX device type -- **did** XBOX device ID -- **xid** A list of base10-encoded XBOX User IDs. -- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. - - -### Common Data Extensions.Consent UI Event - -This User Account Control (UAC) diagnostic data point collects information on elevations that originate from low integrity levels. This occurs when a process running at low integrity level (IL) requires higher (administrator) privileges, and therefore requests for elevation via UAC (consent.exe). By better understanding the processes requesting these elevations, Microsoft can in turn improve the detection and handling of potentially malicious behavior in this path. - -The following fields are available: - -- **eventType** Represents the type of elevation: If it succeeded, was cancelled, or was auto-approved. -- **splitToken** Represents the flag used to distinguish between administrators and standard users. -- **friendlyName** Represents the name of the file requesting elevation from low IL. -- **elevationReason** Represents the distinction between various elevation requests sources (appcompat, installer, COM, MSI and so on). -- **exeName** Represents the name of the file requesting elevation from low IL. -- **signatureState** Represents the state of the signature, if it signed, unsigned, OS signed and so on. -- **publisherName** Represents the name of the publisher of the file requesting elevation from low IL. 
-- **cmdLine** Represents the full command line arguments being used to elevate. -- **Hash.Length** Represents the length of the hash of the file requesting elevation from low IL. -- **Hash** Represents the hash of the file requesting elevation from low IL. -- **HashAlgId** Represents the algorithm ID of the hash of the file requesting elevation from low IL. -- **telemetryFlags** Represents the details about the elevation prompt for CEIP data. -- **timeStamp** Represents the time stamp on the file requesting elevation. -- **fileVersionMS** Represents the major version of the file requesting elevation. -- **fileVersionLS** Represents the minor version of the file requesting elevation. - - -## Common data fields - -### Common Data Fields.MS.Device.DeviceInventory.Change - -These fields are added whenever Ms.Device.DeviceInventoryChange is included in the event. - -The following fields are available: - -- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. -- **objectType** Indicates the object type that the event applies to. -- **Action** The change that was invoked on a device inventory object. -- **inventoryId** Device ID used for Compatibility testing - - -### Common Data Fields.TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate.PreUpgradeSettings - -These fields are added whenever PreUpgradeSettings is included in the event. - -The following fields are available: - -- **HKLM_SensorPermissionState.SensorPermissionState** The state of the Location service before the feature update completed. -- **HKLM_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the device. -- **HKCU_SensorPermissionState.SensorPermissionState** The state of the Location service when a user signs on before the feature update completed. 
-- **HKCU_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the current user. -- **HKLM_LocationPlatform.Status** The state of the location platform after the feature update has completed. -- **HKLM_LocationPlatform.HRESULT** The error code returned when trying to query the location platform for the device. -- **HKLM_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the device before the feature update completed. -- **HKLM_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the device. -- **HKCU_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the current user before the feature update completed. -- **HKCU_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the current user. -- **HKLM_AllowTelemetry.AllowTelemetry** The state of the Connected User Experiences and Telemetry component for the device before the feature update. -- **HKLM_AllowTelemetry.HRESULT** The error code returned when trying to query the Connected User Experiences and Telemetry conponent for the device. -- **HKLM_TIPC.Enabled** The state of TIPC for the device. -- **HKLM_TIPC.HRESULT** The error code returned when trying to query TIPC for the device. -- **HKCU_TIPC.Enabled** The state of TIPC for the current user. -- **HKCU_TIPC.HRESULT** The error code returned when trying to query TIPC for the current user. -- **HKLM_FlipAhead.FPEnabled** Is Flip Ahead enabled for the device before the feature update was completed? -- **HKLM_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the device. -- **HKCU_FlipAhead.FPEnabled** Is Flip Ahead enabled for the current user before the feature update was completed? -- **HKCU_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the current user. 
-- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled** Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed? -- **HKCU_TailoredExperiences.HRESULT** The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user. -- **HKLM_AdvertisingID.Enabled** Is the adverising ID enabled for the device? -- **HKLM_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the device. -- **HKCU_AdvertisingID.Enabled** Is the adveristing ID enabled for the current user? -- **HKCU_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the user. - - -### Common Data Fields.TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate.PostUpgradeSettings - -These fields are added whenever PostUpgradeSettings is included in the event. - -The following fields are available: - -- **HKLM_SensorPermissionState.SensorPermissionState** The state of the Location service after the feature update has completed. -- **HKLM_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the device. -- **HKCU_SensorPermissionState.SensorPermissionState** The state of the Location service when a user signs on after a feature update has completed. -- **HKCU_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the current user. -- **HKLM_LocationPlatform.Status** The state of the location platform after the feature update has completed. -- **HKLM_LocationPlatform.HRESULT** The error code returned when trying to query the location platform for the device. -- **HKLM_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the device after the feature update has completed. 
-- **HKLM_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the device. -- **HKCU_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the current user after the feature update has completed. -- **HKCU_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the current user. -- **HKLM_AllowTelemetry.AllowTelemetry** The state of the Connected User Experiences and Telemetry component for the device after the feature update. -- **HKLM_AllowTelemetry.HRESULT** The error code returned when trying to query the Connected User Experiences and Telemetry conponent for the device. -- **HKLM_TIPC.Enabled** The state of TIPC for the device. -- **HKLM_TIPC.HRESULT** The error code returned when trying to query TIPC for the device. -- **HKCU_TIPC.Enabled** The state of TIPC for the current user. -- **HKCU_TIPC.HRESULT** The error code returned when trying to query TIPC for the current user. -- **HKLM_FlipAhead.FPEnabled** Is Flip Ahead enabled for the device after the feature update has completed? -- **HKLM_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the device. -- **HKCU_FlipAhead.FPEnabled** Is Flip Ahead enabled for the current user after the feature update has completed? -- **HKCU_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the current user. -- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled** Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed? -- **HKCU_TailoredExperiences.HRESULT** The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user. -- **HKLM_AdvertisingID.Enabled** Is the adveristing ID enabled for the device? 
-- **HKLM_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the device. -- **HKCU_AdvertisingID.Enabled** Is the adveristing ID enabled for the current user? -- **HKCU_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the user. ## Appraiser events 
@@ -248,93 +45,46 @@ This event lists the types of objects and how many of each exist on the client d The following fields are available: -- **DatasourceApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. on this device. -- **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device. -- **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device. +- **DatasourceApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. +- **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device. +- **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device. - **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device. -- **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. -- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. -- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device. -- **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. -- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device. -- **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device. -- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device. 
-- **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. -- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. -- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **PCFP** An ID for the system that is calculated by hashing hardware identifiers. -- **InventoryApplicationFile** The total InventoryApplicationFile objects that are present on this device. -- **InventoryMediaCenter** The total InventoryMediaCenter objects that are present on this device. -- **InventoryLanguagePack** The total InventoryLanguagePack objects that are present on this device. -- **InventoryUplevelDriverPackage** The total InventoryUplevelDriverPackage objects that are present on this device. -- **InventorySystemBios** The total InventorySystemBios objects that are present on this device. -- **SystemProcessorCompareExchange** The total SystemProcessorCompareExchange objects that are present on this device. -- **SystemProcessorLahfSahf** The total SystemProcessorLahfSahf objects that are present on this device. -- **SystemMemory** The total SystemMemory objects that are present on this device. -- **SystemProcessorPrefetchW** The total SystemProcessorPrefetchW objects that are present on this device. -- **SystemProcessorSse2** The total SystemProcessorSse2 objects that are present on this device. -- **SystemProcessorNx** The total SystemProcessorNx objects that are present on this device. -- **SystemWlan** The total SystemWlan objects that are present on this device. -- **SystemWim** The total SystemWim objects that are present on this device -- **SystemTouch** The total SystemTouch objects that are present on this device. 
-- **SystemWindowsActivationStatus** The total SystemWindowsActivationStatus objects that are present on this device. -- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. - - -### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureIdHashSha256 - -This event lists the types of objects and the hashed values of all the identifiers for each one. This allows for a more in-depth way to ensure that the records present on the server match what is present on the client. - -The following fields are available: - -- **DatasourceApplicationFile_RS3** The total DatasourceApplicationFile objects targeting the next release of Windows on this device. -- **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device. -- **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device. -- **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device. -- **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. -- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. -- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device. -- **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. -- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device. -- **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device. 
-- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device. -- **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. -- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. -- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **PCFP** An ID for the system that is calculated by hashing hardware identifiers. -- **InventoryApplicationFile** The SHA256 hash of InventoryApplicationFile objects that are present on this device. -- **InventoryMediaCenter** The SHA256 hash of InventoryMediaCenter objects that are present on this device. -- **InventoryLanguagePack** The SHA256 hash of InventoryLanguagePack objects that are present on this device. -- **InventoryUplevelDriverPackage** The SHA256 hash of InventoryUplevelDriverPackage objects that are present on this device. -- **InventorySystemBios** The SHA256 hash of InventorySystemBios objects that are present on this device. -- **SystemProcessorCompareExchange** The SHA256 hash of SystemProcessorCompareExchange objects that are present on this device. -- **SystemProcessorLahfSahf** The SHA256 hash of SystemProcessorLahfSahf objects that are present on this device. -- **SystemMemory** The SHA256 hash of SystemMemory objects that are present on this device. -- **SystemProcessorPrefetchW** The SHA256 hash of SystemProcessorPrefetchW objects that are present on this device. -- **SystemProcessorSse2** The SHA256 hash of SystemProcessorSse2 objects that are present on this device. -- **SystemProcessorNx** The SHA256 hash of SystemProcessorNx objects that are present on this device. 
-- **SystemWlan** The SHA256 hash of SystemWlan objects that are present on this device. -- **SystemWim** The SHA256 hash of SystemWim objects that are present on this device. -- **SystemTouch** The SHA256 hash of SystemTouch objects that are present on this device. -- **SystemWindowsActivationStatus** The SHA256 hash of SystemWindowsActivationStatus objects that are present on this device. -- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. +- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device. +- **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. +- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device. +- **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. +- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device. 
+- **InventoryLanguagePack** The count of DecisionApplicationFile objects present on this machine targeting the next release of Windows +- **InventorySystemBios** The count of DecisionDevicePnp objects present on this machine targeting the next release of Windows +- **PCFP** The count of DecisionDriverPackage objects present on this machine targeting the next release of Windows +- **SystemProcessorCompareExchange** The count of DecisionMatchingInfoBlock objects present on this machine targeting the next release of Windows +- **SystemProcessorNx** The count of DataSourceMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows +- **SystemProcessorSse2** The count of DecisionMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows +- **SystemWim** The count of DecisionMediaCenter objects present on this machine targeting the next release of Windows +- **SystemWindowsActivationStatus** The count of DecisionSystemBios objects present on this machine targeting the next release of Windows +- **SystemWlan** The count of InventoryApplicationFile objects present on this machine. +- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. ### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd -This event sends compatibility information about a file to help keep Windows up-to-date. +Represents the basic metadata about specific application files installed on the system. The following fields are available: - **AppraiserVersion** The version of the appraiser file that is generating the events. -- **AvDisplayName** If it is an anti-virus app, this is its display name. +- **AvDisplayName** If the app is an anti-virus app, this is its display name. - **CompatModelIndex** The compatibility prediction for this file. -- **HasCitData** Is the file present in CIT data? -- **HasUpgradeExe** Does the anti-virus app have an upgrade.exe file? 
+- **HasCitData** Indicates whether the file is present in CIT data. +- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. - **IsAv** Is the file an anti-virus reporting EXE? -- **ResolveAttempted** This will always be an empty string when sending diagnostic data. +- **ResolveAttempted** This will always be an empty string when sending telemetry. - **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. @@ -342,6 +92,8 @@ The following fields are available: This event indicates that the DatasourceApplicationFile object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -351,6 +103,8 @@ The following fields are available: This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -358,16 +112,18 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd -This event sends compatibility data for a PNP device, to help keep Windows up-to-date. +This event sends compatibility data for a Plug and Play device, to help keep Windows up to date. The following fields are available: +- **ActiveNetworkConnection** Indicates whether the device is an active network device. - **AppraiserVersion** The version of the appraiser file generating the events. -- **ActiveNetworkConnection** Is the device an active network device? -- **IsBootCritical** Is the device boot critical? +- **IsBootCritical** Indicates whether the device boot is critical. - **SdbEntries** An array of fields indicating the SDB entries that apply to this device. -- **WuDriverCoverage** Is there a driver uplevel for this device according to Windows Update? -- **WuDriverUpdateID** The Windows Update ID of the applicable uplevel driver. +- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update. +- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. +- **WuDriverUpdateID** The Update ID of the applicable uplevel driver from Windows Update. +- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. - **WuPopulatedFromID** The expected uplevel driver matching ID based on driver coverage from Windows Update. @@ -375,6 +131,8 @@ The following fields are available: This event indicates that the DatasourceDevicePnp object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -384,6 +142,8 @@ The following fields are available: This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -391,18 +151,19 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd -This event sends compatibility database data about driver packages to help keep Windows up-to-date. +This event sends compatibility database data about driver packages to help keep Windows up to date. The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. -- **SdbEntries** An array of fields indicating the SDB entries that apply to this driver package. ### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove This event indicates that the DatasourceDriverPackage object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -412,6 +173,8 @@ The following fields are available: This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -424,13 +187,14 @@ This event sends blocking data about any compatibility blocking entries hit on t The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. -- **SdbEntries** An array of fields indicating the SDB entries that apply to this file. ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove This event indicates that the DataSourceMatchingInfoBlock object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -440,6 +204,8 @@ The following fields are available: This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -452,13 +218,14 @@ This event sends compatibility database information about non-blocking compatibi The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. -- **SdbEntries** An array of fields indicating the SDB entries that apply to this file. ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove This event indicates that the DataSourceMatchingInfoPassive object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -468,6 +235,8 @@ The following fields are available: This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -480,13 +249,14 @@ This event sends compatibility database information about entries requiring rein The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. -- **SdbEntries** An array of fields indicating the SDB entries that apply to this file. ### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -496,6 +266,8 @@ The following fields are available: This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -515,6 +287,8 @@ The following fields are available: This event indicates that the DatasourceSystemBios object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -524,6 +298,8 @@ The following fields are available: This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -535,9 +311,9 @@ This event sends compatibility decision data about a file to help keep Windows u The following fields are available: -- **AppraiserVersion** The version of the appraiser file generating the events. +- **AppraiserVersion** The version of the appraiser file that is generating the events. - **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. -- **BlockingApplication** Are there any application issues that interfere with upgrade due to the file in question? +- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. - **DisplayGenericMessage** Will be a generic message be shown for this file? - **HardBlock** This file is blocked in the SDB. - **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? @@ -558,7 +334,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -This event indicates that the DecisionApplicationFile object is no longer present. +This event indicates Indicates that the DecisionApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
@@ -569,6 +347,8 @@ The following fields are available: This event indicates that a new set of DecisionApplicationFileAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -576,16 +356,16 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd -This event sends compatibility decision data about a PNP device to help keep Windows up-to-date. +This event sends compatibility decision data about a PNP device to help keep Windows up to date. The following fields are available: - **AppraiserVersion** The version of the appraiser file generating the events. - **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked? - **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked? +- **BlockingDevice** Is this PNP device blocking upgrade? - **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? - **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device? -- **BlockingDevice** Is this PNP device blocking upgrade? - **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device? - **DriverAvailableInbox** Is a driver included with the operating system for this PNP device? - **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update? 
@@ -595,13 +375,14 @@ The following fields are available: - **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS? - **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade? - **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? -- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate? ### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove This event indicates that the DecisionDevicePnp object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -611,6 +392,8 @@ The following fields are available: This event indicates that the DecisionDevicePnp object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -618,7 +401,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd -This event sends decision data about driver package compatibility to help keep Windows up-to-date. +This event sends decision data about driver package compatibility to help keep Windows up to date. The following fields are available: @@ -634,6 +417,8 @@ The following fields are available: This event indicates that the DecisionDriverPackage object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -643,6 +428,8 @@ The following fields are available: This event indicates that a new set of DecisionDriverPackageAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -650,7 +437,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd -This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. +This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. The following fields are available: @@ -667,6 +454,8 @@ The following fields are available: This event indicates that the DecisionMatchingInfoBlock object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -676,6 +465,8 @@ The following fields are available: This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -696,6 +487,8 @@ The following fields are available: This event Indicates that the DecisionMatchingInfoPassive object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -705,6 +498,8 @@ The following fields are available: This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -712,7 +507,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd -This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up-to-date. +This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date. The following fields are available: @@ -727,6 +522,8 @@ The following fields are available: This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -736,6 +533,8 @@ The following fields are available: This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -743,15 +542,15 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd -This event sends decision data about the presence of Windows Media Center, to help keep Windows up-to-date. +This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date. The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. - **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center? - **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true? -- **MediaCenterInUse** Is Windows Media Center actively being used? - **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use? +- **MediaCenterInUse** Is Windows Media Center actively being used? - **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition? - **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center? @@ -760,6 +559,8 @@ The following fields are available: This event indicates that the DecisionMediaCenter object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -769,6 +570,8 @@ The following fields are available: This event indicates that a new set of DecisionMediaCenterAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -776,7 +579,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd -This event sends compatibility decision data about the BIOS to help keep Windows up-to-date. +This event sends compatibility decision data about the BIOS to help keep Windows up to date. The following fields are available: @@ -789,6 +592,8 @@ The following fields are available: This event indicates that the DecisionSystemBios object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -798,6 +603,8 @@ The following fields are available: This event indicates that a new set of DecisionSystemBiosAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -805,12 +612,12 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.EnterpriseScenarioWithDiagTrackServiceRunning -The event that indicates that Appraiser has been triggered to run an enterprise scenario while the DiagTrack service is installed. This event can only be sent if a special flag is used to trigger the enterprise scenario. +This event indicates that Appraiser has been triggered to run an enterprise scenario while the DiagTrack service is installed. This event can only be sent if a special flag is used to trigger the enterprise scenario. The following fields are available: -- **Time** The client time of the event. - **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **Time** The client time of the event. ### Microsoft.Windows.Appraiser.General.GatedRegChange 
@@ -819,31 +626,28 @@ This event sends data about the results of running a set of quick-blocking instr The following fields are available: -- **Time** The client time of the event. +- **NewData** The data in the registry value after the scan completed. +- **OldData** The previous data in the registry value before the scan ran. - **PCFP** An ID for the system calculated by hashing hardware identifiers. - **RegKey** The registry key name for which a result is being sent. - **RegValue** The registry value for which a result is being sent. -- **OldData** The previous data in the registry value before the scan ran. -- **NewData** The data in the registry value after the scan completed. +- **Time** The client time of the event. ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd -This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or are part of an anti-virus program. +This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. The following fields are available: -- **AvDisplayName** If the app is an anti-virus app, this is its display name. -- **AvProductState** Represents state of antivirus program with respect to whether it's turned on and the signatures are up-to-date. -- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64 +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **BinaryType** A binary type. 
Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. - **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. - **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. - **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. - **CompanyName** The company name of the vendor who developed this file. - **FileId** A hash that uniquely identifies a file. - **FileVersion** The File version field from the file metadata under Properties -> Details. -- **HasUpgradeExe** Does the anti-virus app have an upgrade.exe file? -- **IsAv** Is the file an anti-virus reporting EXE? - **LinkDate** The date and time that this file was linked on. - **LowerCaseLongPath** The full file path to the file that was inventoried on the device. - **Name** The name of the file that was inventoried. 
@@ -852,29 +656,13 @@ The following fields are available: - **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. - **Size** The size of the file (in hexadecimal bytes). -### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd - -This event represents the drivers that an application installs. - -The following fields are available: - -- **InventoryVersion** The version of the inventory component -- **Programids** The unique program identifier the driver is associated with. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync - -This event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. - -The following fields are available: - -- **InventoryVersion** The version of the inventory component. - ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove This event indicates that the InventoryApplicationFile object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -882,7 +670,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
@@ -891,19 +681,21 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd -This event sends data about the number of language packs installed on the system, to help keep Windows up-to-date. +This event sends data about the number of language packs installed on the system, to help keep Windows up to date. The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **HasLanguagePack** Does this device have 2 or more language packs? -- **LanguagePackCount** How many language packs are installed? +- **HasLanguagePack** Indicates whether this device has 2 or more language packs. +- **LanguagePackCount** The number of language packs are installed. ### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove This event indicates that the InventoryLanguagePack object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -913,6 +705,8 @@ The following fields are available: This event indicates that a new set of InventoryLanguagePackAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -938,6 +732,8 @@ The following fields are available: This event indicates that the InventoryMediaCenter object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -947,6 +743,8 @@ The following fields are available: This event indicates that a new set of InventoryMediaCenterAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -967,7 +765,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove -This event indicates that the InventorySystemBios object is no longer present. +This event indicates that the InventorySystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -978,6 +778,8 @@ The following fields are available: This event indicates that a new set of InventorySystemBiosAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -987,29 +789,33 @@ The following fields are available: This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. - **BootCritical** Is the driver package marked as boot critical? - **Build** The build value from the driver package. - **CatalogFile** The name of the catalog file within the driver package. -- **ClassGuid** The device class GUID from the driver package. - **Class** The device class from the driver package. +- **ClassGuid** The device class unique ID from the driver package. - **Date** The date from the driver package. -- **SignatureStatus** Indicates if the driver package is signed. Unknown:0, Unsigned:1, Signed: 2 - **Inbox** Is the driver package of a driver that is included with Windows? +- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU. +- **Provider** The provider of the driver package. +- **PublishedName** The name of the INF file after it was renamed. +- **Revision** The revision of the driver package. +- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2. - **VersionMajor** The major version of the driver package. - **VersionMinor** The minor version of the driver package. -- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU -- **Provider** The provider of the driver package. -- **PublishedName** The name of the INF file, post-rename. -- **Revision** The revision of the driver package. 
### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove This event indicates that the InventoryUplevelDriverPackage object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -1019,60 +825,25 @@ The following fields are available: This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.IsOnlineTelemetryOutputter - -This event indicates if Appraiser was able to connect successfully to Windows Update to get driver availability information. - -The following fields are available: - -- **Time** The client time of the event. -- **PCFP** A unique hardware identifier that is calculated by hashing hardware identifiers. -- **IsOnlineRun** Was the device able to connect to Windows Update to get driver availability information? - - -### Microsoft.Windows.Appraiser.General.IsOnlineWuDriverDataSource - -This event indicates if Appraiser was able to connect to Windows Update to gather driver coverage information. - -The following fields are available: - -- **Time** The client time of the event. -- **PCFP** A unique hardware identifier that is calculated by hashing hardware identifiers. -- **IsOnlineRun** Was the device able to connect to Windows Update to get driver availability information? -- **TargetVersion** The abbreviated name for the OS version against which Windows Update was queried. - - ### Microsoft.Windows.Appraiser.General.RunContext -This event indicates what should be expected in the data payload. +This event indicates what should be expected in the data payload. The following fields are available: - **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Context** Indicates what mode Appraiser is running in. Example: Setup or Diagnostic Data. -- **Time** The client time of the event. 
- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. - **PCFP** An ID for the system calculated by hashing hardware identifiers. - - -### Microsoft.Windows.Appraiser.General.SetupAdlStatus - -This event indicates if Appraiser used data files from the setup image or more up-to-date data files downloaded from a Microsoft server. - -The following fields are available: - - **Time** The client time of the event. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **Result** The last result of the operation to determine if there is a data file to download. -- **OneSettingsInitialized** Was the query to OneSettings, where the information is stored on if there is a data file to download, initialized? -- **Url** The URL of the data file to download. This will be an empty string if there is no data file to download. -- **UsingAlternateData** Is the client using alternate data file or using the data file in the setup image? ### Microsoft.Windows.Appraiser.General.SystemMemoryAdd @@ -1095,6 +866,8 @@ The following fields are available: This event that the SystemMemory object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1104,6 +877,8 @@ The following fields are available: This event indicates that a new set of SystemMemoryAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -1122,7 +897,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove -This event indicates that the SystemProcessorCompareExchange object is no longer present. +This event indicates that the SystemProcessorCompareExchange object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -1133,6 +910,8 @@ The following fields are available: This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1151,7 +930,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove -This event indicates that the SystemProcessorLahfSahf object is no longer present. +This event indicates that the SystemProcessorLahfSahf object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -1162,6 +943,8 @@ The following fields are available: This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1183,6 +966,8 @@ The following fields are available: This event indicates that the SystemProcessorNx object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -1192,6 +977,8 @@ The following fields are available: This event indicates that a new set of SystemProcessorNxAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1199,7 +986,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd -This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up-to-date. +This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date. The following fields are available: @@ -1212,6 +999,8 @@ The following fields are available: This event indicates that the SystemProcessorPrefetchW object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1221,6 +1010,8 @@ The following fields are available: This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1228,7 +1019,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add -This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up-to-date. +This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date. The following fields are available: 
@@ -1241,6 +1032,8 @@ The following fields are available: This event indicates that the SystemProcessorSse2 object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1250,6 +1043,8 @@ The following fields are available: This event indicates that a new set of SystemProcessorSse2Add events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1257,7 +1052,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemTouchAdd -This event sends data indicating whether the system supports touch, to help keep Windows up-to-date. +This event sends data indicating whether the system supports touch, to help keep Windows up to date. The following fields are available: @@ -1268,7 +1063,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemTouchRemove -This event indicates that the SystemTouch object is no longer present. +This event indicates that the SystemTouch object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -1279,6 +1076,8 @@ The following fields are available: This event indicates that a new set of SystemTouchAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -1286,7 +1085,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemWimAdd -This event sends data indicating whether the operating system is running from a compressed WIM file, to help keep Windows up-to-date. +This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date. The following fields are available: @@ -1297,7 +1096,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemWimRemove -This event indicates that the SystemWim object is no longer present. +This event indicates that the SystemWim object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -1308,6 +1109,8 @@ The following fields are available: This event indicates that a new set of SystemWimAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1315,7 +1118,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd -This event sends data indicating whether the current operating system is activated, to help keep Windows up-to-date. +This event sends data indicating whether the current operating system is activated, to help keep Windows up to date. The following fields are available: @@ -1328,6 +1131,8 @@ The following fields are available: This event indicates that the SystemWindowsActivationStatus object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -1337,6 +1142,8 @@ The following fields are available: This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1359,7 +1166,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemWlanRemove -This event indicates that the SystemWlan object is no longer present. +This event indicates that the SystemWlan object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -1370,6 +1179,8 @@ The following fields are available: This event indicates that a new set of SystemWlanAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -1377,58 +1188,62 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.TelemetryRunHealth -A summary event indicating the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up-to-date. +This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. The following fields are available: -- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. -- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. -- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability. -- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. -- **Time** The client time of the event. -- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime. +- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. +- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run. - **AppraiserProcess** The name of the process that launched Appraiser. - **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. -- **SendingUtc** Indicates if the Appraiser client is sending events during the current diagnostic data run. +- **AuxFinal** Obsolete, always set to false. 
+- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. - **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. -- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. -- **EnterpriseRun** Indicates if the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. -- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic. -- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. -- **AuxFinal** Obsolete, always set to false -- **StoreHandleIsNotNull** Obsolete, always set to false -- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. -- **AppraiserDataVersion** The version of the data files being used by the Appraiser diagnostic data run. +- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. - **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. - **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. - **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. 
Helps to understand why a run may have a longer elapsed time than normal. +- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. +- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device. +- **RunDate** The date that the telemetry run was stated, expressed as a filetime. +- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. - **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. -- **TelementrySent** Indicates if diagnostic data was successfully sent. +- **RunResult** The hresult of the Appraiser telemetry run. +- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. +- **StoreHandleIsNotNull** Obsolete, always set to false +- **TelementrySent** Indicates if telemetry was successfully sent. +- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability. +- **Time** The client time of the event. +- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. - **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. -- **RunResult** The hresult of the Appraiser diagnostic data run. ### Microsoft.Windows.Appraiser.General.WmdrmAdd This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. 
Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Same as NeedsDismissAction. +- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. +- **WmdrmApiResult** Raw value of the API used to gather DRM state. - **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs. +- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased. +- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. - **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. - **WmdrmPurchased** Indicates if the system has any files with permanent licenses. -- **WmdrmApiResult** Raw value of the API used to gather DRM state. -- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. -- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased -- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. -- **BlockingApplication** Same as NeedsDismissAction ### Microsoft.Windows.Appraiser.General.WmdrmRemove This event indicates that the Wmdrm object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -1438,6 +1253,8 @@ The following fields are available: This event indicates that a new set of WmdrmAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1451,8 +1268,8 @@ This event sends version data about the Apps running on this device, to help kee The following fields are available: -- **IEVersion** Retrieves which version of Internet Explorer is running on this device. - **CensusVersion** The version of Census that generated the current data for this device. +- **IEVersion** Retrieves which version of Internet Explorer is running on this device. ### Census.Battery @@ -1464,8 +1281,8 @@ The following fields are available: - **InternalBatteryCapablities** Represents information about what the battery is capable of doing. - **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear. - **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh. -- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. - **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance. +- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. ### Census.Camera 
@@ -1484,23 +1301,22 @@ This event sends data about Azure presence, type, and cloud domain use in order The following fields are available: -- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false -- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. -- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. -- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. -- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. - **AzureOSIDPresent** Represents the field used to identify an Azure machine. -- **IsDomainJoined** Indicates whether a machine is joined to a domain. -- **HashedDomain** The hashed representation of the user domain used for login. -- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier -- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID -- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment. +- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. - **CDJType** Represents the type of cloud domain joined for the machine. -- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption -- **IsDERequirementMet** Represents if the device can do device encryption. -- **IsEDPEnabled** Represents if Enterprise data protected on the device. +- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers. 
- **ContainerType** The type of container, such as process or virtual machine hosted. -- **EnrollmentType** Represents the type of enrollment, such as MDM or Intune, for a particular device. +- **HashedDomain** The hashed representation of the user domain used for login. +- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false +- **IsDERequirementMet** Represents if the device can do device encryption. +- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption +- **IsDomainJoined** Indicates whether a machine is joined to a domain. +- **IsEDPEnabled** Represents if Enterprise data protected on the device. +- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not. +- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID +- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise System Center Configuration Manager (SCCM) environment. +- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers. +- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier. ### Census.Firmware 
@@ -1517,58 +1333,54 @@ The following fields are available: ### Census.Flighting -This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up-to-date. +This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date. The following fields are available: -- **FlightIds** A list of the different Windows Insider builds on this device. -- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device. -- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program. -- **FlightingBranchName** The name of the Windows Insider branch currently used by the device. -- **DeviceSampleRate** The diagnostic data sample rate assigned to the device. +- **DeviceSampleRate** The telemetry sample rate assigned to the device. - **EnablePreviewBuilds** Used to enable Windows Insider builds on a device. +- **FlightIds** A list of the different Windows Insider builds on this device. +- **FlightingBranchName** The name of the Windows Insider branch currently used by the device. +- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program. +- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device. - **SSRK** Retrieves the mobile targeting settings. ### Census.Hardware -This event sends data about the device, including hardware type, OEM brand, model line, model, diagnostic data level setting, and TPM support, to help keep Windows up-to-date. +This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date. The following fields are available: +- **ActiveMicCount** The number of active microphones attached to the device. 
- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36. - **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields. - **DeviceColor** Indicates a color of the device. +- **DeviceForm** Indicates the form as per the device classification. - **DeviceName** The device name that is set by the user. +- **DigitizerSupport** Is a digitizer supported? +- **DUID** The device unique ID. +- **InventoryId** The device ID used for compatibility testing. - **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device. - **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date. -- **OEMModelNumber** The device model number. +- **OEMModelBaseBoard** The baseboard model used by the OEM. +- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices. - **OEMModelName** The device model name. +- **OEMModelNumber** The device model number. - **OEMModelSKU** The device edition that is defined by the manufacturer. +- **OEMModelSystemFamily** The system family set on the device by an OEM. +- **OEMModelSystemVersion** The system model version set on the device by the OEM. - **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary. - **OEMSerialNumber** The serial number of the device that is set by the manufacturer. - **PhoneManufacturer** The friendly name of the phone manufacturer. -- **SoCName** The firmware manufacturer of the device. -- **DUID** The device unique ID. -- **InventoryId** The device ID used for compatibility testing. -- **VoiceSupported** Does the device have a cellular radio capable of making voice calls? - **PowerPlatformRole** The OEM preferred power management profile. 
It's used to help to identify the basic form factor of the device. -- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0. +- **SoCName** The firmware manufacturer of the device. - **StudyID** Used to identify retail and non-retail device. -- **TelemetryLevel** The diagnostic data level the user has opted into, such as Basic or Enhanced. -- **TelemetrySettingAuthority** Determines who set the diagnostic data level, such as GP, MDM, or the user. -- **DeviceForm** Indicates the form as per the device classification. -- **DigitizerSupport** Is a digitizer supported? -- **OEMModelBaseBoard** The baseboard model used by the OEM. -- **OEMModelSystemFamily** The system family set on the device by an OEM. -- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices. -- **ActiveMicCount** The number of active microphones attached to the device. -- **OEMModelSystemVersion** The system model version set on the device by the OEM. -- **D3DMaxFeatureLevel** The supported Direct3D version. -- **Gyroscope** Indicates whether the device has a gyroscope. -- **Magnetometer** Indicates whether the device has a magnetometer. -- **NFCProximity** Indicates whether the device supports NFC. -- **TelemetryLevelLimitEnhanced** The diagnostic data level for Windows Analytics-based solutions. +- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced. +- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user. +- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0. +- **VoiceSupported** Does the device have a cellular radio capable of making voice calls? + ### Census.Memory 
@@ -1586,21 +1398,21 @@ This event sends data about the mobile and cellular network used by the device ( The following fields are available: +- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. +- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. +- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. +- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. 
The two fields represent phone with dual sim coverage. - **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users. - **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US. -- **NetworkCost** Represents the network cost associated with a connection. -- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage. -- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. - **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. -- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **IMEI1** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. 
The two fields represent phone with dual sim coverage. -- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. - **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage. -- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage. -- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. - **NetworkAdapterGUID** The GUID of the primary network adapter. +- **NetworkCost** Represents the network cost associated with a connection. +- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. +- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage. ### Census.OS 
@@ -1609,40 +1421,39 @@ This event sends data about the operating system such as the version, locale, up The following fields are available: +- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine. +- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled. +- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy. +- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time - **GenuineState** Retrieves the ID Value specifying the OS Genuine check. +- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update). +- **InstallLanguage** The first language installed on the user machine. +- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode. +- **IsEduData** Returns Boolean if the education data policy is enabled. - **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go - **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI. -- **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update). +- **LanguagePacks** The list of language packages installed on the device. +- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. +- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. +- **OSEdition** Retrieves the version of the current OS. - **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc - **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC). - **OSSKU** Retrieves the Friendly Name of OS Edition. 
+- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. +- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines. - **OSTimeZoneBiasInMins** Retrieves the time zone set on machine. - **OSUILocale** Retrieves the locale of the UI that is currently used by the OS. -- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability. -- **CompactOS** Indicates if the Compact OS feature from Win10 is enabled. -- **Signature** Retrieves if it is a signature machine sold by Microsoft store. -- **IsDeviceRetailDemo** Retrieves if the device is running in demo mode. -- **ActivationChannel** Retrieves the retail license key or Volume license key for a machine. -- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store. -- **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine. -- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key. -- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. -- **ServiceProductKeyID** Retrieves the License key of the KMS -- **LanguagePacks** The list of language packages installed on the device. -- **InstallLanguage** The first language installed on the user machine. -- **IsEduData** Returns Boolean if the education data policy is enabled. -- **SharedPCMode** Returns Boolean for education devices used as shared cart -- **SLICVersion** Returns OS type/version from SLIC table. -- **SLICStatus** Whether a SLIC table exists on the device. -- **OSEdition** Retrieves the version of the current OS. -- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues. 
- **ProductActivationResult** Returns Boolean if the OS Activation was successful. -- **OSSubscriptionTypeId** Returns boolean for enterprise subscription feature for selected PRO machines. -- **OSSubscriptionStatus** Represents the existing status for enterprise subscription feature for PRO machines. +- **ProductActivationTime** Returns the OS Activation time for tracking piracy issues. +- **ProductKeyID2** Retrieves the License key if the machine is updated with a new license key. +- **RACw7Id** Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability. +- **ServiceMachineIP** Retrieves the IP address of the KMS host used for anti-piracy. - **ServiceMachinePort** Retrieves the port of the KMS host used for anti-piracy. -- **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time -- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy. -- **AssignedAccessStatus** The kiosk configuration mode. +- **ServiceProductKeyID** Retrieves the License key of the KMS +- **SharedPCMode** Returns Boolean for education devices used as shared cart +- **Signature** Retrieves if it is a signature machine sold by Microsoft store. +- **SLICStatus** Whether a SLIC table exists on the device. +- **SLICVersion** Returns OS type/version from SLIC table. ### Census.Processor 
@@ -1651,19 +1462,14 @@ This event sends data about the processor (architecture, speed, number of cores, The following fields are available: -- **KvaShadow** Microcode info of the processor. -- **MMSettingOverride** Microcode setting of the processor. -- **MMSettingOverrideMask** Microcode setting override of the processor. -- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. +- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. - **ProcessorClockSpeed** Retrieves the clock speed of the processor in MHz. - **ProcessorCores** Retrieves the number of cores in the processor. - **ProcessorIdentifier** The processor identifier of a manufacturer. - **ProcessorManufacturer** Retrieves the name of the processor's manufacturer. - **ProcessorModel** Retrieves the name of the processor model. - **ProcessorPhysicalCores** Number of physical cores in the processor. -- **ProcessorUpdateRevision** The microcode version. - **SocketCount** Number of physical CPU sockets of the machine. -- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability. ### Census.Speech 
@@ -1672,15 +1478,15 @@ This event is used to gather basic speech settings on the device. The following fields are available: -- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. -- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. -- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. -- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. -- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). -- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. -- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities. -- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. -- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. +- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked. +- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. +- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. +- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. +- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). +- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. 
+- **RemotelyManaged** Indicates if the device is being controlled by a remote admininistrator (MDM or Group Policy) in the context of speech functionalities. +- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. +- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. ### Census.Storage @@ -1690,8 +1496,8 @@ This event sends data about the total capacity of the system volume and primary The following fields are available: - **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB. -- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB. - **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any). +- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB. ### Census.Userdefault @@ -1700,8 +1506,8 @@ This event sends data about the current user's default preferences for browser a The following fields are available: -- **DefaultBrowserProgId** The ProgramId of the current user's default browser -- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html,.htm,.jpg,.jpeg,.png,.mp3,.mp4, .mov,.pdf +- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. +- **DefaultBrowserProgId** The ProgramId of the current user's default browser. ### Census.UserDisplay 
@@ -1718,8 +1524,8 @@ The following fields are available: - **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display. - **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches . - **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches -- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. - **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine +- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. - **VRAMDedicated** Retrieves the video RAM in MB. - **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card. - **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use. @@ -1732,10 +1538,10 @@ This event sends data about the default app language, input, and display languag The following fields are available: - **DefaultAppLanguage** The current user Default App Language. -- **HomeLocation** The current user location, which is populated using GetUserGeoId() function. - **DisplayLanguage** The current user preferred Windows Display Language. -- **SpeechInputLanguages** The Speech Input languages installed on the device. +- **HomeLocation** The current user location, which is populated using GetUserGeoId() function. - **KeyboardInputLanguages** The Keyboard input languages installed on the device. +- **SpeechInputLanguages** The Speech Input languages installed on the device. ### Census.VM 
@@ -1744,13 +1550,11 @@ This event sends data indicating whether virtualization is enabled on the device The following fields are available: -- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware. -- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware. +- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor. - **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present. - **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors. -- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor. -- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within. -- **isVDI** Is the device using Virtual Desktop Infrastructure? +- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware. +- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware. ### Census.WU 
@@ -1759,29 +1563,23 @@ This event sends data about the Windows update server and other App store polici The following fields are available: -- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). -- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. -- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device. -- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled). -- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting -- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured -- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades. -- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). -- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades -- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates -- **WUPauseState** Retrieves WU setting to determine if updates are paused -- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device . -- **OSRolledBack** A flag that represents when a feature update has rolled back during setup. -- **OSRollbackCount** The number of times feature updates have rolled back on the device. -- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently. - **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading. -- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it? 
-- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update?
-- **OSAssessmentForQualityUpdate** Is the device on the latest quality update?
-- **OSAssessmentForSecurityUpdate** Is the device on the latest security update?
-- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it?
-- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment.
+- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled).
+- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured
+- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting
+- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades.
+- **OSRollbackCount** The number of times feature updates have rolled back on the device.
+- **OSRolledBack** A flag that represents when a feature update has rolled back during setup.
+- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device .
+- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device.
+- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently.
+- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
+- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
+- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
+- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network.
+- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
+- **WUPauseState** Retrieves WU setting to determine if updates are paused.
+- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). ### Census.Xbox 
@@ -1790,66 +1588,211 @@ This event sends data about the Xbox Console, such as Serial Number and DeviceId The following fields are available: -- **XboxLiveDeviceId** Retrieves the unique device id of the console. -- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. -- **XboxLiveSandboxId** Retrieves the developer sandbox id if the device is internal to MS. - **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console. +- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. +- **XboxLiveDeviceId** Retrieves the unique device ID of the console. +- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft. -### Census.Security -This event provides information on about security settings used to help keep Windows up-to-date and secure. +## Common data extensions + +### Common Data Extensions.app + +Describes the properties of the running application. This extension could be populated by a client app or a web app. + +The following fields are available: + +- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. +- **env** The environment from which the event was logged. +- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. +- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. +- **userId** The userID as known by the application. +- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. + + +### Common Data Extensions.container + +Describes the properties of the container for events logged within a container. 
+ +The following fields are available: + +- **localId** The device ID as known by the client. +- **osVer** The operating system version. +- **type** The container type. Examples: Process or VMHost + + +### Common Data Extensions.cs + +Describes properties related to the schema of the event. + +The following fields are available: + +- **sig** A common schema signature that identifies new and modified event schemas. + + +### Common Data Extensions.device + +Describes the device-related fields. + +The following fields are available: + +- **deviceClass** Represents the classification of the device, the device “family”. For example, Desktop, Server, or Mobile. +- **localId** Represents a locally defined unique ID for the device, not the human readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId + + +### Common Data Extensions.Envelope + +Represents an envelope that contains all of the common data extensions. + +The following fields are available: + +- **appId** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. +- **appVer** Represents the version number of the application. Used to understand errors by version and usage by version across an app. +- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries. +- **data** Represents the optional unique diagnostic data for a particular event schema. +- **epoch** ID used to help distinguish events in the sequence by indicating the current boot session. +- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp). 
+- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer). +- **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs). +- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). +- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). +- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). +- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). +- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl). +- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. +- **iKey** Represents an ID for applications or other logical groupings of events. +- **name** Represents the uniquely qualified name for the event. +- **os** The operating system name. +- **osVer** The operating system version. +- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. +- **seqNum** Used to track the absolute order of uploaded events. +- **tags** A header for semi-managed extensions. +- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.os + +Describes some properties of the operating system. 
+ +The following fields are available: + +- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot. +- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema. +- **locale** Represents the locale of the operating system. + + +### Common Data Extensions.user + +Describes the fields related to a user. + +The following fields are available: + +- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token. +- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. + + +### Common Data Extensions.utc + +Describes the properties that could be populated by a logging library on Windows. + +The following fields are available: + +- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. +- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number +- **cat** Represents a bitmask of the ETW Keywords associated with the event. +- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. +- **flags** Represents the bitmap that captures various Windows specific flags. +- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence +- **op** Represents the ETW Op Code. +- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. +- **sqmId** The Windows SQM ID. +- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. 
+- **tickets** An array of strings that refer back to a key in the X-Tickets http header that the client uploaded along with a batch of events. + + +### Common Data Extensions.xbl + +Describes the fields that are related to XBOX Live. + +The following fields are available: + +- **claims** Any additional claims whose short claim name hasn't been added to this structure. +- **did** XBOX device ID +- **dty** XBOX device type +- **dvr** The version of the operating system on the device. +- **eid** A unique ID that represents the developer entity. +- **exp** Expiration time +- **ip** The IP address of the client device. +- **nbf** Not before time +- **pid** A comma separated list of PUIDs listed as base10 numbers. +- **sbx** XBOX sandbox identifier +- **sid** The service instance ID. +- **sty** The service type. +- **tid** The XBOX Live title ID. +- **tvr** The XBOX Live title version. +- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. +- **xid** A list of base10-encoded XBOX User IDs. + + +## Common data fields + +### Ms.Device.DeviceInventoryChange + +Describes the installation state for all hardware and software components available on a particular device. + +The following fields are available: + +- **action** The change that was invoked on a device inventory object. +- **inventoryId** Device ID used for Compatibility testing +- **objectInstanceId** Object identity which is unique within the device scope. +- **objectType** Indicates the object type that the event applies to. +- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. -- **AvailableSecurityProperties** Enumerates and reports state on the relevant security properties for Device Guard. 
-- **CGRunning** Is Credential Guard running? -- **DGState** A summary of the Device Guard state. -- **HVCIRunning** Is HVCI running? -- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. -- **SecureBootCapable** Is this device capable of running Secure Boot? -- **VBSState** Is virtualization-based security enabled, disabled, or running? ## Diagnostic data events ### TelClientSynthetic.AuthorizationInfo_RuntimeTransition -This event sends data indicating that a device has undergone a change of diagnostic data opt-in level during the runtime of the device (not at UTC boot or offline), to help keep Windows up to date. +This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. The following fields are available: -- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto diagnostic data from the OS provider groups. -- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS diagnostic data. Non-OS diagnostic data is responsible for providing its own opt-in mechanism. +- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto telemetry from the OS provider groups. +- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is responsible for providing its own opt-in mechanism. - **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA. - **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats. -- **CanCollectOsTelemetry** True if UTC is allowed to collect diagnostic data from the OS provider groups. +- **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry). 
- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations. - **CanPerformScripting** True if UTC is allowed to perform scripting. - **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions. - **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events. -- **TransitionFromEverythingOff** True if this transition is moving from not allowing core diagnostic data to allowing core diagnostic data. -- **PreviousPermissions** Bitmask representing the previously configured permissions since the diagnostic data opt-in level was last changed. +- **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry opt-in level was last changed. +- **TransitionFromEverythingOff** True if this transition is moving from not allowing core telemetry to allowing core telemetry. ### TelClientSynthetic.AuthorizationInfo_Startup -This event sends data indicating that a device has undergone a change of diagnostic data opt-in level detected at UTC startup, to help keep Windows up to date. +This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. The following fields are available: -- **TransitionFromEverythingOff** True if this transition is moving from not allowing core diagnostic data to allowing core diagnostic data. -- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS diagnostic data. Non-OS diagnostic data is responsible for providing its own opt-in mechanism. -- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats. +- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto telemetry from the OS provider groups. 
+- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS telemetry. Non-OS telemetry is responsible for providing its own opt-in mechanism. - **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA. -- **CanCollectOsTelemetry** True if UTC is allowed to collect diagnostic data from the OS provider groups. -- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events. -- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto diagnostic data from the OS provider groups. -- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions. +- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats. +- **CanCollectOsTelemetry** True if UTC is allowed to collect telemetry from the OS provider groups (often called Microsoft Telemetry). - **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations. - **CanPerformScripting** True if UTC is allowed to perform scripting. -- **PreviousPermissions** Bitmask representing the previously configured permissions since the diagnostic data client was last started. +- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions. +- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events. +- **PreviousPermissions** Bitmask representing the previously configured permissions since the telemetry client was last started. +- **TransitionFromEverythingOff** True if this transition is moving from not allowing core telemetry to allowing core telemetry. ### TelClientSynthetic.ConnectivityHeartBeat_0 -This event sends data about the connectivity status of the Connected User Experiences and Telemetry component that uploads diagnostic data events. 
If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. +This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads telemetry events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. The following fields are available: @@ -1857,10 +1800,10 @@ The following fields are available: - **CensusStartTime** Returns timestamp corresponding to last successful census run. - **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. - **LastConnectivityLossTime** Retrieves the last time the device lost free network. +- **LastConntectivityLossTime** Retrieves the last time the device lost free network. - **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. - **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. - **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. -- **LastConntectivityLossTime** Retrieves the last time the device lost free network. ### TelClientSynthetic.HeartBeat_5 
@@ -1869,51 +1812,41 @@ This event sends data about the health and quality of the diagnostic data from t The following fields are available: -- **PreviousHeartBeatTime** The time of last heartbeat event. This allows chaining of events. -- **EtwDroppedCount** The number of events dropped by the ETW layer of the diagnostic data client. -- **ConsumerDroppedCount** The number of events dropped by the consumer layer of the diagnostic data client. -- **DecodingDroppedCount** The number of events dropped because of decoding failures. -- **ThrottledDroppedCount** The number of events dropped due to throttling of noisy providers. -- **DbDroppedCount** The number of events that were dropped because the database was full. -- **EventSubStoreResetCounter** The number of times the event database was reset. -- **EventSubStoreResetSizeSum** The total size of the event database across all resets reports in this instance. -- **CriticalOverflowEntersCounter** The number of times a critical overflow mode was entered into the event database. -- **EnteringCriticalOverflowDroppedCounter** The number of events that was dropped because a critical overflow mode was initiated. -- **UploaderDroppedCount** The number of events dropped by the uploader layer of the diagnostic data client. -- **InvalidHttpCodeCount** The number of invalid HTTP codes received from Vortex. -- **LastInvalidHttpCode** The last invalid HTTP code received from Vortex. -- **MaxInUseScenarioCounter** The soft maximum number of scenarios loaded by the Connected User Experiences and Telemetry component. -- **LastEventSizeOffender** The name of the last event that exceeded the maximum event size. -- **SettingsHttpAttempts** The number of attempts to contact the OneSettings service. -- **SettingsHttpFailures** The number of failures from contacting the OneSettings service. -- **VortexHttpAttempts** The number of attempts to contact the Vortex service. -- **EventsUploaded** The number of events that have been uploaded. 
-- **DbCriticalDroppedCount** The total number of dropped critical events in the event database.
-- **VortexHttpFailures4xx** The number of 400-499 error codes received from Vortex.
-- **VortexHttpFailures5xx** The number of 500-599 error codes received from Vortex.
-- **VortexFailuresTimeout** The number of timeout failures received from Vortex.
-- **HeartBeatSequenceNumber** A monotonically increasing heartbeat counter.
-- **EtwDroppedBufferCount** The number of buffers dropped in the CUET ETW session.
-- **FullTriggerBufferDroppedCount** The number of events that were dropped because the trigger buffer was full.
-- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling.
-- **CriticalDataDbDroppedCount** The number of critical data sampled events that were dropped at the database layer.
-- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe.
 - **AgentConnectionErrorsCount** The number of non-timeout errors associated with the host/agent channel.
-- **LastAgentConnectionError** The last non-timeout error that happened in the host/agent channel.
-- **Flags** Flags that indicate device state, such as network, battery, and opt-in state.
-- **CensusTaskEnabled** Indicates whether Census is enabled.
 - **CensusExitCode** The last exit code of the Census task.
 - **CensusStartTime** The time of the last Census run.
-
-
-### TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate
-
-This event sends basic data on privacy settings before and after a feature update. This is used to ensure that customer privacy settings are correctly migrated across feature updates.
-
-The following fields are available:
-
-- **PostUpgradeSettings** The privacy settings after a feature update.
-- **PreUpgradeSettings** The privacy settings before a feature update.
+- **CensusTaskEnabled** Indicates whether Census is enabled.
+- **ConsumerDroppedCount** The number of events dropped by the consumer layer of the telemetry client.
+- **CriticalDataDbDroppedCount** The number of critical data sampled events that were dropped at the database layer.
+- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling.
+- **CriticalOverflowEntersCounter** The number of times a critical overflow mode was entered into the event database.
+- **DbCriticalDroppedCount** The total number of dropped critical events in the event database.
+- **DbDroppedCount** The number of events that were dropped because the database was full.
+- **DecodingDroppedCount** The number of events dropped because of decoding failures.
+- **EnteringCriticalOverflowDroppedCounter** The number of events that was dropped because a critical overflow mode was initiated.
+- **EtwDroppedBufferCount** The number of buffers dropped in the CUET ETW session.
+- **EtwDroppedCount** The number of events dropped by the ETW layer of the telemetry client.
+- **EventSubStoreResetCounter** The number of times the event database was reset.
+- **EventSubStoreResetSizeSum** The total size of the event database across all resets reports in this instance.
+- **EventsUploaded** The number of events that have been uploaded.
+- **Flags** Flags that indicate device state, such as network, battery, and opt-in state.
+- **FullTriggerBufferDroppedCount** The number of events that were dropped because the trigger buffer was full.
+- **HeartBeatSequenceNumber** A monotonically increasing heartbeat counter.
+- **InvalidHttpCodeCount** The number of invalid HTTP codes received from Vortex.
+- **LastAgentConnectionError** The last non-timeout error that happened in the host/agent channel.
+- **LastEventSizeOffender** The name of the last event that exceeded the maximum event size.
+- **LastInvalidHttpCode** The last invalid HTTP code received from Vortex.
+- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. +- **MaxInUseScenarioCounter** The soft maximum number of scenarios loaded by the Connected User Experience and Telemetry component. +- **PreviousHeartBeatTime** The time of last heartbeat event. This allows chaining of events. +- **SettingsHttpAttempts** The number of attempts to contact the OneSettings service. +- **SettingsHttpFailures** The number of failures from contacting the OneSettings service. +- **ThrottledDroppedCount** The number of events dropped due to throttling of noisy providers. +- **UploaderDroppedCount** The number of events dropped by the uploader layer of the telemetry client. +- **VortexFailuresTimeout** The number of timeout failures received from Vortex. +- **VortexHttpAttempts** The number of attempts to contact the Vortex service. +- **VortexHttpFailures4xx** The number of 400-499 error codes received from Vortex. +- **VortexHttpFailures5xx** The number of 500-599 error codes received from Vortex. ## DxgKernelTelemetry events 
@@ -1924,72 +1857,80 @@ This event sends basic GPU and display driver information to keep Windows and di The following fields are available: -- **version** The event version. -- **bootId** The system boot ID. - **aiSeqId** The event sequence ID. -- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? -- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? -- **InterfaceId** The GPU interface ID. -- **GPUVendorID** The GPU vendor ID. -- **GPUDeviceID** The GPU device ID. -- **SubVendorID** The GPU sub vendor ID. -- **SubSystemID** The subsystem ID. -- **GPURevisionID** The GPU revision ID. -- **DriverVersion** The display driver version. +- **bootId** The system boot ID. +- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. +- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). +- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). +- **DisplayAdapterLuid** The display adapter LUID. - **DriverDate** The date of the display driver. - **DriverRank** The rank of the display driver. -- **IsMiracastSupported** Does the GPU support Miracast? -- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? +- **DriverVersion** The display driver version. +- **GPUDeviceID** The GPU device ID. +- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. +- **GPURevisionID** The GPU revision ID. +- **GPUVendorID** The GPU vendor ID. +- **InterfaceId** The GPU interface ID. +- **IsDisplayDevice** Does the GPU have displaying capabilities? - **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? - **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? -- **IsMPOSupported** Does the GPU support Multi-Plane Overlays? - **IsLDA** Is the GPU comprised of Linked Display Adapters? 
+- **IsMiracastSupported** Does the GPU support Miracast?
 - **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor?
+- **IsMPOSupported** Does the GPU support Multi-Plane Overlays?
+- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution?
 - **IsPostAdapter** Is this GPU the POST GPU in the device?
-- **IsSoftwareDevice** Is this a software implementation of the GPU?
 - **IsRenderDevice** Does the GPU have rendering capabilities?
-- **IsDisplayDevice** Does the GPU have displaying capabilities?
-- **WDDMVersion** The Windows Display Driver Model version.
-- **DisplayAdapterLuid** The display adapter LUID.
-- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload.
-- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload.
-- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling)
-- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes).
-- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes).
-- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes).
+- **IsSoftwareDevice** Is this a software implementation of the GPU?
+- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES?
 - **NumVidPnSources** The number of supported display output sources.
 - **NumVidPnTargets** The number of supported display output targets.
+- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes).
+- **SubSystemID** The subsystem ID.
+- **SubVendorID** The GPU sub vendor ID.
+- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
+- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling)
+- **version** The event version.
+- **WDDMVersion** The Windows Display Driver Model version. ## Fault Reporting events ### Microsoft.Windows.FaultReporting.AppCrashEvent -This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes" by a user DO NOT emit this event. +This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes\" by a user DO NOT emit this event. The following fields are available: -- **ProcessId** The ID of the process that has crashed. -- **ProcessCreateTime** The time of creation of the process that has crashed. +- **AppName** The name of the app that has crashed. 
+- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the telemetry backend.
+- **AppTimeStamp** The date/time stamp of the app.
+- **AppVersion** The version of the app that has crashed.
 - **ExceptionCode** The exception code returned by the process that has crashed.
 - **ExceptionOffset** The address where the exception had occurred.
-- **AppName** The name of the app that has crashed.
-- **AppVersion** The version of the app that has crashed.
-- **AppTimeStamp** The date/time stamp of the app.
+- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting.
 - **ModName** Exception module name (e.g. bar.dll).
-- **ModVersion** The version of the module that has crashed.
 - **ModTimeStamp** The date/time stamp of the module.
+- **ModVersion** The version of the module that has crashed.
 - **PackageFullName** Store application identity.
 - **PackageRelativeAppId** Store application identity.
 - **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ProcessCreateTime** The time of creation of the process that has crashed.
+- **ProcessId** The ID of the process that has crashed.
 - **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
-- **Flags** Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting.
-- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the diagnostic data backend.
 - **TargetAppId** The kernel reported AppId of the application being reported.
- **TargetAppVer** The specific version of the application being reported - **TargetAsId** The sequence number for the hanging process. +## Feature update events + +### Microsoft.Windows.Upgrade.Uninstall.UninstallGoBackButtonClicked + +This event sends basic metadata about the starting point of uninstalling a feature update, which helps ensure customers can safely revert to a well-known state if the update caused any problems. + + + ## Hang Reporting events ### Microsoft.Windows.HangReporting.AppHangEvent 
@@ -1999,52 +1940,110 @@ This event sends data about hangs for both native and managed applications, to h The following fields are available: - **AppName** The name of the app that has hung. -- **TypeCode** Bitmap describing the hang type. -- **ProcessId** The ID of the process that has hung. -- **UTCReplace_TargetAppId** The kernel reported AppId of the application being reported. -- **ProcessCreateTime** The time of creation of the process that has hung. -- **UTCReplace_TargetAppVer** The specific version of the application being reported. -- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. +- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the telemetry backend. +- **AppVersion** The version of the app that has hung. +- **PackageFullName** Store application identity. - **PackageRelativeAppId** Store application identity. - **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. -- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. -- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. -- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the diagnostic data backend. -- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. -- **PackageFullName** Store application identity. -- **AppVersion** The version of the app that has hung. +- **ProcessCreateTime** The time of creation of the process that has hung. +- **ProcessId** The ID of the process that has hung. 
- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. - **TargetAppId** The kernel reported AppId of the application being reported. - **TargetAppVer** The specific version of the application being reported. - **TargetAsId** The sequence number for the hanging process. +- **TypeCode** Bitmap describing the hang type. +- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application. +- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting. +- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. +- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. ## Inventory events +### ChecksumDictionary + +The list of values sent by each object type. + +The following fields are available: + +- **Key** The object type being described. +- **Value** The number of objects of this type that were sent. + + +### COMPID + +This event provides a device's internal application compatible ID, a vendor-defined identification that Windows uses to match a device to an INF file. A device can have a list of compatible IDs associated with it. + +The following fields are available: + +- **Order** The index of the array of compatible IDs for the device. +- **Value** The array of compatible IDs for the device. + + +### HWID + +This event provides a device's internal hardware ID, a vendor-defined identification that Windows uses to match a device to an INF file. In most cases, a device has associated with it a list of hardware IDs. + +The following fields are available: + +- **Order** The index of the array of internal hardware IDs for the device. +- **Value** The array of internal hardware IDs for the device. 
+ + +### InstallDateArpLastModified + +This event indicates the date the add/remove program (ARP) entry was last modified by an update. + +The following fields are available: + +- **Order** The index of the ordered array. +- **Value** The value contained in the ordered array. + + +### InstallDateFromLinkFile + +This event provides the application installation date from the linked file. + +The following fields are available: + +- **Order** The index of the ordered array. +- **Value** The value contained in the ordered array. + + +### InstallDateMsi + +The install date from the Microsoft installer (MSI) database. + +The following fields are available: + +- **Order** The index of the ordered array. +- **Value** The value contained in the ordered array. + + ### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. 
The following fields are available: -- **Device** A count of device objects in cache -- **DeviceCensus** A count of devicecensus objects in cache -- **DriverPackageExtended** A count of driverpackageextended objects in cache -- **File** A count of file objects in cache -- **Generic** A count of generic objects in cache -- **HwItem** A count of hwitem objects in cache -- **InventoryApplication** A count of application objects in cache -- **InventoryApplicationFile** A count of application file objects in cache -- **InventoryDeviceContainer** A count of device container objects in cache -- **InventoryDeviceMediaClass** A count of device media objects in cache -- **InventoryDevicePnp** A count of devicepnp objects in cache -- **InventoryDriverBinary** A count of driver binary objects in cache -- **InventoryDriverPackage** A count of device objects in cache -- **Metadata** A count of metadata objects in cache -- **Orphan** A count of orphan file objects in cache -- **Programs** A count of program objects in cache -- **FileSigningInfo** A count of file signing info objects in cache. -- **InventoryDeviceInterface** A count of inventory device interface objects in cache. +- **Device** A count of device objects in cache. +- **DeviceCensus** A count of devicecensus objects in cache. +- **DriverPackageExtended** A count of driverpackageextended objects in cache. +- **File** A count of file objects in cache. +- **FileSigningInfo** A count of file signing objects in cache. +- **Generic** A count of generic objects in cache. +- **HwItem** A count of hwitem objects in cache. +- **InventoryApplication** A count of application objects in cache. +- **InventoryApplicationFile** A count of application file objects in cache. +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. +- **InventoryDeviceMediaClass** A count of device media objects in cache. 
+- **InventoryDevicePnp** A count of device Plug and Play objects in cache. +- **InventoryDriverBinary** A count of driver binary objects in cache. +- **InventoryDriverPackage** A count of device objects in cache. +- **Metadata** A count of metadata objects in cache. +- **Orphan** A count of orphan file objects in cache. +- **Programs** A count of program objects in cache. ### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions 
@@ -2054,62 +2053,48 @@ This event sends inventory component versions for the Device Inventory data. The following fields are available: - **aeinv** The version of the App inventory component. +- **aeinv.dll** The version of the App inventory component. - **devinv** The file version of the Device inventory component. +- **devinv.dll** The file version of the Device inventory component. -### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync -This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events -- -### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd - -This event sends basic metadata about the USB hubs on the device - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events -- **TotalUserConnectablePorts** Total number of connectable USB ports -- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports -- ### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd This event sends basic metadata about an application on the system to help keep Windows up to date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: -- **ProgramInstanceId** A hash of the file IDs in an app. -- **Name** The name of the application. Location pulled from depends on 'Source' field. -- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen. -- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. -- **Version** The version number of the program. 
-- **Language** The language code of the program. -- **Source** How the program was installed (ARP, MSI, Appx, etc...) -- **MsiProductCode** A GUID that describe the MSI Product. -- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. - **HiddenArp** Indicates whether a program hides itself from showing up in ARP. -- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. -- **RootDirPath** The path to the root directory where the program was installed. -- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics) -- **InstallDateMsi** The install date if the application was installed via MSI. Passed as an array. -- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. -- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. -- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -- **objectInstanceId** ProgramId (a hash of Name, Version, Publisher, and Language of an application used to identify it). -- **PackageFullName** The package full name for a Store application. +- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). +- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 See [InstallDateArpLastModified](#installdatearplastmodified). +- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. See [InstallDateFromLinkFile](#installdatefromlinkfile). +- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array. 
See [InstallDateMsi](#installdatemsi). - **InventoryVersion** The version of the inventory file generating the events. +- **Language** The language code of the program. +- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. +- **MsiProductCode** A GUID that describe the MSI Product. +- **Name** The name of the application. +- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. +- **PackageFullName** The package full name for a Store application. +- **ProgramInstanceId** A hash of the file IDs in an app. +- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. +- **RootDirPath** The path to the root directory where the program was installed. +- **Source** How the program was installed (for example, ARP, MSI, Appx). - **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. +- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen. +- **Version** The version number of the program. ### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove This event indicates that a new set of InventoryDevicePnpAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. 
@@ -2117,43 +2102,45 @@ The following fields are available: This event indicates that a new set of InventoryApplicationAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. ### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd -This event sends basic metadata about a device container (such as a monitor or printer as opposed to a PNP device) to help keep Windows up-to-date. +This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **ModelName** The model name. -- **ModelId** A model GUID. -- **PrimaryCategory** The primary category for the device container. - **Categories** A comma separated list of functional categories in which the container belongs. -- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. -- **IsActive** Is the device connected, or has it been seen in the last 14 days? -- **IsPaired** Does the device container require pairing? -- **IsNetworked** Is this a networked device? -- **IsMachineContainer** Is the container the root device itself? -- **FriendlyName** The name of the device container. - **DiscoveryMethod** The discovery method for the device container. -- **ModelNumber** The model number for the device container. -- **Manufacturer** The manufacturer name for the device container. -- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. 
-- **objectInstanceId** ContainerId +- **FriendlyName** The name of the device container. - **InventoryVersion** The version of the inventory file generating the events. +- **IsActive** Is the device connected, or has it been seen in the last 14 days? +- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link. +- **IsMachineContainer** Is the container the root device itself? +- **IsNetworked** Is this a networked device? +- **IsPaired** Does the device container require pairing? +- **Manufacturer** The manufacturer name for the device container. +- **ModelId** A unique model ID. +- **ModelName** The model name. +- **ModelNumber** The model number for the device container. +- **PrimaryCategory** The primary category for the device container. ### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove This event indicates that the InventoryDeviceContainer object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. @@ -2161,9 +2148,10 @@ The following fields are available: This event indicates that a new set of InventoryDeviceContainerAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. 
@@ -2171,9 +2159,10 @@ The following fields are available: This event retrieves information about what sensor interfaces are available on the device. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: -- **InventoryVersion** The version of the inventory file generating the events. - **Accelerometer3D** Indicates if an Accelerator3D sensor is found. - **ActivityDetection** Indicates if an Activity Detection sensor is found. - **AmbientLight** Indicates if an Ambient Light sensor is found. @@ -2184,6 +2173,7 @@ The following fields are available: - **GravityVector** Indicates if a Gravity Detector sensor is found. - **Gyrometer3D** Indicates if a Gyrometer3D sensor is found. - **Humidity** Indicates if a Humidity sensor is found. +- **InventoryVersion** The version of the inventory file generating the events. - **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found. - **Magnetometer3D** Indicates if a Magnetometer3D sensor is found. - **Orientation** Indicates if an Orientation sensor is found. @@ -2192,13 +2182,14 @@ The following fields are available: - **RelativeOrientation** Indicates if a Relative Orientation sensor is found. - **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found. - **Temperature** Indicates if a Temperature sensor is found. -- **EnergyMeter** Indicates if an Energy sensor is found. ### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. 
@@ -2206,23 +2197,25 @@ The following fields are available: ### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd -This event sends additional metadata about a PNP device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload. +This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -- **InventoryVersion** The version of the inventory file generating the events. - **Audio_CaptureDriver** The Audio device capture driver endpoint. - **Audio_RenderDriver** The Audio device render driver endpoint. +- **InventoryVersion** The version of the inventory file generating the events. ### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove This event indicates that the InventoryDeviceMediaClassRemove object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. 
@@ -2230,56 +2223,58 @@ The following fields are available: This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. ### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd -This event sends basic metadata about a PNP device and its associated driver to help keep Windows up-to-date. +This event represents the basic metadata about a plug and play (PNP) device and its associated driver. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **HWID** A JSON array that provides the value and order of the HWID tree for the device. -- **COMPID** A JSON array the provides the value and order of the compatible ID tree for the device. -- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx -- **Enumerator** The bus that enumerated the device. +- **Class** The device setup class of the driver loaded for the device +- **ClassGuid** The device class GUID from the driver package +- **COMPID** A JSON array the provides the value and order of the compatible ID tree for the device. See [COMPID](#compid). - **ContainerId** A system-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the device. -- **DeviceState** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). 
DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present. -- **ParentId** Device instance id of the parent of the device. -- **STACKID** A JSON array that provides the value and order of the STACKID tree for the device. -- **Description** The device description. -- **MatchingID** Represents the hardware ID or compatible ID that Windows uses to install a device instance. -- **Class** The device setup class of the driver loaded for the device. -- **ClassGuid** The device setup class guid of the driver loaded for the device. -- **Manufacturer** The device manufacturer. -- **Model** The device model. -- **Inf** The INF file name. -- **DriverVerVersion** The version of the driver loaded for the device. -- **DriverVerDate** The date of the driver loaded for the device. -- **Provider** The device provider. -- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. -- **Service** The device service name. -- **LowerClassFilters** Lower filter class drivers IDs installed for the device. -- **LowerFilters** Lower filter drivers IDs installed for the device. -- **UpperClassFilters** Upper filter class drivers IDs installed for the device. -- **UpperFilters** Upper filter drivers IDs installed for the device. -- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. +- **Description** The device description +- **DeviceState** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). 
DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present - **DriverId** A unique identifier for the installed device. - **DriverName** The name of the driver image file. +- **DriverVerDate** The date of the driver loaded for the device +- **DriverVerVersion** The version of the driver loaded for the device +- **Enumerator** The bus that enumerated the device +- **HWID** A JSON array that provides the value and order of the HWID tree for the device. See [HWID](#hwid). +- **Inf** The INF file name. +- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx - **InventoryVersion** The version of the inventory file generating the events. +- **LowerClassFilters** Lower filter class drivers IDs installed for the device. +- **LowerFilters** Lower filter drivers IDs installed for the device +- **Manufacturer** The device manufacturer +- **MatchingID** Represents the hardware ID or compatible ID that Windows uses to install a device instance +- **Model** The device model +- **ParentId** Device instance id of the parent of the device - **ProblemCode** The current error code for the device. +- **Provider** The device provider +- **Service** The device service name +- **STACKID** A JSON array that provides the value and order of the STACKID tree for the device. See [STACKID](#stackid). 
+- **UpperClassFilters** Upper filter class drivers IDs installed for the device +- **UpperFilters** Upper filter drivers IDs installed for the device ### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove This event indicates that the InventoryDevicePnpRemove object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. 
@@ -2287,45 +2282,48 @@ The following fields are available: This event indicates that a new set of InventoryDevicePnpAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. ### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd -This event sends basic metadata about driver files running on the system to help keep Windows up-to-date. +This event provides the basic metadata about driver binaries running on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **DriverName** The file name of the driver. -- **Inf** The name of the INF file. -- **DriverPackageStrongName** The strong name of the driver package. -- **DriverCompany** The company name that developed the driver. - **DriverCheckSum** The checksum of the driver file. +- **DriverCompany** The company name that developed the driver. +- **DriverInBox** Is the driver included with the operating system? +- **DriverIsKernelMode** Is it a kernel mode driver? +- **DriverName** The file name of the driver. +- **DriverPackageStrongName** The strong name of the driver package +- **DriverSigned** The strong name of the driver package - **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. - **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. 
define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. -- **DriverInBox** Is the driver included with the operating system? -- **DriverSigned** Is the driver signed? -- **DriverIsKernelMode** Is it a kernel mode driver? - **DriverVersion** The version of the driver file. - **ImageSize** The size of the driver file. +- **Inf** The name of the INF file. +- **InventoryVersion** The version of the inventory file generating the events. - **Product** The product name that is included in the driver file. - **ProductVersion** The product version that is included in the driver file. -- **WdfVersion** The Windows Driver Framework version. - **Service** The name of the service that is installed for the device. -- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -- **InventoryVersion** The version of the inventory file generating the events. +- **WdfVersion** The Windows Driver Framework version. ### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove This event indicates that the InventoryDriverBinary object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. 
@@ -2333,38 +2331,40 @@ The following fields are available: This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. ### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd -This event sends basic metadata about drive packages installed on the system to help keep Windows up-to-date. +This event sends basic metadata about drive packages installed on the system to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **Inf** The INF name of the driver package. -- **ClassGuid** The class GUID for the device driver. - **Class** The class name for the device driver. -- **Directory** The path to the driver package. +- **ClassGuid** The class GUID for the device driver. - **Date** The driver package date. -- **Version** The version of the driver package. +- **Directory** The path to the driver package. +- **Inf** The INF name of the driver package. +- **InventoryVersion** The version of the inventory file generating the events. - **Provider** The provider for the driver package. - **SubmissionId** The HLK submission ID for the driver package. -- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. -- **InventoryVersion** The version of the inventory file generating the events. -- **DriverInBox** Is the driver included with the operating system? +- **Version** The version of the driver package. ### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove This event indicates that the InventoryDriverPackageRemove object is no longer present. 
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. @@ -2372,9 +2372,10 @@ The following fields are available: This event indicates that a new set of InventoryDriverPackageAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: -- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section. - **InventoryVersion** The version of the inventory file generating the events. 
@@ -2384,187 +2385,83 @@ This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd e The following fields are available: -- **ChecksumDictionary** A count of each operating system indicator. +- **ChecksumDictionary** A count of each operating system indicator. See [ChecksumDictionary](#checksumdictionary). - **PCFP** Equivalent to the InventoryId field that is found in other core events. -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd - -This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions - -The following fields are available: - -- **Design** Count of files with design issues found -- **Design_x64** Count of files with 64 bit design issues found -- **DuplicateVBA** Count of files with duplicate VBA code -- **HasVBA** Count of files with VBA code -- **Inaccessible** Count of files that were inaccessible for scanning -- **Issues** Count of files with issues detected -- **Issues_x64** Count of files with 64-bit issues detected -- **IssuesNone** Count of files with no issues detected -- **IssuesNone_x64** Count of files with no 64-bit issues detected -- **Locked** Count of files that were locked, preventing scanning -- **NoVBA** Count of files with no VBA inside -- **Protected** Count of files that were password protected, preventing scanning -- **RemLimited** Count of files that require limited remediation changes -- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues -- **RemSignificant** Count of files that require significant remediation changes -- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues -- **Score** Overall compatibility score calculated for scanned content -- **Score_x64** Overall 64-bit compatibility score 
calculated for scanned content
-- **Total** Total number of files scanned
-- **Validation** Count of files that require additional manual validation
-- **Validation_x64** Count of files that require additional manual validation for 64-bit issues
-
-### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
-
-This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent
-
-The following fields are available:
-
-- **InventoryVersion** The version of the inventory file generating the events
-
-### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
-
-This event provides the basic metadata about the frameworks an application may depend on
-
-The following fields are available:
-
-- **FileId** A hash that uniquely identifies a file
-- **Frameworks** The list of frameworks this file depends on
-- **InventoryVersion** The version of the inventory file generating the events
-- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it
-
 ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
-These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up-to-date.
+These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 The following fields are available:
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
-- **IndicatorValue** The indicator value
+- **IndicatorValue** The indicator value.
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync
-
-This event indicates that a new sync is being generated for this object type.
-
-There are no fields in this event.
-
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync
-
-This event indicates that a new sync is being generated for this object type.
-
-There are no fields in this event.
 ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
-This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd, indicating that the item has been removed. There are no additional unique fields in this event.
+This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed.
-The following fields are available:
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
 ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
 This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent.
-The following fields are available:
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
-- **PartB_Ms.Device.DeviceInventoryChange** See the Common Data Fields section.
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd
-This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule
+### STACKID
+
+This event provides the internal compatible ID for the stack.
 The following fields are available:
-- **Count** Count of total Microsoft Office VBA rule violations
+- **Order** The index of the ordered array.
+- **Value** The value contained in the ordered array.
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
-This event provides data on the installed Office Add-ins.
+## Kernel events
-- **AddInCLSID** The CLSID key office the Office addin.
-- **AddInId** The ID of the Office addin.
-- **BinFileTimestamp** The timestamp of the Office addin.
-- **BinFileVersion** The version of the Office addin.
-- **Description** The description of the Office addin.
-- **FileId** The file ID of the Office addin.
-- **FriendlyName** The friendly name of the Office addin.
-- **FullPath** The full path to the Office addin.
-- **LoadBehavior** A Uint32 that describes the load behavior.
-- **LoadTime** The load time for the Office addin.
-- **OfficeApplication** The OIffice application for this addin.
-- **OfficeArchitecture** The architecture of the addin.
-- **OfficeVersion** The Office version for this addin.
-- **OutlookCrashingAddin** A boolean value that indicates if crashes have been found for this addin.
-- **Provider** The provider name for this addin.
+### IO
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync
+This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup.
-This event indicates that a new sync is being generated for this object type.
+The following fields are available:
-There are no fields in this event.
+- **BytesRead** The total number of bytes read from or read by the OS upon system startup.
+- **BytesWritten** The total number of bytes written to or written by the OS upon system startup.
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd
-This event provides data on the installed Office identifiers.
+### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch
-- **OAudienceData** The Office Audience descriptor.
-- **OAudienceId** The Office Audience ID.
-- **OMID** The Office machine ID.
-- **OPlatform** The Office architecture.
-- **OVersion** The Office version
-- **OTenantId** The Office 365 Tenant GUID.
-- **OWowMID** The Office machine ID.
+This event includes basic data about the Operating System, collected during Boot and used to evaluate the success of the upgrade process.
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync
+The following fields are available:
-This event indicates that a new sync is being generated for this object type.
+- **BootApplicationId** This field tells us what the OS Loader Application Identifier is.
+- **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system.
+- **BootSequence** The current Boot ID, used to correlate events related to a particular boot session.
+- **BootStatusPolicy** Identifies the applicable Boot Status Policy.
+- **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume").
+- **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made.
+- **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware.
+- **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed.
+- **FirmwareResetReasonPch** Reason for system reset provided by firmware.
+- **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed.
+- **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware.
+- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io).
+- **LastBootSucceeded** Flag indicating whether the last boot was successful.
+- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful.
+- **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.).
+- **RecoveryEnabled** Indicates whether recovery is enabled.
+- **UserInputTime** The amount of time the loader application spent waiting for user input.
-There are no fields in this event.
-
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync
-
-This event indicates that a new sync is being generated for this object type.
-
-There are no fields in this event.
-
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync
-
-This event indicates that a new sync is being generated for this object type.
-
-There are no fields in this event.
-
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd
-
-This event provides data on the installed Office-related Internet Explorer features.
-
-- **OIeFeatureAddon** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeMachineLockdown** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeMimeHandling** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeMimeSniffing** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeNoAxInstall** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeNoDownload** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeObjectCaching** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIePasswordDisable** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeSafeBind** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeSecurityBand** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeUncSaveCheck** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeValidateUrl** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeWebOcPopup** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeWinRestrict** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-- **OIeZoneElevate** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/en-us/library/ee330720.aspx).
-
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd
-
-This event describes the Office products that are installed.
-
-- **OC2rApps** The Office Click-to-Run apps.
-- **OC2rSkus** The Office Click-to-Run products.
-- **OMsiApps** The Office MSI apps.
-- **OProductCodes** The Office MSI product code.
 ## OneDrive events
@@ -2575,10 +2472,10 @@ This event includes basic data about install and uninstall OneDrive API operatio
 The following fields are available:
 - **APIName** The name of the API.
-- **ScenarioName** The name of the scenario.
 - **Duration** How long the operation took.
-- **isSuccess** Was the operation successful?
+- **IsSuccess** Was the operation successful?
 - **ResultCode** The result code.
+- **ScenarioName** The name of the scenario.
 ### Microsoft.OneDrive.Sync.Setup.EndExperience
@@ -2588,9 +2485,9 @@ This event includes a success or failure summary of the installation.
 The following fields are available:
 - **APIName** The name of the API.
+- **HResult** Indicates the result code of the event
+- **IsSuccess** Was the operation successful?
 - **ScenarioName** The name of the scenario.
-- **Hresult** The HResult of the operation.
-- **isSuccess** Was the operation successful?
 ### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation
@@ -2599,14 +2496,14 @@ This event is related to the OS version when the OS is upgraded with OneDrive in
 The following fields are available:
-- **HResult** The HResult of the operation.
-- **SourceOSVersion** The source version of the operating system.
-- **SourceOSBuildNumber** The source build number of the operating system.
-- **SourceOSBuildBranch** The source branch of the operating system.
-- **CurrentOSVersion** The current version of the operating system.
-- **CurrentOSBuildNumber** The current build number of the operating system.
-- **CurrentOSBuildBranch** The current branch of the operating system.
 - **CurrentOneDriveVersion** The current version of OneDrive.
+- **CurrentOSBuildBranch** The current branch of the operating system.
+- **CurrentOSBuildNumber** The current build number of the operating system.
+- **CurrentOSVersion** The current version of the operating system.
+- **HResult** The HResult of the operation.
+- **SourceOSBuildBranch** The source branch of the operating system.
+- **SourceOSBuildNumber** The source build number of the operating system.
+- **SourceOSVersion** The source version of the operating system.
 ### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation
@@ -2616,10 +2513,10 @@ This event is related to registering or unregistering the OneDrive update task.
 The following fields are available:
 - **APIName** The name of the API.
+- **IsSuccess** Was the operation successful?
+- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation.
 - **ScenarioName** The name of the scenario.
 - **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation.
-- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation.
-- **isSuccess** Was the operation successful?
 ### Microsoft.OneDrive.Sync.Setup.SetupCommonData
@@ -2629,19 +2526,15 @@ This event contains basic OneDrive configuration data that helps to diagnose fai
 The following fields are available:
 - **AppVersion** The version of the app.
-- **OfficeVersion** The version of Office that is installed.
-- **BuildArch** Is the architecture x86 or x64?
-- **Market** Which market is this in?
-- **OneDriveDeviceId** The OneDrive device ID.
+- **BuildArchitecture** Is the architecture x86 or x64?
+- **Environment** Is the device on the production or int service?
 - **MachineGuid** The CEIP machine ID.
-- **IsMSFTInternal** Is this an internal Microsoft device?
+- **Market** Which market is this in?
+- **MSFTInternal** Is this an internal Microsoft device?
+- **OfficeVersionString** The version of Office that is installed.
 - **OSDeviceName** Only if the device is internal to Microsoft, the device name.
 - **OSUserName** Only if the device is internal to Microsoft, the user name.
-- **Environment** Is the device on the production or int service?
-- **OfficeVersionString** The version of Office that is installed.
-- **BuildArchitecture** Is the architecture x86 or x64?
 - **UserGuid** The CEIP user ID.
-- **MSFTInternal** Is this an internal Microsoft device?
 ### Microsoft.OneDrive.Sync.Updater.CommonData
@@ -2651,21 +2544,21 @@ This event contains basic OneDrive configuration data that helps to diagnose fai
 The following fields are available:
 - **AppVersion** The version of the app.
-- **OfficeVersion** The version of Office that is installed.
 - **BuildArch** Is the architecture x86 or x64?
-- **Market** Which market is this in?
-- **OneDriveDeviceId** The OneDrive device ID.
-- **MachineGuid** The CEIP machine ID.
+- **Environment** Is the device on the production or int service?
 - **IsMSFTInternal** Is this an internal Microsoft device?
+- **MachineGuid** The CEIP machine ID.
+- **Market** Which market is this in?
+- **OfficeVersion** The version of Office that is installed.
+- **OneDriveDeviceId** The OneDrive device ID.
 - **OSDeviceName** Only if the device is internal to Microsoft, the device name.
 - **OSUserName** Only if the device is internal to Microsoft, the user name.
-- **Environment** Is the device on the production or int service?
 - **UserGuid** A unique global user identifier.
 ### Microsoft.OneDrive.Sync.Updater.ComponentInstallState
-This event determines the installation state of dependent OneDrive components.
+This event includes basic data about the installation state of dependent OneDrive components.
 The following fields are available:
@@ -2675,7 +2568,7 @@ The following fields are available:
 ### Microsoft.OneDrive.Sync.Updater.OfficeRegistration
-This event determines the status of the OneDrive integration with Microsoft Office.
+This event indicates the status of the OneDrive integration with Microsoft Office.
 The following fields are available:
@@ -2716,9 +2609,9 @@ This event determines the outcome of the operation.
 The following fields are available:
-- **UpdaterVersion** The version of the updater.
-- **IsLoggingEnabled** Is logging enabled?
 - **hr** The HResult of the operation.
+- **IsLoggingEnabled** Is logging enabled?
+- **UpdaterVersion** The version of the updater.
 ### Microsoft.OneDrive.Sync.Updater.UpdateTierReg
@@ -2748,287 +2641,684 @@ The following fields are available: - **winInetError** The HResult of the operation. -## Remediation events ->[!NOTE] ->Events from this provider are sent with the installation of KB4023057 and any subsequent Windows update. For details, see [this support article](https://support.microsoft.com/help/4023057). +## Remediation events ### Microsoft.Windows.Remediation.Applicable -Reports whether a specific remediation to issues preventing security and quality updates is applicable based on detection. +This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date. The following fields are available: -- **CV** Correlation vector. -- **DetectedCondition** Boolean true if detect condition is true and perform action will be run. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system. -- **PackageVersion** Current package version of Remediation. -- **PluginName** Name of the remediation plugin specified for each generic plugin event. -- **Result** Result for detection or perform action phases of the remediation system. -- **RunAppraiserFailed** Rerun if the appraiser command line tool failed. +- **ActionName** The name of the action to be taken by the plug-in. +- **AppraiserBinariesValidResult** Indicates whether plug-in was appraised as valid. +- **AppraiserDetectCondition** Indicates whether the plug-in passed the appraiser's check. +- **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid. +- **AppraiserTaskDisabled** Indicates the appraiser task is disabled. +- **AppraiserTaskValidFailed** Indicates the Appraiser task did not function and requires intervention. +- **CV** Correlation vector +- **DateTimeDifference** The difference between local and reference clock times. +- **DateTimeSyncEnabled** Indicates whether the datetime sync plug-in is enabled. 
+- **DaysSinceLastSIH** The number of days since the most recent SIH executed. +- **DaysToNextSIH** The number of days until the next scheduled SIH execution. +- **DetectedCondition** Indicates whether detect condition is true and the perform action will be run. +- **EvalAndReportAppraiserBinariesFailed** Indicates the EvalAndReportAppraiserBinaries event failed. +- **EvalAndReportAppraiserRegEntries** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed. +- **EvalAndReportAppraiserRegEntriesFailed** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed. +- **GlobalEventCounter** Client side counter that indicates ordering of events sent by the remediation system. +- **HResult** The HRESULT for detection or perform action phases of the plugin. +- **IsAppraiserLatestResult** The HRESULT from the appraiser task. +- **IsConfigurationCorrected** Indicates whether the configuration of SIH task was successfully corrected. +- **LastHresult** The HRESULT for detection or perform action phases of the plugin. +- **LastRun** The date of the most recent SIH run. +- **NextRun** Date of the next scheduled SIH run. +- **PackageVersion** The version of the current remediation package. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Reload** True if SIH reload is required. +- **RemediationNoisyHammerAcLineStatus** Event that indicates the AC Line Status of the machine. +- **RemediationNoisyHammerAutoStartCount** The number of times hammer auto-started. +- **RemediationNoisyHammerCalendarTaskEnabled** Event that indicates Update Assistant Calendar Task is enabled. +- **RemediationNoisyHammerCalendarTaskExists** Event that indicates an Update Assistant Calendar Task exists. +- **RemediationNoisyHammerCalendarTaskTriggerEnabledCount** Event that indicates calendar triggers are enabled in the task. +- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent hammer task ran. 
+- **RemediationNoisyHammerGetCurrentSize** Size in MB of the $GetCurrent folder. +- **RemediationNoisyHammerIsInstalled** TRUE if the noisy hammer is installed. +- **RemediationNoisyHammerLastTaskRunResult** The result of the last hammer task run. +- **RemediationNoisyHammerMeteredNetwork** TRUE if the machine is on a metered network. +- **RemediationNoisyHammerTaskEnabled** Indicates whether the Update Assistant Task (Noisy Hammer) is enabled. +- **RemediationNoisyHammerTaskExists** Indicates whether the Update Assistant Task (Noisy Hammer) exists. +- **RemediationNoisyHammerTaskTriggerEnabledCount** Indicates whether counting is enabled for the Update Assistant (Noisy Hammer) task trigger. +- **RemediationNoisyHammerUAExitCode** The exit code of the Update Assistant (Noisy Hammer) task. +- **RemediationNoisyHammerUAExitState** The code for the exit state of the Update Assistant (Noisy Hammer) task. +- **RemediationNoisyHammerUserLoggedIn** TRUE if there is a user logged in. +- **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin. +- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled. +- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. +- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager). +- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. +- **RemediationTargetMachine** Indicates whether the device is a target of the specified fix. +- **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task. +- **RemediationTaskHealthChkdskProactiveScan** True/False based on the health of the Check Disk task. +- **RemediationTaskHealthDiskCleanup_SilentCleanup** True/False based on the health of the Disk Cleanup task. 
+- **RemediationTaskHealthMaintenance_WinSAT** True/False based on the health of the Health Maintenance task. +- **RemediationTaskHealthServicing_ComponentCleanupTask** True/False based on the health of the Health Servicing Component task. +- **RemediationTaskHealthUSO_ScheduleScanTask** True/False based on the health of the USO (Update Session Orchestrator) Schedule task. +- **RemediationTaskHealthWindowsUpdate_ScheduledStartTask** True/False based on the health of the Windows Update Scheduled Start task. +- **RemediationTaskHealthWindowsUpdate_SihbootTask** True/False based on the health of the Sihboot task. +- **RemediationUHServiceBitsServiceEnabled** Indicates whether BITS service is enabled. +- **RemediationUHServiceDeviceInstallEnabled** Indicates whether Device Install service is enabled. +- **RemediationUHServiceDoSvcServiceEnabled** Indicates whether DO service is enabled. +- **RemediationUHServiceDsmsvcEnabled** Indicates whether DSMSVC service is enabled. +- **RemediationUHServiceLicensemanagerEnabled** Indicates whether License Manager service is enabled. +- **RemediationUHServiceMpssvcEnabled** Indicates whether MPSSVC service is enabled. +- **RemediationUHServiceTokenBrokerEnabled** Indicates whether Token Broker service is enabled. +- **RemediationUHServiceTrustedInstallerServiceEnabled** Indicates whether Trusted Installer service is enabled. +- **RemediationUHServiceUsoServiceEnabled** Indicates whether USO (Update Session Orchestrator) service is enabled. +- **RemediationUHServicew32timeServiceEnabled** Indicates whether W32 Time service is enabled. +- **RemediationUHServiceWecsvcEnabled** Indicates whether WECSVC service is enabled. +- **RemediationUHServiceWinmgmtEnabled** Indicates whether WMI service is enabled. +- **RemediationUHServiceWpnServiceEnabled** Indicates whether WPN service is enabled. +- **RemediationUHServiceWuauservServiceEnabled** Indicates whether WUAUSERV service is enabled. 
+- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin. +- **RunAppraiserFailed** Indicates RunAppraiser failed to run correctly. +- **RunTask** TRUE if SIH task should be run by the plug-in. +- **TimeServiceNTPServer** The URL for the NTP time server used by device. +- **TimeServiceStartType** The startup type for the NTP time service. +- **TimeServiceSyncDomainJoined** True if device domain joined and hence uses DC for clock. +- **TimeServiceSyncType** Type of sync behavior for Date & Time service on device. + ### Microsoft.Windows.Remediation.Completed -Enables tracking the completion of a process that remediates issues preventing security and quality updates. +This event enables completion tracking of a process that remediates issues preventing security and quality updates. The following fields are available: -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system. -- **HResult** Result of execution of the event. -- **LatestState** Final state of the plugin component. -- **PackageVersion** Current package version of Remediation. -- **PluginName** Name of the specific remediation for each generic plugin event. -- **RemediationNoisyHammerTaskKickOffIsSuccess** Event that indicates the Update Assistant task has been started successfully. -- **Result** This is the HRESULT for detection or perform action phases of the plugin. +- **ActionName** Name of the action to be completed by the plug-in. +- **AppraiserTaskCreationFailed** TRUE if the appraiser task creation failed to complete successfully. +- **AppraiserTaskDeleteFailed** TRUE if deletion of appraiser task failed to complete successfully. +- **AppraiserTaskExistFailed** TRUE if detection of the appraiser task failed to complete successfully. +- **AppraiserTaskLoadXmlFailed** TRUE if the Appraiser XML Loader failed to complete successfully. 
+- **AppraiserTaskMissing** TRUE if the Appraiser task is missing. +- **AppraiserTaskTimeTriggerUpdateFailedId** TRUE if the Appraiser Task Time Trigger failed to update successfully. +- **AppraiserTaskValidateTaskXmlFailed** TRUE if the Appraiser Task XML failed to complete successfully. +- **CrossedDiskSpaceThreshold** Indicates if cleanup resulted in hard drive usage threshold required for feature update to be exceeded. +- **CV** The Correlation Vector. +- **DateTimeDifference** The difference between the local and reference clocks. +- **DaysSinceOsInstallation** The number of days since the installation of the Operating System. +- **DiskMbCleaned** The amount of space cleaned on the hard disk, measured in Megabytes. +- **DiskMbFreeAfterCleanup** The amount of free hard disk space after cleanup, measured in Megabytes. +- **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes. +- **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in. +- **GlobalEventCounter** Client-side counter that indicates ordering of events sent by the active user. +- **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in Megabytes. +- **HResult** The result of the event execution. +- **LatestState** The final state of the plug-in component. +- **PackageVersion** The package version for the current Remediation. +- **PageFileCount** The number of Windows Page files. +- **PageFileCurrentSize** The size of the Windows Page file, measured in Megabytes. +- **PageFileLocation** The storage location (directory path) of the Windows Page file. +- **PageFilePeakSize** The maximum amount of hard disk space used by the Windows Page file, measured in Megabytes. +- **PluginName** The name of the plug-in specified for each generic plug-in event. +- **RanCleanup** TRUE if the plug-in ran disk cleanup. 
+- **RemediationConfigurationTroubleshooterExecuted** True/False based on whether the Remediation Configuration Troubleshooter executed successfully. +- **RemediationConfigurationTroubleshooterIpconfigFix** TRUE if IPConfig Fix completed successfully. +- **RemediationConfigurationTroubleshooterNetShFix** TRUE if network card cache reset ran successfully. +- **RemediationDiskCleanSizeBtWindowsFolderInMegabytes** The size of the Windows BT folder (used to store Windows upgrade files), measured in Megabytes. +- **RemediationDiskCleanupBTFolderEsdSizeInMB** The size of the Windows BT folder (used to store Windows upgrade files) ESD (Electronic Software Delivery), measured in Megabytes. +- **RemediationDiskCleanupGetCurrentEsdSizeInMB** The size of any existing ESD (Electronic Software Delivery) folder, measured in Megabytes. +- **RemediationDiskCleanupSearchFileSizeInMegabytes** The size of the Cleanup Search index file, measured in Megabytes. +- **RemediationDiskCleanupUpdateAssistantSizeInMB** The size of the Update Assistant folder, measured in Megabytes. +- **RemediationDoorstopChangeSucceeded** TRUE if Doorstop registry key was successfully modified. +- **RemediationDoorstopExists** TRUE if there is a OneSettings Doorstop value. +- **RemediationDoorstopRegkeyError** TRUE if an error occurred accessing the Doorstop registry key. +- **RemediationDRFKeyDeleteSucceeded** TRUE if the RecoveredFrom (Doorstop) registry key was successfully deleted. +- **RemediationDUABuildNumber** The build number of the DUA. +- **RemediationDUAKeyDeleteSucceeded** TRUE if the UninstallActive registry key was successfully deleted. +- **RemediationDuplicateTokenSucceeded** TRUE if the user token was successfully duplicated. +- **RemediationImpersonateUserSucceeded** TRUE if the user was successfully impersonated. +- **RemediationNoisyHammerTaskKickOffIsSuccess** TRUE if the NoisyHammer task started successfully. 
+- **RemediationQueryTokenSucceeded** TRUE if the user token was successfully queried. +- **RemediationRanHibernation** TRUE if the system entered Hibernation. +- **RemediationRevertToSystemSucceeded** TRUE if reversion to the system context succeeded. +- **RemediationUpdateServiceHealthRemediationResult** The result of the Update Service Health plug-in. +- **RemediationUpdateTaskHealthRemediationResult** The result of the Update Task Health plug-in. +- **RemediationUpdateTaskHealthTaskList** A list of tasks fixed by the Update Task Health plug-in. +- **RemediationWindowsLogSpaceFound** The size of the Windows log files found, measured in Megabytes. +- **RemediationWindowsLogSpaceFreed** The amount of disk space freed by deleting the Windows log files, measured in Megabytes. +- **RemediationWindowsSecondaryDriveFreeSpace** The amount of free space on the secondary drive, measured in Megabytes. +- **RemediationWindowsSecondaryDriveLetter** The letter designation of the first secondary drive with a total capacity of 10GB or more. +- **RemediationWindowsSecondaryDriveTotalSpace** The total storage capacity of the secondary drive, measured in Megabytes. +- **RemediationWindowsTotalSystemDiskSize** The total storage capacity of the System Disk Drive, measured in Megabytes. +- **Result** The HRESULT for Detection or Perform Action phases of the plug-in. +- **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in. +- **ServiceHealthPlugin** The nae of the Service Health plug-in. +- **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully. +- **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes. +- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Windows Store cache after cleanup, measured in Megabytes. +- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Windows Store cache (prior to cleanup), measured in Megabytes. 
+- **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan. +- **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. +- **usoScanIsAllowAutoUpdateKeyPresent** TRUE if the AllowAutoUpdate registry key is set. +- **usoScanIsAllowAutoUpdateProviderSetKeyPresent** TRUE if AllowAutoUpdateProviderSet registry key is set. +- **usoScanIsAuOptionsPresent** TRUE if Auto Update Options registry key is set. +- **usoScanIsFeatureUpdateInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans. +- **usoScanIsNetworkMetered** TRUE if the device is currently connected to a metered network. +- **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present. +- **usoScanIsUserLoggedOn** TRUE if the user is logged on. +- **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late). +- **usoScanType** The type of USO (Update Session Orchestrator) scan (Interactive or Background). +- **WindowsHyberFilSysSizeInMegabytes** The size of the Windows Hibernation file, measured in Megabytes. +- **WindowsInstallerFolderSizeInMegabytes** The size of the Windows Installer folder, measured in Megabytes. +- **WindowsOldFolderSizeInMegabytes** The size of the Windows.OLD folder, measured in Megabytes. +- **WindowsOldSpaceCleanedInMB** The amount of disk space freed by removing the Windows.OLD folder, measured in Megabytes. +- **WindowsPageFileSysSizeInMegabytes** The size of the Windows Page file, measured in Megabytes. +- **WindowsSoftwareDistributionFolderSizeInMegabytes** The size of the SoftwareDistribution folder, measured in Megabytes. +- **WindowsSwapFileSysSizeInMegabytes** The size of the Windows Swap file, measured in Megabytes. 
+- **WindowsSxsFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) folder, measured in Megabytes. +- **WindowsSxsTempFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) Temp folder, measured in Megabytes. + ### Microsoft.Windows.Remediation.DiskCleanUnExpectedErrorEvent -Event that indicates whether an error condition occurred while trying to clean up disk space. +This event indicates that an unexpected error occurred during an update and provides information to help address the issue. The following fields are available: -- **CV** Correlation vector. -- **ErrorMessage** Description of any error that was encountered. -- **GlobalEventCounter** Client side counter which indicates ordering of events. -- **HResult** Result of execution of the event. -- **PackageVersion** Current Remediation package version. +- **CV** The Correlation vector. +- **ErrorMessage** A description of any errors encountered while the plug-in was running. +- **GlobalEventCounter** The client-side counter that indicates ordering of events. +- **Hresult** The result of the event execution. +- **PackageVersion** The version number of the current remediation package. +- **SessionGuid** GUID associated with a given execution of sediment pack. + ### Microsoft.Windows.Remediation.Error -Event for general errors in the Remediation shell. +This event indicates a Sediment Pack error (update stack failure) has been detected and provides information to help address the issue. The following fields are available: -- **HResult** Return value. -- **Message** Contains information about any error that occurred. -- **PackageVersion** Current Remediation package version. +- **HResult** The result of the event execution. +- **Message** A message containing information about the error that occurred. +- **PackageVersion** The version number of the current remediation package. 
+ ### Microsoft.Windows.Remediation.FallbackError -Indicates whether an error occurs for a fallback in the plugin. +This event indicates an error when Self Update results in a Fallback and provides information to help address the issue. The following fields are available: -- **S0** Fallback error level. -- **wilResult** Result for Windows Installer Logging function. +- **s0** Indicates the Fallback error level. See [Microsoft.Windows.Remediation.wilResult](#microsoftwindowsremediationwilresult). +- **wilResult** The result of the Windows Installer Logging. See [wilResult](#wilresult). -### Microsoft.Windows.Remediation.RemediationShellFailedAutomaticAppUpdateModifyEventId - -Event indicates that there was a failure modifying the wsautoupdate task. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events. -- **hResult** Result of the failed call. -- **PackageVersion** Current Remediation package version. - -### Microsoft.Windows.Remediation.RemediationShellUnexpectedExceptionId - -Event fires when an unexpected error occurs in the shell routine. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events. -- **PackageVersion** Current package version of Remediation. -- **RemediationShellUnexpectedExceptionId** Identifier of the remediation plugin. - -### Microsoft.Windows.Remediation.RemediationUHEnableServiceFailed - -Event indicates that enabling a service failed. - -The following fields are available: - -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events. -- **hResult** Result associated with the given failure. -- **PackageVersion** Current package version of Remediation. -- **serviceName** ServiceName associated with the given operation. 
-
-### Microsoft.Windows.Remediation.RemediationUpgradeSucceededDataEventId
-
-Event containing data about the upgrade process.
-
-The following fields are available:
-
-- **AppraiserPlugin** True or False depending on whether the Appraiser Plugin task fix was successful.
-- **ClearAUOptionsPlugin** True or False depending on whether the AU Options regkeys were successfully deleted.
-- **CV** Correlation vector.
-- **DatetimeSyncPlugin** True or False depending on whether the datetime sync plugin ran.
-- **DiskCleanupPlugin** Disk space free by disk cleanup plugin.
-- **GlobalEventCounter** Client side counter which indicates ordering of events.
-- **NoisyHammerPlugin** True or False depending on whether the Noisy Hammer plugin was successful.
-- **PackageVersion** Current package version of Remediation.
-- **RebootRequiredPlugin** True or False depending on whether the reboot required plugin ran.
-- **RemediationNotifyUserFixIssuesPlugin** True or False depending on whether notify user fix issues plugin was successful.
-- **RemediationPostUpgradeDiskSpace** Disk space available after the upgrade.
-- **RemediationPostUpgradeHibernationSize** Size of the hibernation file after upgrade.
-- **ServiceHealthPlugin** List of services updated by the plugin.
-- **SIHHealthPlugin** True or False depending on whether the service health plugin completed successfully.
-- **StackDataResetPlugin** True or False depending on whether resetting the update stack completed successfully.
-- **TaskHealthPlugin** List of tasks updated by the plugin.
-- **UpdateApplicabilityFixerPlugin** True or False depending on whether the update applicability fixer plugin completed successfully.
-- **WindowsUpdateEndpointPlugin** True or False depending on whether the windows update endpoint was successful.
 ### Microsoft.Windows.Remediation.RemediationNotifyUserFixIssuesInvokeUIEvent
-Event occurs when notify users task executes.
+This event occurs when the Notify User task executes and provides information about the cause of the notification.
 The following fields are available:
-- **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events.
-- **PackageVersion** Current Remediation package version.
-- **RemediationNotifyUserFixIssuesCallResult** Result of calling the USO sequence of steps.
-- **RemediationNotifyUserFixIssuesUsoDownloadCalledHr** Error code from USO start download call.
-- **RemediationNotifyUserFixIssuesUsoInitializedHr** Error code from USO initialize call.
-- **RemediationNotifyUserFixIssuesUsoProxyBlanketHr** Error code from USO proxy blanket call.
-- **RemediationNotifyUserFixIssuesUsoSetSessionHr** Error code from USO set session call.
+- **CV** The Correlation vector.
+- **GlobalEventCounter** The client-side counter that indicates ordering of events.
+- **PackageVersion** The version number of the current remediation package.
+- **RemediationNotifyUserFixIssuesCallResult** The result of calling the USO (Update Session Orchestrator) sequence steps.
+- **RemediationNotifyUserFixIssuesUsoDownloadCalledHr** The error code from the USO (Update Session Orchestrator) download call.
+- **RemediationNotifyUserFixIssuesUsoInitializedHr** The error code from the USO (Update Session Orchestrator) initialize call.
+- **RemediationNotifyUserFixIssuesUsoProxyBlanketHr** The error code from the USO (Update Session Orchestrator) proxy blanket call.
+- **RemediationNotifyUserFixIssuesUsoSetSessionHr** The error code from the USO (Update Session Orchestrator) session call.
+
+
+### Microsoft.Windows.Remediation.RemediationShellFailedAutomaticAppUpdateModifyEventId
+
+This event provides the modification of the date on which an Automatic App Update scheduled task failed and provides information about the failure.
+
+The following fields are available:
+
+- **CV** The Correlation Vector.
+- **GlobalEventCounter** The client-side counter that indicates ordering of events.
+- **hResult** The result of the event execution.
+- **PackageVersion** The version number of the current remediation package.
+
+
+### Microsoft.Windows.Remediation.RemediationShellUnexpectedExceptionId
+
+This event identifies the remediation plug-in that returned an unexpected exception and provides information about the exception.
+
+The following fields are available:
+
+- **CV** The Correlation Vector.
+- **GlobalEventCounter** The client-side counter that indicates ordering of events.
+- **PackageVersion** The version number of the current remediation package.
+- **RemediationShellUnexpectedExceptionId** The ID of the remediation plug-in that caused the exception.
+
+
+### Microsoft.Windows.Remediation.RemediationUHEnableServiceFailed
+
+This event tracks the health of key update (Remediation) services and whether they are enabled.
+
+The following fields are available:
+
+- **CV** The Correlation Vector.
+- **GlobalEventCounter** The client-side counter that indicates ordering of events.
+- **hResult** The result of the event execution.
+- **PackageVersion** The version number of the current remediation package.
+- **serviceName** The name associated with the operation.
+
+
+### Microsoft.Windows.Remediation.RemediationUpgradeSucceededDataEventId
+
+This event returns information about the upgrade upon success to help ensure Windows is up to date.
+
+The following fields are available:
+
+- **AppraiserPlugin** TRUE / FALSE depending on whether the Appraiser plug-in task fix was successful.
+- **ClearAUOptionsPlugin** TRUE / FALSE depending on whether the AU (Auto Updater) Options registry keys were successfully deleted.
+- **CV** The Correlation Vector.
+- **DatetimeSyncPlugin** TRUE / FALSE depending on whether the DateTimeSync plug-in ran successfully.
+- **DiskCleanupPlugin** TRUE / FALSE depending on whether the DiskCleanup plug-in ran successfully.
+- **GlobalEventCounter** The client-side counter that indicates ordering of events.
+- **NoisyHammerPlugin** TRUE / FALSE depending on whether the NoisyHammer plug-in ran successfully.
+- **PackageVersion** The version number of the current remediation package.
+- **RebootRequiredPlugin** TRUE / FALSE depending on whether the Reboot plug-in ran successfully.
+- **RemediationNotifyUserFixIssuesPlugin** TRUE / FALSE depending on whether the User Fix Issues plug-in ran successfully
+- **RemediationPostUpgradeDiskSpace** The amount of disk space available after the upgrade.
+- **RemediationPostUpgradeHibernationSize** The size of the Hibernation file after the upgrade.
+- **ServiceHealthPlugin** A list of services updated by the plug-in.
+- **SIHHealthPlugin** TRUE / FALSE depending on whether the SIH Health plug-in ran successfully.
+- **StackDataResetPlugin** TRUE / FALSE depending on whether the update stack completed successfully.
+- **TaskHealthPlugin** A list of tasks updated by the plug-in.
+- **UpdateApplicabilityFixerPlugin** TRUE / FALSE depending on whether the update applicability fixer plug-in completed successfully.
+- **WindowsUpdateEndpointPlugin** TRUE / FALSE depending on whether the Windows Update Endpoint was successful.
+
 ### Microsoft.Windows.Remediation.Started
-Enables tracking the start of a process that remediates issues preventing security and quality updates.
+This event reports whether a plug-in started, to help ensure Windows is up to date.
 The following fields are available:
-- **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system.
-- **PackageVersion** Current package version of Remediation.
-- **PluginName** Name of the specific remediation for each generic plugin event.
-- **Result** Results of the detection or perform action phases of the remediation system.
+- **CV** The Correlation Vector.
+- **GlobalEventCounter** The client-side counter that indicates ordering of events.
+- **PackageVersion** The version number of the current remediation package.
+- **PluginName** The name of the plug-in specified for each generic plug-in event.
+- **Result** The HRESULT for Detection or Perform Action phases of the plug-in.
+
 ### Microsoft.Windows.Remediation.wilResult
-Event containing self-update information.
+This event provides Self Update information to help keep Windows up to date.
 The following fields are available:
-- **callContext** List of telemetry activities containing this error.
-- **currentContextId** Identifier for the newest telemetry activity containing this error.
-- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any).
-- **currentContextName** Name of the newest telemetry activity containing this error.
-- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast).
-- **failureId** Identifier assigned to this failure
-- **filename** The name of the source file where the error occurred.
-- **hresult** Failure error code.
-- **lineNumber** Line number within the source file where the error occurred.
-- **message** Custom message associated with the failure (if any).
-- **module** Name of the binary where the error occurred.
-- **originatingContextId** Identifier for the oldest telemetry activity containing this error.
-- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any).
-- **originatingContextName** Name of the oldest telemetry activity containing this error.
-- **threadId** Identifier of the thread the error occurred on.
+- **callContext** A list of diagnostic activities containing this error.
+- **currentContextId** An identifier for the newest diagnostic activity containing this error.
+- **currentContextMessage** A message associated with the most recent diagnostic activity containing this error (if any).
+- **currentContextName** Name of the most recent diagnostic activity containing this error.
+- **failureCount** Number of failures seen within the binary where the error occurred.
+- **failureId** The identifier assigned to this failure.
+- **failureType** Indicates the type of failure observed (exception, returned, error, logged error, or fail fast).
+- **fileName** The source code file name where the error occurred.
+- **function** The name of the function where the error occurred.
+- **hresult** The failure error code.
+- **lineNumber** The Line Number within the source code file where the error occurred.
+- **message** A message associated with the failure (if any).
+- **module** The name of the binary module in which the error occurred.
+- **originatingContextId** The identifier for the oldest diagnostic activity containing this error.
+- **originatingContextMessage** A message associated with the oldest diagnostic activity containing this error (if any).
+- **originatingContextName** The name of the oldest diagnostic activity containing this error.
+- **threadId** The identifier of the thread the error occurred on.
-## Sediment Service events
->[!NOTE]
->Events from this provider are sent with the installation of KB4023057 and any subsequent Windows update. For details, see [this support article](https://support.microsoft.com/help/4023057).
+## Sediment events
-### Microsoft.Windows.SedimentService.Applicable
+### Microsoft.Windows.Sediment.Info.AppraiserData
-Indicates whether a given plugin is applicable.
+This event provides data on the current Appraiser status of the device to help ensure Windows is up to date.
 The following fields are available:
-- **CV** Correlation vector.
-- **DetectedCondition** Boolean true if detect condition is true and perform action will be run.
-- **GlobalEventCounter** Client side counter which indicates ordering of events.
-- **IsSelfUpdateEnabledInOneSettings** True/False based on whether self update is enabled.
-- **IsSelfUpdateNeeded** True/False based on whether a newer version is available.
-- **PackageVersion** Version of the package.
-- **PluginName** Name of the plugin specified for each generic plugin event.
-- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+- **ErrorCode** The value of the Return Code for the registry query.
+- **GStatus** The pre-upgrade GStatus value.
+- **PayloadVersion** The version information for the remediation component.
+- **RegKeyName** The name of the registry subkey where data was found for this event.
+- **Time** The system time at which the event began.
+- **UpgEx** The pre-upgrade UpgEx value.
-### Microsoft.Windows.SedimentService.Completed
-Indicates whether a given plugin has completed its work.
+### Microsoft.Windows.Sediment.Info.BinaryInfo
+
+This event provides information about the binary returned by the Operating System Remediation System Service (OSRSS) to help ensure Windows is up to date.
 The following fields are available:
-- **CV** Correlation vector.
-- **FailedReasons** String reason for any plugin failures.
-- **GlobalEventCounter** Client side counter which indicates ordering of events.
-- **PackageVersion** Current package version of Remediation.
-- **PluginName** Name of the plugin specified for each generic plugin event.
-- **Result** Result of the service execution.
-- **SedimentServiceCheckTaskFunctional** Result of checking if the scheduled task is functional.
-- **SedimentServiceCurrentBytes** Current number of bytes the service is consuming.
-- **SedimentServiceKillService** True/False based on whether the service should be stopped.
-- **SedimentServiceMaximumBytes** Maximum bytes the service can consume.
-- **SedimentServiceRetrievedKillService** True/False whether the kill service information was retrieved.
-- **SedimentServiceStopping** True/False indicating whether the service was found to be stopping.
-- **SedimentServiceTaskFunctional** True/False if scheduled task is functional. If task is not functional this indicates plugins will be run.
-- **SedimentServiceTotalIterations** Number of iterations service will wait before running again.
+- **BinaryPath** The sanitized name of the system binary from which the data was gathered.
+- **ErrorCode** The value of the return code for querying the version from the binary.
+- **FileVerBuild** The binary’s build number.
+- **FileVerMajor** The binary’s major version number.
+- **FileVerMinor** The binary’s minor version number.
+- **FileVerRev** The binary’s revision number.
+- **PayloadVersion** The version information for the remediation component.
+- **Time** The system time at which the event began.
-### Microsoft.Windows.SedimentService.Error
-Indicates whether an error condition occurs in the plugin.
+### Microsoft.Windows.Sediment.Info.DownloadServiceError
+
+This event provides information when the Download Service returns an error. The information provided helps keep Windows up to date.
 The following fields are available:
-- **Message** String message containing information from the service.
-- **PackageVersion** Version of the package.
-- **HResult** Return value from the plugin result.
+- **Architecture** The platform architecture used to identify the correct download payload.
+- **BuildNumber** The starting build number used to identify the correct download payload.
+- **Edition** The Operating System Edition used to identify the correct download payload.
+- **Error** The description of the error encountered.
+- **LanguageCode** The system User Interface Language used to identify the correct download payload.
+- **Stack** Details about the error encountered.
+- **WorkingDirectory** The folder location (path) downloader was attempting to say the payload to.
-### Microsoft.Windows.SedimentService.FallbackError
-Indicates whether an error occurs for a fallback in the plugin.
+### Microsoft.Windows.Sediment.Info.DownloadServiceProgress
+
+This event indicates the progress of the downloader in 1% increments.
 The following fields are available:
-- **s0** Fallback error level.
-- **wilResult** Result for Windows Installer Logging function.
+- **Percentage** The amount successfully downloaded, measured as a percentage of the whole.
-### Microsoft.Windows.SedimentService.Information
-General information returned from the plugin.
+### Microsoft.Windows.Sediment.Info.Error
+
+This event indicates an error in the updater payload. This information assists in keeping Windows up to date.
 The following fields are available:
-- **HResult** Result of the plugin execution.
-- **Message** Information collected from the plugin based on the purpose of the plugin.
-- **PackageVersion** Version of the package.
+- **FailureType** The type of error encountered.
+- **FileName** The code file in which the error occurred.
+- **HResult** The failure error code.
+- **LineNumber** The line number in the code file at which the error occurred.
+- **ReleaseVer** The version information for the component in which the error occurred.
+- **Time** The system time at which the error occurred.
-### Microsoft.Windows.SedimentService.Started
-Indicates that a given plugin has started.
+### Microsoft.Windows.Sediment.Info.PhaseChange
+
+The event indicates progress made by the updater. This information assists in keeping Windows up to date.
 The following fields are available:
-- **CV** Correlation vector
-- **GlobalEventCounter** Client side counter which indicates ordering of events.
-- **PackageVersion** Version of the package.
-- **PluginName** Name of the plugin running.
-- **Result** Return code from the plugin result.
+- **NewPhase** The phase of progress made.
+- **ReleaseVer** The version information for the component in which the change occurred.
+- **Time** The system time at which the phase chance occurred.
-### Microsoft.Windows.SedimentService.wilResult
-Result from the windows internal library.
+### Microsoft.Windows.Sediment.Info.ServiceInfo
+
+This event provide information about the system service for which data is being gathered by the Operating System Remediation System Service (OSRSS) to help ensure Windows is up to date.
 The following fields are available:
-- **callContext** List of telemetry activities containing this error.
-- **currentContextId** Identifier for the newest telemetry activity containing this error.
-- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any).
-- **currentContextName** Name of the newest telemetry activity containing this error.
-- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast.
-- **failureId** Identifier assigned to this failure.
-- **filename** The name of the source file where the error occurred.
-- **hresult** Failure error code.
-- **lineNumber** Line number within the source file where the error occurred.
-- **message** Custom message associated with the failure (if any).
-- **module** Name of the binary where the error occurred.
-- **originatingContextId** Identifier for the oldest telemetry activity containing this error.
-- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any).
-- **originatingContextName** Name of the oldest telemetry activity containing this error.
-- **threadId** Identifier of the thread the error occurred on.
+- **ErrorCode** The value returned by the error for querying the service information.
+- **PayloadVersion** The version information for the remediation component.
+- **ServiceName** The name of the system service for which data was gathered.
+- **ServiceStatus** The status of the specified service.
+- **Time** The system time at which the event occurred.
-## Sediment Launcher events
->[!NOTE]
->Events from this provider are sent with the installation of KB4023057 and any subsequent Windows update. For details, see [this support article](https://support.microsoft.com/help/4023057).
+### Microsoft.Windows.Sediment.Info.Uptime
+
+This event provides information about how long the device has been operating. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **Days** The number of days the device has been on.
+- **Hours** The number of hours the device has been on.
+- **Minutes** The number of minutes the device has been on.
+- **PayloadVersion** The version information for the remediation component.
+- **Seconds** The number of seconds the machine has been on.
+- **Ticks** The number of system clock “ticks” the device has been on.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.OSRSS.CheckingOneSettings
+
+This event indicates the parameters that the Operating System Remediation System Service (OSRSS) uses for a secure ping to Microsoft to help ensure Windows is up to date.
+
+The following fields are available:
+
+- **CustomVer** The registry value for targeting.
+- **IsMetered** TRUE if the machine is on a metered network.
+- **LastVer** The version of the last successful run.
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.OSRSS.DownloadingUrl
+
+This event provides information about the URL from which the Operating System Remediation System Service (OSRSS) is attempting to download. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **AttemptNumber** The count indicating which download attempt is starting.
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+- **Url** The URL from which data was downloaded.
+
+
+### Microsoft.Windows.Sediment.OSRSS.DownloadSuccess
+
+This event indicates the Operating System Remediation System Service (OSRSS) successfully download data from the indicated URL. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+- **Url** The URL from which data was downloaded.
+
+
+### Microsoft.Windows.Sediment.OSRSS.Error
+
+This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful.
+
+The following fields are available:
+
+- **FailureType** The type of error encountered.
+- **FileName** The code file in which the error occurred.
+- **HResult** The failure error code.
+- **LineNumber** The line number in the code file at which the error occurred.
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.OSRSS.ExeSignatureValidated
+
+This event indicates the Operating System Remediation System Service (OSRSS) successfully validated the signature of an EXE from the indicated URL. The information provided helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+- **Url** The URL from which the validated EXE was downloaded.
+
+
+### Microsoft.Windows.Sediment.OSRSS.ExtractSuccess
+
+This event indicates that the Operating System Remediation System Service (OSRSS) successfully extracted downloaded content. The information provided helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+- **Url** The URL from which the successfully extracted content was downloaded.
+
+
+### Microsoft.Windows.Sediment.OSRSS.NewUrlFound
+
+This event indicates the Operating System Remediation System Service (OSRSS) succeeded in finding a new URL to download from. This helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+- **Url** The new URL from which content will be downloaded.
+
+
+### Microsoft.Windows.Sediment.OSRSS.ProcessCreated
+
+This event indicates the Operating System Remediation System Service (OSRSS) created a new process to execute content downloaded from the indicated URL. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **ServiceVersionMajor** The Major version information of the component.
+- **ServiceVersionMinor** The Minor version information of the component.
+- **Time** The system time at which the event occurred.
+- **Url** The new URL from which content will be executed.
+
+
+### Microsoft.Windows.Sediment.OSRSS.UrlState
+
+This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL.
+
+The following fields are available:
+
+- **Id** A number identifying the URL
+- **ServiceVersionMajor** Version info for the component
+- **ServiceVersionMinor** Version info for the component
+- **StateData** State-specific data, such as which attempt number for the download
+- **StateNumber** A number identifying which state the URL is in (found, downloading, extracted, etc.)
+- **Time** System timestamp the event was fired
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.AttemptingUpdate
+
+This event indicates the Operating System Remediation System Service (OSRSS) installer is attempting an update to itself. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.BinaryUpdated
+
+This event indicates the Operating System Remediation System Service (OSRSS) updated installer binaries with new binaries as part of its self-update process. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.Error
+
+This event indicates an error occurred in the Operating System Remediation System Service (OSRSS). The information provided helps ensure future upgrade/update attempts are more successful.
+
+The following fields are available:
+
+- **FailureType** The type of error encountered.
+- **FileName** The code file in which the error occurred.
+- **HResult** The failure error code.
+- **InstallerVersion** The version information of the Installer component.
+- **LineNumber** The line number in the code file at which the error occurred.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.InstallerLaunched
+
+This event indicates the Operating System Remediation System Service (OSRSS) has launched. The information provided helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.ServiceInstalled
+
+This event indicates the Operating System Remediation System Service (OSRSS) successfully installed the Installer Component. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.ServiceRestarted
+
+This event indicates the Operating System Remediation System Service (OSRSS) has restarted after installing an updated version of itself. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.ServiceStarted
+
+This event indicates the Operating System Remediation System Service (OSRSS) has started after installing an updated version of itself. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.ServiceStopped
+
+This event indicates the Operating System Remediation System Service (OSRSS) was stopped by a self-updated to install an updated version of itself. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.UninstallerCompleted
+
+This event indicates the Operating System Remediation System Service (OSRSS) successfully uninstalled the installed version as part of a self-update. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.UninstallerLaunched
+
+This event indicates the Operating System Remediation System Service (OSRSS) successfully started the Uninstaller as part of a self-update. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.UpdaterCompleted
+
+This event indicates the Operating System Remediation System Service (OSRSS) successfully completed the self-update operation. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
+
+### Microsoft.Windows.Sediment.ServiceInstaller.UpdaterLaunched
+
+This event indicates the Operating System Remediation System Service (OSRSS) successfully launched the self-updater after downloading it. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **InstallerVersion** The version information of the Installer component.
+- **Time** The system time at which the event occurred.
+
 ### Microsoft.Windows.SedimentLauncher.Applicable
@@ -3036,14 +3326,15 @@ Indicates whether a given plugin is applicable.
 The following fields are available:
-- **CV** Correlation vector.
-- **DetectedCondition** Boolean true if detect condition is true and action will be run.
-- **GlobalEventCounter** Client side counter which indicates ordering of events.
-- **IsSelfUpdateEnabledInOneSettings** True/False based on whether self update is enabled.
-- **IsSelfUpdateNeeded** True/False based on whether a newer version is available.
-- **PackageVersion** Version of the package.
-- **PluginName** Name of the plugin specified for each generic plugin event.
-- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+- **CV** Correlation vector.
+- **DetectedCondition** Boolean true if detect condition is true and perform action will be run.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **IsSelfUpdateEnabledInOneSettings** True if self update enabled in Settings.
+- **IsSelfUpdateNeeded** True if self update needed by device.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
 ### Microsoft.Windows.SedimentLauncher.Completed
@@ -3051,97 +3342,210 @@ Indicates whether a given plugin has completed its work. The following fields are available: -- **CV** Correlation vector. -- **FailedReasons** String reason for any plugin failures. -- **GlobalEventCounter** Client side counter which indicates ordering of events. -- **PackageVersion** Current package version of Remediation. -- **PluginName** Name of the plugin specified for each generic plugin event. -- **Result** Result of the service execution. -- **SedLauncherExecutionResult** Final result of launcher running the plugins from the dll. +- **CV** Correlation vector. +- **FailedReasons** Concatenated list of failure reasons. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. +- **SedLauncherExecutionResult** HRESULT for one execution of the Sediment Launcher. + ### Microsoft.Windows.SedimentLauncher.Error -Error occurred during execution of the plugin. +This event indicates an error occurred during the execution of the plug-in. The information provided helps ensure future upgrade/update attempts are more successful. The following fields are available: -- **Message** Information message returned from a plugin containing only information internal to plugin execution. -- **PackageVersion** Version of the package. -- **HResult** Return value from the plugin result. +- **HResult** The result for the Detection or Perform Action phases of the plug-in. +- **Message** A message containing information about the error that occurred (if any). +- **PackageVersion** The version number of the current remediation package. + ### Microsoft.Windows.SedimentLauncher.FallbackError -Error occurred during execution of the plugin fallback. 
+This event indicates that an error occurred during execution of the plug-in fallback. The following fields are available: -- **s0** Fallback error level for plugin. -- **wilResult** Result from executing Windows Installer Logging based function. +- **s0** Error occurred during execution of the plugin fallback. See [Microsoft.Windows.SedimentLauncher.wilResult](#microsoftwindowssedimentlauncherwilresult). + ### Microsoft.Windows.SedimentLauncher.Information -General information returned from the plugin. +This event provides general information returned from the plug-in. The following fields are available: -- **HResult** Result of the plugin execution. -- **Message** Information collected from the plugin based on the purpose of the plugin. -- **PackageVersion** Version of the package. +- **HResult** This is the HRESULT for detection or perform action phases of the plugin. +- **Message** Information message returned from a plugin containing only information internal to the plugins execution. +- **PackageVersion** Current package version of Remediation. + ### Microsoft.Windows.SedimentLauncher.Started -Indicates that a given plugin has started. +This event indicates that a given plug-in has started. The following fields are available: -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events. -- **PackageVersion** Version of the package. -- **PluginName** Name of the plugin running. -- **Result** Return code from the plugin result. +- **CV** Correlation vector. +- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user. +- **PackageVersion** Current package version of Remediation. +- **PluginName** Name of the plugin specified for each generic plugin event. +- **Result** This is the HRESULT for detection or perform action phases of the plugin. + ### Microsoft.Windows.SedimentLauncher.wilResult -Result from the windows internal library. 
+This event provides the result from the Windows internal library. The following fields are available: -- **callContext** List of telemetry activities containing this error. -- **currentContextId** Identifier for the newest telemetry activity containing this error. -- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any). -- **currentContextName** Name of the newest telemetry activity containing this error. -- **failurecount** Number of failures seen. -- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast. -- **failureId** Identifier assigned to this failure. -- **filename** The name of the source file where the error occurred. -- **function** Name of the function where the error occurred. -- **hresult** Failure error code. -- **lineNumber** Line number within the source file where the error occurred. -- **message** Custom message associated with the failure (if any). -- **module** Name of the binary where the error occurred. -- **originatingContextId** Identifier for the oldest telemetry activity containing this error. -- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any). -- **originatingContextName** Name of the oldest telemetry activity containing this error. -- **threadId** Identifier of the thread the error occurred on. +- **callContext** List of telemetry activities containing this error. +- **currentContextId** Identifier for the newest telemetry activity containing this error. +- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any). +- **currentContextName** Name of the newest telemetry activity containing this error. +- **failureCount** Number of failures seen within the binary where the error occurred. +- **failureId** Identifier assigned to this failure. 
+- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast).
+- **fileName** Source code file name where the error occurred.
+- **function** Name of the function where the error occurred.
+- **hresult** Failure error code.
+- **lineNumber** Line number within the source code file where the error occurred.
+- **message** Custom message associated with the failure (if any).
+- **module** Name of the binary where the error occurred.
+- **originatingContextId** Identifier for the oldest telemetry activity containing this error.
+- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any).
+- **originatingContextName** Name of the oldest telemetry activity containing this error.
+- **threadId** Identifier of the thread the error occurred on.
+
+
+### Microsoft.Windows.SedimentService.Applicable
+
+This event indicates whether a given plug-in is applicable.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **DetectedCondition** Determine whether action needs to run based on device properties.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **IsSelfUpdateEnabledInOneSettings** Indicates if self update is enabled in One Settings.
+- **IsSelfUpdateNeeded** Indicates if self update is needed.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
+### Microsoft.Windows.SedimentService.Completed
+
+This event indicates whether a given plug-in has completed its work.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **FailedReasons** List of reasons when the plugin action failed.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+- **SedimentServiceCheckTaskFunctional** True/False if scheduled task check succeeded.
+- **SedimentServiceCurrentBytes** Number of current private bytes of memory consumed by sedsvc.exe.
+- **SedimentServiceKillService** True/False if service is marked for kill (Shell.KillService).
+- **SedimentServiceMaximumBytes** Maximum bytes allowed for the service.
+- **SedimentServiceRetrievedKillService** True/False if result of One Settings check for kill succeeded - we only send back one of these indicators (not for each call).
+- **SedimentServiceStopping** True/False indicating whether the service is stopping.
+- **SedimentServiceTaskFunctional** True/False if scheduled task is functional. If task is not functional this indicates plugins will be run.
+- **SedimentServiceTotalIterations** Number of 5 second iterations service will wait before running again.
+
+
+### Microsoft.Windows.SedimentService.Error
+
+This event indicates whether an error condition occurred in the plug-in.
+
+The following fields are available:
+
+- **HResult** This is the HRESULT for detection or perform action phases of the plugin.
+- **Message** Custom message associated with the failure (if any).
+- **PackageVersion** Current package version of Remediation.
+
+
+### Microsoft.Windows.SedimentService.FallbackError
+
+This event indicates whether an error occurred for a fallback in the plug-in.
+
+The following fields are available:
+
+- **s0** Event returned when an error occurs for a fallback in the plugin. See [Microsoft.Windows.SedimentService.wilResult](#microsoftwindowssedimentservicewilresult).
+
+
+### Microsoft.Windows.SedimentService.Information
+
+This event provides general information returned from the plug-in.
+
+The following fields are available:
+
+- **HResult** This is the HRESULT for detection or perform action phases of the plugin.
+- **Message** Custom message associated with the failure (if any).
+- **PackageVersion** Current package version of Remediation.
+
+
+### Microsoft.Windows.SedimentService.Started
+
+This event indicates a specified plug-in has started. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **CV** The Correlation Vector.
+- **GlobalEventCounter** The client-side counter that indicates ordering of events.
+- **PackageVersion** The version number of the current remediation package.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin.
+
+
+### Microsoft.Windows.SedimentService.wilResult
+
+This event provides the result from the Windows internal library.
+
+The following fields are available:
+
+- **callContext** List of telemetry activities containing this error.
+- **currentContextId** Identifier for the newest telemetry activity containing this error.
+- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any).
+- **currentContextName** Name of the newest telemetry activity containing this error.
+- **failureCount** Number of failures seen within the binary where the error occurred.
+- **failureId** Identifier assigned to this failure.
+- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast).
+- **fileName** Source code file name where the error occurred.
+- **function** Name of the function where the error occurred.
+- **hresult** Failure error code.
+- **lineNumber** Line number within the source code file where the error occurred.
+- **message** Custom message associated with the failure (if any).
+- **module** Name of the binary where the error occurred.
+- **originatingContextId** Identifier for the oldest telemetry activity containing this error. +- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any). +- **originatingContextName** Name of the oldest telemetry activity containing this error. +- **threadId** Identifier of the thread the error occurred on. + ## Setup events ### SetupPlatformTel.SetupPlatformTelActivityEvent -This event sends a unique ID that can be used to bind Setup Platform events together, to help keep Windows up to date. +This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up to date. The following fields are available: -- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. -- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. -- **Value** Retrieves the value associated with the corresponding event name. For example: For time-related events, this will include the system time. - **ActivityId** Provides a unique Id to correlate events that occur between a activity start event, and a stop event - **ActivityName** Provides a friendly name of the package type that belongs to the ActivityId (Setup, LanguagePack, GDR, Driver, etc.) +- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. +- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **value** Value associated with the corresponding event name. For example, time-related events will include the system time +- **Value** Value associated with the corresponding event name. 
For example, time-related events will include the system time ### SetupPlatformTel.SetupPlatformTelActivityStarted -This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. +This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. The following fields are available: @@ -3161,8 +3565,8 @@ This service retrieves events generated by SetupPlatform, the engine that drives The following fields are available: - **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc. -- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. - **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc. +- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time. ## Shared PC events @@ -3173,9 +3577,9 @@ Activity for deletion of a user account for devices set up for Shared PC mode as The following fields are available: -- **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager. -- **userSid** The security identifier of the account. - **accountType** The type of account that was deleted. Example: AD, AAD, or Local +- **userSid** The security identifier of the account. +- **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager. See [wilActivity](#wilactivity). ### Microsoft.Windows.SharedPC.AccountManager.SinglePolicyEvaluation 
@@ -3184,9 +3588,59 @@ Activity for run of the Transient Account Manager that determines if any user ac The following fields are available: -- **wilActivity** Windows Error Reporting data collected when there is a failure in evaluating accounts to be deleted with the Transient Account Manager. -- **totalAccountCount** The number of accounts on a device after running the Transient Account Manager policies. - **evaluationTrigger** When was the Transient Account Manager policies ran? Example: At log off or during maintenance hours +- **totalAccountCount** The number of accounts on a device after running the Transient Account Manager policies. +- **wilActivity** Windows Error Reporting data collected when there is a failure in evaluating accounts to be deleted with the Transient Account Manager. See [wilActivity](#wilactivity). + + +### wilActivity + +This event provides a Windows Internal Library context used for Product and Service diagnostics. + +The following fields are available: + +- **callContext** The function where the failure occurred. +- **currentContextId** The ID of the current call context where the failure occurred. +- **currentContextMessage** The message of the current call context where the failure occurred. +- **currentContextName** The name of the current call context where the failure occurred. +- **failureCount** The number of failures for this failure ID. +- **failureId** The ID of the failure that occurred. +- **failureType** The type of the failure that occurred. +- **fileName** The file name where the failure occurred. +- **function** The function where the failure occurred. +- **hresult** The HResult of the overall activity. +- **lineNumber** The line number where the failure occurred. +- **message** The message of the failure that occurred. +- **module** The module where the failure occurred. +- **originatingContextId** The ID of the originating call context that resulted in the failure. 
+- **originatingContextMessage** The message of the originating call context that resulted in the failure. +- **originatingContextName** The name of the originating call context that resulted in the failure. +- **threadId** The ID of the thread on which the activity is executing. + + +### wilResult + +This event provides a Windows Internal Library context used for Product and Service diagnostics. + +The following fields are available: + +- **callContext** The call context stack where failure occurred. +- **currentContextId** The ID of the current call context where the failure occurred. +- **currentContextMessage** The message of the current call context where the failure occurred. +- **currentContextName** The name of the current call context where the failure occurred. +- **failureCount** The number of failures for this failure ID. +- **failureId** The ID of the failure that occurred. +- **failureType** The type of the failure that occurred. +- **fileName** The file name where the failure occurred. +- **function** The function where the failure occurred. +- **hresult** The HResult of the overall activity. +- **lineNumber** The line number where the failure occurred. +- **message** The message of the failure that occurred. +- **module** The module where the failure occurred. +- **originatingContextId** The ID of the originating call context that resulted in the failure. +- **originatingContextMessage** The message of the originating call context that resulted in the failure. +- **originatingContextName** The name of the originating call context that resulted in the failure. +- **threadId** The ID of the thread on which the activity is executing. ## Software update events 
@@ -3197,81 +3651,80 @@ This event sends tracking data about the software distribution client check for The following fields are available: -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **EventInstanceID** A globally unique identifier for event instance. -- **DeviceModel** What is the device model. +- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. +- **AllowCachedResults** Indicates if the scan allowed using cached results. +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable +- **BiosFamily** The family of the BIOS (Basic Input Output System). - **BiosName** The name of the device BIOS. +- **BiosReleaseDate** The release date of the device BIOS. +- **BiosSKUNumber** The sku number of the device BIOS. - **BIOSVendor** The vendor of the BIOS. - **BiosVersion** The version of the BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosSKUNumber** The sku number of the device BIOS. -- **ClientVersion** The version number of the software distribution client. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). 
-- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult).
-- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
-- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
-- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
-- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
-- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
-- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
-- **ShippingMobileOperator** The mobile operator that a device shipped on.
-- **CurrentMobileOperator** The mobile operator the device is currently connected to.
-- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
-- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced.
-- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion.
-- **SyncType** Describes the type of scan the event was
-- **IPVersion** Indicates whether the download took place over IPv4 or IPv6
-- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked
-- **ScanDurationInSeconds** The number of seconds a scan took
-- **ScanEnqueueTime** The number of seconds it took to initialize a scan
-- **NumberOfLoop** The number of round trips the scan required
-- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan
-- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan
-- **ServiceUrl** The environment URL a device is configured to scan with
-- **Online** Indicates if this was an online scan.
-- **AllowCachedResults** Indicates if the scan allowed using cached results.
-- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
-- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down.
-- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down.
-- **MSIError** The last error that was encountered during a scan for updates.
-- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered.
-- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan.
-- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan.
-- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated.
-- **ExtendedMetadataCabUrl** Hostname that is used to download an update.
-- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
-- **CDNCountryCode** Two letter country abbreviation for the CDN's location.
-- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6
-- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete
-- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable
-- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation.
-- **DeferredUpdates** Update IDs which are currently being deferred until a later time
 - **BranchReadinessLevel** The servicing branch configured on the device.
+- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated.
+- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location.
+- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **ClientVersion** The version number of the software distribution client.
+- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown
+- **CurrentMobileOperator** The mobile operator the device is currently connected to.
 - **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000).
-- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days).
-- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
-- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days).
+- **DeferredUpdates** Update IDs which are currently being deferred until a later time
+- **DeviceModel** What is the device model.
+- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered.
+- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled.
+- **DriverSyncPassPerformed** Were drivers scanned this time?
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **ExtendedMetadataCabUrl** Hostname that is used to download an update.
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan.
+- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan.
 - **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days).
 - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
 - **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days).
-- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled.
-- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
-- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
-- **SearchFilter** Contains information indicating filters applied while checking for content applicable to the device. For example, to filter out all content which may require a reboot.
+- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
+- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
 - **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **IPVersion** Indicates whether the download took place over IPv4 or IPv6
+- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
+- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
+- **MSIError** The last error that was encountered during a scan for updates.
+- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6
+- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete
+- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked
+- **NumberOfLoop** The number of round trips the scan required
+- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan
+- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan
+- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down.
+- **Online** Indicates if this was an online scan.
 - **PausedUpdates** A list of UpdateIds which that currently being paused.
-- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
-- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window.
-- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
 - **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window.
-- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown
-- **DriverSyncPassPerformed** Were drivers scanned this time?
+- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
+- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window.
+- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
+- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced.
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days).
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days).
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **ScanDurationInSeconds** The number of seconds a scan took +- **ScanEnqueueTime** The number of seconds it took to initialize a scan +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.). +- **ServiceUrl** The environment URL a device is configured to scan with +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). +- **SyncType** Describes the type of scan the event was +- **SystemBIOSMajorRelease** Major version of the BIOS. +- **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. +- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. +- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. ### SoftwareUpdateClientTelemetry.Commit 
@@ -3280,28 +3733,28 @@ This event sends data on whether the Update Service has been called to execute a
 The following fields are available:
-- **EventScenario** State of call
-- **EventInstanceID** A globally unique identifier for event instance.
-- **DeviceModel** What is the device model.
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
 - **BiosName** The name of the device BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **BiosSKUNumber** The sku number of the device BIOS.
 - **BIOSVendor** The vendor of the BIOS.
 - **BiosVersion** The version of the BIOS.
-- **BiosReleaseDate** The release date of the device BIOS.
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
+- **ClientVersion** The version number of the software distribution client.
+- **DeviceModel** What is the device model.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventScenario** State of call
+- **EventType** Possible values are "Child", "Bundle", or "Driver".
+- **FlightId** The specific id of the flight the device is getting
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.)
+- **RevisionNumber** Unique revision number of Update
+- **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Windows Store.
 - **SystemBIOSMajorRelease** Major version of the BIOS.
 - **SystemBIOSMinorRelease** Minor version of the BIOS.
-- **BiosFamily** The family of the BIOS (Basic Input Output System).
-- **BiosSKUNumber** The sku number of the device BIOS.
-- **ClientVersion** The version number of the software distribution client.
-- **WUDeviceID** UniqueDeviceID
-- **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Microsoft Store.
-- **EventType** Possible values are "Child", "Bundle", or "Driver".
 - **UpdateId** Unique Update ID
-- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
-- **RevisionNumber** Unique revision number of Update
-- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.)
-- **BundleRevisionNumber** Identifies the revision number of the content bundle
-- **FlightId** The specific id of the flight the device is getting
-- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
+- **WUDeviceID** UniqueDeviceID
 ### SoftwareUpdateClientTelemetry.Download
@@ -3310,82 +3763,105 @@ This event sends tracking data about the software distribution client download o
 The following fields are available:
-- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed.
-- **EventInstanceID** A globally unique identifier for event instance.
-- **DeviceModel** What is the device model.
+- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded.
+- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded.
+- **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client.
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
 - **BiosName** The name of the device BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **BiosSKUNumber** The sku number of the device BIOS.
 - **BIOSVendor** The vendor of the BIOS.
 - **BiosVersion** The version of the BIOS.
-- **BiosReleaseDate** The release date of the device BIOS.
-- **SystemBIOSMajorRelease** Major version of the BIOS.
-- **SystemBIOSMinorRelease** Minor version of the BIOS.
-- **BiosFamily** The family of the BIOS (Basic Input Output System).
-- **BiosSKUNumber** The sku number of the device BIOS.
-- **ClientVersion** The version number of the software distribution client.
-- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **BundleBytesDownloaded** How many bytes were downloaded for the specific content bundle.
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailFlag** Indicates whether this particular update bundle had previously failed to download.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **BytesDownloaded** How many bytes were downloaded for an individual piece of content (not the entire bundle).
+- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
 - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
-- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
-- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
-- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult).
-- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
-- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
-- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
-- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
-- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
-- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
-- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download.
+- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location.
+- **CDNId** ID which defines which CDN the software distribution client downloaded the content from.
+- **ClientManagedByWSUSServer** Indicates whether the client is managed by Windows Server Update Services (WSUS).
+- **ClientVersion** The version number of the software distribution client.
 - **CurrentMobileOperator** The mobile operator the device is currently connected to.
+- **DeviceModel** What is the device model.
+- **DeviceOEM** What OEM does this device belong to.
+- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority.
+- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events.
+- **DownloadType** Differentiates the download type of SIH downloads between Metadata and Payload downloads.
+- **Edition** Indicates the edition of Windows being used.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc.
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed.
+- **EventType** Possible values are Child, Bundle, or Driver.
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
+- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight.
+- **FlightId** The specific id of the flight (pre-release build) the device is getting.
+- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
+- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.).
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
 - **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
-- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced.
+- **HostName** The hostname URL the content is downloading from.
 - **IPVersion** Indicates whether the download took place over IPv4 or IPv6.
+- **IsAOACDevice** Is it Always On, Always Connected?
+- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update
+- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
 - **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.)
 - **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered."
-- **TimeToEstablishConnection** Time (in ms) it took to establish the connection prior to beginning downloaded.
-- **HostName** The hostname URL the content is downloading from.
-- **CDNId** ID which defines which CDN the software distribution client downloaded the content from.
-- **CDNCountryCode** Two letter country abbreviation for the CDN's location.
-- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded.
-- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update
-- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
-- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
-- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
-- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
-- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download.
-- **BytesDownloaded** How many bytes were downloaded for an individual piece of content (not the entire bundle).
-- **TotalExpectedBytes** The total count of bytes that the download is expected to be.
-- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet.
-- **EventType** Possible values are Child, Bundle, or Driver.
-- **UpdateId** An identifier associated with the specific piece of content.
-- **RevisionNumber** Identifies the revision number of this specific piece of content.
-- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
-- **BundleRevisionNumber** Identifies the revision number of the content bundle.
-- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.).
-- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority.
-- **FlightId** The specific id of the flight (pre-release build) the device is getting.
-- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
-- **UsedDO** Whether the download used the delivery optimization service.
-- **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download.
-- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive.
-- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight.
-- **BundleBytesDownloaded** How many bytes were downloaded for the specific content bundle.
-- **BundleRepeatFailFlag** Indicates whether this particular update bundle had previously failed to download.
-- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events.
 - **PackageFullName** The package name of the content.
-- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded.
-- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
-- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
-- **DownloadType** Differentiates the download type of SIH downloads between Metadata and Payload downloads.
-- **WUSetting** Indicates the users' current updating settings.
-- **ProcessorArchitecture** Processor architecture of the system (x86, AMD64, ARM).
+- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced.
 - **PlatformRole** The PowerPlatformRole as defined on MSDN
-- **IsAOACDevice** Is it Always On, Always Connected?
-- **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc.
-- **Edition** Indicates the edition of Windows being used.
-- **DeviceOEM** What OEM does this device belong to.
-- **ClientManagedByWSUSServer** Indicates whether the client is managed by Windows Server Update Services (WSUS).
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **ProcessorArchitecture** Processor architecture of the system (x86, AMD64, ARM).
 - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
-- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
-- **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client.
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
+- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult).
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
+- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet.
+- **TimeToEstablishConnection** Time (in ms) it took to establish the connection prior to beginning downloaded.
+- **TotalExpectedBytes** The total count of bytes that the download is expected to be.
+- **UpdateId** An identifier associated with the specific piece of content.
+- **UpdateID** An identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
+- **UsedDO** Whether the download used the delivery optimization service.
+- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive.
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **WUSetting** Indicates the users' current updating settings.
+
+
+### SoftwareUpdateClientTelemetry.DownloadCheckpoint
+
+This event provides a checkpoint between each of the Windows Update download phases for UUP content
+
+The following fields are available:
+
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
+- **ClientVersion** The version number of the software distribution client
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
+- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver"
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough
+- **FileId** A hash that uniquely identifies a file
+- **FileName** Name of the downloaded file
+- **FlightId** The unique identifier for each flight
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **RevisionNumber** Unique revision number of Update
+- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.)
+- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult)
+- **UpdateId** Unique Update ID
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
 ### SoftwareUpdateClientTelemetry.Install
@@ -3394,78 +3870,79 @@ This event sends tracking data about the software distribution client installati
 The following fields are available:
-- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
-- **EventInstanceID** A globally unique identifier for event instance.
-- **DeviceModel** What is the device model.
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
 - **BiosName** The name of the device BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **BiosSKUNumber** The sku number of the device BIOS.
 - **BIOSVendor** The vendor of the BIOS.
 - **BiosVersion** The version of the BIOS.
-- **BiosReleaseDate** The release date of the device BIOS.
-- **SystemBIOSMajorRelease** Major version of the BIOS.
-- **SystemBIOSMinorRelease** Minor version of the BIOS.
-- **BiosFamily** The family of the BIOS (Basic Input Output System).
-- **BiosSKUNumber** The sku number of the device BIOS.
-- **ClientVersion** The version number of the software distribution client.
-- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
-- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
-- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
-- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
-- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult).
-- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
-- **FlightRing** The ring that a device is on if participating in the Windows Insider Program.
-- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program.
-- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
-- **IsWUfBEnabled** Is Windows Update for Business enabled on the device?
-- **IsWUfBDualScanEnabled** Is Windows Update for Business dual scan enabled on the device?
-- **ShippingMobileOperator** The mobile operator that a device shipped on.
-- **CurrentMobileOperator** Mobile operator that device is currently connected to.
-- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
-- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced.
-- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
-- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install.
-- **EventType** Possible values are Child, Bundle, or Driver.
-- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
-- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
-- **IsFirmware** Is this update a firmware update?
-- **IsFinalOutcomeEvent** Does this event signal the end of the update/upgrade process?
-- **IsDependentSet** Is the driver part of a larger System Hardware/Firmware update?
-- **DriverPingBack** Contains information about the previous driver and system state.
-- **ExtendedErrorCode** The extended error code.
-- **CSIErrorType** The stage of CBS installation where it failed.
-- **MsiAction** The stage of MSI installation where it failed.
-- **MsiProductCode** The unique identifier of the MSI installer.
-- **TransactionCode** The ID which represents a given MSI installation
-- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device.
-- **IsSuccessFailurePostReboot** Did it succeed and then fail after a restart?
-- **UpdateId** Unique update ID
-- **RevisionNumber** The revision number of this specific piece of content.
-- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
-- **BundleRevisionNumber** Identifies the revision number of the content bundle.
-- **HandlerType** Indicates what kind of content is being installed. Example: app, driver, Windows update
-- **FlightId** The specific ID of the Windows Insider build the device is getting.
-- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway.
-- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive.
-- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build.
-- **BundleRepeatFailFlag** Has this particular update bundle previously failed to install?
-- **PackageFullName** The package name of the content being installed.
-- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
 - **BundleBytesDownloaded** How many bytes were downloaded for the specific content bundle?
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailFlag** Has this particular update bundle previously failed to install?
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
 - **CbsDownloadMethod** Was the download a full download or a partial download?
 - **ClientManagedByWSUSServer** Is the client managed by Windows Server Update Services (WSUS)?
+- **ClientVersion** The version number of the software distribution client.
+- **CSIErrorType** The stage of CBS installation where it failed.
+- **CurrentMobileOperator** Mobile operator that device is currently connected to.
+- **DeviceModel** What is the device model.
 - **DeviceOEM** What OEM does this device belong to.
 - **DownloadPriority** The priority of the download activity.
 - **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events.
+- **DriverPingBack** Contains information about the previous driver and system state.
 - **Edition** Indicates the edition of Windows being used.
+- **EventInstanceID** A globally unique identifier for event instance.
 - **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc.
-- **IsAOACDevice** Is it Always On, Always Connected? (Mobile device usage model)
-- **PlatformRole** The PowerPlatformRole as defined on MSDN.
-- **ProcessorArchitecture** Processor architecture of the system (x86, AMD64, ARM).
-- **RepeatSuccessInstallFlag** Indicates whether this specific piece of content had previously installed successful, for example if another user had already installed it.
-- **WUSetting** Indicates the user's current updating settings.
-- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
-- **QualityUpdatePause** Are quality OS updates paused on the device?
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **EventType** Possible values are Child, Bundle, or Driver.
+- **ExtendedErrorCode** The extended error code.
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
 - **FeatureUpdatePause** Are feature OS updates paused on the device?
+- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program.
+- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **FlightRing** The ring that a device is on if participating in the Windows Insider Program.
+- **HandlerType** Indicates what kind of content is being installed. Example: app, driver, Windows update
+- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **IsAOACDevice** Is it Always On, Always Connected? (Mobile device usage model)
+- **IsDependentSet** Is the driver part of a larger System Hardware/Firmware update?
+- **IsFinalOutcomeEvent** Does this event signal the end of the update/upgrade process?
+- **IsFirmware** Is this update a firmware update?
+- **IsSuccessFailurePostReboot** Did it succeed and then fail after a restart?
+- **IsWUfBDualScanEnabled** Is Windows Update for Business dual scan enabled on the device?
+- **IsWUfBEnabled** Is Windows Update for Business enabled on the device?
 - **MergedUpdate** Was the OS update and a BSP update merged for installation?
+- **MsiAction** The stage of MSI installation where it failed.
+- **MsiProductCode** The unique identifier of the MSI installer.
+- **PackageFullName** The package name of the content being installed.
+- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced.
+- **PlatformRole** The PowerPlatformRole as defined on MSDN.
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **ProcessorArchitecture** Processor architecture of the system (x86, AMD64, ARM).
+- **QualityUpdatePause** Are quality OS updates paused on the device?
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install.
+- **RepeatSuccessInstallFlag** Indicates whether this specific piece of content had previously installed successful, for example if another user had already installed it.
+- **RevisionNumber** The revision number of this specific piece of content.
+- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
+- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway.
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult).
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **TransactionCode** The ID which represents a given MSI installation
+- **UpdateId** Unique update ID
+- **UpdateID** An identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
+- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive.
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **WUSetting** Indicates the user's current updating settings.
 ### SoftwareUpdateClientTelemetry.SLSDiscovery
@@ -3475,13 +3952,13 @@ This event sends data about the ability of Windows to discover the location of a
 The following fields are available:
 - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
-- **SusClientId** The unique device ID controlled by the software distribution client
-- **WUAVersion** The version number of the software distribution client
-- **ServiceID** An ID which represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.)
-- **UrlPath** Path to the SLS cab that was downloaded
 - **HResult** Indicates the result code of the event (success, cancellation, failure code HResult)
 - **IsBackground** Indicates whether the SLS discovery event took place in the foreground or background
 - **NextExpirationTime** Indicates when the SLS cab expires
+- **ServiceID** An ID which represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.)
+- **SusClientId** The unique device ID controlled by the software distribution client
+- **UrlPath** Path to the SLS cab that was downloaded
+- **WUAVersion** The version number of the software distribution client
 ### SoftwareUpdateClientTelemetry.UpdateDetected
@@ -3490,44 +3967,13 @@ This event sends data about an AppX app that has been updated from the Microsoft
 The following fields are available:
-- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
-- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable
-- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete
-- **WUDeviceID** The unique device ID controlled by the software distribution client
-- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
-- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
-- **EventInstanceID** A globally unique identifier for event instance
-- **DeviceModel** The device's model as defined in system bios
-- **BiosName** The name of the device's system bios
-- **BIOSVendor** The vendor of the device's system bios
-- **BiosVersion** The version of the device's system bios
-- **BiosReleaseDate** The release date of the device's system bios
-- **SystemBIOSMajorRelease** The major release version of the device's system bios
-- **SystemBIOSMinorRelease** The minor release version of the device's system bios
-- **BiosFamily** The device's family as defined in system bios
-- **BiosSKUNumber** The device's SKU as defined in system bios
-- **ClientVersion** The version number of the software distribution client
-- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided
-- **ServiceGuid** An ID which represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.)
-- **StatusCode** Indicates the result code of the event (success, cancellation, failure code HResult)
-- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode wasn't specific enough
-- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
-- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
-- **ShippingMobileOperator** The mobile operator that a device shipped on.
-- **CurrentMobileOperator** The mobile operator the device is currently connected to.
-- **HomeMobileOperator** The mobile operator that the device was originally intended to work with
-- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced.
-- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion
-- **SyncType** Describes the type of scan the event was
-- **IPVersion** Indicates whether the download took place over IPv4 or IPv6
-- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked
-- **ScanDurationInSeconds** The number of seconds a scan took
-- **ScanEnqueueTime** The number of seconds it took to initialize a scan
-- **NumberOfLoop** The number of round trips the scan required
-- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan
-- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan
-- **ServiceUrl** The environment URL a device is configured to scan with
+- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
 - **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete.
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one.
+- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.).
+- **WUDeviceID** The unique device ID controlled by the software distribution client.
 ### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity
@@ -3536,94 +3982,112 @@ This event identifies whether updates have been tampered with and protects again
 The following fields are available:
+- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments.
 - **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed.
-- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store
-- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce
-- **StatusCode** The status code of the event.
 - **ExtendedStatusCode** The secondary status code of the event.
-- **RevisionId** The revision ID for a specific piece of content.
-- **UpdateId** The update ID for a specific piece of content.
-- **RevisionNumber** The revision number for a specific piece of content.
-- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed.
 - **LeafCertId** Integral ID from the FragmentSigning data for certificate that failed.
-- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
+- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
+- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce
 - **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID).
-- **SignatureAlgorithm** The hash algorithm for the metadata signature.
-- **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob.
-- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp.
-- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token.
 - **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable.
 - **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable.
+- **RevisionId** The revision ID for a specific piece of content.
+- **RevisionNumber** The revision number for a specific piece of content.
+- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Windows Store
 - **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate.
-- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
-- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments.
+- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
+- **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob.
+- **SignatureAlgorithm** The hash algorithm for the metadata signature.
 - **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast
+- **StatusCode** The status code of the event.
+- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token.
+- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed.
+- **UpdateId** The update ID for a specific piece of content.
+- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp.
-## Update Assistant Orchestrator events
->[!NOTE]
->Events from this provider are sent with the installation of KB4023814. For details, see [this support article](https://support.microsoft.com/help/4023814).
+## Update Assistant events
 ### Microsoft.Windows.UpdateAssistant.Orchestrator.BlockingEventId
-Event sends basic info on the reason that Windows 10 was not updated due to compatibility issues, previous rollbacks, or admin policies..
+The event sends basic info on the reason that Windows 10 was not updated due to compatibility issues, previous rollbacks, or admin policies.
 The following fields are available:
-- **ApplicabilityBlockedReason** Blocked due to an applicability issue.
-- **ClientId** Identification of the current installed version of Update Assistant.
-- **TriggerTaskSource** Describes which task launched this instance of Update Assistant.
+- **ApplicabilityBlockedReason** Blocked due to an applicability issue.
+- **BlockWuUpgrades** The upgrade assistant is currently blocked.
+- **clientID** An identification of the current release of Update Assistant.
+- **CloverTrail** This device is Clovertrail.
+- **DeviceIsMdmManaged** This device is MDM managed.
+- **IsNetworkAvailable** If the device network is not available.
+- **IsNetworkMetered** If network is metered.
+- **IsSccmManaged** This device is SCCM managed.
+- **NewlyInstalledOs** OS is newly installed quiet period.
+- **PausedByPolicy** Updates are paused by policy.
+- **RecoveredFromRS3** Previously recovered from RS3.
+- **RS1UninstallActive** Blocked due to an active RS1 uninstall.
+- **RS3RollBacks** Exceeded number of allowable RS3 rollbacks.
+- **triggerTaskSource** Describe which task launches this instance.
+- **WsusManaged** This device is WSUS managed.
+- **ZeroExhaust** This device is zero exhaust.
+
 ### Microsoft.Windows.UpdateAssistant.Orchestrator.DeniedLaunchEventId
-Event sends basic info on the reason the Windows 10 update was blocked or prevented.
+The event sends basic info when a device was blocked or prevented from updating to the latest Windows 10 version.
 The following fields are available:
-- **ClientId** Identification of the current installed version of Update Assistant.
-- **DenyReason** Reasons why Update Assistant was prevented from launching.
-- **TriggerTaskSource** Describes which task launched this instance of Update Assistant.
+- **clientID** An identification of the current release of Update Assistant.
+- **denyReason** All the reasons why the Update Assistant was prevented from launching. Bitmask with values from UpdateAssistant.cpp eUpgradeModeReason.
+- **triggerTaskSource** Describe which task launches this instance.
+
 ### Microsoft.Windows.UpdateAssistant.Orchestrator.FailedLaunchEventId
-Event sends basic info when the Windows 10 Update Assistant tool could not be launched due to an error..
+Event to mark that Update Assistant Orchestrator failed to launch Update Assistant.
 The following fields are available:
-- **ClientId** Identification of the current installed version of Update Assistant.
-- **HResult** Error code of the Update Assistant Orchestrator error.
-- **TriggerTaskSource** Describes which task launched this instance of Update Assistant.
+- **clientID** An identification of the current release of Update Assistant.
+- **hResult** Error code of the Update Assistant Orchestrator failure.
+- **triggerTaskSource** Describe which task launches this instance.
+
 ### Microsoft.Windows.UpdateAssistant.Orchestrator.FailedOneSettingsQueryEventId
-Event sends basic info to signal when the settings related to the Windows 10 update could not be downloaded.
+Event indicating One Settings was not queried by update assistant.
 The following fields are available:
-- **ClientId** Identification of the current installed version of Update Assistant.
-- **HResult** Error code of the attempted query for the settings.
+- **clientID** An identification of the current release of Update Assistant.
+- **hResult** Error code of One Settings query failure.
+
 ### Microsoft.Windows.UpdateAssistant.Orchestrator.LaunchEventId
-Event sends basic info on whether the device should or should not be updated to the latest Windows 10 version.
+This event sends basic information on whether the device should be updated to the latest Windows 10 version.
 The following fields are available:
-- **ClientId** Identification of the current installed version of Update Assistant.
-- **LaunchMode** Type of launch performed.
-- **LaunchTypeReason** All of the reasons for the type of launch performed.
-- **TriggerTaskSource** Describes which task launched this instance of Update Assistant.
-- **UALaunchRunCount** Total number of times Update Assistant was launched.
+- **autoStartRunCount** The auto start run count of Update Assistant.
+- **clientID** The ID of the current release of Update Assistant.
+- **launchMode** Indicates the type of launch performed.
+- **launchTypeReason** A bitmask of all the reasons for type of launch.
+- **triggerTaskSource** Indicates which task launches this instance.
+- **UALaunchRunCount** Total number of times Update Assistant launched.
+
 ### Microsoft.Windows.UpdateAssistant.Orchestrator.RestoreEventId
-Event sends basic info on whether the Windows 10 update notification had launched previously.
+The event sends basic info on whether the Windows 10 update notification has previously launched.
 The following fields are available:
-- **ClientId** Identification of the current installed version of Update Assistant.
-- **RestoreReason** All of the reasons for being restored.
-- **TriggerTaskSource** Describes which task launched this instance of Update Assistant.
+- **clientID** ID of the current release of Update Assistant.
+- **restoreReason** All the reasons for the restore.
+- **triggerTaskSource** Indicates which task launches this instance.
+
 ## Update events
@@ -3633,25 +4097,25 @@ This event sends data during the download request phase of updating Windows.
 The following fields are available:
+- **DeletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted.
 - **ErrorCode** The error code returned for the current download request phase.
-- **PackageCountTotal** Total number of packages needed.
-- **PackageCountRequired** Number of required packages requested.
-- **PackageCountOptional** Number of optional packages requested.
-- **ObjectId** Unique value for each Update Agent mode.
-- **SessionId** Unique value for each Update Agent mode attempt.
-- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **RelatedCV** Correlation vector value generated from the latest USO scan.
-- **Result** Result of the download request phase of update.
-- **PackageSizeCanonical** Size of canonical packages in bytes
-- **PackageSizeDiff** Size of diff packages in bytes
-- **PackageSizeExpress** Size of express packages in bytes
 - **FlightId** Unique ID for each flight.
-- **UpdateId** Unique ID for each update.
+- **ObjectId** Unique value for each Update Agent mode.
+- **PackageCountOptional** Number of optional packages requested.
+- **PackageCountRequired** Number of required packages requested.
+- **PackageCountTotal** Total number of packages needed.
 - **PackageCountTotalCanonical** Total number of canonical packages.
 - **PackageCountTotalDiff** Total number of diff packages.
 - **PackageCountTotalExpress** Total number of express packages.
+- **PackageSizeCanonical** Size of canonical packages in bytes
+- **PackageSizeDiff** Size of diff packages in bytes
+- **PackageSizeExpress** Size of express packages in bytes
 - **RangeRequestState** Represents the state of the download range request.
-- **DeletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Result of the download request phase of update.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **UpdateId** Unique ID for each update.
 ### Update360Telemetry.UpdateAgent_Initialize
@@ -3661,15 +4125,15 @@ This event sends data during the initialize phase of updating Windows.
 The following fields are available:
 - **ErrorCode** The error code returned for the current initialize phase.
-- **SessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
-- **UpdateId** Unique ID for each update.
 - **FlightId** Unique ID for each flight.
 - **FlightMetadata** Contains the FlightId and the build being flighted.
 - **ObjectId** Unique value for each Update Agent mode.
-- **SessionId** Unique value for each Update Agent mode attempt .
-- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
 - **RelatedCV** Correlation vector value generated from the latest USO scan.
 - **Result** Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **SessionId** Unique value for each Update Agent mode attempt .
+- **UpdateId** Unique ID for each update.
 ### Update360Telemetry.UpdateAgent_Install
@@ -3679,12 +4143,12 @@ This event sends data during the install phase of updating Windows.
 The following fields are available:
 - **ErrorCode** The error code returned for the current install phase.
-- **ObjectId** Unique value for each Update Agent mode.
-- **SessionId** Unique value for each Update Agent mode attempt.
-- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **RelatedCV** Correlation vector value generated from the latest scan.
-- **Result** Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
 - **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest scan.
+- **Result** Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionId** Unique value for each Update Agent mode attempt.
 - **UpdateId** Unique ID for each update.
@@ -3694,12 +4158,12 @@ This event sends data for the start of each mode during the process of updating
 The following fields are available:
+- **FlightId** Unique ID for each flight.
 - **Mode** Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit
 - **ObjectId** Unique value for each Update Agent mode.
-- **SessionId** Unique value for each Update Agent mode attempt.
-- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
 - **RelatedCV** The correlation vector value generated from the latest scan.
-- **FlightId** Unique ID for each flight.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionId** Unique value for each Update Agent mode attempt.
 - **UpdateId** Unique ID for each update.
@@ -3709,101 +4173,101 @@ This event sends data during the launching of the setup box when updating Window
 The following fields are available:
-- **Quiet** Indicates whether setup is running in quiet mode. 0 = false 1 = true
-- **ObjectId** Unique value for each Update Agent mode.
-- **SessionId** Unique value for each Update Agent mode attempt.
-- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **RelatedCV** Correlation vector value generated from the latest scan.
 - **FlightId** Unique ID for each flight.
-- **UpdateId** Unique ID for each update.
-- **SetupMode** Setup mode 1 = predownload, 2 = install, 3 = finalize
+- **ObjectId** Unique value for each Update Agent mode.
+- **Quiet** Indicates whether setup is running in quiet mode. 0 = false 1 = true
+- **RelatedCV** Correlation vector value generated from the latest scan.
 - **SandboxSize** The size of the sandbox folder on the device.
+- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionId** Unique value for each Update Agent mode attempt.
+- **SetupMode** Setup mode 1 = predownload, 2 = install, 3 = finalize
+- **UpdateId** Unique ID for each update.
 ## Upgrade events
 ### Setup360Telemetry.Downlevel
-This event sends data indicating that the device has invoked the downlevel phase of the upgrade. It's used to help keep Windows up-to-date and secure.
+This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure.
 The following fields are available:
 - **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the downlevel OS.
+- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS).
 - **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
 - **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
-- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
-- **TestId** A string that uniquely identifies a group of events.
-- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS).
-- **HostOSBuildNumber** The build number of the downlevel OS.
-- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
-- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
-- **Setup360Result** The result of Setup360. It's an HRESULT error code that can be used to diagnose errors.
-- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Extended** More detailed information about phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback).
+- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors).
+- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT).
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
+- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** An ID that uniquely identifies a group of events.
+- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
 ### Setup360Telemetry.Finalize
-This event sends data indicating that the device has invoked the finalize phase of the upgrade, to help keep Windows up-to-date.
+This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure.
 The following fields are available:
 - **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
 - **InstanceId** A unique GUID that identifies each instance of setuphost.exe
 - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
-- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
-- **TestId** A string to uniquely identify a group of events.
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
-- **HostOSBuildNumber** The build number of the previous OS.
-- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
-- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
 - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
-- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
 ### Setup360Telemetry.OsUninstall
-The event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.OSUninstall indicates the outcome of an OS uninstall.
+This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall.
 The following fields are available:
 - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
 - **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
 - **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
-- **WuId** Windows Update client ID.
-- **TestId** A string to uniquely identify a group of events.
-- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
-- **HostOSBuildNumber** The build number of the previous OS.
-- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
-- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
 - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
-- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** Windows Update client ID.
 ### Setup360Telemetry.PostRebootInstall
-This event sends data indicating that the device has invoked the postrebootinstall phase of the upgrade, to help keep Windows up-to-date.
+This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date.
 The following fields are available:
 - **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
 - **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
 - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
-- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
-- **TestId** A string to uniquely identify a group of events.
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
-- **HostOSBuildNumber** The build number of the previous OS.
-- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
 - **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
 - **Setup360Result** The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
-- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
 ### Setup360Telemetry.PreDownloadQuiet
@@ -3813,81 +4277,81 @@ This event sends data indicating that the device has invoked the predownload qui
 The following fields are available:
 - **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
-- **InstanceId** A unique GUID that identifies each instance of setuphost.exe
-- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
-- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId.
-- **TestId** A string to uniquely identify a group of events.
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled
-- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system).
 - **HostOSBuildNumber** The build number of the previous OS.
-- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
-- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system).
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
 - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
-- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId.
 ### Setup360Telemetry.PreDownloadUX
-The event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.PredownloadUX indicates the outcome of the PredownloadUX portion of the update process.
+This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process.
 The following fields are available:
 - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous operating system.
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system).
 - **InstanceId** Unique GUID that identifies each instance of setuphost.exe.
 - **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
-- **WuId** Windows Update client ID.
-- **TestId** A string to uniquely identify a group of events.
-- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system).
-- **HostOSBuildNumber** The build number of the previous operating system.
-- **Setup360Scenario** The Setup360 flow type. Examplle: Boot, Media, Update, MCT
-- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
 - **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
-- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS).
+- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** ID that uniquely identifies a group of events.
+- **WuId** Windows Update client ID.
 ### Setup360Telemetry.PreInstallQuiet
-This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up to date.
+This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date.
 The following fields are available:
 - **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
 - **InstanceId** A unique GUID that identifies each instance of setuphost.exe
 - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
-- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
-- **TestId** A string to uniquely identify a group of events.
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
-- **HostOSBuildNumber** The build number of the previous OS.
-- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT)
-- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback etc.
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
 - **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
-- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT).
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
 ### Setup360Telemetry.PreInstallUX
-This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.PreinstallUX indicates the outcome of the PreinstallUX portion of the update process.
+This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process.
 The following fields are available:
 - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
 - **InstanceId** A unique GUID that identifies each instance of setuphost.exe.
 - **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
-- **WuId** Windows Update client ID.
-- **TestId** A string to uniquely identify a group of events.
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS).
-- **HostOSBuildNumber** The build number of the previous OS.
-- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT
-- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
 - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
-- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** Windows Update client ID.
 ### Setup360Telemetry.Setup360
@@ -3896,13 +4360,19 @@ This event sends data about OS deployment scenarios, to help keep Windows up-to-
 The following fields are available:
+- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FieldName** Retrieves the data point.
+- **FlightData** Specifies a unique identifier for each group of Windows Insider builds.
 - **InstanceId** Retrieves a unique identifier for each instance of a setup session.
 - **ReportId** Retrieves the report ID.
-- **FlightData** Specifies a unique identifier for each group of Windows Insider builds.
 - **ScenarioId** Retrieves the deployment scenario.
-- **FieldName** Retrieves the data point.
 - **Value** Retrieves the value associated with the corresponding FieldName.
-- **ClientId** Retrieves the upgrade ID: Upgrades via Windows Update - specifies the WU clientID. All other deployment - static string.
+
+
+### Setup360Telemetry.Setup360DynamicUpdate
+This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date.
+
 ### Setup360Telemetry.UnexpectedEvent
@@ -3912,18 +4382,18 @@ This event sends data indicating that the device has invoked the unexpected even
 The following fields are available:
 - **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber** The build number of the previous OS.
+- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
 - **InstanceId** A unique GUID that identifies each instance of setuphost.exe
 - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
-- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
-- **TestId** A string to uniquely identify a group of events.
-- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS).
-- **HostOSBuildNumber** The build number of the previous OS.
-- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT
-- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
-- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
-- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred.
+- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback.
+- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT.
 - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS).
+- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled.
+- **TestId** A string to uniquely identify a group of events.
+- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
 ## Windows Error Reporting events
@@ -3934,19 +4404,25 @@ This event sends binary data from the collected dump file wheneveer a bug check
 The following fields are available:
-- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
+- **BootId** Uint32 identifying the boot number for this device.
 - **BugCheckCode** Uint64 "bugcheck code" that identifies a proximate cause of the bug check.
 - **BugCheckParameter1** Uint64 parameter providing additional information.
-- **BootId** Uint32 identifying the boot number for this device.
 - **BugCheckParameter2** Uint64 parameter providing additional information.
-- **BugCheckParameter4** Uint64 parameter providing additional information.
 - **BugCheckParameter3** Uint64 parameter providing additional information.
-- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise
-- **DumpFileSize** Size of the dump file
+- **BugCheckParameter4** Uint64 parameter providing additional information.
 - **DumpFileAttributes** Codes that identify the type of data contained in the dump file
+- **DumpFileSize** Size of the dump file
+- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise
+- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
+
+
+## Windows Store events
+
+### Microsoft.Windows.Store.Partner.ReportApplication
+
+Report application event for Windows Store client.
-## Microsoft Store events
 ### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation
@@ -3954,24 +4430,24 @@ This event is sent when an installation or update is canceled by a user or the s
 The following fields are available:
-- **PFN** The product family name of the product being installed.
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** Number of retry attempts before it was canceled.
+- **BundleId** The Item Bundle ID.
+- **CategoryId** The Item Category ID.
 - **ClientAppId** The identity of the app that initiated this operation.
 - **HResult** The result code of the last action performed before this operation.
-- **IsUpdate** Flag indicating if this is an update.
-- **AttemptNumber** Number of retry attempts before it was canceled.
-- **CategoryId** The Item Category ID.
-- **ProductId** The identity of the package or packages being installed.
+- **IsBundle** Is this a bundle?
 - **IsInteractive** Was this requested by a user?
-- **IsRemediation** Was this a remediation install?
-- **BundleId** The Item Bundle ID.
 - **IsMandatory** Was this a mandatory update?
+- **IsRemediation** Was this a remediation install?
+- **IsRestore** Is this automatically restoring a previously acquired product?
+- **IsUpdate** Flag indicating if this is an update.
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The product family name of the product being installed.
+- **ProductId** The identity of the package or packages being installed.
 - **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled.
 - **UserAttemptNumber** The total number of user attempts at installation before it was canceled.
-- **IsRestore** Is this automatically restoring a previously acquired product?
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **IsBundle** Is this a bundle?
-- **WUContentId** The Windows Update content ID
-- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **WUContentId** Licensing identity of this package.
 ### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds
@@ -3992,40 +4468,40 @@ This event is sent when an app update or installation is canceled while in inter
 The following fields are available:
-- **IsInteractive** Was this requested by a user?
+- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed.
 - **AttemptNumber** Total number of installation attempts.
 - **BundleId** The identity of the Windows Insider build that is associated with this product.
-- **PreviousHResult** The previous HResult code.
-- **ClientAppId** The identity of the app that initiated this operation.
 - **CategoryId** The identity of the package or packages being installed.
-- **PFN** The name of all packages to be downloaded and installed.
-- **ProductId** The name of the package or packages requested for installation.
-- **IsUpdate** Is this a product update?
-- **IsRemediation** Is this repairing a previous installation?
-- **RelatedCV** Correlation Vector of a previous performed action on this product.
-- **PreviousInstallState** Previous installation state before it was canceled.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Was this requested by a user?
 - **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this an automatic restore of a previously acquired product?
+- **IsUpdate** Is this a product update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of all packages to be downloaded and installed.
+- **PreviousHResult** The previous HResult code.
+- **PreviousInstallState** Previous installation state before it was canceled.
+- **ProductId** The name of the package or packages requested for installation.
+- **RelatedCV** Correlation Vector of a previous performed action on this product.
 - **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled.
 - **UserAttemptNumber** Total number of user attempts to install before it was canceled.
-- **IsRestore** Is this an automatic restore of a previously acquired product?
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **IsBundle** Is this a bundle?
-- **WUContentId** The Windows Update content ID
-- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed.
+- **WUContentId** The Windows Update content ID.
 ### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest
-This event is sent after the app installations or updates. It's used to help keep Windows up-to-date and secure
+This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure.
 The following fields are available:
+- **CatalogId** The Store Product ID of the app being installed.
+- **HResult** HResult code of the action being performed.
 - **IsBundle** Is this a bundle?
+- **PackageFamilyName** The name of the package being installed.
 - **ProductId** The Store Product ID of the product being installed.
 - **SkuId** Specific edition of the item being installed.
-- **CatalogId** The Store Product ID of the app being installed.
-- **PackageFamilyName** The name of the package being installed.
-- **HResult** HResult code of the action being performed.
 ### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense
@@ -4034,57 +4510,57 @@ This event is sent after the license is acquired when a product is being install
 The following fields are available:
-- **PFN** Product Family Name of the product being installed.
-- **HResult** HResult code to show the result of the operation (success/failure).
-- **ProductId** The Store Product ID for the product being installed.
-- **IsInteractive** Did the user initiate the installation?
+- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set.
+- **AttemptNumber** The total number of attempts to acquire this product.
 - **CategoryId** The identity of the package or packages being installed.
 - **ClientAppId** The identity of the app that initiated this operation.
-- **IsRemediation** Is this repairing a previous installation?
-- **UpdateId** The update ID (if this is an update)
-- **AttemptNumber** The total number of attempts to acquire this product.
-- **IsUpdate** Is this an update?
-- **IsMandatory** Is this a mandatory update?
-- **SystemAttemptNumber** The number of attempts by the system to acquire this product.
-- **UserAttemptNumber** The number of attempts by the user to acquire this product
-- **IsRestore** Is this happening after a device restore?
+- **HResult** HResult code to show the result of the operation (success/failure).
 - **IsBundle** Is this a bundle?
-- **WUContentId** The Windows Update content ID
+- **IsInteractive** Did the user initiate the installation?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this happening after a device restore?
+- **IsUpdate** Is this an update?
 - **ParentBundledId** The product's parent bundle ID.
-- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set.
+- **PFN** Product Family Name of the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The number of attempts by the system to acquire this product.
+- **UpdateId** The update ID (if this is an update)
+- **UserAttemptNumber** The number of attempts by the user to acquire this product
+- **WUContentId** The Windows Update content ID.
 ### Microsoft.Windows.StoreAgent.Telemetry.EndDownload
-This event happens during the app update or installation when content is being downloaded at the end of the process to report success or failure. It's used to help keep Windows up-to-date and secure.
+This event is sent after an app is downloaded to help keep Windows up-to-date and secure.
 The following fields are available:
-- **PFN** The Product Family Name of the app being download.
-- **IsRemediation** Is this repairing a previous installation?
-- **DownloadSize** The total size of the download.
-- **ClientAppId** The identity of the app that initiated this operation.
-- **CategoryId** The identity of the package or packages being installed.
-- **IsUpdate** Is this an update?
-- **HResult** The result code of the last action performed.
-- **IsInteractive** Is this initiated by the user?
+- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
 - **AttemptNumber** Number of retry attempts before it was canceled.
 - **BundleId** The identity of the Windows Insider build associated with this product.
-- **ProductId** The Store Product ID for the product being installed.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **DownloadSize** The total size of the download.
+- **ExtendedHResult** Any extended HResult error codes.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this initiated by the user?
 - **IsMandatory** Is this a mandatory installation?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this a restore of a previously acquired product?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The parent bundle ID (if it's part of a bundle).
+- **PFN** The Product Family Name of the app being download.
+- **ProductId** The Store Product ID for the product being installed.
 - **SystemAttemptNumber** The number of attempts by the system to download.
 - **UserAttemptNumber** The number of attempts by the user to download.
-- **IsRestore** Is this a restore of a previously acquired product?
-- **ParentBundleId** The parent bundle ID (if it's part of a bundle).
-- **IsBundle** Is this a bundle?
 - **WUContentId** The Windows Update content ID.
-- **ExtendedHResult** Any extended HResult error codes.
-- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
 ### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate
-This event happens when an app update requires an updated Framework package and the process starts to download it. It's used to help keep Windows up-to-date and secure.
+This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure.
 The following fields are available:
@@ -4102,29 +4578,29 @@ The following fields are available:
 ### Microsoft.Windows.StoreAgent.Telemetry.EndInstall
-This event is sent after a product has been installed. It's used to help keep Windows up-to-date and secure.
+This event is sent after a product has been installed to help keep Windows up-to-date and secure.
 The following fields are available:
-- **BundleId** The identity of the build associated with this product.
-- **PFN** Product Family Name of the product being installed.
-- **ClientAppId** The identity of the app that initiated this operation.
-- **CategoryId** The identity of the package or packages being installed.
-- **ProductId** The Store Product ID for the product being installed.
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
 - **AttemptNumber** The number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **ExtendedHResult** The extended HResult error code.
 - **HResult** The result code of the last action performed.
-- **IsRemediation** Is this repairing a previous installation?
+- **IsBundle** Is this a bundle?
 - **IsInteractive** Is this an interactive installation?
-- **IsUpdate** Is this an update?
 - **IsMandatory** Is this a mandatory installation?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this automatically restoring a previously acquired product?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** Product Family Name of the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
 - **SystemAttemptNumber** The total number of system attempts.
 - **UserAttemptNumber** The total number of user attempts.
-- **IsRestore** Is this automatically restoring a previously acquired product?
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **IsBundle** Is this a bundle?
-- **WUContentId** The Windows Update content ID
-- **ExtendedHResult** The extended HResult error code.
-- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **WUContentId** The Windows Update content ID.
 ### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates
@@ -4133,63 +4609,63 @@ This event is sent after a scan for product updates to determine if there are pa
 The following fields are available:
+- **ClientAppId** The identity of the app that initiated this operation.
 - **HResult** The result code of the last action performed.
 - **IsApplicability** Is this request to only check if there are any applicable packages to install?
 - **IsInteractive** Is this user requested?
-- **ClientAppId** The identity of the app that initiated this operation.
 - **IsOnline** Is the request doing an online check?
 ### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages
-This event is sent after searching for update packages to install. It's used to help keep Windows up-to-date and secure.
+This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure.
 The following fields are available:
-- **IsRemediation** Is this repairing a previous installation?
-- **IsUpdate** Is this an update?
-- **ClientAppId** The identity of the app that initiated this operation.
-- **HResult** The result code of the last action performed.
-- **ProductId** The Store Product ID for the product being installed.
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
 - **AttemptNumber** The total number of retry attempts before it was canceled.
-- **IsInteractive** Is this user requested?
-- **PFN** The name of the package or packages requested for install.
 - **BundleId** The identity of the build associated with this product.
 - **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
 - **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **ProductId** The Store Product ID for the product being installed.
 - **SystemAttemptNumber** The total number of system attempts.
 - **UserAttemptNumber** The total number of user attempts.
-- **IsRestore** Is this restoring previously acquired content?
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **IsBundle** Is this a bundle?
-- **WUContentId** The Windows Update content ID
-- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **WUContentId** The Windows Update content ID.
 ### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData
-This event is sent between download and installation to see if there is app data that needs to be restored from the cloud. It's used to keep Windows up-to-date and secure.
+This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to keep Windows up-to-date and secure.
 The following fields are available:
-- **IsInteractive** Is this user requested?
-- **PFN** The name of the package or packages requested for install.
-- **IsUpdate** Is this an update?
-- **CategoryId** The identity of the package or packages being installed.
-- **HResult** The result code of the last action performed.
+- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
 - **AttemptNumber** The total number of retry attempts before it was canceled.
-- **ProductId** The Store Product ID for the product being installed.
 - **BundleId** The identity of the build associated with this product.
-- **IsRemediation** Is this repairing a previous installation?
+- **CategoryId** The identity of the package or packages being installed.
 - **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
 - **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **ProductId** The Store Product ID for the product being installed.
 - **SystemAttemptNumber** The total number of system attempts.
 - **UserAttemptNumber** The total number of system attempts.
-- **IsRestore** Is this restoring previously acquired content?
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **IsBundle** Is this a bundle?
-- **WUContentId** The Windows Update content ID
-- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
+- **WUContentId** The Windows Update content ID.
 ### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare
@@ -4203,100 +4679,100 @@ The following fields are available:
 ### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete
-This event is sent at the end of an app install or update and is used to track the very end of the install or update process.
+This event is sent at the end of an app install or update to help keep Windows up-to-date and secure.
 The following fields are available:
-- **ProductId** The product ID of the app that is being updated or installed.
-- **PFN** The Package Family Name of the app that is being installed or updated.
-- **FailedRetry** Was the installation or update retry successful?
+- **FailedRetry** Indicates whether the installation or update retry was successful.
 - **HResult** The HResult code of the operation.
+- **PFN** The Package Family Name of the app that is being installed or updated.
+- **ProductId** The product ID of the app that is being updated or installed.
 ### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate
-This event is sent at the beginning of an app install or update and is used to track the very beginning of the install or update process.
+This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure.
 The following fields are available:
-- **ProductId** The product ID of the app that is being updated or installed.
 - **PFN** The Package Family Name of the app that is being installed or updated.
+- **ProductId** The product ID of the app that is being updated or installed.
 ### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest
-This event happens at the beginning of the install process when an app update or new app is installed. It's used to help keep Windows up-to-date and secure.
+This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure.
 The following fields are available:
-- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed.
 - **BundleId** The identity of the build associated with this product.
-- **SkuId** Specific edition ID being installed.
+- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed.
 - **ProductId** The Store Product ID for the product being installed.
+- **SkuId** Specific edition ID being installed.
 - **VolumePath** The disk path of the installation.
 ### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation
-This event is sent when a product install or update is paused either by a user or the system. It's used to help keep Windows up-to-date and secure.
+This event is sent when a product install or update is paused (either by a user or the system), to help keep Windows up-to-date and secure.
 The following fields are available:
-- **RelatedCV** Correlation Vector of a previous performed action on this product.
-- **IsRemediation** Is this repairing a previous installation?
-- **PreviousHResult** The result code of the last action performed before this operation.
-- **ProductId** The Store Product ID for the product being installed.
-- **IsUpdate** Is this an update?
-- **PreviousInstallState** Previous state before the installation or update was paused.
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
 - **CategoryId** The identity of the package or packages being installed.
 - **ClientAppId** The identity of the app that initiated this operation.
-- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **IsBundle** Is this a bundle?
 - **IsInteractive** Is this user requested?
-- **BundleId** The identity of the build associated with this product.
-- **PFN** The Product Full Name.
 - **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The Product Full Name.
+- **PreviousHResult** The result code of the last action performed before this operation.
+- **PreviousInstallState** Previous state before the installation or update was paused.
+- **ProductId** The Store Product ID for the product being installed.
+- **RelatedCV** Correlation Vector of a previous performed action on this product.
 - **SystemAttemptNumber** The total number of system attempts.
 - **UserAttemptNumber** The total number of user attempts.
-- **IsRestore** Is this restoring previously acquired content?
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **IsBundle** Is this a bundle?
-- **WUContentId** The Windows Update content ID
-- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **WUContentId** The Windows Update content ID.
 ### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation
-This event happens when a product install or update is resumed either by a user or the system. It's used to help keep Windows up-to-date and secure.
+This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure.
 The following fields are available:
-- **RelatedCV** Correlation Vector for the original install before it was resumed.
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
 - **AttemptNumber** The number of retry attempts before it was canceled.
 - **BundleId** The identity of the build associated with this product.
-- **PreviousHResult** The previous HResult error code.
-- **ClientAppId** The identity of the app that initiated this operation.
 - **CategoryId** The identity of the package or packages being installed.
-- **PFN** The name of the package or packages requested for install.
-- **IsUpdate** Is this an update?
-- **PreviousInstallState** Previous state before the installation was paused.
-- **IsRemediation** Is this repairing a previous installation?
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed before this operation.
+- **IsBundle** Is this a bundle?
 - **IsInteractive** Is this user requested?
-- **ProductId** The Store Product ID for the product being installed.
 - **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **IsUserRetry** Did the user initiate the retry?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **PreviousHResult** The previous HResult error code.
+- **PreviousInstallState** Previous state before the installation was paused.
+- **ProductId** The Store Product ID for the product being installed.
+- **RelatedCV** Correlation Vector for the original install before it was resumed.
 - **SystemAttemptNumber** The total number of system attempts.
 - **UserAttemptNumber** The total number of user attempts.
-- **IsRestore** Is this restoring previously acquired content?
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **IsBundle** Is this a bundle?
-- **WUContentId** The Windows Update content ID
-- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
-- **IsUserRetry** Did the user initiate the retry?
-- **HResult** The result code of the last action performed before this operation.
+- **WUContentId** The Windows Update content ID.
 ### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest
-This event happens when a product install or update is resumed by a user and on installation retries. It's used to help keep Windows up-to-date and secure.
+This event is sent when a product install or update is resumed by a user or on installation retries, to help keep Windows up-to-date and secure.
 The following fields are available:
@@ -4305,22 +4781,22 @@ The following fields are available:
 ### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest
-This event is sent when searching for update packages to install. It's used to help keep Windows up-to-date and secure.
+This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure.
 The following fields are available:
+- **CatalogId** The Store Catalog ID for the product being installed.
 - **ProductId** The Store Product ID for the product being installed.
 - **SkuId** Specfic edition of the app being updated.
-- **CatalogId** The Store Product ID for the product being installed.
 ### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest
-This event happens an app for a user needs to be updated. It's used to help keep Windows up-to-date and secure.
+This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure.
 The following fields are available:
-- **PFamN** The name of the product that is requested for update.
+- **PFamN** The name of the app that is requested for update.
 ## Windows Update Delivery Optimization events
@@ -4331,22 +4807,22 @@ This event describes when a download was canceled with Delivery Optimization. It
 The following fields are available:
-- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group.
-- **fileID** The ID of the file being downloaded.
-- **sessionID** The ID of the file download session.
-- **scenarioID** The ID of the scenario.
-- **bytesFromCDN** The number of bytes received from a CDN source.
-- **updateID** The ID of the update being downloaded.
 - **background** Is the download being done in the background?
-- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
-- **clientTelId** A random number used for device sampling.
+- **bytesFromCDN** The number of bytes received from a CDN source.
 - **bytesFromGroupPeers** The number of bytes received from a peer in the same group.
-- **errorCode** The error code that was returned.
-- **doErrorCode** The Delivery Optimization error code that was returned.
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group.
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
 - **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
 - **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
+- **clientTelId** A random number used for device sampling.
+- **doErrorCode** The Delivery Optimization error code that was returned.
+- **errorCode** The error code that was returned.
 - **experimentId** When running a test, this is used to correlate events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
 - **isVpn** Is the device connected to a Virtual Private Network?
+- **scenarioID** The ID of the scenario.
+- **sessionID** The ID of the file download session.
+- **updateID** The ID of the update being downloaded.
 - **usedMemoryStream** Did the download use memory streaming?
@@ -4356,37 +4832,36 @@ This event describes when a download has completed with Delivery Optimization. I
 The following fields are available:
-- **sessionID** The ID of the download session.
-- **scenarioID** The ID of the scenario.
-- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group.
-- **updateID** The ID of the update being downloaded.
-- **fileSize** The size of the file being downloaded.
-- **bytesFromCDN** The number of bytes received from a CDN source.
-- **fileID** The ID of the file being downloaded.
 - **background** Is the download a background download?
-- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
-- **totalTime** How long did the download take (in seconds)?
-- **restrictedUpload** Is the upload restricted?
-- **clientTelId** A random number used for device sampling.
+- **bytesFromCDN** The number of bytes received from a CDN source.
 - **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group.
-- **downloadMode** The download mode used for this file download session.
-- **doErrorCode** The Delivery Optimization error code that was returned.
-- **numPeers** The total number of peers used for this download.
+- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group.
+- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
+- **bytesRequested** The total number of bytes requested for download.
 - **cdnConnectionCount** The total number of connections made to the CDN.
-- **lanConnectionCount** The total number of connections made to peers in the same LAN.
-- **groupConnectionCount** The total number of connections made to peers in the same group.
-- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group.
-- **cdnIp** The IP address of the source CDN.
-- **downlinkBps** The maximum measured available download bandwidth (in bytes per second).
-- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second).
-- **downlinkUsageBps** The download speed (in bytes per second).
-- **uplinkUsageBps** The upload speed (in bytes per second).
-- **totalTimeMs** Duration of the download (in seconds).
 - **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
 - **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
-- **bytesRequested** The total number of bytes requested for download.
+- **cdnIp** The IP address of the source CDN.
+- **clientTelId** A random number used for device sampling.
+- **doErrorCode** The Delivery Optimization error code that was returned.
+- **downlinkBps** The maximum measured available download bandwidth (in bytes per second).
+- **downlinkUsageBps** The download speed (in bytes per second).
+- **downloadMode** The download mode used for this file download session.
 - **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **fileSize** The size of the file being downloaded.
+- **groupConnectionCount** The total number of connections made to peers in the same group.
+- **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group.
 - **isVpn** Is the device connected to a Virtual Private Network?
+- **lanConnectionCount** The total number of connections made to peers in the same LAN.
+- **numPeers** The total number of peers used for this download.
+- **restrictedUpload** Is the upload restricted?
+- **scenarioID** The ID of the scenario.
+- **sessionID** The ID of the download session.
+- **totalTimeMs** Duration of the download (in seconds).
+- **updateID** The ID of the update being downloaded.
+- **uplinkBps** The maximum measured available upload bandwidth (in bytes per second).
+- **uplinkUsageBps** The upload speed (in bytes per second).
 - **usedMemoryStream** Did the download use memory streaming?
@@ -4396,48 +4871,48 @@ This event represents a temporary suspension of a download with Delivery Optimiz
 The following fields are available:
-- **updateID** The ID of the update being paused.
-- **errorCode** The error code that was returned.
-- **scenarioID** The ID of the scenario.
 - **background** Is the download a background download?
-- **sessionID** The ID of the download session.
 - **clientTelId** A random number used for device sampling.
-- **reasonCode** The reason for pausing the download.
-- **fileID** The ID of the file being paused.
+- **errorCode** The error code that was returned.
 - **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being paused.
 - **isVpn** Is the device connected to a Virtual Private Network?
+- **reasonCode** The reason for pausing the download.
+- **scenarioID** The ID of the scenario.
+- **sessionID** The ID of the download session.
+- **updateID** The ID of the update being paused.
 ### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted
-This event describes the start of a new download with Delivery Optimization. It's used to understand and address problems regarding downloads.
+This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads.
 The following fields are available:
-- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
-- **errorCode** The error code that was returned.
-- **doErrorCode** The Delivery Optimization error code that was returned.
-- **peerID** The ID for this Delivery Optimization client.
-- **doClientVersion** The version of the Delivery Optimization client.
-- **jobID** The ID of the Windows Update job.
-- **sessionID** The ID of the download session.
-- **updateID** The ID of the update being downloaded.
-- **scenarioID** The ID of the scenario.
-- **fileID** The ID of the file being downloaded.
-- **cdnUrl** The URL of the CDN.
-- **filePath** The path where the file will be written.
-- **groupID** ID for the group.
-- **background** Is the download a background download?
-- **downloadMode** The download mode used for this file download session.
-- **minFileSizePolicy** The minimum content file size policy to allow the download using Peering.
-- **diceRoll** The dice roll value used in sampling events.
-- **deviceProfile** Identifies the usage or form factor. Example: Desktop or Xbox
-- **isVpn** Is the device connected to a Virtual Private Network?
-- **usedMemoryStream** Did the download use memory streaming?
-- **minDiskSizePolicyEnforced** Is the minimum disk size enforced via policy?
-- **minDiskSizeGB** The minimum disk size (in GB) required for Peering.
+- **background** Indicates whether the download is happening in the background.
+- **cdnUrl** The URL of the source CDN.
 - **clientTelId** A random number used for device sampling.
 - **costFlags** A set of flags representing network cost.
+- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM).
+- **diceRoll** Random number used for determining if a client will use peering.
+- **doClientVersion** The version of the Delivery Optimization client.
+- **doErrorCode** The Delivery Optimization error code that was returned.
+- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100).
+- **errorCode** The error code that was returned.
+- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing.
+- **fileID** The ID of the file being downloaded.
+- **filePath** The path to where the downloaded file will be written.
+- **groupID** ID for the group.
+- **isVpn** Indicates whether the device is connected to a Virtual Private Network.
+- **jobID** The ID of the Windows Update job.
+- **minDiskSizeGB** The minimum disk size (in GB) policy set for the device to allow peering with delivery optimization.
+- **minDiskSizePolicyEnforced** Indicates whether there is an enforced minimum disk size requirement for peering.
+- **minFileSizePolicy** The minimum content file size policy to allow the download using peering with delivery optimization.
+- **peerID** The ID for this delivery optimization client.
+- **scenarioID** The ID of the scenario.
+- **sessionID** The ID for the file download session.
+- **updateID** The ID of the update being downloaded.
+- **usedMemoryStream** Indicates whether the download used memory streaming.
 ### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
@@ -4446,19 +4921,19 @@ This event represents a failure to download from a CDN with Delivery Optimizatio
 The following fields are available:
+- **cdnHeaders** The HTTP headers returned by the CDN.
+- **cdnIp** The IP address of the CDN.
+- **cdnUrl** The URL of the CDN.
+- **clientTelId** A random number used for device sampling.
+- **errorCode** The error code that was returned.
+- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered.
 - **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
 - **fileID** The ID of the file being downloaded.
-- **errorCode** The error code that was returned.
 - **httpStatusCode** The HTTP status code returned by the CDN.
-- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered.
-- **sessionID** The ID of the download session.
-- **cdnUrl** The URL of the CDN.
-- **cdnIp** The IP address of the CDN.
-- **cdnHeaders** The HTTP headers returned by the CDN.
-- **clientTelId** A random number used for device sampling.
 - **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET
 - **requestSize** The size of the range requested from the CDN.
 - **responseSize** The size of the range response received from the CDN.
+- **sessionID** The ID of the download session.
 ### Microsoft.OSG.DU.DeliveryOptClient.JobError
@@ -4467,11 +4942,11 @@ This event represents a Windows Update job error. It allows for investigation of
 The following fields are available:
-- **jobID** The Windows Update job ID.
-- **fileID** The ID of the file being downloaded.
-- **errorCode** The error code returned.
 - **clientTelId** A random number used for device sampling.
+- **errorCode** The error code returned.
 - **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID** The ID of the file being downloaded.
+- **jobID** The Windows Update job ID.
 ## Windows Update events
@@ -4482,11 +4957,11 @@ This event sends data collected at the end of the Data Migration Framework (DMF)
 The following fields are available:
-- **MigrationEndtime** A system timestamp of when the DMF migration completed.
-- **UpdateIds** A collection of GUIDs for updates that are associated with the DMF session.
-- **WuClientid** The GUID of the Windows Update client responsible for triggering the DMF migration.
-- **MigrationDurationinmilliseconds** How long the DMF migration took (in milliseconds).
+- **MigrationDurationInMilliseconds** How long the DMF migration took (in milliseconds)
+- **MigrationEndTime** A system timestamp of when the DMF migration completed.
 - **RevisionNumbers** A collection of revision numbers for the updates associated with the DMF session.
+- **UpdateIds** A collection of GUIDs for updates that are associated with the DMF session.
+- **WuClientId** The GUID of the Windows Update client responsible for triggering the DMF migration
 ### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationStarted
@@ -4495,12 +4970,12 @@ This event sends data collected at the beginning of the Data Migration Framework
 The following fields are available:
-- **UpdateIds** A collection of GUIDs identifying the upgrades that are running.
-- **MigrationStarttime** The timestamp representing the beginning of the DMF migration.
-- **MigrationOEMphases** The number of OEM-authored migrators scheduled to be ran by DMF for this upgrade.
-- **WuClientid** The GUID of the Windows Update client invoking DMF.
-- **MigrationMicrosoftphases** The number of Microsoft-authored migrators scheduled to be ran by DMF for this upgrade.
+- **MigrationMicrosoftPhases** Revision numbers for the updates that were installed.
+- **MigrationOEMPhases** WU Update IDs for the updates that were installed.
+- **MigrationStartTime** The timestamp representing the beginning of the DMF migration
 - **RevisionNumbers** A collection of the revision numbers associated with the UpdateIds.
+- **UpdateIds** A collection of GUIDs identifying the upgrades that are running.
+- **WuClientId** The GUID of the Windows Update client invoking DMF
 ### Microsoft.Windows.Update.DataMigrationFramework.MigratorResult
@@ -4509,42 +4984,185 @@ This event sends DMF migrator data to help keep Windows up to date.
 The following fields are available:
-- **MigratorGuid** A GUID identifying the migrator that just completed.
-- **RunDurationInSeconds** The time it took for the migrator to complete.
 - **CurrentStep** This is the last step the migrator reported before returning a result. This tells us how far through the individual migrator the device was before failure.
-- **MigratorName** The name of the migrator that just completed.
-- **MigratorId** A GUID identifying the migrator that just completed.
 - **ErrorCode** The result (as an HRESULT) of the migrator that just completed.
+- **MigratorId** A GUID identifying the migrator that just completed.
+- **MigratorName** The name of the migrator that just completed.
+- **RunDurationInSeconds** The time it took for the migrator to complete.
 - **TotalSteps** Migrators report progress in number of completed steps against the total steps. This is the total number of steps.
+### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed
+
+This event indicates that a notification dialog box is about to be displayed to user.
+
+The following fields are available:
+
+- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode.
+- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before the RebootFailed dialog box is shown.
+- **DeviceLocalTime** The local time on the device sending the event.
+- **EngagedModeLimit** The number of days to switch between DTE dialog boxes.
+- **EnterAutoModeLimit** The maximum number of days for a device to enter Auto Reboot mode.
+- **ETag** OneSettings versioning value.
+- **IsForcedEnabled** Indicates whether Forced Reboot mode is enabled for this device.
+- **IsUltimateForcedEnabled** Indicates whether Ultimate Forced Reboot mode is enabled for this device.
+- **NotificationUxState** Indicates which dialog box is shown.
+- **NotificationUxStateString** Indicates which dialog box is shown.
+- **RebootUxState** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced).
+- **RebootUxStateString** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced).
+- **RebootVersion** Version of DTE.
+- **SkipToAutoModeLimit** The minimum length of time to pass in restart pending before a device can be put into auto mode.
+- **UpdateId** The ID of the update that is pending restart to finish installation.
+- **UpdateRevision** The revision of the update that is pending restart to finish installation.
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog
+
+This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime** The local time on the device sending the event.
+- **ETag** OneSettings versioning value.
+- **ExitCode** Indicates how users exited the dialog box.
+- **RebootVersion** Version of DTE.
+- **UpdateId** The ID of the update that is pending restart to finish installation.
+- **UpdateRevision** The revision of the update that is pending restart to finish installation.
+- **UserResponseString** The option that user chose on this dialog box.
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog
+
+This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime** The local time on the device sending the event.
+- **ETag** OneSettings versioning value.
+- **ExitCode** Indicates how users exited the dialog box.
+- **RebootVersion** Version of DTE.
+- **UpdateId** The ID of the update that is pending restart to finish installation.
+- **UpdateRevision** The revision of the update that is pending restart to finish installation.
+- **UserResponseString** The option that user chose in this dialog box.
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootForcedPrecursorDialog
+
+This event indicates that the Enhanced Engaged restart "forced precursor" dialog box was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime** The local time on the device sending the event.
+- **ETag** OneSettings versioning value.
+- **ExitCode** Indicates how users exited the dialog box.
+- **RebootVersion** Version of DTE.
+- **UpdateId** The ID of the update that is pending restart to finish installation.
+- **UpdateRevision** The revision of the update that is pending restart to finish installation.
+- **UserResponseString** The option that the user chose in this dialog box.
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootForcedWarningDialog
+
+This event indicates that the Enhanced Engaged "forced warning" dialog box was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime** The local time on the device sending the event.
+- **ETag** OneSettings versioning value.
+- **ExitCode** Indicates how users exited the dialog box.
+- **RebootVersion** Version of DTE.
+- **UpdateId** The ID of the update that is pending restart to finish installation.
+- **UpdateRevision** The revision of the update that is pending restart to finish installation.
+- **UserResponseString** The option that the user chose in this dialog box.
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog
+
+This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime** The local time of the device sending the event.
+- **ETag** OneSettings versioning value.
+- **ExitCode** Indicates how users exited the dialog box.
+- **RebootVersion** Version of DTE.
+- **UpdateId** The ID of the update that is pending restart to finish installation.
+- **UpdateRevision** The revision of the update that is pending restart to finish installation.
+- **UserResponseString** The option that the user chose in this dialog box.
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog
+
+This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime** Time the dialog box was shown on the local device.
+- **ETag** OneSettings versioning value.
+- **ExitCode** Indicates how users exited the dialog box.
+- **RebootVersion** Version of DTE.
+- **UpdateId** The ID of the update that is pending restart to finish installation.
+- **UpdateRevision** The revision of the update that is pending restart to finish installation.
+- **UserResponseString** The option that user chose in this dialog box.
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootSecondReminderDialog
+
+This event indicates that the second reminder dialog box was displayed for Enhanced Engaged restart.
+
+The following fields are available:
+
+- **DeviceLocalTime** The time the dialog box was shown on the local device.
+- **ETag** OneSettings versioning value.
+- **ExitCode** Indicates how users exited the dialog box.
+- **RebootVersion** Version of DTE.
+- **UpdateId** The ID of the update that is pending restart to finish installation.
+- **UpdateRevision** The revision of the update that is pending restart to finish installation.
+- **UserResponseString** The option that the user chose in this dialog box.
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootThirdReminderDialog
+
+This event indicates that the third reminder dialog box for Enhanced Engaged restart was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime** The time the dialog box was shown on the local device.
+- **ETag** OneSettings versioning value.
+- **ExitCode** Indicates how users exited the dialog box.
+- **RebootVersion** Version of DTE.
+- **UpdateId** The ID of the update that is pending restart to finish installation.
+- **UpdateRevision** The revision of the update that is pending restart to finish installation.
+- **UserResponseString** The option that the user chose in this dialog box.
+
+
 ### Microsoft.Windows.Update.Orchestrator.CommitFailed
-This events tracks when a device needs to restart after an update but did not.
+This event indicates that a device was unable to restart after an update.
 The following fields are available:
-- **wuDeviceid** The Windows Update device GUID.
 - **errorCode** The error code that was returned.
+- **wuDeviceid** The Windows Update device GUID.
 ### Microsoft.Windows.Update.Orchestrator.Detection
-This event sends launch data for a Windows Update scan to help keep Windows up to date.
+This event indicates that a scan for a Windows Update occurred.
 The following fields are available:
-- **wuDeviceid** Unique device ID used by Windows Update.
-- **revisionNumber** Update revision number.
-- **eventScenario** End to end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
 - **deferReason** Reason why the device could not check for updates.
 - **detectionBlockreason** Reason for detection not completing.
-- **interactive** Identifies if session is User Initiated.
-- **updateId** Update ID.
 - **detectionDeferreason** A log of deferral reasons for every update state.
-- **flightID** A unique update ID.
-- **updateScenarioType** The update session type.
 - **errorCode** The returned error code.
+- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **interactive** Indicates whether the session was user initiated.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **wuDeviceid** Unique device ID used by Windows Update.
 ### Microsoft.Windows.Update.Orchestrator.Download
@@ -4553,31 +5171,31 @@ This event sends launch data for a Windows Update download to help keep Windows
 The following fields are available:
+- **deferReason** Reason for download not completing.
 - **detectionDeferreason** Reason for download not completing
-- **wuDeviceid** Unique device ID used by Windows Update.
-- **interactive** Identifies if session is user initiated.
+- **errorCode** An error code represented as a hexadecimal value.
+- **eventScenario** End-to-end update session ID.
+- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **interactive** Indicates whether the session is user initiated.
 - **revisionNumber** Update revision number.
-- **deferReason** Reason for download not completing
 - **updateId** Update ID.
-- **eventScenario** End to end update session ID.
-- **errorCode** An error code represented as a hexadecimal value
-- **flightID** Unique update ID.
 - **updateScenarioType** The update session type.
+- **wuDeviceid** Unique device ID used by Windows Update.
 ### Microsoft.Windows.Update.Orchestrator.FlightInapplicable
-This event sends data on whether the update was applicable to the device, to help keep Windows up to date.
+This event indicates that the update is no longer applicable to this device.
 The following fields are available:
-- **updateId** Unique Update ID
-- **revisionNumber** Revision Number of the Update
-- **UpdateStatus** Integer that describes Update state
-- **EventPublishedTime** time that the event was generated
-- **wuDeviceid** Unique Device ID
-- **flightID** Unique Update ID
-- **updateScenarioType** The update session type.
+- **EventPublishedTime** Time when this event was generated.
+- **flightID** The specific ID of the Windows Insider build.
+- **revisionNumber** Update revision number.
+- **updateId** Unique Windows Update ID.
+- **updateScenarioType** Update session type.
+- **UpdateStatus** Last status of update.
+- **wuDeviceid** Unique Device ID.
 ### Microsoft.Windows.Update.Orchestrator.InitiatingReboot
@@ -4586,15 +5204,15 @@ This event sends data about an Orchestrator requesting a reboot from power manag
 The following fields are available:
-- **revisionNumber** Revision number of the update.
 - **EventPublishedTime** Time of the event.
-- **updateId** Update ID.
-- **wuDeviceid** Unique device ID used by Windows Update.
 - **flightID** Unique update ID
-- **interactive** Indicates the reboot initiation stage of the update process was entered as a result of user action or not.
-- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
-- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action.
+- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours.
+- **revisionNumber** Revision number of the update.
+- **updateId** Update ID.
 - **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated.
+- **wuDeviceid** Unique device ID used by Windows Update.
 ### Microsoft.Windows.Update.Orchestrator.Install
@@ -4603,59 +5221,59 @@ This event sends launch data for a Windows Update install to help keep Windows u
 The following fields are available:
-- **eventScenario** End to end update session ID.
-- **deferReason** Reason for install not completing.
-- **interactive** Identifies if session is user initiated.
-- **wuDeviceid** Unique device ID used by Windows Update.
 - **batteryLevel** Current battery capacity in mWh or percentage left.
-- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress.
+- **deferReason** Reason for install not completing.
 - **errorCode** The error code reppresented by a hexadecimal value.
-- **updateId** Update ID.
-- **revisionNumber** Update revision number.
-- **flightID** Unique update ID
-- **installRebootinitiatetime** The time it took for a reboot to be attempted.
-- **flightUpdate** Flight update
-- **minutesToCommit** The time it took to install updates.
+- **eventScenario** End-to-end update session ID.
+- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **flightUpdate** Indicates whether the update is a Windows Insider build.
 - **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates.
-- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
-- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress.
+- **installRebootinitiatetime** The time it took for a reboot to be attempted.
+- **interactive** Identifies if session is user initiated.
+- **minutesToCommit** The time it took to install updates.
+- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
 - **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **wuDeviceid** Unique device ID used by Windows Update.
 ### Microsoft.Windows.Update.Orchestrator.PostInstall
-This event sends data about lite stack devices (mobile, IOT, anything non-PC) immediately before data migration is launched to help keep Windows up to date.
+This event is sent after a Windows update install completes.
 The following fields are available:
-- **wuDeviceid** Unique device ID used by Windows Update.
-- **eventScenario** End to end update session ID.
-- **sessionType** Interactive vs. Background.
-- **bundleRevisionnumber** Bundle revision number.
 - **batteryLevel** Current battery capacity in mWh or percentage left.
-- **bundleId** Update grouping ID.
-- **errorCode** Hex code for the error message, to allow lookup of the specific error.
+- **bundleId** Identifier associated with the specific content bundle.
+- **bundleRevisionnumber** Identifies the revision number of the content bundle.
+- **errorCode** The error code returned for the current phase.
+- **eventScenario** State of update action.
 - **flightID** Unique update ID.
+- **sessionType** The Windows Update session type (Interactive or Background).
+- **wuDeviceid** Unique device ID used by Windows Update.
 ### Microsoft.Windows.Update.Orchestrator.RebootFailed
-This event sends information about whether an update required a reboot and reasons for failure to help keep Windows up to date.
+This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date.
 The following fields are available:
-- **updateId** Update ID.
 - **batteryLevel** Current battery capacity in mWh or percentage left.
-- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code.
-- **installRebootDeferreason** Reason for reboot not occurring.
-- **revisionNumber** Update revision number.
-- **EventPublishedTime** The time that the reboot failure occurred.
 - **deferReason** Reason for install not completing.
-- **wuDeviceid** Unique device ID used by Windows Update.
+- **EventPublishedTime** The time that the reboot failure occurred.
 - **flightID** Unique update ID.
-- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
-- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **installRebootDeferreason** Reason for reboot not occurring.
+- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours.
+- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
 - **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **wuDeviceid** Unique device ID used by Windows Update.
 ### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask
@@ -4665,9 +5283,9 @@ This event sends data indicating that a reboot task is missing unexpectedly on a
 The following fields are available:
 - **RebootTaskRestoredTime** Time at which this reboot task was restored.
-- **wuDeviceid** Device id on which the reboot is restored
 - **revisionNumber** Update revision number.
 - **updateId** Update ID.
+- **wuDeviceid** Device ID for the device on which the reboot is restored.
 ### Microsoft.Windows.Update.Orchestrator.SystemNeeded
@@ -4676,14 +5294,14 @@ This event sends data about why a device is unable to reboot, to help keep Windo
 The following fields are available:
-- **eventScenario** End to end update session ID.
-- **wuDeviceid** Unique device ID used by Windows Update.
-- **systemNeededReason** Reason ID
-- **updateId** Update ID.
+- **eventScenario** End-to-end update session ID.
+- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours.
 - **revisionNumber** Update revision number.
-- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
-- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **systemNeededReason** List of apps or tasks that are preventing the system from restarting.
+- **updateId** Update ID.
 - **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **wuDeviceid** Unique device ID used by Windows Update.
 ### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh
@@ -4692,11 +5310,11 @@ This event sends data on whether Update Management Policies were enabled on a de
 The following fields are available:
+- **configuredPoliciescount** Number of policies on the device.
+- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight).
+- **policyCacherefreshtime** Time when policy cache was refreshed.
+- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option.
 - **wuDeviceid** Unique device ID used by Windows Update.
-- **policyCacherefreshtime** Refresh time
-- **policiesNamevaluesource** Policy Name
-- **updateInstalluxsetting** This shows whether a user has set policies via UX option
-- **configuredPoliciescount** Policy Count
 ### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired
@@ -4705,13 +5323,13 @@ This event sends data about whether an update required a reboot to help keep Win
 The following fields are available:
-- **updateId** Update ID.
+- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action.
 - **revisionNumber** Update revision number.
-- **wuDeviceid** Unique device ID used by Windows Update.
-- **flightID** Unique update ID.
-- **interactive** Indicates the reboot initiation stage of the update process was entered as a result of user action or not.
-- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateId** Update ID.
 - **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **wuDeviceid** Unique device ID used by Windows Update.
 ### Microsoft.Windows.Update.UpdateStackServicing.CheckForUpdates
@@ -4720,18 +5338,18 @@ This event sends data about the UpdateStackServicing check for updates, to help
 The following fields are available:
-- **EventScenario** The scenario of the event. Example: Started, Failed, or Succeeded
-- **StatusCode** The HRESULT code of the operation.
+- **BspVersion** The version of the BSP.
 - **CallerApplicationName** The name of the USS scheduled task. Example UssScheduled or UssBoot
 - **ClientVersion** The version of the client.
-- **EventInstanceID** The USS session ID.
-- **WUDeviceID** The Windows Update device ID.
-- **ServiceGuid** The GUID of the service.
-- **BspVersion** The version of the BSP.
-- **OemName** The name of the manufacturer.
-- **DeviceName** The name of the device.
 - **CommercializationOperator** The name of the operator.
 - **DetectionVersion** The string returned from the GetDetectionVersion export of the downloaded detection DLL.
+- **DeviceName** The name of the device.
+- **EventInstanceID** The USS session ID.
+- **EventScenario** The scenario of the event. Example: Started, Failed, or Succeeded
+- **OemName** The name of the manufacturer.
+- **ServiceGuid** The GUID of the service.
+- **StatusCode** The HRESULT code of the operation.
+- **WUDeviceID** The Windows Update device ID.
 ### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded
@@ -4749,16 +5367,16 @@ This event sends data about a required reboot that is scheduled with no user int
 The following fields are available:
-- **updateId** Update ID of the update that is getting installed with this reboot.
-- **ScheduledRebootTime** Time of the scheduled reboot.
-- **wuDeviceid** Unique device ID used by Windows Update.
-- **revisionNumber** Revision number of the update that is getting installed with this reboot.
-- **forcedreboot** True, if a reboot is forced on the device. False, otherwise.
+- **activeHoursApplicable** Indicates whether Active Hours applies on this device.
+- **forcedReboot** True, if a reboot is forced on the device. Otherwise, this is False
 - **rebootArgument** Argument for the reboot task. It also represents specific reboot related action.
-- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically.
-- **activeHoursApplicable** True, If Active Hours applicable on this device. False, otherwise.
 - **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise.
-- **rebootState** The state of the reboot.
+- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically.
+- **rebootState** Current state of the reboot.
+- **revisionNumber** Revision number of the OS.
+- **scheduledRebootTime** Time scheduled for the reboot.
+- **updateId** Identifies which update is being scheduled.
+- **wuDeviceid** Unique device ID used by Windows Update.
 ### Microsoft.Windows.Update.Ux.MusNotification.ToastDisplayedToScheduleReboot
@@ -4776,16 +5394,16 @@ This event sends basic information for scheduling a device restart to install se
 The following fields are available:
-- **ScheduledRebootTime** The time that the device was restarted.
-- **updateId** The Windows Update device GUID.
-- **revisionNumber** The revision number of the OS being updated.
-- **wuDeviceid** The Windows Update device GUID.
-- **forcedreboot** Is the restart that's being scheduled a forced restart?
-- **rebootArgument** The arguments that are passed to the OS for the restarted.
-- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device.
 - **activeHoursApplicable** Is the restart respecting Active Hours?
+- **forcedReboot** True, if a reboot is forced on the device. Otherwise, this is False
+- **rebootArgument** The arguments that are passed to the OS for the restarted.
 - **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours?
+- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device.
 - **rebootState** The state of the restart.
+- **revisionNumber** The revision number of the OS being updated.
+- **scheduledRebootTime** Time of the scheduled reboot
+- **updateId** The Windows Update device GUID.
+- **wuDeviceid** The Windows Update device GUID.
 ## Winlogon events
@@ -4796,3 +5414,4 @@ This event signals the completion of the setup process. It happens only once dur
+
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
index d9719bbdd6..665450f693 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1709.md
@@ -1,27 +1,26 @@ --- -description: Learn more about the Windows diagnostic data that is gathered at the basic level. +description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. title: Windows 10, version 1709 basic diagnostic events and fields (Windows 10) -keywords: privacy, diagnostic data +keywords: privacy, telemetry ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security localizationpriority: high -author: danihalfin -ms.author: daniha -ms.date: 06/20/2018 +author: brianlic-msft +ms.author: brianlic +ms.date: 09/10/2018 --- # Windows 10, version 1709 basic level Windows diagnostic events and fields - **Applies to** - Windows 10, version 1709 -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. 
@@ -30,340 +29,315 @@ Use this article to learn about diagnostic events, grouped by event area, and th You can learn more about Windows functional and diagnostic data through these articles: -- [Windows 10, version 1803 basic diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1803) -- [Windows 10, version 1703 basic diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703) -- [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services) -- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization) +- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md) +- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) +- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) +- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) -## Common data extensions - -### Common Data Extensions.App - - - -The following fields are available: - -- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. -- **userId** The userID as known by the application. -- **env** The environment from which the event was logged. -- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. 
-
-
-### Common Data Extensions.CS
-
-
-
-The following fields are available:
-
-- **sig** A common schema signature that identifies new and modified event schemas.
-
-
-### Common Data Extensions.CUET
-
-
-
-The following fields are available:
-
-- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID.
-- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW.
-- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW.
-- **op** Represents the ETW Op Code.
-- **cat** Represents a bitmask of the ETW Keywords associated with the event.
-- **flags** Represents the bitmap that captures various Windows specific flags.
-- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer.
-- **tickets** A list of strings that represent entries in the HTTP header of the web request that includes this event.
-- **bseq** Upload buffer sequence number in the format \:\
-- **mon** Combined monitor and event sequence numbers in the format \:\
-
-
-### Common Data Extensions.Device
-
-
-
-The following fields are available:
-
-- **ver** Represents the major and minor version of the extension.
-- **localId** Represents a locally defined unique ID for the device, not the human readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId
-- **deviceClass** Represents the classification of the device, the device “family”.  For example, Desktop, Server, or Mobile.
-
-
-### Common Data Extensions.Envelope
-
-
-
-The following fields are available:
-
-- **ver** Represents the major and minor version of the extension.
-- **name** Represents the uniquely qualified name for the event.
-- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format.
-- **popSample** Represents the effective sample rate for this event at the time it was generated by a client.
-- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server.
-- **seqNum** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue.  The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
-- **iKey** Represents an ID for applications or other logical groupings of events.
-- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experiences and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency.
-- **os** Represents the operating system name.
-- **osVer** Represents the OS version, and its format is OS dependent.
-- **appId** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application.
-- **appVer** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app.
-- **cV** Represents the Correlation Vector: A single field for tracking partial order of related diagnostic data events across component boundaries.
-
-
-### Common Data Extensions.OS
-
-
-
-The following fields are available:
-
-- **ver** Represents the major and minor version of the extension.
-- **expId** Represents the experiment ID.
The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema.
-- **locale** Represents the locale of the operating system.
-- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot.
-
-
-### Common Data Extensions.User
-
-
-
-The following fields are available:
-
-- **ver** Represents the major and minor version of the extension.
-- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID.
-
-
-### Common Data Extensions.XBL
-
-
-
-The following fields are available:
-
-- **nbf** Not before time
-- **expId** Expiration time
-- **sbx** XBOX sandbox identifier
-- **dty** XBOX device type
-- **did** XBOX device ID
-- **xid** A list of base10-encoded XBOX User IDs.
-- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
-
-
-### Common Data Extensions.Consent UI Event
-
-This User Account Control (UAC) diagnostic data point collects information on elevations that originate from low integrity levels. This occurs when a process running at low integrity level (IL) requires higher (administrator) privileges, and therefore requests for elevation via UAC (consent.exe). By better understanding the processes requesting these elevations, Microsoft can in turn improve the detection and handling of potentially malicious behavior in this path.
-
-The following fields are available:
-
-- **eventType** Represents the type of elevation: If it succeeded, was cancelled, or was auto-approved.
-- **splitToken** Represents the flag used to distinguish between administrators and standard users.
-- **friendlyName** Represents the name of the file requesting elevation from low IL.
-- **elevationReason** Represents the distinction between various elevation requests sources (appcompat, installer, COM, MSI and so on).
-- **exeName** Represents the name of the file requesting elevation from low IL.
-- **signatureState** Represents the state of the signature, if it signed, unsigned, OS signed and so on.
-- **publisherName** Represents the name of the publisher of the file requesting elevation from low IL.
-- **cmdLine** Represents the full command line arguments being used to elevate.
-- **Hash.Length** Represents the length of the hash of the file requesting elevation from low IL.
-- **Hash** Represents the hash of the file requesting elevation from low IL.
-- **HashAlgId** Represents the algorithm ID of the hash of the file requesting elevation from low IL.
-- **telemetryFlags** Represents the details about the elevation prompt for CEIP data.
-- **timeStamp** Represents the time stamp on the file requesting elevation.
-- **fileVersionMS** Represents the major version of the file requesting elevation.
-- **fileVersionLS** Represents the minor version of the file requesting elevation.
-
-
-## Common data fields
-
-### Common Data Fields.MS.Device.DeviceInventory.Change
-
-These fields are added whenever Ms.Device.DeviceInventoryChange is included in the event.
-
-The following fields are available:
-
-- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
-- **objectType** Indicates the object type that the event applies to.
-- **Action** The change that was invoked on a device inventory object.
-- **inventoryId** Device ID used for Compatibility testing
-
-
-### Common Data Fields.TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate.PreUpgradeSettings
-
-These fields are added whenever PreUpgradeSettings is included in the event.
-
-The following fields are available:
-
-- **HKLM_SensorPermissionState.SensorPermissionState** The state of the Location service before the feature update completed.
-- **HKLM_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the device.
-- **HKCU_SensorPermissionState.SensorPermissionState** The state of the Location service when a user signs on before the feature update completed.
-- **HKCU_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the current user.
-- **HKLM_LocationPlatform.Status** The state of the location platform after the feature update has completed.
-- **HKLM_LocationPlatform.HRESULT** The error code returned when trying to query the location platform for the device.
-- **HKLM_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the device before the feature update completed.
-- **HKLM_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the device.
-- **HKCU_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the current user before the feature update completed.
-- **HKCU_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the current user.
-- **HKLM_AllowTelemetry.AllowTelemetry** The state of the Connected User Experiences and Telemetry component for the device before the feature update.
-- **HKLM_AllowTelemetry.HRESULT** The error code returned when trying to query the Connected User Experiences and Telemetry conponent for the device.
-- **HKLM_TIPC.Enabled** The state of TIPC for the device.
-- **HKLM_TIPC.HRESULT** The error code returned when trying to query TIPC for the device.
-- **HKCU_TIPC.Enabled** The state of TIPC for the current user.
-- **HKCU_TIPC.HRESULT** The error code returned when trying to query TIPC for the current user.
-- **HKLM_FlipAhead.FPEnabled** Is Flip Ahead enabled for the device before the feature update was completed?
-- **HKLM_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the device.
-- **HKCU_FlipAhead.FPEnabled** Is Flip Ahead enabled for the current user before the feature update was completed?
-- **HKCU_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the current user.
-- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled** Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed?
-- **HKCU_TailoredExperiences.HRESULT** The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user.
-- **HKLM_AdvertisingID.Enabled** Is the adveristing ID enabled for the device?
-- **HKLM_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the device.
-- **HKCU_AdvertisingID.Enabled** Is the adveristing ID enabled for the current user?
-- **HKCU_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the user.
-
-
-### Common Data Fields.TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate.PostUpgradeSettings
-
-These fields are added whenever PostUpgradeSettings is included in the event.
-
-The following fields are available:
-
-- **HKLM_SensorPermissionState.SensorPermissionState** The state of the Location service after the feature update has completed.
-- **HKLM_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the device.
-- **HKCU_SensorPermissionState.SensorPermissionState** The state of the Location service when a user signs on after a feature update has completed.
-- **HKCU_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the current user.
-- **HKLM_LocationPlatform.Status** The state of the location platform after the feature update has completed.
-- **HKLM_LocationPlatform.HRESULT** The error code returned when trying to query the location platform for the device.
-- **HKLM_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the device after the feature update has completed.
-- **HKLM_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the device.
-- **HKCU_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the current user after the feature update has completed.
-- **HKCU_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the current user.
-- **HKLM_AllowTelemetry.AllowTelemetry** The state of the Connected User Experiences and Telemetry component for the device after the feature update.
-- **HKLM_AllowTelemetry.HRESULT** The error code returned when trying to query the Connected User Experiences and Telemetry conponent for the device.
-- **HKLM_TIPC.Enabled** The state of TIPC for the device.
-- **HKLM_TIPC.HRESULT** The error code returned when trying to query TIPC for the device.
-- **HKCU_TIPC.Enabled** The state of TIPC for the current user.
-- **HKCU_TIPC.HRESULT** The error code returned when trying to query TIPC for the current user.
-- **HKLM_FlipAhead.FPEnabled** Is Flip Ahead enabled for the device after the feature update has completed?
-- **HKLM_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the device.
-- **HKCU_FlipAhead.FPEnabled** Is Flip Ahead enabled for the current user after the feature update has completed?
-- **HKCU_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the current user.
-- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled** Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed? -- **HKCU_TailoredExperiences.HRESULT** The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user. -- **HKLM_AdvertisingID.Enabled** Is the adveristing ID enabled for the device? -- **HKLM_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the device. -- **HKCU_AdvertisingID.Enabled** Is the adveristing ID enabled for the current user? -- **HKCU_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the user. - ## Appraiser events -### Microsoft.Windows.Appraiser.General.RunContext +### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount -This event indicates what should be expected in the data payload. +Invalid Signature - This event is superseded by an event that contains additional fields. The following fields are available: -- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. -- **AppraiserProcess** The name of the process that launched Appraiser. -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Context** Indicates what mode Appraiser is running in. Example: Setup or Diagnostic Data. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **Time** The client time of the event. +- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceApplicationFile_RS4** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceDevicePnp_RS4** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device. 
+- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. +- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. +- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device. +- **DecisionApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device. +- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device. +- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device. +- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device. +- **DecisionMediaCenter_RS4** The count of the number of this particular object type present on this device. +- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device. +- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **InventoryApplicationFile** The count of the number of this particular object type present on this device. +- **InventoryLanguagePack** The count of InventoryLanguagePack objects present on this machine. +- **InventoryMediaCenter** The count of the number of this particular object type present on this device. 
+- **InventorySystemBios** The count of the number of this particular object type present on this device. +- **InventoryTest** The count of the number of this particular object type present on this device. +- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. +- **PCFP** An ID for the system, calculated by hashing hardware identifiers. +- **SystemMemory** The count of the number of this particular object type present on this device. +- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. +- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. +- **SystemProcessorNx** The count of the number of this particular object type present on this device. +- **SystemProcessorPrefetchW** The count of SystemProcessorPrefetchW objects present on this machine. +- **SystemProcessorSse2** The count of SystemProcessorSse2 objects present on this machine. +- **SystemTouch** The count of SystemTouch objects present on this machine. +- **SystemWim** The count of SystemWim objects present on this machine. +- **SystemWindowsActivationStatus** The count of SystemWindowsActivationStatus objects present on this machine. +- **SystemWlan** The count of the number of this particular object type present on this device. +- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device. -### Microsoft.Windows.Appraiser.General.TelemetryRunHealth +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd -A summary event indicating the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up-to-date. 
+Represents the basic metadata about specific application files installed on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. -- **AppraiserDataVersion** The version of the data files being used by the Appraiser diagnostic data run. -- **AppraiserProcess** The name of the process that launched Appraiser. -- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. -- **AuxFinal** Obsolete, always set to false -- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. -- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. -- **EnterpriseRun** Indicates if the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. -- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. -- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. -- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. -- **RunAppraiser** Indicates if Appraiser was set to run at all. 
If this if false, it is understood that data events will not be received from this device. -- **RunDate** The date that the diagnostic data run was stated, expressed as a filetime. -- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic. -- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. -- **RunResult** The hresult of the Appraiser diagnostic data run. -- **SendingUtc** Indicates if the Appraiser client is sending events during the current diagnostic data run. -- **StoreHandleIsNotNull** Obsolete, always set to false -- **TelementrySent** Indicates if diagnostic data was successfully sent. -- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability. -- **Time** The client time of the event. -- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. -- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **AvDisplayName** If the app is an anti-virus app, this is its display name. +- **CompatModelIndex** The compatibility prediction for this file. +- **HasCitData** Indicates whether the file is present in CIT data. +- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. +- **IsAv** Is the file an anti-virus reporting EXE? +- **ResolveAttempted** This will always be an empty string when sending telemetry. +- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. 
-### Microsoft.Windows.Appraiser.General.EnterpriseScenarioWithDiagTrackServiceRunning +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove -The event that indicates that Appraiser has been triggered to run an enterprise scenario while the DiagTrack service is installed. This event can only be sent if a special flag is used to trigger the enterprise scenario. +This event indicates that the DatasourceApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **PCFP** An ID for the system calculated by hashing hardware identifiers. -- **Time** The client time of the event. +- **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync -This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or are part of an anti-virus program. +This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd + +This event sends compatibility data for a Plug and Play device, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **ActiveNetworkConnection** Indicates whether the device is an active network device. +- **AppraiserVersion** The version of the appraiser file generating the events. 
+- **IsBootCritical** Indicates whether the device boot is critical. +- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update. +- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. +- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove + +This event indicates that the DatasourceDevicePnp object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync + +This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd + +This event sends compatibility database data about driver packages to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove + +This event indicates that the DatasourceDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. 
+ + +### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync + +This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd + +This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove + +This event indicates that the DataSourceMatchingInfoBlock object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync + +This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd + +This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. 
+ +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove + +This event indicates that the DataSourceMatchingInfoPassive object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync + +This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd + +This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove + +This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. 
+ + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd + +This event sends compatibility database information about the BIOS to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. -- **AvDisplayName** If the app is an anti-virus app, this is its display name. -- **AvProductState** Represents state of antivirus program with respect to whether it's turned on and the signatures are up-to-date. -- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64 -- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. -- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. -- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. -- **CompanyName** The company name of the vendor who developed this file. -- **FileId** A hash that uniquely identifies a file. -- **FileVersion** The File version field from the file metadata under Properties -> Details. -- **HasUpgradeExe** Does the anti-virus app have an upgrade.exe file? -- **IsAv** Is the file an anti-virus reporting EXE? 
-- **LinkDate** The date and time that this file was linked on. -- **LowerCaseLongPath** The full file path to the file that was inventoried on the device. -- **Name** The name of the file that was inventoried. -- **ProductName** The Product name field from the file metadata under Properties -> Details. -- **ProductVersion** The Product version field from the file metadata under Properties -> Details. -- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. -- **Size** The size of the file (in hexadecimal bytes). -### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd -This event represents the drivers that an application installs. +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove + +This event indicates that the DatasourceSystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **InventoryVersion** The version of the inventory component -- **Programids** The unique program identifier the driver is associated with. +- **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync +### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync -This event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. +This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **InventoryVersion** The version of the inventory component. +- **AppraiserVersion** The version of the Appraiser file that is generating the events. 
+ ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd This event sends compatibility decision data about a file to help keep Windows up-to-date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: -- **AppraiserVersion** The version of the appraiser file generating the events. +- **AppraiserVersion** The version of the appraiser file that is generating the events. - **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. -- **BlockingApplication** Are there any application issues that interfere with upgrade due to the file in question? +- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. - **DisplayGenericMessage** Will be a generic message be shown for this file? - **HardBlock** This file is blocked in the SDB. - **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? 
@@ -381,93 +355,40 @@ The following fields are available: - **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade. - **SoftBlock** The file is softblocked in the SDB and has a warning. -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd -This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -The following fields are available: +This event indicates Indicates that the DecisionApplicationFile object is no longer present. -- **AppraiserVersion** The version of the appraiser file generating the events. - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd - -This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. -- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? -- **DisplayGenericMessage** Will a generic message be shown for this block? -- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block? -- **SdbBlockUpgrade** Is a matching info block blocking upgrade? -- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag? -- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag? 
- - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd - -This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd - -This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? -- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd +### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync -This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. +This event indicates that a new set of DecisionApplicationFileAdd events will be sent. -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd - -This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up-to-date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? -- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? -- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app? -- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). - - -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd - -This event sends compatibility data for a PNP device, to help keep Windows up-to-date. - -The following fields are available: - -- **ActiveNetworkConnection** Is the device an active network device? -- **AppraiserVersion** The version of the appraiser file generating the events. -- **IsBootCritical** Is the device boot critical? -- **WuDriverCoverage** Is there a driver uplevel for this device according to Windows Update? -- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. -- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. ### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd -This event sends compatibility decision data about a PNP device to help keep Windows up-to-date. +This event sends compatibility decision data about a PNP device to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate? - **AppraiserVersion** The version of the appraiser file generating the events. - **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked? 
+- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate? - **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked? - **BlockingDevice** Is this PNP device blocking upgrade? - **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS? @@ -483,17 +404,33 @@ The following fields are available: - **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden? -### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove -This event sends compatibility database data about driver packages to help keep Windows up-to-date. +This event indicates that the DecisionDevicePnp object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **AppraiserVersion** The version of the appraiser file generating the events. +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync + +The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + ### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd -This event sends decision data about driver package compatibility to help keep Windows up-to-date. +This event sends decision data about driver package compatibility to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
@@ -505,188 +442,144 @@ The following fields are available: - **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden? -### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove -This event sends basic metadata about the BIOS to determine whether it has a compatibility block. +This event indicates that the DecisionDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BiosDate** The release date of the BIOS in UTC format. -- **BiosName** The name field from Win32_BIOS. -- **Manufacturer** The manufacturer field from Win32_ComputerSystem. -- **Model** The model field from Win32_ComputerSystem. -### Microsoft.Windows.Appraiser.General.SystemMemoryAdd +### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync -This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. +This event indicates that a new set of DecisionDriverPackageAdd events will be sent. -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the device from upgrade due to memory restrictions? -- **MemoryRequirementViolated** Was a memory requirement violated? -- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes). -- **ram** The amount of memory on the device. -- **ramKB** The amount of memory (in KB). -- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes). -- **virtualKB** The amount of virtual memory (in KB). 
- - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd - -This event sends compatibility decision data about the BIOS to help keep Windows up-to-date. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the device blocked from upgrade due to a BIOS block? -- **HasBiosBlock** Does the device have a BIOS block? - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd - -This event sends compatibility database information about the BIOS to help keep Windows up-to-date. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **SdbEntries** An array of fields indicating the SDB entries that apply to this BIOS. - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd - -This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **CompareExchange128Support** Does the CPU support CompareExchange128? - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd - -This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **LahfSahfSupport** Does the CPU support LAHF/SAHF? - -### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd - -This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support. -- **NXProcessorSupport** Does the processor support NX? -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd -This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up-to-date. +This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. +- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks? +- **DisplayGenericMessage** Will a generic message be shown for this block? +- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block? +- **SdbBlockUpgrade** Is a matching info block blocking upgrade? +- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag? +- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag? + + +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove + +This event indicates that the DecisionMatchingInfoBlock object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
-- **Blocking** Is the upgrade blocked due to the processor? -- **PrefetchWSupport** Does the processor support PrefetchW? -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync -This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up-to-date. +This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked due to the processor? -- **SSE2ProcessorSupport** Does the processor support SSE2? -### Microsoft.Windows.Appraiser.General.SystemWimAdd +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd -This event sends data indicating whether the operating system is running from a compressed WIM file, to help keep Windows up-to-date. +This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **IsWimBoot** Is the current operating system running from a compressed WIM file? -- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. +- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks? +- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade? 
-### Microsoft.Windows.Appraiser.General.SystemTouchAdd +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove -This event sends data indicating whether the system supports touch, to help keep Windows up-to-date. +This event Indicates that the DecisionMatchingInfoPassive object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer? -- **MaximumTouches** The maximum number of touch points supported by the device hardware. -### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync -This event sends data indicating whether the current operating system is activated, to help keep Windows up-to-date. +This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated. -- **WindowsNotActivatedDecision** Is the current operating system activated? -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd -This event sends data about the number of language packs installed on the system, to help keep Windows up-to-date. +This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **HasLanguagePack** Does this device have 2 or more language packs? -- **LanguagePackCount** How many language packs are installed? +- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app? +- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade? +- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app? +- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade). -### Microsoft.Windows.Appraiser.General.SystemWlanAdd +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove -This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date. +This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **Blocking** Is the upgrade blocked because of an emulated WLAN driver? -- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block? -- **WlanEmulatedDriver** Does the device have an emulated WLAN driver? -- **WlanExists** Does the device support WLAN at all? -- **WlanModulePresent** Are any WLAN modules present? -- **WlanNativeDriver** Does the device have a non-emulated WLAN driver? 
-### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd +### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync -This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date. +This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **AppraiserVersion** The version of the Appraiser file generating the events. -- **EverLaunched** Has Windows Media Center ever been launched? -- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? -- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured? -- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch? -- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files? -- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center? -- **IsSupported** Does the running OS support Windows Media Center? +- **AppraiserVersion** The version of the Appraiser file that is generating the events. ### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd -This event sends decision data about the presence of Windows Media Center, to help keep Windows up-to-date. +This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
@@ -699,187 +592,11 @@ The following fields are available: - **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center? -### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount +### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove -This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client. +This event indicates that the DecisionMediaCenter object is no longer present. -The following fields are available: - -- **DatasourceApplicationFile_RS2** The total DatasourceApplicationFile objects targeting Windows 10 version 1703 present on this device. -- **DatasourceDevicePnp_RS2** The total DatasourceDevicePnp objects targeting Windows 10 version 1703 present on this device. -- **DatasourceDriverPackage_RS2** The total DatasourceDriverPackage objects targeting Windows 10 version 1703 present on this device. -- **DataSourceMatchingInfoBlock_RS2** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. -- **DataSourceMatchingInfoPassive_RS2** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1703 present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS2** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device. -- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device. -- **DecisionApplicationFile_RS2** The total DecisionApplicationFile objects targeting Windows 10 version 1703 present on this device. -- **DecisionDevicePnp_RS2** The total DecisionDevicePnp objects targeting Windows 10 version 1703 present on this device. -- **DecisionDriverPackage_RS2** The total DecisionDriverPackage objects targeting Windows 10 version 1703 present on this device. 
-- **DecisionMatchingInfoBlock_RS2** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device. -- **DecisionMatchingInfoPassive_RS2** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 present on this device. -- **DecisionMatchingInfoPostUpgrade_RS2** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device. -- **DecisionMediaCenter_RS2** The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device. -- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 present on this device. -- **InventoryApplicationFile** The total InventoryApplicationFile objects that are present on this device. -- **InventoryLanguagePack** The total InventoryLanguagePack objects that are present on this device. -- **InventoryMediaCenter** The total InventoryMediaCenter objects that are present on this device. -- **InventorySystemBios** The total InventorySystemBios objects that are present on this device. -- **InventoryUplevelDriverPackage** The total InventoryUplevelDriverPackage objects that are present on this device. -- **PCFP** An ID for the system that is calculated by hashing hardware identifiers. -- **SystemMemory** The total SystemMemory objects that are present on this device. -- **SystemProcessorCompareExchange** The total SystemProcessorCompareExchange objects that are present on this device. -- **SystemProcessorLahfSahf** The total SystemProcessorLahfSahf objects that are present on this device. -- **SystemProcessorNx** The total SystemProcessorNx objects that are present on this device. -- **SystemProcessorPrefetchW** The total SystemProcessorPrefetchW objects that are present on this device. -- **SystemProcessorSse2** The total SystemProcessorSse2 objects that are present on this device. -- **SystemTouch** The total SystemTouch objects that are present on this device. 
-- **SystemWim** The total SystemWim objects that are present on this device -- **SystemWindowsActivationStatus** The total SystemWindowsActivationStatus objects that are present on this device. -- **SystemWlan** The total SystemWlan objects that are present on this device. -- **Wmdrm_RS2** The total Wmdrm objects targeting Windows 10 version 1703 present on this device. -- **DatasourceApplicationFile_RS3** "The total DecisionApplicationFile objects targeting the next release of Windows on this device. " -- **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device. -- **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device. -- **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device. -- **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. -- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. -- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device. -- **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. -- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device. -- **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device. -- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device. -- **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. 
-- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. -- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. -- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device. -- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. - - -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync - -This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync - -This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync - -This event indicates that a new set of SystemProcessorSse2Add events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync - -This event indicates that a new set of InventorySystemBiosAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync - -This event indicates that a new set of DecisionSystemBiosAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. 
- - -### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync - -This event indicates that a new set of SystemMemoryAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync - -This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - -### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync - -This event indicates that a new set of SystemProcessorNxAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync - -This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWimStartSync - -This event indicates that a new set of SystemWimAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync - -This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemTouchStartSync - -This event indicates that a new set of SystemTouchAdd events will be sent. 
- -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageEndSync - -This event indicates that a full set of DatasourceDriverPackageAdd events has been sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWlanStartSync - -This event indicates that a new set of SystemWlanAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - -### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync - -This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
@@ -890,198 +607,48 @@ The following fields are available: This event indicates that a new set of DecisionMediaCenterAdd events will be sent. -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync - -This event indicates that a new set of InventoryMediaCenterAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync - -This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd -This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. +This event sends compatibility decision data about the BIOS to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device blocked from upgrade due to a BIOS block? +- **HasBiosBlock** Does the device have a BIOS block? + + +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove + +This event indicates that the DecisionSystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync +### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync -This event indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates that a new set of DecisionSystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync - -This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.WmdrmStartSync - -This event indicates that a new set of WmdrmAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveEndSync - -This event indicates that a full set of DataSourceMatchingInfoPassiveAdd events have been sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync - -This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. 
- - -### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync - -This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync - -This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync - -This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync - -This event indicates that a new set of DecisionApplicationFileAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync - -This event indicates that a new set of InventoryLanguagePackAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync - -This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - -### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync - -This event indicates that the DecisionDevicePnp object is no longer present. 
- -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync - -This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync - -This event indicates that a new set of DecisionDriverPackageAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.WmdrmAdd - -This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BlockingApplication** Same as NeedsDismissAction -- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. -- **WmdrmApiResult** Raw value of the API used to gather DRM state. -- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs. -- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased -- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. -- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. 
-- **WmdrmPurchased** Indicates if the system has any files with permanent licenses. - -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd - -This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BootCritical** Is the driver package marked as boot critical? -- **Build** The build value from the driver package. -- **CatalogFile** The name of the catalog file within the driver package. -- **Class** The device class from the driver package. -- **ClassGuid** The device class GUID from the driver package. -- **Date** The date from the driver package. -- **Inbox** Is the driver package of a driver that is included with Windows? -- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU -- **Provider** The provider of the driver package. -- **PublishedName** The name of the INF file, post-rename. -- **Revision** The revision of the driver package. -- **SignatureStatus** Indicates if the driver package is signed. Unknown:0, Unsigned:1, Signed: 2 -- **VersionMajor** The major version of the driver package. -- **VersionMinor** The minor version of the driver package. - ### Microsoft.Windows.Appraiser.General.GatedRegChange This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date. 
@@ -1096,109 +663,546 @@ The following fields are available: - **Time** The client time of the event. -### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd -This event indicates that the DatasourceApplicationFile object is no longer present. +This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **AvDisplayName** If the app is an antivirus app, this is its display name. +- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date. +- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. +- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. +- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. +- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. +- **CompanyName** The company name of the vendor who developed this file. +- **FileId** A hash that uniquely identifies a file. +- **FileVersion** The File version field from the file metadata under Properties -> Details. +- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file. +- **IsAv** Indicates whether the file an antivirus reporting EXE. +- **LinkDate** The date and time that this file was linked on. 
+- **LowerCaseLongPath** The full file path to the file that was inventoried on the device. +- **Name** The name of the file that was inventoried. +- **ProductName** The Product name field from the file metadata under Properties -> Details. +- **ProductVersion** The Product version field from the file metadata under Properties -> Details. +- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it. +- **Size** The size of the file (in hexadecimal bytes). + + +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove + +This event indicates that the InventoryApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove +### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates that the DatasourceDevicePnp object is no longer present. +This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd -This event indicates that the DatasourceDriverPackage object is no longer present. +This event sends data about the number of language packs installed on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
+ +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **HasLanguagePack** Indicates whether this device has 2 or more language packs. +- **LanguagePackCount** The number of language packs are installed. + + +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove + +This event indicates that the InventoryLanguagePack object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove +### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync -This event indicates that the SystemProcessorSse2 object is no longer present. +This event indicates that a new set of InventoryLanguagePackAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd -This event indicates that the InventoryUplevelDriverPackage object is no longer present. +This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove - -This event indicates that the DecisionMediaCenter object is no longer present. 
- -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **EverLaunched** Has Windows Media Center ever been launched? +- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center? +- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured? +- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch? +- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files? +- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center? +- **IsSupported** Does the running OS support Windows Media Center? ### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove This event indicates that the InventoryMediaCenter object is no longer present. -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove - -This event indicates that the DatasourceSystemBios object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove +### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync -This event indicates that the DecisionApplicationFile object is no longer present. +This event indicates that a new set of InventoryMediaCenterAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove +### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd -This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. +This event sends basic metadata about the BIOS to determine whether it has a compatibility block. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BiosDate** The release date of the BIOS in UTC format. +- **BiosName** The name field from Win32_BIOS. +- **Manufacturer** The manufacturer field from Win32_ComputerSystem. +- **Model** The model field from Win32_ComputerSystem. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove + +This event indicates that the InventorySystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync + +This event indicates that a new set of InventorySystemBiosAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd + +This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. 
Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BootCritical** Is the driver package marked as boot critical? +- **Build** The build value from the driver package. +- **CatalogFile** The name of the catalog file within the driver package. +- **Class** The device class from the driver package. +- **ClassGuid** The device class unique ID from the driver package. +- **Date** The date from the driver package. +- **Inbox** Is the driver package of a driver that is included with Windows? +- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU. +- **Provider** The provider of the driver package. +- **PublishedName** The name of the INF file after it was renamed. +- **Revision** The revision of the driver package. +- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2. +- **VersionMajor** The major version of the driver package. +- **VersionMinor** The minor version of the driver package. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove + +This event indicates that the InventoryUplevelDriverPackage object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync + +This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. 
+ +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.RunContext + +This event indicates what should be expected in the data payload. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **Time** The client time of the event. + + +### Microsoft.Windows.Appraiser.General.SystemMemoryAdd + +This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the device from upgrade due to memory restrictions? +- **MemoryRequirementViolated** Was a memory requirement violated? +- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes). +- **ram** The amount of memory on the device. +- **ramKB** The amount of memory (in KB). +- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes). +- **virtualKB** The amount of virtual memory (in KB). + + +### Microsoft.Windows.Appraiser.General.SystemMemoryRemove + +This event that the SystemMemory object is no longer present. 
+ +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync + +This event indicates that a new set of SystemMemoryAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd + +This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **CompareExchange128Support** Does the CPU support CompareExchange128? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove + +This event indicates that the SystemProcessorCompareExchange object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync + +This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
+ +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd + +This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **LahfSahfSupport** Does the CPU support LAHF/SAHF? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove + +This event indicates that the SystemProcessorLahfSahf object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync + +This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd + +This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? 
+- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support. +- **NXProcessorSupport** Does the processor support NX? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove + +This event indicates that the SystemProcessorNx object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync + +This event indicates that a new set of SystemProcessorNxAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd + +This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **PrefetchWSupport** Does the processor support PrefetchW? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove + +This event indicates that the SystemProcessorPrefetchW object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. 
+ + +### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync + +This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add + +This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **Blocking** Is the upgrade blocked due to the processor? +- **SSE2ProcessorSupport** Does the processor support SSE2? + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove + +This event indicates that the SystemProcessorSse2 object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync + +This event indicates that a new set of SystemProcessorSse2Add events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemTouchAdd + +This event sends data indicating whether the system supports touch, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
+ +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer? +- **MaximumTouches** The maximum number of touch points supported by the device hardware. ### Microsoft.Windows.Appraiser.General.SystemTouchRemove -"This event indicates that the SystemTouch object is no longer present. " +This event indicates that the SystemTouch object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +### Microsoft.Windows.Appraiser.General.SystemTouchStartSync + +This event indicates that a new set of SystemTouchAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimAdd + +This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **IsWimBoot** Is the current operating system running from a compressed WIM file? +- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM. + + +### Microsoft.Windows.Appraiser.General.SystemWimRemove + +This event indicates that the SystemWim object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
+ +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWimStartSync + +This event indicates that a new set of SystemWimAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd + +This event sends data indicating whether the current operating system is activated, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated. +- **WindowsNotActivatedDecision** Is the current operating system activated? + + ### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove This event indicates that the SystemWindowsActivationStatus object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync + +This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -1206,185 +1210,120 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemWlanRemove -"This event indicates that the SystemWlan object is no longer present. " +This event indicates that the SystemWlan object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove +### Microsoft.Windows.Appraiser.General.SystemWlanStartSync -This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. +This event indicates that a new set of SystemWlanAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove +### Microsoft.Windows.Appraiser.General.TelemetryRunHealth -This event indicates that the SystemProcessorNx object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove - -This event indicates that the DataSourceMatchingInfoBlock object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove - -This event indicates that the DecisionDevicePnp object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. 
- - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove - -This event Indicates that the DecisionMatchingInfoPassive object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemMemoryRemove - -This event that the SystemMemory object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove - -This event indicates that the DecisionMatchingInfoBlock object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove - -This event indicates that the DataSourceMatchingInfoPassive object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove - -This event indicates that the InventoryApplicationFile object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemWimRemove - -"This event indicates that the SystemWim object is no longer present. " - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove - -"This event indicates that the InventorySystemBios object is no longer present. " +This event indicates the parameters and result of a telemetry (diagnostic) run. 
This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. + +The following fields are available: + +- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built. +- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run. +- **AppraiserProcess** The name of the process that launched Appraiser. +- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots. +- **AuxFinal** Obsolete, always set to false. +- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app. +- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan. +- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter. +- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent. +- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent. +- **PCFP** An ID for the system calculated by hashing hardware identifiers. +- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal. +- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row. +- **RunAppraiser** Indicates if Appraiser was set to run at all. 
If this if false, it is understood that data events will not be received from this device. +- **RunDate** The date that the telemetry run was stated, expressed as a filetime. +- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic. +- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information. +- **RunResult** The hresult of the Appraiser telemetry run. +- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run. +- **StoreHandleIsNotNull** Obsolete, always set to false +- **TelementrySent** Indicates if telemetry was successfully sent. +- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability. +- **Time** The client time of the event. +- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging. +- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated. + + +### Microsoft.Windows.Appraiser.General.WmdrmAdd + +This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. +- **BlockingApplication** Same as NeedsDismissAction. 
+- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. +- **WmdrmApiResult** Raw value of the API used to gather DRM state. +- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs. +- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased. +- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. +- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. +- **WmdrmPurchased** Indicates if the system has any files with permanent licenses. ### Microsoft.Windows.Appraiser.General.WmdrmRemove This event indicates that the Wmdrm object is no longer present. -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove - -"This event indicates that the SystemProcessorLahfSahf object is no longer present. " +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove +### Microsoft.Windows.Appraiser.General.WmdrmStartSync -This event indicates that the InventoryLanguagePack object is no longer present. +This event indicates that a new set of WmdrmAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove - -This event indicates that the DecisionDriverPackage object is no longer present. 
- -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove - -This event indicates that the DecisionSystemBios object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove - -"This event indicates that the SystemProcessorCompareExchange object is no longer present. " - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove - -This event indicates that the SystemProcessorPrefetchW object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.InventoryDriverBinaryEndSync - -This event indicates that a full set of InventoryDriverBinaryAdd events has been sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - ## Census events +### Census.App + +Provides information on IE and Census versions running on the device + +The following fields are available: + +- **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run. +- **AppraiserErrorCode** The error code of the last Appraiser run. +- **AppraiserRunEndTimeStamp** The end time of the last Appraiser run. +- **AppraiserRunIsInProgressOrCrashed** Flag that indicates if the Appraiser run is in progress or has crashed. +- **AppraiserRunStartTimeStamp** The start time of the last Appraiser run. +- **AppraiserTaskEnabled** Whether the Appraiser task is enabled. +- **AppraiserTaskExitCode** The Appraiser task exist code. 
+- **AppraiserTaskLastRun** The last runtime for the Appraiser task. +- **CensusVersion** The version of Census that generated the current data for this device. +- **IEVersion** Retrieves which version of Internet Explorer is running on this device. + + ### Census.Battery This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date. @@ -1398,6 +1337,16 @@ The following fields are available: - **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value. +### Census.Camera + +This event sends data about the resolution of cameras on the device, to help keep Windows up to date. + +The following fields are available: + +- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0. +- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0. + + ### Census.Enterprise This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment. 
@@ -1409,7 +1358,7 @@ The following fields are available:
 - **CDJType** Represents the type of cloud domain joined for the machine.
 - **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers.
 - **ContainerType** The type of container, such as process or virtual machine hosted.
-- **EnrollmentType** Represents the type of enrollment, such as MDM or Intune, for a particular device.
+- **EnrollmentType** Defines the type of MDM enrollment on the device.
 - **HashedDomain** The hashed representation of the user domain used for login.
 - **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false
 - **IsDERequirementMet** Represents if the device can do device encryption.
@@ -1423,48 +1372,6 @@ The following fields are available: - **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier -### Census.App - -This event sends version data about the Apps running on this device, to help keep Windows up to date. - -The following fields are available: - -- **CensusVersion** The version of Census that generated the current data for this device. -- **IEVersion** Retrieves which version of Internet Explorer is running on this device. - - -### Census.Camera - -This event sends data about the resolution of cameras on the device, to help keep Windows up to date. - -The following fields are available: - -- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0. -- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0. - - -### Census.UserDisplay - -This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date. - -The following fields are available: - -- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display. -- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display. -- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display. -- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display. -- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display. -- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display. 
-- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches . -- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches -- **InternalPrimaryDisplayType** Represents the type of technology used in the monitor, such as Plasma, LED, LCOS, etc. -- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine -- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. -- **VRAMDedicated** Retrieves the video RAM in MB. -- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card. -- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use. - - ### Census.Firmware This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date. @@ -1479,11 +1386,11 @@ The following fields are available: ### Census.Flighting -This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up-to-date. +This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date. The following fields are available: -- **DeviceSampleRate** The diagnostic data sample rate assigned to the device. +- **DeviceSampleRate** The telemetry sample rate assigned to the device. - **EnablePreviewBuilds** Used to enable Windows Insider builds on a device. - **FlightIds** A list of the different Windows Insider builds on this device. - **FlightingBranchName** The name of the Windows Insider branch currently used by the device. 
@@ -1494,23 +1401,23 @@ The following fields are available: ### Census.Hardware -This event sends data about the device, including hardware type, OEM brand, model line, model, diagnostic data level setting, and TPM support, to help keep Windows up-to-date. +This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date. The following fields are available: - **ActiveMicCount** The number of active microphones attached to the device. - **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36. - **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields. -- **D3DMaxFeatureLevel** The supported Direct3D version. +- **D3DMaxFeatureLevel** Supported Direct3D version. - **DeviceColor** Indicates a color of the device. - **DeviceForm** Indicates the form as per the device classification. - **DeviceName** The device name that is set by the user. - **DigitizerSupport** Is a digitizer supported? - **DUID** The device unique ID. -- **Gyroscope** Indicates whether the device has a gyroscope. +- **Gyroscope** Indicates whether the device has a gyroscope (a mechanical component that measures and maintains orientation). - **InventoryId** The device ID used for compatibility testing. -- **Magnetometer** Indicates whether the device has a magnetometer. -- **NFCProximity** Indicates whether the device supports NFC. +- **Magnetometer** Indicates whether the device has a magnetometer (a mechanical component that works like a compass). +- **NFCProximity** Indicates whether the device supports NFC (a set of communication protocols that helps establish communication when applicable devices are brought close together.) 
- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device. - **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date. - **OEMModelBaseBoard** The baseboard model used by the OEM. @@ -1526,9 +1433,9 @@ The following fields are available: - **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device. - **SoCName** The firmware manufacturer of the device. - **StudyID** Used to identify retail and non-retail device. -- **TelemetryLevel** The diagnostic data level the user has opted into, such as Basic or Enhanced. -- **TelemetryLevelLimitEnhanced** The diagnostic data level for Windows Analytics-based solutions. -- **TelemetrySettingAuthority** Determines who set the diagnostic data level, such as GP, MDM, or the user. +- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced. +- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions. +- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user. - **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0. - **VoiceSupported** Does the device have a cellular radio capable of making voice calls? 
@@ -1573,9 +1480,9 @@ This event sends data about the operating system such as the version, locale, up The following fields are available: - **ActivationChannel** Retrieves the retail license key or Volume license key for a machine. -- **AssignedAccessStatus** The kiosk configuration mode. +- **AssignedAccessStatus** Kiosk configuration mode. - **CompactOS** Indicates if the Compact OS feature from Win10 is enabled. -- **DeveloperUnlockStatus** "Represents if a device has been developer unlocked by the user or Group Policy. " +- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy. - **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time - **GenuineState** Retrieves the ID Value specifying the OS Genuine check. - **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update). 
@@ -1585,10 +1492,9 @@ The following fields are available:
 - **IsPortableOperatingSystem** Retrieves whether OS is running Windows-To-Go
 - **IsSecureBootEnabled** Retrieves whether Boot chain is signed under UEFI.
 - **LanguagePacks** The list of language packages installed on the device.
-- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the Microsoft Store.
+- **LicenseStateReason** Retrieves why (or how) a system is licensed or unlicensed. The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store.
 - **OA3xOriginalProductKey** Retrieves the License key stamped by the OEM to the machine.
 - **OSEdition** Retrieves the version of the current OS.
-- **OSInstallDateTime** Retrieves the date the OS was installed using ISO 8601 (Date part) == yyyy-mm-dd
 - **OSInstallType** Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc
 - **OSOOBEDateTime** Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC).
 - **OSSKU** Retrieves the Friendly Name of OS Edition.
@@ -1611,38 +1517,41 @@ The following fields are available: ### Census.Processor -This event sends data about the processor (architecture, speed, number of cores, manufacturer, and model number), to help keep Windows up to date. +Provides information on several important data points about Processor settings The following fields are available: -- **KvaShadow** Microcode info of the processor. -- **MMSettingOverride** Microcode setting of the processor. -- **MMSettingOverrideMask** Microcode setting override of the processor. -- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. -- **ProcessorClockSpeed** Retrieves the clock speed of the processor in MHz. -- **ProcessorCores** Retrieves the number of cores in the processor. -- **ProcessorIdentifier** The processor identifier of a manufacturer. -- **ProcessorManufacturer** Retrieves the name of the processor's manufacturer. -- **ProcessorModel** Retrieves the name of the processor model. +- **KvaShadow** Microcode info of the processor. +- **MMSettingOverride** Microcode setting of the processor. +- **MMSettingOverrideMask** Microcode setting override of the processor. +- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. +- **ProcessorClockSpeed** Clock speed of the processor in MHz. +- **ProcessorCores** Number of logical cores in the processor. +- **ProcessorIdentifier** Processor Identifier of a manufacturer. +- **ProcessorManufacturer** Name of the processor manufacturer. +- **ProcessorModel** Name of the processor model. - **ProcessorPhysicalCores** Number of physical cores in the processor. -- **ProcessorUpdateRevision** The microcode version. -- **SocketCount** Number of physical CPU sockets of the machine. -- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability. 
+- **ProcessorUpdateRevision** Microcode revision +- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status +- **SocketCount** Count of CPU sockets. +- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability. ### Census.Security -This event provides information on about security settings used to help keep Windows up-to-date and secure. +This event provides information on about security settings used to help keep Windows up to date and secure. -- **AvailableSecurityProperties** Enumerates and reports state on the relevant security properties for Device Guard. -- **CGRunning** Is Credential Guard running? -- **DGState** A summary of the Device Guard state. -- **HVCIRunning** Is HVCI running? -- **IsSawGuest** Describes whether the device is running as a Secure Admin Workstation Guest. -- **IsSawHost** Describes whether the device is running as a Secure Admin Workstation Host. -- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. -- **SecureBootCapable** Is this device capable of running Secure Boot? -- **VBSState** Is virtualization-based security enabled, disabled, or running? +The following fields are available: + +- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard. +- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running. +- **DGState** This field summarizes the Device Guard state. +- **HVCIRunning** Is HVCI running? +- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest. 
+- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host. +- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. +- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting. +- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running. ### Census.Speech 
@@ -1655,14 +1564,13 @@ The following fields are available: - **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities. - **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user. - **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices. -- **KWSEnabled** "Cortana setting that represents if a user has enabled the ""Hey Cortana"" keyword spotter (KWS)." +- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS). - **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities. -- **RemotelyManaged** Indicates if the device is being controlled by a remote admininistrator (MDM or Group Policy) in the context of speech functionalities. +- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities. - **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice. - **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device. - ### Census.Storage This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date. 
@@ -1673,14 +1581,36 @@ The following fields are available: - **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any). - **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB. + ### Census.Userdefault This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date. The following fields are available: -- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html,.htm,.jpg,.jpeg,.png,.mp3,.mp4, .mov,.pdf -- **DefaultBrowserProgId** The ProgramId of the current user's default browser +- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. +- **DefaultBrowserProgId** The ProgramId of the current user's default browser. + + +### Census.UserDisplay + +This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date. + +The following fields are available: + +- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display. +- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display. +- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display. +- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display. +- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display. 
+- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display. +- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches . +- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches +- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine +- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine. +- **VRAMDedicated** Retrieves the video RAM in MB. +- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card. +- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use. ### Census.UserNLS 
@@ -1695,26 +1625,22 @@ The following fields are available: - **KeyboardInputLanguages** The Keyboard input languages installed on the device. - **SpeechInputLanguages** The Speech Input languages installed on the device. + ### Census.VM This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date. The following fields are available: -- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within. +- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within. - **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor. - **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present. -- **isVDI** Is the device using Virtual Desktop Infrastructure? -- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#HASH#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#HASH#1 Hypervisors. +- **IsVDI** Is the device using Virtual Desktop Infrastructure? +- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors. - **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware. - **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware. - - - - - ### Census.WU This event sends data about the Windows update server and other App store policies, to help keep Windows up to date. 
@@ -1726,25 +1652,26 @@ The following fields are available: - **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured - **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting - **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades. -- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it? -- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update? -- **OSAssessmentForQualityUpdate** Is the device on the latest quality update? -- **OSAssessmentForSecurityUpdate** Is the device on the latest security update? -- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it? -- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment. +- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it? +- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update? +- **OSAssessmentForQualityUpdate** Is the device on the latest quality update? +- **OSAssessmentForSecurityUpdate** Is the device on the latest security update? +- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it? +- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment. - **OSRollbackCount** The number of times feature updates have rolled back on the device. - **OSRolledBack** A flag that represents when a feature update has rolled back during setup. - **OSUninstalled** A flag that represents when a feature update is uninstalled on a device . 
- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device. - **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently. - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). -- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates -- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades +- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. +- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. - **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves WU setting to determine if updates are paused +- **WUPauseState** Retrieves WU setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). + ### Census.Xbox This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date. 
@@ -1753,349 +1680,863 @@ The following fields are available: - **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console. - **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. -- **XboxLiveDeviceId** Retrieves the unique device id of the console. -- **XboxLiveSandboxId** Retrieves the developer sandbox id if the device is internal to MS. +- **XboxLiveDeviceId** Retrieves the unique device ID of the console. +- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft. +## Common data extensions + +### Common Data Extensions.app + +Describes the properties of the running application. This extension could be populated by a client app or a web app. + +The following fields are available: + +- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. +- **env** The environment from which the event was logged. +- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. +- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. +- **userId** The userID as known by the application. +- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. + + +### Common Data Extensions.container + +Describes the properties of the container for events logged within a container. + +The following fields are available: + +- **localId** The device ID as known by the client. +- **osVer** The operating system version. +- **type** The container type. Examples: Process or VMHost + + +### Common Data Extensions.cs + +Describes properties related to the schema of the event. 
+ +The following fields are available: + +- **sig** A common schema signature that identifies new and modified event schemas. + + +### Common Data Extensions.device + +Describes the device-related fields. + +The following fields are available: + +- **deviceClass** Represents the classification of the device, the device “family”. For example, Desktop, Server, or Mobile. +- **localId** Represents a locally defined unique ID for the device, not the human readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId + + +### Common Data Extensions.Envelope + +Represents an envelope that contains all of the common data extensions. + +The following fields are available: + +- **appId** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. +- **appVer** Represents the version number of the application. Used to understand errors by version and usage by version across an app. +- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries. +- **data** Represents the optional unique diagnostic data for a particular event schema. +- **epoch** ID used to help distinguish events in the sequence by indicating the current boot session. +- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp). +- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer). +- **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs). +- **ext_device** Describes the device-related fields. 
See [Common Data Extensions.device](#common-data-extensionsdevice). +- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). +- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). +- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). +- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl). +- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. +- **iKey** Represents an ID for applications or other logical groupings of events. +- **name** Represents the uniquely qualified name for the event. +- **os** The operating system name. +- **osVer** The operating system version. +- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. +- **seqNum** Used to track the absolute order of uploaded events. +- **tags** A header for semi-managed extensions. +- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.os + +Describes some properties of the operating system. + +The following fields are available: + +- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot. +- **expId** Represents the experiment ID. 
The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema. +- **locale** Represents the locale of the operating system. + + +### Common Data Extensions.user + +Describes the fields related to a user. + +The following fields are available: + +- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token. +- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. + + +### Common Data Extensions.utc + +Describes the properties that could be populated by a logging library on Windows. + +The following fields are available: + +- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. +- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number +- **cat** Represents a bitmask of the ETW Keywords associated with the event. +- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. +- **flags** Represents the bitmap that captures various Windows specific flags. +- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence +- **op** Represents the ETW Op Code. +- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. +- **sqmId** The Windows SQM ID. +- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. +- **tickets** An array of strings that refer back to a key in the X-Tickets http header that the client uploaded along with a batch of events. + + +### Common Data Extensions.xbl + +Describes the fields that are related to XBOX Live. 
+ +The following fields are available: + +- **claims** Any additional claims whose short claim name hasn't been added to this structure. +- **did** XBOX device ID +- **dty** XBOX device type +- **dvr** The version of the operating system on the device. +- **eid** A unique ID that represents the developer entity. +- **exp** Expiration time +- **ip** The IP address of the client device. +- **nbf** Not before time +- **pid** A comma separated list of PUIDs listed as base10 numbers. +- **sbx** XBOX sandbox identifier +- **sid** The service instance ID. +- **sty** The service type. +- **tid** The XBOX Live title ID. +- **tvr** The XBOX Live title version. +- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. +- **xid** A list of base10-encoded XBOX User IDs. + + +## Common data fields + +### Ms.Device.DeviceInventoryChange + +Describes the installation state for all hardware and software components available on a particular device. + +The following fields are available: + +- **action** The change that was invoked on a device inventory object. +- **inventoryId** Device ID used for Compatibility testing +- **objectInstanceId** Object identity which is unique within the device scope. +- **objectType** Indicates the object type that the event applies to. +- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. ## Diagnostic data events -### TelClientSynthetic.AuthorizationInfo_Startup - -This event sends data indicating that a device has undergone a change of diagnostic data opt-in level detected at UTC startup, to help keep Windows up to date. 
- -The following fields are available: - -- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto diagnostic data from the OS provider groups. -- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS diagnostic data. Non-OS diagnostic data is responsible for providing its own opt-in mechanism. -- **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA. -- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats. -- **CanCollectOsTelemetry** True if UTC is allowed to collect diagnostic data from the OS provider groups. -- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations. -- **CanPerformScripting** True if UTC is allowed to perform scripting. -- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions. -- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events. -- **PreviousPermissions** Bitmask representing the previously configured permissions since the diagnostic data client was last started. -- **TransitionFromEverythingOff** True if this transition is moving from not allowing core diagnostic data to allowing core diagnostic data. - - ### TelClientSynthetic.AuthorizationInfo_RuntimeTransition -This event sends data indicating that a device has undergone a change of diagnostic data opt-in level during the runtime of the device (not at UTC boot or offline), to help keep Windows up to date. - -The following fields are available: - -- **CanAddMsaToMsTelemetry** True if UTC is allowed to add MSA user identity onto diagnostic data from the OS provider groups. -- **CanCollectAnyTelemetry** True if UTC is allowed to collect non-OS diagnostic data. Non-OS diagnostic data is responsible for providing its own opt-in mechanism. 
-- **CanCollectCoreTelemetry** True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA. -- **CanCollectHeartbeats** True if UTC is allowed to collect heartbeats. -- **CanCollectOsTelemetry** True if UTC is allowed to collect diagnostic data from the OS provider groups. -- **CanPerformDiagnosticEscalations** True if UTC is allowed to perform all scenario escalations. -- **CanPerformScripting** True if UTC is allowed to perform scripting. -- **CanPerformTraceEscalations** True if UTC is allowed to perform scenario escalations with tracing actions. -- **CanReportScenarios** True if UTC is allowed to load and report scenario completion, failure, and cancellation events. -- **PreviousPermissions** Bitmask representing the previously configured permissions since the diagnostic data opt-in level was last changed. -- **TransitionFromEverythingOff** True if this transition is moving from not allowing core diagnostic data to allowing core diagnostic data. +This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. -### TelClientSynthetic.ConnectivityHeartBeat_0 -This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads diagnostic data events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network. 
+### TelClientSynthetic.AuthorizationInfo_Startup -The following fields are available: +This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. -- **CensusExitCode** Returns last execution codes from census client run. -- **CensusStartTime** Returns timestamp corresponding to last successful census run. -- **CensusTaskEnabled** Returns Boolean value for the census task (Enable/Disable) on client machine. -- **LastConnectivityLossTime** Retrieves the last time the device lost free network. -- **LastConntectivityLossTime** Retrieves the last time the device lost free network. -- **NetworkState** Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network. -- **NoNetworkTime** Retrieves the time spent with no network (since the last time) in seconds. -- **RestrictedNetworkTime** Retrieves the time spent on a metered (cost restricted) network in seconds. ### TelClientSynthetic.HeartBeat_5 This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. -The following fields are available: - -- **AgentConnectionErrorsCount** The number of non-timeout errors associated with the host/agent channel. -- **CensusExitCode** The last exit code of the Census task. -- **CensusStartTime** The time of the last Census run. -- **CensusTaskEnabled** Indicates whether Census is enabled. -- **ConsumerDroppedCount** The number of events dropped by the consumer layer of the diagnostic data client. -- **CriticalDataDbDroppedCount** The number of critical data sampled events that were dropped at the database layer. -- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. 
-- **CriticalOverflowEntersCounter** The number of times a critical overflow mode was entered into the event database. -- **DbCriticalDroppedCount** The total number of dropped critical events in the event database. -- **DbDroppedCount** The number of events that were dropped because the database was full. -- **DecodingDroppedCount** The number of events dropped because of decoding failures. -- **EnteringCriticalOverflowDroppedCounter** The number of events that was dropped because a critical overflow mode was initiated. -- **EtwDroppedBufferCount** The number of buffers dropped in the CUET ETW session. -- **EtwDroppedCount** The number of events dropped by the ETW layer of the diagnostic data client. -- **EventSubStoreResetCounter** The number of times the event database was reset. -- **EventSubStoreResetSizeSum** The total size of the event database across all resets reports in this instance. -- **EventsUploaded** The number of events that have been uploaded. -- **Flags** Flags that indicate device state, such as network, battery, and opt-in state. -- **FullTriggerBufferDroppedCount** The number of events that were dropped because the trigger buffer was full. -- **HeartBeatSequenceNumber** A monotonically increasing heartbeat counter. -- **InvalidHttpCodeCount** The number of invalid HTTP codes received from Vortex. -- **LastAgentConnectionError** The last non-timeout error that happened in the host/agent channel. -- **LastEventSizeOffender** The name of the last event that exceeded the maximum event size. -- **LastInvalidHttpCode** The last invalid HTTP code received from Vortex. -- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. -- **MaxInUseScenarioCounter** The soft maximum number of scenarios loaded by the Connected User Experiences and Telemetry component. -- **PreviousHeartBeatTime** The time of last heartbeat event. This allows chaining of events. 
-- **SettingsHttpAttempts** The number of attempts to contact the OneSettings service. -- **SettingsHttpFailures** The number of failures from contacting the OneSettings service. -- **ThrottledDroppedCount** The number of events dropped due to throttling of noisy providers. -- **UploaderDroppedCount** The number of events dropped by the uploader layer of the diagnostic data client. -- **VortexFailuresTimeout** The number of timeout failures received from Vortex. -- **VortexHttpAttempts** The number of attempts to contact the Vortex service. -- **VortexHttpFailures4xx** The number of 400-499 error codes received from Vortex. -- **VortexHttpFailures5xx** The number of 500-599 error codes received from Vortex. -### TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate +### TelClientSynthetic.HeartBeat_Aria_5 -This event sends basic data on privacy settings before and after a feature update. This is used to ensure that customer privacy settings are correctly migrated across feature updates. +This event is the telemetry client ARIA heartbeat. The following fields are available: -- **PostUpgradeSettings** The privacy settings after a feature update. -- **PreUpgradeSettings** The privacy settings before a feature update. - - -## DxgKernelTelemetry events - -### DxgKrnlTelemetry.GPUAdapterInventoryV2 - -This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date. - -The following fields are available: - -- **aiSeqId** The event sequence ID. -- **bootId** The system boot ID. -- **ComputePreemptionLevel** The maximum preemption level supported by GPU for compute payload. -- **DedicatedSystemMemoryB** The amount of system memory dedicated for GPU use (in bytes). -- **DedicatedVideoMemoryB** The amount of dedicated VRAM of the GPU (in bytes). -- **DisplayAdapterLuid** The display adapter LUID. -- **DriverDate** The date of the display driver. -- **DriverRank** The rank of the display driver. 
-- **DriverVersion** The display driver version. -- **GPUDeviceID** The GPU device ID. -- **GPUPreemptionLevel** The maximum preemption level supported by GPU for graphics payload. -- **GPURevisionID** The GPU revision ID. -- **GPUVendorID** The GPU vendor ID. -- **InterfaceId** The GPU interface ID. -- **IsDisplayDevice** Does the GPU have displaying capabilities? -- **IsHybridDiscrete** Does the GPU have discrete GPU capabilities in a hybrid device? -- **IsHybridIntegrated** Does the GPU have integrated GPU capabilities in a hybrid device? -- **IsLDA** Is the GPU comprised of Linked Display Adapters? -- **IsMiracastSupported** Does the GPU support Miracast? -- **IsMismatchLDA** Is at least one device in the Linked Display Adapters chain from a different vendor? -- **IsMPOSupported** Does the GPU support Multi-Plane Overlays? -- **IsMsMiracastSupported** Are the GPU Miracast capabilities driven by a Microsoft solution? -- **IsPostAdapter** Is this GPU the POST GPU in the device? -- **IsRenderDevice** Does the GPU have rendering capabilities? -- **IsSoftwareDevice** Is this a software implementation of the GPU? -- **MeasureEnabled** Is the device listening to MICROSOFT_KEYWORD_MEASURES? -- **SharedSystemMemoryB** The amount of system memory shared by GPU and CPU (in bytes). -- **SubSystemID** The subsystem ID. -- **SubVendorID** The GPU sub vendor ID. -- **TelemetryEnabled** Is the device listening to MICROSOFT_KEYWORD_TELEMETRY? -- **TelInvEvntTrigger** What triggered this event to be logged? Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling) -- **version** The event version. -- **WDDMVersion** The Windows Display Driver Model version. -- **NumVidPnSources** The number of supported display output sources. -- **NumVidPnTargets** The number of supported display output targets. 
- - -## Fault Reporting events - -### Microsoft.Windows.FaultReporting.AppCrashEvent - -"This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes"" by a user DO NOT emit this event." - -The following fields are available: - -- **AppName** The name of the app that has crashed. -- **AppSessionGuid** GUID made up of process ID and is used as a correlation vector for process instances in the diagnostic data backend. -- **AppTimeStamp** The date/time stamp of the app. -- **AppVersion** The version of the app that has crashed. -- **ExceptionCode** The exception code returned by the process that has crashed. -- **ExceptionOffset** The address where the exception had occurred. -- **Flags** "Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. " -- **ModName** Exception module name (e.g. bar.dll). -- **ModTimeStamp** The date/time stamp of the module. -- **ModVersion** The version of the module that has crashed. -- **PackageFullName** Store application identity. -- **PackageRelativeAppId** Store application identity. -- **ProcessArchitecture** Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 
5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64. -- **ProcessCreateTime** The time of creation of the process that has crashed. -- **ProcessId** The ID of the process that has crashed. -- **ReportId** A GUID used to identify the report. This can used to track the report across Watson. -- **TargetAppId** The kernel reported AppId of the application being reported. -- **TargetAppVer** The specific version of the application being reported -- **TargetAsId** The sequence number for the hanging process. +- **CompressedBytesUploaded** Number of compressed bytes uploaded +- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. +- **DbCriticalDroppedCount** Total number of dropped critical events in event database. +- **DbDroppedCount** Number of events dropped at the database layer. +- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. +- **EventSubStoreResetCounter** Number of times event database was reset. +- **EventSubStoreResetSizeSum** Total size of event database across all resets reports in this instance. +- **EventsUploaded** Number of events uploaded. +- **InvalidHttpCodeCounter** Number of invalid HTTP codes received from contacting Vortex. +- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. +- **SettingsHttpAttempts** Number of attempts to contact OneSettings service. +- **SettingsHttpFailures** Number of failures from contacting OneSettings service. +- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. +- **VortexFailuresTimeout** Number of time out failures received from Vortex. +- **VortexHttpAttempts** Number of attempts to contact Vortex. +- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. 
+- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. +- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. +- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. ## Feature update events ### Microsoft.Windows.Upgrade.Uninstall.UninstallFailed -This event sends diagnostic data about failures when uninstalling a feature update, to help resolve any issues preventing customers from reverting to a known state +This event sends diagnostic data about failures when uninstalling a feature update, to help resolve any issues preventing customers from reverting to a known state. The following fields are available: -- **failureReason** Provides data about the uninstall initialization operation failure -- **hr** Provides the Win32 error code for the operation failure +- **failureReason** Provides data about the uninstall initialization operation failure. +- **hr** Provides the Win32 error code for the operation failure. ### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered -Indicates that the uninstall was properly configured and that a system reboot was initiated +This event indicates that the uninstall was properly configured and that a system reboot was initiated. The following fields are available: - **name** Name of the event -## Hang Reporting events +### Microsoft.Windows.Upgrade.Uninstall.UninstallGoBackButtonClicked -### Microsoft.Windows.HangReporting.AppHangEvent +This event sends basic metadata about the starting point of uninstalling a feature update, which helps ensure customers can safely revert to a well-known state if the update caused any problems. -This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. 
The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
-
-The following fields are available:
-
-- **AppName** The name of the app that has hung.
-- **AppSessionGuid** GUID made up of process id used as a correlation vector for process instances in the diagnostic data backend.
-- **AppVersion** The version of the app that has hung.
-- **PackageFullName** Store application identity.
-- **PackageRelativeAppId** Store application identity.
-- **ProcessArchitecture** Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
-- **ProcessCreateTime** The time of creation of the process that has hung.
-- **ProcessId** The ID of the process that has hung.
-- **ReportId** A GUID used to identify the report. This can used to track the report across Watson.
-- **TargetAppId** The kernel reported AppId of the application being reported.
-- **TargetAppVer** The specific version of the application being reported.
-- **TargetAsId** The sequence number for the hanging process.
-- **TypeCode** Bitmap describing the hang type.
-- **WaitingOnAppName** If this is a cross process hang waiting for an application, this has the name of the application.
-- **WaitingOnAppVersion** If this is a cross process hang, this has the version of the application for which it is waiting.
-- **WaitingOnPackageFullName** If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting. -- **WaitingOnPackageRelativeAppId** If this is a cross process hang waiting for a package, this has the relative application id of the package. ## Inventory events -### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync +### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum -This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent +This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. The following fields are available: -- **InventoryVersion** The version of the inventory file generating the events +- **Device** A count of device objects in cache. +- **DeviceCensus** A count of devicecensus objects in cache. +- **DriverPackageExtended** A count of driverpackageextended objects in cache. +- **File** A count of file objects in cache. +- **FileSigningInfo** A count of file signing objects in cache. +- **Generic** A count of generic objects in cache. +- **HwItem** A count of hwitem objects in cache. +- **InventoryApplication** A count of application objects in cache. +- **InventoryApplicationFile** A count of application file objects in cache. +- **InventoryDeviceContainer** A count of device container objects in cache. +- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache. +- **InventoryDeviceMediaClass** A count of device media objects in cache. +- **InventoryDevicePnp** A count of device Plug and Play objects in cache. +- **InventoryDeviceUsbHubClass** A count of device usb objects in cache +- **InventoryDriverBinary** A count of driver binary objects in cache. 
+- **InventoryDriverPackage** A count of device objects in cache.
+- **Metadata** A count of metadata objects in cache.
+- **Orphan** A count of orphan file objects in cache.
+- **Programs** A count of program objects in cache.
+
+
+### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
+
+This event sends inventory component versions for the Device Inventory data.
+
+The following fields are available:
+
+- **aeinv** The version of the App inventory component.
+- **devinv** The file version of the Device inventory component.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
+
+This event sends basic metadata about an application on the system to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **HiddenArp** Indicates whether a program hides itself from showing up in ARP.
+- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics).
+- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00
+- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array.
+- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Language** The language code of the program.
+- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage.
+- **MsiProductCode** A GUID that describe the MSI Product.
+- **Name** The name of the application.
+- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install.
+- **PackageFullName** The package full name for a Store application.
+- **ProgramInstanceId** A hash of the file IDs in an app.
+- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field.
+- **RootDirPath** The path to the root directory where the program was installed.
+- **Source** How the program was installed (for example, ARP, MSI, Appx).
+- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp.
+- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen.
+- **Version** The version number of the program.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd
+
+This event represents what drivers an application installs.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory component
+- **ProgramIds** The unique program identifier the driver is associated with.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
+
+The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory component.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
+
+This event provides the basic metadata about the frameworks an application may depend on.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **FileId** A hash that uniquely identifies a file.
+- **Frameworks** The list of frameworks this file depends on.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
+
+This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
+
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync
+
+This event indicates that a new set of InventoryApplicationAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
+
+This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Categories** A comma separated list of functional categories in which the container belongs.
+- **DiscoveryMethod** The discovery method for the device container.
+- **FriendlyName** The name of the device container.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **IsActive** Is the device connected, or has it been seen in the last 14 days?
+- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link.
+- **IsMachineContainer** Is the container the root device itself?
+- **IsNetworked** Is this a networked device?
+- **IsPaired** Does the device container require pairing?
+- **Manufacturer** The manufacturer name for the device container.
+- **ModelId** A unique model ID.
+- **ModelName** The model name.
+- **ModelNumber** The model number for the device container.
+- **PrimaryCategory** The primary category for the device container.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove
+
+This event indicates that the InventoryDeviceContainer object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync
+
+This event indicates that a new set of InventoryDeviceContainerAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
+
+This event retrieves information about what sensor interfaces are available on the device.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Accelerometer3D** Indicates if an Accelerator3D sensor is found.
+- **ActivityDetection** Indicates if an Activity Detection sensor is found.
+- **AmbientLight** Indicates if an Ambient Light sensor is found.
+- **Barometer** Indicates if a Barometer sensor is found.
+- **Custom** Indicates if a Custom sensor is found.
+- **EnergyMeter** Indicates if an Energy sensor is found.
+- **FloorElevation** Indicates if a Floor Elevation sensor is found.
+- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found.
+- **GravityVector** Indicates if a Gravity Detector sensor is found.
+- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found.
+- **Humidity** Indicates if a Humidity sensor is found.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found.
+- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found.
+- **Orientation** Indicates if an Orientation sensor is found.
+- **Pedometer** Indicates if a Pedometer sensor is found.
+- **Proximity** Indicates if a Proximity sensor is found.
+- **RelativeOrientation** Indicates if a Relative Orientation sensor is found.
+- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found.
+- **Temperature** Indicates if a Temperature sensor is found.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
+
+This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd
+
+This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Audio_CaptureDriver** The Audio device capture driver endpoint.
+- **Audio_RenderDriver** The Audio device render driver endpoint.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove
+
+This event indicates that the InventoryDeviceMediaClassRemove object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync
+
+This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
+
+This event represents the basic metadata about a plug and play (PNP) device and its associated driver.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **BusReportedDescription** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer.
+- **Class** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer.
+- **ClassGuid** A unique identifier for the driver installed.
+- **COMPID** Name of the .sys image file (or wudfrd.sys if using user mode driver framework).
+- **ContainerId** INF file name (the name could be renamed by OS, such as oemXX.inf)
+- **Description** The version of the inventory binary generating the events.
+- **DeviceState** The current error code for the device.
+- **DriverId** A unique identifier for the driver installed.
+- **DriverName** Name of the .sys image file (or wudfrd.sys if using user mode driver framework).
+- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage.
+- **DriverVerDate** The date of the driver loaded for the device.
+- **DriverVerVersion** The version of the driver loaded for the device.
+- **Enumerator** The bus that enumerated the device.
+- **HWID** List of hardware ids for the device.
+- **Inf** INF file name (the name could be renamed by OS, such as oemXX.inf)
+- **InstallState** Device installation state.
+- **InventoryVersion** The version of the inventory binary generating the events.
+- **LowerClassFilters** Lower filter class drivers IDs installed for the device.
+- **LowerFilters** Lower filter drivers IDs installed for the device.
+- **Manufacturer** The device manufacturer.
+- **MatchingID** Represents the hardware ID or compatible ID that Windows uses to install a device instance.
+- **Model** The device model.
+- **ParentId** Device instance id of the parent of the device.
+- **ProblemCode** The current error code for the device.
+- **Provider** The device provider.
+- **Service** The device service name
+- **STACKID** The device service name.
+- **UpperClassFilters** The list of hardware ids for the stack
+- **UpperFilters** Upper filter drivers IDs installed for the device
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
+
+This event indicates that the InventoryDevicePnpRemove object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+ +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync + +This event indicates that a new set of InventoryDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. ### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd -This event sends basic metadata about the USB hubs on the device +This event sends basic metadata about the USB hubs on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **InventoryVersion** The version of the inventory file generating the events -- **TotalUserConnectablePorts** Total number of connectable USB ports -- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports +- **InventoryVersion** The version of the inventory file generating the events. +- **TotalUserConnectablePorts** Total number of connectable USB ports. +- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports. -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd +### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync -This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule +This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
The following fields are available: -- **Count** Count of total Microsoft Office VBA rule violations +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd + +This event provides the basic metadata about driver binaries running on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **DriverCheckSum** The checksum of the driver file. +- **DriverCompany** The company name that developed the driver. +- **DriverInBox** Is the driver included with the operating system? +- **DriverIsKernelMode** Is it a kernel mode driver? +- **DriverName** The file name of the driver. +- **DriverPackageStrongName** The strong name of the driver package +- **DriverSigned** The strong name of the driver package +- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file. +- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000. +- **DriverVersion** The version of the driver file. +- **ImageSize** The size of the driver file. +- **Inf** The name of the INF file. 
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Product** The product name that is included in the driver file.
+- **ProductVersion** The product version that is included in the driver file.
+- **Service** The name of the service that is installed for the device.
+- **WdfVersion** The Windows Driver Framework version.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove
+
+This event indicates that the InventoryDriverBinary object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync
+
+This event indicates that a new set of InventoryDriverBinaryAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd
+
+This event sends basic metadata about drive packages installed on the system to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Class** The class name for the device driver.
+- **ClassGuid** The class GUID for the device driver.
+- **Date** The driver package date.
+- **Directory** The path to the driver package.
+- **DriverInBox** Is the driver included with the operating system?
+- **Inf** The INF name of the driver package.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Provider** The provider for the driver package.
+- **SubmissionId** The HLK submission ID for the driver package.
+- **Version** The version of the driver package. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove + +This event indicates that the InventoryDriverPackageRemove object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + + +### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync + +This event indicates that a new set of InventoryDriverPackageAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory file generating the events. + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd -This event provides data on the installed Office Add-ins. +Invalid variant - Provides data on the installed Office Add-ins + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AddinCLSID** The CLSID for the Office addin +- **AddInCLSID** The CLSID for the Add-in +- **AddInId** Add-In identifier +- **AddinType** The type of the Office addin. 
+- **BinFileTimestamp** Timestamp of the Office addin
+- **BinFileVersion** Version of the Office addin
+- **Description** Add-in description
+- **FileId** FileId of the Office addin
+- **FileSize** File size of the Office addin
+- **FriendlyName** Add-in friendly name
+- **FullPath** Full path to the add-in module
+- **LoadBehavior** The load behavior
+- **LoadTime** The load time for the add-in
+- **OfficeApplication** The Microsoft Office application associated with the add-in
+- **OfficeArchitecture** Architecture of the addin
+- **OfficeVersion** The Microsoft Office version installed
+- **OutlookCrashingAddin** Whether the Outlook addin is crashing
+- **ProductCompany** The name of the company associated with the Office addin
+- **ProductName** The product name associated with the Office addin
+- **ProductVersion** The version associated with the Office addin
+- **ProgramId** The unique program identifier of the Office addin
+- **Provider** Name of the provider for this addin
+- **Usage** Data regarding usage of the add-in.
-- **AddInCLSID** The CLSID key office for the Office addin.
-- **AddInId** The identifier of the Office addin.
-- **AddinType** The type of the Office addin.
-- **BinFileTimestamp** The timestamp of the Office addin.
-- **BinFileVersion** The version of the Office addin.
-- **Description** The description of the Office addin.
-- **FileId** The file ID of the Office addin.
-- **FriendlyName** The friendly name of the Office addin.
-- **FullPath** The full path to the Office addin.
-- **LoadBehavior** A Uint32 that describes the load behavior.
-- **LoadTime** The load time for the Office addin.
-- **OfficeApplication** The OIffice application for this addin.
-- **OfficeArchitecture** The architecture of the addin.
-- **OfficeVersion** The Office version for this addin.
-- **OutlookCrashingAddin** A boolean value that indicates if crashes have been found for this addin.
-- **ProductCompany** The name of the company associated with the Office addin. -- **ProductName** The product name associated with the Office addin. -- **ProductVersion** The version associated with the Office addin. -- **ProgramId** The unique program identifier of the Office addin. -- **Provider** The provider name for this addin. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove This event indicates that the particular data object represented by the objectInstanceId is no longer present. -There are no fields in this event. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync + +This event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd + +This event provides data on the Office identifiers + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device +- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device +- **OMID** Identifier for the Office SQM Machine +- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit +- **OTenantId** Unique GUID representing the Microsoft O365 Tenant +- **OVersion** Installed version of Microsoft Office. 
For example, 16.0.8602.1000
+- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows)
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd
+
+This event includes the Office-related Internet Explorer features
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature.
+- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files.
+- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2)
+- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature.
Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag
+- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request
+- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2)
+- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts
+- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other protocols, such as FTP, still allow usernames and passwords
+- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls.
Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control
+- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted
+- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC)
+- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL
+- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior
+- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows
+- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+ ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd -This event provides insight data on the installed Office products. +Provides insight data on the installed Office products + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **OfficeApplication** The name of the Office application. -- **OfficeArchitecture** The bitness of the Office application. -- **OfficeVersion** The version of the Office application. -- **Value** The insights collected about this entity. +- **OfficeApplication** The name of the Office application. +- **OfficeArchitecture** The bitness of the Office application. +- **OfficeVersion** The version of the Office application. +- **Value** The insights collected about this entity. + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove This event indicates that the particular data object represented by the objectInstanceId is no longer present. -There are no fields in this event. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync -This diagnostic event indicates that a new sync is being generated for this object type. +Diagnostic event to indicate a new sync is being generated for this object type + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd + +This event list all installed Office products + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **OC2rApps** A GUID the describes the Office Click-To-Run apps +- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. 
For example, Office 2016 ProPlus +- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word +- **OProductCodes** A GUID that describes the Office MSI products + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync + +Diagnostic event to indicate a new sync is being generated for this object type + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). -There are no fields in this event. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd -This event describes various Office settings. +This event describes various Office settings + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **BrowserFlags** Browser flags for Office-related products. -- **ExchangeProviderFlags** Provider policies for Office Exchange. -- **SharedComputerLicensing** Office shared computer licensing policies. +- **BrowserFlags** Browser flags for Office-related products +- **ExchangeProviderFlags** Office Exchange provider policies +- **SharedComputerLicensing** Office Shared Computer Licensing policies + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync -Diagnostic event to indicate a new sync is being generated for this object type. +Diagnostic event to indicate a new sync is being generated for this object type + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + -There are no fields in this event. 
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **Design** Count of files with design issues found 
@@ -2125,43 +2566,74 @@ The following fields are available: This event indicates that the particular data object represented by the objectInstanceId is no longer present. -There are no fields in this event. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd + +This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **Count** Count of total Microsoft Office VBA rule violations + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove This event indicates that the particular data object represented by the objectInstanceId is no longer present. -There are no fields in this event. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). -### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync -This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync + +This event indicates that a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync + +Diagnostic event to indicate a new sync is being generated for this object type + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
+ + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd + +Provides data on Unified Update Platform (UUP) products and what version they are at. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **InventoryVersion** The version of the inventory file generating the events +- **Identifier** UUP identifier +- **LastActivatedVersion** Last activated version +- **PreviousVersion** Previous version +- **Source** UUP source +- **Version** UUP version -### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove -This event provides the basic metadata about the frameworks an application may depend on +Indicates that this particular data object represented by the objectInstanceId is no longer present. -The following fields are available: - -- **FileId** A hash that uniquely identifies a file -- **Frameworks** The list of frameworks this file depends on -- **InventoryVersion** The version of the inventory file generating the events -- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd -These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up-to-date. +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync -The following fields are available: +Diagnostic event to indicate a new sync is being generated for this object type + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
-- **IndicatorValue** The indicator value -- **Value** Describes an operating system indicator that may be relevant for the device upgrade. ### Microsoft.Windows.Inventory.Indicators.Checksum 
@@ -2174,627 +2646,147 @@ The following fields are available: - **PCFP** Equivalent to the InventoryId field that is found in other core events. -### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd +### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd -This event sends basic metadata about an application on the system to help keep Windows up to date. +These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **HiddenArp** Indicates whether a program hides itself from showing up in ARP. -- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics). -- **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00 -- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array. -- **InstallDateMsi** The install date if the application was installed via MSI. Passed as an array. -- **InventoryVersion** The version of the inventory file generating the events. -- **Language** The language code of the program. -- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage. -- **MsiProductCode** A GUID that describe the MSI Product. -- **Name** The name of the application -- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install. -- **PackageFullName** The package full name for a Store application. -- **ProgramInstanceId** A hash of the file IDs in an app. -- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field. 
-- **RootDirPath** The path to the root directory where the program was installed. -- **Source** How the program was installed (ARP, MSI, Appx, etc...) -- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp. -- **Type** "One of (""Application"", ""Hotfix"", ""BOE"", ""Service"", ""Unknown""). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen." -- **Version** The version number of the program. +- **IndicatorValue** The indicator value. -### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove - -This event indicates that a new set of InventoryDevicePnpAdd events will be sent. - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync - -This event indicates that a new set of InventoryApplicationAdd events will be sent. - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove - -This event indicates that the InventoryDeviceContainer object is no longer present. - -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd - -This event sends basic metadata about drive packages installed on the system to help keep Windows up-to-date. - -The following fields are available: - -- **Class** The class name for the device driver. -- **ClassGuid** The class GUID for the device driver. -- **Date** The driver package date. -- **Directory** The path to the driver package. -- **DriverInBox** Is the driver included with the operating system? 
-- **Inf** The INF name of the driver package.
-- **InventoryVersion** The version of the inventory file generating the events.
-- **Provider** The provider for the driver package.
-- **SubmissionId** The HLK submission ID for the driver package.
-- **Version** The version of the driver package.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync
-
-This event indicates that a new set of InventoryDriverBinaryAdd events will be sent.
-
-The following fields are available:
-
-- **InventoryVersion** The version of the inventory file generating the events.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove
-
-This event indicates that the InventoryDriverBinary object is no longer present.
-
-The following fields are available:
-
-- **InventoryVersion** The version of the inventory file generating the events.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove
-
-This event indicates that the InventoryDriverPackageRemove object is no longer present.
-
-The following fields are available:
-
-- **InventoryVersion** The version of the inventory file generating the events.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
-
-This event indicates that the InventoryDevicePnpRemove object is no longer present.
-
-The following fields are available:
-
-- **InventoryVersion** The version of the inventory file generating the events.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
-
-This event sends basic metadata about a device container (such as a monitor or printer as opposed to a PNP device) to help keep Windows up-to-date.
-
-The following fields are available:
-
-- **Categories** A comma separated list of functional categories in which the container belongs.
-- **DiscoveryMethod** The discovery method for the device container.
-- **FriendlyName** The name of the device container.
-- **InventoryVersion** The version of the inventory file generating the events.
-- **IsActive** Is the device connected, or has it been seen in the last 14 days?
-- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link.
-- **IsMachineContainer** Is the container the root device itself?
-- **IsNetworked** Is this a networked device?
-- **IsPaired** Does the device container require pairing?
-- **Manufacturer** The manufacturer name for the device container.
-- **ModelId** A model GUID.
-- **ModelName** The model name.
-- **ModelNumber** The model number for the device container.
-- **PrimaryCategory** The primary category for the device container.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync
-
-This event indicates that a new set of InventoryDeviceContainerAdd events will be sent.
-
-The following fields are available:
-
-- **InventoryVersion** The version of the inventory file generating the events.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync
-
-This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
-
-The following fields are available:
-
-- **InventoryVersion** The version of the inventory file generating the events.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync
-
-This event indicates that a new set of InventoryDriverPackageAdd events will be sent.
-
-The following fields are available:
-
-- **InventoryVersion** The version of the inventory file generating the events.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove
-
-This event indicates that the InventoryDeviceMediaClassRemove object is no longer present.
-
-The following fields are available:
-
-- **InventoryVersion** The version of the inventory file generating the events.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync
-
-This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
- -The following fields are available: - -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd - -This event sends additional metadata about a PNP device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload. - -The following fields are available: - -- **Audio_CaptureDriver** The Audio device capture driver endpoint. -- **Audio_RenderDriver** The Audio device render driver endpoint. -- **InventoryVersion** The version of the inventory file generating the events. - - -### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd - -This event represents the basic metadata about a PNP device and its associated driver - -The following fields are available: - -- **class** The device setup class of the driver loaded for the device -- **classGuid** The device class GUID from the driver package -- **COMPID** A JSON array the provides the value and order of the compatible ID tree for the device. -- **ContainerId** A system-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the device. -- **description** The device description -- **deviceState** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 
288 (0x120)= device is a wireless device that is present -- **DriverId** A unique identifier for the installed device. -- **DriverName** The name of the driver image file. -- **driverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage. -- **driverVerDate** The date of the driver loaded for the device -- **driverVerVersion** The version of the driver loaded for the device -- **enumerator** The bus that enumerated the device -- **HWID** A JSON array that provides the value and order of the HWID tree for the device. -- **Inf** The INF file name. -- **installState** The device installation state. One of these values: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx -- **InventoryVersion** The version of the inventory file generating the events. -- **lowerClassFilters** Lower filter class drivers IDs installed for the device. -- **lowerFilters** Lower filter drivers IDs installed for the device -- **manufacturer** The device manufacturer -- **matchingID** Represents the hardware ID or compatible ID that Windows uses to install a device instance -- **model** The device model -- **parentId** Device instance id of the parent of the device -- **ProblemCode** The current error code for the device. -- **provider** The device provider -- **service** The device service name#N##N##N##N##N# -- **STACKID** A JSON array that provides the value and order of the STACKID tree for the device. -- **upperClassFilters** Upper filter class drivers IDs installed for the device -- **upperFilters** Upper filter drivers IDs installed for the device - - -### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd - -This event provides the basic metadata about driver binaries running on the system - -The following fields are available: - -- **DriverCheckSum** The checksum of the driver file. -- **DriverCompany** The company name that developed the driver. -- **driverInBox** Is the driver included with the operating system? 
-- **driverIsKernelMode** Is it a kernel mode driver?
-- **DriverName** The file name of the driver.
-- **driverPackageStrongName** The strong name of the driver package
-- **driverSigned** The strong name of the driver package
-- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file.
-- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000.
-- **DriverVersion** The version of the driver file.
-- **ImageSize** The size of the driver file.
-- **Inf** The name of the INF file.
-- **InventoryVersion** The version of the inventory file generating the events.
-- **Product** The product name that is included in the driver file.
-- **ProductVersion** The product version that is included in the driver file.
-- **service** The device service name
-- **WdfVersion** The Windows Driver Framework version.
-
-
-### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicator
-
-This event sends value data about the markers on custom devices, to help keep Windows up to date. The formal name for markers is UEX Indicators. See marker list for definitions.
-
-The following fields are available:
-
-- **IndicatorValue** Value of the marker/indicator
-- **Key** Name of the marker/indicator
-
-
-### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
-
-This event sends inventory component versions for the Device Inventory data.
-
-The following fields are available:
-
-- **aeinv** The version of the App inventory component.
-- **devinv** The file version of the Device inventory component.
-
-
-### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
-
-This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object.
-
-The following fields are available:
-
-- **Device** A count of device objects in cache
-- **DeviceCensus** A count of devicecensus objects in cache
-- **DriverPackageExtended** A count of driverpackageextended objects in cache
-- **File** A count of file objects in cache
-- **FileSigningInfo** A count of file signing info objects in cache.
-- **Generic** A count of generic objects in cache
-- **HwItem** A count of hwitem objects in cache
-- **InventoryApplication** A count of application objects in cache
-- **InventoryApplicationFile** A count of application file objects in cache
-- **InventoryDeviceContainer** A count of device container objects in cache
-- **InventoryDeviceInterface** A count of inventory device interface objects in cache.
-- **InventoryDeviceMediaClass** A count of device media objects in cache
-- **InventoryDevicePnp** A count of devicepnp objects in cache
-- **InventoryDriverBinary** A count of driver binary objects in cache
-- **InventoryDriverPackage** A count of device objects in cache
-- **Metadata** A count of metadata objects in cache
-- **Orphan** A count of orphan file objects in cache
-- **Programs** A count of program objects in cache
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
-
-This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent.
-
-The following fields are available:
-
-- **InventoryVersion** The version of the inventory file generating the events.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
-
-This event retrieves information about what sensor interfaces are available on the device.
-
-The following fields are available:
-
-- **Accelerometer3D** Indicates if an Accelerator3D sensor is found.
-- **ActivityDetection** Indicates if an Activity Detection sensor is found.
-- **AmbientLight** Indicates if an Ambient Light sensor is found.
-- **Barometer** Indicates if a Barometer sensor is found.
-- **Custom** Indicates if a Custom sensor is found.
-- **EnergyMeter** Indicates if an Energy sensor is found.
-- **FloorElevation** Indicates if a Floor Elevation sensor is found.
-- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found.
-- **GravityVector** Indicates if a Gravity Detector sensor is found.
-- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found.
-- **Humidity** Indicates if a Humidity sensor is found.
-- **InventoryVersion** The version of the inventory file generating the events.
-- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found.
-- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found.
-- **Orientation** Indicates if an Orientation sensor is found.
-- **Pedometer** Indicates if a Pedometer sensor is found. -- **Proximity** Indicates if a Proximity sensor is found. -- **RelativeOrientation** Indicates if a Relative Orientation sensor is found. -- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found. -- **Temperature** Indicates if a Temperature sensor is found. - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync - -This event indicates that a new sync is being generated for this object type. - -There are no fields in this event. - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd - -This event provides data on the installed Office identifiers. - -- **OAudienceData** The Office Audience descriptor. -- **OAudienceId** The Office Audience ID. -- **OMID** The Office machine ID. -- **OPlatform** The Office architecture. -- **OVersion** The Office version -- **OTenantId** The Office 365 Tenant GUID. -- **OWowMID** The Office machine ID. - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync - -This event indicates that a new sync is being generated for this object type. - -There are no fields in this event. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd - -This event provides data on the installed Office-related Internet Explorer features. - -- **OIeFeatureAddon** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeMachineLockdown** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeMimeHandling** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeMimeSniffing** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). 
-- **OIeNoAxInstall** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeNoDownload** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeObjectCaching** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIePasswordDisable** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeSafeBind** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeSecurityBand** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeUncSaveCheck** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeValidateUrl** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeWebOcPopup** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeWinRestrict** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). -- **OIeZoneElevate** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx). - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync - -This event indicates that a new sync is being generated for this object type. - -There are no fields in this event. 
- -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd - -This event describes the Office products that are installed. - -- **OC2rApps** The Office Click-to-Run apps. -- **OC2rSkus** The Office Click-to-Run products. -- **OMsiApps** The Office MSI apps. -- **OProductCodes** The Office MSI product code. - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync - -This event indicates that a new sync is being generated for this object type. - -There are no fields in this event. - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync - -This event indicates that a new sync is being generated for this object type. - -There are no fields in this event. - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync - -This event indicates that a new sync is being generated for this object type. - -There are no fields in this event. - -### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove - -This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed. - -There are no fields in this event. - ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent. -There are no fields in this event. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). -## OneDrive events -### Microsoft.OneDrive.Sync.Updater.OfficeRegistration -This event determines the status of the OneDrive integration with Microsoft Office. +## Kernel events + +### IO + +This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup. The following fields are available: -- **isValid** Is the Microsoft Office registration valid? 
+- **BytesRead** The total number of bytes read from or read by the OS upon system startup. +- **BytesWritten** The total number of bytes written to or written by the OS upon system startup. -### Microsoft.OneDrive.Sync.Updater.UpdateTierReg +### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch -This event determines status of the update tier registry values. +OS information collected during Boot, used to evaluate the success of the upgrade process. The following fields are available: -- **regReadEnterpriseHr** The HResult of the enterprise reg read value. -- **regReadTeamHr** The HResult of the team reg read value. - - -### Microsoft.OneDrive.Sync.Updater.RepairResult - -The event determines the result of the installation repair. - -The following fields are available: - -- **hr** The HResult of the operation. - - -### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult - -This event determines the status when downloading the OneDrive update configuration file. - -The following fields are available: - -- **hr** The HResult of the operation. - - -### Microsoft.OneDrive.Sync.Updater.SetupBinaryDownloadHResult - -This event indicates the status when downloading the OneDrive setup file. - -The following fields are available: - -- **hr** The HResult of the operation. - - -### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult - -This event determines the outcome of the operation. - -The following fields are available: - -- **hr** The HResult of the operation. -- **IsLoggingEnabled** Is logging enabled? -- **UpdaterVersion** The version of the updater. - - -### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus - -This event determines the error code that was returned when verifying Internet connectivity. - -The following fields are available: - -- **winInetError** The HResult of the operation. - - -### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus - -This event indicates if the OneDrive overlay icon is working correctly. 
0 = healthy; 1 = can be fixed; 2 = broken - -The following fields are available: - -- **32bit** The status of the OneDrive overlay icon on a 32-bit operating system. -- **64bit** The status of the OneDrive overlay icon on a 64-bit operating system. -- **SixtyFourBit** The status of the OneDrive overlay icon on a 32-bit operating system. -- **ThirtyTwoBit** The status of the OneDrive overlay icon on a 64-bit operating system. - - -### Microsoft.OneDrive.Sync.Updater.ComponentInstallState - -This event determines the installation state of dependent OneDrive components. - -The following fields are available: - -- **ComponentName** The name of the dependent component. -- **isInstalled** Is the dependent component installed? - - -### Microsoft.OneDrive.Sync.Updater.CommonData - -This event contains basic OneDrive configuration data that helps to diagnose failures. - -The following fields are available: - -- **AppVersion** The version of the app. -- **BuildArch** Is the architecture x86 or x64? -- **Environment** Is the device on the production or int service? -- **IsMSFTInternal** Is this an internal Microsoft device? -- **MachineGuid** The CEIP machine ID. -- **Market** Which market is this in? -- **OfficeVersion** The version of Office that is installed. -- **OneDriveDeviceId** The OneDrive device ID. -- **OSDeviceName** Only if the device is internal to Microsoft, the device name. -- **OSUserName** Only if the device is internal to Microsoft, the user name. -- **UserGuid** A unique global user identifier. - - -### Microsoft.OneDrive.Sync.Setup.APIOperation - -This event includes basic data about install and uninstall OneDrive API operations. - -The following fields are available: - -- **APIName** The name of the API. -- **Duration** How long the operation took. -- **IsSuccess** Was the operation successful? -- **ResultCode** The result code. -- **ScenarioName** The name of the scenario. 
-
-
-### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation
-
-This event is related to registering or unregistering the OneDrive update task.
-
-The following fields are available:
-
-- **APIName** The name of the API.
-- **IsSuccess** Was the operation successful?
-- **RegisterNewTaskResult** The HResult of the RegisterNewTask operation.
-- **ScenarioName** The name of the scenario.
-- **UnregisterOldTaskResult** The HResult of the UnregisterOldTask operation.
-
-
-### Microsoft.OneDrive.Sync.Setup.EndExperience
-
-This event includes a success or failure summary of the installation.
-
-The following fields are available:
-
-- **APIName** The name of the API.
-- **HResult** Indicates the result code of the event
-- **IsSuccess** Was the operation successful?
-- **ScenarioName** The name of the scenario.
-
-
-### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation
-
-This event is related to the OS version when the OS is upgraded with OneDrive installed.
-
-The following fields are available:
-
-- **CurrentOneDriveVersion** The current version of OneDrive.
-- **CurrentOSBuildBranch** The current branch of the operating system.
-- **CurrentOSBuildNumber** The current build number of the operating system.
-- **CurrentOSVersion** The current version of the operating system.
-- **HResult** The HResult of the operation.
-- **SourceOSBuildBranch** The source branch of the operating system.
-- **SourceOSBuildNumber** The source build number of the operating system.
-- **SourceOSVersion** The source version of the operating system.
-
-
-### Microsoft.OneDrive.Sync.Setup.SetupCommonData
-
-This event contains basic OneDrive configuration data that helps to diagnose failures.
-
-The following fields are available:
-
-- **AppVersion** The version of the app.
-- **BuildArchitecture** Is the architecture x86 or x64?
-- **Environment** Is the device on the production or int service?
-- **MachineGuid** The CEIP machine ID.
-- **Market** Which market is this in?
-- **MSFTInternal** Is this an internal Microsoft device?
-- **OfficeVersionString** The version of Office that is installed.
-- **OSDeviceName** Only if the device is internal to Microsoft, the device name.
-- **OSUserName** Only if the device is internal to Microsoft, the user name.
-- **UserGuid** The CEIP user ID.
+- **BootApplicationId** This field tells us what the OS Loader Application Identifier is.
+- **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system.
+- **BootSequence** The current Boot ID, used to correlate events related to a particular boot session.
+- **BootStatusPolicy** Identifies the applicable Boot Status Policy.
+- **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume").
+- **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made.
+- **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware.
+- **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed.
+- **FirmwareResetReasonPch** Reason for system reset provided by firmware.
+- **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed.
+- **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware.
+- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io).
+- **LastBootSucceeded** Flag indicating whether the last boot was successful.
+- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful.
+- **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.).
+- **RecoveryEnabled** Indicates whether recovery is enabled.
+- **UserInputTime** The amount of time the loader application spent waiting for user input. ## Remediation events ->[!NOTE] ->Events from this provider are sent with the installation of KB4023057 and any subsequent Windows update. For details, see [this support article](https://support.microsoft.com/help/4023057). - ### Microsoft.Windows.Remediation.Applicable -Reports whether a specific remediation to issues preventing security and quality updates is applicable based on detection. +This event indicates a remedial plug-in is applicable if/when such a plug-in is detected. This is used to ensure Windows is up to date. The following fields are available: -- **CV** Correlation vector. -- **DetectedCondition** Boolean true if detect condition is true and perform action will be run. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system. -- **PackageVersion** Current package version of Remediation. -- **PluginName** Name of the remediation plugin specified for each generic plugin event. -- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated is disabled. -- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS. -- **RemediationShellDeviceSccm** TRUE if the device is SCCM managed. -- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely. -- **Result** Result for detection or perform action phases of the remediation system. +- **ActionName** The name of the action to be taken by the plug-in. +- **AppraiserBinariesValidResult** Indicates whether plug-in was appraised as valid. +- **AppraiserDetectCondition** Indicates whether the plug-in passed the appraiser's check. +- **AppraiserRegistryValidResult** Indicates whether the registry entry checks out as valid. +- **AppraiserTaskDisabled** Indicates the appraiser task is disabled. 
+- **AppraiserTaskValidFailed** Indicates the Appraiser task did not function and requires intervention.
+- **CV** Correlation vector
+- **DateTimeDifference** The difference between local and reference clock times.
+- **DateTimeSyncEnabled** Indicates whether the datetime sync plug-in is enabled.
+- **DaysSinceLastSIH** The number of days since the most recent SIH executed.
+- **DaysToNextSIH** The number of days until the next scheduled SIH execution.
+- **DetectedCondition** Indicates whether detect condition is true and the perform action will be run.
+- **EvalAndReportAppraiserBinariesFailed** Indicates the EvalAndReportAppraiserBinaries event failed.
+- **EvalAndReportAppraiserRegEntries** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.
+- **EvalAndReportAppraiserRegEntriesFailed** Indicates the EvalAndReportAppraiserRegEntriesFailed event failed.
+- **GlobalEventCounter** Client side counter that indicates ordering of events sent by the remediation system.
+- **HResult** The HRESULT for detection or perform action phases of the plugin.
+- **IsAppraiserLatestResult** The HRESULT from the appraiser task.
+- **IsConfigurationCorrected** Indicates whether the configuration of SIH task was successfully corrected.
+- **LastHresult** The HRESULT for detection or perform action phases of the plugin.
+- **LastRun** The date of the most recent SIH run.
+- **NextRun** Date of the next scheduled SIH run.
+- **PackageVersion** The version of the current remediation package.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Reload** True if SIH reload is required.
+- **RemediationNoisyHammerAcLineStatus** Event that indicates the AC Line Status of the machine.
+- **RemediationNoisyHammerAutoStartCount** The number of times hammer auto-started.
+- **RemediationNoisyHammerCalendarTaskEnabled** Event that indicates Update Assistant Calendar Task is enabled.
+- **RemediationNoisyHammerCalendarTaskExists** Event that indicates an Update Assistant Calendar Task exists.
+- **RemediationNoisyHammerCalendarTaskTriggerEnabledCount** Event that indicates calendar triggers are enabled in the task.
+- **RemediationNoisyHammerDaysSinceLastTaskRunTime** The number of days since the most recent hammer task ran.
+- **RemediationNoisyHammerGetCurrentSize** Size in MB of the $GetCurrent folder.
+- **RemediationNoisyHammerIsInstalled** TRUE if the noisy hammer is installed.
+- **RemediationNoisyHammerLastTaskRunResult** The result of the last hammer task run.
+- **RemediationNoisyHammerMeteredNetwork** TRUE if the machine is on a metered network.
+- **RemediationNoisyHammerTaskEnabled** Indicates whether the Update Assistant Task (Noisy Hammer) is enabled.
+- **RemediationNoisyHammerTaskExists** Indicates whether the Update Assistant Task (Noisy Hammer) exists.
+- **RemediationNoisyHammerTaskTriggerEnabledCount** Indicates whether counting is enabled for the Update Assistant (Noisy Hammer) task trigger.
+- **RemediationNoisyHammerUAExitCode** The exit code of the Update Assistant (Noisy Hammer) task.
+- **RemediationNoisyHammerUAExitState** The code for the exit state of the Update Assistant (Noisy Hammer) task.
+- **RemediationNoisyHammerUserLoggedIn** TRUE if there is a user logged in.
+- **RemediationNoisyHammerUserLoggedInAdmin** TRUE if there is the user currently logged in is an Admin.
+- **RemediationShellDeviceManaged** TRUE if the device is WSUS managed or Windows Updated disabled.
+- **RemediationShellDeviceNewOS** TRUE if the device has a recently installed OS.
+- **RemediationShellDeviceSccm** TRUE if the device is managed by SCCM (Microsoft System Center Configuration Manager).
+- **RemediationShellDeviceZeroExhaust** TRUE if the device has opted out of Windows Updates completely.
+- **RemediationTargetMachine** Indicates whether the device is a target of the specified fix.
+- **RemediationTaskHealthAutochkProxy** True/False based on the health of the AutochkProxy task.
+- **RemediationTaskHealthChkdskProactiveScan** True/False based on the health of the Check Disk task.
+- **RemediationTaskHealthDiskCleanup_SilentCleanup** True/False based on the health of the Disk Cleanup task.
+- **RemediationTaskHealthMaintenance_WinSAT** True/False based on the health of the Health Maintenance task.
+- **RemediationTaskHealthServicing_ComponentCleanupTask** True/False based on the health of the Health Servicing Component task.
+- **RemediationTaskHealthUSO_ScheduleScanTask** True/False based on the health of the USO (Update Session Orchestrator) Schedule task.
+- **RemediationTaskHealthWindowsUpdate_ScheduledStartTask** True/False based on the health of the Windows Update Scheduled Start task.
+- **RemediationTaskHealthWindowsUpdate_SihbootTask** True/False based on the health of the Sihboot task.
+- **RemediationUHServiceBitsServiceEnabled** Indicates whether BITS service is enabled.
+- **RemediationUHServiceDeviceInstallEnabled** Indicates whether Device Install service is enabled.
+- **RemediationUHServiceDoSvcServiceEnabled** Indicates whether DO service is enabled.
+- **RemediationUHServiceDsmsvcEnabled** Indicates whether DSMSVC service is enabled.
+- **RemediationUHServiceLicensemanagerEnabled** Indicates whether License Manager service is enabled.
+- **RemediationUHServiceMpssvcEnabled** Indicates whether MPSSVC service is enabled.
+- **RemediationUHServiceTokenBrokerEnabled** Indicates whether Token Broker service is enabled.
+- **RemediationUHServiceTrustedInstallerServiceEnabled** Indicates whether Trusted Installer service is enabled.
+- **RemediationUHServiceUsoServiceEnabled** Indicates whether USO (Update Session Orchestrator) service is enabled.
+- **RemediationUHServicew32timeServiceEnabled** Indicates whether W32 Time service is enabled.
+- **RemediationUHServiceWecsvcEnabled** Indicates whether WECSVC service is enabled.
+- **RemediationUHServiceWinmgmtEnabled** Indicates whether WMI service is enabled. +- **RemediationUHServiceWpnServiceEnabled** Indicates whether WPN service is enabled. +- **RemediationUHServiceWuauservServiceEnabled** Indicates whether WUAUSERV service is enabled. +- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin. +- **RunAppraiserFailed** Indicates RunAppraiser failed to run correctly. +- **RunTask** TRUE if SIH task should be run by the plug-in. +- **TimeServiceNTPServer** The URL for the NTP time server used by device. +- **TimeServiceStartType** The startup type for the NTP time service. +- **TimeServiceSyncDomainJoined** True if device domain joined and hence uses DC for clock. +- **TimeServiceSyncType** Type of sync behavior for Date & Time service on device. + ### Microsoft.Windows.Remediation.ChangePowerProfileDetection 
@@ -2802,166 +2794,181 @@ Indicates whether the remediation system can put in a request to defer a system- The following fields are available: -- **ActionName** A descriptive name for the plugin action. -- **CurrentPowerPlanGUID** The ID of the current power plan configured on the device. -- **CV** Correlation vector. -- **GlobalEventCounter** Counter that indicates the ordering of events on the device. -- **PackageVersion** Current package version of remediation service. -- **RemediationBatteryPowerBatteryLevel** Integer between 0 and 100 indicating % battery power remaining (if not on battery, expect 0). -- **RemediationFUInProcess** Result that shows whether the device is currently installing a feature update. -- **RemediationScanInProcess** Result that shows whether the device is currently scanning for updates. -- **RemediationTargetMachine** Result that shows whether this device is a candidate for remediation(s) that will fix update issues. -- **SetupMutexAvailable** Result that shows whether setup mutex is available or not. -- **SysPowerStatusAC** Result that shows whether system is on AC power or not. +- **ActionName** A descriptive name for the plugin action +- **CurrentPowerPlanGUID** The ID of the current power plan configured on the device +- **CV** Correlation vector +- **GlobalEventCounter** Counter that indicates the ordering of events on the device +- **PackageVersion** Current package version of remediation service +- **RemediationBatteryPowerBatteryLevel** Integer between 0 and 100 indicating % battery power remaining (if not on battery, expect 0) +- **RemediationFUInProcess** Result that shows whether the device is currently installing a feature update +- **RemediationFURebootRequred** Indicates that a feature update reboot required was detected so the plugin will exit. 
+- **RemediationScanInProcess** Result that shows whether the device is currently scanning for updates +- **RemediationTargetMachine** Result that shows whether this device is a candidate for remediation(s) that will fix update issues +- **SetupMutexAvailable** Result that shows whether setup mutex is available or not +- **SysPowerStatusAC** Result that shows whether system is on AC power or not + ### Microsoft.Windows.Remediation.Completed -Enables tracking the completion of a process that remediates issues preventing security and quality updates. +This event enables completion tracking of a process that remediates issues preventing security and quality updates. The following fields are available: -- **CV** Correlation vector. -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system. -- **PackageVersion** Current package version of Remediation. -- **PluginName** Name of the specific remediation for each generic plugin event. -- **RemediationNoisyHammerTaskKickOffIsSuccess** Event that indicates the Update Assistant task has been started successfully. -- **Result** Indicates whether the remediation has completed. +- **ActionName** Name of the action to be completed by the plug-in. +- **AppraiserTaskCreationFailed** TRUE if the appraiser task creation failed to complete successfully. +- **AppraiserTaskDeleteFailed** TRUE if deletion of appraiser task failed to complete successfully. +- **AppraiserTaskExistFailed** TRUE if detection of the appraiser task failed to complete successfully. +- **AppraiserTaskLoadXmlFailed** TRUE if the Appraiser XML Loader failed to complete successfully. +- **AppraiserTaskMissing** TRUE if the Appraiser task is missing. +- **AppraiserTaskTimeTriggerUpdateFailedId** TRUE if the Appraiser Task Time Trigger failed to update successfully. +- **AppraiserTaskValidateTaskXmlFailed** TRUE if the Appraiser Task XML failed to complete successfully. 
+- **branchReadinessLevel** Branch readiness level policy.
+- **cloudControlState** Value indicating whether the shell is enabled on the cloud control settings.
+- **CrossedDiskSpaceThreshold** Indicates if cleanup resulted in hard drive usage threshold required for feature update to be exceeded.
+- **CV** The Correlation Vector.
+- **DateTimeDifference** The difference between the local and reference clocks.
+- **DaysSinceOsInstallation** The number of days since the installation of the Operating System.
+- **DiskMbCleaned** The amount of space cleaned on the hard disk, measured in Megabytes.
+- **DiskMbFreeAfterCleanup** The amount of free hard disk space after cleanup, measured in Megabytes.
+- **DiskMbFreeBeforeCleanup** The amount of free hard disk space before cleanup, measured in Megabytes.
+- **ForcedAppraiserTaskTriggered** TRUE if Appraiser task ran from the plug-in.
+- **GlobalEventCounter** Client-side counter that indicates ordering of events sent by the active user.
+- **HandlerCleanupFreeDiskInMegabytes** The amount of hard disk space cleaned by the storage sense handlers, measured in Megabytes.
+- **hasRolledBack** Indicates whether the client machine has rolled back.
+- **hasUninstalled** Indicates whether the client machine has uninstalled a later version of the OS.
+- **hResult** The result of the event execution.
+- **HResult** The result of the event execution.
+- **installDate** The value of installDate registry key. Indicates the install date.
+- **isNetworkMetered** Indicates whether the client machine has uninstalled a later version of the OS.
+- **LatestState** The final state of the plug-in component.
+- **MicrosoftCompatibilityAppraiser** The name of the component targeted by the Appraiser plug-in.
+- **PackageVersion** The package version for the current Remediation.
+- **PageFileCount** The number of Windows Page files.
+- **PageFileCurrentSize** The size of the Windows Page file, measured in Megabytes.
+- **PageFileLocation** The storage location (directory path) of the Windows Page file.
+- **PageFilePeakSize** The maximum amount of hard disk space used by the Windows Page file, measured in Megabytes.
+- **PluginName** The name of the plug-in specified for each generic plug-in event.
+- **RanCleanup** TRUE if the plug-in ran disk cleanup.
+- **RemediationBatteryPowerBatteryLevel** Indicates the battery level at which it is acceptable to continue operation.
+- **RemediationBatteryPowerExitDueToLowBattery** True when we exit due to low battery power.
+- **RemediationBatteryPowerOnBattery** True if we allow execution on battery.
+- **RemediationConfigurationTroubleshooterExecuted** True/False based on whether the Remediation Configuration Troubleshooter executed successfully.
+- **RemediationConfigurationTroubleshooterIpconfigFix** TRUE if IPConfig Fix completed successfully.
+- **RemediationConfigurationTroubleshooterNetShFix** TRUE if network card cache reset ran successfully.
+- **RemediationDiskCleanSizeBtWindowsFolderInMegabytes** The size of the Windows BT folder (used to store Windows upgrade files), measured in Megabytes.
+- **RemediationDiskCleanupBTFolderEsdSizeInMB** The size of the Windows BT folder (used to store Windows upgrade files) ESD (Electronic Software Delivery), measured in Megabytes.
+- **RemediationDiskCleanupGetCurrentEsdSizeInMB** The size of any existing ESD (Electronic Software Delivery) folder, measured in Megabytes.
+- **RemediationDiskCleanupSearchFileSizeInMegabytes** The size of the Cleanup Search index file, measured in Megabytes.
+- **RemediationDiskCleanupUpdateAssistantSizeInMB** The size of the Update Assistant folder, measured in Megabytes.
+- **RemediationDoorstopChangeSucceeded** TRUE if Doorstop registry key was successfully modified.
+- **RemediationDoorstopExists** TRUE if there is a One Settings Doorstop value.
+- **RemediationDoorstopRegkeyError** TRUE if an error occurred accessing the Doorstop registry key.
+- **RemediationDRFKeyDeleteSucceeded** TRUE if the RecoveredFrom (Doorstop) registry key was successfully deleted.
+- **RemediationDUABuildNumber** The build number of the DUA.
+- **RemediationDUAKeyDeleteSucceeded** TRUE if the UninstallActive registry key was successfully deleted.
+- **RemediationDuplicateTokenSucceeded** TRUE if the user token was successfully duplicated.
+- **remediationExecution** Remediation shell is in "applying remediation" state.
+- **RemediationHibernationMigrated** TRUE if hibernation was migrated.
+- **RemediationHibernationMigrationSucceeded** TRUE if hibernation migration succeeded.
+- **RemediationImpersonateUserSucceeded** TRUE if the user was successfully impersonated.
+- **RemediationNoisyHammerTaskKickOffIsSuccess** TRUE if the NoisyHammer task started successfully.
+- **RemediationQueryTokenSucceeded** TRUE if the user token was successfully queried.
+- **RemediationRanHibernation** TRUE if the system entered Hibernation.
+- **RemediationRevertToSystemSucceeded** TRUE if reversion to the system context succeeded.
+- **RemediationShellHasUpgraded** TRUE if the device upgraded.
+- **RemediationShellMinimumTimeBetweenShellRuns** Indicates the time between shell runs exceeded the minimum required to execute plugins.
+- **RemediationShellRunFromService** TRUE if the shell driver was run from the service.
+- **RemediationShellSessionIdentifier** Unique identifier tracking a shell session.
+- **RemediationShellSessionTimeInSeconds** Indicates the time the shell session took in seconds.
+- **RemediationShellTaskDeleted** Indicates that the shell task has been deleted so no additional sediment pack runs occur for this installation.
+- **RemediationUpdateServiceHealthRemediationResult** The result of the Update Service Health plug-in.
+- **RemediationUpdateTaskHealthRemediationResult** The result of the Update Task Health plug-in.
+- **RemediationUpdateTaskHealthTaskList** A list of tasks fixed by the Update Task Health plug-in.
+- **RemediationWindowsLogSpaceFound** The size of the Windows log files found, measured in Megabytes.
+- **RemediationWindowsLogSpaceFreed** The amount of disk space freed by deleting the Windows log files, measured in Megabytes.
+- **RemediationWindowsSecondaryDriveFreeSpace** The amount of free space on the secondary drive, measured in Megabytes.
+- **RemediationWindowsSecondaryDriveLetter** The letter designation of the first secondary drive with a total capacity of 10GB or more.
+- **RemediationWindowsSecondaryDriveTotalSpace** The total storage capacity of the secondary drive, measured in Megabytes.
+- **RemediationWindowsTotalSystemDiskSize** The total storage capacity of the System Disk Drive, measured in Megabytes.
+- **Result** The HRESULT for Detection or Perform Action phases of the plug-in.
+- **RunResult** The HRESULT for Detection or Perform Action phases of the plug-in.
+- **ServiceHealthPlugin** The nae of the Service Health plug-in.
+- **StartComponentCleanupTask** TRUE if the Component Cleanup task started successfully.
+- **systemDriveFreeDiskSpace** Indicates the free disk space on system drive in MBs.
+- **systemUptimeInHours** Indicates the amount of time the system in hours has been on since the last boot.
+- **TotalSizeofOrphanedInstallerFilesInMegabytes** The size of any orphaned Windows Installer files, measured in Megabytes.
+- **TotalSizeofStoreCacheAfterCleanupInMegabytes** The size of the Windows Store cache after cleanup, measured in Megabytes.
+- **TotalSizeofStoreCacheBeforeCleanupInMegabytes** The size of the Windows Store cache (prior to cleanup), measured in Megabytes.
+- **uninstallActive** TRUE if previous uninstall has occurred for current OS
+- **usoScanDaysSinceLastScan** The number of days since the last USO (Update Session Orchestrator) scan.
+- **usoScanInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans.
+- **usoScanIsAllowAutoUpdateKeyPresent** TRUE if the AllowAutoUpdate registry key is set.
+- **usoScanIsAllowAutoUpdateProviderSetKeyPresent** TRUE if AllowAutoUpdateProviderSet registry key is set.
+- **usoScanIsAuOptionsPresent** TRUE if Auto Update Options registry key is set.
+- **usoScanIsFeatureUpdateInProgress** TRUE if a USO (Update Session Orchestrator) scan is in progress, to prevent multiple simultaneous scans.
+- **usoScanIsNetworkMetered** TRUE if the device is currently connected to a metered network.
+- **usoScanIsNoAutoUpdateKeyPresent** TRUE if no Auto Update registry key is set/present.
+- **usoScanIsUserLoggedOn** TRUE if the user is logged on.
+- **usoScanPastThreshold** TRUE if the most recent USO (Update Session Orchestrator) scan is past the threshold (late).
+- **usoScanType** The type of USO (Update Session Orchestrator) scan (Interactive or Background).
+- **windows10UpgraderBlockWuUpdates** Event to report the value of Windows 10 Upgrader BlockWuUpdates Key.
+- **windowsEditionId** Event to report the value of Windows Edition ID.
+- **WindowsHyberFilSysSizeInMegabytes** The size of the Windows Hibernation file, measured in Megabytes.
+- **WindowsInstallerFolderSizeInMegabytes** The size of the Windows Installer folder, measured in Megabytes.
+- **WindowsOldFolderSizeInMegabytes** The size of the Windows.OLD folder, measured in Megabytes.
+- **WindowsOldSpaceCleanedInMB** The amount of disk space freed by removing the Windows.OLD folder, measured in Megabytes.
+- **WindowsPageFileSysSizeInMegabytes** The size of the Windows Page file, measured in Megabytes.
+- **WindowsSoftwareDistributionFolderSizeInMegabytes** The size of the SoftwareDistribution folder, measured in Megabytes.
+- **WindowsSwapFileSysSizeInMegabytes** The size of the Windows Swap file, measured in Megabytes.
+- **WindowsSxsFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) folder, measured in Megabytes.
+- **WindowsSxsTempFolderSizeInMegabytes** The size of the WinSxS (Windows Side-by-Side) Temp folder, measured in Megabytes.
+- **windowsUpgradeRecoveredFromRs4** Event to report the value of the Windows Upgrade Recovered key.
+
 ### Microsoft.Windows.Remediation.RemediationShellMainExeEventId
-Enables tracking the ID of a process that remediates issues preventing security and quality updates.
+Enables tracking of completion of process that remediates issues preventing security and quality updates.
 The following fields are available:
-- **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system.
-- **PackageVersion** Current package version of Remediation.
-- **RemediationShellCanAcquireSedimentMutex** True if the remediation was able to acquire the sediment mutex. False if it is already running.
-- **RemediationShellExecuteShellResult** Indicates if the remediation system completed without errors.
-- **RemediationShellFoundDriverDll** Indicates whether the remediation system found its component files to run properly.
-- **RemediationShellLoadedShellDriver** Indicates whether the remediation system loaded its component files to run properly.
-- **RemediationShellLoadedShellFunction** Indicates whether the remediation system loaded the functions from its component files to run properly.
+- **CV** Client side counter which indicates ordering of events sent by the remediation system.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system.
+- **PackageVersion** Current package version of Remediation.
+- **RemediationShellCanAcquireSedimentMutex** True if the remediation was able to acquire the sediment mutex. False if it is already running.
+- **RemediationShellExecuteShellResult** Indicates if the remediation system completed without errors.
+- **RemediationShellFoundDriverDll** Result whether the remediation system found its component files to run properly.
+- **RemediationShellLoadedShellDriver** Result whether the remediation system loaded its component files to run properly.
+- **RemediationShellLoadedShellFunction** Result whether the remediation system loaded the functions from its component files to run properly.
+
 ### Microsoft.Windows.Remediation.Started
-Enables tracking the start of a process that remediates issues preventing security and quality updates.
+This event reports whether a plug-in started, to help ensure Windows is up to date.
 The following fields are available:
-- **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events sent by the remediation system.
-- **PackageVersion** Current package version of Remediation.
-- **PluginName** Name of the specific remediation for each generic plugin event.
-- **Result** Results of the detection or perform action phases of the remediation system.
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
-## Sediment Service events
->[!NOTE]
->Events from this provider are sent with the installation of KB4023057 and any subsequent Windows update. For details, see [this support article](https://support.microsoft.com/help/4023057).
+## Sediment events
-### Microsoft.Windows.SedimentService.Applicable
+### Microsoft.Windows.Sediment.OSRSS.UrlState
-Indicates whether a given plugin is applicable.
+This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL.
 The following fields are available:
-- **CV** Correlation vector.
-- **DetectedCondition** Boolean true if detect condition is true and perform action will be run.
-- **GlobalEventCounter** Client side counter which indicates ordering of events.
-- **IsSelfUpdateEnabledInOneSettings** True/False based on whether self update is enabled.
-- **IsSelfUpdateNeeded** True/False based on whether a newer version is available.
-- **PackageVersion** Version of the package.
-- **PluginName** Name of the plugin specified for each generic plugin event.
-- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+- **Id** A number identifying the URL
+- **ServiceVersionMajor** Version info for the component
+- **ServiceVersionMinor** Version info for the component
+- **StateData** State-specific data, such as which attempt number for the download
+- **StateNumber** A number identifying which state the URL is in (found, downloading, extracted, etc.)
+- **Time** System timestamp the event was fired
-### Microsoft.Windows.SedimentService.Completed
-
-Indicates whether a given plugin has completed its work.
-
-The following fields are available:
-
-- **CV** Correlation vector.
-- **FailedReasons** String reason for any plugin failures.
-- **GlobalEventCounter** Client side counter which indicates ordering of events.
-- **PackageVersion** Current package version of Remediation.
-- **PluginName** Name of the plugin specified for each generic plugin event.
-- **Result** Result of the service execution.
-- **SedimentServiceCheckTaskFunctional** Result of checking if the scheduled task is functional.
-- **SedimentServiceCurrentBytes** Current number of bytes the service is consuming.
-- **SedimentServiceKillService** True/False based on whether the service should be stopped.
-- **SedimentServiceMaximumBytes** Maximum bytes the service can consume.
-- **SedimentServiceRetrievedKillService** True/False whether the kill service information was retrieved.
-- **SedimentServiceStopping** True/False indicating whether the service was found to be stopping.
-- **SedimentServiceTaskFunctional** True/False if scheduled task is functional. If task is not functional this indicates plugins will be run.
-- **SedimentServiceTotalIterations** Number of iterations service will wait before running again.
-
-### Microsoft.Windows.SedimentService.Error
-
-Indicates whether an error condition occurs in the plugin.
-
-The following fields are available:
-
-- **Message** String message containing information from the service.
-- **PackageVersion** Version of the package.
-- **HResult** Return value from the plugin result.
-
-### Microsoft.Windows.SedimentService.FallbackError
-
-Indicates whether an error occurs for a fallback in the plugin.
-
-The following fields are available:
-
-- **s0** Fallback error level.
-- **wilResult** Result for Windows Installer Logging function.
-
-### Microsoft.Windows.SedimentService.Information
-
-General information returned from the plugin.
-
-The following fields are available:
-
-- **HResult** Result of the plugin execution.
-- **Message** Information collected from the plugin based on the purpose of the plugin.
-- **PackageVersion** Version of the package.
-
-### Microsoft.Windows.SedimentService.Started
-
-Indicates that a given plugin has started.
-
-The following fields are available:
-
-- **CV** Correlation vector
-- **GlobalEventCounter** Client side counter which indicates ordering of events.
-- **PackageVersion** Version of the package.
-- **PluginName** Name of the plugin running.
-- **Result** Return code from the plugin result.
-
-### Microsoft.Windows.SedimentService.wilResult
-
-Result from the windows internal library.
-
-The following fields are available:
-
-- **callContext** List of telemetry activities containing this error.
-- **currentContextId** Identifier for the newest telemetry activity containing this error.
-- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any).
-- **currentContextName** Name of the newest telemetry activity containing this error.
-- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast.
-- **failureId** Identifier assigned to this failure.
-- **filename** The name of the source file where the error occurred.
-- **hresult** Failure error code.
-- **lineNumber** Line number within the source file where the error occurred.
-- **message** Custom message associated with the failure (if any).
-- **module** Name of the binary where the error occurred.
-- **originatingContextId** Identifier for the oldest telemetry activity containing this error.
-- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any).
-- **originatingContextName** Name of the oldest telemetry activity containing this error.
-- **threadId** Identifier of the thread the error occurred on.
-
-## Sediment Launcher events
-
->[!NOTE]
->Events from this provider are sent with the installation of KB4023057 and any subsequent Windows update. For details, see [this support article](https://support.microsoft.com/help/4023057).
 ### Microsoft.Windows.SedimentLauncher.Applicable
@@ -2969,14 +2976,15 @@ Indicates whether a given plugin is applicable.
 The following fields are available:
-- **CV** Correlation vector.
-- **DetectedCondition** Boolean true if detect condition is true and action will be run.
-- **GlobalEventCounter** Client side counter which indicates ordering of events.
-- **IsSelfUpdateEnabledInOneSettings** True/False based on whether self update is enabled.
-- **IsSelfUpdateNeeded** True/False based on whether a newer version is available.
-- **PackageVersion** Version of the package.
-- **PluginName** Name of the plugin specified for each generic plugin event.
-- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+- **CV** Correlation vector.
+- **DetectedCondition** Boolean true if detect condition is true and perform action will be run.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **IsSelfUpdateEnabledInOneSettings** True if self update enabled in Settings.
+- **IsSelfUpdateNeeded** True if self update needed by device.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
 ### Microsoft.Windows.SedimentLauncher.Completed
@@ -2984,13 +2992,14 @@ Indicates whether a given plugin has completed its work.
 The following fields are available:
-- **CV** Correlation vector.
-- **FailedReasons** String reason for any plugin failures.
-- **GlobalEventCounter** Client side counter which indicates ordering of events.
-- **PackageVersion** Current package version of Remediation.
-- **PluginName** Name of the plugin specified for each generic plugin event.
-- **Result** Result of the service execution.
-- **SedLauncherExecutionResult** Final result of launcher running the plugins from the dll.
+- **CV** Correlation vector.
+- **FailedReasons** Concatenated list of failure reasons.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+- **SedLauncherExecutionResult** HRESULT for one execution of the Sediment Launcher.
+
 ### Microsoft.Windows.SedimentLauncher.Error
@@ -2998,89 +3007,180 @@ Error occurred during execution of the plugin.
 The following fields are available:
-- **Message** Information message returned from a plugin containing only information internal to plugin execution.
-- **PackageVersion** Version of the package.
-- **HResult** Return value from the plugin result.
+- **HResult** The result for the Detection or Perform Action phases of the plug-in.
+- **Message** A message containing information about the error that occurred (if any).
+- **PackageVersion** The version number of the current remediation package.
+
 ### Microsoft.Windows.SedimentLauncher.FallbackError
-Error occurred during execution of the plugin fallback.
+This event indicates that an error occurred during execution of the plug-in fallback.
 The following fields are available:
-- **s0** Fallback error level for plugin.
-- **wilResult** Result from executing Windows Installer Logging based function.
+- **s0** Error occurred during execution of the plugin fallback. See [Microsoft.Windows.SedimentLauncher.wilResult](#microsoftwindowssedimentlauncherwilresult).
+- **wilResult** Result from executing wil based function. See [wilResult](#wilresult).
+
 ### Microsoft.Windows.SedimentLauncher.Information
-General information returned from the plugin.
+This event provides general information returned from the plug-in.
 The following fields are available:
-- **HResult** Result of the plugin execution.
-- **Message** Information collected from the plugin based on the purpose of the plugin.
-- **PackageVersion** Version of the package.
+- **HResult** This is the HRESULT for detection or perform action phases of the plugin.
+- **Message** Information message returned from a plugin containing only information internal to the plugins execution.
+- **PackageVersion** Current package version of Remediation.
+
 ### Microsoft.Windows.SedimentLauncher.Started
-Indicates that a given plugin has started.
+This event indicates that a given plug-in has started.
The following fields are available:
-- **CV** Correlation vector.
-- **GlobalEventCounter** Client side counter which indicates ordering of events.
-- **PackageVersion** Version of the package.
-- **PluginName** Name of the plugin running.
-- **Result** Return code from the plugin result.
+- **CV** Correlation vector.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
 ### Microsoft.Windows.SedimentLauncher.wilResult
-Result from the windows internal library.
+This event provides the result from the Windows internal library.
 The following fields are available:
-- **callContext** List of telemetry activities containing this error.
-- **currentContextId** Identifier for the newest telemetry activity containing this error.
-- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any).
-- **currentContextName** Name of the newest telemetry activity containing this error.
-- **failurecount** Number of failures seen.
-- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast.
-- **failureId** Identifier assigned to this failure.
-- **filename** The name of the source file where the error occurred.
-- **function** Name of the function where the error occurred.
-- **hresult** Failure error code.
-- **lineNumber** Line number within the source file where the error occurred.
-- **message** Custom message associated with the failure (if any).
-- **module** Name of the binary where the error occurred.
-- **originatingContextId** Identifier for the oldest telemetry activity containing this error.
-- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any).
-- **originatingContextName** Name of the oldest telemetry activity containing this error.
-- **threadId** Identifier of the thread the error occurred on.
+- **callContext** List of telemetry activities containing this error.
+- **currentContextId** Identifier for the newest telemetry activity containing this error.
+- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any).
+- **currentContextName** Name of the newest telemetry activity containing this error.
+- **failureCount** Number of failures seen within the binary where the error occurred.
+- **failureId** Identifier assigned to this failure.
+- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast).
+- **fileName** Source code file name where the error occurred.
+- **function** Name of the function where the error occurred.
+- **hresult** Failure error code.
+- **lineNumber** Line number within the source code file where the error occurred.
+- **message** Custom message associated with the failure (if any).
+- **module** Name of the binary where the error occurred.
+- **originatingContextId** Identifier for the oldest telemetry activity containing this error.
+- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any).
+- **originatingContextName** Name of the oldest telemetry activity containing this error.
+- **threadId** Identifier of the thread the error occurred on.
+
+
+### Microsoft.Windows.SedimentService.Applicable
+
+This event indicates whether a given plug-in is applicable.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **DetectedCondition** Determine whether action needs to run based on device properties.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **IsSelfUpdateEnabledInOneSettings** Indicates if self update is enabled in One Settings.
+- **IsSelfUpdateNeeded** Indicates if self update is needed.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+
+
+### Microsoft.Windows.SedimentService.Completed
+
+This event indicates whether a given plug-in has completed its work.
+
+The following fields are available:
+
+- **CV** Correlation vector.
+- **FailedReasons** List of reasons when the plugin action failed.
+- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user.
+- **PackageVersion** Current package version of Remediation.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for detection or perform action phases of the plugin.
+- **SedimentServiceCheckTaskFunctional** True/False if scheduled task check succeeded.
+- **SedimentServiceCurrentBytes** Number of current private bytes of memory consumed by sedsvc.exe.
+- **SedimentServiceKillService** True/False if service is marked for kill (Shell.KillService).
+- **SedimentServiceMaximumBytes** Maximum bytes allowed for the service.
+- **SedimentServiceRetrievedKillService** True/False if result of One Settings check for kill succeeded - we only send back one of these indicators (not for each call).
+- **SedimentServiceStopping** True/False indicating whether the service is stopping.
+- **SedimentServiceTaskFunctional** True/False if scheduled task is functional. If task is not functional this indicates plugins will be run.
+- **SedimentServiceTotalIterations** Number of 5 second iterations service will wait before running again.
+
+
+### Microsoft.Windows.SedimentService.Error
+
+This event indicates whether an error condition occurred in the plug-in.
+
+The following fields are available:
+
+- **HResult** This is the HRESULT for detection or perform action phases of the plugin.
+- **Message** Custom message associated with the failure (if any).
+- **PackageVersion** Current package version of Remediation.
+
+
+### Microsoft.Windows.SedimentService.FallbackError
+
+This event indicates whether an error occurred for a fallback in the plug-in.
+
+The following fields are available:
+
+- **s0** Event returned when an error occurs for a fallback in the plugin. See [Microsoft.Windows.SedimentService.wilResult](#microsoftwindowssedimentservicewilresult).
+- **wilResult** Result for wil based function. See [wilResult](#wilresult).
+
+
+### Microsoft.Windows.SedimentService.Information
+
+This event provides general information returned from the plug-in.
+
+The following fields are available:
+
+- **HResult** This is the HRESULT for detection or perform action phases of the plugin.
+- **Message** Custom message associated with the failure (if any).
+- **PackageVersion** Current package version of Remediation.
+
+
+### Microsoft.Windows.SedimentService.Started
+
+This event indicates a specified plug-in has started. This information helps ensure Windows is up to date.
+
+The following fields are available:
+
+- **CV** The Correlation Vector.
+- **GlobalEventCounter** The client-side counter that indicates ordering of events.
+- **PackageVersion** The version number of the current remediation package.
+- **PluginName** Name of the plugin specified for each generic plugin event.
+- **Result** This is the HRESULT for Detection or Perform Action phases of the plugin.
+
+
+### Microsoft.Windows.SedimentService.wilResult
+
+This event provides the result from the Windows internal library.
+
+The following fields are available:
+
+- **callContext** List of telemetry activities containing this error.
+- **currentContextId** Identifier for the newest telemetry activity containing this error.
+- **currentContextMessage** Custom message associated with the newest telemetry activity containing this error (if any).
+- **currentContextName** Name of the newest telemetry activity containing this error.
+- **failureCount** Number of failures seen within the binary where the error occurred.
+- **failureId** Identifier assigned to this failure.
+- **failureType** Indicates what type of failure was observed (exception, returned error, logged error or fail fast).
+- **fileName** Source code file name where the error occurred.
+- **function** Name of the function where the error occurred.
+- **hresult** Failure error code.
+- **lineNumber** Line number within the source code file where the error occurred.
+- **message** Custom message associated with the failure (if any).
+- **module** Name of the binary where the error occurred.
+- **originatingContextId** Identifier for the oldest telemetry activity containing this error.
+- **originatingContextMessage** Custom message associated with the oldest telemetry activity containing this error (if any).
+- **originatingContextName** Name of the oldest telemetry activity containing this error.
+- **threadId** Identifier of the thread the error occurred on.
+
 ## Setup events
-### SetupPlatformTel.SetupPlatformTelActivityStarted
-
-This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date.
-
-The following fields are available:
-
-- **Name** The name of the dynamic update type.
Example: GDR driver
-
-
-### SetupPlatformTel.SetupPlatformTelActivityEvent
-
-This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up-to-date
-
-The following fields are available:
-
-- **ActivityId** Provides a unique Id to correlate events that occur between a activity start event, and a stop event
-- **ActivityName** Provides a friendly name of the package type that belongs to the ActivityId (Setup, LanguagePack, GDR, Driver, etc.)
-- **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
-- **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
-- **value** Value associated with the corresponding event name. For example, time-related events will include the system time
-
-
 ### SetupPlatformTel.SetupPlatformTelEvent
 This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios.
@@ -3088,21 +3188,22 @@ This service retrieves events generated by SetupPlatform, the engine that drives
 The following fields are available:
 - **FieldName** Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
-- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time.
 - **GroupName** Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
+- **Value** Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time.
 ## Shared PC events
 ### Microsoft.Windows.SharedPC.AccountManager.DeleteUserAccount
-Activity for deletion of a user account for devices set up for Shared PC mode as part of the Transient Account Manager to help keep Windows up to date. Deleting unused user accounts on shared devices frees up disk space to improve Windows Update success rates.
+Activity for deletion of a user account for devices set up for Shared PC mode as part of the Transient Account Manager to help keep Windows up to date. Deleting un-used user accounts on Education/Shared PCs frees up disk space to improve Windows Update success rates.
 The following fields are available:
 - **accountType** The type of account that was deleted. Example: AD, AAD, or Local
+- **deleteState** Whether the attempted deletion of the user account was successful.
 - **userSid** The security identifier of the account.
-- **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager.
+- **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager. See [wilActivity](#wilactivity).
 ### Microsoft.Windows.SharedPC.AccountManager.SinglePolicyEvaluation
@@ -3111,129 +3212,232 @@ Activity for run of the Transient Account Manager that determines if any user ac The following fields are available: -- **wilActivity** Windows Error Reporting data collected when there is a failure in evaluating accounts to be deleted with the Transient Account Manager. -- **totalAccountCount** The number of accounts on a device after running the Transient Account Manager policies. - **evaluationTrigger** When was the Transient Account Manager policies ran? Example: At log off or during maintenance hours +- **totalAccountCount** The number of accounts on a device after running the Transient Account Manager policies. +- **wilActivity** Windows Error Reporting data collected when there is a failure in evaluating accounts to be deleted with the Transient Account Manager. See [wilActivity](#wilactivity). + + +### wilActivity + +This event provides a Windows Internal Library context used for Product and Service diagnostics. + +The following fields are available: + +- **callContext** The function where the failure occurred. +- **currentContextId** The ID of the current call context where the failure occurred. +- **currentContextMessage** The message of the current call context where the failure occurred. +- **currentContextName** The name of the current call context where the failure occurred. +- **failureCount** The number of failures for this failure ID. +- **failureId** The ID of the failure that occurred. +- **failureType** The type of the failure that occurred. +- **fileName** The file name where the failure occurred. +- **function** The function where the failure occurred. +- **hresult** The HResult of the overall activity. +- **lineNumber** The line number where the failure occurred. +- **message** The message of the failure that occurred. +- **module** The module where the failure occurred. +- **originatingContextId** The ID of the originating call context that resulted in the failure. 
+- **originatingContextMessage** The message of the originating call context that resulted in the failure. +- **originatingContextName** The name of the originating call context that resulted in the failure. +- **threadId** The ID of the thread on which the activity is executing. + + +### wilResult + +This event provides a Windows Internal Library context used for Product and Service diagnostics. + +The following fields are available: + +- **callContext** The call context stack where failure occurred. +- **currentContextId** The ID of the current call context where the failure occurred. +- **currentContextMessage** The message of the current call context where the failure occurred. +- **currentContextName** The name of the current call context where the failure occurred. +- **failureCount** The number of failures for this failure ID. +- **failureId** The ID of the failure that occurred. +- **failureType** The type of the failure that occurred. +- **fileName** The file name where the failure occurred. +- **function** The function where the failure occurred. +- **hresult** The HResult of the overall activity. +- **lineNumber** The line number where the failure occurred. +- **message** The message of the failure that occurred. +- **module** The module where the failure occurred. +- **originatingContextId** The ID of the originating call context that resulted in the failure. +- **originatingContextMessage** The message of the originating call context that resulted in the failure. +- **originatingContextName** The name of the originating call context that resulted in the failure. +- **threadId** The ID of the thread on which the activity is executing. + + +## SIH events + +### SIHEngineTelemetry.EvalApplicability + +This event is sent when targeting logic is evaluated to determine if a device is eligible a given action. + +The following fields are available: + +- **ActionReasons** If an action has been assessed as inapplicable, the additional logic prevented it. 
+- **CachedEngineVersion** The engine DLL version that is being used. +- **EventInstanceID** A unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **HandlerReasons** If an action has been assessed as inapplicable, the installer technology-specific logic prevented it. +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.) +- **StandardReasons** If an action has been assessed as inapplicable, the standard logic the prevented it. +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **UpdateID** A unique identifier for the action being acted upon. +- **WUDeviceID** The unique identifier controlled by the software distribution client. + + +### SIHEngineTelemetry.ExecuteAction + +This event is triggered with SIH attempts to execute (e.g. install) the update or action in question. Includes important information like if the update required a reboot. + +The following fields are available: + +- **CachedEngineVersion** The engine DLL version that is being used. +- **EventInstanceID** A unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **RebootRequired** Indicates if a reboot was required to complete the action. +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **UpdateID** A unique identifier for the action being acted upon. 
+- **WUDeviceID** The unique identifier controlled by the software distribution client. + + +### SIHEngineTelemetry.PostRebootReport + +This event reports the status of an action following a reboot, should one have been required. + +The following fields are available: + +- **CachedEngineVersion** The engine DLL version that is being used. +- **EventInstanceID** A unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.). +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **UpdateID** A unique identifier for the action being acted upon. +- **WUDeviceID** The unique identifier controlled by the software distribution client. + + +### SIHEngineTelemetry.ServiceStateChange + +This event reports the status of attempts to stop or start a service as part of executing an action. + +The following fields are available: + +- **CachedEngineVersion** The engine DLL version that is being used. +- **EventInstanceID** A unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event, whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **Service** The service that is being stopped/started. +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.). +- **StateChange** The service operation (stop/start) is being attempted. +- **StatusCode** Result code of the event (success, cancellation, failure code HResult). +- **UpdateID** A unique identifier for the action being acted upon. 
+- **WUDeviceID** The unique identifier controlled by the software distribution client. + + +### SIHEngineTelemetry.SLSActionData + +This event reports if the SIH client was able to successfully parse the manifest describing the actions to be evaluated. + +The following fields are available: + +- **CachedEngineVersion** The engine DLL version that is being used. +- **EventInstanceID** A unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **FailedParseActions** The list of actions that were not successfully parsed. +- **ParsedActions** The list of actions that were successfully parsed. +- **ServiceGuid** A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.) +- **WUDeviceID** The unique identifier controlled by the software distribution client. ## Software update events -### SoftwareUpdateClientTelemetry.UpdateDetected +### SoftwareUpdateClientTelemetry.CheckForUpdates -This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. +Scan process event on Windows Update client (see eventscenario field for specifics, e.g.: started/failed/succeeded) The following fields are available: +- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. +- **AllowCachedResults** Indicates if the scan allowed using cached results. 
- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client -- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **WUDeviceID** The unique device ID controlled by the software distribution client -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **ServiceGuid** An ID which represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.) - - -### SoftwareUpdateClientTelemetry.SLSDiscovery - -This event sends data about the ability of Windows to discover the location of a backend server with which it must connect to perform updates or content acquisition, in order to determine disruptions in availability of update services and provide context for Windows Update errors. - -The following fields are available: - -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed -- **HResult** Indicates the result code of the event (success, cancellation, failure code HResult) -- **IsBackground** Indicates whether the SLS discovery event took place in the foreground or background -- **NextExpirationTime** Indicates when the SLS cab expires -- **ServiceID** An ID which represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.) 
-- **SusClientId** The unique device ID controlled by the software distribution client -- **UrlPath** Path to the SLS cab that was downloaded -- **WUAVersion** The version number of the software distribution client - - -### SoftwareUpdateClientTelemetry.Commit - -This event sends data on whether the Update Service has been called to execute an upgrade, to help keep Windows up to date. - -The following fields are available: - - **BiosFamily** The family of the BIOS (Basic Input Output System). - **BiosName** The name of the device BIOS. - **BiosReleaseDate** The release date of the device BIOS. - **BiosSKUNumber** The sku number of the device BIOS. - **BIOSVendor** The vendor of the BIOS. - **BiosVersion** The version of the BIOS. -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BranchReadinessLevel** The servicing branch configured on the device. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - **ClientVersion** The version number of the software distribution client. +- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown +- **CurrentMobileOperator** The mobile operator the device is currently connected to. 
+- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). +- **DeferredUpdates** Update IDs which are currently being deferred until a later time - **DeviceModel** What is the device model. +- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. +- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. +- **DriverSyncPassPerformed** Were drivers scanned this time? - **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** State of call -- **EventType** "Possible values are ""Child"", ""Bundle"", or ""Driver""." -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) -- **RevisionNumber** Unique revision number of Update -- **ServerId** Identifier for the service to which the software distribution client is connecting, such as Windows Update and Microsoft Store. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. +- **ExtendedMetadataCabUrl** Hostname that is used to download an update. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. +- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. +- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. +- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). 
+- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. +- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce +- **MSIError** The last error that was encountered during a scan for updates. +- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 +- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete +- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked +- **NumberOfLoop** The number of round trips the scan required +- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan +- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan +- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. +- **Online** Indicates if this was an online scan. +- **PausedUpdates** A list of UpdateIds which that currently being paused. +- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window. 
+- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. +- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced. +- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. +- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. +- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **ScanDurationInSeconds** The number of seconds a scan took +- **ScanEnqueueTime** The number of seconds it took to initialize a scan +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.). +- **ServiceUrl** The environment URL a device is configured to scan with +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). +- **SyncType** Describes the type of scan the event was - **SystemBIOSMajorRelease** Major version of the BIOS. - **SystemBIOSMinorRelease** Minor version of the BIOS. 
-- **UpdateId** Unique Update ID -- **WUDeviceID** UniqueDeviceID -- **BundleRevisionNumber** Identifies the revision number of the content bundle -- **FlightId** The specific id of the flight the device is getting -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client - - -### SoftwareUpdateClientTelemetry.DownloadCheckpoint - -This event provides a checkpoint between each of the Windows Update download phases for UUP content - -The following fields are available: - -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough -- **FileId** A hash that uniquely identifies a file -- **FileName** Name of the downloaded file -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult) -- **EventType** "Possible values are ""Child"", ""Bundle"", ""Relase"" or ""Driver""" -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client -- **ClientVersion** The version number of the software distribution client -- **FlightId** The unique identifier for each flight -- **RevisionNumber** Unique revision number of Update -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.) 
-- **UpdateId** Unique Update ID -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue - - -### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity - -This event identifies whether updates have been tampered with and protects against man-in-the-middle attacks. - -The following fields are available: - -- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed. -- **ExtendedStatusCode** The secondary status code of the event. -- **LeafCertId** Integral ID from the FragmentSigning data for certificate that failed. -- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce -- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). -- **RevisionId** The revision ID for a specific piece of content. -- **RevisionNumber** The revision number for a specific piece of content. -- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store -- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. -- **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob. -- **SignatureAlgorithm** The hash algorithm for the metadata signature. -- **StatusCode** The status code of the event. -- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. -- **UpdateId** The update ID for a specific piece of content. -- **TimestampTokenCertThumbprint** "The thumbprint of the encoded timestamp token. " -- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. 
-- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. -- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable. -- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. -- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. -- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments. -- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast +- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. +- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. +- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. ### SoftwareUpdateClientTelemetry.Download -This event sends tracking data about the software distribution client download of the content for that update, to help keep Windows up to date. +Download process event for target update on Windows Update client (see eventscenario field for specifics, e.g.: started/failed/succeeded) The following fields are available: 
@@ -3254,19 +3458,15 @@ The following fields are available: - **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. - **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download. -- **CDNCountryCode** Two letter country abbreviation for the CDN's location. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. - **CDNId** ID which defines which CDN the software distribution client downloaded the content from. -- **ClientManagedByWSUSServer** Indicates whether the client is managed by Windows Server Update Services (WSUS). - **ClientVersion** The version number of the software distribution client. - **CurrentMobileOperator** The mobile operator the device is currently connected to. - **DeviceModel** What is the device model. -- **DeviceOEM** What OEM does this device belong to. - **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority. - **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events. - **DownloadType** Differentiates the download type of SIH downloads between Metadata and Payload downloads. -- **Edition** Indicates the edition of Windows being used. - **EventInstanceID** A globally unique identifier for event instance. -- **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc. - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed. - **EventType** Possible values are Child, Bundle, or Driver. 
- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. 
@@ -3280,22 +3480,19 @@ The following fields are available: - **HomeMobileOperator** The mobile operator that the device was originally intended to work with. - **HostName** The hostname URL the content is downloading from. - **IPVersion** Indicates whether the download took place over IPv4 or IPv6. -- **IsAOACDevice** Is it Always On, Always Connected? - **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update - **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. - **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. - **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.) -- **NetworkRestrictionStatus** "More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be ""metered.""" +- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered." - **PackageFullName** The package name of the content. - **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced. -- **PlatformRole** The PowerPlatformRole as defined on MSDN - **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. -- **ProcessorArchitecture** Processor architecture of the system (x86, AMD64, ARM). - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download. - **RevisionNumber** Identifies the revision number of this specific piece of content. 
-- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.). +- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.). - **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway. - **ShippingMobileOperator** The mobile operator that a device shipped on. - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult). 
@@ -3308,93 +3505,65 @@ The following fields are available: - **TimeToEstablishConnection** Time (in ms) it took to establish the connection prior to beginning downloaded. - **TotalExpectedBytes** The total count of bytes that the download is expected to be. - **UpdateId** An identifier associated with the specific piece of content. +- **UpdateID** An identifier associated with the specific piece of content. - **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. - **UsedDO** Whether the download used the delivery optimization service. - **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive. - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. -- **WUSetting** Indicates the users' current updating settings. -### SoftwareUpdateClientTelemetry.CheckForUpdates +### SoftwareUpdateClientTelemetry.DownloadCheckpoint -This event sends tracking data about the software distribution client check for content that is applicable to a device, to help keep Windows up to date +This event provides a checkpoint between each of the Windows Update download phases for UUP content The following fields are available: -- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. -- **AllowCachedResults** Indicates if the scan allowed using cached results. -- **BiosFamily** The family of the BIOS (Basic Input Output System). -- **BiosName** The name of the device BIOS. -- **BiosReleaseDate** The release date of the device BIOS. -- **BiosSKUNumber** The sku number of the device BIOS. -- **BIOSVendor** The vendor of the BIOS. -- **BiosVersion** The version of the BIOS. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. 
-- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. -- **CDNCountryCode** Two letter country abbreviation for the CDN's location. -- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. -- **ClientVersion** The version number of the software distribution client. -- **CurrentMobileOperator** The mobile operator the device is currently connected to. -- **DeviceModel** What is the device model. -- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. -- **EventInstanceID** A globally unique identifier for event instance. -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **ExtendedMetadataCabUrl** Hostname that is used to download an update. -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. -- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. -- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. -- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). -- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 -- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 
0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce -- **MSIError** The last error that was encountered during a scan for updates. -- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 -- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked -- **NumberOfLoop** The number of round trips the scan required -- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan -- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan -- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. -- **Online** Indicates if this was an online scan. -- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced. -- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. 
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed +- **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver" +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough +- **FileId** A hash that uniquely identifies a file +- **FileName** Name of the downloaded file +- **FlightId** The unique identifier for each flight - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **ScanDurationInSeconds** The number of seconds a scan took -- **ScanEnqueueTime** The number of seconds it took to initialize a scan -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.). -- **ServiceUrl** The environment URL a device is configured to scan with -- **ShippingMobileOperator** The mobile operator that a device shipped on. -- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). -- **SyncType** Describes the type of scan the event was -- **SystemBIOSMajorRelease** Major version of the BIOS. -- **SystemBIOSMinorRelease** Minor version of the BIOS. -- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. -- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. 
-- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable -- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete -- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. -- **BranchReadinessLevel** The servicing branch configured on the device. -- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). -- **DeferredUpdates** Update IDs which are currently being deferred until a later time -- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. -- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). -- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). -- **IntentPFNs** Intended application-set metadata for atomic update scenarios. -- **PausedUpdates** A list of UpdateIds which that currently being paused. -- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window. -- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. -- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. 
-- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. -- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. -- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. -- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown -- **DriverSyncPassPerformed** Were drivers scanned this time? +- **RevisionNumber** Unique revision number of Update +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.) +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult) +- **UpdateId** Unique Update ID +- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue + + +### SoftwareUpdateClientTelemetry.DownloadHeartbeat + +This event allows tracking of ongoing downloads and contains data to explain the current state of the download + +The following fields are available: + +- **BundleID** Identifier associated with the specific content bundle. 
If this value is found, it shouldn't report as all zeros +- **BytesTotal** Total bytes to transfer for this content +- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **ClientVersion** The version number of the software distribution client +- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat +- **CurrentError** Last (transient) error encountered by the active download +- **DownloadFlags** Flags indicating if power state is ignored +- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) +- **EventType** Possible values are "Child", "Bundle", or "Driver" +- **FlightId** The unique identifier for each flight +- **IsNetworkMetered** Indicates whether Windows considered the current network to be ?metered" +- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any +- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any +- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) +- **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one +- **ResumeCount** Number of times this active download has resumed from a suspended state +- **RevisionNumber** Identifies the revision number of this specific piece of content +- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) +- **ServiceID** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) +- **SuspendCount** Number of times this active download has entered a suspended state +- **SuspendReason** Last reason for why this active 
download entered a suspended state +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client ### SoftwareUpdateClientTelemetry.Install 
@@ -3409,30 +3578,22 @@ The following fields are available:
 - **BiosSKUNumber** The sku number of the device BIOS.
 - **BIOSVendor** The vendor of the BIOS.
 - **BiosVersion** The version of the BIOS.
-- **BundleBytesDownloaded** How many bytes were downloaded for the specific content bundle?
 - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
 - **BundleRepeatFailFlag** Has this particular update bundle previously failed to install?
 - **BundleRevisionNumber** Identifies the revision number of the content bundle.
 - **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
 - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
-- **CbsDownloadMethod** Was the download a full download or a partial download?
-- **ClientManagedByWSUSServer** Is the client managed by Windows Server Update Services (WSUS)?
 - **ClientVersion** The version number of the software distribution client.
 - **CSIErrorType** The stage of CBS installation where it failed.
 - **CurrentMobileOperator** Mobile operator that device is currently connected to.
 - **DeviceModel** What is the device model.
-- **DeviceOEM** What OEM does this device belong to.
-- **DownloadPriority** The priority of the download activity.
-- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events.
 - **DriverPingBack** Contains information about the previous driver and system state.
-- **Edition** Indicates the edition of Windows being used.
 - **EventInstanceID** A globally unique identifier for event instance.
-- **EventNamespaceID** Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc.
 - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
 - **EventType** Possible values are Child, Bundle, or Driver.
 - **ExtendedErrorCode** The extended error code.
 - **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
-- **FeatureUpdatePause** Are feature OS updates paused on the device?
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
 - **FlightBranch** The branch that a device is on if participating in the Windows Insider Program.
 - **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build.
 - **FlightId** The specific ID of the Windows Insider build the device is getting.
@@ -3441,27 +3602,23 @@ The following fields are available:
 - **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device.
 - **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
 - **IntentPFNs** Intended application-set metadata for atomic update scenarios.
-- **IsAOACDevice** Is it Always On, Always Connected? (Mobile device usage model)
 - **IsDependentSet** Is the driver part of a larger System Hardware/Firmware update?
 - **IsFinalOutcomeEvent** Does this event signal the end of the update/upgrade process?
 - **IsFirmware** Is this update a firmware update?
 - **IsSuccessFailurePostReboot** Did it succeed and then fail after a restart?
 - **IsWUfBDualScanEnabled** Is Windows Update for Business dual scan enabled on the device?
-- **IsWUfBEnabled** Is Windows Update for Business enabled on the device?
+- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device.
 - **MergedUpdate** Was the OS update and a BSP update merged for installation?
 - **MsiAction** The stage of MSI installation where it failed.
 - **MsiProductCode** The unique identifier of the MSI installer.
 - **PackageFullName** The package name of the content being installed.
 - **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced.
-- **PlatformRole** The PowerPlatformRole as defined on MSDN.
 - **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
-- **ProcessorArchitecture** Processor architecture of the system (x86, AMD64, ARM).
 - **QualityUpdatePause** Are quality OS updates paused on the device?
 - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
 - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install.
-- **RepeatSuccessInstallFlag** Indicates whether this specific piece of content had previously installed successful, for example if another user had already installed it.
 - **RevisionNumber** The revision number of this specific piece of content.
-- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
+- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
 - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway.
 - **ShippingMobileOperator** The mobile operator that a device shipped on.
 - **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult).
@@ -3471,420 +3628,540 @@ The following fields are available: - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device. - **TransactionCode** The ID which represents a given MSI installation - **UpdateId** Unique update ID +- **UpdateID** An identifier associated with the specific piece of content. - **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional. - **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive. - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. -- **WUSetting** Indicates the user's current updating settings. -### SoftwareUpdateClientTelemetry.DownloadHeartbeat +### SoftwareUpdateClientTelemetry.UpdateDetected -This event allows tracking of ongoing downloads and contains data to explain the current state of the download +This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates. The following fields are available: -- **BundleID** Identifier associated with the specific content bundle. 
If this value is found, it shouldn't report as all zeros -- **BytesTotal** Total bytes to transfer for this content -- **BytesTransferred** Total bytes transferred for this content at the time of heartbeat -- **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat -- **CurrentError** Last (transient) error encountered by the active download -- **DownloadFlags** Flags indicating if power state is ignored -- **DownloadState** Current state of the active download for this content (queued, suspended, or progressing) -- **IsNetworkMetered** "Indicates whether Windows considered the current network to be ?metered""" -- **MOAppDownloadLimit** Mobile operator cap on size of application downloads, if any -- **MOUpdateDownloadLimit** Mobile operator cap on size of operating system update downloads, if any -- **PowerState** Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby) -- **RelatedCV** "The previous correlation vector that was used by the client, before swapping with a new one " -- **ResumeCount** Number of times this active download has resumed from a suspended state -- **ServiceID** "Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) " -- **SuspendCount** Number of times this active download has entered a suspended state -- **SuspendReason** Last reason for why this active download entered a suspended state -- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client -- **ClientVersion** The version number of the software distribution client -- **EventType** "Possible values are ""Child"", ""Bundle"", or ""Driver""" -- **FlightId** The unique identifier for each flight -- **RevisionNumber** Identifies the revision number of this specific piece of content -- **ServiceGuid** Identifier for the service to which the software distribution client is 
connecting (Windows Update, Microsoft Store, etc) -- **UpdateId** "Identifier associated with the specific piece of content " -- **WUDeviceID** "Unique device id controlled by the software distribution client " +- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete. +- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one. +- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.). +- **WUDeviceID** The unique device ID controlled by the software distribution client. -## Update Assistant Orchestrator events ->[!NOTE] ->Events from this provider are sent with the installation of KB4023814. For details, see [this support article](https://support.microsoft.com/help/4023814). +### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity + +Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack. + +The following fields are available: + +- **EndpointUrl** The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments. +- **EventScenario** The purpose of this event, such as scan started, scan succeeded, or scan failed. +- **ExtendedStatusCode** The secondary status code of the event. +- **LeafCertId** Integral ID from the FragmentSigning data for certificate that failed. 
+- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate. +- **MetadataIntegrityMode** The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce +- **MetadataSignature** A base64-encoded string of the signature associated with the update metadata (specified by revision ID). +- **RawMode** The raw unparsed mode string from the SLS response. This field is null if not applicable. +- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable. +- **RevisionId** The revision ID for a specific piece of content. +- **RevisionNumber** The revision number for a specific piece of content. +- **ServiceGuid** Identifies the service to which the software distribution client is connected, Example: Windows Update or Windows Store +- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate. +- **SHA256OfLeafCertPublicKey** A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate. +- **SHA256OfTimestampToken** A base64-encoded string of hash of the timestamp token blob. +- **SignatureAlgorithm** The hash algorithm for the metadata signature. +- **SLSPrograms** A test program to which a device may have opted in. Example: Insider Fast +- **StatusCode** The status code of the event. +- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token. +- **TimestampTokenId** The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed. +- **UpdateId** The update ID for a specific piece of content. +- **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp. 
+ + +## Update Assistant events ### Microsoft.Windows.UpdateAssistant.Orchestrator.BlockingEventId -Event sends basic info on the reason that Windows 10 was not updated due to compatibility issues, previous rollbacks, or admin policies.. +The event sends basic info on the reason that Windows 10 was not updated due to compatibility issues, previous rollbacks, or admin policies. The following fields are available: -- **ApplicabilityBlockedReason** Blocked due to an applicability issue. -- **ClientId** Identification of the current installed version of Update Assistant. -- **TriggerTaskSource** Describes which task launched this instance of Update Assistant. +- **ApplicabilityBlockedReason** Blocked due to an applicability issue. +- **BlockWuUpgrades** The upgrade assistant is currently blocked. +- **clientID** An identification of the current release of Update Assistant. +- **CloverTrail** This device is Clovertrail. +- **DeviceIsMdmManaged** This device is MDM managed. +- **IsNetworkAvailable** If the device network is not available. +- **IsNetworkMetered** If network is metered. +- **IsSccmManaged** This device is SCCM managed. +- **NewlyInstalledOs** OS is newly installed quiet period. +- **PausedByPolicy** Updates are paused by policy. +- **RecoveredFromRS3** Previously recovered from RS3. +- **RS1UninstallActive** Blocked due to an active RS1 uninstall. +- **RS3RollBacks** Exceeded number of allowable RS3 rollbacks. +- **triggerTaskSource** Describe which task launches this instance. +- **WsusManaged** This device is WSUS managed. +- **ZeroExhaust** This device is zero exhaust. + ### Microsoft.Windows.UpdateAssistant.Orchestrator.DeniedLaunchEventId -Event sends basic info on the reason the Windows 10 update was blocked or prevented. +The event sends basic info when a device was blocked or prevented from updating to the latest Windows 10 version. 
The following fields are available: -- **ClientId** Identification of the current installed version of Update Assistant. -- **DenyReason** Reasons why Update Assistant was prevented from launching. -- **TriggerTaskSource** Describes which task launched this instance of Update Assistant. +- **calendarRun** Indicates the calendar run task invoked the update assistant wrapper. +- **clientID** An identification of the current release of Update Assistant. +- **denyReason** All the reasons why the Update Assistant was prevented from launching. Bitmask with values from UpdateAssistant.cpp eUpgradeModeReason. +- **triggerTaskSource** Describe which task launches this instance. + ### Microsoft.Windows.UpdateAssistant.Orchestrator.FailedLaunchEventId -Event sends basic info when the Windows 10 Update Assistant tool could not be launched due to an error.. +Event to mark that Update Assistant Orchestrator failed to launch Update Assistant. The following fields are available: -- **ClientId** Identification of the current installed version of Update Assistant. -- **HResult** Error code of the Update Assistant Orchestrator error. -- **TriggerTaskSource** Describes which task launched this instance of Update Assistant. +- **clientID** An identification of the current release of Update Assistant. +- **hResult** Error code of the Update Assistant Orchestrator failure. +- **triggerTaskSource** Describe which task launches this instance. + ### Microsoft.Windows.UpdateAssistant.Orchestrator.FailedOneSettingsQueryEventId -Event sends basic info to signal when the settings related to the Windows 10 update could not be downloaded. +Event indicating One Settings was not queried by update assistant. The following fields are available: -- **ClientId** Identification of the current installed version of Update Assistant. -- **HResult** Error code of the attempted query for the settings. +- **clientID** An identification of the current release of Update Assistant. 
+- **hResult** Error code of One Settings query failure. + ### Microsoft.Windows.UpdateAssistant.Orchestrator.LaunchEventId -Event sends basic info on whether the device should or should not be updated to the latest Windows 10 version. +This event sends basic information on whether the device should be updated to the latest Windows 10 version. The following fields are available: -- **ClientId** Identification of the current installed version of Update Assistant. -- **LaunchMode** Type of launch performed. -- **LaunchTypeReason** All of the reasons for the type of launch performed. -- **TriggerTaskSource** Describes which task launched this instance of Update Assistant. -- **UALaunchRunCount** Total number of times Update Assistant was launched. +- **autoStartRunCount** The auto start run count of Update Assistant. +- **clientID** The ID of the current release of Update Assistant. +- **launchMode** Indicates the type of launch performed. +- **launchTypeReason** A bitmask of all the reasons for type of launch. +- **triggerTaskSource** Indicates which task launches this instance. +- **UALaunchRunCount** Total number of times Update Assistant launched. + ### Microsoft.Windows.UpdateAssistant.Orchestrator.RestoreEventId -Event sends basic info on whether the Windows 10 update notification had launched previously. +The event sends basic info on whether the Windows 10 update notification has previously launched. The following fields are available: -- **ClientId** Identification of the current installed version of Update Assistant. -- **RestoreReason** All of the reasons for being restored. -- **TriggerTaskSource** Describes which task launched this instance of Update Assistant. +- **calendarRun** Indicates the update assistant wrapper was started by the calendar run task. +- **clientID** ID of the current release of Update Assistant. +- **restoreReason** All the reasons for the restore. +- **triggerTaskSource** Indicates which task launches this instance. 
+ ## Update events -### Update360Telemetry.UpdateAgentPostRebootResult +### Update360Telemetry.UpdateAgentCommit -This event collects information for both Mobile and Desktop regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario - -The following fields are available: - -- **ErrorCode** The error code returned for the current post reboot phase -- **FlightId** The unique identifier for each flight -- **ObjectId** Unique value for each Update Agent mode -- **RelatedCV** Correlation vector value generated from the latest USO scan -- **Result** Indicates the Hresult -- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **SessionId** Unique value for each Update Agent mode attempt -- **UpdateId** Unique ID for each update -- **PostRebootResult** Indicates the Hresult - - -### Update360Telemetry.UpdateAgent_Initialize - -This event sends data during the initialize phase of updating Windows. - -The following fields are available: - -- **ErrorCode** The error code returned for the current initialize phase. -- **FlightId** Unique ID for each flight. -- **FlightMetadata** Contains the FlightId and the build being flighted. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **SessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). -- **SessionId** Unique value for each Update Agent mode attempt . -- **UpdateId** Unique ID for each update. -- **Result** Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled - - -### Update360Telemetry.UpdateAgent_DownloadRequest - -This event sends data during the download request phase of updating Windows. 
- -The following fields are available: - -- **ErrorCode** The error code returned for the current download request phase. -- **ObjectId** Unique value for each Update Agent mode. -- **PackageCountOptional** Number of optional packages requested. -- **PackageCountRequired** Number of required packages requested. -- **PackageCountTotal** Total number of packages needed. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **SessionId** Unique value for each Update Agent mode attempt. -- **PackageSizeCanonical** Size of canonical packages in bytes -- **PackageSizeDiff** Size of diff packages in bytes -- **PackageSizeExpress** Size of express packages in bytes -- **Result** Result of the download request phase of update. -- **FlightId** Unique ID for each flight. -- **UpdateId** Unique ID for each update. -- **PackageCountTotalCanonical** Total number of canonical packages. -- **PackageCountTotalDiff** Total number of diff packages. -- **PackageCountTotalExpress** Total number of express packages. -- **DeletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted. -- **RangeRequestState** Represents the state of the download range request. - - -### Update360Telemetry.UpdateAgent_Install - -This event sends data during the install phase of updating Windows. +This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The following fields are available: - **ErrorCode** The error code returned for the current install phase. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest scan. -- **ScenarioId** The scenario ID. 
Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **SessionId** Unique value for each Update Agent mode attempt. -- **Result** "Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled " - **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. - **UpdateId** Unique ID for each update. -### Update360Telemetry.UpdateAgent_ModeStart +### Update360Telemetry.UpdateAgentDownloadRequest -This event sends data for the start of each mode during the process of updating Windows. +This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile. The following fields are available: -- **Mode** Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** The correlation vector value generated from the latest scan. -- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **SessionId** Unique value for each Update Agent mode attempt. +- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted. +- **DownloadRequests** Number of times a download was retried. +- **ErrorCode** The error code returned for the current download request phase. +- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin. - **FlightId** Unique ID for each flight. -- **UpdateId** Unique ID for each update. +- **InternalFailureResult** Indicates a non-fatal error from a plugin. 
+- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **PackageCountOptional** # of optional packages requested. +- **PackageCountRequired** # of required packages requested. +- **PackageCountTotal** Total # of packages needed. +- **PackageCountTotalCanonical** Total number of canonical packages. +- **PackageCountTotalDiff** Total number of diff packages. +- **PackageCountTotalExpress** Total number of express packages. +- **PackageExpressType** Type of express package. +- **PackageSizeCanonical** Size of canonical packages in bytes. +- **PackageSizeDiff** Size of diff packages in bytes. +- **PackageSizeExpress** Size of express packages in bytes. +- **RangeRequestState** Indicates the range request type used. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the download request phase of update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases). +- **UpdateId** Unique ID for each Update. -### Update360Telemetry.UpdateAgent_SetupBoxLaunch +### Update360Telemetry.UpdateAgentExpand -This event sends data during the launching of the setup box when updating Windows. +This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. The following fields are available: -- **ObjectId** Unique value for each Update Agent mode. -- **Quiet** Indicates whether setup is running in quiet mode. 0 = false 1 = true -- **RelatedCV** Correlation vector value generated from the latest scan. -- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **SessionId** Unique value for each Update Agent mode attempt. +- **ElapsedTickCount** Time taken for expand phase. +- **EndFreeSpace** Free space after expand phase. 
+- **EndSandboxSize** Sandbox size after expand phase. +- **ErrorCode** The error code returned for the current install phase. - **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **StartFreeSpace** Free space before expand phase. +- **StartSandboxSize** Sandbox size after expand phase. +- **UpdateId** Unique ID for each Update. + + +### Update360Telemetry.UpdateAgentFellBackToCanonical + +This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **PackageCount** Number of packages that feel back to canonical. +- **PackageList** PackageIds which fell back to canonical. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. - **UpdateId** Unique ID for each update. -- **SetupMode** Setup mode 1 = predownload, 2 = install, 3 = finalize -- **SandboxSize** The size of the sandbox folder on the device. + + +### Update360Telemetry.UpdateAgentInitialize + +This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique ID for each flight. +- **FlightMetadata** Contains the FlightId and the build being flighted. +- **ObjectId** Unique value for each Update Agent mode. 
+- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Outcome of the install phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentInstall + +This event sends data for the install phase of updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current install phase. +- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360). +- **ObjectId** Correlation vector value generated from the latest USO scan. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** The result for the current install phase. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentMerge + +The UpdateAgentMerge event sends data on the merge phase when updating Windows. + +The following fields are available: + +- **ErrorCode** The error code returned for the current merge phase. +- **FlightId** Unique ID for each flight. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Related correlation vector value. +- **Result** Outcome of the merge phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentMitigationResult + +This event sends data indicating the result of each update agent mitigation. + +The following fields are available: + +- **Applicable** Indicates whether the mitigation is applicable for the current update. 
+- **CommandCount** The number of command operations in the mitigation entry. +- **CustomCount** The number of custom operations in the mitigation entry. +- **FileCount** The number of file operations in the mitigation entry. +- **FlightId** Unique identifier for each flight. +- **Index** The mitigation index of this particular mitigation. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **Name** The friendly name of the mitigation. +- **ObjectId** Unique value for each Update Agent mode. +- **OperationIndex** The mitigation operation index (in the event of a failure). +- **OperationName** The friendly name of the mitigation operation (in the event of failure). +- **RegistryCount** The number of registry operations in the mitigation entry. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. +- **TimeDiff** The amount of time spent performing the mitigation (in 100-nanosecond increments). +- **UpdateId** Unique ID for each Update. + + +### Update360Telemetry.UpdateAgentMitigationSummary + +This event sends a summary of all the update agent mitigations available for an this update. + +The following fields are available: + +- **Applicable** The count of mitigations that were applicable to the system and scenario. +- **Failed** The count of mitigations that failed. +- **FlightId** Unique identifier for each flight. +- **MitigationScenario** The update scenario in which the mitigations were attempted. +- **ObjectId** The unique value for each Update Agent mode. +- **RelatedCV** The correlation vector value generated from the latest USO scan. +- **Result** The HResult of this operation. +- **ScenarioId** The update agent scenario ID. +- **SessionId** Unique value for each update attempt. 
+- **TimeDiff** The amount of time spent performing all mitigations (in 100-nanosecond increments). +- **Total** Total number of mitigations that were available. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentModeStart + +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. + +The following fields are available: + +- **FlightId** Unique ID for each flight. +- **Mode** Indicates the mode that has started. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. +- **Version** Version of update + + +### Update360Telemetry.UpdateAgentPostRebootResult + +This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. + +The following fields are available: + +- **ErrorCode** The error code returned for the current post reboot phase. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **ObjectId** Unique value for each Update Agent mode. +- **PostRebootResult** Indicates the Hresult. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** Indicates the Hresult +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each update. + + +### Update360Telemetry.UpdateAgentSetupBoxLaunch + +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. 
+ +The following fields are available: + +- **ContainsExpressPackage** Indicates whether the download package is express. +- **FlightId** Unique ID for each flight. +- **FreeSpace** Free space on OS partition. +- **InstallCount** Number of install attempts using the same sandbox. +- **ObjectId** Unique value for each Update Agent mode. +- **Quiet** Indicates whether setup is running in quiet mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **SandboxSize** Size of the sandbox. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **SetupMode** Mode of setup to be launched. +- **UpdateId** Unique ID for each update. +- **UserSession** Indicates whether install was invoked by user actions. ## Update notification events ### Microsoft.Windows.UpdateNotificationPipeline.JavascriptJavascriptCriticalGenericMessage -This event indicates that Javascript is reporting a schema and a set of values for critical diagnostic data. +This event indicates that Javascript is reporting a schema and a set of values for critical telemetry. The following fields are available: -- **CampaignConfigVersion** Configuration version for the current campaign -- **CampaignID** Currently campaign that's running on UNP -- **ConfigCatalogVersion** Current catalog version of UNP -- **ContentVersion** Content version for the current campaign on UNP -- **CV** Correlation vector -- **DetectorVersion** Most recently run detector version for the current campaign on UNP -- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user +- **CampaignConfigVersion** Configuration version of the current campaign. +- **CampaignID** ID of the currently running campaign. +- **ConfigCatalogVersion** Current catalog version of the update notification. +- **ContentVersion** Content version of the current update notification campaign. +- **CV** Correlation vector. 
+- **DetectorVersion** Most recently run detector version for the current campaign. +- **GlobalEventCounter** Client side counter that indicates the ordering of events sent by this user. - **key1** Interaction data for the UI -- **key10** Interaction data for the UI -- **key11** Interaction data for the UI -- **key12** Interaction data for the UI -- **key13** Interaction data for the UI -- **key14** Interaction data for the UI -- **key15** Interaction data for the UI -- **key16** Interaction data for the UI -- **key17** Interaction data for the UI -- **key18** Interaction data for the UI -- **key19** Interaction data for the UI +- **key10** UI interaction data +- **key11** UI interaction data +- **key12** UI interaction data +- **key13** UI interaction data +- **key14** UI interaction data +- **key15** UI interaction data +- **key16** UI interaction data +- **key17** UI interaction data +- **key18** UI interaction data +- **key19** UI interaction data - **key2** Interaction data for the UI -- **key20** Interaction data for the UI +- **key20** UI interaction data - **key21** Interaction data for the UI -- **key22** Interaction data for the UI -- **key23** Interaction data for the UI -- **key24** Interaction data for the UI -- **key25** Interaction data for the UI -- **key26** Interaction data for the UI -- **key27** Interaction data for the UI -- **key28** Interaction data for the UI -- **key29** Interaction data for the UI +- **key22** UI interaction data +- **key23** UI interaction data +- **key24** UI interaction data +- **key25** UI interaction data +- **key26** UI interaction data +- **key27** UI interaction data +- **key28** UI interaction data +- **key29** UI interaction data - **key3** Interaction data for the UI -- **key30** Interaction data for the UI +- **key30** UI interaction data - **key4** Interaction data for the UI -- **key5** Interaction data for the UI -- **key6** Interaction data for the UI +- **key5** UI interaction data +- **key6** UI 
interaction data - **key7** Interaction data for the UI - **key8** Interaction data for the UI -- **key9** Interaction data for the UI -- **PackageVersion** Current package version of UNP -- **schema** Type of UI interaction +- **key9** UI interaction data +- **PackageVersion** Current package version of the update notification. +- **schema** UI interaction type. ### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignHeartbeat -This event is sent at the start of each campaign, to be used as a heartbeat +This event is sent at the start of each campaign, to be used as a heartbeat. The following fields are available: -- **CampaignConfigVersion** Configuration version for the current campaign -- **CampaignID** Currently campaign that's running on UNP -- **ConfigCatalogVersion** Current catalog version of UNP -- **ContentVersion** Content version for the current campaign on UNP -- **CV** Correlation vector -- **DetectorVersion** Most recently run detector version for the current campaign on UNP -- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user -- **PackageVersion** Current UNP package version +- **CampaignConfigVersion** Configuration version for the current campaign. +- **CampaignID** Current campaign that is running on Update Notification Pipeline. +- **ConfigCatalogVersion** Current catalog version of Update Notification Pipeline. +- **ContentVersion** Content version for the current campaign on Update Notification Pipeline. +- **CV** Correlation vector. +- **DetectorVersion** Most recently run detector version for the current campaign on Update Notification Pipeline. +- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. +- **PackageVersion** Current package version for Update Notification Pipeline. 
### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerCleaningCampaign -This event indicates that the Campaign Manager is cleaning up the campaign content +This event indicates that the Campaign Manager is cleaning up the campaign content. The following fields are available: -- **CampaignConfigVersion** Configuration version for the current campaign -- **CampaignID** Current campaign that's running on UNP -- **ConfigCatalogVersion** Current catalog version of UNP -- **ContentVersion** Content version for the current campaign on UNP +- **CampaignConfigVersion** Configuration version for the current campaign. +- **CampaignID** The current campaign that is running on Update Notification Pipeline (UNP). +- **ConfigCatalogVersion** The current catalog version of the Update Notification Pipeline (UNP). +- **ContentVersion** Content version for the current campaign on UNP. - **CV** Correlation vector -- **DetectorVersion** Most recently run detector version for the current campaign on UNP -- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user -- **PackageVersion** Current UNP package version +- **DetectorVersion** Most recently run detector version for the current campaign on UNP. +- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. +- **PackageVersion** Current UNP package version. ### Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerGetIsCamppaignCompleteFailed -This event is sent when a campaign completion status query fails +This event is sent when a campaign completion status query fails. 
The following fields are available: -- **CampaignConfigVersion** Configuration version for the current campaign -- **CampaignID** Current campaign that's running on UNP -- **ConfigCatalogVersion** Current catalog version of UNP -- **ContentVersion** Content version for the current campaign on UNP -- **CV** Correlation vector -- **DetectorVersion** Most recently run detector version for the current campaign on UNP -- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user -- **hresult** HRESULT of the failure -- **PackageVersion** Current UNP package version +- **CampaignConfigVersion** Configuration version for the current campaign. +- **CampaignID** Current campaign that is running on Update Notification Pipeline (UNP). +- **ConfigCatalogVersion** Current catalog version of UNP. +- **ContentVersion** Content version for the current campaign on UNP. +- **CV** Correlation vector. +- **DetectorVersion** Most recently run detector version for the current campaign on UNP. +- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. +- **hresult** HRESULT of the failure. +- **PackageVersion** Current UNP package version. ### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat -This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat +This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat. 
The following fields are available: -- **CampaignConfigVersion** Configuration version for the current campaign -- **CampaignID** Currently campaign that's running on UNP -- **ConfigCatalogVersion** Current catalog version of UNP -- **ContentVersion** Content version for the current campaign on UNP -- **CV** Correlation vector -- **DetectorVersion** Most recently run detector version for the current campaign on UNP -- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user -- **PackageVersion** Current UNP package version +- **CampaignConfigVersion** Configuration version for the current campaign. +- **CampaignID** Currently campaign that is running on Update Notification Pipeline (UNP). +- **ConfigCatalogVersion** Current catalog version of UNP. +- **ContentVersion** Content version for the current campaign on UNP. +- **CV** Correlation vector. +- **DetectorVersion** Most recently run detector version for the current campaign on UNP. +- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. +- **PackageVersion** Current UNP package version. ### Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerRunCampaignFailed -This event is sent when the Campaign Manager encounters an unexpected error while running the campaign +This event is sent when the Campaign Manager encounters an unexpected error while running the campaign. 
The following fields are available: -- **CampaignConfigVersion** Configuration version for the current campaign -- **CampaignID** Currently campaign that's running on UNP -- **ConfigCatalogVersion** Current catalog version of UNP -- **ContentVersion** Content version for the current campaign on UNP -- **CV** Correlation vector -- **DetectorVersion** Most recently run detector version for the current campaign on UNP -- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user -- **hresult** HRESULT of the failure#N# -- **PackageVersion** Current UNP package version +- **CampaignConfigVersion** Configuration version for the current campaign. +- **CampaignID** Currently campaign that's running on Update Notification Pipeline (UNP). +- **ConfigCatalogVersion** Current catalog version of UNP. +- **ContentVersion** Content version for the current campaign on UNP. +- **CV** Correlation vector. +- **DetectorVersion** Most recently run detector version for the current campaign on UNP. +- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. +- **hresult** HRESULT of the failure. +- **PackageVersion** Current UNP package version. ## Upgrade events -### Setup360Telemetry.PreDownloadUX +### FacilitatorTelemetry.DCATDownload -The event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.PredownloadUX indicates the outcome of the PredownloadUX portion of the update process. +This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure. + + + +### Setup360Telemetry.Downlevel + +This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure. 
The following fields are available: -- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **HostOSBuildNumber** The build number of the previous operating system. -- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). -- **InstanceId** Unique GUID that identifies each instance of setuphost.exe. -- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Examplle: Boot, Media, Update, MCT +- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value. +- **HostOSBuildNumber** The build number of the downlevel OS. +- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** More detailed information about phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback). +- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors). 
+- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT). - **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). -- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled -- **TestId** A string to uniquely identify a group of events. -- **WuId** Windows Update client ID. - - -### Setup360Telemetry.UnexpectedEvent - -This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. - -The following fields are available: - -- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled -- **TestId** A string to uniquely identify a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. 
- - -### Setup360Telemetry.PreInstallQuiet - -This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up to date. - -The following fields are available: - -- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe -- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback etc. -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT) -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled -- **TestId** A string to uniquely identify a group of events. -- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. +- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** An ID that uniquely identifies a group of events. +- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. ### Setup360Telemetry.Finalize -This event sends data indicating that the device has invoked the finalize phase of the upgrade, to help keep Windows up-to-date. 
+This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure. The following fields are available: 
@@ -3893,19 +4170,40 @@ The following fields are available: - **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). - **InstanceId** A unique GUID that identifies each instance of setuphost.exe - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Extended** d +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled -- **TestId** A string to uniquely identify a group of events. +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. +### Setup360Telemetry.OsUninstall + +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. + +The following fields are available: + +- **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). 
+- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** Windows Update client ID. + + ### Setup360Telemetry.PostRebootInstall -This event sends data indicating that the device has invoked the postrebootinstall phase of the upgrade, to help keep Windows up-to-date. +This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date. The following fields are available: 
@@ -3933,63 +4231,63 @@ The following fields are available: - **ClientId** Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **HostOSBuildNumber** The build number of the previous OS. - **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. - **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled -- **TestId** A string to uniquely identify a group of events. +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **TestId** ID that uniquely identifies a group of events. - **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId. 
-### Setup360Telemetry.OsUninstall +### Setup360Telemetry.PreDownloadUX -The event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.OSUninstall indicates the outcome of an OS uninstall. +This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process. The following fields are available: - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **HostOSBuildNumber** The build number of the previous OS. -- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. +- **HostOSBuildNumber** The build number of the previous operating system. +- **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). +- **InstanceId** Unique GUID that identifies each instance of setuphost.exe. - **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback -- **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT -- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. 
Example: succeeded, failed, blocked, cancelled +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). +- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** A string to uniquely identify a group of events. - **WuId** Windows Update client ID. -### Setup360Telemetry.Downlevel +### Setup360Telemetry.PreInstallQuiet -This event sends data indicating that the device has invoked the downlevel phase of the upgrade. It's used to help keep Windows up-to-date and secure. +This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date. The following fields are available: -- **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value. -- **HostOSBuildNumber** The build number of the downlevel OS. -- **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. -- **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. 
Example: Predownload, Install, Finalize, Rollback -- **Setup360Result** The result of Setup360. It's an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT -- **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). -- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled -- **TestId** A string that uniquely identifies a group of events. -- **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. +- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. 
### Setup360Telemetry.PreInstallUX -This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.PreinstallUX indicates the outcome of the PreinstallUX portion of the update process. +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process. The following fields are available: @@ -3998,12 +4296,12 @@ The following fields are available: - **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). - **InstanceId** A unique GUID that identifies each instance of setuphost.exe. - **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT +- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** A string to uniquely identify a group of events. - **WuId** Windows Update client ID. 
@@ -4014,37 +4312,56 @@ This event sends data about OS deployment scenarios, to help keep Windows up-to- The following fields are available: +- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FieldName** Retrieves the data point. - **FlightData** Specifies a unique identifier for each group of Windows Insider builds. - **InstanceId** Retrieves a unique identifier for each instance of a setup session. - **ReportId** Retrieves the report ID. - **ScenarioId** Retrieves the deployment scenario. - **Value** Retrieves the value associated with the corresponding FieldName. -- **ClientId** Retrieves the upgrade ID: Upgrades via Windows Update - specifies the WU clientID. All other deployment - static string. -## Windows as a Service diagnostic events +### Setup360Telemetry.Setup360DynamicUpdate -### Microsoft.Windows.WaaSMedic.SummaryEvent +This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date. -This event provides the results from the WaaSMedic engine + + +### Setup360Telemetry.Setup360MitigationResult + +This event sends data indicating the result of each setup mitigation. + + + +### Setup360Telemetry.Setup360MitigationSummary + +This event sends a summary of all the setup mitigations available for this update. + + + +### Setup360Telemetry.UnexpectedEvent + +This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date. The following fields are available: -- **detectionSummary** Result of each detection that ran -- **featureAssessmentImpact** Windows as a Service (WaaS) Assessment impact on feature updates -- **insufficientSessions** True, if the device has enough activity to be eligible for update diagnostics. 
False, if otherwise -- **isManaged** Indicates the device is managed for updates -- **isWUConnected** Indicates the device is connected to Windows Update -- **noMoreActions** All available WaaSMedic diagnostics have run. There are no pending diagnostics and corresponding actions -- **qualityAssessmentImpact** Windows as a Service (WaaS) Assessment impact for quality updates -- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on -- **usingBackupFeatureAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup feature assessments, which are determined programmatically on the client#N# -- **usingBackupQualityAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup quality assessments, which are determined programmatically on the client#N# -- **versionString** Installed version of the WaaSMedic engine -- **hrEngineResult** Indicates the WaaSMedic engine operation error codes +- **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **HostOSBuildNumber** The build number of the previous OS. +- **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. 
+- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. +- **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** A string to uniquely identify a group of events. +- **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. +## Windows as a Service diagnostic events + ### Microsoft.Windows.WaaSMedic.Summary This event provides the results of the WaaSMedic diagnostic run 
@@ -4052,39 +4369,45 @@ This event provides the results of the WaaSMedic diagnostic run The following fields are available: - **detectionSummary** Result of each detection that ran -- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on -- **versionString** Installed version of the WaaSMedic engine - **featureAssessmentImpact** Windows as a Service (WaaS) Assessment impact on feature updates - **insufficientSessions** True, if the device has enough activity to be eligible for update diagnostics. False, if otherwise - **isManaged** Indicates the device is managed for updates - **isWUConnected** Indicates the device is connected to Windows Update - **noMoreActions** All available WaaSMedic diagnostics have run. There are no pending diagnostics and corresponding actions - **qualityAssessmentImpact** Windows as a Service (WaaS) Assessment impact for quality updates +- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on - **usingBackupFeatureAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup feature assessments, which are determined programmatically on the client - **usingBackupQualityAssessment** The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. 
If WaaS Assessment isn't available, the engine falls back to backup quality assessments, which are determined programmatically on the client +- **versionString** Installed version of the WaaSMedic engine -## Windows Error Reporting events +### Microsoft.Windows.WaaSMedic.SummaryEvent -### Microsoft.Windows.WERVertical.OSCrash - -This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event. +This event provides the results from the WaaSMedic engine The following fields are available: -- **BootId** Uint32 identifying the boot number for this device. -- **BugCheckCode** "Uint64 ""bugcheck code"" that identifies a proximate cause of the bug check." -- **BugCheckParameter1** Uint64 parameter providing additional information. -- **BugCheckParameter2** Uint64 parameter providing additional information. -- **BugCheckParameter3** Uint64 parameter providing additional information. -- **BugCheckParameter4** Uint64 parameter providing additional information. -- **DumpFileAttributes** Codes that identify the type of data contained in the dump file -- **DumpFileSize** Size of the dump file -- **IsValidDumpFile** True if the dump file is valid for the debugger, false otherwise -- **ReportId** WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson). +- **detectionSummary** Result of each applicable detection that was run. +- **featureAssessmentImpact** WaaS Assessment impact for feature updates. +- **hrEngineResult** Indicates the WaaSMedic engine operation error codes +- **insufficientSessions** Device not eligible for diagnostics. +- **isManaged** Device is managed for updates. +- **isWUConnected** Device is connected to Windows Update. +- **noMoreActions** No more applicable diagnostics. +- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. 
+- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. +- **usingBackupFeatureAssessment** Relying on backup feature assessment. +- **usingBackupQualityAssessment** Relying on backup quality assessment. +- **versionString** Version of the WaaSMedic engine. + + +## Windows Store events + +### Microsoft.Windows.Store.Partner.ReportApplication + +Report application event for Windows Store client. -## Microsoft Store events ### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation 
@@ -4098,281 +4421,30 @@ The following fields are available: - **CategoryId** The Item Category ID. - **ClientAppId** The identity of the app that initiated this operation. - **HResult** The result code of the last action performed before this operation. -- **IntentPFNs** Intent Product Family Name - **IsBundle** Is this a bundle? - **IsInteractive** Was this requested by a user? - **IsMandatory** Was this a mandatory update? - **IsRemediation** Was this a remediation install? - **IsRestore** Is this automatically restoring a previously acquired product? - **IsUpdate** Flag indicating if this is an update. -- **IsWin32** Flag indicating if this is a Win32 app (not used). - **ParentBundleId** The product ID of the parent (if this product is part of a bundle). - **PFN** The product family name of the product being installed. - **ProductId** The identity of the package or packages being installed. - **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. -- **UpdateId** Update ID (if this is an update) - **UserAttemptNumber** The total number of user attempts at installation before it was canceled. -- **WUContentId** The Windows Update content ID +- **WUContentId** Licensing identity of this package. -### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense +### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds -This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. -- **AttemptNumber** The total number of attempts to acquire this product. -- **BundleId** The bundle ID -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. 
-- **HResult** HResult code to show the result of the operation (success/failure). -- **IntentPFNs** Intent Product Family Name -- **IsBundle** Is this a bundle? -- **IsInteractive** Did the user initiate the installation? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this happening after a device restore? -- **IsUpdate** Is this an update? -- **IsWin32** Flag indicating if this is a Win32app. -- **ParentBundledId** The product's parent bundle ID. -- **ParentBundleId** The parent bundle ID (if it's part of a bundle). -- **PFN** Product Family Name of the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The number of attempts by the system to acquire this product. -- **UpdateId** The update ID (if this is an update) -- **UserAttemptNumber** The number of attempts by the user to acquire this product -- **WUContentId** The Windows Update content ID +This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure. -### Microsoft.Windows.StoreAgent.Telemetry.EndDownload -This event happens during the app update or installation when content is being downloaded at the end of the process to report success or failure. It's used to help keep Windows up-to-date and secure. +### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare -The following fields are available: +This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure. -- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. -- **AttemptNumber** Number of retry attempts before it was canceled. -- **BundleId** The identity of the Windows Insider build associated with this product. 
-- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **DownloadSize** The total size of the download. -- **ExtendedHResult** Any extended HResult error codes. -- **HResult** The result code of the last action performed. -- **IntentPFNs** Intent Product Family Name -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this initiated by the user? -- **IsMandatory** Is this a mandatory installation? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this a restore of a previously acquired product? -- **IsUpdate** Is this an update? -- **IsWin32** Flag indicating if this is a Win32 app (unused). -- **ParentBundleId** The parent bundle ID (if it's part of a bundle). -- **PFN** The Product Family Name of the app being download. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The number of attempts by the system to download. -- **UpdateId** Update ID (if this is an update) -- **UserAttemptNumber** The number of attempts by the user to download. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate - -This event happens when an app update requires an updated Framework package and the process starts to download it. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed before this operation. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds - -This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed before this operation. 
- - -### Microsoft.Windows.StoreAgent.Telemetry.EndInstall - -This event is sent after a product has been installed. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **ExtendedHResult** The extended HResult error code. -- **HResult** The result code of the last action performed. -- **IntentPFNs** Intent Product Family Name -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this an interactive installation? -- **IsMandatory** Is this a mandatory installation? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this automatically restoring a previously acquired product? -- **IsUpdate** Is this an update? -- **IsWin32** Flag indicating if this a Win32 app (unused). -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** Product Family Name of the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UpdateId** Update ID (if this is an update) -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID - - -### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates - -This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. 
-- **IsApplicability** Is this request to only check if there are any applicable packages to install? -- **IsInteractive** Is this user requested? -- **IsOnline** Is the request doing an online check? - - -### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages - -This event is sent after searching for update packages to install. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. -- **IntentPFNs** The licensing identity of this package. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **IsWin32** Flag indicating if this a Win32 app (unused). -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UpdateId** Update ID (if this is an update) -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID - - -### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData - -This event is sent between download and installation to see if there is app data that needs to be restored from the cloud. It's used to keep Windows up-to-date and secure. 
- -The following fields are available: - -- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of system attempts. -- **WUContentId** The Windows Update content ID -- **IntentPFNs** The licensing identity of this package. -- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest - -This event happens at the beginning of the install process when an app update or new app is installed. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **BundleId** The identity of the build associated with this product. -- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SkuId** Specific edition ID being installed. -- **VolumePath** The disk path of the installation. 
-
-
-### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation
-
-This event is sent when a product install or update is paused either by a user or the system. It's used to help keep Windows up-to-date and secure.
-
-The following fields are available:
-
-- **AttemptNumber** The total number of retry attempts before it was canceled.
-- **BundleId** The identity of the build associated with this product.
-- **CategoryId** The identity of the package or packages being installed.
-- **ClientAppId** The identity of the app that initiated this operation.
-- **IsBundle** Is this a bundle?
-- **IsInteractive** Is this user requested?
-- **IsMandatory** Is this a mandatory update?
-- **IsRemediation** Is this repairing a previous installation?
-- **IsRestore** Is this restoring previously acquired content?
-- **IsUpdate** Is this an update?
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **PFN** The Product Full Name.
-- **PreviousHResult** The result code of the last action performed before this operation.
-- **PreviousInstallState** Previous state before the installation or update was paused.
-- **ProductId** The Store Product ID for the product being installed.
-- **RelatedCV** Correlation Vector of a previous performed action on this product.
-- **SystemAttemptNumber** The total number of system attempts.
-- **UserAttemptNumber** The total number of user attempts.
-- **WUContentId** The Windows Update content ID
-- **IntentPFNs** The licensing identity of this package.
-- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
-
-
-### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation
-
-This event happens when a product install or update is resumed either by a user or the system. It's used to help keep Windows up-to-date and secure.
-
-The following fields are available:
-
-- **AttemptNumber** The number of retry attempts before it was canceled.
-- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **PreviousHResult** The previous HResult error code. -- **PreviousInstallState** Previous state before the installation was paused. -- **ProductId** The Store Product ID for the product being installed. -- **RelatedCV** Correlation Vector for the original install before it was resumed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID -- **IntentPFNs** Intent Product Family Name -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **HResult** The result code of the last action performed before this operation. -- **IsUserRetry** Did the user initiate the retry? - - -### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest - -This event happens an app for a user needs to be updated. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **PFamN** The name of the product that is requested for update. ### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation 
@@ -4381,6 +4453,7 @@ This event is sent when an app update or installation is canceled while in inter The following fields are available: +- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed. - **AttemptNumber** Total number of installation attempts. - **BundleId** The identity of the Windows Insider build that is associated with this product. - **CategoryId** The identity of the package or packages being installed. 
@@ -4399,34 +4472,12 @@ The following fields are available: - **RelatedCV** Correlation Vector of a previous performed action on this product. - **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled. - **UserAttemptNumber** Total number of user attempts to install before it was canceled. -- **WUContentId** The Windows Update content ID -- **IntentPFNs** Intent Product Family Name -- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest - -This event is sent when searching for update packages to install. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **CatalogId** The Store Product ID for the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SkuId** Specfic edition of the app being updated. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare - -This event happens after a scan for available app updates. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed. +- **WUContentId** The Windows Update content ID. ### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest -This event is sent after the app installations or updates. It's used to help keep Windows up-to-date and secure +This event is sent at the end of the installs or updates. Store Agent events are needed to help keep Windows Apps up to date and secure, like the Mail and Calendar Apps. App install or update failures can be unique across devices and without this data from every device we will not be able to track failures and fix future vulnerabilities related to these Windows Apps. The following fields are available: 
@@ -4438,39 +4489,334 @@ The following fields are available: - **SkuId** Specific edition of the item being installed. +### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense + +This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. +- **AttemptNumber** The total number of attempts to acquire this product. +- **CategoryId** The identity of the package or packages being installed. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** HResult code to show the result of the operation (success/failure). +- **IsBundle** Is this a bundle? +- **IsInteractive** Did the user initiate the installation? +- **IsMandatory** Is this a mandatory update? +- **IsRemediation** Is this repairing a previous installation? +- **IsRestore** Is this happening after a device restore? +- **IsUpdate** Is this an update? +- **PFN** Product Family Name of the product being installed. +- **ProductId** The Store Product ID for the product being installed. +- **SystemAttemptNumber** The number of attempts by the system to acquire this product. +- **UserAttemptNumber** The number of attempts by the user to acquire this product +- **WUContentId** Licensing identity of this package. + + +### Microsoft.Windows.StoreAgent.Telemetry.EndDownload + +This event is sent after an app is downloaded to help keep Windows up-to-date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The identity of the Windows Insider build associated with this product. +- **CategoryId** The identity of the package or packages being installed. 
+- **ClientAppId** The identity of the app that initiated this operation.
+- **DownloadSize** The total size of the download.
+- **ExtendedHResult** Any extended HResult error codes.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this initiated by the user?
+- **IsMandatory** Is this a mandatory installation?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this a restore of a previously acquired product?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The parent bundle ID (if it's part of a bundle).
+- **PFN** The Product Family Name of the app being download.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The number of attempts by the system to download.
+- **UserAttemptNumber** The number of attempts by the user to download.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate
+
+This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed before this operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds
+
+This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed before this operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndInstall
+
+This event is sent after a product has been installed to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **ExtendedHResult** The extended HResult error code.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this an interactive installation?
+- **IsMandatory** Is this a mandatory installation?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this automatically restoring a previously acquired product?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** Product Family Name of the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** Licensing identity of this package.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates
+
+This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IsApplicability** Is this request to only check if there are any applicable packages to install?
+- **IsInteractive** Is this user requested?
+- **IsOnline** Is the request doing an online check?
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages
+
+This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData
+
+This event is sent after restoring user data (if any) that needs to be restored following a product install. Store Agent events are needed to help keep Windows Apps up to date and secure, like the Mail and Calendar Apps. App install or update failures can be unique across devices and without this data from every device we will not be able to track failures and fix future vulnerabilities related to these Windows Apps.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of system attempts.
+- **WUContentId** Licensing identity of this package.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare
+
+This event happens after a scan for available app updates. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete
+
+FulfillmentComplete event is fired at the end of an app install or update. We use this to track the very end of the install/update process. StoreAgent events are needed to help keep Windows pre-installed 1st party apps up to date and secure such as the mail and calendar apps. App update failure can be unique across devices and without this data from every device we will not be able to track the success/failure and fix any future vulnerabilities related to these built in Windows Apps.
+
+The following fields are available:
+
+- **FailedRetry** Tells us if the retry for an install or update was successful or not.
+- **HResult** Resulting HResult error/success code of this call
+- **PFN** Package Family Name of the app that being installed or updated
+- **ProductId** Product Id of the app that is being updated or installed
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate
+
+FulfillmentInitiate event is fired at the start of an app install or update. We use this to track the very beginning of the install/update process. StoreAgent events are needed to help keep Windows pre-installed 1st party apps up to date and secure such as the mail and calendar apps. App update failure can be unique across devices and without this data from every device we will not be able to track the success/failure and fix any future vulnerabilities related to these built in Windows Apps.
+
+The following fields are available:
+
+- **PFN** The Package Family Name of the app that is being installed or updated.
+- **ProductId** The product ID of the app that is being updated or installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest
+
+This event is sent when a product install or update is initiated. Store Agent events are needed to help keep Windows Apps up to date and secure, like the Mail and Calendar Apps. App install or update failures can be unique across devices and without this data from every device we will not be able to track failures and fix future vulnerabilities related to these Windows Apps.
+
+The following fields are available:
+
+- **BundleId** The identity of the build associated with this product.
+- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SkuId** Specific edition ID being installed.
+- **VolumePath** The disk path of the installation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation
+
+This event is sent when a product install or update is paused either by a user or the system. Store Agent events are needed to help keep Windows Apps up to date and secure, like the Mail and Calendar Apps. App install or update failures can be unique across devices and without this data from every device we will not be able to track failures and fix future vulnerabilities related to these Windows Apps.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The Product Full Name.
+- **PreviousHResult** The result code of the last action performed before this operation.
+- **PreviousInstallState** Previous state before the installation or update was paused.
+- **ProductId** The Store Product ID for the product being installed.
+- **RelatedCV** Correlation Vector of a previous performed action on this product.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** Licensing identity of this package.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation
+
+This event is sent when a product install or update is resumed either by a user or the system. Store Agent events are needed to help keep Windows Apps up to date and secure, like the Mail and Calendar Apps. App install or update failures can be unique across devices and without this data from every device we will not be able to track failures and fix future vulnerabilities related to these Windows Apps.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed before this operation.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **IsUserRetry** Did the user initiate the retry?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **PreviousHResult** The previous HResult error code.
+- **PreviousInstallState** Previous state before the installation was paused.
+- **ProductId** The Store Product ID for the product being installed.
+- **RelatedCV** Correlation Vector for the original install before it was resumed.
+- **SystemAttemptNumber** The total number of system attempts. +- **UserAttemptNumber** The total number of user attempts. +- **WUContentId** Licensing identity of this package. + + ### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest -This event happens when a product install or update is resumed by a user and on installation retries. It's used to help keep Windows up-to-date and secure. +This event is sent when a product install or update is resumed by a user and on install retries. Store Agent events are needed to help keep Windows Apps up to date and secure, like the Mail and Calendar Apps. App install or update failures can be unique across devices and without this data from every device we will not be able to track failures and fix future vulnerabilities related to these Windows Apps. The following fields are available: - **ProductId** The Store Product ID for the product being installed. -### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete +### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest -This event is sent at the end of an app install or update and is used to track the very end of the install or update process. +This event is sent when searching for update packages to install. Store Agent events are needed to help keep Windows Apps up to date and secure, like the Mail and Calendar Apps. App install or update failures can be unique across devices and without this data from every device we will not be able to track failures and fix future vulnerabilities related to these Windows Apps. The following fields are available: -- **FailedRetry** Was the installation or update retry successful? -- **HResult** The HResult code of the operation. -- **PFN** The Package Family Name of the app that is being installed or updated. -- **ProductId** The product ID of the app that is being updated or installed. +- **CatalogId** The Store Catalog ID for the product being installed. 
+- **ProductId** The Store Product ID for the product being installed. +- **SkuId** Specfic edition of the app being updated. -### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate +### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest -This event is sent at the beginning of an app install or update and is used to track the very beginning of the install or update process. +This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure. The following fields are available: -- **PFN** The Package Family Name of the app that is being installed or updated. -- **ProductId** The product ID of the app that is being updated or installed. +- **PFamN** The name of the app that is requested for update. ## Windows Update Delivery Optimization events +### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled + +This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Is the download being done in the background? +- **bytesFromCacheServer** Bytes received from a cache host. +- **bytesFromCDN** The number of bytes received from a CDN source. +- **bytesFromGroupPeers** The number of bytes received from a peer in the same group. +- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. +- **bytesFromPeers** The number of bytes received from a peer in the same LAN. +- **callerName** Name of the API caller. +- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. +- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. +- **clientTelId** A random number used for device sampling. +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. 
+- **doErrorCode** The Delivery Optimization error code that was returned. +- **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate events that are part of the same test. +- **fileID** The ID of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. +- **reasonCode** Reason the action or event occurred. +- **scenarioID** The ID of the scenario. +- **sessionID** The ID of the file download session. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** Did the download use memory streaming? + + ### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads. 
@@ -4478,24 +4824,35 @@ This event describes when a download has completed with Delivery Optimization. I The following fields are available: - **background** Is the download a background download? +- **bytesFromCacheServer** Bytes received from a cache host. - **bytesFromCDN** The number of bytes received from a CDN source. - **bytesFromGroupPeers** The number of bytes received from a peer in the same domain group. - **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same domain group. +- **bytesFromLocalCache** Bytes copied over from local (on disk) cache. - **bytesFromPeers** The number of bytes received from a peer in the same LAN. - **bytesRequested** The total number of bytes requested for download. +- **cacheServerConnectionCount** Number of connections made to cache hosts. +- **callerName** Name of the API caller. - **cdnConnectionCount** The total number of connections made to the CDN. - **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event. - **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered. - **cdnIp** The IP address of the source CDN. - **clientTelId** A random number used for device sampling. +- **dataSourcesTotal** Bytes received per source type, accumulated for the whole session. - **doErrorCode** The Delivery Optimization error code that was returned. - **downlinkBps** The maximum measured available download bandwidth (in bytes per second). - **downlinkUsageBps** The download speed (in bytes per second). - **downloadMode** The download mode used for this file download session. +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). 
+- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. - **fileID** The ID of the file being downloaded. - **fileSize** The size of the file being downloaded. +- **gCurMemoryStreamBytes** Current usage for memory streaming. +- **gMaxMemoryStreamBytes** Maximum usage for memory streaming. - **groupConnectionCount** The total number of connections made to peers in the same group. - **internetConnectionCount** The total number of connections made to peers not in the same LAN or the same group. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. - **lanConnectionCount** The total number of connections made to peers in the same LAN. - **numPeers** The total number of peers used for this download. - **restrictedUpload** Is the upload restricted? @@ -4505,8 +4862,6 @@ The following fields are available: - **updateID** The ID of the update being downloaded. - **uplinkBps** The maximum measured available upload bandwidth (in bytes per second). - **uplinkUsageBps** The upload speed (in bytes per second). -- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **isVpn** Is the device connected to a Virtual Private Network? - **usedMemoryStream** Did the download use memory streaming? 
@@ -4517,15 +4872,77 @@ This event represents a temporary suspension of a download with Delivery Optimiz The following fields are available: - **background** Is the download a background download? +- **callerName** The name of the API caller. - **clientTelId** A random number used for device sampling. - **errorCode** The error code that was returned. +- **experimentId** When running a test, this is used to correlate with other events that are part of the same test. - **fileID** The ID of the file being paused. +- **isVpn** Is the device connected to a Virtual Private Network? +- **jobID** Identifier for the Windows Update job. - **reasonCode** The reason for pausing the download. - **scenarioID** The ID of the scenario. - **sessionID** The ID of the download session. - **updateID** The ID of the update being paused. + + +### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted + +This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **background** Indicates whether the download is happening in the background. +- **bytesRequested** Number of bytes requested for the download. +- **callerName** Name of the API caller. +- **cdnUrl** The URL of the source CDN. +- **clientTelId** Random number used for device selection +- **costFlags** A set of flags representing network cost. +- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). +- **diceRoll** Random number used for determining if a client will use peering. +- **doClientVersion** The version of the Delivery Optimization client. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). 
+- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **errorCode** The error code that was returned. +- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. +- **fileID** The ID of the file being downloaded. +- **filePath** The path to where the downloaded file will be written. +- **fileSize** Total file size of the file that was downloaded. +- **fileSizeCaller** Value for total file size provided by our caller. +- **groupID** ID for the group. +- **isVpn** Indicates whether the device is connected to a Virtual Private Network. +- **jobID** The ID of the Windows Update job. +- **minDiskSizeGB** The minimum disk size (in GB) policy set for the device to allow peering with delivery optimization. +- **minDiskSizePolicyEnforced** Indicates whether there is an enforced minimum disk size requirement for peering. +- **minFileSizePolicy** The minimum content file size policy to allow the download using peering with delivery optimization. +- **peerID** The ID for this delivery optimization client. +- **scenarioID** The ID of the scenario. +- **sessionID** The ID for the file download session. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** Indicates whether the download used memory streaming. + + +### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication + +This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads. + +The following fields are available: + +- **cdnHeaders** The HTTP headers returned by the CDN. +- **cdnIp** The IP address of the CDN. +- **cdnUrl** The URL of the CDN. +- **clientTelId** A random number used for device sampling. 
+- **errorCode** The error code that was returned. +- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered. - **experimentId** When running a test, this is used to correlate with other events that are part of the same test. -- **isVpn** Is the device connected to a Virtual Private Network? +- **fileID** The ID of the file being downloaded. +- **httpStatusCode** The HTTP status code returned by the CDN. +- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET +- **peerType** The type of peer (LAN, Group, Internet, CDN, Cache Host, etc.). +- **requestOffset** The byte offset within the file in the sent request. +- **requestSize** The size of the range requested from the CDN. +- **responseSize** The size of the range response received from the CDN. +- **sessionID** The ID of the download session. ### Microsoft.OSG.DU.DeliveryOptClient.JobError 
@@ -4535,105 +4952,56 @@ This event represents a Windows Update job error. It allows for investigation of
 The following fields are available:
 - **clientTelId** A random number used for device sampling.
+- **doErrorCode** Error code returned for delivery optimization.
 - **errorCode** The error code returned.
 - **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
 - **fileID** The ID of the file being downloaded.
 - **jobID** The Windows Update job ID.
-### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled
-
-This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads.
-
-The following fields are available:
-
-- **background** Is the download being done in the background?
-- **bytesFromCDN** The number of bytes received from a CDN source.
-- **bytesFromGroupPeers** The number of bytes received from a peer in the same group.
-- **bytesFromIntPeers** The number of bytes received from peers not in the same LAN or in the same group.
-- **bytesFromPeers** The number of bytes received from a peer in the same LAN.
-- **cdnErrorCodes** A list of CDN connection errors since the last FailureCDNCommunication event.
-- **cdnErrorCounts** The number of times each error in cdnErrorCodes was encountered.
-- **clientTelId** A random number used for device sampling.
-- **doErrorCode** The Delivery Optimization error code that was returned.
-- **errorCode** The error code that was returned.
-- **experimentId** When running a test, this is used to correlate events that are part of the same test.
-- **fileID** The ID of the file being downloaded.
-- **isVpn** Is the device connected to a Virtual Private Network?
-- **scenarioID** The ID of the scenario.
-- **sessionID** The ID of the file download session.
-- **updateID** The ID of the update being downloaded.
-- **usedMemoryStream** Did the download use memory streaming?
-
-
-### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted
-
-This event describes the start of a new download with Delivery Optimization. It's used to understand and address problems regarding downloads.
-
-The following fields are available:
-
-- **background** Is the download a background download?
-- **cdnUrl** The URL of the CDN.
-- **clientTelId** A random number used for device sampling.
-- **deviceProfile** Identifies the usage or form factor. Example: Desktop or Xbox
-- **diceRoll** The dice roll value used in sampling events.
-- **doClientVersion** The version of the Delivery Optimization client.
-- **doErrorCode** The Delivery Optimization error code that was returned.
-- **downloadMode** The download mode used for this file download session.
-- **errorCode** The error code that was returned.
-- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
-- **fileID** The ID of the file being downloaded.
-- **filePath** The path where the file will be written.
-- **groupID** ID for the group.
-- **isVpn** Is the device connected to a Virtual Private Network?
-- **jobID** The ID of the Windows Update job.
-- **minDiskSizeGB** The minimum disk size (in GB) required for Peering.
-- **minDiskSizePolicyEnforced** Is the minimum disk size enforced via policy?
-- **minFileSizePolicy** The minimum content file size policy to allow the download using Peering.
-- **peerID** The ID for this Delivery Optimization client.
-- **scenarioID** The ID of the scenario.
-- **sessionID** The ID of the download session.
-- **updateID** The ID of the update being downloaded.
-- **usedMemoryStream** Did the download use memory streaming?
-- **costFlags** A set of flags representing network cost.
-
-
-### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
-
-This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads.
-
-The following fields are available:
-
-- **cdnIp** The IP address of the CDN.
-- **cdnUrl** The URL of the CDN.
-- **clientTelId** A random number used for device sampling.
-- **errorCode** The error code that was returned.
-- **errorCount** The total number of times this error code was seen since the last FailureCdnCommunication event was encountered.
-- **httpStatusCode** The HTTP status code returned by the CDN.
-- **sessionID** The ID of the download session.
-- **cdnHeaders** The HTTP headers returned by the CDN.
-- **experimentId** When running a test, this is used to correlate with other events that are part of the same test.
-- **fileID** The ID of the file being downloaded.
-- **isHeadRequest** The type of HTTP request that was sent to the CDN. Example: HEAD or GET
-- **requestSize** The size of the range requested from the CDN.
-- **responseSize** The size of the range response received from the CDN.
-
-
 ## Windows Update events
-### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit
-This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
 The following fields are available:
-- **flightId** The unique identifier for each flight
-- **mode** Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit
-- **objectId** Unique value for each Update Agent mode
-- **relatedCV** Correlation vector value generated from the latest scan
-- **scenarioId** The scenario ID.
Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **sessionId** Unique value for each Update Agent mode attempt
-- **updateId** Unique ID for each update
+- **errorCode** The error code returned for the current session initialization.
+- **flightId** The unique identifier for each flight.
+- **objectId** The unique GUID for each diagnostics session.
+- **relatedCV** A correlation vector value generated from the latest USO scan.
+- **result** Outcome of the initialization of the session.
+- **scenarioId** Identifies the Update scenario.
+- **sessionId** The unique value for each update session.
+- **updateId** The unique identifier for each Update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest
+
+This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
+
+The following fields are available:
+
+- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted.
+- **errorCode** The error code returned for the current session initialization.
+- **flightId** The unique identifier for each flight.
+- **objectId** Unique value for each Update Agent mode.
+- **packageCountOptional** Number of optional packages requested.
+- **packageCountRequired** Number of required packages requested.
+- **packageCountTotal** Total number of packages needed.
+- **packageCountTotalCanonical** Total number of canonical packages.
+- **packageCountTotalDiff** Total number of diff packages.
+- **packageCountTotalExpress** Total number of express packages.
+- **packageSizeCanonical** Size of canonical packages in bytes.
+- **packageSizeDiff** Size of diff packages in bytes.
+- **packageSizeExpress** Size of express packages in bytes
+- **rangeRequestState** Represents the state of the download range request.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Result of the download request phase of update.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **sessionId** Unique value for each Update Agent mode attempt.
+- **updateId** Unique ID for each update.
 ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize
@@ -4642,32 +5010,16 @@ This event sends data for initializing a new update session for the new device m
 The following fields are available:
-- **errorCode** The error code returned for the current initialize phase
-- **flightId** The unique identifier for each flight
-- **flightMetadata** Contains the FlightId and the build being flighted
-- **objectId** Unique value for each Update Agent mode
-- **relatedCV** Correlation vector value generated from the latest USO scan
-- **result** Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
-- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate#N#
-- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios)
-- **sessionId** "Unique value for each Update Agent mode attempt "
-- **updateId** Unique ID for each update
-
-
-### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit
-
-This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
-
-The following fields are available:
-
-- **errorCode** The error code returned for the current session initialization
-- **flightId** The unique identifier for each flight
-- **objectId** The unique GUID for each diagnostics session
-- **relatedCV** A correlation vector value, generated from the latest USO scan
-- **result** Outcome of the initialization of the session
-- **scenarioId** Identifies the Update scenario
-- **sessionId** The unique value for each update session
-- **updateId** The unique identifier for each Update
+- **errorCode** The error code returned for the current session initialization.
+- **flightId** The unique identifier for each flight.
+- **flightMetadata** Contains the FlightId and the build being flighted.
+- **objectId** Unique value for each Update Agent mode.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **sessionId** Unique value for each Update Agent mode attempt.
+- **updateId** Unique ID for each update.
 ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall
@@ -4686,252 +5038,143 @@ The following fields are available:
 - **updateId** Unique ID for each update
-### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart
-This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
+This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario. The update scenario is used to install a device manifest describing a set of driver packages.
 The following fields are available:
-- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted
-- **errorCode** The error code returned for the current session initialization
-- **flightId** The unique identifier for each flight
-- **objectId** Unique value for each Update Agent mode
-- **packageCountOptional** Number of optional packages requested
-- **packageCountRequired** Number of required packages requested
-- **packageCountTotal** Total number of packages needed
-- **packageCountTotalCanonical** Total number of canonical packages
-- **packageCountTotalDiff** Total number of diff packages
-- **packageCountTotalExpress** Total number of express packages
-- **packageSizeCanonical** Size of canonical packages in bytes
-- **packageSizeDiff** Size of diff packages in bytes
-- **packageSizeExpress** Size of express packages in bytes
-- **rangeRequestState** Represents the state of the download range request
-- **relatedCV** Correlation vector value generated from the latest USO scan
-- **result** Result of the download request phase of update
-- **scenarioId** The scenario ID.
Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **sessionId** Unique value for each Update Agent mode attempt
-- **updateId** Unique ID for each update
+- **flightId** Unique ID for each flight.
+- **mode** The mode that is starting.
+- **objectId** Unique value for each diagnostics session.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **scenarioId** Indicates the update scenario.
+- **sessionId** Unique value for each update session.
+- **updateId** Unique ID for each Update.
-### Microsoft.Windows.Update.Orchestrator.GameActive
+### Microsoft.Windows.Update.NotificationUx.RebootScheduled
-This event indicates that an enabled GameMode process prevented the device from restarting to complete an update
+Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update.
 The following fields are available:
-- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
-- **gameModeReason** Name of the enabled GameMode process that prevented the device from restarting to complete an update
-- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
-
-
-### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationCompleted
-
-This event sends data collected at the end of the Data Migration Framework (DMF) and parameters involved in its invocation, to help keep Windows up to date.
-
-The following fields are available:
-
-- **MigrationDurationInMilliseconds** How long the DMF migration took (in milliseconds)
-- **MigrationEndTime** A system timestamp of when the DMF migration completed.
-- **RevisionNumbers** A collection of revision numbers for the updates associated with the DMF session.
-- **UpdateIds** A collection of GUIDs for updates that are associated with the DMF session.
-- **WuClientId** The GUID of the Windows Update client responsible for triggering the DMF migration
-
-
-### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationStarted
-
-This event sends data collected at the beginning of the Data Migration Framework (DMF) and parameters involved in its invocation, to help keep Windows up to date.
-
-The following fields are available:
-
-- **MigrationMicrosoftPhases** Revision numbers for the updates that were installed.
-- **MigrationOEMPhases** WU Update IDs for the updates that were installed.
-- **MigrationStartTime** The timestamp representing the beginning of the DMF migration
-- **WuClientId** The GUID of the Windows Update client invoking DMF
-- **RevisionNumbers** A collection of the revision numbers associated with the UpdateIds.
-- **UpdateIds** A collection of GUIDs identifying the upgrades that are running.
-
-
-### Microsoft.Windows.Update.DataMigrationFramework.MigratorResult
-
-This event sends DMF migrator data to help keep Windows up to date.
-
-The following fields are available:
-
-- **CurrentStep** This is the last step the migrator reported before returning a result. This tells us how far through the individual migrator the device was before failure.
-- **ErrorCode** The result (as an HRESULT) of the migrator that just completed.
-- **MigratorId** A GUID identifying the migrator that just completed.
-- **MigratorName** The name of the migrator that just completed.
-- **RunDurationInSeconds** The time it took for the migrator to complete.
-- **TotalSteps** Migrators report progress in number of completed steps against the total steps. This is the total number of steps.
-
-
-### Microsoft.Windows.Update.Orchestrator.Download
-
-This event sends launch data for a Windows Update download to help keep Windows up to date.
-
-The following fields are available:
-
-- **deferReason** Reason for download not completing
-- **detectionDeferreason** Reason for download not completing
-- **errorCode** An error code represented as a hexadecimal value
-- **eventScenario** End to end update session ID.
-- **flightID** Unique update ID.
-- **interactive** Identifies if session is user initiated.
-- **revisionNumber** Update revision number.
-- **updateId** Update ID.
-- **updateScenarioType** The update session type.
-- **wuDeviceid** Unique device ID used by Windows Update.
-
-
-### Microsoft.Windows.Update.Orchestrator.FlightInapplicable
-
-This event sends data on whether the update was applicable to the device, to help keep Windows up to date.
-
-The following fields are available:
-
-- **EventPublishedTime** time that the event was generated
-- **revisionNumber** Revision Number of the Update
-- **updateId** Unique Update ID
-- **UpdateStatus** Integer that describes Update state
-- **wuDeviceid** Unique Device ID
-- **flightID** Unique Update ID
-- **updateScenarioType** The update session type.
-
-
-### Microsoft.Windows.Update.Orchestrator.PostInstall
-
-This event sends data about lite stack devices (mobile, IOT, anything non-PC) immediately before data migration is launched to help keep Windows up to date.
-
-The following fields are available:
-
-- **batteryLevel** Current battery capacity in mWh or percentage left.
-- **bundleId** Update grouping ID.
-- **bundleRevisionnumber** Bundle revision number.
-- **errorCode** Hex code for the error message, to allow lookup of the specific error.
-- **eventScenario** End to end update session ID.
-- **flightID** Unique update ID.
-- **sessionType** Interactive vs. Background.
-- **wuDeviceid** Unique device ID used by Windows Update.
-
-
-### Microsoft.Windows.Update.Orchestrator.RebootFailed
-
-This event sends information about whether an update required a reboot and reasons for failure to help keep Windows up to date.
-
-The following fields are available:
-
-- **batteryLevel** Current battery capacity in mWh or percentage left.
-- **deferReason** Reason for install not completing.
-- **EventPublishedTime** The time that the reboot failure occurred.
-- **flightID** Unique update ID.
-- **installRebootDeferreason** Reason for reboot not occurring.
-- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
-- **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code.
-- **revisionNumber** Update revision number.
-- **updateId** Update ID.
-- **updateScenarioType** The update session type.
-- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
-- **wuDeviceid** Unique device ID used by Windows Update.
-
-
-### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh
-
-This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date.
-
-The following fields are available:
-
-- **configuredPoliciescount** Policy Count
-- **policiesNamevaluesource** Policy Name
-- **policyCacherefreshtime** Refresh time
-- **updateInstalluxsetting** This shows whether a user has set policies via UX option
-- **wuDeviceid** Unique device ID used by Windows Update.
-
-
-### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired
-
-This event sends data about whether an update required a reboot to help keep Windows up to date.
-
-The following fields are available:
-
-- **revisionNumber** Update revision number.
-- **updateId** Update ID.
-- **wuDeviceid** Unique device ID used by Windows Update.
-- **flightID** Unique update ID.
-- **interactive** Indicates the reboot initiation stage of the update process was entered as a result of user action or not.
-- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
-- **updateScenarioType** The update session type.
-
-
-### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled
-
-This event sends data about a required reboot that is scheduled with no user interaction, to help keep Windows up to date.
-
-The following fields are available:
-
-- **activeHoursApplicable** True, If Active Hours applicable on this device. False, otherwise.
-- **forcedReboot** True, if a reboot is forced on the device. Otherwise, this is False
+- **activeHoursApplicable** Indicates whether an Active Hours policy is present on the device.
 - **rebootArgument** Argument for the reboot task. It also represents specific reboot related action.
-- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise.
-- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically.
-- **revisionNumber** Revision number of the update that is getting installed with this reboot.
-- **scheduledRebootTime** Time of the scheduled reboot
-- **updateId** Update ID of the update that is getting installed with this reboot.
+- **rebootOutsideOfActiveHours** Indicates whether a restart is scheduled outside of active hours.
+- **rebootScheduledByUser** Indicates whether the restart was scheduled by user (if not, it was scheduled automatically).
+- **rebootState** The current state of the restart.
+- **revisionNumber** Revision number of the update that is getting installed with this restart.
+- **scheduledRebootTime** Time of the scheduled restart.
+- **scheduledRebootTimeInUTC** Time of the scheduled restart in Coordinated Universal Time.
+- **updateId** ID of the update that is getting installed with this restart.
+- **wuDeviceid** Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.CommitFailed
+
+This event indicates that a device was unable to restart after an update.
+
+The following fields are available:
+
+- **errorCode** The error code that was returned.
+- **wuDeviceid** The Windows Update device GUID.
+
+
+### Microsoft.Windows.Update.Orchestrator.DeferRestart
+
+This event indicates that a restart required for installing updates was postponed.
+
+The following fields are available:
+
+- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.).
+- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery).
+- **raisedDeferReason** Indicates all potential reasons for postponing restart (such as user active, or low battery).
 - **wuDeviceid** Unique device ID used by Windows Update.
-- **rebootState** The state of the reboot.
 ### Microsoft.Windows.Update.Orchestrator.Detection
-This event sends launch data for a Windows Update scan to help keep Windows up to date.
+This event indicates that a scan for a Windows Update occurred.
 The following fields are available:
 - **deferReason** Reason why the device could not check for updates.
 - **detectionBlockreason** Reason for detection not completing.
-- **detectionDeferreason** A log of deferral reasons for every update state.
+- **detectionRetryMode** Indicates whether we will try to scan again.
 - **errorCode** The returned error code.
-- **eventScenario** End to end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
-- **flightID** A unique update ID.
-- **interactive** Identifies if session is User Initiated.
+- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **interactive** Indicates whether the session was user initiated.
 - **revisionNumber** Update revision number.
 - **updateId** Update ID.
-- **updateScenarioType** The update session type.
-- **wuDeviceid** Unique device ID used by Windows Update.
+- **updateScenarioType** Device ID
+- **wuDeviceid** Device ID
-### Microsoft.Windows.Update.Orchestrator.InitiatingReboot
+### Microsoft.Windows.Update.Orchestrator.DisplayNeeded
-This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date.
+This event indicates the reboot was postponed due to needing a display.
 The following fields are available:
-- **EventPublishedTime** Time of the event.
+- **displayNeededReason** Reason the display is needed.
+- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours.
 - **revisionNumber** Revision number of the update.
 - **updateId** Update ID.
-- **wuDeviceid** Unique device ID used by Windows Update.
-- **flightID** Unique update ID
-- **interactive** Indicates the reboot initiation stage of the update process was entered as a result of user action or not.
-- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
-- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
 - **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated.
+- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
-### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled
+### Microsoft.Windows.Update.Orchestrator.FlightInapplicable
-This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up-to-date.
+This event indicates that the update is no longer applicable to this device.
 The following fields are available:
-- **activeHoursApplicable** Is the restart respecting Active Hours?
-- **rebootArgument** The arguments that are passed to the OS for the restarted.
-- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours?
-- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device.
-- **rebootState** The state of the restart.
-- **revisionNumber** The revision number of the OS being updated.
-- **scheduledRebootTime** Time of the scheduled reboot
-- **updateId** The Windows Update device GUID.
-- **wuDeviceid** The Windows Update device GUID.
-- **forcedReboot** True, if a reboot is forced on the device. Otherwise, this is False
+- **EventPublishedTime** Time when this event was generated.
+- **flightID** The specific ID of the Windows Insider build.
+- **revisionNumber** Update revision number.
+- **updateId** Unique Windows Update ID.
+- **updateScenarioType** Update session type.
+- **UpdateStatus** Last status of update.
+- **UUPFallBackConfigured** Indicates whether UUP fallback is configured.
+- **wuDeviceid** Unique Device ID.
+
+
+### Microsoft.Windows.Update.Orchestrator.GameActive
+
+This event indicates that an enabled GameMode process prevented the device from restarting to complete an update.
+
+The following fields are available:
+
+- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **gameModeReason** Name of the enabled GameMode process that prevented the device from restarting to complete an update.
+- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+
+
+### Microsoft.Windows.Update.Orchestrator.LowUptimes
+
+This event is sent if a device is identified as not having sufficient uptime to reliably process updates in order to keep secure.
+
+The following fields are available:
+
+- **isLowUptimeMachine** Is the machine considered low uptime or not.
+- **lowUptimeMinHours** Current setting for the minimum number of hours needed to not be considered low uptime.
+- **lowUptimeQueryDays** Current setting for the number of recent days to check for uptime.
+- **uptimeMinutes** Number of minutes of uptime measured.
+- **wuDeviceid** Unique device ID for Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.PreShutdownStart
+
+This event is generated before the shutdown and commit operations.
+
+The following fields are available:
+
+- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
 ### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded
@@ -4943,148 +5186,56 @@ The following fields are available: - **UtcTime** The Coordinated Universal Time that the restart was no longer needed. -### Microsoft.Windows.Update.Ux.MusNotification.ToastDisplayedToScheduleReboot +### Microsoft.Windows.Update.Ux.MusNotification.RebootRequestReasonsToIgnore -This event is sent when a toast notification is shown to the user about scheduling a device restart. +This event is sent when the reboot can be deferred based on some reasons, before reboot attempts The following fields are available: -- **UtcTime** The Coordinated Universal Time when the toast notification was shown. +- **Reason** The reason sent which will cause the reboot to defer. -### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask +### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerFirstReadyToReboot -This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date. +This event is fired the first time when the reboot is required. + + + +### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask + +This event is sent when MUSE broker schedules a task The following fields are available: -- **RebootTaskRestoredTime** Time at which this reboot task was restored. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **wuDeviceid** Device id on which the reboot is restored +- **TaskArgument** The arguments which the task is scheduled with +- **TaskName** Name of the task -### Microsoft.Windows.Update.Orchestrator.SystemNeeded +### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled -This event sends data about why a device is unable to reboot, to help keep Windows up to date. +This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up-to-date The following fields are available: -- **eventScenario** End to end update session ID. 
-- **revisionNumber** Update revision number. -- **systemNeededReason** Reason ID -- **updateId** Update ID. -- **wuDeviceid** Unique device ID used by Windows Update. -- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date. -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **updateScenarioType** The update session type. - - -### Microsoft.Windows.Update.UpdateStackServicing.CheckForUpdates - -This event sends data about the UpdateStackServicing check for updates, to help keep Windows up to date. - -The following fields are available: - -- **BspVersion** The version of the BSP. -- **CallerApplicationName** The name of the USS scheduled task. Example UssScheduled or UssBoot -- **ClientVersion** The version of the client. -- **CommercializationOperator** The name of the operator. -- **DetectionVersion** The string returned from the GetDetectionVersion export of the downloaded detection DLL. -- **DeviceName** The name of the device. -- **EventInstanceID** The USS session ID. -- **EventScenario** The scenario of the event. Example: Started, Failed, or Succeeded -- **OemName** The name of the manufacturer. -- **ServiceGuid** The GUID of the service. -- **StatusCode** The HRESULT code of the operation. -- **WUDeviceID** The Windows Update device ID. - - -### Microsoft.Windows.Update.Orchestrator.CommitFailed - -This events tracks when a device needs to restart after an update but did not. - -The following fields are available: - -- **errorCode** The error code that was returned. +- **activeHoursApplicable** Is the restart respecting Active Hours? +- **forcedReboot** True, if a reboot is forced on the device. 
Otherwise, this is False +- **rebootArgument** The arguments that are passed to the OS for the restarted. +- **rebootOutsideOfActiveHours** Was the restart scheduled outside of Active Hours? +- **rebootScheduledByUser** Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device. +- **rebootState** The state of the restart. +- **revisionNumber** The revision number of the OS being updated. +- **scheduledRebootTime** Time of the scheduled reboot +- **scheduledRebootTimeInUTC** Time of the scheduled restart, in Coordinated Universal Time. +- **updateId** The Windows Update device GUID. - **wuDeviceid** The Windows Update device GUID. -### Microsoft.Windows.Update.Orchestrator.Install +## Winlogon events -This event sends launch data for a Windows Update install to help keep Windows up to date. +### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon -The following fields are available: - -- **batteryLevel** Current battery capacity in mWh or percentage left. -- **deferReason** Reason for install not completing. -- **eventScenario** End to end update session ID. -- **interactive** Identifies if session is user initiated. -- **wuDeviceid** Unique device ID used by Windows Update. -- **flightUpdate** Flight update -- **installRebootinitiatetime** The time it took for a reboot to be attempted. -- **minutesToCommit** The time it took to install updates. -- **revisionNumber** Update revision number. -- **updateId** Update ID. -- **errorCode** The error code reppresented by a hexadecimal value. -- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress. -- **flightID** Unique update ID -- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates. -- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date. 
-- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date. -- **updateScenarioType** The update session type. +This event signals the completion of the setup process. It happens only once during the first logon. -### Microsoft.Windows.Update.Orchestrator.PreShutdownStart - -This event is generated right before the shutdown and commit operations - -The following fields are available: - -- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue -### Microsoft.Windows.Update.Orchestrator.DeferRestart - -This event indicates that a restart required for installing updates was postponed - -The following fields are available: - -- **filteredDeferReason** Indicates the raised, but ignorable, reasons that the USO didn't restart (for example, user active or low battery) -- **raisedDeferReason** Indicates the reason that the USO didn't restart. 
For example, user active or low battery -- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue -- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed - - -### Microsoft.Windows.Update.Orchestrator.DisplayNeeded - -Reboot postponed due to needing a display - -The following fields are available: - -- **displayNeededReason** Reason the display is needed -- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed -- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date -- **revisionNumber** Revision number of the update -- **updateId** Update ID -- **updateScenarioType** The update session type -- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date -- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue - - -### Microsoft.Windows.Update.NotificationUx.RebootScheduled - -Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update - -The following fields are available: - -- **activeHoursApplicable** True, If Active Hours applicable on this device. False, otherwise -- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action -- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. 
False, otherwise
-- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically
-- **rebootState** The state of the reboot
-- **revisionNumber** Revision number of the update that is getting installed with this reboot
-- **scheduledRebootTime** Time of the scheduled reboot
-- **updateId** ID of the update that is getting installed with this reboot
-- **wuDeviceid** Unique device ID used by Windows Update
-- **scheduledRebootTimeInUTC** Time of the scheduled reboot in Coordinated Universal Time
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
index 84da766a22..2f0e8fbb61 100644
--- a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1803.md
@@ -1,27 +1,26 @@ --- description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level. title: Windows 10, version 1803 basic diagnostic events and fields (Windows 10) -keywords: privacy, telemetry, diagnostic data +keywords: privacy, telemetry ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library ms.pagetype: security -ms.localizationpriority: high +localizationpriority: high author: brianlic-msft ms.author: brianlic -ms.date: 4/30/2018 +ms.date: 09/10/2018 --- # Windows 10, version 1803 basic level Windows diagnostic events and fields - **Applies to** - Windows 10, version 1803 -The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information. +The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store. When the level is set to Basic, it also includes the Security level information. The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems. 
@@ -33,227 +32,9 @@ You can learn more about Windows functional and diagnostic data through these ar - [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md) - [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md) - [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) -- [Manage Windows 10 connection endpoints](manage-windows-endpoints.md) - [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) - - -## Common data extensions - -### Common Data Extensions.App - - - -The following fields are available: - -- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. -- **userId** The userID as known by the application. -- **env** The environment from which the event was logged. -- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. -- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. -- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. - - -### Common Data Extensions.CS - - - -The following fields are available: - -- **sig** A common schema signature that identifies new and modified event schemas. - - -### Common Data Extensions.CUET - - - -The following fields are available: - -- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. 
-- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. -- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. -- **op** Represents the ETW Op Code. -- **cat** Represents a bitmask of the ETW Keywords associated with the event. -- **flags** Represents the bitmap that captures various Windows specific flags. -- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. -- **tickets** A list of strings that represent entries in the HTTP header of the web request that includes this event. -- **bseq** Upload buffer sequence number in the format \:\ -- **mon** Combined monitor and event sequence numbers in the format \:\ -- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. -- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue.  The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. - - -### Common Data Extensions.Device - - - -The following fields are available: - -- **ver** Represents the major and minor version of the extension. -- **localId** Represents a locally defined unique ID for the device, not the human readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId -- **deviceClass** Represents the classification of the device, the device “family”.  For example, Desktop, Server, or Mobile. - - -### Common Data Extensions.Envelope - - - -The following fields are available: - -- **ver** Represents the major and minor version of the extension. 
-- **name** Represents the uniquely qualified name for the event.
-- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format.
-- **popSample** Represents the effective sample rate for this event at the time it was generated by a client.
-- **iKey** Represents an ID for applications or other logical groupings of events.
-- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency.
-- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries.
-
-
-### Common Data Extensions.OS
-
-
-
-The following fields are available:
-
-- **ver** Represents the major and minor version of the extension.
-- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema.
-- **locale** Represents the locale of the operating system.
-- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot.
-- **os** Represents the operating system name.
-- **ver** Represents the OS version, and its format is OS dependent.
-
-
-### Common Data Extensions.User
-
-
-
-The following fields are available:
-
-- **ver** Represents the major and minor version of the extension.
-- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID.
-
-
-### Common Data Extensions.XBL
-
-
-
-The following fields are available:
-
-- **nbf** Not before time
-- **expId** Expiration time
-- **sbx** XBOX sandbox identifier
-- **dty** XBOX device type
-- **did** XBOX device ID
-- **xid** A list of base10-encoded XBOX User IDs.
-- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
-
-
-### Common Data Extensions.Consent UI Event
-
-This User Account Control (UAC) telemetry point collects information on elevations that originate from low integrity levels. This occurs when a process running at low integrity level (IL) requires higher (administrator) privileges, and therefore requests for elevation via UAC (consent.exe). By better understanding the processes requesting these elevations, Microsoft can in turn improve the detection and handling of potentially malicious behavior in this path.
-
-The following fields are available:
-
-- **eventType** Represents the type of elevation: If it succeeded, was cancelled, or was auto-approved.
-- **splitToken** Represents the flag used to distinguish between administrators and standard users.
-- **friendlyName** Represents the name of the file requesting elevation from low IL.
-- **elevationReason** Represents the distinction between various elevation requests sources (appcompat, installer, COM, MSI and so on).
-- **exeName** Represents the name of the file requesting elevation from low IL.
-- **signatureState** Represents the state of the signature, if it signed, unsigned, OS signed and so on.
-- **publisherName** Represents the name of the publisher of the file requesting elevation from low IL.
-- **cmdLine** Represents the full command line arguments being used to elevate.
-- **Hash.Length** Represents the length of the hash of the file requesting elevation from low IL.
-- **Hash** Represents the hash of the file requesting elevation from low IL.
-- **HashAlgId** Represents the algorithm ID of the hash of the file requesting elevation from low IL.
-- **telemetryFlags** Represents the details about the elevation prompt for CEIP data.
-- **timeStamp** Represents the time stamp on the file requesting elevation.
-- **fileVersionMS** Represents the major version of the file requesting elevation.
-- **fileVersionLS** Represents the minor version of the file requesting elevation.
-
-
-## Common data fields
-
-### Common Data Fields.MS.Device.DeviceInventory.Change
-
-These fields are added whenever Ms.Device.DeviceInventoryChange is included in the event.
-
-The following fields are available:
-
-- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
-- **objectType** Indicates the object type that the event applies to.
-- **Action** The change that was invoked on a device inventory object.
-- **inventoryId** Device ID used for Compatibility testing
-
-
-### Common Data Fields.TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate.PreUpgradeSettings
-
-These fields are added whenever PreUpgradeSettings is included in the event.
-
-The following fields are available:
-
-- **HKLM_SensorPermissionState.SensorPermissionState** The state of the Location service before the feature update completed.
-- **HKLM_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the device.
-- **HKCU_SensorPermissionState.SensorPermissionState** The state of the Location service when a user signs on before the feature update completed.
-- **HKCU_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the current user.
-- **HKLM_LocationPlatform.Status** The state of the location platform after the feature update has completed.
-- **HKLM_LocationPlatform.HRESULT** The error code returned when trying to query the location platform for the device.
-- **HKLM_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the device before the feature update completed.
-- **HKLM_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the device.
-- **HKCU_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the current user before the feature update completed.
-- **HKCU_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the current user.
-- **HKLM_AllowTelemetry.AllowTelemetry** The state of the Connected User Experiences and Telemetry component for the device before the feature update.
-- **HKLM_AllowTelemetry.HRESULT** The error code returned when trying to query the Connected User Experiences and Telemetry conponent for the device.
-- **HKLM_TIPC.Enabled** The state of TIPC for the device.
-- **HKLM_TIPC.HRESULT** The error code returned when trying to query TIPC for the device.
-- **HKCU_TIPC.Enabled** The state of TIPC for the current user.
-- **HKCU_TIPC.HRESULT** The error code returned when trying to query TIPC for the current user.
-- **HKLM_FlipAhead.FPEnabled** Is Flip Ahead enabled for the device before the feature update was completed?
-- **HKLM_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the device.
-- **HKCU_FlipAhead.FPEnabled** Is Flip Ahead enabled for the current user before the feature update was completed?
-- **HKCU_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the current user.
-- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled** Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed?
-- **HKCU_TailoredExperiences.HRESULT** The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user.
-- **HKLM_AdvertisingID.Enabled** Is the adveristing ID enabled for the device?
-- **HKLM_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the device.
-- **HKCU_AdvertisingID.Enabled** Is the adveristing ID enabled for the current user?
-- **HKCU_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the user.
-
-
-### Common Data Fields.TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate.PostUpgradeSettings
-
-These fields are added whenever PostUpgradeSettings is included in the event.
-
-The following fields are available:
-
-- **HKLM_SensorPermissionState.SensorPermissionState** The state of the Location service after the feature update has completed.
-- **HKLM_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the device.
-- **HKCU_SensorPermissionState.SensorPermissionState** The state of the Location service when a user signs on after a feature update has completed.
-- **HKCU_SensorPermissionState.HRESULT** The error code returned when trying to query the Location service for the current user.
-- **HKLM_LocationPlatform.Status** The state of the location platform after the feature update has completed.
-- **HKLM_LocationPlatform.HRESULT** The error code returned when trying to query the location platform for the device.
-- **HKLM_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the device after the feature update has completed.
-- **HKLM_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the device.
-- **HKCU_LocationSyncEnabled.AcceptedPrivacyPolicy** The speech recognition state for the current user after the feature update has completed.
-- **HKCU_LocationSyncEnabled.HRESULT** The error code returned when trying to query the Find My Device service for the current user.
-- **HKLM_AllowTelemetry.AllowTelemetry** The state of the Connected User Experiences and Telemetry component for the device after the feature update.
-- **HKLM_AllowTelemetry.HRESULT** The error code returned when trying to query the Connected User Experiences and Telemetry conponent for the device.
-- **HKLM_TIPC.Enabled** The state of TIPC for the device.
-- **HKLM_TIPC.HRESULT** The error code returned when trying to query TIPC for the device.
-- **HKCU_TIPC.Enabled** The state of TIPC for the current user.
-- **HKCU_TIPC.HRESULT** The error code returned when trying to query TIPC for the current user.
-- **HKLM_FlipAhead.FPEnabled** Is Flip Ahead enabled for the device after the feature update has completed?
-- **HKLM_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the device.
-- **HKCU_FlipAhead.FPEnabled** Is Flip Ahead enabled for the current user after the feature update has completed?
-- **HKCU_FlipAhead.HRESULT** The error code returned when trying to query Flip Ahead for the current user.
-- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled** Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed?
-- **HKCU_TailoredExperiences.HRESULT** The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user.
-- **HKLM_AdvertisingID.Enabled** Is the adveristing ID enabled for the device?
-- **HKLM_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the device.
-- **HKCU_AdvertisingID.Enabled** Is the adveristing ID enabled for the current user?
-- **HKCU_AdvertisingID.HRESULT** The error code returned when trying to query the state of the advertising ID for the user.
- - ## Appraiser events ### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount 
@@ -262,143 +43,82 @@ This event lists the types of objects and how many of each exist on the client d The following fields are available: -- **PCFP** An ID for the system, calculated by hashing hardware identifiers. -- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. -- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. -- **SystemProcessorSse2** The count of the number of this particular object type present on this device. -- **SystemProcessorNx** The count of the number of this particular object type present on this device. -- **SystemWim** The count of the number of this particular object type present on this device. -- **SystemWlan** The count of the number of this particular object type present on this device. +- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **DatasourceApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. - **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device. -- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. -- **InventorySystemBios** The count of the number of this particular object type present on this device. -- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. -- **SystemMemory** The count of the number of this particular object type present on this device. -- **SystemProcessorPrefetchW** The count of the number of this particular object type present on this device. 
-- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device.
-- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device.
-- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device.
-- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device.
-- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device.
-- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device.
-- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device.
-- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers.
-- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers.
-- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device.
-- **SystemTouch** The count of the number of this particular object type present on this device.
-- **InventoryApplicationFile** The count of the number of this particular object type present on this device.
-- **InventoryLanguagePack** The count of InventoryLanguagePack objects present on this machine.
-- **InventoryMediaCenter** The count of the number of this particular object type present on this device.
-- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device.
-- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device.
-- **DatasourceApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device.
- **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device. +- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device. - **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device. -- **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device. -- **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. -- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. -- **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. -- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device. -- **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device. -- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device. -- **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. -- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. -- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. -- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. -- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. 
-- **DecisionApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. - **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. +- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. +- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. +- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device. +- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device. +- **DecisionApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device. +- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device. +- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device. +- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device. +- **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device. 
- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device. +- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device. +- **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device. +- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device. +- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device. - **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device. +- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device. +- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device. +- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device. +- **DecisionTest_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **InventoryApplicationFile** The count of the number of this particular object type present on this device. +- **InventoryLanguagePack** The count of the number of this particular object type present on this device. +- **InventoryMediaCenter** The count of the number of this particular object type present on this device. +- **InventorySystemBios** The count of the number of this particular object type present on this device. +- **InventoryTest** The count of the number of this particular object type present on this device. 
+- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device. +- **PCFP** An ID for the system, calculated by hashing hardware identifiers. +- **SystemMemory** The count of the number of this particular object type present on this device. +- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device. +- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device. +- **SystemProcessorNx** The count of SystemProcessorNx objects present on this machine. +- **SystemProcessorPrefetchW** The count of the number of this particular object type present on this device. +- **SystemProcessorSse2** The count of SystemProcessorSse2 objects present on this machine. +- **SystemTouch** The count of SystemTouch objects present on this machine. +- **SystemWim** The count of SystemWim objects present on this machine. +- **SystemWindowsActivationStatus** The count of SystemWindowsActivationStatus objects present on this machine. +- **SystemWlan** The count of SystemWlan objects present on this machine. +- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers. +- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device. -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd +### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd -This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. +Represents the basic metadata about specific application files installed on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **AppraiserVersion** The version of the appraiser file generating the events. 
- - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove - -This event indicates that the DataSourceMatchingInfoBlock object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync - -This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd - -This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. - -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove - -This event indicates that the DataSourceMatchingInfoPassive object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync - -This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd - -This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. 
- -The following fields are available: - -- **AppraiserVersion** The version of the appraiser file generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove - -This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - - -### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync - -This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. - -The following fields are available: - -- **AppraiserVersion** The version of the Appraiser file that is generating the events. - +- **AppraiserVersion** The version of the appraiser file that is generating the events. +- **AvDisplayName** If the app is an antivirus app, this is its display name. +- **CompatModelIndex** The compatibility prediction for this file. +- **HasCitData** Indicates whether the file is present in CIT data. +- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file. +- **IsAv** Is the file an antivirus reporting EXE? +- **ResolveAttempted** This will always be an empty string when sent. +- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file. ### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove This event indicates that the DatasourceApplicationFile object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -408,6 +128,8 @@ The following fields are available: This event indicates that a new set of DatasourceApplicationFileAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -415,23 +137,26 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd -This event sends compatibility data for a PNP device, to help keep Windows up-to-date. +This event sends compatibility data for a Plug and Play device, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **ActiveNetworkConnection** Is the device an active network device? +- **ActiveNetworkConnection** Indicates whether the device is an active network device. - **AppraiserVersion** The version of the appraiser file generating the events. -- **IsBootCritical** Is the device boot critical? -- **SdbEntries** An array of fields indicating the SDB entries that apply to this device. -- **WuDriverCoverage** Is there a driver uplevel for this device according to Windows Update? -- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver -- **WuPopulatedFromId** The expected up-level driver matching ID based on driver coverage from Windows Update +- **IsBootCritical** Indicates whether the device boot is critical. +- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update. +- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver. +- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update. ### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove This event indicates that the DatasourceDevicePnp object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -441,6 +166,8 @@ The following fields are available: This event indicates that a new set of DatasourceDevicePnpAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -448,7 +175,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd -This event sends compatibility database data about driver packages to help keep Windows up-to-date. +This event sends compatibility database data about driver packages to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -459,6 +188,8 @@ The following fields are available: This event indicates that the DatasourceDriverPackage object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -468,6 +199,107 @@ The following fields are available: This event indicates that a new set of DatasourceDriverPackageAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd + +This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove + +This event indicates that the DataSourceMatchingInfoBlock object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync + +This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd + +This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. 
+ +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove + +This event indicates that the DataSourceMatchingInfoPassive object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync + +This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd + +This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the appraiser file generating the events. + + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove + +This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **AppraiserVersion** The version of the Appraiser file that is generating the events. 
+ + +### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync + +This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -477,16 +309,19 @@ The following fields are available: This event sends compatibility database information about the BIOS to help keep Windows up-to-date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. -- **SdbEntries** An array of fields indicating the SDB entries that apply to this BIOS. ### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove This event indicates that the DatasourceSystemBios object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -496,6 +331,8 @@ The following fields are available: This event indicates that a new set of DatasourceSystemBiosAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -505,11 +342,13 @@ The following fields are available: This event sends compatibility decision data about a file to help keep Windows up-to-date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: -- **AppraiserVersion** The version of the appraiser file generating the events. +- **AppraiserVersion** The version of the appraiser file that is generating the events. - **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS. -- **BlockingApplication** Are there any application issues that interfere with upgrade due to the file in question? +- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question. - **DisplayGenericMessage** Will be a generic message be shown for this file? - **HardBlock** This file is blocked in the SDB. - **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB? @@ -530,7 +369,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove -This event indicates that the DecisionApplicationFile object is no longer present. +This event indicates Indicates that the DecisionApplicationFile object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -541,6 +382,8 @@ The following fields are available: This event indicates that a new set of DecisionApplicationFileAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -548,7 +391,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd -This event sends compatibility decision data about a PNP device to help keep Windows up-to-date. +This event sends compatibility decision data about a PNP device to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -574,6 +419,8 @@ The following fields are available: This event indicates that the DecisionDevicePnp object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -581,7 +428,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync -This event indicates that the DecisionDevicePnp object is no longer present. +The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -590,7 +439,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd -This event sends decision data about driver package compatibility to help keep Windows up-to-date. +This event sends decision data about driver package compatibility to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
@@ -606,6 +457,8 @@ The following fields are available: This event indicates that the DecisionDriverPackage object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -615,6 +468,8 @@ The following fields are available: This event indicates that a new set of DecisionDriverPackageAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -622,7 +477,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd -This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. +This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -639,6 +496,8 @@ The following fields are available: This event indicates that the DecisionMatchingInfoBlock object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -648,6 +507,8 @@ The following fields are available: This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -657,6 +518,8 @@ The following fields are available: This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -668,6 +531,8 @@ The following fields are available: This event Indicates that the DecisionMatchingInfoPassive object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -677,6 +542,8 @@ The following fields are available: This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -684,7 +551,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd -This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up-to-date. +This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -699,6 +568,8 @@ The following fields are available: This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -706,7 +577,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd -This event sends decision data about the presence of Windows Media Center, to help keep Windows up-to-date. +This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -723,6 +596,8 @@ The following fields are available: This event indicates that the DecisionMediaCenter object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -732,6 +607,8 @@ The following fields are available: This event indicates that a new set of DecisionMediaCenterAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -739,7 +616,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd -This event sends compatibility decision data about the BIOS to help keep Windows up-to-date. +This event sends compatibility decision data about the BIOS to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -752,6 +631,8 @@ The following fields are available: This event indicates that the DecisionSystemBios object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -761,6 +642,8 @@ The following fields are available: This event indicates that a new set of DecisionSystemBiosAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -782,12 +665,14 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd -This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or are part of an anti-virus program. +This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. -- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64 +- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64. - **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets. - **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets. - **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata. @@ -807,6 +692,8 @@ The following fields are available: This event indicates that the InventoryApplicationFile object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -814,7 +701,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync -This event indicates that a new set of InventoryApplicationFileAdd events will be sent. +This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -823,19 +712,23 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd -This event sends data about the number of language packs installed on the system, to help keep Windows up-to-date. +This event sends data about the number of language packs installed on the system, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **HasLanguagePack** Does this device have 2 or more language packs? -- **LanguagePackCount** How many language packs are installed? +- **HasLanguagePack** Indicates whether this device has 2 or more language packs. +- **LanguagePackCount** The number of language packs are installed. ### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove This event indicates that the InventoryLanguagePack object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -845,6 +738,8 @@ The following fields are available: This event indicates that a new set of InventoryLanguagePackAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -854,6 +749,8 @@ The following fields are available: This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. @@ -870,6 +767,8 @@ The following fields are available: This event indicates that the InventoryMediaCenter object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -879,6 +778,8 @@ The following fields are available: This event indicates that a new set of InventoryMediaCenterAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -888,6 +789,8 @@ The following fields are available: This event sends basic metadata about the BIOS to determine whether it has a compatibility block. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -899,7 +802,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove -This event indicates that the InventorySystemBios object is no longer present. +This event indicates that the InventorySystemBios object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -910,6 +815,8 @@ The following fields are available: This event indicates that a new set of InventorySystemBiosAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -919,6 +826,8 @@ The following fields are available: This event indicates that the InventoryUplevelDriverPackage object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -928,6 +837,8 @@ The following fields are available: This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -935,7 +846,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.RunContext -This event indicates what should be expected in the data payload. +This event indicates what should be expected in the data payload. The following fields are available: 
@@ -951,6 +862,8 @@ The following fields are available: This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. @@ -967,6 +880,8 @@ The following fields are available: This event that the SystemMemory object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -976,6 +891,8 @@ The following fields are available: This event indicates that a new set of SystemMemoryAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -985,6 +902,8 @@ The following fields are available: This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. @@ -994,7 +913,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove -This event indicates that the SystemProcessorCompareExchange object is no longer present. +This event indicates that the SystemProcessorCompareExchange object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
@@ -1005,6 +926,8 @@ The following fields are available: This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1014,6 +937,8 @@ The following fields are available: This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file generating the events. @@ -1023,7 +948,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove -This event indicates that the SystemProcessorLahfSahf object is no longer present. +This event indicates that the SystemProcessorLahfSahf object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -1034,6 +961,8 @@ The following fields are available: This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1043,6 +972,8 @@ The following fields are available: This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -1055,6 +986,8 @@ The following fields are available: This event indicates that the SystemProcessorNx object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1064,6 +997,8 @@ The following fields are available: This event indicates that a new set of SystemProcessorNxAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1071,7 +1006,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd -This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up-to-date. +This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -1084,6 +1021,8 @@ The following fields are available: This event indicates that the SystemProcessorPrefetchW object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1093,6 +1032,8 @@ The following fields are available: This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -1100,7 +1041,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add -This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up-to-date. +This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -1113,6 +1056,8 @@ The following fields are available: This event indicates that the SystemProcessorSse2 object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1122,6 +1067,8 @@ The following fields are available: This event indicates that a new set of SystemProcessorSse2Add events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1129,7 +1076,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemTouchAdd -This event sends data indicating whether the system supports touch, to help keep Windows up-to-date. +This event sends data indicating whether the system supports touch, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
@@ -1140,7 +1089,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemTouchRemove -This event indicates that the SystemTouch object is no longer present. +This event indicates that the SystemTouch object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -1151,6 +1102,8 @@ The following fields are available: This event indicates that a new set of SystemTouchAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1158,7 +1111,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemWimAdd -This event sends data indicating whether the operating system is running from a compressed WIM file, to help keep Windows up-to-date. +This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -1169,7 +1124,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemWimRemove -This event indicates that the SystemWim object is no longer present. +This event indicates that the SystemWim object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
@@ -1180,6 +1137,8 @@ The following fields are available: This event indicates that a new set of SystemWimAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1187,7 +1146,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd -This event sends data indicating whether the current operating system is activated, to help keep Windows up-to-date. +This event sends data indicating whether the current operating system is activated, to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -1200,6 +1161,8 @@ The following fields are available: This event indicates that the SystemWindowsActivationStatus object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1209,6 +1172,8 @@ The following fields are available: This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -1216,7 +1181,9 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.SystemWlanRemove -This event indicates that the SystemWlan object is no longer present. +This event indicates that the SystemWlan object is no longer present. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: @@ -1227,6 +1194,8 @@ The following fields are available: This event indicates that a new set of SystemWlanAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1234,7 +1203,7 @@ The following fields are available: ### Microsoft.Windows.Appraiser.General.TelemetryRunHealth -A summary event indicating the parameters and result of a telemetry run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up-to-date. +This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date. The following fields are available: 
@@ -1242,7 +1211,7 @@ The following fields are available:
 - **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run.
 - **AppraiserProcess** The name of the process that launched Appraiser.
 - **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
-- **AuxFinal** Obsolete, always set to false
+- **AuxFinal** Obsolete, always set to false.
 - **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
 - **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan.
 - **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
@@ -1269,14 +1238,16 @@ The following fields are available: This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. -- **BlockingApplication** Same as NeedsDismissAction +- **BlockingApplication** Same as NeedsDismissAction. - **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation. - **WmdrmApiResult** Raw value of the API used to gather DRM state. - **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs. -- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased +- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased. - **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed. - **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses. - **WmdrmPurchased** Indicates if the system has any files with permanent licenses. @@ -1286,6 +1257,8 @@ The following fields are available: This event indicates that the Wmdrm object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. 
@@ -1295,6 +1268,8 @@ The following fields are available: This event indicates that a new set of WmdrmAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **AppraiserVersion** The version of the Appraiser file that is generating the events. @@ -1304,10 +1279,18 @@ The following fields are available: ### Census.App -This event sends version data about the Apps running on this device, to help keep Windows up to date. +Provides information on IE and Census versions running on the device. The following fields are available: +- **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run. +- **AppraiserErrorCode** The error code of the last Appraiser run. +- **AppraiserRunEndTimeStamp** The end time of the last Appraiser run. +- **AppraiserRunIsInProgressOrCrashed** Flag that indicates if the Appraiser run is in progress or has crashed. +- **AppraiserRunStartTimeStamp** The start time of the last Appraiser run. +- **AppraiserTaskEnabled** Whether the Appraiser task is enabled. +- **AppraiserTaskExitCode** The Appraiser task exist code. +- **AppraiserTaskLastRun** The last runtime for the Appraiser task. - **CensusVersion** The version of Census that generated the current data for this device. - **IEVersion** Retrieves which version of Internet Explorer is running on this device. @@ -1341,6 +1324,7 @@ This event sends data about Azure presence, type, and cloud domain use in order The following fields are available: +- **AADDeviceId** Azure Active Directory device ID. - **AzureOSIDPresent** Represents the field used to identify an Azure machine. - **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs. - **CDJType** Represents the type of cloud domain joined for the machine. 
@@ -1374,7 +1358,7 @@ The following fields are available: ### Census.Flighting -This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up-to-date. +This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date. The following fields are available: @@ -1389,7 +1373,7 @@ The following fields are available: ### Census.Hardware -This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up-to-date. +This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date. The following fields are available: @@ -1397,6 +1381,7 @@ The following fields are available: - **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36. - **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields. - **D3DMaxFeatureLevel** Supported Direct3D version. +- **DeviceColor** Indicates a color of the device. - **DeviceForm** Indicates the form as per the device classification. - **DeviceName** The device name that is set by the user. - **DigitizerSupport** Is a digitizer supported? @@ -1425,7 +1410,6 @@ The following fields are available: - **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user. - **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0. - **VoiceSupported** Does the device have a cellular radio capable of making voice calls? -- **DeviceColor** Indicates a color of the device. ### Census.Memory 
@@ -1470,7 +1454,7 @@ The following fields are available:
 - **ActivationChannel** Retrieves the retail license key or Volume license key for a machine.
 - **AssignedAccessStatus** Kiosk configuration mode.
 - **CompactOS** Indicates if the Compact OS feature from Win10 is enabled.
-- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy.
+- **DeveloperUnlockStatus** Represents if a device has been developer unlocked by the user or Group Policy.
 - **DeviceTimeZone** The time zone that is set on the device. Example: Pacific Standard Time
 - **GenuineState** Retrieves the ID Value specifying the OS Genuine check.
 - **InstallationType** Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update).
@@ -1505,38 +1489,42 @@ The following fields are available: ### Census.Processor -This event sends data about the processor (architecture, speed, number of cores, manufacturer, and model number), to help keep Windows up to date. +Provides information on several important data points about Processor settings. The following fields are available: - **KvaShadow** Microcode info of the processor. - **MMSettingOverride** Microcode setting of the processor. - **MMSettingOverrideMask** Microcode setting override of the processor. -- **ProcessorArchitecture** Processor architecture of the installed operating system. +- **PreviousUpdateRevision** Previous microcode revision. +- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system. - **ProcessorClockSpeed** Clock speed of the processor in MHz. - **ProcessorCores** Number of logical cores in the processor. - **ProcessorIdentifier** Processor Identifier of a manufacturer. - **ProcessorManufacturer** Name of the processor manufacturer. - **ProcessorModel** Name of the processor model. - **ProcessorPhysicalCores** Number of physical cores in the processor. -- **ProcessorUpdateRevision** Microcode revision. -- **ProcessorUpdateStatus** The status of the microcode update. +- **ProcessorUpdateRevision** Microcode revision +- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status. - **SocketCount** Count of CPU sockets. - **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability. ### Census.Security -This event provides information on about security settings used to help keep Windows up-to-date and secure. +This event provides information on about security settings used to help keep Windows up to date and secure. 
The following fields are available: -- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard +- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard. - **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running. -- **DGState** This field summarizes Device Guard state -- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running -- **RequiredSecurityProperties** This field describes the required security properties to enable virtualization-based security +- **DGState** This field summarizes the Device Guard state. +- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running. +- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest. +- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host. +- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security. - **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting. 
+- **SModeState** The Windows S mode trail state. - **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running. @@ -1568,6 +1556,16 @@ The following fields are available: - **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB. +### Census.Userdefault + +This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date. + +The following fields are available: + +- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf. +- **DefaultBrowserProgId** The ProgramId of the current user's default browser. + + ### Census.UserDisplay This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date. 
@@ -1602,16 +1600,6 @@ The following fields are available: - **SpeechInputLanguages** The Speech Input languages installed on the device. -### Census.Userdefault - -This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date. - -The following fields are available: - -- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html,.htm,.jpg,.jpeg,.png,.mp3,.mp4, .mov,.pdf -- **DefaultBrowserProgId** The ProgramId of the current user's default browser - - ### Census.VM This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date. @@ -1650,11 +1638,11 @@ The following fields are available: - **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device. - **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently. - **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS). -- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates -- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades +- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates. +- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades. - **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network. - **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier. -- **WUPauseState** Retrieves WU setting to determine if updates are paused +- **WUPauseState** Retrieves WU setting to determine if updates are paused. - **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default). 
@@ -1666,102 +1654,279 @@ The following fields are available: - **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console. - **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console. -- **XboxLiveDeviceId** Retrieves the unique device id of the console. -- **XboxLiveSandboxId** Retrieves the developer sandbox id if the device is internal to MS. +- **XboxLiveDeviceId** Retrieves the unique device ID of the console. +- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft. -## Deployment events +## Common data extensions -### DeploymentTelemetry.Deployment_End +### Common Data Extensions.app -Event to indicate that a Deployment 360 API has completed. +Describes the properties of the running application. This extension could be populated by a client app or a web app. The following fields are available: -- **ClientId** Client ID of user utilizing the D360 API -- **ErrorCode** Error code of action -- **FlightId** Flight being used -- **Mode** Phase in upgrade -- **RelatedCV** CV of any other related events -- **Result** End result of action +- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session. +- **env** The environment from which the event was logged. +- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event. +- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application. +- **locale** The locale of the app. +- **name** The name of the app. +- **userId** The userID as known by the application. +- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app. 
+ + +### Common Data Extensions.container + +Describes the properties of the container for events logged within a container. + +The following fields are available: + +- **epoch** An ID that's incremented for each SDK initialization. +- **localId** The device ID as known by the client. +- **osVer** The operating system version. +- **seq** An ID that's incremented for each event. +- **type** The container type. Examples: Process or VMHost + + +### Common Data Extensions.cs + +Describes properties related to the schema of the event. + +The following fields are available: + +- **sig** A common schema signature that identifies new and modified event schemas. + + +### Common Data Extensions.device + +Describes the device-related fields. + +The following fields are available: + +- **deviceClass** The device classification. For example, Desktop, Server, or Mobile. +- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId +- **make** Device manufacturer. +- **model** Device model. + + +### Common Data Extensions.Envelope + +Represents an envelope that contains all of the common data extensions. + +The following fields are available: + +- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries. +- **data** Represents the optional unique diagnostic data for a particular event schema. +- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp). +- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer). +- **ext_cs** Describes properties related to the schema of the event. 
See [Common Data Extensions.cs](#common-data-extensionscs). +- **ext_device** Describes the device-related fields. See [Common Data Extensions.device](#common-data-extensionsdevice). +- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos). +- **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts). +- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk). +- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser). +- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc). +- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl). +- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency. +- **iKey** Represents an ID for applications or other logical groupings of events. +- **name** Represents the uniquely qualified name for the event. +- **popSample** Represents the effective sample rate for this event at the time it was generated by a client. +- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.os + +Describes some properties of the operating system. + +The following fields are available: + +- **bootId** An integer value that represents the boot session. 
This value starts at 0 on first boot after OS install and increments after every reboot. +- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema. +- **locale** Represents the locale of the operating system. +- **name** Represents the operating system name. +- **ver** Represents the major and minor version of the extension. + + +### Common Data Extensions.receipts + +Represents various time information as provided by the client and helps for debugging purposes. + +The following fields are available: + +- **originalTime** The original event time. +- **uploadTime** The time the event was uploaded. + + +### Common Data Extensions.sdk + +Used by platform specific libraries to record fields that are required for a specific SDK. + +The following fields are available: + +- **epoch** An ID that is incremented for each SDK initialization. +- **installId** An ID that's created during the initialization of the SDK for the first time. +- **libVer** The SDK version. +- **seq** An ID that is incremented for each event. + + +### Common Data Extensions.user + +Describes the fields related to a user. + +The following fields are available: + +- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token. +- **locale** The language and region. +- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID. + + +### Common Data Extensions.utc + +Describes the properties that could be populated by a logging library on Windows. + +The following fields are available: + +- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW. 
+- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number +- **cat** Represents a bitmask of the ETW Keywords associated with the event. +- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer. +- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **flags** Represents the bitmap that captures various Windows specific flags. +- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence +- **op** Represents the ETW Op Code. +- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW. +- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server. +- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID. + + +### Common Data Extensions.xbl + +Describes the fields that are related to XBOX Live. + +The following fields are available: + +- **claims** Any additional claims whose short claim name hasn't been added to this structure. +- **did** XBOX device ID +- **dty** XBOX device type +- **dvr** The version of the operating system on the device. +- **eid** A unique ID that represents the developer entity. +- **exp** Expiration time +- **ip** The IP address of the client device. +- **nbf** Not before time +- **pid** A comma separated list of PUIDs listed as base10 numbers. +- **sbx** XBOX sandbox identifier +- **sid** The service instance ID. 
+- **sty** The service type. +- **tid** The XBOX Live title ID. +- **tvr** The XBOX Live title version. +- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts. +- **xid** A list of base10-encoded XBOX User IDs. + + +## Common data fields + +### Ms.Device.DeviceInventoryChange + +Describes the installation state for all hardware and software components available on a particular device. + +The following fields are available: + +- **action** The change that was invoked on a device inventory object. +- **inventoryId** Device ID used for Compatibility testing +- **objectInstanceId** Object identity which is unique within the device scope. +- **objectType** Indicates the object type that the event applies to. +- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object. + + +## Compatibility events + +### Microsoft.Windows.Compatibility.Apphelp.SdbFix + +Product instrumentation for helping debug/troubleshoot issues with inbox compatibility components. + +The following fields are available: + +- **AppName** Name of the application impacted by SDB. +- **FixID** SDB GUID. +- **Flags** List of flags applied. +- **ImageName** Name of file. + + +## Deployment extensions + +### DeploymentTelemetry.Deployment_End + +This event indicates that a Deployment 360 API has completed. + +The following fields are available: + +- **ClientId** Client ID of the user utilizing the D360 API. +- **ErrorCode** Error code of action. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Mode** Phase in upgrade. +- **RelatedCV** The correction vector (CV) of any other related events +- **Result** End result of the action. 
### DeploymentTelemetry.Deployment_Initialize -Event to indicate that the Deployment 360 APIs have been initialized for use. +This event indicates that the Deployment 360 APIs have been initialized for use. The following fields are available: -- **ClientId** Client ID of user utilizing the D360 API -- **ErrorCode** Error code of action -- **FlightId** Flight being used -- **RelatedCV** CV of any other related events -- **Result** Phase Setup is in +- **ClientId** Client ID of user utilizing the D360 API. +- **ErrorCode** Error code of the action. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **RelatedCV** The correlation vector of any other related events. +- **Result** End result of the action. ### DeploymentTelemetry.Deployment_SetupBoxLaunch -Event to indicate that the Deployment 360 APIs have launched Setup Box. +This event indicates that the Deployment 360 APIs have launched Setup Box. The following fields are available: -- **ClientId** Client ID of user utilizing the D360 API -- **FlightId** Flight being used -- **Quiet** Whether Setup will run in quiet mode or in full -- **RelatedCV** CV of any other related events -- **SetupMode** Phase Setup is in +- **ClientId** The client ID of the user utilizing the D360 API. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Quiet** Whether Setup will run in quiet mode or full mode. +- **RelatedCV** The correlation vector (CV) of any other related events. +- **SetupMode** The current setup phase. ### DeploymentTelemetry.Deployment_SetupBoxResult -Event to indicate that the Deployment 360 APIs have received a return from Setup Box. +This event indicates that the Deployment 360 APIs have received a return from Setup Box. 
The following fields are available: -- **ClientId** Client ID of user utilizing the D360 API -- **ErrorCode** Error code of action -- **FlightId** Flight being used -- **Quiet** Whether Setup will run in quiet mode or in full -- **RelatedCV** Correlation vector of any other related events -- **SetupMode** Phase that Setup is in +- **ClientId** Client ID of the user utilizing the D360 API. +- **ErrorCode** Error code of the action. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Quiet** Indicates whether Setup will run in quiet mode or full mode. +- **RelatedCV** The correlation vector (CV) of any other related events. +- **SetupMode** The current Setup phase. ### DeploymentTelemetry.Deployment_Start -Event to indicate that a Deployment 360 API has been called. +This event indicates that a Deployment 360 API has been called. The following fields are available: -- **ClientId** Client ID of user utilizing the D360 API -- **FlightId** Flight being used -- **Mode** Phase in upgrade -- **RelatedCV** CV of any other related events +- **ClientId** Client ID of the user utilizing the D360 API. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **Mode** The current phase of the upgrade. +- **RelatedCV** The correlation vector (CV) of any other related events. ## Diagnostic data events -### TelClientSynthetic.AuthorizationInfo_RuntimeTransition - -Fired by UTC at state transitions to signal what data we are allowed to collect. - -The following fields are available: - -- **CanAddMsaToMsTelemetry** True if we can add MSA PUID and CID to telemetry, false otherwise. -- **CanCollectAnyTelemetry** True if we are allowed to collect partner telemetry, false otherwise. -- **CanCollectCoreTelemetry** True if we can collect CORE/Basic telemetry, false otherwise. -- **CanCollectHeartbeats** True if we can collect heartbeat telemetry, false otherwise. 
-- **CanCollectOsTelemetry** True if we can collect diagnostic data telemetry, false otherwise. -- **CanCollectWindowsAnalyticsEvents** True if we can collect Windows Analytics data, false otherwise. -- **CanPerformDiagnosticEscalations** True if we can perform diagnostic escalation collection, false otherwise. -- **CanPerformTraceEscalations** True if we can perform trace escalation collection, false otherwise. -- **CanReportScenarios** True if we can report scenario completions, false otherwise. -- **PreviousPermissions** Bitmask of previous telemetry state. -- **TransitionFromEverythingOff** True if we are transitioning from all telemetry being disabled, false otherwise. - - ### TelClientSynthetic.AuthorizationInfo_Startup -Fired by UTC at startup to signal what data we are allowed to collect. +This event sends data indicating that a device has undergone a change of telemetry opt-in level detected at UTC startup, to help keep Windows up to date. The telemetry opt-in level signals what data we are allowed to collect. The following fields are available: 
@@ -1780,18 +1945,18 @@ The following fields are available: ### TelClientSynthetic.HeartBeat_5 -Fired by UTC as a heartbeat signal. +This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device. The following fields are available: - **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel. -- **CensusExitCode** Last exit code of Census task. +- **CensusExitCode** The last exit code of the Census task. - **CensusStartTime** Time of last Census run. - **CensusTaskEnabled** True if Census is enabled, false otherwise. - **CompressedBytesUploaded** Number of compressed bytes uploaded. - **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client. - **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalDataThrottleDroppedCount** Number of critical data sampled events dropped due to�throttling. +- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling. - **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. - **DbCriticalDroppedCount** Total number of dropped critical events in event DB. - **DbDroppedCount** Number of events dropped due to DB fullness. 
@@ -1802,6 +1967,9 @@ The following fields are available:
 - **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session.
 - **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client.
 - **EventsPersistedCount** Number of events that reached the PersistEvent stage.
+- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC.
+- **EventStoreResetCounter** Number of times event DB was reset.
+- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance.
 - **EventSubStoreResetCounter** Number of times event DB was reset.
 - **EventSubStoreResetSizeSum** Total size of event DB across all resets reports in this instance.
 - **EventsUploaded** Number of events uploaded.
@@ -1812,41 +1980,38 @@ The following fields are available: - **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel. - **LastEventSizeOffender** Event name of last event which exceeded max event size. - **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. -- **MaxActiveAgentConnectionCount** Maximum number of active agents during this heartbeat timeframe. +- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe. - **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC. - **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events). - **SettingsHttpAttempts** Number of attempts to contact OneSettings service. -- **SettingsHttpFailures** Number of failures from contacting OneSettings service. +- **SettingsHttpFailures** The number of failures from contacting the OneSettings service. - **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers. - **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. -- **VortexFailuresTimeout** Number of time out failures received from Vortex. +- **VortexFailuresTimeout** The number of timeout failures received from Vortex. - **VortexHttpAttempts** Number of attempts to contact Vortex. - **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex. - **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex. - **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400. - **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. -- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC. -- **EventStoreResetCounter** Number of times event DB was reset. -- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance. 
### TelClientSynthetic.HeartBeat_Aria_5 -Telemetry client ARIA heartbeat event. +This event is the telemetry client ARIA heartbeat. The following fields are available: - **CompressedBytesUploaded** Number of compressed bytes uploaded. - **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer. -- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB. -- **DbCriticalDroppedCount** Total number of dropped critical events in event DB. -- **DbDroppedCount** Number of events dropped at the DB layer. -- **DbDroppedFailureCount** Number of events dropped due to DB failures. -- **DbDroppedFullCount** Number of events dropped due to DB fullness. +- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database. +- **DbCriticalDroppedCount** Total number of dropped critical events in event database. +- **DbDroppedCount** Number of events dropped at the database layer. +- **DbDroppedFailureCount** Number of events dropped due to database failures. +- **DbDroppedFullCount** Number of events dropped due to database being full. - **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated. - **EventsPersistedCount** Number of events that reached the PersistEvent stage. -- **EventSubStoreResetCounter** Number of times event DB was reset. -- **EventSubStoreResetSizeSum** Total size of event DB across all resets reports in this instance. +- **EventSubStoreResetCounter** Number of times event database was reset. +- **EventSubStoreResetSizeSum** Total size of event database across all resets reports in this instance. - **EventsUploaded** Number of events uploaded. - **HeartBeatSequenceNumber** The sequence number of this heartbeat. - **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex. 
@@ -1854,7 +2019,7 @@ The following fields are available: - **LastInvalidHttpCode** Last invalid HTTP code received from Vortex. - **PreviousHeartBeatTime** The FILETIME of the previous heartbeat fire. - **SettingsHttpAttempts** Number of attempts to contact OneSettings service. -- **SettingsHttpFailures** Number of failures from contacting OneSettings service. +- **SettingsHttpFailures** Number of failures from contacting OneSettings service. - **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client. - **VortexFailuresTimeout** Number of time out failures received from Vortex. - **VortexHttpAttempts** Number of attempts to contact Vortex. @@ -1864,21 +2029,11 @@ The following fields are available: - **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event. -### TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate - -This event sends basic data on privacy settings before and after a feature update. This is used to ensure that customer privacy settings are correctly migrated across feature updates. - -The following fields are available: - -- **PostUpgradeSettings** The privacy settings after a feature update. -- **PreUpgradeSettings** The privacy settings before a feature update. - - ## Direct to update events ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicability -Event to indicate that the Coordinator CheckApplicability call succeeded. +This event indicates that the Coordinator CheckApplicability call succeeded. The following fields are available: 
@@ -1891,11 +2046,36 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure -Event to indicate that we have received an unexpected error in the DTU Coordinators CheckApplicability call. +This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call. The following fields are available: +- **CampaignID** ID of the campaign being run. +- **ClientID** ID of the client receiving the update. +- **CoordinatorVersion** Coordinator version of Direct to Update. +- **CV** Correlation vector. - **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure + +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call. + +The following fields are available: + +- **CampaignID** Campaign ID being run. +- **ClientID** Client ID being run. +- **CoordinatorVersion** Coordinator version of DTU. +- **CV** Correlation vector. +- **hResult** HRESULT of the failure. + + +### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupSuccess + +This event indicates that the Coordinator Cleanup call succeeded. + +The following fields are available: + - **CampaignID** Campaign ID being run. - **ClientID** Client ID being run. - **CoordinatorVersion** Coordinator version of DTU. 
@@ -1904,20 +2084,20 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure -Commit call. +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call. The following fields are available: -- **hResult** HRESULT of the failure. - **CampaignID** Campaign ID being run. - **ClientID** Client ID being run. - **CoordinatorVersion** Coordinator version of DTU. - **CV** Correlation vector. +- **hResult** HRESULT of the failure. ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess -Event to indicate that the Coordinator Commit call succeeded. +This event indicates that the Coordinator Commit call succeeded. The following fields are available: @@ -1929,7 +2109,7 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure -Event to indicate that we have received an unexpected error in the DTU Coordinator Download call. +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call. The following fields are available: @@ -1942,7 +2122,7 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure -Event to indicate that we have received an error in the DTU Coordinator Download call that will be ignored. +This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that will be ignored. The following fields are available: @@ -1955,7 +2135,7 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess -Event to indicate that the Coordinator Download call succeeded. +This event indicates that the Coordinator Download call succeeded. The following fields are available: 
@@ -1967,7 +2147,7 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownGenericFailure -Event to indicate that we have received an unexpected error in the DTU Coordinator HandleShutdown call. +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator HandleShutdown call. The following fields are available: @@ -1980,7 +2160,7 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess -Event to indicate that the Coordinator HandleShutdown call succeeded. +This event indicates that the Coordinator HandleShutdown call succeeded. The following fields are available: @@ -1992,20 +2172,20 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure -Event to indicate that we have received an unexpected error in the DTU Coordinator Initialize call. +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize call. The following fields are available: -- **hResult** HRESULT of the failure. - **CampaignID** Campaign ID being run. - **ClientID** Client ID being run. - **CoordinatorVersion** Coordinator version of DTU. - **CV** Correlation vector. +- **hResult** HRESULT of the failure. ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess -Event to indicate that the Coordinator Initialize call succeeded. +This event indicates that the Coordinator Initialize call succeeded. The following fields are available: @@ -2017,7 +2197,7 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure -Event to indicate that we have received an unexpected error in the DTU Coordinator Install call. +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install call. The following fields are available: 
@@ -2030,7 +2210,7 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure -Event to indicate that we have received an error in the DTU Coordinator Install call that will be ignored. +This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored. The following fields are available: @@ -2043,7 +2223,7 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess -Event to indicate that the Coordinator Install call succeeded. +This event indicates that the Coordinator Install call succeeded. The following fields are available: @@ -2055,21 +2235,20 @@ The following fields are available: ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack -Event to indicate Coordinator's progress callback has been called. +This event indicates that the Coordinator's progress callback has been called. The following fields are available: -- **Current Deploy Phase's percentage completed** Trigger which fired UXLauncher. -- **DeployPhase** Current Deploy Phase. - **CampaignID** Campaign ID being run. - **ClientID** Client ID being run. - **CoordinatorVersion** Coordinator version of DTU. - **CV** Correlation vector. +- **DeployPhase** Current Deploy Phase. ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadyGenericFailure -Event to indicate that we have received an unexpected error in the DTU Coordinator SetCommitReady call. +This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator SetCommitReady call. The following fields are available: 
@@ -2082,19 +2261,19 @@ The following fields are available:
 ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess
-Event to indicate that the Coordinator SetCommitReady call succeeded.
+This event indicates that the Coordinator SetCommitReady call succeeded.
 The following fields are available:
-- **CampaignID** Campaign ID being run.
-- **ClientID** Client ID being run.
-- **CoordinatorVersion** Coordinator version of DTU.
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
 - **CV** Correlation vector.
 ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiGenericFailure
-Event to indicate that we have received an unexpected error in the DTU Coordinator WaitForRebootUi call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator WaitForRebootUi call.
 The following fields are available:
@@ -2107,99 +2286,99 @@ The following fields are available:
 ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown
-Event to indicate that the Coordinator WaitForRebootUi call succeeded.
+This event indicates that the Coordinator WaitForRebootUi call succeeded.
 The following fields are available:
-- **CampaignID** Campaign ID being run
-- **ClientID** Client ID being run
-- **CoordinatorVersion** Coordinator version of DTU
-- **CV** Correlation vector
-- **hResult** HRESULT of the failure
+- **CampaignID** Campaign ID being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
 ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection
-Event to indicate the user selected an option on the Reboot UI.
+This event indicates that the user selected an option on the Reboot UI.
 The following fields are available:
-- **CampaignID** Campaign ID being run
-- **ClientID** Client ID being run
-- **CoordinatorVersion** Coordinator version of DTU
-- **CV** Correlation vector
-- **rebootUiSelection** Selection on the Reboot UI
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **rebootUiSelection** Selection on the Reboot UI.
 ### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess
-Event to indicate that the Coordinator WaitForRebootUi call succeeded.
+This event indicates that the Coordinator WaitForRebootUi call succeeded.
 The following fields are available:
-- **CampaignID** Campaign ID being run
-- **ClientID** Client ID being run
-- **CoordinatorVersion** Coordinator version of DTU
-- **CV** Correlation vector
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
 ### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityGenericFailure
-Event to indicate that we have received an unexpected error in the DTU Handler CheckApplicability call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicability call.
 The following fields are available:
-- **hResult** HRESULT of the failure
 - **CampaignID** Campaign ID being run
 - **ClientID** Client ID being run
 - **CoordinatorVersion** Coordinator version of DTU
 - **CV** Correlation vector
 - **CV_new** New correlation vector
+- **hResult** HRESULT of the failure
 ### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure
-Event to indicate that we have received an unexpected error in the DTU Handler CheckApplicabilityInternal call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call.
 The following fields are available:
-- **CampaignID** Campaign ID being run
-- **ClientID** Client ID being run
-- **CoordinatorVersion** Coordinator version of DTU
-- **CV** Correlation vector
-- **hResult** HRESULT of the failure
+- **CampaignID** ID of the campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
 ### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess
-Event to indicate that the Handler CheckApplicabilityInternal call succeeded.
+This event indicates that the Handler CheckApplicabilityInternal call succeeded.
 The following fields are available:
-- **ApplicabilityResult** Result of CheckApplicability function
-- **CampaignID** Campaign ID being run
-- **ClientID** Client ID being run
-- **CoordinatorVersion** Coordinator version of DTU
-- **CV** Correlation vector
+- **ApplicabilityResult** The result of the applicability check.
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
 ### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess
-Event to indicate that the Handler CheckApplicability call succeeded.
+This event indicates that the Handler CheckApplicability call succeeded.
 The following fields are available:
-- **ApplicabilityResult** Result of CheckApplicability function
-- **CampaignID** Campaign ID being run
-- **ClientID** Client ID being run
-- **CoordinatorVersion** Coordinator version of DTU
-- **CV** Correlation vector
-- **CV_new** New correlation vector
+- **ApplicabilityResult** The result code indicating whether the update is applicable.
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **CV_new** New correlation vector.
 ### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionGenericFailure
-Event to indicate that we have received an unexpected error in the DTU Handler CheckIfCoordinatorMinApplicableVersion call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckIfCoordinatorMinApplicableVersion call.
 The following fields are available:
@@ -2212,47 +2391,47 @@ The following fields are available:
 ### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess
-Event to indicate that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded.
+This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded.
 The following fields are available:
-- **CampaignID** Campaign ID being run
-- **CheckIfCoordinatorMinApplicableVersionResult** Result of CheckIfCoordinatorMinApplicableVersion function
-- **ClientID** Client ID being run
-- **CoordinatorVersion** Coordinator version of DTU
-- **CV** Correlation vector
+- **CampaignID** ID of the update campaign being run.
+- **CheckIfCoordinatorMinApplicableVersionResult** Result of CheckIfCoordinatorMinApplicableVersion function.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
 ### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure
-Event to indicate that we have received an unexpected error in the DTU Handler Commit call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call.
 The following fields are available:
-- **CampaignID** Campaign ID being run
-- **ClientID** Client ID being run
-- **CoordinatorVersion** Coordinator version of DTU
-- **CV** Correlation vector
-- **CV_new** New correlation vector
-- **hResult** HRESULT of the failure
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **CV_new** New correlation vector.
+- **hResult** HRESULT of the failure.
 ### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess
-Event to indicate that the Handler Commit call succeeded.
+This event indicates that the Handler Commit call succeeded.
 The following fields are available:
-- **CampaignID** Campaign ID being run
-- **ClientID** Client ID being run
-- **CoordinatorVersion** Coordinator version of DTU
-- **CV** Correlation vector
-- **CV_new** New correlation vector
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **CV_new** New correlation vector.
 ### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabAlreadyDownloaded
-Event to indicate that the Handler Download and Extract cab returned a value indicating that the cab trying to be downloaded has already been downloaded.
+This event indicates that the Handler Download and Extract cab returned a value indicating that the cab has already been downloaded.
 The following fields are available:
@@ -2264,199 +2443,215 @@ The following fields are available:
 ### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure
-Event to indicate that the Handler Download and Extract cab call failed.
+This event indicates that the Handler Download and Extract cab call failed.
 The following fields are available:
-- **CampaignID** Campaign ID being run
-- **ClientID** Client ID being run
-- **CoordinatorVersion** Coordinator version of DTU
-- **CV** Correlation vector
-- **DownloadAndExtractCabFunction_failureReason** Reason why the DownloadAndExtractCab function failed
-- **hResult** HRESULT of the failure
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **DownloadAndExtractCabFunction_failureReason** Reason why the update download and extract process failed.
+- **hResult** HRESULT of the failure.
 ### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess
-Event to indicate that the Handler Download and Extract cab call succeeded.
+This event indicates that the Handler Download and Extract cab call succeeded.
 The following fields are available:
-- **CampaignID** Campaign ID being run
-- **ClientID** Client ID being run
-- **CoordinatorVersion** Coordinator version of DTU
-- **CV** Correlation vector
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
 ### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure
-Event to indicate that we have received an unexpected error in the DTU Handler Download call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call.
 The following fields are available:
-- **CampaignID** Campaign ID being run
-- **ClientID** Client ID being run
-- **CoordinatorVersion** Coordinator version of DTU
-- **CV** Correlation vector
-- **hResult** HRESULT of the failure
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
 ### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess
-Event to indicate that the Handler Download call succeeded.
+This event indicates that the Handler Download call succeeded.
 The following fields are available:
-- **CampaignID** Campaign ID being run
-- **ClientID** Client ID being run
-- **CoordinatorVersion** Coordinator version of DTU
-- **CV** Correlation vector
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
 ### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure
-Event to indicate that we have received an unexpected error in the DTU Handler Initialize call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call.
 The following fields are available:
-- **CampaignID** Campaign ID being run
-- **ClientID** Client ID being run
-- **CoordinatorVersion** Coordinator version of DTU
-- **CV** Correlation vector
-- **DownloadAndExtractCabFunction_hResult** HRESULT of the DownloadAndExtractCab function
-- **hResult** HRESULT of the failure
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extract.
+- **hResult** HRESULT of the failure.
 ### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess
-Event to indicate that the Handler Initialize call succeeded.
+This event indicates that the Handler Initialize call succeeded.
 The following fields are available:
-- **CampaignID** Campaign ID being run
-- **ClientID** Client ID being run
-- **CoordinatorVersion** Coordinator version of DTU
-- **CV** Correlation vector
-- **DownloadAndExtractCabFunction_hResult** HRESULT of the DownloadAndExtractCab function
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extraction.
 ### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure
-Event to indicate that we have received an unexpected error in the DTU Handler Install call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call.
 The following fields are available:
-- **CampaignID** Campaign ID being run
-- **ClientID** Client ID being run
-- **CoordinatorVersion** Coordinator version of DTU
-- **CV** Correlation vector
-- **hResult** HRESULT of the failure
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
 ### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess
-Event to indicate that the Coordinator Install call succeeded.
+This event indicates that the Coordinator Install call succeeded.
 The following fields are available:
-- **CampaignID** Campaign ID being run
-- **ClientID** Client ID being run
-- **CoordinatorVersion** Coordinator version of DTU
-- **CV** Correlation vector
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
 ### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadyGenericFailure
-Event to indicate that we have received an unexpected error in the DTU Handler SetCommitReady call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler SetCommitReady call.
 The following fields are available:
-- **hResult** HRESULT of the failure
 - **CampaignID** Campaign ID being run
 - **ClientID** Client ID being run
 - **CoordinatorVersion** Coordinator version of DTU
 - **CV** Correlation vector
+- **hResult** HRESULT of the failure
 ### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess
-Event to indicate that the Handler SetCommitReady call succeeded.
+This event indicates that the Handler SetCommitReady call succeeded.
 The following fields are available:
-- **CampaignID** Campaign ID being run
-- **ClientID** Client ID being run
-- **CoordinatorVersion** Coordinator version of DTU
-- **CV** Correlation vector
+- **CampaignID** ID of the campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
 ### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure
-Event to indicate that we have received an unexpected error in the DTU Handler WaitForRebootUi call.
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call.
 The following fields are available:
-- **hResult** HRESULT of the failure
-- **CampaignID** Campaign ID being run
-- **ClientID** Client ID being run
-- **CoordinatorVersion** Coordinator version of DTU
-- **CV** Correlation vector
+- **CampaignID** The ID of the campaigning being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **hResult** The HRESULT of the failure.
 ### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess
-Event to indicate that the Handler WaitForRebootUi call succeeded.
+This event indicates that the Handler WaitForRebootUi call succeeded.
 The following fields are available:
-- **CampaignID** Campaign ID being run
-- **ClientID** Client ID being run
-- **CoordinatorVersion** Coordinator version of DTU
-- **CV** Correlation vector
+- **CampaignID** ID of the campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
 ## Feature update events
 ### Microsoft.Windows.Upgrade.Uninstall.UninstallFailed
-This event sends diagnostic data about failures when uninstalling a feature update, to help resolve any issues preventing customers from reverting to a known state
+This event sends diagnostic data about failures when uninstalling a feature update, to help resolve any issues preventing customers from reverting to a known state.
 The following fields are available:
-- **failureReason** Provides data about the uninstall initialization operation failure
-- **hr** Provides the Win32 error code for the operation failure
+- **failureReason** Provides data about the uninstall initialization operation failure.
+- **hr** Provides the Win32 error code for the operation failure.
 ### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered
-Indicates that the uninstall was properly configured and that a system reboot was initiated
+This event indicates that the uninstall was properly configured and that a system reboot was initiated.
 ### Microsoft.Windows.Upgrade.Uninstall.UninstallGoBackButtonClicked
-This event sends basic metadata about the starting point of uninstalling a feature update which helps us ensure customers can safely revert to a well-known state if the update caused any problems.
+This event sends basic metadata about the starting point of uninstalling a feature update, which helps ensure customers can safely revert to a well-known state if the update caused any problems.
+
 ## Inventory events
 ### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
-This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object.
+This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object.
 The following fields are available:
-- **DriverPackageExtended** A count of driverpackageextended objects in cache
-- **FileSigningInfo** A count of file signing objects in cache
-- **InventoryApplication** A count of application objects in cache
-- **InventoryApplicationFile** A count of application file objects in cache
-- **InventoryDeviceContainer** A count of device container objects in cache
-- **InventoryDeviceInterface** A count of PNP device interface objects in cache
-- **InventoryDeviceMediaClass** A count of device media objects in cache
-- **InventoryDevicePnp** A count of devicepnp objects in cache
+- **DeviceCensus** A count of devicecensus objects in cache.
+- **DriverPackageExtended** A count of driverpackageextended objects in cache.
+- **FileSigningInfo** A count of file signing objects in cache.
+- **InventoryApplication** A count of application objects in cache.
+- **InventoryApplicationAppV** A count of application AppV objects in cache.
+- **InventoryApplicationDriver** A count of application driver objects in cache.
+- **InventoryApplicationFile** A count of application file objects in cache.
+- **InventoryApplicationFramework** A count of application framework objects in cache.
+- **InventoryApplicationShortcut** A count of application shortcut objects in cache.
+- **InventoryDeviceContainer** A count of device container objects in cache.
+- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache.
+- **InventoryDeviceMediaClass** A count of device media objects in cache.
+- **InventoryDevicePnp** A count of device Plug and Play objects in cache.
 - **InventoryDeviceUsbHubClass** A count of device usb objects in cache
-- **InventoryDriverBinary** A count of driver binary objects in cache
-- **InventoryDriverPackage** A count of device objects in cache
+- **InventoryDriverBinary** A count of driver binary objects in cache.
+- **InventoryDriverPackage** A count of device objects in cache.
+- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache.
+- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache.
+- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache.
+- **InventoryMiscellaneousOfficeIESettings** A count of office IE settings objects in cache.
+- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache.
+- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache.
+- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache.
+- **InventoryMiscellaneousOfficeVBA** A count of office VBA objects in cache.
+- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office VBA rule violations objects in cache.
+- **InventoryMiscellaneousUUPInfo** A count of UUP info objects in cache.
 ### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
@@ -2473,24 +2668,26 @@ The following fields are available:
 This event sends basic metadata about an application on the system to help keep Windows up to date.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
 - **HiddenArp** Indicates whether a program hides itself from showing up in ARP.
 - **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics).
 - **InstallDateArpLastModified** The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00
 - **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array.
-- **InstallDateMsi** The install date if the application was installed via MSI. Passed as an array.
+- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array.
 - **InventoryVersion** The version of the inventory file generating the events.
 - **Language** The language code of the program.
 - **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage.
 - **MsiProductCode** A GUID that describe the MSI Product.
-- **Name** The name of the application
+- **Name** The name of the application.
 - **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install.
 - **PackageFullName** The package full name for a Store application.
 - **ProgramInstanceId** A hash of the file IDs in an app.
 - **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field.
 - **RootDirPath** The path to the root directory where the program was installed.
-- **Source** How the program was installed (ARP, MSI, Appx, etc...)
+- **Source** How the program was installed (for example, ARP, MSI, Appx).
 - **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp.
 - **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen.
 - **Version** The version number of the program.
@@ -2498,28 +2695,34 @@ The following fields are available:
 ### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
-This event provides the basic metadata about the frameworks an application may depend on
+This event provides the basic metadata about the frameworks an application may depend on.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 The following fields are available:
-- **FileId** A hash that uniquely identifies a file
-- **Frameworks** The list of frameworks this file depends on
-- **InventoryVersion** The version of the inventory file generating the events
+- **FileId** A hash that uniquely identifies a file.
+- **Frameworks** The list of frameworks this file depends on.
+- **InventoryVersion** The version of the inventory file generating the events.
 ### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
-This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent
+This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 The following fields are available:
-- **InventoryVersion** The version of the inventory file generating the events
+- **InventoryVersion** The version of the inventory file generating the events.
 ### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
 This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
 - **InventoryVersion** The version of the inventory file generating the events.
@@ -2529,6 +2732,8 @@ The following fields are available:
 This event indicates that a new set of InventoryApplicationAdd events will be sent.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
 - **InventoryVersion** The version of the inventory file generating the events.
@@ -2536,7 +2741,9 @@ The following fields are available:
 ### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
-This event sends basic metadata about a device container (such as a monitor or printer as opposed to a PNP device) to help keep Windows up-to-date.
+This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 The following fields are available:
@@ -2550,7 +2757,7 @@ The following fields are available:
 - **IsNetworked** Is this a networked device?
 - **IsPaired** Does the device container require pairing?
 - **Manufacturer** The manufacturer name for the device container.
-- **ModelId** A model GUID.
+- **ModelId** A unique model ID.
 - **ModelName** The model name.
 - **ModelNumber** The model number for the device container.
 - **PrimaryCategory** The primary category for the device container.
@@ -2560,6 +2767,8 @@ The following fields are available:
 This event indicates that the InventoryDeviceContainer object is no longer present.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
 - **InventoryVersion** The version of the inventory file generating the events.
@@ -2569,6 +2778,8 @@ The following fields are available:
 This event indicates that a new set of InventoryDeviceContainerAdd events will be sent.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
 - **InventoryVersion** The version of the inventory file generating the events.
@@ -2578,6 +2789,8 @@ The following fields are available:
 This event retrieves information about what sensor interfaces are available on the device.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
 - **Accelerometer3D** Indicates if an Accelerator3D sensor is found.
@@ -2606,6 +2819,8 @@ The following fields are available:
 This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
 - **InventoryVersion** The version of the inventory file generating the events.
@@ -2613,7 +2828,9 @@ The following fields are available:
 ### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd
-This event sends additional metadata about a PNP device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload.
+This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 The following fields are available:
@@ -2626,6 +2843,8 @@ The following fields are available:
 This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
 - **InventoryVersion** The version of the inventory file generating the events.
@@ -2633,7 +2852,9 @@ The following fields are available:
 ### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
-This event represents the basic metadata about a PNP device and its associated driver
+This event represents the basic metadata about a plug and play (PNP) device and its associated driver.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
 The following fields are available:
@@ -2650,7 +2871,7 @@ The following fields are available:
 - **DriverVerDate** Name of the .sys image file (or wudfrd.sys if using user mode driver framework).
 - **DriverVerVersion** The immediate parent directory name in the Directory field of InventoryDriverPackage.
 - **Enumerator** The date of the driver loaded for the device.
-- **HWID** The version of the driver loaded for the device.
+- **HWID** The version of the driver loaded for the device.
 - **Inf** The bus that enumerated the device.
 - **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
 - **InventoryVersion** List of hardware ids for the device.
@@ -2672,6 +2893,8 @@ The following fields are available:
 This event indicates that the InventoryDevicePnpRemove object is no longer present.
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
 The following fields are available:
 - **InventoryVersion** The version of the inventory file generating the events.
@@ -2681,6 +2904,8 @@ The following fields are available: This event indicates that a new set of InventoryDevicePnpAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. 
@@ -2688,27 +2913,33 @@ The following fields are available: ### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd -This event sends basic metadata about the USB hubs on the device +This event sends basic metadata about the USB hubs on the device. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **InventoryVersion** The version of the inventory file generating the events -- **TotalUserConnectablePorts** Total number of connectable USB ports -- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports +- **InventoryVersion** The version of the inventory file generating the events. +- **TotalUserConnectablePorts** Total number of connectable USB ports. +- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports. ### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync -This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent +This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **InventoryVersion** The version of the inventory file generating the events +- **InventoryVersion** The version of the inventory file generating the events. ### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd -This event provides the basic metadata about driver binaries running on the system +This event provides the basic metadata about driver binaries running on the system. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
@@ -2727,7 +2958,7 @@ The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. - **Product** The product name that is included in the driver file. - **ProductVersion** The product version that is included in the driver file. -- **Service** The device service name +- **Service** The name of the service that is installed for the device. - **WdfVersion** The Windows Driver Framework version. @@ -2735,6 +2966,8 @@ The following fields are available: This event indicates that the InventoryDriverBinary object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. @@ -2744,6 +2977,8 @@ The following fields are available: This event indicates that a new set of InventoryDriverBinaryAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. @@ -2751,7 +2986,9 @@ The following fields are available: ### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd -This event sends basic metadata about drive packages installed on the system to help keep Windows up-to-date. +This event sends basic metadata about drive packages installed on the system to help keep Windows up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: 
@@ -2771,6 +3008,8 @@ The following fields are available: This event indicates that the InventoryDriverPackageRemove object is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. @@ -2780,6 +3019,8 @@ The following fields are available: This event indicates that a new set of InventoryDriverPackageAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **InventoryVersion** The version of the inventory file generating the events. 
@@ -2789,22 +3030,32 @@ The following fields are available: Provides data on the installed Office Add-ins +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: +- **AddinCLSID** The CLSID for the Office addin - **AddInCLSID** CLSID key for the office addin - **AddInId** Office addin ID +- **AddinType** The type of the Office addin. - **BinFileTimestamp** Timestamp of the Office addin - **BinFileVersion** Version of the Office addin - **Description** Office addin description - **FileId** FileId of the Office addin +- **FileSize** File size of the Office addin - **FriendlyName** Friendly name for office addin - **FullPath** Unexpanded path to the office addin +- **InventoryVersion** The version of the inventory binary generating the events. - **LoadBehavior** Uint32 that describes the load behavior - **LoadTime** Load time for the office addin - **OfficeApplication** The office application for this addin - **OfficeArchitecture** Architecture of the addin - **OfficeVersion** The office version for this addin - **OutlookCrashingAddin** Boolean that indicates if crashes have been found for this addin +- **ProductCompany** The name of the company associated with the Office addin +- **ProductName** The product name associated with the Office addin +- **ProductVersion** The version associated with the Office addin +- **ProgramId** The unique program identifier of the Office addin - **Provider** Name of the provider for this addin 
@@ -2812,20 +3063,59 @@ The following fields are available: Indicates that this particular data object represented by the objectInstanceId is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync This event indicates that a new sync is being generated for this object type. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd + +Provides data on the Office identifiers + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. +- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device +- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device +- **OMID** Identifier for the Office SQM Machine +- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit +- **OTenantId** Unique GUID representing the Microsoft O365 Tenant +- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000 +- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) + + +### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync + +Diagnostic event to indicate a new sync is being generated for this object type. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). 
+ +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd -This event includes the Office-related Internet Explorer features +Office-related Internet Explorer features + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: +- **InventoryVersion** The version of the inventory binary generating the events. - **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature. - **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files. - **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2) 
@@ -2847,62 +3137,55 @@ The following fields are available: Diagnostic event to indicate a new sync is being generated for this object type. - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd - -This event provides data on the Office identifiers +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device -- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device -- **OMID** Identifier for the Office SQM Machine -- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit -- **OTenantId** Unique GUID representing the Microsoft O365 Tenant -- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000 -- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows) - - -### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync - -Diagnostic event to indicate a new sync is being generated for this object type. - +- **InventoryVersion** The version of the inventory binary generating the events. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd This event provides insight data on the installed Office products +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **OfficeApplication** The name of the Office application. - **OfficeArchitecture** The bitness of the Office application. - **OfficeVersion** The version of the Office application. -- **Value** The insights collected about this entity. +- **Value** The insights collected about this entity. 
### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove Indicates that this particular data object represented by the objectInstanceId is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync This diagnostic event indicates that a new sync is being generated for this object type. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd -This event list all installed Office products +Describes Office Products installed + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: +- **InventoryVersion** The version of the inventory binary generating the events. - **OC2rApps** A GUID the describes the Office Click-To-Run apps -- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus -- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word +- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus +- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word - **OProductCodes** A GUID that describes the Office MSI products 
@@ -2910,16 +3193,24 @@ The following fields are available: Diagnostic event to indicate a new sync is being generated for this object type. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd This event describes various Office settings +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **BrowserFlags** Browser flags for Office-related products - **ExchangeProviderFlags** Provider policies for Office Exchange +- **InventoryVersion** The version of the inventory binary generating the events. - **SharedComputerLicensing** Office shared computer licensing policies @@ -2927,12 +3218,19 @@ The following fields are available: Diagnostic event to indicate a new sync is being generated for this object type. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **Design** Count of files with design issues found 
@@ -2962,12 +3260,16 @@ The following fields are available: Indicates that this particular data object represented by the objectInstanceId is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **Count** Count of total Microsoft Office VBA rule violations 
@@ -2977,24 +3279,35 @@ The following fields are available: Indicates that this particular data object represented by the objectInstanceId is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync This event indicates that a new sync is being generated for this object type. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync Diagnostic event to indicate a new sync is being generated for this object type. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + +The following fields are available: + +- **InventoryVersion** The version of the inventory binary generating the events. ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd Provides data on Unified Update Platform (UUP) products and what version they are at. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + The following fields are available: - **Identifier** UUP identifier @@ -3008,12 +3321,16 @@ The following fields are available: Indicates that this particular data object represented by the objectInstanceId is no longer present. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync Diagnostic event to indicate a new sync is being generated for this object type. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + ### Microsoft.Windows.Inventory.Indicators.Checksum 
@@ -3028,402 +3345,97 @@ The following fields are available: ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd -These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up-to-date. +These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date. + +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). The following fields are available: -- **IndicatorValue** The indicator value +- **IndicatorValue** The indicator value. ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). + ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent. +This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange). -## Microsoft Store events -### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation +## Kernel events -This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. +### IO + +This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup. The following fields are available: -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** Number of retry attempts before it was canceled. -- **BundleId** The Item Bundle ID. -- **CategoryId** The Item Category ID. -- **ClientAppId** The identity of the app that initiated this operation. 
-- **HResult** The result code of the last action performed before this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Was this requested by a user? -- **IsMandatory** Was this a mandatory update? -- **IsRemediation** Was this a remediation install? -- **IsRestore** Is this automatically restoring a previously acquired product? -- **IsUpdate** Flag indicating if this is an update. -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The product family name of the product being installed. -- **ProductId** The identity of the package or packages being installed. -- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled. -- **UserAttemptNumber** The total number of user attempts at installation before it was canceled. -- **WUContentId** The Windows Update content ID +- **BytesRead** The total number of bytes read from or read by the OS upon system startup. +- **BytesWritten** The total number of bytes written to or written by the OS upon system startup. -### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds +### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch -This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure. - - - -### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare - -This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure. - - - -### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation - -This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure. +OS information collected during Boot, used to evaluate the success of the upgrade process. 
The following fields are available: -- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed. -- **AttemptNumber** Total number of installation attempts. -- **BundleId** The identity of the Windows Insider build that is associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **IsBundle** Is this a bundle? -- **IsInteractive** Was this requested by a user? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this an automatic restore of a previously acquired product? -- **IsUpdate** Is this a product update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of all packages to be downloaded and installed. -- **PreviousHResult** The previous HResult code. -- **PreviousInstallState** Previous installation state before it was canceled. -- **ProductId** The name of the package or packages requested for installation. -- **RelatedCV** Correlation Vector of a previous performed action on this product. -- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled. -- **UserAttemptNumber** Total number of user attempts to install before it was canceled. -- **WUContentId** The Windows Update content ID +- **BootApplicationId** This field tells us what the OS Loader Application Identifier is. +- **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system. +- **BootSequence** The current Boot ID, used to correlate events related to a particular boot session. +- **BootStatusPolicy** Identifies the applicable Boot Status Policy. +- **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume"). +- **EventTimestamp** Seconds elapsed since an arbitrary time point. 
This can be used to identify the time difference in successive boot attempts being made. +- **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware. +- **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed. +- **FirmwareResetReasonPch** Reason for system reset provided by firmware. +- **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed. +- **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware. +- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io). +- **LastBootSucceeded** Flag indicating whether the last boot was successful. +- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful. +- **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb. +- **MaxBelow4GbFreeRange** This field describes the largest memory range available below 4Gb. +- **MeasuredLaunchPrepared** This field tells us if the OS launch was initiated using Measured/Secure Boot over DRTM (Dynamic Root of Trust for Measurement). +- **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.). +- **RecoveryEnabled** Indicates whether recovery is enabled. +- **SecureLaunchPrepared** This field indicates if DRTM was prepared during boot. +- **UserInputTime** The amount of time the loader application spent waiting for user input. -### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest +### Microsoft.Windows.Kernel.Power.OSStateChange -This event is sent after the app installations or updates. It's used to help keep Windows up-to-date and secure +This event indicates an OS state change. The following fields are available: -- **CatalogId** The Store Product ID of the app being installed. 
-- **HResult** HResult code of the action being performed. -- **IsBundle** Is this a bundle? -- **PackageFamilyName** The name of the package being installed. -- **ProductId** The Store Product ID of the product being installed. -- **SkuId** Specific edition of the item being installed. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense - -This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set. -- **AttemptNumber** The total number of attempts to acquire this product. -- **BundleId** The bundle ID -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** HResult code to show the result of the operation (success/failure). -- **IsBundle** Is this a bundle? -- **IsInteractive** Did the user initiate the installation? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this happening after a device restore? -- **IsUpdate** Is this an update? -- **ParentBundleId** The parent bundle ID (if it's part of a bundle). -- **PFN** Product Family Name of the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The number of attempts by the system to acquire this product. -- **UserAttemptNumber** The number of attempts by the user to acquire this product -- **WUContentId** The Windows Update content ID - - -### Microsoft.Windows.StoreAgent.Telemetry.EndDownload - -This event happens during the app update or installation when content is being downloaded at the end of the process to report success or failure. It's used to help keep Windows up-to-date and secure. 
- -The following fields are available: - -- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. -- **AttemptNumber** Number of retry attempts before it was canceled. -- **BundleId** The identity of the Windows Insider build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **DownloadSize** The total size of the download. -- **ExtendedHResult** Any extended HResult error codes. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this initiated by the user? -- **IsMandatory** Is this a mandatory installation? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this a restore of a previously acquired product? -- **IsUpdate** Is this an update? -- **ParentBundleId** The parent bundle ID (if it's part of a bundle). -- **PFN** The Product Family Name of the app being download. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The number of attempts by the system to download. -- **UserAttemptNumber** The number of attempts by the user to download. -- **WUContentId** The Windows Update content ID. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate - -This event happens when an app update requires an updated Framework package and the process starts to download it. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **HResult** The result code of the last action performed before this operation. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds - -This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure. 
- -The following fields are available: - -- **HResult** The result code of the last action performed before this operation. - - -### Microsoft.Windows.StoreAgent.Telemetry.EndInstall - -This event is sent after a product has been installed. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **ExtendedHResult** The extended HResult error code. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this an interactive installation? -- **IsMandatory** Is this a mandatory installation? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this automatically restoring a previously acquired product? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** Product Family Name of the product being installed. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID - - -### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates - -This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. 
-- **IsApplicability** Is this request to only check if there are any applicable packages to install? -- **IsInteractive** Is this user requested? -- **IsOnline** Is the request doing an online check? - - -### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages - -This event is sent after searching for update packages to install. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. -- **AttemptNumber** The total number of retry attempts before it was canceled. -- **BundleId** The identity of the build associated with this product. -- **CategoryId** The identity of the package or packages being installed. -- **ClientAppId** The identity of the app that initiated this operation. -- **HResult** The result code of the last action performed. -- **IsBundle** Is this a bundle? -- **IsInteractive** Is this user requested? -- **IsMandatory** Is this a mandatory update? -- **IsRemediation** Is this repairing a previous installation? -- **IsRestore** Is this restoring previously acquired content? -- **IsUpdate** Is this an update? -- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). -- **PFN** The name of the package or packages requested for install. -- **ProductId** The Store Product ID for the product being installed. -- **SystemAttemptNumber** The total number of system attempts. -- **UserAttemptNumber** The total number of user attempts. -- **WUContentId** The Windows Update content ID - - -### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData - -This event is sent between download and installation to see if there is app data that needs to be restored from the cloud. It's used to keep Windows up-to-date and secure. - -The following fields are available: - -- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed. 
-- **AttemptNumber** The total number of retry attempts before it was canceled.
-- **BundleId** The identity of the build associated with this product.
-- **CategoryId** The identity of the package or packages being installed.
-- **ClientAppId** The identity of the app that initiated this operation.
-- **HResult** The result code of the last action performed.
-- **IsBundle** Is this a bundle?
-- **IsInteractive** Is this user requested?
-- **IsMandatory** Is this a mandatory update?
-- **IsRemediation** Is this repairing a previous installation?
-- **IsRestore** Is this restoring previously acquired content?
-- **IsUpdate** Is this an update?
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **PFN** The name of the package or packages requested for install.
-- **ProductId** The Store Product ID for the product being installed.
-- **SystemAttemptNumber** The total number of system attempts.
-- **UserAttemptNumber** The total number of system attempts.
-- **WUContentId** The Windows Update content ID
-
-
-### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare
-
-This event happens after a scan for available app updates. It's used to help keep Windows up-to-date and secure.
-
-The following fields are available:
-
-- **HResult** The result code of the last action performed.
-
-
-### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete
-
-The FulfillmentComplete event is fired at the end of an app install or update. We use this to track the very end of the install/update process. StoreAgent events are needed to help keep Windows pre-installed 1st party apps up to date and secure, such as the mail and calendar apps. App update failure can be unique across devices and without this data from every device we will not be able to track the success/failure and fix any future vulnerabilities related to these built in Windows Apps.
-
-The following fields are available:
-
-- **CatalogId** The CatalogId is the name of the product catalog from which this app was chosen.
-- **FailedRetry** Was the installation or update retry successful?
-- **HResult** The HResult code of the operation.
-- **PFN** The Package Family Name of the app that is being installed or updated.
-- **ProductId** The product ID of the app that is being updated or installed.
-
-
-### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate
-
-The FulfillmentInitiate event is fired at the start of an app install or update. We use this to track the very beginning of the install/update process. StoreAgent events are needed to help keep Windows pre-installed 1st party apps up to date and secure, such as the mail and calendar apps. App update failure can be unique across devices and without this data from every device we will not be able to track the success/failure and fix any future vulnerabilities related to these built in Windows Apps.
-
-The following fields are available:
-
-- **PFN** The Package Family Name of the app that is being installed or updated.
-- **ProductId** The product ID of the app that is being updated or installed.
-- **CatalogId** The CatalogId is the name of the product catalog from which this app was chosen.
-
-
-### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest
-
-This event happens at the beginning of the install process when an app update or new app is installed. It's used to help keep Windows up-to-date and secure.
-
-The following fields are available:
-
-- **BundleId** The identity of the build associated with this product.
-- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed.
-- **ProductId** The Store Product ID for the product being installed.
-- **SkuId** Specific edition ID being installed.
-- **VolumePath** The disk path of the installation.
-
-
-### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation
-
-This event is sent when a product install or update is paused either by a user or the system. It's used to help keep Windows up-to-date and secure.
-
-The following fields are available:
-
-- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
-- **AttemptNumber** The total number of retry attempts before it was canceled.
-- **BundleId** The identity of the build associated with this product.
-- **CategoryId** The identity of the package or packages being installed.
-- **ClientAppId** The identity of the app that initiated this operation.
-- **IsBundle** Is this a bundle?
-- **IsInteractive** Is this user requested?
-- **IsMandatory** Is this a mandatory update?
-- **IsRemediation** Is this repairing a previous installation?
-- **IsRestore** Is this restoring previously acquired content?
-- **IsUpdate** Is this an update?
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **PFN** The Product Full Name.
-- **PreviousHResult** The result code of the last action performed before this operation.
-- **PreviousInstallState** Previous state before the installation or update was paused.
-- **ProductId** The Store Product ID for the product being installed.
-- **RelatedCV** Correlation Vector of a previous performed action on this product.
-- **SystemAttemptNumber** The total number of system attempts.
-- **UserAttemptNumber** The total number of user attempts.
-- **WUContentId** The Windows Update content ID
-
-
-### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation
-
-This event happens when a product install or update is resumed either by a user or the system. It's used to help keep Windows up-to-date and secure.
-
-The following fields are available:
-
-- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
-- **AttemptNumber** The number of retry attempts before it was canceled.
-- **BundleId** The identity of the build associated with this product.
-- **CategoryId** The identity of the package or packages being installed.
-- **ClientAppId** The identity of the app that initiated this operation.
-- **HResult** The result code of the last action performed before this operation.
-- **IsBundle** Is this a bundle?
-- **IsInteractive** Is this user requested?
-- **IsMandatory** Is this a mandatory update?
-- **IsRemediation** Is this repairing a previous installation?
-- **IsRestore** Is this restoring previously acquired content?
-- **IsUpdate** Is this an update?
-- **IsUserRetry** Did the user initiate the retry?
-- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
-- **PFN** The name of the package or packages requested for install.
-- **PreviousHResult** The previous HResult error code.
-- **PreviousInstallState** Previous state before the installation was paused.
-- **ProductId** The Store Product ID for the product being installed.
-- **RelatedCV** Correlation Vector for the original install before it was resumed.
-- **SystemAttemptNumber** The total number of system attempts.
-- **UserAttemptNumber** The total number of user attempts.
-- **WUContentId** The Windows Update content ID
-
-
-### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest
-
-This event happens when a product install or update is resumed by a user and on installation retries. It's used to help keep Windows up-to-date and secure.
-
-The following fields are available:
-
-- **ProductId** The Store Product ID for the product being installed.
-
-
-### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest
-
-This event is sent when searching for update packages to install. It's used to help keep Windows up-to-date and secure.
-
-The following fields are available:
-
-- **CatalogId** The Store Product ID for the product being installed.
-- **ProductId** The Store Product ID for the product being installed.
-- **SkuId** Specfic edition of the app being updated. - - -### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest - -This event happens an app for a user needs to be updated. It's used to help keep Windows up-to-date and secure. - -The following fields are available: - -- **PFamN** The name of the product that is requested for update. +- **AcPowerOnline** If "TRUE," the device is using AC power. If "FALSE," the device is using battery power. +- **ActualTransitions** The number of transitions between operating system states since the last system boot +- **BatteryCapacity** Maximum battery capacity in mWh +- **BatteryCharge** Current battery charge as a percentage of total capacity +- **BatteryDischarging** Flag indicating whether the battery is discharging or charging +- **BootId** Total boot count since the operating system was installed +- **BootTimeUTC** Date and time of a particular boot event (identified by BootId) +- **EnergyChangeV2** A snapshot value in mWh reflecting a change in power usage +- **EnergyChangeV2Flags** Flags for disambiguating EnergyChangeV2 context +- **EventSequence** Indicates the sequence order for this event instance, relative to previous instances of OSStateChange events that have occurred since boot +- **LastStateTransition** ID of the last operating system state transition +- **LastStateTransitionSub** ID of the last operating system sub-state transition +- **StateDurationMS** Number of milliseconds spent in the last operating system state +- **StateTransition** ID of the operating system state the system is transitioning to +- **StateTransitionSub** ID of the operating system sub-state the system is transitioning to +- **TotalDurationMS** Total time (in milliseconds) spent in all states since the last boot +- **TotalUptimeMS** Total time (in milliseconds) the device was in Up or Running states since the last boot +- **TransitionsToOn** Number of transitions to the Powered On state since the last boot +- 
**UptimeDeltaMS** Total time (in milliseconds) added to Uptime since the last event ## Privacy consent logging events @@ -3446,13 +3458,29 @@ Event tells us effectiveness of new privacy experience. The following fields are available: -- **isAdmin** Whether the current user is an administrator or not +- **isAdmin** whether the person who is logging in is an admin - **isLaunching** Whether or not the privacy consent experience will be launched -- **isSilentElevation** Whether the current user has enabled silent elevation -- **privacyConsentState** The current state of the privacy consent experience +- **isSilentElevation** whether the user has most restrictive UAC controls +- **privacyConsentState** whether the user has completed privacy experience - **userRegionCode** The current user's region setting +## Sediment events + +### Microsoft.Windows.Sediment.OSRSS.UrlState + +This event indicates the state the Operating System Remediation System Service (OSRSS) is in while attempting a download from the URL. + +The following fields are available: + +- **Id** A number identifying the URL. +- **ServiceVersionMajor** Version information for the component. +- **ServiceVersionMinor** Version information for the component. +- **StateData** State-specific data, such as the attempt number for the download. +- **StateNumber** A number identifying the current state of the URL (for example, found, downloading, extracted). +- **Time** System timestamp when the event was started. + + ## Setup events ### SetupPlatformTel.SetupPlatformTelEvent 
@@ -3477,7 +3505,7 @@ The following fields are available: - **accountType** The type of account that was deleted. Example: AD, AAD, or Local - **deleteState** Whether the attempted deletion of the user account was successful. - **userSid** The security identifier of the account. -- **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager. +- **wilActivity** Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager. See [wilActivity](#wilactivity). ### Microsoft.Windows.SharedPC.AccountManager.SinglePolicyEvaluation 
@@ -3486,9 +3514,59 @@ Activity for run of the Transient Account Manager that determines if any user ac The following fields are available: -- **totalAccountCount** The number of accounts on a device after running the Transient Account Manager policies. -- **wilActivity** Windows Error Reporting data collected when there is a failure in evaluating accounts to be deleted with the Transient Account Manager. - **evaluationTrigger** When was the Transient Account Manager policies ran? Example: At log off or during maintenance hours +- **totalAccountCount** The number of accounts on a device after running the Transient Account Manager policies. +- **wilActivity** Windows Error Reporting data collected when there is a failure in evaluating accounts to be deleted with the Transient Account Manager. See [wilActivity](#wilactivity). + + +### wilActivity + +This event provides a Windows Internal Library context used for Product and Service diagnostics. + +The following fields are available: + +- **callContext** The function where the failure occurred. +- **currentContextId** The ID of the current call context where the failure occurred. +- **currentContextMessage** The message of the current call context where the failure occurred. +- **currentContextName** The name of the current call context where the failure occurred. +- **failureCount** The number of failures for this failure ID. +- **failureId** The ID of the failure that occurred. +- **failureType** The type of the failure that occurred. +- **fileName** The file name where the failure occurred. +- **function** The function where the failure occurred. +- **hresult** The HResult of the overall activity. +- **lineNumber** The line number where the failure occurred. +- **message** The message of the failure that occurred. +- **module** The module where the failure occurred. +- **originatingContextId** The ID of the originating call context that resulted in the failure. 
+- **originatingContextMessage** The message of the originating call context that resulted in the failure. +- **originatingContextName** The name of the originating call context that resulted in the failure. +- **threadId** The ID of the thread on which the activity is executing. + + +### wilResult + +This event provides a Windows Internal Library context used for Product and Service diagnostics. + +The following fields are available: + +- **callContext** The call context stack where failure occurred. +- **currentContextId** The ID of the current call context where the failure occurred. +- **currentContextMessage** The message of the current call context where the failure occurred. +- **currentContextName** The name of the current call context where the failure occurred. +- **failureCount** The number of failures for this failure ID. +- **failureId** The ID of the failure that occurred. +- **failureType** The type of the failure that occurred. +- **fileName** The file name where the failure occurred. +- **function** The function where the failure occurred. +- **hresult** The HResult of the overall activity. +- **lineNumber** The line number where the failure occurred. +- **message** The message of the failure that occurred. +- **module** The module where the failure occurred. +- **originatingContextId** The ID of the originating call context that resulted in the failure. +- **originatingContextMessage** The message of the originating call context that resulted in the failure. +- **originatingContextName** The name of the originating call context that resulted in the failure. +- **threadId** The ID of the thread on which the activity is executing. ## SIH events 
@@ -3546,37 +3624,6 @@ The following fields are available: - **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion. - **AllowCachedResults** Indicates if the scan allowed using cached results. -- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. -- **CurrentMobileOperator** The mobile operator the device is currently connected to. -- **DriverSyncPassPerformed** Were drivers scanned this time? -- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. -- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. -- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. -- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). -- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). -- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. -- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 -- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. -- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. -- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 
0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce -- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked -- **NumberOfLoop** The number of round trips the scan required -- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan -- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan -- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. -- **Online** Indicates if this was an online scan. -- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced. -- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. -- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. -- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one -- **ScanDurationInSeconds** The number of seconds a scan took -- **ScanEnqueueTime** The number of seconds it took to initialize a scan -- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.). -- **ServiceUrl** The environment URL a device is configured to scan with -- **ShippingMobileOperator** The mobile operator that a device shipped on. -- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). -- **SyncType** Describes the type of scan the event was -- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. - **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable - **BiosFamily** The family of the BIOS (Basic Input Output System). - **BiosName** The name of the device BIOS. 
@@ -3585,40 +3632,71 @@ The following fields are available: - **BIOSVendor** The vendor of the BIOS. - **BiosVersion** The version of the BIOS. - **BranchReadinessLevel** The servicing branch configured on the device. +- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. +- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client. +- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. +- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location. +- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. - **ClientVersion** The version number of the software distribution client. +- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown +- **CurrentMobileOperator** The mobile operator the device is currently connected to. - **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000). - **DeferredUpdates** Update IDs which are currently being deferred until a later time - **DeviceModel** What is the device model. +- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. - **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled. +- **DriverSyncPassPerformed** Were drivers scanned this time? - **EventInstanceID** A globally unique identifier for event instance. +- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed. 
+- **ExtendedMetadataCabUrl** Hostname that is used to download an update. +- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough. +- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. +- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. - **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days). +- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device. - **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days). +- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds). +- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds). +- **HomeMobileOperator** The mobile operator that the device was originally intended to work with. - **IntentPFNs** Intended application-set metadata for atomic update scenarios. +- **IPVersion** Indicates whether the download took place over IPv4 or IPv6 +- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device. +- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device. +- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. +- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce +- **MSIError** The last error that was encountered during a scan for updates. +- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 
0 - IPv4, 1 - IPv6 - **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete +- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked +- **NumberOfLoop** The number of round trips the scan required +- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan +- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan +- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down. +- **Online** Indicates if this was an online scan. - **PausedUpdates** A list of UpdateIds which that currently being paused. - **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window. - **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window. - **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window. - **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window. +- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced. +- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided. - **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days). +- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device. - **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days). 
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one +- **ScanDurationInSeconds** The number of seconds a scan took +- **ScanEnqueueTime** The number of seconds it took to initialize a scan +- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.). +- **ServiceUrl** The environment URL a device is configured to scan with +- **ShippingMobileOperator** The mobile operator that a device shipped on. +- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult). +- **SyncType** Describes the type of scan the event was - **SystemBIOSMajorRelease** Major version of the BIOS. - **SystemBIOSMinorRelease** Minor version of the BIOS. +- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. +- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down. - **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation. - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. -- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null. -- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null. -- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device. -- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated. -- **CDNCountryCode** Two letter country abbreviation for the CDN's location. 
-- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue. -- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered. -- **ExtendedMetadataCabUrl** Hostname that is used to download an update. -- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan. -- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan. -- **MSIError** The last error that was encountered during a scan for updates. -- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6 -- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown ### SoftwareUpdateClientTelemetry.Commit 
@@ -3633,31 +3711,31 @@ The following fields are available: - **BiosSKUNumber** Device SKU as defined in the system BIOS - **BIOSVendor** Vendor of the system BIOS - **BiosVersion** Version of the system BIOS -- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. -- **BundleRevisionNumber** Identifies the revision number of the content bundle -- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client +- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found. +- **BundleRevisionNumber** Identifies the revision number of the content bundle +- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client - **ClientVersion** Version number of the software distribution client -- **DeviceModel** Device model as defined in the system bios +- **DeviceModel** Device model as defined in the system bios - **EventInstanceID** A globally unique identifier for event instance - **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc. - **EventType** Possible values are "Child", "Bundle", "Relase" or "Driver". -- **FlightId** The specific id of the flight the device is getting -- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) +- **FlightId** The specific id of the flight the device is getting +- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.) 
- **RevisionNumber** Identifies the revision number of this specific piece of content - **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc) -- **SystemBIOSMajorRelease** Major release version of the system bios -- **SystemBIOSMinorRelease** Minor release version of the system bios -- **UpdateId** Identifier associated with the specific piece of content -- **WUDeviceID** Unique device id controlled by the software distribution client +- **SystemBIOSMajorRelease** Major release version of the system bios +- **SystemBIOSMinorRelease** Minor release version of the system bios +- **UpdateId** Identifier associated with the specific piece of content +- **WUDeviceID** Unique device id controlled by the software distribution client ### SoftwareUpdateClientTelemetry.Download -Download process event for target update on Windows Update client (see eventscenario field for specifics, e.g.: started/failed/succeeded) +Download process event for target update on Windows Update client. See EventScenario field for specifics (started/failed/succeeded). The following fields are available: -- **ActiveDownloadTime** How long the download took, in seconds, excluding time where the update wasn't actively being downloaded. +- **ActiveDownloadTime** Number of seconds the update was actively being downloaded. - **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded. - **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client. - **BiosFamily** The family of the BIOS (Basic Input Output System). 
@@ -3666,19 +3744,20 @@ The following fields are available:
 - **BiosSKUNumber** The sku number of the device BIOS.
 - **BIOSVendor** The vendor of the BIOS.
 - **BiosVersion** The version of the BIOS.
-- **BundleBytesDownloaded** How many bytes were downloaded for the specific content bundle.
+- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle.
 - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
-- **BundleRepeatFailFlag** Indicates whether this particular update bundle had previously failed to download.
+- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download.
 - **BundleRevisionNumber** Identifies the revision number of the content bundle.
-- **BytesDownloaded** How many bytes were downloaded for an individual piece of content (not the entire bundle).
+- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle).
 - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
 - **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download.
-- **CDNCountryCode** Two letter country abbreviation for the CDN's location.
+- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location.
 - **CDNId** ID which defines which CDN the software distribution client downloaded the content from.
 - **ClientVersion** The version number of the software distribution client.
 - **CurrentMobileOperator** The mobile operator the device is currently connected to.
 - **DeviceModel** What is the device model.
 - **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority.
+- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events.
 - **EventInstanceID** A globally unique identifier for event instance.
 - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed.
 - **EventType** Possible values are Child, Bundle, or Driver.
@@ -3686,7 +3765,7 @@ The following fields are available:
 - **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
 - **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
 - **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight.
-- **FlightId** The specific id of the flight (pre-release build) the device is getting.
+- **FlightId** The specific ID of the flight (pre-release build) the device is getting.
 - **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
 - **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.).
 - **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
@@ -3703,10 +3782,10 @@ The following fields are available:
 - **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
 - **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
 - **RegulationReason** The reason that the update is regulated
-- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one.
 - **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download.
 - **RevisionNumber** Identifies the revision number of this specific piece of content.
-- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
+- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
 - **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
 - **ShippingMobileOperator** The mobile operator that a device shipped on.
 - **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult).
@@ -3722,7 +3801,6 @@ The following fields are available:
 - **UsedDO** Whether the download used the delivery optimization service.
 - **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive.
 - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
-- **DownloadScenarioId** A unique ID for a given download used to tie together WU and DO events.
 ### SoftwareUpdateClientTelemetry.DownloadCheckpoint
@@ -3755,7 +3833,7 @@ The following fields are available:
 - **BytesTotal** Total bytes to transfer for this content
 - **BytesTransferred** Total bytes transferred for this content at the time of heartbeat
-- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client
+- **CallerApplicationName** Name provided by the caller who initiated API calls into the software distribution client
 - **ClientVersion** The version number of the software distribution client
 - **ConnectionStatus** Indicates the connectivity state of the device at the time of heartbeat
 - **CurrentError** Last (transient) error encountered by the active download
@@ -3770,11 +3848,11 @@ The following fields are available:
 - **RelatedCV** The previous correlation vector that was used by the client, before swapping with a new one
 - **ResumeCount** Number of times this active download has resumed from a suspended state
 - **RevisionNumber** Identifies the revision number of this specific piece of content
-- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc)
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc)
 - **SuspendCount** Number of times this active download has entered a suspended state
 - **SuspendReason** Last reason for why this active download entered a suspended state
-- **UpdateId** Identifier associated with the specific piece of content
-- **WUDeviceID** Unique device id controlled by the software distribution client
+- **UpdateId** Identifier associated with the specific piece of content
+- **WUDeviceID** Unique device id controlled by the software distribution client
 ### SoftwareUpdateClientTelemetry.Install
@@ -3790,43 +3868,43 @@ The following fields are available:
 - **BIOSVendor** The vendor of the BIOS.
 - **BiosVersion** The version of the BIOS.
 - **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
-- **BundleRepeatFailFlag** Has this particular update bundle previously failed to install?
+- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install.
 - **BundleRevisionNumber** Identifies the revision number of the content bundle.
 - **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
 - **ClientVersion** The version number of the software distribution client.
 - **CSIErrorType** The stage of CBS installation where it failed.
-- **CurrentMobileOperator** Mobile operator that device is currently connected to.
-- **DeviceModel** What is the device model.
+- **CurrentMobileOperator** The mobile operator to which the device is currently connected.
+- **DeviceModel** The device model.
 - **DriverPingBack** Contains information about the previous driver and system state.
 - **EventInstanceID** A globally unique identifier for event instance.
 - **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
 - **EventType** Possible values are Child, Bundle, or Driver.
 - **ExtendedErrorCode** The extended error code.
-- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
-- **FeatureUpdatePause** Are feature OS updates paused on the device?
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
 - **FlightBranch** The branch that a device is on if participating in the Windows Insider Program.
 - **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build.
 - **FlightId** The specific ID of the Windows Insider build the device is getting.
 - **FlightRing** The ring that a device is on if participating in the Windows Insider Program.
-- **HandlerType** Indicates what kind of content is being installed. Example: app, driver, Windows update
+- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update).
 - **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device.
 - **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
 - **IntentPFNs** Intended application-set metadata for atomic update scenarios.
-- **IsDependentSet** Is the driver part of a larger System Hardware/Firmware update?
-- **IsFinalOutcomeEvent** Does this event signal the end of the update/upgrade process?
-- **IsFirmware** Is this update a firmware update?
-- **IsSuccessFailurePostReboot** Did it succeed and then fail after a restart?
-- **IsWUfBDualScanEnabled** Is Windows Update for Business dual scan enabled on the device?
-- **IsWUfBEnabled** Is Windows Update for Business enabled on the device?
-- **MergedUpdate** Was the OS update and a BSP update merged for installation?
+- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update.
+- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process.
+- **IsFirmware** Indicates whether this update is a firmware update.
+- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart.
+- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device.
+- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation.
 - **MsiAction** The stage of MSI installation where it failed.
 - **MsiProductCode** The unique identifier of the MSI installer.
 - **PackageFullName** The package name of the content being installed.
 - **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced.
-- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
-- **QualityUpdatePause** Are quality OS updates paused on the device?
+- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
 - **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
-- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to install.
+- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install.
 - **RevisionNumber** The revision number of this specific piece of content.
 - **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
 - **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway.
@@ -3836,8 +3914,8 @@ The following fields are available:
 - **SystemBIOSMinorRelease** Minor version of the BIOS.
 - **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
 - **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
-- **TransactionCode** The ID which represents a given MSI installation
-- **UpdateId** Unique update ID
+- **TransactionCode** The ID that represents a given MSI installation.
+- **UpdateId** Unique update ID.
 - **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
 - **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive.
 - **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
@@ -3849,13 +3927,13 @@ This event sends data about an AppX app that has been updated from the Microsoft
 The following fields are available:
-- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable
-- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client
+- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
 - **IntentPFNs** Intended application-set metadata for atomic update scenarios.
-- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete
-- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
-- **ServiceGuid** An ID which represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.)
-- **WUDeviceID** The unique device ID controlled by the software distribution client
+- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete.
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one.
+- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.).
+- **WUDeviceID** The unique device ID controlled by the software distribution client.
 ### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity
@@ -3864,145 +3942,150 @@ Ensures Windows Updates are secure and complete. Event helps to identify whether
 The following fields are available:
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
 - **EndpointUrl** URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments.
 - **EventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc.
-- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
-- **LeafCertId** Integral id from the FragmentSigning data for certificate which failed.
-- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode was not specific enough.
+- **LeafCertId** Integral id from the FragmentSigning data for certificate which failed.
+- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
+- **MetadataIntegrityMode** Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
 - **MetadataSignature** Base64 string of the signature associated with the update metadata (specified by revision id)
+- **RawMode** Raw unparsed mode string from the SLS response. May be null if not applicable.
+- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable.
 - **RevisionId** Identifies the revision of this specific piece of content
 - **RevisionNumber** Identifies the revision number of this specific piece of content
 - **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc)
-- **SHA256OfLeafCertPublicKey** Base64 encoding of hash of the Base64CertData in the FragmentSigning data of leaf certificate.
+- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate.
+- **SHA256OfLeafCertPublicKey** Base64 encoding of hash of the Base64CertData in the FragmentSigning data of leaf certificate.
 - **SHA256OfTimestampToken** Base64 string of hash of the timestamp token blob
 - **SignatureAlgorithm** Hash algorithm for the metadata signature
 - **SLSPrograms** A test program a machine may be opted in. Examples include "Canary" and "Insider Fast".
 - **StatusCode** Result code of the event (success, cancellation, failure code HResult)
-- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is itself malformed and decoding failed.
-- **UpdateId** Identifier associated with the specific piece of content
-- **RawMode** Raw unparsed mode string from the SLS response. May be null if not applicable.
-- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token.
+- **TimestampTokenCertThumbprint** The thumbprint of the encoded timestamp token.
+- **TimestampTokenId** Created time encoded in the timestamp blob. This will be zeroed if the token is itself malformed and decoding failed.
+- **UpdateId** Identifier associated with the specific piece of content
 - **ValidityWindowInDays** The validity window that's in effect when verifying the timestamp.
-- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
-- **ListOfSHA256OfIntermediateCerData** A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
-- **RawValidityWindowInDays** The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable.
-- **SHA256OfLeafCerData** A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate.
 ## Update events
 ### Update360Telemetry.UpdateAgentCommit
-This event collects information regarding the commit phase of the new UUP (Unified Update Platform) update scenario, which is leveraged by both Mobile and Desktop.
-
-The following fields are available:
-
-- **ErrorCode** The error code returned for the current install phase.
-- **FlightId** Unique ID for each flight.
-- **ObjectId** Unique value for each Update Agent mode.
-- **RelatedCV** Correlation vector value generated from the latest USO scan.
-- **Result** Outcome of the install phase of the update.
-- **ScenarioId** Indicates the update scenario.
-- **SessionId** Unique value for each update attempt.
-- **UpdateId** Unique ID for each update.
-
-
-### Update360Telemetry.UpdateAgentDownloadRequest
-
- The UpdateAgent_DownloadRequest event sends data for the download request phase of updating Windows via the new UUP (Unified Update Platform) scenario. Applicable to PC and Mobile.
-
-The following fields are available:
-
-- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted.
-- **ErrorCode** The error code returned for the current download request phase.
-- **FlightId** Unique ID for each flight.
-- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360)
-- **PackageCountOptional** Number of optional packages requested.
-- **PackageCountRequired** Number of required packages requested.
-- **PackageCountTotal** Total number of packages needed.
-- **PackageCountTotalCanonical** Total number of canonical packages.
-- **PackageCountTotalDiff** Total number of diff packages.
-- **PackageCountTotalExpress** Total number of express packages.
-- **PackageSizeCanonical** Size of canonical packages in bytes.
-- **PackageSizeDiff** Size of diff packages in bytes.
-- **PackageSizeExpress** Size of express packages in bytes.
-- **RangeRequestState** Indicates the range request type used.
-- **RelatedCV** Correlation vector value generated from the latest USO scan.
-- **Result** Outcome of the download request phase of update.
-- **ScenarioId** Indicates the update scenario.
-- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases)
-- **UpdateId** Unique ID for each update.
-- **PackageExpressType** Type of express package.
-
-
-### Update360Telemetry.UpdateAgentExpand
-
- This event collects information regarding the expansion phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop.
-
-The following fields are available:
-
-- **ElapsedTickCount** Time taken for expand phase.
-- **EndFreeSpace** Free space after expand phase.
-- **EndSandboxSize** Sandbox size after expand phase.
-- **ErrorCode** The error code returned for the current install phase.
-- **FlightId** Unique ID for each flight.
-- **ObjectId** Unique value for each Update Agent mode.
-- **RelatedCV** Correlation vector value generated from the latest USO scan.
-- **ScenarioId** Indicates the update scenario.
-- **SessionId** Unique value for each update attempt.
-- **StartFreeSpace** Free space before expand phase.
-- **StartSandboxSize** Sandbox size after expand phase.
-- **UpdateId** Unique ID for each update.
-
-
-### Update360Telemetry.UpdateAgentFellBackToCanonical
-
-This event collects information when express could not be used and we fall back to canonical during the new UUP (Unified Update Platform) update scenario, which is leveraged by both Mobile and Desktop.
-
-The following fields are available:
-
-- **FlightId** Unique ID for each flight.
-- **ObjectId** Unique value for each Update Agent mode.
-- **PackageCount** Number of packages that feel back to canonical.
-- **PackageList** PackageIds which fell back to canonical.
-- **RelatedCV** Correlation vector value generated from the latest USO scan.
-- **ScenarioId** Indicates the update scenario.
-- **SessionId** Unique value for each update attempt.
-- **UpdateId** Unique ID for each update.
-
-
-### Update360Telemetry.UpdateAgentInitialize
-
- The UpdateAgentInitialize event sends data for the initialize phase of updating Windows via the new UUP (Unified Update Platform) scenario. Applicable to both PCs and Mobile.
-
-The following fields are available:
-
-- **ErrorCode** The error code returned for the current install phase.
-- **FlightId** Unique ID for each flight.
-- **FlightMetadata** Contains the FlightId and the build being flighted.
-- **ObjectId** Unique value for each Update Agent mode.
-- **RelatedCV** Correlation vector value generated from the latest USO scan.
-- **Result** Outcome of the install phase of the update.
-- **ScenarioId** Indicates the update scenario.
-- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios).
-- **SessionId** Unique value for each update attempt.
-- **UpdateId** Unique ID for each update.
-
-
-### Update360Telemetry.UpdateAgentInstall
-
-The UpdateAgentInstall event sends data for the install phase of updating Windows.
+This event collects information regarding the commit phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
 The following fields are available:
 - **ErrorCode** The error code returned for the current install phase.
-- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
-- **ObjectId** Correlation vector value generated from the latest USO scan.
-- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the install phase of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentDownloadRequest
+
+This event sends data for the download request phase of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to PC and Mobile.
+
+The following fields are available:
+
+- **DeletedCorruptFiles** Boolean indicating whether corrupt payload was deleted.
+- **DownloadRequests** Number of times a download was retried.
+- **ErrorCode** The error code returned for the current download request phase.
+- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin.
+- **FlightId** Unique ID for each flight.
+- **InternalFailureResult** Indicates a non-fatal error from a plugin.
+- **ObjectId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
+- **PackageCountOptional** Number of optional packages requested.
+- **PackageCountRequired** Number of required packages requested.
+- **PackageCountTotal** Total number of packages needed.
+- **PackageCountTotalCanonical** Total number of canonical packages.
+- **PackageCountTotalDiff** Total number of diff packages.
+- **PackageCountTotalExpress** Total number of express packages.
+- **PackageExpressType** Type of express package.
+- **PackageSizeCanonical** Size of canonical packages in bytes.
+- **PackageSizeDiff** Size of diff packages in bytes.
+- **PackageSizeExpress** Size of express packages in bytes.
+- **RangeRequestState** Indicates the range request type used.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the download request phase of update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each attempt (same value for initialize, download, install commit phases).
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentExpand
+
+This event collects information regarding the expansion phase of the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **ElapsedTickCount** Time taken for expand phase.
+- **EndFreeSpace** Free space after expand phase.
+- **EndSandboxSize** Sandbox size after expand phase.
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **StartFreeSpace** Free space before expand phase.
+- **StartSandboxSize** Sandbox size after expand phase.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentFellBackToCanonical
+
+This event collects information when express could not be used and we fall back to canonical during the new Unified Update Platform (UUP) update scenario, which is leveraged by both Mobile and Desktop.
+
+The following fields are available:
+
+- **FlightId** Unique ID for each flight.
+- **ObjectId** Unique value for each Update Agent mode.
+- **PackageCount** Number of packages that feel back to canonical.
+- **PackageList** PackageIds which fell back to canonical.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentInitialize
+
+This event sends data for the initialize phase of updating Windows via the new Unified Update Platform (UUP) scenario, which is applicable to both PCs and Mobile.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **FlightId** Unique ID for each flight.
+- **FlightMetadata** Contains the FlightId and the build being flighted.
+- **ObjectId** Unique value for each Update Agent mode.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
+- **Result** Outcome of the install phase of the update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionData** String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgentInstall
+
+This event sends data for the install phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode** The error code returned for the current install phase.
+- **ExtensionName** Indicates whether the payload is related to Operating System content or a plugin.
+- **FlightId** Unique value for each Update Agent mode (same concept as InstanceId for Setup360).
+- **InternalFailureResult** Indicates a non-fatal error from a plugin.
+- **ObjectId** Correlation vector value generated from the latest USO scan.
+- **RelatedCV** Correlation vector value generated from the latest USO scan.
 - **Result** The result for the current install phase.
-- **ScenarioId** Indicates the update scenario.
-- **SessionId** Unique value for each update attempt.
-- **UpdateId** Unique ID for each update.
+- **ScenarioId** Indicates the update scenario.
+- **SessionId** Unique value for each update attempt.
+- **UpdateId** Unique ID for each update.
 ### Update360Telemetry.UpdateAgentMerge
@@ -4011,85 +4094,85 @@ The UpdateAgentMerge event sends data on the merge phase when updating Windows. The following fields are available: -- **ErrorCode** The error code returned for the current merge phase. +- **ErrorCode** The error code returned for the current merge phase. - **FlightId** Unique ID for each flight. -- **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Related correlation vector value. -- **Result** Outcome of the merge phase of the update. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each attempt. -- **UpdateId** Unique ID for each update. +- **ObjectId** Unique value for each Update Agent mode. +- **RelatedCV** Related correlation vector value. +- **Result** Outcome of the merge phase of the update. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each attempt. +- **UpdateId** Unique ID for each update. ### Update360Telemetry.UpdateAgentModeStart -The UpdateAgentModeStart event sends data for the start of each mode during the process of updating Windows via the new UUP (Unified Update Platform) scenario. Applicable to both PCs and Mobile. +This event sends data for the start of each mode during the process of updating Windows via the new Unified Update Platform (UUP) scenario. Applicable to both PCs and Mobile. The following fields are available: -- **FlightId** Unique ID for each flight. -- **Mode** Indicates the mode that has started. +- **FlightId** Unique ID for each flight. +- **Mode** Indicates the mode that has started. - **ObjectId** Unique value for each Update Agent mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. 
- **UpdateId** Unique ID for each update. - **Version** Version of update ### Update360Telemetry.UpdateAgentPostRebootResult -This event collects information for both Mobile and Desktop regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario +This event collects information for both Mobile and Desktop regarding the post reboot phase of the new Unified Update Platform (UUP) update scenario. The following fields are available: -- **ErrorCode** The error code returned for the current post reboot phase -- **FlightId** The unique identifier for each flight -- **ObjectId** Unique value for each Update Agent mode -- **PostRebootResult** Indicates the Hresult -- **RelatedCV** Correlation vector value generated from the latest USO scan -- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate +- **ErrorCode** The error code returned for the current post reboot phase. +- **FlightId** The specific ID of the Windows Insider build the device is getting. +- **ObjectId** Unique value for each Update Agent mode. +- **PostRebootResult** Indicates the Hresult. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ScenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. - **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update +- **UpdateId** Unique ID for each update. ### Update360Telemetry.UpdateAgentSetupBoxLaunch -The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new UUP (Unified Update Plaform) scenario. This event is only applicable to PCs. +The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new Unified Update Platform (UUP) scenario. This event is only applicable to PCs. 
The following fields are available: -- **FlightId** Unique ID for each flight. -- **FreeSpace** Free space on OS partition. -- **InstallCount** Number of install attempts using the same sandbox. -- **ObjectId** Unique value for each Update Agent mode. -- **Quiet** Indicates whether setup is running in quiet mode. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **SandboxSize** Size of the sandbox. -- **ScenarioId** Indicates the update scenario. -- **SessionId** Unique value for each update attempt. -- **SetupMode** Mode of setup to be launched. -- **UpdateId** Unique ID for each Update. -- **UserSession** Indicates whether install was invoked by user actions. - **ContainsExpressPackage** Indicates whether the download package is express. +- **FlightId** Unique ID for each flight. +- **FreeSpace** Free space on OS partition. +- **InstallCount** Number of install attempts using the same sandbox. +- **ObjectId** Unique value for each Update Agent mode. +- **Quiet** Indicates whether setup is running in quiet mode. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **SandboxSize** Size of the sandbox. +- **ScenarioId** Indicates the update scenario. +- **SessionId** Unique value for each update attempt. +- **SetupMode** Mode of setup to be launched. +- **UpdateId** Unique ID for each update. +- **UserSession** Indicates whether install was invoked by user actions. ## Update notification events ### Microsoft.Windows.UpdateNotificationPipeline.JavascriptJavascriptCriticalGenericMessage -Event to indicate that Javascript is reporting a schema and a set of values for critical telemetry. +This event indicates that Javascript is reporting a schema and a set of values for critical telemetry. 
The following fields are available: -- **CampaignConfigVersion** Config version of current campaign -- **CampaignID** Currently running campaign on UNP -- **ConfigCatalogVersion** Current catalog version of UNP -- **ContentVersion** Content version of the current campaign on UNP -- **CV** Correlation vector -- **DetectorVersion** Most recently run detector version for the current campaign on UNP -- **GlobalEventCounter** Client side counter which indicates ordering of events sent by this user -- **key1** UI interaction data +- **CampaignConfigVersion** Configuration version of the current campaign. +- **CampaignID** ID of the currently running campaign. +- **ConfigCatalogVersion** Current catalog version of the update notification. +- **ContentVersion** Content version of the current update notification campaign. +- **CV** Correlation vector. +- **DetectorVersion** Most recently run detector version for the current campaign. +- **GlobalEventCounter** Client side counter that indicates the ordering of events sent by this user. +- **key1** Interaction data for the UI - **key10** UI interaction data - **key11** UI interaction data - **key12** UI interaction data @@ -4098,18 +4181,9 @@ The following fields are available: - **key15** UI interaction data - **key16** UI interaction data - **key17** UI interaction data -- **key2** UI interaction data -- **key3** UI interaction data -- **key4** UI interaction data -- **key5** UI interaction data -- **key6** UI interaction data -- **key7** Interaction data for the UI -- **key8** Interaction data for the UI -- **key9** UI interaction data -- **PackageVersion** Current package version of UNP -- **schema** UI interaction type - **key18** UI interaction data - **key19** UI interaction data +- **key2** Interaction data for the UI - **key20** UI interaction data - **key21** Interaction data for the UI - **key22** UI interaction data 
@@ -4118,120 +4192,156 @@ The following fields are available: - **key25** UI interaction data - **key26** UI interaction data - **key27** UI interaction data -- **key28** Interaction data for the UI +- **key28** UI interaction data - **key29** UI interaction data +- **key3** Interaction data for the UI - **key30** UI interaction data +- **key4** Interaction data for the UI +- **key5** UI interaction data +- **key6** UI interaction data +- **key7** Interaction data for the UI +- **key8** Interaction data for the UI +- **key9** UI interaction data +- **PackageVersion** Current package version of the update notification. +- **schema** UI interaction type. ### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignHeartbeat -This event is sent at the start of each campaign, to be used as a heartbeat +This event is sent at the start of each campaign, to be used as a heartbeat. The following fields are available: -- **CampaignConfigVersion** Configuration version for the current campaign -- **CampaignID** Currently campaign that's running on UNP -- **ConfigCatalogVersion** Current catalog version of UNP -- **ContentVersion** Content version for the current campaign on UNP -- **CV** Correlation vector -- **DetectorVersion** Most recently run detector version for the current campaign on UNP -- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user -- **PackageVersion** Current UNP package version +- **CampaignConfigVersion** Configuration version for the current campaign. +- **CampaignID** Current campaign that is running on Update Notification Pipeline. +- **ConfigCatalogVersion** Current catalog version of Update Notification Pipeline. +- **ContentVersion** Content version for the current campaign on Update Notification Pipeline. +- **CV** Correlation vector. +- **DetectorVersion** Most recently run detector version for the current campaign on Update Notification Pipeline. 
+- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. +- **PackageVersion** Current package version for Update Notification Pipeline. ### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerCleaningCampaign -This event indicates that the Campaign Manager is cleaning up the campaign content +This event indicates that the Campaign Manager is cleaning up the campaign content. The following fields are available: -- **CampaignConfigVersion** Configuration version for the current campaign -- **CampaignID** Current campaign that's running on UNP -- **ConfigCatalogVersion** Current catalog version of UNP -- **ContentVersion** Content version for the current campaign on UNP +- **CampaignConfigVersion** Configuration version for the current campaign. +- **CampaignID** The current campaign that is running on Update Notification Pipeline (UNP). +- **ConfigCatalogVersion** The current catalog version of the Update Notification Pipeline (UNP). +- **ContentVersion** Content version for the current campaign on UNP. 
- **CV** Correlation vector -- **DetectorVersion** Most recently run detector version for the current campaign on UNP -- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user -- **PackageVersion** Current UNP package version - - -### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat - -This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat - -The following fields are available: - -- **CampaignConfigVersion** Configuration version for the current campaign -- **CampaignID** Currently campaign that's running on UNP -- **ConfigCatalogVersion** Current catalog version of UNP -- **ContentVersion** Content version for the current campaign on UNP -- **CV** Correlation vector -- **DetectorVersion** Most recently run detector version for the current campaign on UNP -- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user -- **PackageVersion** Current UNP package version +- **DetectorVersion** Most recently run detector version for the current campaign on UNP. +- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. +- **PackageVersion** Current UNP package version. ### Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerGetIsCamppaignCompleteFailed -This event is sent when a campaign completion status query fails +This event is sent when a campaign completion status query fails. 
The following fields are available: -- **CampaignConfigVersion** Configuration version for the current campaign -- **CampaignID** Current campaign that's running on UNP -- **ConfigCatalogVersion** Current catalog version of UNP -- **ContentVersion** Content version for the current campaign on UNP -- **CV** Correlation vector -- **DetectorVersion** Most recently run detector version for the current campaign on UNP -- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user -- **hresult** HRESULT of the failure -- **PackageVersion** Current UNP package version +- **CampaignConfigVersion** Configuration version for the current campaign. +- **CampaignID** Current campaign that is running on Update Notification Pipeline (UNP). +- **ConfigCatalogVersion** Current catalog version of UNP. +- **ContentVersion** Content version for the current campaign on UNP. +- **CV** Correlation vector. +- **DetectorVersion** Most recently run detector version for the current campaign on UNP. +- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. +- **hresult** HRESULT of the failure. +- **PackageVersion** Current UNP package version. + + +### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat + +This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat. + +The following fields are available: + +- **CampaignConfigVersion** Configuration version for the current campaign. +- **CampaignID** Currently campaign that is running on Update Notification Pipeline (UNP). +- **ConfigCatalogVersion** Current catalog version of UNP. +- **ContentVersion** Content version for the current campaign on UNP. +- **CV** Correlation vector. +- **DetectorVersion** Most recently run detector version for the current campaign on UNP. +- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. 
+- **PackageVersion** Current UNP package version. ### Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerRunCampaignFailed -This event is sent when the Campaign Manager encounters an unexpected error while running the campaign +This event is sent when the Campaign Manager encounters an unexpected error while running the campaign. The following fields are available: -- **CampaignConfigVersion** Configuration version for the current campaign -- **CampaignID** Currently campaign that's running on UNP -- **ConfigCatalogVersion** Current catalog version of UNP -- **ContentVersion** Content version for the current campaign on UNP -- **CV** Correlation vector -- **DetectorVersion** Most recently run detector version for the current campaign on UNP -- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user -- **hresult** HRESULT of the failure -- **PackageVersion** Current UNP package version +- **CampaignConfigVersion** Configuration version for the current campaign. +- **CampaignID** Currently campaign that's running on Update Notification Pipeline (UNP). +- **ConfigCatalogVersion** Current catalog version of UNP. +- **ContentVersion** Content version for the current campaign on UNP. +- **CV** Correlation vector. +- **DetectorVersion** Most recently run detector version for the current campaign on UNP. +- **GlobalEventCounter** Client-side counter that indicates the event ordering sent by the user. +- **hresult** HRESULT of the failure. +- **PackageVersion** Current UNP package version. ## Upgrade events +### FacilitatorTelemetry.DCATDownload + +This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure. + +The following fields are available: + +- **DownloadSize** Download size of payload. +- **ElapsedTime** Time taken to download payload. 
+- **MediaFallbackUsed** Used to determine if we used Media CompDBs to figure out package requirements for the upgrade. +- **ResultCode** Result returned by the Facilitator DCAT call. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **Type** Type of package that was downloaded. + + +### FacilitatorTelemetry.InitializeDU + +This event determines whether devices received additional or critical supplemental content during an OS upgrade. + +The following fields are available: + +- **DCATUrl** The Delivery Catalog (DCAT) URL we send the request to. +- **DownloadRequestAttributes** The attributes we send to DCAT. +- **ResultCode** The result returned from the initialization of Facilitator with the URL/attributes. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **Version** Version of Facilitator. + + ### Setup360Telemetry.Downlevel -This event sends data indicating that the device has invoked the downlevel phase of the upgrade. It's used to help keep Windows up-to-date and secure. +This event sends data indicating that the device has started the downlevel phase of the upgrade, to help keep Windows up-to-date and secure. The following fields are available: - **ClientId** If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. - **HostOSBuildNumber** The build number of the downlevel OS. - **HostOsSkuName** The operating system edition which is running Setup360 instance (downlevel OS). - **InstanceId** A unique GUID that identifies each instance of setuphost.exe. - **ReportId** In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. 
-- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback -- **Setup360Result** The result of Setup360. It's an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **Setup360Extended** More detailed information about phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360 (for example, Predownload, Install, Finalize, Rollback). +- **Setup360Result** The result of Setup360 (HRESULT used to diagnose errors). +- **Setup360Scenario** The Setup360 flow type (for example, Boot, Media, Update, MCT). - **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). -- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled -- **TestId** A string that uniquely identifies a group of events. +- **State** Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** An ID that uniquely identifies a group of events. - **WuId** This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId. -- **FlightData** Unique value that identifies the flight. ### Setup360Telemetry.Finalize -This event sends data indicating that the device has invoked the finalize phase of the upgrade, to help keep Windows up-to-date. +This event sends data indicating that the device has started the phase of finalizing the upgrade, to help keep Windows up-to-date and secure. The following fields are available: 
@@ -4241,45 +4351,46 @@ The following fields are available: - **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). - **InstanceId** A unique GUID that identifies each instance of setuphost.exe - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Extended** More detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled -- **TestId** A string to uniquely identify a group of events. +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. ### Setup360Telemetry.OsUninstall -The event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.OSUninstall indicates the outcome of an OS uninstall. +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, it indicates the outcome of an OS uninstall. 
The following fields are available: - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. - **HostOSBuildNumber** The build number of the previous OS. - **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). - **InstanceId** A unique GUID that identifies each instance of setuphost.exe. - **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Extended** Detailed information about the phase or action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. - **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled -- **TestId** A string to uniquely identify a group of events. +- **State** Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. - **WuId** Windows Update client ID. -- **FlightData** Unique value that identifies the flight. ### Setup360Telemetry.PostRebootInstall -This event sends data indicating that the device has invoked the postrebootinstall phase of the upgrade, to help keep Windows up-to-date. 
+This event sends data indicating that the device has invoked the post reboot install phase of the upgrade, to help keep Windows up-to-date. The following fields are available: - **ClientId** With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. - **HostOSBuildNumber** The build number of the previous OS. - **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). - **InstanceId** A unique GUID that identifies each instance of setuphost.exe. @@ -4292,7 +4403,6 @@ The following fields are available: - **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled - **TestId** A string to uniquely identify a group of events. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as ClientId. -- **FlightData** Unique value that identifies the flight. ### Setup360Telemetry.PreDownloadQuiet 
@@ -4305,82 +4415,82 @@ The following fields are available: - **FlightData** Unique value that identifies the flight. - **HostOSBuildNumber** The build number of the previous OS. - **HostOsSkuName** The OS edition which is running Setup360 instance (previous operating system). -- **InstanceId** A unique GUID that identifies each instance of setuphost.exe +- **InstanceId** A unique GUID that identifies each instance of setuphost.exe. - **ReportId** Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled -- **TestId** A string to uniquely identify a group of events. +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled. +- **TestId** ID that uniquely identifies a group of events. - **WuId** This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId. ### Setup360Telemetry.PreDownloadUX -This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS. 
Specifically the Setup360Telemetry.PredownloadUX indicates the outcome of the PredownloadUX portion of the update process +This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS, to help keep Windows up-to-date and secure. Specifically, it indicates the outcome of the PredownloadUX portion of the update process. The following fields are available: - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **HostOSBuildNumber** The build number of the previous operating system. - **HostOsSkuName** The OS edition which is running the Setup360 instance (previous operating system). - **InstanceId** Unique GUID that identifies each instance of setuphost.exe. - **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Examplle: Boot, Media, Update, MCT +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of the target OS). 
-- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled -- **TestId** A string to uniquely identify a group of events. +- **State** The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled. +- **TestId** ID that uniquely identifies a group of events. - **WuId** Windows Update client ID. -- **FlightData** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. ### Setup360Telemetry.PreInstallQuiet -This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up to date. +This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up-to-date. The following fields are available: - **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. - **HostOSBuildNumber** The build number of the previous OS. - **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). - **InstanceId** A unique GUID that identifies each instance of setuphost.exe - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback etc. +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. 
This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT) +- **Setup360Scenario** Setup360 flow type (Boot, Media, Update, MCT). - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** A string to uniquely identify a group of events. - **WuId** This is the Windows Update Client ID. With Windows Update, this is the same as the clientId. -- **FlightData** Unique value that identifies the flight. ### Setup360Telemetry.PreInstallUX -This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.PreinstallUX indicates the outcome of the PreinstallUX portion of the update process. +This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10, to help keep Windows up-to-date. Specifically, it indicates the outcome of the PreinstallUX portion of the update process. The following fields are available: - **ClientId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. - **HostOSBuildNumber** The build number of the previous OS. - **HostOsSkuName** The OS edition which is running the Setup360 instance (previous OS). - **InstanceId** A unique GUID that identifies each instance of setuphost.exe. - **ReportId** For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim. 
-- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. - **Setup360Result** The result of Setup360. This is an HRESULT error code that is used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT +- **Setup360Scenario** The Setup360 flow type, Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** A string to uniquely identify a group of events. - **WuId** Windows Update client ID. -- **FlightData** Unique value that identifies the flight. ### Setup360Telemetry.Setup360 
@@ -4389,13 +4499,29 @@ This event sends data about OS deployment scenarios, to help keep Windows up-to- The following fields are available: +- **ClientId** Retrieves the upgrade ID. In the Windows Update scenario, this will be the Windows Update client ID. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **FieldName** Retrieves the data point. - **FlightData** Specifies a unique identifier for each group of Windows Insider builds. - **InstanceId** Retrieves a unique identifier for each instance of a setup session. - **ReportId** Retrieves the report ID. - **ScenarioId** Retrieves the deployment scenario. - **Value** Retrieves the value associated with the corresponding FieldName. -- **ClientId** Retrieves the upgrade ID: Upgrades via Windows Update - specifies the WU clientID. All other deployment - static string. + + +### Setup360Telemetry.Setup360DynamicUpdate + +This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date. + +The following fields are available: + +- **FlightData** Specifies a unique identifier for each group of Windows Insider builds. +- **InstanceId** Retrieves a unique identifier for each instance of a setup session. +- **Operation** Facilitator’s last known operation (scan, download, etc.). +- **ReportId** ID for tying together events stream side. +- **ResultCode** Result returned by setup for the entire operation. +- **Scenario** Dynamic Update scenario (Image DU, or Setup DU). +- **TargetBranch** Branch of the target OS. +- **TargetBuild** Build of the target OS. ### Setup360Telemetry.UnexpectedEvent 
@@ -4405,19 +4531,19 @@ This event sends data indicating that the device has invoked the unexpected even The following fields are available: - **ClientId** With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightData** Unique value that identifies the flight. - **HostOSBuildNumber** The build number of the previous OS. - **HostOsSkuName** The OS edition which is running Setup360 instance (previous OS). - **InstanceId** A unique GUID that identifies each instance of setuphost.exe - **ReportId** With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim. -- **Setup360Extended** Extension of result - more granular information about phase/action when the potential failure happened -- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback -- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used to diagnose errors. -- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT +- **Setup360Extended** Detailed information about the phase/action when the potential failure occurred. +- **Setup360Mode** The phase of Setup360. Example: Predownload, Install, Finalize, Rollback. +- **Setup360Result** The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors. +- **Setup360Scenario** The Setup360 flow type. Example: Boot, Media, Update, MCT. - **SetupVersionBuildNumber** The build number of Setup360 (build number of target OS). -- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled +- **State** The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled. - **TestId** A string to uniquely identify a group of events. - **WuId** This is the Windows Update Client ID. 
With Windows Update, this is the same as the clientId. -- **FlightData** Unique value that identifies the flight. ## Windows as a Service diagnostic events 
@@ -4428,116 +4554,505 @@ Result of the WaaSMedic operation. The following fields are available: -- **detectionSummary** Result of each applicable detection that was ran. +- **detectionSummary** Result of each applicable detection that was run. - **featureAssessmentImpact** WaaS Assessment impact for feature updates. - **hrEngineResult** Error code from the engine operation. +- **insufficientSessions** Device not eligible for diagnostics. - **isManaged** Device is managed for updates. - **isWUConnected** Device is connected to Windows Update. - **noMoreActions** No more applicable diagnostics. -- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. -- **remediationSummary** Result of each applicable resolution that was ran. -- **usingBackupFeatureAssessment** Relying on backup feature assessment. +- **qualityAssessmentImpact** WaaS Assessment impact for quality updates. +- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on. +- **usingBackupFeatureAssessment** Relying on backup feature assessment. - **usingBackupQualityAssessment** Relying on backup quality assessment. -- **versionString** Version of the WaaSMedic engine. - **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run. - **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run. -- **insufficientSessions** Device not eligible for diagnostics. +- **versionString** Version of the WaaSMedic engine. -## Windows Error Reporting events - ## Windows Error Reporting MTT events ### Microsoft.Windows.WER.MTT.Denominator -This event provides a denominator to calculate MTTF (mean-time-to-failure) for crashes and other errors to help keep Windows up to date. 
+This event provides a denominator to calculate MTTF (mean-time-to-failure) for crashes and other errors, to help keep Windows up to date. The following fields are available: -- **Value** Standard UTC emitted DP value structure +- **Value** Standard UTC emitted DP value structure See [Microsoft.Windows.WER.MTT.Value](#microsoftwindowswermttvalue). + + +### Microsoft.Windows.WER.MTT.Value + +This event is used for differential privacy. + +The following fields are available: + +- **Algorithm** Privacy protecting algorithm used for randomization. +- **DPRange** Maximum mean value range. +- **DPValue** Randomized bit value (0 or 1) that can be reconstituted over a large population to estimate mean. +- **Epsilon** Constant used in algorithm for randomization. +- **HistType** Histogram type. +- **PertProb** Constant used in algorithm for randomization. + + +## Windows Store events + +### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation + +This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure. + +The following fields are available: + +- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed. +- **AttemptNumber** Number of retry attempts before it was canceled. +- **BundleId** The Item Bundle ID. +- **CategoryId** The Item Category ID. +- **ClientAppId** The identity of the app that initiated this operation. +- **HResult** The result code of the last action performed before this operation. +- **IsBundle** Is this a bundle? +- **IsInteractive** Was this requested by a user? +- **IsMandatory** Was this a mandatory update? +- **IsRemediation** Was this a remediation install? +- **IsRestore** Is this automatically restoring a previously acquired product? +- **IsUpdate** Flag indicating if this is an update. +- **ParentBundleId** The product ID of the parent (if this product is part of a bundle). 
+- **PFN** The product family name of the product being installed.
+- **ProductId** The identity of the package or packages being installed.
+- **SystemAttemptNumber** The total number of automatic attempts at installation before it was canceled.
+- **UserAttemptNumber** The total number of user attempts at installation before it was canceled.
+- **WUContentId** Licensing identity of this package.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds
+
+This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure.
+
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare
+
+This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure.
+
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation
+
+This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all package or packages to be downloaded and installed.
+- **AttemptNumber** Total number of installation attempts.
+- **BundleId** The identity of the Windows Insider build that is associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Was this requested by a user?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this an automatic restore of a previously acquired product?
+- **IsUpdate** Is this a product update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of all packages to be downloaded and installed.
+- **PreviousHResult** The previous HResult code.
+- **PreviousInstallState** Previous installation state before it was canceled.
+- **ProductId** The name of the package or packages requested for installation.
+- **RelatedCV** Correlation Vector of a previous performed action on this product.
+- **SystemAttemptNumber** Total number of automatic attempts to install before it was canceled.
+- **UserAttemptNumber** Total number of user attempts to install before it was canceled.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest
+
+This event is sent at the end of app installations or updates to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **CatalogId** The Store Product ID of the app being installed.
+- **HResult** HResult code of the action being performed.
+- **IsBundle** Is this a bundle?
+- **PackageFamilyName** The name of the package being installed.
+- **ProductId** The Store Product ID of the product being installed.
+- **SkuId** Specific edition of the item being installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense
+
+This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** Includes a set of package full names for each app that is part of an atomic set.
+- **AttemptNumber** The total number of attempts to acquire this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** HResult code to show the result of the operation (success/failure).
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Did the user initiate the installation?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this happening after a device restore?
+- **IsUpdate** Is this an update?
+- **PFN** Product Family Name of the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The number of attempts by the system to acquire this product.
+- **UserAttemptNumber** The number of attempts by the user to acquire this product
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndDownload
+
+This event is sent after an app is downloaded to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
+- **AttemptNumber** Number of retry attempts before it was canceled.
+- **BundleId** The identity of the Windows Insider build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **DownloadSize** The total size of the download.
+- **ExtendedHResult** Any extended HResult error codes.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this initiated by the user?
+- **IsMandatory** Is this a mandatory installation?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this a restore of a previously acquired product?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The parent bundle ID (if it's part of a bundle).
+- **PFN** The Product Family Name of the app being download.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The number of attempts by the system to download.
+- **UserAttemptNumber** The number of attempts by the user to download.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate
+
+This event is sent when an app update requires an updated Framework package and the process starts to download it. It is used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed before this operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds
+
+This event is sent after sending the inventory of the products installed to determine whether updates for those products are available. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed before this operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndInstall
+
+This event is sent after a product has been installed to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **ExtendedHResult** The extended HResult error code.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this an interactive installation?
+- **IsMandatory** Is this a mandatory installation?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this automatically restoring a previously acquired product?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** Product Family Name of the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates
+
+This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IsApplicability** Is this request to only check if there are any applicable packages to install?
+- **IsInteractive** Is this user requested?
+- **IsOnline** Is the request doing an online check?
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages
+
+This event is sent after searching for update packages to install. It is used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData
+
+This event is sent after restoring user data (if any) that needs to be restored following a product install. It is used to keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The name of all packages to be downloaded and installed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **ProductId** The Store Product ID for the product being installed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of system attempts.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare
+
+This event happens after a scan for available app updates. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult** The result code of the last action performed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete
+
+This event is sent at the end of an app install or update to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **CatalogId** The name of the product catalog from which this app was chosen.
+- **FailedRetry** Indicates whether the installation or update retry was successful.
+- **HResult** The HResult code of the operation.
+- **PFN** The Package Family Name of the app that is being installed or updated.
+- **ProductId** The product ID of the app that is being updated or installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate
+
+This event is sent at the beginning of an app install or update to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **CatalogId** The name of the product catalog from which this app was chosen.
+- **PFN** The Package Family Name of the app that is being installed or updated.
+- **ProductId** The product ID of the app that is being updated or installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest
+
+This event is sent when a product install or update is initiated, to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **BundleId** The identity of the build associated with this product.
+- **CatalogId** If this product is from a private catalog, the Store Product ID for the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SkuId** Specific edition ID being installed.
+- **VolumePath** The disk path of the installation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation
+
+This event is sent when a product install or update is paused (either by a user or the system), to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The total number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The Product Full Name.
+- **PreviousHResult** The result code of the last action performed before this operation.
+- **PreviousInstallState** Previous state before the installation or update was paused.
+- **ProductId** The Store Product ID for the product being installed.
+- **RelatedCV** Correlation Vector of a previous performed action on this product.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation
+
+This event is sent when a product install or update is resumed (either by a user or the system), to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames** The names of all packages to be downloaded and installed.
+- **AttemptNumber** The number of retry attempts before it was canceled.
+- **BundleId** The identity of the build associated with this product.
+- **CategoryId** The identity of the package or packages being installed.
+- **ClientAppId** The identity of the app that initiated this operation.
+- **HResult** The result code of the last action performed before this operation.
+- **IsBundle** Is this a bundle?
+- **IsInteractive** Is this user requested?
+- **IsMandatory** Is this a mandatory update?
+- **IsRemediation** Is this repairing a previous installation?
+- **IsRestore** Is this restoring previously acquired content?
+- **IsUpdate** Is this an update?
+- **IsUserRetry** Did the user initiate the retry?
+- **ParentBundleId** The product ID of the parent (if this product is part of a bundle).
+- **PFN** The name of the package or packages requested for install.
+- **PreviousHResult** The previous HResult error code.
+- **PreviousInstallState** Previous state before the installation was paused.
+- **ProductId** The Store Product ID for the product being installed.
+- **RelatedCV** Correlation Vector for the original install before it was resumed.
+- **SystemAttemptNumber** The total number of system attempts.
+- **UserAttemptNumber** The total number of user attempts.
+- **WUContentId** The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest
+
+This event is sent when a product install or update is resumed by a user or on installation retries, to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ProductId** The Store Product ID for the product being installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest
+
+This event is sent when searching for update packages to install, to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **CatalogId** The Store Catalog ID for the product being installed.
+- **ProductId** The Store Product ID for the product being installed.
+- **SkuId** Specfic edition of the app being updated.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest
+
+This event occurs when an update is requested for an app, to help keep Windows up-to-date and secure.
+ +The following fields are available: + +- **PFamN** The name of the app that is requested for update. ## Windows Update CSP events ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureFailed -The Execute Rollback Feature Failed event sends basic telemetry on the failure of the Feature Rollback. This functionality supports our feature by providing IT Admins the ability to see the operation failed, allowing them to do further triage of the device. +This event sends basic telemetry on the failure of the Feature Rollback. The following fields are available: -- **current** Result of currency check -- **dismOperationSucceeded** Dism uninstall operation status -- **hResult** Failure Error code -- **oSVersion** Build number of the machine -- **paused** Machine's pause status -- **rebootRequestSucceeded** Reboot CSP call success status -- **wUfBConnected** Result of WUfB connection check +- **current** Result of currency check. +- **dismOperationSucceeded** Dism uninstall operation status. +- **hResult** Failure error code. +- **oSVersion** Build number of the device. +- **paused** Indicates whether the device is paused. +- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. +- **wUfBConnected** Result of WUfB connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable -The Execute Rollback Feature Not Applicable event sends basic telemetry on the applicability of the Feature Rollback, to support the functionality of Feature Rollback. This event provides critical information for the feature because it will alert IT Admins that devices they are attempting to rollback Features updates are not applicable. +This event sends basic telemetry on whether Feature Rollback (rolling back features updates) is applicable to a device. 
The following fields are available: -- **current** Result of currency check -- **dismOperationSucceeded** Dism uninstall operation status -- **oSVersion** Build number of the machine -- **paused** Machine's pause status -- **rebootRequestSucceeded** Reboot CSP call success status -- **wUfBConnected** Result of WUfB connection check +- **current** Result of currency check. +- **dismOperationSucceeded** Dism uninstall operation status. +- **oSVersion** Build number of the device. +- **paused** Indicates whether the device is paused. +- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. +- **wUfBConnected** Result of WUfB connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted -The Execute Rollback Feature Started event sends basic information on the start process to provide information that the Feature Rollback has started. +This event sends basic information indicating that Feature Rollback has started. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureSucceeded -The Execute Rollback Feature Succeed event sends basic telemetry on the success of the Rollback of the Feature updates. This functionality supports our feature by providing insights to IT Admins of the success of the Feature rollback. +This event sends basic telemetry on the success of the rollback of feature updates. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityFailed -The Execute Rollback Quality Failed event sends basic telemetry on the failure of the rollback of the Quality/LCU builds. This functionality supports our feature by providing IT Admins the ability to see the operation failed allowing them to do further triage of the device. +This event sends basic telemetry on the failure of the rollback of the Quality/LCU builds. 
The following fields are available: -- **current** Result of currency check -- **dismOperationSucceeded** Dism uninstall operation status -- **hResult** Failure Error code -- **oSVersion** Build number of the machine -- **paused** Machine's pause status -- **rebootRequestSucceeded** Reboot CSP call success status -- **wUfBConnected** Result of WUfB connection check +- **current** Result of currency check. +- **dismOperationSucceeded** Dism uninstall operation status. +- **hResult** Failure error code. +- **oSVersion** Build number of the device. +- **paused** Indicates whether the device is paused. +- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. +- **wUfBConnected** Result of Windows Update for Business connection check. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityNotApplicable -The Execute Rollback Quality Not Applicable event sends basic telemetry on the applicability of the Quality Rollback, to support the functionality of Quality Rollback. This event provides critical information for feature because it will alert IT Admins that devices they are attempting to rollback Quality updates are not applicable. +This event informs you whether a rollback of Quality updates is applicable to the devices that you are attempting to rollback. The following fields are available: -- **current** Result of currency check -- **dismOperationSucceeded** Dism uninstall operation status -- **oSVersion** Build number of the machine -- **paused** Machine's pause status -- **rebootRequestSucceeded** Reboot CSP call success status -- **wUfBConnected** Result of WUfB connection check +- **current** Result of currency check. +- **dismOperationSucceeded** Dism uninstall operation status. +- **oSVersion** Build number of the device. +- **paused** Indicates whether the device is paused. +- **rebootRequestSucceeded** Reboot Configuration Service Provider (CSP) call success status. +- **wUfBConnected** Result of WUfB connection check. 
### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted -The Execute Rollback Quality Started event sends basic information on the start process to provide information that the Quality Rollback has started. +This event indicates that the Quality Rollback process has started. ### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualitySucceeded -The Execute Rollback Quality Succeed event sends basic telemetry on the success of the rollback of the Quality/LCU builds. This functionality supports our feature by providing insights to IT Admins of the success of the Quality rollback. +This event sends basic telemetry on the success of the rollback of the Quality/LCU builds. 
@@ -4549,37 +5064,37 @@ This event sends data describing the start of a new download to enable Delivery The following fields are available: -- **background** If the download is happening in the background -- **bytesRequested** Number of bytes requested for download. -- **cdnUrl** Url of the source CDN -- **costFlags** Network cost flags -- **deviceProfile** Identifies the usage or form factor (Desktop, Xbox, VM, etc) -- **diceRoll** Random number used for determining if a client will use peering -- **doClientVersion** Version of the Delivery Optimization client -- **doErrorCode** Delivery Optimization error code returned -- **downloadMode** DownloadMode used (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100) -- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider: 0, GeoProvider: 1, GeoVerProvider: 2, CpProvider: 3, DiscoveryProvider: 4, RegistryProvider: 5, GroupPolicyProvider: 6, MdmProvider: 7, SettingsProvider: 8, InvalidProviderType: 9) -- **errorCode** Error code returned -- **experimentId** Used to correlate client/services calls that are part of the same test during A/B testing -- **fileID** ID of the File being downloaded -- **filePath** Path to where the downloaded file will be written -- **fileSize** Total filesize of the file that was downloaded -- **fileSizeCaller** Value for total file size provided by our caller -- **groupID** ID for the group -- **isVpn** If the machine is connected to a Virtual Private Network -- **jobID** Identifier for the Windows Update Job -- **peerID** ID for this Delivery Optimization client -- **predefinedCallerName** Name of the API caller -- **sessionID** ID for the file download session -- **setConfigs** ID of the update being downloaded -- **updateID** ID for the file download session -- **usedMemoryStream** If the download is using memory streaming in App downloads -- **callerName** Name of the API Caller -- **minDiskSizeGB** The minimum disk size policy set for the device to allow 
Peering with Delivery Optimization -- **minDiskSizePolicyEnforced** If there is an enforced mininum disk size requirement for peering -- **minFileSizePolicy** The minimum file size policy set for the device to allow Peering with Delivery Optimization -- **scenarioID** ID for the Scenario -- **isEncrypted** Whether the download is encrypted +- **background** Indicates whether the download is happening in the background. +- **bytesRequested** Number of bytes requested for the download. +- **callerName** Name of the API caller. +- **cdnUrl** The URL of the source CDN +- **costFlags** A set of flags representing network cost. +- **deviceProfile** Identifies the usage or form factor (such as Desktop, Xbox, or VM). +- **diceRoll** Random number used for determining if a client will use peering. +- **doClientVersion** The version of the Delivery Optimization client. +- **doErrorCode** The Delivery Optimization error code that was returned. +- **downloadMode** The download mode used for this file download session (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100). +- **downloadModeSrc** Source of the DownloadMode setting (KvsProvider = 0, GeoProvider = 1, GeoVerProvider = 2, CpProvider = 3, DiscoveryProvider = 4, RegistryProvider = 5, GroupPolicyProvider = 6, MdmProvider = 7, SettingsProvider = 8, InvalidProviderType = 9). +- **errorCode** The error code that was returned. +- **experimentId** ID used to correlate client/services calls that are part of the same test during A/B testing. +- **fileID** The ID of the file being downloaded. +- **filePath** The path to where the downloaded file will be written. +- **fileSize** Total file size of the file that was downloaded. +- **fileSizeCaller** Value for total file size provided by our caller. +- **groupID** ID for the group. +- **isEncrypted** Indicates whether the download is encrypted. +- **isVpn** Indicates whether the device is connected to a Virtual Private Network. 
+- **jobID** The ID of the Windows Update job. +- **minDiskSizeGB** The minimum disk size (in GB) policy set for the device to allow peering with delivery optimization. +- **minDiskSizePolicyEnforced** Indicates whether there is an enforced minimum disk size requirement for peering. +- **minFileSizePolicy** The minimum content file size policy to allow the download using peering with delivery optimization. +- **peerID** The ID for this delivery optimization client. +- **predefinedCallerName** Name of the API caller. +- **scenarioID** The ID of the scenario. +- **sessionID** The ID for the file download session. +- **setConfigs** A JSON representation of the configurations that have been set, and their sources. +- **updateID** The ID of the update being downloaded. +- **usedMemoryStream** Indicates whether the download used memory streaming. ## Windows Update events 
@@ -4591,328 +5106,328 @@ This event collects information regarding the state of devices and drivers on th The following fields are available: - **activated** Whether the entire device manifest update is considered activated and in use. -- **analysisErrorCount** How many driver packages that could not be analyzed because errors were hit during the analysis. -- **flightId** Unique ID for each flight. -- **missingDriverCount** How many driver packages that were delivered by the device manifest that are missing from the system. -- **missingUpdateCount** How many updates that were part of the device manifest that are missing from the system. -- **objectId** Unique value for each diagnostics session. -- **publishedCount** How many drivers packages that were delivered by the device manifest that are published and available to be used on devices. -- **relatedCV** Correlation vector value generated from the latest USO scan. -- **scenarioId** Indicates the update scenario. -- **sessionId** Unique value for each update session. -- **summary** A summary string that contains some basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match on. +- **analysisErrorCount** How many driver packages could not be analyzed because errors were hit during the analysis. +- **flightId** Unique ID for each flight. +- **missingDriverCount** How many driver packages that were delivered by the device manifest are missing from the system. +- **missingUpdateCount** How many updates that were part of the device manifest are missing from the system. +- **objectId** Unique value for each diagnostics session. +- **publishedCount** How many drivers packages that were delivered by the device manifest are published and available to be used on devices. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **scenarioId** Indicates the update scenario. 
+- **sessionId** Unique value for each update session. +- **summary** A summary string that contains some basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match. - **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string. -- **truncatedDeviceCount** How many devices are missing from the summary string due to there not being enough room in the string. -- **truncatedDriverCount** How many driver packages are missing from the summary string due to there not being enough room in the string. +- **truncatedDeviceCount** How many devices are missing from the summary string because there is not enough room in the string. +- **truncatedDriverCount** How many driver packages are missing from the summary string because there is not enough room in the string. - **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices. -- **updateId** Unique ID for each Update. +- **updateId** Unique ID for each update. ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit -This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages +This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. 
The following fields are available: -- **errorCode** The error code returned for the current session initialization -- **flightId** The unique identifier for each flight -- **objectId** The unique GUID for each diagnostics session -- **relatedCV** A correlation vector value, generated from the latest USO scan -- **result** Outcome of the initialization of the session -- **scenarioId** Identifies the Update scenario -- **sessionId** The unique value for each update session -- **updateId** The unique identifier for each Update +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **objectId** The unique GUID for each diagnostics session. +- **relatedCV** A correlation vector value generated from the latest USO scan. +- **result** Outcome of the initialization of the session. +- **scenarioId** Identifies the Update scenario. +- **sessionId** The unique value for each update session. +- **updateId** The unique identifier for each Update. ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest -This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages +This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. 
The following fields are available: -- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted -- **errorCode** The error code returned for the current session initialization -- **flightId** The unique identifier for each flight -- **objectId** Unique value for each Update Agent mode -- **packageCountOptional** Number of optional packages requested -- **packageCountRequired** Number of required packages requested -- **packageCountTotal** Total number of packages needed -- **packageCountTotalCanonical** Total number of canonical packages -- **packageCountTotalDiff** Total number of diff packages -- **packageCountTotalExpress** Total number of express packages -- **packageSizeCanonical** Size of canonical packages in bytes -- **packageSizeDiff** Size of diff packages in bytes -- **packageSizeExpress** Size of express packages in bytes -- **rangeRequestState** Represents the state of the download range request -- **relatedCV** Correlation vector value generated from the latest USO scan -- **result** Result of the download request phase of update -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **sessionId** Unique value for each Update Agent mode attempt -- **updateId** Unique ID for each update +- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted. +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **objectId** Unique value for each Update Agent mode. +- **packageCountOptional** Number of optional packages requested. +- **packageCountRequired** Number of required packages requested. +- **packageCountTotal** Total number of packages needed. +- **packageCountTotalCanonical** Total number of canonical packages. +- **packageCountTotalDiff** Total number of diff packages. 
+- **packageCountTotalExpress** Total number of express packages. +- **packageSizeCanonical** Size of canonical packages in bytes. +- **packageSizeDiff** Size of diff packages in bytes. +- **packageSizeExpress** Size of express packages in bytes. +- **rangeRequestState** Represents the state of the download range request. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Result of the download request phase of update. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique ID for each update. ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize -This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages +This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. The following fields are available: -- **errorCode** The error code returned for the current initialize phase -- **flightId** The unique identifier for each flight -- **flightMetadata** Contains the FlightId and the build being flighted -- **objectId** Unique value for each Update Agent mode -- **relatedCV** Correlation vector value generated from the latest USO scan -- **result** Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled -- **scenarioId** The scenario ID. 
Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios) -- **sessionId** Unique value for each Update Agent mode attempt -- **updateId** Unique ID for each update +- **errorCode** The error code returned for the current session initialization. +- **flightId** The unique identifier for each flight. +- **flightMetadata** Contains the FlightId and the build being flighted. +- **objectId** Unique value for each Update Agent mode. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled. +- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate. +- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios). +- **sessionId** Unique value for each Update Agent mode attempt. +- **updateId** Unique ID for each update. ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall -This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages +This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. The following fields are available: -- **errorCode** The error code returned for the current install phase -- **flightId** The unique identifier for each flight -- **objectId** Unique value for each Update Agent mode -- **relatedCV** Correlation vector value generated from the latest scan -- **result** Result of the install phase of update. 
0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **sessionId** Unique value for each Update Agent mode attempt -- **updateId** Unique ID for each update +- **errorCode** The error code returned for the current install phase. +- **flightId** Unique ID for each flight. +- **objectId** Unique value for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **result** Outcome of the install phase of the update. +- **scenarioId** Indicates the update scenario. +- **sessionId** Unique value for each update session. +- **updateId** Unique ID for each Update. ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart -This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages. +This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages. The following fields are available: -- **flightId** The unique identifier for each flight -- **mode** Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit -- **objectId** Unique value for each Update Agent mode -- **relatedCV** Correlation vector value generated from the latest scan -- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate -- **sessionId** Unique value for each Update Agent mode attempt -- **updateId** Unique ID for each update +- **flightId** Unique ID for each flight. +- **mode** The mode that is starting. 
+- **objectId** Unique value for each diagnostics session. +- **relatedCV** Correlation vector value generated from the latest USO scan. +- **scenarioId** Indicates the update scenario. +- **sessionId** Unique value for each update session. +- **updateId** Unique ID for each Update. ### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed -Dialog notification about to be displayed to user. +This event indicates that a notification dialog box is about to be displayed to user. The following fields are available: -- **AcceptAutoModeLimit** Maximum number of days for a device to automatically enter Auto Reboot mode -- **AutoToAutoFailedLimit** Maximum number of days for Auto Reboot mode to fail before RebootFailed dialog will be shown -- **DeviceLocalTime** Time of dialog shown on local device -- **EngagedModeLimit** Number of days to switch between DTE dialogs -- **EnterAutoModeLimit** Maximum number of days for a device to enter Auto Reboot mode -- **ETag** OneSettings versioning value -- **IsForcedEnabled** Is Forced Reboot mode enabled for this device? -- **IsUltimateForcedEnabled** Is Ultimate Forced Reboot mode enabled for this device? -- **NotificationUxState** Which dialog is shown (ENUM)? -- **NotificationUxStateString** Which dialog is shown (string mapping)? -- **RebootUxState** Engaged/Auto/Forced/UltimateForced -- **RebootUxStateString** Engaged/Auto/Forced/UltimateForced -- **RebootVersion** Version of DTE -- **SkipToAutoModeLimit** The minimum length of time to pass in reboot pending before a machine can be put into auto mode -- **UpdateId** The ID of the update that is pending reboot to finish installation -- **UpdateRevision** The revision of the update that is pending reboot to finish installation -- **UtcTime** The Coordinated Universal Time when the dialog notification will be displayed. -- **DaysSinceRebootRequired** Number of days since reboot was required. 
+- **AcceptAutoModeLimit** The maximum number of days for a device to automatically enter Auto Reboot mode. +- **AutoToAutoFailedLimit** The maximum number of days for Auto Reboot mode to fail before the RebootFailed dialog box is shown. +- **DaysSinceRebootRequired** Number of days since restart was required. +- **DeviceLocalTime** The local time on the device sending the event. +- **EngagedModeLimit** The number of days to switch between DTE dialog boxes. +- **EnterAutoModeLimit** The maximum number of days for a device to enter Auto Reboot mode. +- **ETag** OneSettings versioning value. +- **IsForcedEnabled** Indicates whether Forced Reboot mode is enabled for this device. +- **IsUltimateForcedEnabled** Indicates whether Ultimate Forced Reboot mode is enabled for this device. +- **NotificationUxState** Indicates which dialog box is shown. +- **NotificationUxStateString** Indicates which dialog box is shown. +- **RebootUxState** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootUxStateString** Indicates the state of the restart (Engaged, Auto, Forced, or UltimateForced). +- **RebootVersion** Version of DTE. +- **SkipToAutoModeLimit** The minimum length of time to pass in restart pending before a device can be put into auto mode. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UtcTime** The time the dialog box notification will be displayed, in Coordinated Universal Time. ### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog -Enhanced Engaged reboot accept auto dialog was displayed. +This event indicates that the Enhanced Engaged restart "accept automatically" dialog box was displayed. 
The following fields are available: -- **DeviceLocalTime** Local time of the device sending the event -- **ETag** OneSettings ETag -- **ExitCode** Dialog exit code - user response -- **RebootVersion** Reboot flow version -- **UpdateId** Id of pending update -- **UpdateRevision** Revision number of the pending update -- **UserResponseString** User response to the reboot dialog -- **UtcTime** The Coordinated Universal Time that dialog was displayed +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose on this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. ### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog -Enhanced Engaged reboot first reminder dialog was displayed. +This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed. The following fields are available: -- **DeviceLocalTime** Time of dialog shown on local device -- **ETag** OneSettings versioning value -- **ExitCode** Indicates how users exited the dialog -- **RebootVersion** Version of DTE -- **UpdateId** The id of the update that is pending reboot to finish installation -- **UpdateRevision** The revision of the update that is pending reboot to finish installation -- **UserResponseString** The option that user chose on this dialog -- **UtcTime** The Coordinated Universal Time that dialog was displayed +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. 
+- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. ### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootForcedPrecursorDialog -Enhanced Engaged reboot forced precursor dialog was displayed. +This event indicates that the Enhanced Engaged restart "forced precursor" dialog box was displayed. The following fields are available: -- **DeviceLocalTime** Time of dialog shown on local device -- **ETag** OneSettings versioning value -- **ExitCode** Indicates how users exited the dialog -- **RebootVersion** Version of DTE -- **UpdateId** The id of the update that is pending reboot to finish installation -- **UpdateRevision** The revision of the update that is pending reboot to finish installation -- **UserResponseString** The option that user chose on this dialog -- **UtcTime** The Coordinated Universal Time that dialog was displayed +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. +- **UtcTime** The time the dialog box was displayed, in Coordinated Universal Time. ### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootForcedWarningDialog -Enhanced Engaged forced warning dialog was displayed. +This event indicates that the Enhanced Engaged "forced warning" dialog box was displayed. 
The following fields are available: -- **DeviceLocalTime** Time of dialog shown on local device -- **ETag** OneSettings versioning value -- **ExitCode** Indicates how users exited the dialog -- **RebootVersion** Version of DTE -- **UpdateId** The id of the update that is pending reboot to finish installation -- **UpdateRevision** The revision of the update that is pending reboot to finish installation -- **UserResponseString** The option that user chose on this dialog -- **UtcTime** The Coordinated Universal Time that dialog was displayed +- **DeviceLocalTime** The local time on the device sending the event. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. ### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog -Enhanced Engaged reboot reboot failed dialog was displayed. +This event indicates that the Enhanced Engaged restart "restart failed" dialog box was displayed. The following fields are available: -- **DeviceLocalTime** Dialog exit code - user response -- **ETag** OneSettings versioning value -- **ExitCode** Indicates how users exited the dialog -- **RebootVersion** Version of DTE -- **UpdateId** The ID of the update that is pending reboot to finish installation -- **UpdateRevision** The revision of the update that is pending reboot to finish installation -- **UserResponseString** The option that user chose on this dialog -- **UtcTime** The Coordinated Universal Time that dialog was displayed +- **DeviceLocalTime** The local time of the device sending the event. 
+- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. ### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog -Enhanced Engaged reboot reboot imminent dialog was displayed. +This event indicates that the Enhanced Engaged restart "restart imminent" dialog box was displayed.. The following fields are available: -- **DeviceLocalTime** Time of dialog shown on local device -- **ETag** OneSettings versioning value -- **ExitCode** Indicates how users exited the dialog -- **RebootVersion** Version of DTE -- **UpdateId** The ID of the update that is pending reboot to finish installation -- **UpdateRevision** The revision of the update that is pending reboot to finish installation -- **UserResponseString** The option that user chose on this dialog -- **UtcTime** The Coordinated Universal Time that dialog was displayed +- **DeviceLocalTime** Time the dialog box was shown on the local device. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that user chose in this dialog box. +- **UtcTime** The time that dialog box was displayed, in Coordinated Universal Time. ### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootSecondReminderDialog -Enhanced Engaged reboot second reminder dialog was displayed. 
+This event indicates that the second reminder dialog box was displayed for Enhanced Engaged restart. The following fields are available: -- **DeviceLocalTime** Time of dialog shown on local device -- **ETag** OneSettings versioning value -- **ExitCode** Indicates how users exited the dialog -- **RebootVersion** Version of DTE -- **UpdateId** The ID of the update that is pending reboot to finish installation -- **UpdateRevision** The revision of the update that is pending reboot to finish installation -- **UserResponseString** The option that user chose on this dialog -- **UtcTime** The Coordinated Universal Time that dialog was displayed +- **DeviceLocalTime** The time the dialog box was shown on the local device. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. ### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootThirdReminderDialog -Enhanced Engaged reboot third reminder dialog was displayed. +This event indicates that the third reminder dialog box for Enhanced Engaged restart was displayed. 
The following fields are available: -- **DeviceLocalTime** Time of dialog shown on local device -- **ETag** OneSettings versioning value -- **ExitCode** Indicates how users exited the dialog -- **RebootVersion** Version of DTE -- **UpdateId** The ID of the update that is pending reboot to finish installation -- **UpdateRevision** The revision of the update that is pending reboot to finish installation -- **UserResponseString** The option that user chose on this dialog -- **UtcTime** The Coordinated Universal Time that dialog was displayed +- **DeviceLocalTime** The time the dialog box was shown on the local device. +- **ETag** OneSettings versioning value. +- **ExitCode** Indicates how users exited the dialog box. +- **RebootVersion** Version of DTE. +- **UpdateId** The ID of the update that is pending restart to finish installation. +- **UpdateRevision** The revision of the update that is pending restart to finish installation. +- **UserResponseString** The option that the user chose in this dialog box. +- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time. ### Microsoft.Windows.Update.NotificationUx.RebootScheduled -Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update +Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update. The following fields are available: -- **activeHoursApplicable** True, If Active Hours applicable on this device. False, otherwise -- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action -- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise -- **rebootScheduledByUser** True, if a reboot is scheduled by user. 
False, if a reboot is scheduled automatically -- **rebootState** The state of the reboot -- **revisionNumber** Revision number of the update that is getting installed with this reboot -- **scheduledRebootTime** Time of the scheduled reboot -- **scheduledRebootTimeInUTC** Time of the scheduled reboot in Coordinated Universal Time -- **updateId** ID of the update that is getting installed with this reboot -- **wuDeviceid** Unique device ID used by Windows Update -- **IsEnhancedEngagedReboot** Whether this is an Enhanced Engaged reboot +- **activeHoursApplicable** Indicates whether an Active Hours policy is present on the device. +- **IsEnhancedEngagedReboot** Indicates whether this is an Enhanced Engaged reboot. +- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. +- **rebootOutsideOfActiveHours** Indicates whether a restart is scheduled outside of active hours. +- **rebootScheduledByUser** Indicates whether the restart was scheduled by user (if not, it was scheduled automatically). +- **rebootState** The current state of the restart. +- **revisionNumber** Revision number of the update that is getting installed with this restart. +- **scheduledRebootTime** Time of the scheduled restart. +- **scheduledRebootTimeInUTC** Time of the scheduled restart in Coordinated Universal Time. +- **updateId** ID of the update that is getting installed with this restart. +- **wuDeviceid** Unique device ID used by Windows Update. ### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy -A policy is present that may restrict update activity to outside of active hours. +This event indicates a policy is present that may restrict update activity to outside of active hours. The following fields are available: -- **activeHoursEnd** The end of the active hours window -- **activeHoursStart** The start of the active hours window -- **wuDeviceid** Device ID +- **activeHoursEnd** The end of the active hours window. 
+- **activeHoursStart** The start of the active hours window. +- **wuDeviceid** Unique device ID used by Windows Update. ### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours -Update activity blocked due to active hours being currently active. +This event indicates that update activity was blocked because it is within the active hours window. The following fields are available: -- **blockReason** The current state of the update process -- **updatePhase** The current state of the update process -- **wuDeviceid** Device ID -- **activeHoursEnd** The end of the active hours window -- **activeHoursStart** The start of the active hours window +- **activeHoursEnd** The end of the active hours window. +- **activeHoursStart** The start of the active hours window. +- **blockReason** Reason for stopping the update activity. +- **updatePhase** The current state of the update process. +- **wuDeviceid** Unique device ID used by Windows Update. ### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel -Update activity blocked due to low battery level. +This event indicates that Windows Update activity was blocked due to low battery level. The following fields are available: -- **batteryLevel** The current battery charge capacitity -- **batteryLevelThreshold** The battery capacity threshold to stop update activity -- **blockReason** The current state of the update process -- **updatePhase** The current state of the update process -- **wuDeviceid** Device ID +- **batteryLevel** The current battery charge capacity. +- **batteryLevelThreshold** The battery capacity threshold to stop update activity. +- **blockReason** Reason for stopping Windows Update activity. +- **updatePhase** The current state of the update process. +- **wuDeviceid** Device ID. ### Microsoft.Windows.Update.Orchestrator.CommitFailed -This events tracks when a device needs to restart after an update but did not. +This event indicates that a device was unable to restart after an update. 
The following fields are available: 
@@ -4920,89 +5435,60 @@ The following fields are available:
 - **wuDeviceid** The Windows Update device GUID.
 
 
-### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit
-
-Event to indicate that DTU completed installation of the ESD, when WU was already Pending Commit of the feature update.
-
-The following fields are available:
-
-- **wuDeviceid** Device ID used by WU
-
-
-### Microsoft.Windows.Update.Orchestrator.DTUEnabled
-
-Inbox DTU functionality enabled.
-
-The following fields are available:
-
-- **wuDeviceid** Device ID.
-
-
-### Microsoft.Windows.Update.Orchestrator.DTUInitiated
-
-Inbox DTU functionality intiated.
-
-The following fields are available:
-
-- **dtuErrorCode** Return code from creating the DTU Com Server.
-- **isDtuApplicable** Determination of whether DTU is applicable to the machine it is running on.
-- **wuDeviceid** Return code from creating the DTU Com Server.
-
-
 ### Microsoft.Windows.Update.Orchestrator.DeferRestart
 
-Indicates that a restart required for installing updates was postponed.
+This event indicates that a restart required for installing updates was postponed.
 
 The following fields are available:
 
-- **displayNeededReason** Semicolon-separated list of reasons reported for display needed
-- **eventScenario** Indicates the purpose of the event - whether because scan started, succeded, failed, etc
-- **filteredDeferReason** The raised reason that the USO did not restart (e.g. user active, low battery) that were ignorable
-- **gameModeReason** Name of the executable that caused the game mode state check to trigger.
-- **ignoredReason** Semicolon-separated list of reasons that were intentionally ignored.
-- **revisionNumber** Update ID revision number
-- **systemNeededReason** Semicolon-separated list of reasons reported for system needed.
-- **updateId** Update ID
-- **updateScenarioType** Update session type
-- **wuDeviceid** Windows Update Device GUID
-- **raisedDeferReason** The reason that the USO did not restart (e.g. user active, low battery)
+- **displayNeededReason** List of reasons for needing display.
+- **eventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.).
+- **filteredDeferReason** Applicable filtered reasons why reboot was postponed (such as user active, or low battery).
+- **gameModeReason** Name of the executable that caused the game mode state check to start.
+- **ignoredReason** List of reasons that were intentionally ignored.
+- **raisedDeferReason** Indicates all potential reasons for postponing restart (such as user active, or low battery).
+- **revisionNumber** Update ID revision number.
+- **systemNeededReason** List of reasons why system is needed.
+- **updateId** Update ID.
+- **updateScenarioType** Update session type.
+- **wuDeviceid** Unique device ID used by Windows Update.
 
 
 ### Microsoft.Windows.Update.Orchestrator.Detection
 
-A scan for an update occurred.
+This event indicates that a scan for a Windows Update occurred.
 
 The following fields are available:
 
-- **detectionBlockingPolicy** State of update action
-- **detectionBlockreason** Reason for detection not completing.
-- **eventScenario** End to end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
-- **interactive** Identifies if session is User Initiated.
-- **scanTriggerSource** Source of the triggered scan.
-- **updateScenarioType** The update session type.
-- **wuDeviceid** Unique device ID used by Windows Update.
-- **detectionRetryMode** If we retry to scan
-- **errorCode** The returned error code.
-- **deferReason** Reason for postponing detection
-- **flightID** Flight info
-- **revisionNumber** Update version
-- **updateId** Update ID - GUID
+- **deferReason** Reason why the device could not check for updates.
+- **detectionBlockingPolicy** State of update action.
+- **detectionBlockreason** Reason for blocking detection
+- **detectionRetryMode** Indicates whether we will try to scan again.
+- **errorCode** Error info
+- **eventScenario** End-to-end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **interactive** Indicates whether the session was user initiated.
 - **networkStatus** Error info
+- **revisionNumber** Update revision number.
+- **scanTriggerSource** Source of the triggered scan.
+- **updateId** Update ID.
+- **updateScenarioType** Source of the triggered scan
+- **wuDeviceid** Device ID
 
 
 ### Microsoft.Windows.Update.Orchestrator.DisplayNeeded
 
-Reboot postponed due to needing a display
+This event indicates the reboot was postponed due to needing a display.
 
 The following fields are available:
 
-- **displayNeededReason** Reason the display is needed
-- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
-- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date
-- **revisionNumber** Revision number of the update
-- **updateId** Update ID
-- **updateScenarioType** The update session type
-- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date
+- **displayNeededReason** Reason the display is needed.
+- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours.
+- **revisionNumber** Revision number of the update.
+- **updateId** Update ID.
+- **updateScenarioType** The update session type.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated.
 - **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
 
 
@@ -5012,83 +5498,112 @@ This event sends launch data for a Windows Update download to help keep Windows
 
 The following fields are available:
 
-- **deferReason** Reason for download not completing
-- **errorCode** An error code represented as a hexadecimal value
-- **eventScenario** End to end update session ID.
-- **flightID** Unique update ID.
-- **interactive** Identifies if session is user initiated.
+- **deferReason** Reason for download not completing.
+- **errorCode** An error code represented as a hexadecimal value.
+- **eventScenario** End-to-end update session ID.
+- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **interactive** Indicates whether the session is user initiated.
 - **revisionNumber** Update revision number.
 - **updateId** Update ID.
 - **updateScenarioType** The update session type.
 - **wuDeviceid** Unique device ID used by Windows Update.
 
 
-### Microsoft.Windows.Update.Orchestrator.Escalation
+### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit
 
-Event sent when USO takes an Escalation action on device.
+This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update.
 
 The following fields are available:
 
-- **configVersion** Escalation config version on device
-- **escalationAction** Indicate the specific escalation action that took place on device
-- **updateClassificationGUID** GUID of the update the device is offered
-- **updateId** ID of the update the device is offered
-- **wuDeviceid** Device ID used by WU
+- **wuDeviceid** Device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.DTUEnabled
+
+This event indicates that Inbox DTU functionality was enabled.
+
+The following fields are available:
+
+- **wuDeviceid** Device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.DTUInitiated
+
+This event indicates that Inbox DTU functionality was intiated.
+
+The following fields are available:
+
+- **dtuErrorCode** Return code from creating the DTU Com Server.
+- **isDtuApplicable** Determination of whether DTU is applicable to the machine it is running on.
+- **wuDeviceid** Device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.Escalation
+
+This event is sent when USO takes an Escalation action on a device.
+
+The following fields are available:
+
+- **configVersion** Escalation config version on device.
+- **escalationAction** Indicate the specific escalation action that took place on device.
+- **updateClassificationGUID** GUID of the update the device is offered.
+- **updateId** ID of the update the device is offered.
+- **wuDeviceid** Device ID used by Windows Update.
 
 
 ### Microsoft.Windows.Update.Orchestrator.EscalationRiskLevels
 
-Event sent during update scan, download, install. Indicates that the device is at risk of being out-of-date.
+This event is sent during update scan, download, or install, and indicates that the device is at risk of being out-of-date.
 
 The following fields are available:
 
-- **configVersion** Escalation config version on device
-- **downloadElapsedTime** How long since the download is required on device
-- **downloadRiskLevel** At-risk level of download phase
-- **installElapsedTime** How long since the install is required on device
-- **installRiskLevel** At-risk level of install phase
-- **isSediment** WaaSmedic's assessment of whether is device is at risk or not
-- **scanElapsedTime** How long since the scan is required on device
-- **scanRiskLevel** At-risk level of scan phase
-- **wuDeviceid** Device id used by WU
+- **configVersion** Escalation config version on device .
+- **downloadElapsedTime** Indicates how long since the download is required on device.
+- **downloadRiskLevel** At-risk level of download phase.
+- **installElapsedTime** Indicates how long since the install is required on device.
+- **installRiskLevel** The at-risk level of install phase.
+- **isSediment** Assessment of whether is device is at risk.
+- **scanElapsedTime** Indicates how long since the scan is required on device.
+- **scanRiskLevel** At-risk level of the scan phase.
+- **wuDeviceid** Device ID used by Windows Update.
 
 
 ### Microsoft.Windows.Update.Orchestrator.EscalationsRefreshFailed
 
-USO has a set of escalation actions to prevent a device from becoming out-of-date, and the actions are triggered based on the Escalation config that USO obtains from OneSettings. This event is sent when USO fails to refresh the escalation config from OneSettings.
+USO has a set of escalation actions to prevent a device from becoming out-of-date, and the actions are triggered based on the Escalation configuration that USO obtains from OneSettings. This event is sent when USO fails to refresh the escalation configuration from OneSettings.
 
 The following fields are available:
 
-- **configVersion** Current escalation config version on device
-- **errorCode** Error code for the refresh failure
-- **wuDeviceid** Device ID used by WU
+- **configVersion** Current escalation config version on device.
+- **errorCode** Error code for the refresh failure.
+- **wuDeviceid** Device ID used by Windows Update.
 
 
 ### Microsoft.Windows.Update.Orchestrator.FlightInapplicable
 
-The Update is no longer Applicable to this device
+This event indicates that the update is no longer applicable to this device.
 
 The following fields are available:
 
-- **EventPublishedTime** Flight specific info
-- **flightID** Update ID revision number
-- **revisionNumber** Update ID - GUID
-- **updateId** Update session type
-- **updateScenarioType** Last status of update
-- **UpdateStatus** Is UUP fallback configured?
-- **UUPFallBackConfigured** Windows Update Device GUID
-- **wuDeviceid** Windows Update Device GUID
+- **EventPublishedTime** Time when this event was generated
+- **flightID** The specific ID of the Windows Insider build.
+- **revisionNumber** Update revision number.
+- **updateId** Unique Windows Update ID.
+- **updateScenarioType** Update session type.
+- **UpdateStatus** Last status of update.
+- **UUPFallBackConfigured** Indicates whether UUP fallback is configured.
+- **wuDeviceid** Unique Device ID.
 
 
 ### Microsoft.Windows.Update.Orchestrator.GameActive
 
-This event indicates that an enabled GameMode process prevented the device from restarting to complete an update
+This event indicates that an enabled GameMode process prevented the device from restarting to complete an update.
 
 The following fields are available:
 
-- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
-- **gameModeReason** Name of the enabled GameMode process that prevented the device from restarting to complete an update
-- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+- **eventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **gameModeReason** Name of the enabled GameMode process that prevented the device from restarting to complete an update.
+- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
 
 
 ### Microsoft.Windows.Update.Orchestrator.InitiatingReboot
@@ -5099,12 +5614,12 @@ The following fields are available:
 
 - **EventPublishedTime** Time of the event.
 - **flightID** Unique update ID
-- **interactive** Indicates the reboot initiation stage of the update process was entered as a result of user action or not.
-- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action.
+- **rebootOutsideOfActiveHours** Indicates whether the reboot was to occur outside of active hours.
 - **revisionNumber** Revision number of the update.
 - **updateId** Update ID.
 - **updateScenarioType** The update session type.
-- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated.
 - **wuDeviceid** Unique device ID used by Windows Update.
 
 
@@ -5116,82 +5631,82 @@ The following fields are available:
 
 - **batteryLevel** Current battery capacity in mWh or percentage left.
 - **deferReason** Reason for install not completing.
-- **eventScenario** End to end update session ID.
+- **errorCode** The error code reppresented by a hexadecimal value.
+- **eventScenario** End-to-end update session ID.
+- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **flightUpdate** Indicates whether the update is a Windows Insider build.
+- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates.
+- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress.
+- **installRebootinitiatetime** The time it took for a reboot to be attempted.
 - **interactive** Identifies if session is user initiated.
-- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **minutesToCommit** The time it took to install updates.
+- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours.
+- **revisionNumber** Update revision number.
+- **updateId** Update ID.
 - **updateScenarioType** The update session type.
 - **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
 - **wuDeviceid** Unique device ID used by Windows Update.
-- **flightID** Unique update ID
-- **flightUpdate** Flight update
-- **ForcedRebootReminderSet** A boolean value that indicates if a forced reboot will happen for updates.
-- **installRebootinitiatetime** The time it took for a reboot to be attempted.
-- **minutesToCommit** The time it took to install updates.
-- **revisionNumber** Update revision number.
-- **updateId** Update ID.
-- **errorCode** The error code reppresented by a hexadecimal value.
-- **installCommitfailedtime** The time it took for a reboot to happen but the upgrade failed to progress.
 
 
 ### Microsoft.Windows.Update.Orchestrator.PostInstall
 
-Event sent after Update install completes.
+This event is sent after a Windows update install completes.
 
 The following fields are available:
 
-- **batteryLevel** Battery level percentage
-- **bundleId** Update ID - GUID
-- **bundleRevisionnumber** Update ID revision number
-- **errorCode** Error value
-- **eventScenario** State of update action
-- **sessionType** Update session type
-- **wuDeviceid** Windows Update device GUID
+- **batteryLevel** Current battery capacity in mWh or percentage left.
+- **bundleId** Identifier associated with the specific content bundle.
+- **bundleRevisionnumber** Identifies the revision number of the content bundle.
+- **errorCode** The error code returned for the current phase.
+- **eventScenario** State of update action.
 - **flightID** The flight ID of the device
-- **updateScenarioType** The scenario type of this update
+- **sessionType** The Windows Update session type (Interactive or Background).
+- **updateScenarioType** The update session type.
+- **wuDeviceid** Unique device ID used by Windows Update.
 
 
 ### Microsoft.Windows.Update.Orchestrator.PowerMenuOptionsChanged
 
-This event is sent when the options in power menu changed, usually due to an update pending reboot, or after a update is installed.
+This event is sent when the options in power menu changed, usually due to an update pending reboot, or after a update is installed.
 
 The following fields are available:
 
-- **powermenuNewOptions** The new options after the power menu changed
-- **powermenuOldOptions** The old options before the power menu changed
-- **rebootPendingMinutes** If the power menu changed because a reboot is pending due to a update, how long that reboot has been pending
-- **wuDeviceid** If the power menu changed because a reboot is pending due to a update, the device ID recorded by WU
+- **powermenuNewOptions** The new options after the power menu changed.
+- **powermenuOldOptions** The old options before the power menu changed.
+- **rebootPendingMinutes** If the power menu changed because a reboot is pending due to a update, this indicates how long that reboot has been pending.
+- **wuDeviceid** The device ID recorded by Windows Update if the power menu changed because a reboot is pending due to an update.
 
 
 ### Microsoft.Windows.Update.Orchestrator.PreShutdownStart
 
-This event is generated right before the shutdown and commit operations
+This event is generated before the shutdown and commit operations.
 
 The following fields are available:
 
-- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+- **wuDeviceid** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
 
 
 ### Microsoft.Windows.Update.Orchestrator.Progress
 
-Event sent when the download of a update reaches a milestone change, such as network cost policy changed, a internal phase has completed, or a transient state has changed.
+This event is sent when the download of a update reaches a milestone change, such as a change in network cost policy, completion of an internal phase, or change in a transient state.
 
 The following fields are available:
 
-- **errorCode** Error info
-- **flightID** Flight info
-- **interactive** Is USO session interactive or non-interactive?
-- **networkCostPolicy** The current network cost policy on device
-- **revisionNumber** Update ID revision number
-- **updateId** Update ID - GUID
-- **updateScenarioType** Update Session type
-- **updateState** Subphase of the download
-- **UpdateStatus** Subphase of the update
-- **wuDeviceid** Device ID
+- **errorCode** Error code returned.
+- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **interactive** Identifies whether the session is user initiated.
+- **networkCostPolicy** The current network cost policy on device.
+- **revisionNumber** Update ID revision number.
+- **updateId** Unique ID for each update.
+- **updateScenarioType** Update Session type.
+- **updateState** Subphase of the download.
+- **UpdateStatus** Subphase of the update.
+- **wuDeviceid** Unique device ID used by Windows Update.
 
 
 ### Microsoft.Windows.Update.Orchestrator.RebootFailed
 
-This event sends information about whether an update required a reboot and reasons for failure to help keep Windows up to date.
+This event sends information about whether an update required a reboot and reasons for failure, to help keep Windows up to date.
 
 The following fields are available:
 
@@ -5199,7 +5714,7 @@ The following fields are available:
 - **deferReason** Reason for install not completing.
 - **EventPublishedTime** The time that the reboot failure occurred.
 - **flightID** Unique update ID.
-- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **rebootOutsideOfActiveHours** Indicates whether a reboot was scheduled outside of active hours.
 - **RebootResults** Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code.
 - **revisionNumber** Update revision number.
 - **updateId** Update ID.
@@ -5215,25 +5730,25 @@ This event sends data indicating that a reboot task is missing unexpectedly on a
 The following fields are available:
 
 - **RebootTaskRestoredTime** Time at which this reboot task was restored.
-- **wuDeviceid** Device id on which the reboot is restored
+- **wuDeviceid** Device ID for the device on which the reboot is restored.
 
 
 ### Microsoft.Windows.Update.Orchestrator.ScanTriggered
 
-Indicates that Update Orchestrator has started a scan operation.
+This event indicates that Update Orchestrator has started a scan operation.
 
 The following fields are available:
 
-- **errorCode** Error info
-- **eventScenario** Indicates the purpose of sending this event
-- **interactive** Whether or not the scan is interactive.
-- **isScanPastSla** Has the SLA elapsed for scanning?
-- **isScanPastTriggerSla** Has the SLA elapsed for triggering a scan?
-- **minutesOverScanSla** How many minutes over the scan SLA is the scan?
-- **minutesOverScanTriggerSla** How many minutes over the scan trigger SLA is the scan?
-- **scanTriggerSource** What caused the scan?
-- **updateScenarioType** The type of scenario we are in.
-- **wuDeviceid** WU Device ID of the machine.
+- **errorCode** The error code returned for the current scan operation.
+- **eventScenario** Indicates the purpose of sending this event.
+- **interactive** Indicates whether the scan is interactive.
+- **isScanPastSla** Indicates whether the SLA has elapsed for scanning.
+- **isScanPastTriggerSla** Indicates whether the SLA has elapsed for triggering a scan.
+- **minutesOverScanSla** Indicates how many minutes the scan exceeded the scan SLA.
+- **minutesOverScanTriggerSla** Indicates how many minutes the scan exceeded the scan trigger SLA.
+- **scanTriggerSource** Indicates what caused the scan.
+- **updateScenarioType** The update session type.
+- **wuDeviceid** Unique device ID used by Windows Update.
 
 
 ### Microsoft.Windows.Update.Orchestrator.SystemNeeded
@@ -5242,10 +5757,10 @@ This event sends data about why a device is unable to reboot, to help keep Windo
 
 The following fields are available:
 
-- **eventScenario** End to end update session ID.
-- **rebootOutsideOfActiveHours** Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **eventScenario** End-to-end update session ID.
+- **rebootOutsideOfActiveHours** Indicates whether a reboot is scheduled outside of active hours.
 - **revisionNumber** Update revision number.
-- **systemNeededReason** Reason ID
+- **systemNeededReason** List of apps or tasks that are preventing the system from restarting.
 - **updateId** Update ID.
 - **updateScenarioType** The update session type.
 - **uxRebootstate** Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
@@ -5254,26 +5769,26 @@ The following fields are available:
 
 ### Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours
 
-Update activity was stopped due to active hours starting.
+This event indicates that update activity was stopped due to active hours starting.
 
 The following fields are available:
 
-- **activeHoursEnd** The end of the active hours window
-- **activeHoursStart** The start of the active hours window
-- **updatePhase** The current state of the update process
-- **wuDeviceid** Device ID
+- **activeHoursEnd** The end of the active hours window.
+- **activeHoursStart** The start of the active hours window.
+- **updatePhase** The current state of the update process.
+- **wuDeviceid** The device identifier.
 
 
 ### Microsoft.Windows.Update.Orchestrator.TerminatedByBatteryLevel
 
-Update activity was stopped due to a low battery level.
+This event is sent when update activity was stopped due to a low battery level.
 
 The following fields are available:
 
-- **batteryLevel** The current battery charge capacity
-- **batteryLevelThreshold** The battery capacity threshold to stop update activity
-- **updatePhase** The current state of the update process
-- **wuDeviceid** Device ID
+- **batteryLevel** The current battery charge capacity.
+- **batteryLevelThreshold** The battery capacity threshold to stop update activity.
+- **updatePhase** The current state of the update process.
+- **wuDeviceid** The device identifier.
 
 
 ### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh
@@ -5282,10 +5797,10 @@ This event sends data on whether Update Management Policies were enabled on a de
 
 The following fields are available:
 
-- **configuredPoliciescount** Policy Count
-- **policiesNamevaluesource** Policy Name
-- **policyCacherefreshtime** Refresh time
-- **updateInstalluxsetting** This shows whether a user has set policies via UX option
+- **configuredPoliciescount** Number of policies on the device.
+- **policiesNamevaluesource** Policy name and source of policy (group policy, MDM or flight).
+- **policyCacherefreshtime** Time when policy cache was refreshed.
+- **updateInstalluxsetting** Indicates whether a user has set policies via a user experience option.
 - **wuDeviceid** Unique device ID used by Windows Update.
 
 
@@ -5295,8 +5810,8 @@ This event sends data about whether an update required a reboot to help keep Win
 
 The following fields are available:
 
-- **flightID** Unique update ID.
-- **interactive** Indicates the reboot initiation stage of the update process was entered as a result of user action or not.
+- **flightID** The specific ID of the Windows Insider build the device is getting.
+- **interactive** Indicates whether the reboot initiation stage of the update process was entered as a result of user action.
 - **revisionNumber** Update revision number.
 - **updateId** Update ID.
 - **updateScenarioType** The update session type.
@@ -5324,21 +5839,21 @@ The following fields are available: ### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled -The RebootScheduled event sends basic information for scheduling a update related reboot to facilitate the flow of getting security updates and keeping Windows up to date. +This event sends basic information about scheduling an update-related reboot, to get security updates and to help keep Windows up-to-date. The following fields are available: -- **activeHoursApplicable** Whether Active Hours applies. -- **rebootArgument** The reboot arguments -- **rebootOutsideOfActiveHours** If reboot was outside of Active Hours -- **rebootScheduledByUser** If the reboot was scheduled by the user, or the system. -- **rebootState** Which state the reboot is in -- **revisionNumber** Revision number of the OS -- **scheduledRebootTime** Time the reboot was scheduled for. -- **scheduledRebootTimeInUTC** Time the reboot was scheduled for in UTC -- **updateId** UpdateId to identify which update is being scheduled. -- **wuDeviceid** Unique DeviceID -- **IsEnhancedEngagedReboot** If Enhanced reboot was enabled. +- **activeHoursApplicable** Indicates whether Active Hours applies on this device. +- **IsEnhancedEngagedReboot** Indicates whether Enhanced reboot was enabled. +- **rebootArgument** Argument for the reboot task. It also represents specific reboot related action. +- **rebootOutsideOfActiveHours** True, if a reboot is scheduled outside of active hours. False, otherwise. +- **rebootScheduledByUser** True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically. +- **rebootState** Current state of the reboot. +- **revisionNumber** Revision number of the OS. +- **scheduledRebootTime** Time scheduled for the reboot. +- **scheduledRebootTimeInUTC** Time scheduled for the reboot, in UTC. +- **updateId** Identifies which update is being scheduled. +- **wuDeviceid** Unique device ID used by Windows Update. 
### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerFirstReadyToReboot 
@@ -5353,34 +5868,34 @@ This event is sent when MUSE broker schedules a task. The following fields are available: -- **TaskArgument** The arguments with which the task is scheduled. -- **TaskName** Name of the task. +- **TaskArgument** The arguments which the task is scheduled with +- **TaskName** Name of the task ## Windows Update mitigation events ### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages -This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. +This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. -- **FlightId** Unique identifier for each flight. -- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. -- **MitigationScenario** The update scenario in which the mitigation was executed. -- **MountedImageCount** Number of mounted images. -- **MountedImageMatches** Number of mounted images that were under %systemdrive%\$Windows.~BT. -- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed. -- **MountedImagesRemoved** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed. -- **MountedImagesSkipped** Number of mounted images that were not under %systemdrive%\$Windows.~BT. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** HResult of this operation. -- **ScenarioId** ID indicating the mitigation scenario. -- **ScenarioSupported** Indicates whether the scenario was supported. -- **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each Update. -- **WuId** Unique ID for the Windows Update client. +- **ClientId** Unique identifier for each flight. 
+- **FlightId** Unique GUID that identifies each instances of setuphost.exe. +- **InstanceId** The update scenario in which the mitigation was executed. +- **MitigationScenario** Number of mounted images. +- **MountedImageCount** Number of mounted images that were under %systemdrive%\$Windows.~BT. +- **MountedImageMatches** Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed. +- **MountedImagesFailed** Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed. +- **MountedImagesRemoved** Number of mounted images that were not under %systemdrive%\$Windows.~BT. +- **MountedImagesSkipped** Correlation vector value generated from the latest USO scan. +- **RelatedCV** HResult of this operation. +- **Result** ID indicating the mitigation scenario. +- **ScenarioId** Indicates whether the scenario was supported. +- **ScenarioSupported** Unique value for each update attempt. +- **SessionId** Unique ID for each Update. +- **UpdateId** Unique ID for the Windows Update client. +- **WuId** Unique ID for the Windows Update client. ### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints 
@@ -5389,19 +5904,19 @@ This event sends data specific to the FixAppXReparsePoints mitigation used for O The following fields are available: -- **ClientId** Unique identifier for each flight. -- **FlightId** Unique GUID that identifies each instances of setuphost.exe. -- **InstanceId** The update scenario in which the mitigation was executed. -- **MitigationScenario** Correlation vector value generated from the latest USO scan. -- **RelatedCV** Number of reparse points that are corrupted but we failed to fix them. -- **ReparsePointsFailed** Number of reparse points that were corrupted and were fixed by this mitigation. -- **ReparsePointsFixed** Number of reparse points that are not corrupted and no action is required. -- **ReparsePointsSkipped** HResult of this operation. -- **Result** ID indicating the mitigation scenario. -- **ScenarioId** Indicates whether the scenario was supported. -- **ScenarioSupported** Unique value for each update attempt. -- **SessionId** Unique ID for each Update. -- **UpdateId** Unique ID for the Windows Update client. +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **FlightId** Unique identifier for each flight. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationScenario** The update scenario in which the mitigation was executed. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **ReparsePointsFailed** Number of reparse points that are corrupted but we failed to fix them. +- **ReparsePointsFixed** Number of reparse points that were corrupted and were fixed by this mitigation. +- **ReparsePointsSkipped** Number of reparse points that are not corrupted and no action is required. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. 
+- **ScenarioSupported** Indicates whether the scenario was supported. +- **SessionId** Unique value for each update attempt. +- **UpdateId** Unique ID for each Update. - **WuId** Unique ID for the Windows Update client. 
@@ -5411,20 +5926,29 @@ This event sends data specific to the FixupEditionId mitigation used for OS upda The following fields are available: -- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. +- **ClientId** In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. - **EditionIdUpdated** Determine whether EditionId was changed. -- **FlightId** Unique identifier for each flight. -- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. -- **MitigationScenario** The update scenario in which the mitigation was executed. +- **FlightId** Unique identifier for each flight. +- **InstanceId** Unique GUID that identifies each instances of setuphost.exe. +- **MitigationScenario** The update scenario in which the mitigation was executed. - **ProductEditionId** Expected EditionId value based on GetProductInfo. - **ProductType** Value returned by GetProductInfo. - **RegistryEditionId** EditionId value in the registry. -- **RelatedCV** Correlation vector value generated from the latest USO scan. -- **Result** HResult of this operation. -- **ScenarioId** ID indicating the mitigation scenario. -- **ScenarioSupported** Indicates whether the scenario was supported. +- **RelatedCV** Correlation vector value generated from the latest USO scan. +- **Result** HResult of this operation. +- **ScenarioId** ID indicating the mitigation scenario. +- **ScenarioSupported** Indicates whether the scenario was supported. - **SessionId** Unique value for each update attempt. -- **UpdateId** Unique ID for each update. -- **WuId** Unique ID for the Windows Update client. +- **UpdateId** Unique ID for each update. +- **WuId** Unique ID for the Windows Update client. 
+
+
+## Winlogon events
+
+### Microsoft.Windows.Security.Winlogon.SetupCompleteLogon
+
+This event signals the completion of the setup process. It happens only once during the first logon.
+
+
diff --git a/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
new file mode 100644
index 0000000000..634376dd9a
--- /dev/null
+++ b/windows/privacy/basic-level-windows-diagnostic-events-and-fields-1809.md
@@ -0,0 +1,4661 @@
+---
+description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level.
+title: Windows 10, version 1809 basic diagnostic events and fields (Windows 10)
+keywords: privacy, telemetry
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: brianlic-msft
+ms.author: brianlic
+ms.date: 09/10/2018
+---
+
+
+# Windows 10, version 1809 basic level Windows diagnostic events and fields
+
+ **Applies to**
+
+- Windows 10, version 1809
+
+
+The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information.
+
+The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems.
+
+Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data.
+
+You can learn more about Windows functional and diagnostic data through these articles:
+
+
+- [Windows 10, version 1803 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1803.md)
+- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
+- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
+- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
+- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
+
+
+
+
+## AppLocker events
+
+### Microsoft.Windows.Security.AppLockerCSP.ActivityStoppedAutomatically
+
+Automatically closed activity for start/stop operations that aren't explicitly closed.
+
+
+
+### Microsoft.Windows.Security.AppLockerCSP.AddParams
+
+Parameters passed to Add function of the AppLockerCSP Node.
+
+The following fields are available:
+
+- **child** The child URI of the node to add.
+- **uri** URI of the node relative to %SYSTEM32%/AppLocker.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.AddStart
+
+Start of "Add" Operation for the AppLockerCSP Node.
+
+
+
+### Microsoft.Windows.Security.AppLockerCSP.AddStop
+
+End of "Add" Operation for AppLockerCSP Node.
+
+The following fields are available:
+
+- **hr** The HRESULT returned by Add function in AppLockerCSP.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.CAppLockerCSP::Rollback
+
+Result of the 'Rollback' operation in AppLockerCSP.
+
+The following fields are available:
+
+- **oldId** Previous id for the CSP transaction.
+- **txId** Current id for the CSP transaction.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.ClearParams
+
+Parameters passed to the "Clear" operation for AppLockerCSP.
+
+The following fields are available:
+
+- **uri** The URI relative to the %SYSTEM32%\AppLocker folder.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.ClearStart
+
+Start of the "Clear" operation for the AppLockerCSP Node.
+
+
+
+### Microsoft.Windows.Security.AppLockerCSP.ClearStop
+
+End of the "Clear" operation for the AppLockerCSP node.
+
+The following fields are available:
+
+- **hr** HRESULT reported at the end of the 'Clear' function.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStart
+
+Start of the "ConfigManagerNotification" operation for AppLockerCSP.
+
+The following fields are available:
+
+- **NotifyState** State sent by ConfigManager to AppLockerCSP.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.ConfigManagerNotificationStop
+
+End of the "ConfigManagerNotification" operation for AppLockerCSP.
+
+The following fields are available:
+
+- **hr** HRESULT returned by the ConfigManagerNotification function in AppLockerCSP.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceParams
+
+Parameters passed to the CreateNodeInstance function of the AppLockerCSP node.
+
+The following fields are available:
+
+- **NodeId** NodeId passed to CreateNodeInstance.
+- **nodeOps** NodeOperations parameter passed to CreateNodeInstance.
+- **uri** URI passed to CreateNodeInstance, relative to %SYSTEM32%\AppLocker.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStart
+
+Start of the "CreateNodeInstance" operation for the AppLockerCSP node.
+
+
+
+### Microsoft.Windows.Security.AppLockerCSP.CreateNodeInstanceStop
+
+End of the "CreateNodeInstance" operation for the AppLockerCSP node
+
+The following fields are available:
+
+- **hr** HRESULT returned by the CreateNodeInstance function in AppLockerCSP.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.DeleteChildParams
+
+Parameters passed to the DeleteChild function of the AppLockerCSP node.
+
+The following fields are available:
+
+- **child** The child URI of the node to delete.
+- **uri** URI relative to %SYSTEM32%\AppLocker.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStart
+
+Start of the "DeleteChild" operation for the AppLockerCSP node.
+
+
+
+### Microsoft.Windows.Security.AppLockerCSP.DeleteChildStop
+
+End of the "DeleteChild" operation for the AppLockerCSP node.
+
+The following fields are available:
+
+- **hr** HRESULT returned by the DeleteChild function in AppLockerCSP.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.EnumPolicies
+
+Logged URI relative to %SYSTEM32%\AppLocker, if the Plugin GUID is null, or the CSP doesn't believe the old policy is present.
+
+The following fields are available:
+
+- **uri** URI relative to %SYSTEM32%\AppLocker.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesParams
+
+Parameters passed to the GetChildNodeNames function of the AppLockerCSP node.
+
+The following fields are available:
+
+- **uri** URI relative to %SYSTEM32%/AppLocker for MDM node.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStart
+
+Start of the "GetChildNodeNames" operation for the AppLockerCSP node.
+
+
+
+### Microsoft.Windows.Security.AppLockerCSP.GetChildNodeNamesStop
+
+End of the "GetChildNodeNames" operation for the AppLockerCSP node.
+
+The following fields are available:
+
+- **child[0]** If function succeeded, the first child's name, else "NA".
+- **count** If function succeeded, the number of child node names returned by the function, else 0.
+- **hr** HRESULT returned by the GetChildNodeNames function of AppLockerCSP.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.GetLatestId
+
+The result of 'GetLatestId' in AppLockerCSP (the latest time stamped GUID).
+
+The following fields are available:
+
+- **dirId** The latest directory identifier found by GetLatestId.
+- **id** The id returned by GetLatestId if id > 0 - otherwise the dirId parameter.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.HResultException
+
+HRESULT thrown by any arbitrary function in AppLockerCSP.
+
+The following fields are available:
+
+- **file** File in the OS code base in which the exception occurs.
+- **function** Function in the OS code base in which the exception occurs.
+- **hr** HRESULT that is reported.
+- **line** Line in the file in the OS code base in which the exception occurs.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.SetValueParams
+
+Parameters passed to the SetValue function of the AppLockerCSP node.
+
+The following fields are available:
+
+- **dataLength** Length of the value to set.
+- **uri** The node URI to that should contain the value, relative to %SYSTEM32%\AppLocker.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.SetValueStart
+
+Start of the "SetValue" operation for the AppLockerCSP node.
+
+
+
+### Microsoft.Windows.Security.AppLockerCSP.SetValueStop
+
+End of the "SetValue" operation for the AppLockerCSP node.
+
+The following fields are available:
+
+- **hr** HRESULT returned by the SetValue function in AppLockerCSP.
+
+
+### Microsoft.Windows.Security.AppLockerCSP.TryRemediateMissingPolicies
+
+EntryPoint of fix step or policy remediation, includes URI relative to %SYSTEM32%\AppLocker that needs to be fixed.
+
+The following fields are available:
+
+- **uri** URI for node relative to %SYSTEM32%/AppLocker.
+
+
+## Appraiser events
+
+### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
+
+This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client.
+
+The following fields are available:
+
+- **DatasourceApplicationFile_RS1** An ID for the system, calculated by hashing hardware identifiers.
+- **DatasourceApplicationFile_RS2** An ID for the system, calculated by hashing hardware identifiers.
+- **DatasourceApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device.
+- **DatasourceApplicationFile_RS4** The count of the number of this particular object type present on this device.
+- **DatasourceApplicationFile_RS4Setup** The count of the number of this particular object type present on this device.
+- **DatasourceApplicationFile_TH1** The count of the number of this particular object type present on this device.
+- **DatasourceApplicationFile_TH2** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_RS1** The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device.
+- **DatasourceDevicePnp_RS2** The count of DatasourceApplicationFile objects present on this machine targeting the next release of Windows
+- **DatasourceDevicePnp_RS3** The total DatasourceDevicePnp objects targeting the next release of Windows on this device.
+- **DatasourceDevicePnp_RS4** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_RS4Setup** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_TH1** The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_TH2** The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_RS1** The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device.
+- **DatasourceDriverPackage_RS2** The total DataSourceDriverPackage objects targeting Windows 10, version 1703 on this device.
+- **DatasourceDriverPackage_RS3** The total DatasourceDriverPackage objects targeting the next release of Windows on this device.
+- **DatasourceDriverPackage_RS4** The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_RS4Setup** The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_TH1** The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_TH2** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoBlock_RS1** The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device.
+- **DataSourceMatchingInfoBlock_RS2** The count of DatasourceDevicePnp objects present on this machine targeting the next release of Windows
+- **DataSourceMatchingInfoBlock_RS3** The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device.
+- **DataSourceMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_RS1** The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device.
+- **DataSourceMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device.
+- **DataSourceMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_RS1** The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device.
+- **DataSourceMatchingInfoPostUpgrade_RS2** The count of DatasourceDriverPackage objects present on this machine targeting the next release of Windows
+- **DataSourceMatchingInfoPostUpgrade_RS3** The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
+- **DataSourceMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_RS1** The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device.
+- **DatasourceSystemBios_RS2** The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device.
+- **DatasourceSystemBios_RS3** The total DatasourceSystemBios objects targeting the next release of Windows on this device.
+- **DatasourceSystemBios_RS4** The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_RS4Setup** The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_TH1** The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_TH2** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_RS1** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_RS2** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_RS3** The total DecisionApplicationFile objects targeting the next release of Windows on this device.
+- **DecisionApplicationFile_RS4** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_RS4Setup** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_TH1** The count of the number of this particular object type present on this device.
+- **DecisionApplicationFile_TH2** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_RS1** The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device.
+- **DecisionDevicePnp_RS2** The count of DataSourceMatchingInfoBlock objects present on this machine targeting the next release of Windows
+- **DecisionDevicePnp_RS3** The total DecisionDevicePnp objects targeting the next release of Windows on this device.
+- **DecisionDevicePnp_RS4** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_RS4Setup** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_TH1** The count of the number of this particular object type present on this device.
+- **DecisionDevicePnp_TH2** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_RS1** The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device.
+- **DecisionDriverPackage_RS2** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_RS3** The total DecisionDriverPackage objects targeting the next release of Windows on this device.
+- **DecisionDriverPackage_RS4** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_RS4Setup** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_TH1** The count of the number of this particular object type present on this device.
+- **DecisionDriverPackage_TH2** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoBlock_RS1** The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device.
+- **DecisionMatchingInfoBlock_RS2** The count of DataSourceMatchingInfoPassive objects present on this machine targeting the next release of Windows
+- **DecisionMatchingInfoBlock_RS3** The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device.
+- **DecisionMatchingInfoBlock_RS4** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoBlock_RS4Setup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoBlock_TH1** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoBlock_TH2** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPassive_RS1** The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device.
+- **DecisionMatchingInfoPassive_RS2** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPassive_RS3** The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device.
+- **DecisionMatchingInfoPassive_RS4** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPassive_RS4Setup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPassive_TH1** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPassive_TH2** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPostUpgrade_RS1** The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device.
+- **DecisionMatchingInfoPostUpgrade_RS2** The count of DataSourceMatchingInfoPostUpgrade objects present on this machine targeting the next release of Windows
+- **DecisionMatchingInfoPostUpgrade_RS3** The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
+- **DecisionMatchingInfoPostUpgrade_RS4** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPostUpgrade_RS4Setup** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPostUpgrade_TH1** The count of the number of this particular object type present on this device.
+- **DecisionMatchingInfoPostUpgrade_TH2** The count of the number of this particular object type present on this device.
+- **DecisionMediaCenter_RS1** The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device.
+- **DecisionMediaCenter_RS2** The count of DatasourceSystemBios objects present on this machine targeting the next release of Windows
+- **DecisionMediaCenter_RS3** The total DecisionMediaCenter objects targeting the next release of Windows on this device.
+- **DecisionMediaCenter_RS4** The count of the number of this particular object type present on this device.
+- **DecisionMediaCenter_RS4Setup** The count of the number of this particular object type present on this device.
+- **DecisionMediaCenter_TH1** The count of the number of this particular object type present on this device.
+- **DecisionMediaCenter_TH2** The count of the number of this particular object type present on this device.
+- **DecisionSystemBios_RS1** The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device.
+- **DecisionSystemBios_RS2** The total DecisionSystemBios objects targeting Windows 10 version 1703 present on this device.
+- **DecisionSystemBios_RS3** The total DecisionSystemBios objects targeting the next release of Windows on this device.
+- **DecisionSystemBios_RS4** The total DecisionSystemBios objects targeting Windows 10 version, 1803 present on this device.
+- **DecisionSystemBios_RS4Setup** The total DecisionSystemBios objects targeting the next release of Windows on this device.
+- **DecisionSystemBios_TH1** The count of the number of this particular object type present on this device.
+- **DecisionSystemBios_TH2** The count of the number of this particular object type present on this device.
+- **InventoryApplicationFile** The count of the number of this particular object type present on this device.
+- **InventoryLanguagePack** The count of the number of this particular object type present on this device.
+- **InventoryMediaCenter** The count of the number of this particular object type present on this device.
+- **InventorySystemBios** The count of the number of this particular object type present on this device.
+- **InventoryUplevelDriverPackage** The count of the number of this particular object type present on this device.
+- **PCFP** The count of the number of this particular object type present on this device.
+- **SystemMemory** The count of the number of this particular object type present on this device.
+- **SystemProcessorCompareExchange** The count of the number of this particular object type present on this device.
+- **SystemProcessorLahfSahf** The count of the number of this particular object type present on this device.
+- **SystemProcessorNx** The count of the number of this particular object type present on this device.
+- **SystemProcessorPrefetchW** The count of the number of this particular object type present on this device.
+- **SystemProcessorSse2** The count of the number of this particular object type present on this device.
+- **SystemTouch** The count of the number of this particular object type present on this device.
+- **SystemWim** The count of the number of this particular object type present on this device.
+- **SystemWindowsActivationStatus** The count of the number of this particular object type present on this device.
+- **SystemWlan** The count of the number of this particular object type present on this device.
+- **Wmdrm_RS1** An ID for the system, calculated by hashing hardware identifiers.
+- **Wmdrm_RS2** The count of InventoryLanguagePack objects present on this machine.
+- **Wmdrm_RS3** The total Wmdrm objects targeting the next release of Windows on this device.
+- **Wmdrm_RS4** The total Wmdrm objects targeting Windows 10, version 1803 present on this device.
+- **Wmdrm_RS4Setup** The count of the number of this particular object type present on this device.
+- **Wmdrm_TH1** The count of the number of this particular object type present on this device.
+- **Wmdrm_TH2** The count of the number of this particular object type present on this device.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd
+
+Represents the basic metadata about specific application files installed on the system.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file that is generating the events.
+- **AvDisplayName** If the app is an anti-virus app, this is its display name.
+- **CompatModelIndex** The compatibility prediction for this file.
+- **HasCitData** Indicates whether the file is present in CIT data.
+- **HasUpgradeExe** Indicates whether the anti-virus app has an upgrade.exe file.
+- **IsAv** Is the file an anti-virus reporting EXE?
+- **ResolveAttempted** This will always be an empty string when sending telemetry.
+- **SdbEntries** An array of fields that indicates the SDB entries that apply to this file.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
+
+This event indicates that the DatasourceApplicationFile object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync
+
+This event indicates that a new set of DatasourceApplicationFileAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd
+
+This event sends compatibility data for a Plug and Play device, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **ActiveNetworkConnection** Indicates whether the device is an active network device.
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **IsBootCritical** Indicates whether the device boot is critical.
+- **WuDriverCoverage** Indicates whether there is a driver uplevel for this device, according to Windows Update.
+- **WuDriverUpdateId** The Windows Update ID of the applicable uplevel driver.
+- **WuPopulatedFromId** The expected uplevel driver matching ID based on driver coverage from Windows Update.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove
+
+This event indicates that the DatasourceDevicePnp object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync
+
+This event indicates that a new set of DatasourceDevicePnpAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd
+
+This event sends compatibility database data about driver packages to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync
+
+This event indicates that a new set of DatasourceDriverPackageAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
+
+This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
+
+This event indicates that the DataSourceMatchingInfoBlock object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync
+
+This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
+
+This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove
+
+This event indicates that the DataSourceMatchingInfoPassive object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync
+
+This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
+
+This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove
+
+This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync
+
+This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
+
+This event sends compatibility database information about the BIOS to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove
+
+This event indicates that the DatasourceSystemBios object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
+
+This event indicates that a new set of DatasourceSystemBiosAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd
+
+This event sends compatibility decision data about a file to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file that is generating the events.
+- **BlockAlreadyInbox** The uplevel runtime block on the file already existed on the current OS.
+- **BlockingApplication** Indicates whether there are any application issues that interfere with the upgrade due to the file in question.
+- **DisplayGenericMessage** Will be a generic message be shown for this file?
+- **HardBlock** This file is blocked in the SDB.
+- **HasUxBlockOverride** Does the file have a block that is overridden by a tag in the SDB?
+- **MigApplication** Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode?
+- **MigRemoval** Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade?
+- **NeedsDismissAction** Will the file cause an action that can be dimissed?
+- **NeedsInstallPostUpgradeData** After upgrade, the file will have a post-upgrade notification to install a replacement for the app.
+- **NeedsNotifyPostUpgradeData** Does the file have a notification that should be shown after upgrade?
+- **NeedsReinstallPostUpgradeData** After upgrade, this file will have a post-upgrade notification to reinstall the app.
+- **NeedsUninstallAction** The file must be uninstalled to complete the upgrade.
+- **SdbBlockUpgrade** The file is tagged as blocking upgrade in the SDB,
+- **SdbBlockUpgradeCanReinstall** The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade.
+- **SdbBlockUpgradeUntilUpdate** The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed.
+- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade.
+- **SdbReinstallUpgradeWarn** The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade.
+- **SoftBlock** The file is softblocked in the SDB and has a warning.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
+
+This event indicates Indicates that the DecisionApplicationFile object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync
+
+This event indicates that a new set of DecisionApplicationFileAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd
+
+This event sends compatibility decision data about a PNP device to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **AssociatedDriverIsBlocked** Is the driver associated with this PNP device blocked?
+- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate?
+- **BlockAssociatedDriver** Should the driver associated with this PNP device be blocked?
+- **BlockingDevice** Is this PNP device blocking upgrade?
+- **BlockUpgradeIfDriverBlocked** Is the PNP device both boot critical and does not have a driver included with the OS?
+- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork** Is this PNP device the only active network device?
+- **DisplayGenericMessage** Will a generic message be shown during Setup for this PNP device?
+- **DriverAvailableInbox** Is a driver included with the operating system for this PNP device?
+- **DriverAvailableOnline** Is there a driver for this PNP device on Windows Update?
+- **DriverAvailableUplevel** Is there a driver on Windows Update or included with the operating system for this PNP device?
+- **DriverBlockOverridden** Is there is a driver block on the device that has been overridden?
+- **NeedsDismissAction** Will the user would need to dismiss a warning during Setup for this device?
+- **NotRegressed** Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
+- **SdbDeviceBlockUpgrade** Is there an SDB block on the PNP device that blocks upgrade?
+- **SdbDriverBlockOverridden** Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove
+
+This event indicates that the DecisionDevicePnp object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync
+
+The DecisionDevicePnpStartSync event indicates that a new set of DecisionDevicePnpAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd
+
+This event sends decision data about driver package compatibility to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **DriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
+- **DriverIsDeviceBlocked** Was the driver package was blocked because of a device block?
+- **DriverIsDriverBlocked** Is the driver package blocked because of a driver block?
+- **DriverShouldNotMigrate** Should the driver package be migrated during upgrade?
+- **SdbDriverBlockOverridden** Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
+
+This event indicates that the DecisionDriverPackage object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync
+
+This event indicates that a new set of DecisionDriverPackageAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd
+
+This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the appraiser file generating the events.
+- **BlockingApplication** Are there are any application issues that interfere with upgrade due to matching info blocks?
+- **DisplayGenericMessage** Will a generic message be shown for this block?
+- **NeedsUninstallAction** Does the user need to take an action in setup due to a matching info block?
+- **SdbBlockUpgrade** Is a matching info block blocking upgrade?
+- **SdbBlockUpgradeCanReinstall** Is a matching info block blocking upgrade, but has the can reinstall tag?
+- **SdbBlockUpgradeUntilUpdate** Is a matching info block blocking upgrade but has the until update tag?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove
+
+This event indicates that the DecisionMatchingInfoBlock object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync
+
+This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
+
+This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BlockingApplication** Are there any application issues that interfere with upgrade due to matching info blocks?
+- **MigApplication** Is there a matching info block with a mig for the current mode of upgrade?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove
+
+This event Indicates that the DecisionMatchingInfoPassive object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync
+
+This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd
+
+This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **NeedsInstallPostUpgradeData** Will the file have a notification after upgrade to install a replacement for the app?
+- **NeedsNotifyPostUpgradeData** Should a notification be shown for this file after upgrade?
+- **NeedsReinstallPostUpgradeData** Will the file have a notification after upgrade to reinstall the app?
+- **SdbReinstallUpgrade** The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade).
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove
+
+This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync
+
+This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd
+
+This event sends decision data about the presence of Windows Media Center, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **BlockingApplication** Is there any application issues that interfere with upgrade due to Windows Media Center?
+- **MediaCenterActivelyUsed** If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true?
+- **MediaCenterIndicators** Do any indicators imply that Windows Media Center is in active use?
+- **MediaCenterInUse** Is Windows Media Center actively being used?
+- **MediaCenterPaidOrActivelyUsed** Is Windows Media Center actively being used or is it running on a supported edition?
+- **NeedsDismissAction** Are there any actions that can be dismissed coming from Windows Media Center?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove
+
+This event indicates that the DecisionMediaCenter object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync
+
+This event indicates that a new set of DecisionMediaCenterAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd
+
+This event sends compatibility decision data about the BIOS to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the device blocked from upgrade due to a BIOS block?
+- **HasBiosBlock** Does the device have a BIOS block?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove
+
+This event indicates that the DecisionSystemBios object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync
+
+This event indicates that a new set of DecisionSystemBiosAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.GatedRegChange
+
+This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date.
+
+The following fields are available:
+
+- **NewData** The data in the registry value after the scan completed.
+- **OldData** The previous data in the registry value before the scan ran.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **RegKey** The registry key name for which a result is being sent.
+- **RegValue** The registry value for which a result is being sent.
+- **Time** The client time of the event.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd
+
+This event represents the basic metadata about a file on the system. The file must be part of an app and either have a block in the compatibility database or be part of an antivirus program.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **AvDisplayName** If the app is an antivirus app, this is its display name.
+- **AvProductState** Indicates whether the antivirus program is turned on and the signatures are up to date.
+- **BinaryType** A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64.
+- **BinFileVersion** An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
+- **BinProductVersion** An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets.
+- **BoeProgramId** If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata.
+- **CompanyName** The company name of the vendor who developed this file.
+- **FileId** A hash that uniquely identifies a file.
+- **FileVersion** The File version field from the file metadata under Properties -> Details.
+- **HasUpgradeExe** Indicates whether the antivirus app has an upgrade.exe file.
+- **IsAv** Indicates whether the file an antivirus reporting EXE.
+- **LinkDate** The date and time that this file was linked on.
+- **LowerCaseLongPath** The full file path to the file that was inventoried on the device.
+- **Name** The name of the file that was inventoried.
+- **ProductName** The Product name field from the file metadata under Properties -> Details.
+- **ProductVersion** The Product version field from the file metadata under Properties -> Details.
+- **ProgramId** A hash of the Name, Version, Publisher, and Language of an application used to identify it.
+- **Size** The size of the file (in hexadecimal bytes).
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove
+
+This event indicates that the InventoryApplicationFile object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
+
+This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd
+
+This event sends data about the number of language packs installed on the system, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **HasLanguagePack** Indicates whether this device has 2 or more language packs.
+- **LanguagePackCount** The number of language packs are installed.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove
+
+This event indicates that the InventoryLanguagePack object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync
+
+This event indicates that a new set of InventoryLanguagePackAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd
+
+This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **EverLaunched** Has Windows Media Center ever been launched?
+- **HasConfiguredTv** Has the user configured a TV tuner through Windows Media Center?
+- **HasExtendedUserAccounts** Are any Windows Media Center Extender user accounts configured?
+- **HasWatchedFolders** Are any folders configured for Windows Media Center to watch?
+- **IsDefaultLauncher** Is Windows Media Center the default app for opening music or video files?
+- **IsPaid** Is the user running a Windows Media Center edition that implies they paid for Windows Media Center?
+- **IsSupported** Does the running OS support Windows Media Center?
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove
+
+This event indicates that the InventoryMediaCenter object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync
+
+This event indicates that a new set of InventoryMediaCenterAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd
+
+This event sends basic metadata about the BIOS to determine whether it has a compatibility block.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **biosDate** The release date of the BIOS in UTC format.
+- **BiosDate** The release date of the BIOS in UTC format.
+- **biosName** The name field from Win32_BIOS.
+- **BiosName** The name field from Win32_BIOS.
+- **manufacturer** The manufacturer field from Win32_ComputerSystem.
+- **Manufacturer** The manufacturer field from Win32_ComputerSystem.
+- **model** The model field from Win32_ComputerSystem.
+- **Model** The model field from Win32_ComputerSystem.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove
+
+This event indicates that the InventorySystemBios object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync
+
+This event indicates that a new set of InventorySystemBiosAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
+
+This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BootCritical** Is the driver package marked as boot critical?
+- **Build** The build value from the driver package.
+- **CatalogFile** The name of the catalog file within the driver package.
+- **Class** The device class from the driver package.
+- **ClassGuid** The device class unique ID from the driver package.
+- **Date** The date from the driver package.
+- **Inbox** Is the driver package of a driver that is included with Windows?
+- **OriginalName** The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU.
+- **Provider** The provider of the driver package.
+- **PublishedName** The name of the INF file after it was renamed.
+- **Revision** The revision of the driver package.
+- **SignatureStatus** Indicates if the driver package is signed. Unknown = 0, Unsigned = 1, Signed = 2.
+- **VersionMajor** The major version of the driver package.
+- **VersionMinor** The minor version of the driver package.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove
+
+This event indicates that the InventoryUplevelDriverPackage object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync
+
+This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.RunContext
+
+This event indicates what should be expected in the data payload.
+
+The following fields are available:
+
+- **AppraiserBranch** The source branch in which the currently running version of Appraiser was built.
+- **AppraiserProcess** The name of the process that launched Appraiser.
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Context** Indicates what mode Appraiser is running in. Example: Setup or Telemetry.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **Time** The client time of the event.
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryAdd
+
+This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the device from upgrade due to memory restrictions?
+- **MemoryRequirementViolated** Was a memory requirement violated?
+- **pageFile** The current committed memory limit for the system or the current process, whichever is smaller (in bytes).
+- **ram** The amount of memory on the device.
+- **ramKB** The amount of memory (in KB).
+- **virtual** The size of the user-mode portion of the virtual address space of the calling process (in bytes).
+- **virtualKB** The amount of virtual memory (in KB).
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryRemove
+
+This event that the SystemMemory object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync
+
+This event indicates that a new set of SystemMemoryAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd
+
+This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **CompareExchange128Support** Does the CPU support CompareExchange128?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove
+
+This event indicates that the SystemProcessorCompareExchange object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync
+
+This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd
+
+This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **LahfSahfSupport** Does the CPU support LAHF/SAHF?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove
+
+This event indicates that the SystemProcessorLahfSahf object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync
+
+This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd
+
+This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **NXDriverResult** The result of the driver used to do a non-deterministic check for NX support.
+- **NXProcessorSupport** Does the processor support NX?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove
+
+This event indicates that the SystemProcessorNx object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync
+
+This event indicates that a new set of SystemProcessorNxAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
+
+This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **PrefetchWSupport** Does the processor support PrefetchW?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove
+
+This event indicates that the SystemProcessorPrefetchW object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync
+
+This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add
+
+This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked due to the processor?
+- **SSE2ProcessorSupport** Does the processor support SSE2?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove
+
+This event indicates that the SystemProcessorSse2 object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync
+
+This event indicates that a new set of SystemProcessorSse2Add events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchAdd
+
+This event sends data indicating whether the system supports touch, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **IntegratedTouchDigitizerPresent** Is there an integrated touch digitizer?
+- **MaximumTouches** The maximum number of touch points supported by the device hardware.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchRemove
+
+This event indicates that the SystemTouch object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchStartSync
+
+This event indicates that a new set of SystemTouchAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimAdd
+
+This event sends data indicating whether the operating system is running from a compressed Windows Imaging Format (WIM) file, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **IsWimBoot** Is the current operating system running from a compressed WIM file?
+- **RegistryWimBootValue** The raw value from the registry that is used to indicate if the device is running from a WIM.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimRemove
+
+This event indicates that the SystemWim object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimStartSync
+
+This event indicates that a new set of SystemWimAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd
+
+This event sends data indicating whether the current operating system is activated, to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **WindowsIsLicensedApiValue** The result from the API that's used to indicate if operating system is activated.
+- **WindowsNotActivatedDecision** Is the current operating system activated?
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove
+
+This event indicates that the SystemWindowsActivationStatus object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync
+
+This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanAdd
+
+This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **Blocking** Is the upgrade blocked because of an emulated WLAN driver?
+- **HasWlanBlock** Does the emulated WLAN driver have an upgrade block?
+- **WlanEmulatedDriver** Does the device have an emulated WLAN driver?
+- **WlanExists** Does the device support WLAN at all?
+- **WlanModulePresent** Are any WLAN modules present?
+- **WlanNativeDriver** Does the device have a non-emulated WLAN driver?
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanRemove
+
+This event indicates that the SystemWlan object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanStartSync
+
+This event indicates that a new set of SystemWlanAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.TelemetryRunHealth
+
+This event indicates the parameters and result of a telemetry (diagnostic) run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up to date.
+
+The following fields are available:
+
+- **AppraiserBranch** The source branch in which the version of Appraiser that is running was built.
+- **AppraiserDataVersion** The version of the data files being used by the Appraiser telemetry run.
+- **AppraiserProcess** The name of the process that launched Appraiser.
+- **AppraiserVersion** The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
+- **AuxFinal** Obsolete, always set to false.
+- **AuxInitial** Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
+- **DeadlineDate** A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan.
+- **EnterpriseRun** Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
+- **FullSync** Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent.
+- **InboxDataVersion** The original version of the data files before retrieving any newer version.
+- **IndicatorsWritten** Indicates if all relevant UEX indicators were successfully written or updated.
+- **InventoryFullSync** Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent.
+- **PCFP** An ID for the system calculated by hashing hardware identifiers.
+- **PerfBackoff** Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
+- **PerfBackoffInsurance** Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
+- **RunAppraiser** Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
+- **RunDate** The date that the telemetry run was stated, expressed as a filetime.
+- **RunGeneralTel** Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic.
+- **RunOnline** Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
+- **RunResult** The hresult of the Appraiser telemetry run.
+- **SendingUtc** Indicates if the Appraiser client is sending events during the current telemetry run.
+- **StoreHandleIsNotNull** Obsolete, always set to false
+- **TelementrySent** Indicates if telemetry was successfully sent.
+- **ThrottlingUtc** Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability.
+- **Time** The client time of the event.
+- **VerboseMode** Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
+- **WhyFullSyncWithoutTablePrefix** Indicates the reason or reasons that a full sync was generated.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmAdd
+
+This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+- **BlockingApplication** Same as NeedsDismissAction.
+- **NeedsDismissAction** Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation.
+- **WmdrmApiResult** Raw value of the API used to gather DRM state.
+- **WmdrmCdRipped** Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs.
+- **WmdrmIndicators** WmdrmCdRipped OR WmdrmPurchased.
+- **WmdrmInUse** WmdrmIndicators AND dismissible block in setup was not dismissed.
+- **WmdrmNonPermanent** Indicates if the system has any files with non-permanent licenses.
+- **WmdrmPurchased** Indicates if the system has any files with permanent licenses.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmRemove
+
+This event indicates that the Wmdrm object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmStartSync
+
+This event indicates that a new set of WmdrmAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AppraiserVersion** The version of the Appraiser file that is generating the events.
+
+
+## Census events
+
+### Census.App
+
+Provides information on IE and Census versions running on the device
+
+The following fields are available:
+
+- **AppraiserEnterpriseErrorCode** The error code of the last Appraiser enterprise run.
+- **AppraiserErrorCode** The error code of the last Appraiser run.
+- **AppraiserRunEndTimeStamp** The end time of the last Appraiser run.
+- **AppraiserRunIsInProgressOrCrashed** Flag that indicates if the Appraiser run is in progress or has crashed.
+- **AppraiserRunStartTimeStamp** The start time of the last Appraiser run.
+- **AppraiserTaskEnabled** Whether the Appraiser task is enabled.
+- **AppraiserTaskExitCode** The Appraiser task exist code.
+- **AppraiserTaskLastRun** The last runtime for the Appraiser task.
+- **CensusVersion** The version of Census that generated the current data for this device.
+- **IEVersion** IE version running on the device.
+
+
+### Census.Battery
+
+This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date.
+
+The following fields are available:
+
+- **InternalBatteryCapablities** Represents information about what the battery is capable of doing.
+- **InternalBatteryCapacityCurrent** Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear.
+- **InternalBatteryCapacityDesign** Represents the theoretical capacity of the battery when new, in mWh.
+- **InternalBatteryNumberOfCharges** Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance.
+- **IsAlwaysOnAlwaysConnectedCapable** Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value.
+
+
+### Census.Camera
+
+This event sends data about the resolution of cameras on the device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FrontFacingCameraResolution** Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0.
+- **RearFacingCameraResolution** Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0.
+
+
+### Census.Enterprise
+
+This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment.
+
+The following fields are available:
+
+- **AADDeviceId** Azure Active Directory device ID.
+- **AzureOSIDPresent** Represents the field used to identify an Azure machine.
+- **AzureVMType** Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
+- **CDJType** Represents the type of cloud domain joined for the machine.
+- **CommercialId** Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers.
+- **ContainerType** The type of container, such as process or virtual machine hosted.
+- **EnrollmentType** Defines the type of MDM enrollment on the device.
+- **HashedDomain** The hashed representation of the user domain used for login.
+- **IsCloudDomainJoined** Is this device joined to an Azure Active Directory (AAD) tenant? true/false
+- **IsDERequirementMet** Represents if the device can do device encryption.
+- **IsDeviceProtected** Represents if Device protected by BitLocker/Device Encryption
+- **IsDomainJoined** Indicates whether a machine is joined to a domain.
+- **IsEDPEnabled** Represents if Enterprise data protected on the device.
+- **IsMDMEnrolled** Whether the device has been MDM Enrolled or not.
+- **MPNId** Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
+- **SCCMClientId** This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment.
+- **ServerFeatures** Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
+- **SystemCenterID** The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier
+
+
+### Census.Firmware
+
+This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FirmwareManufacturer** Represents the manufacturer of the device's firmware (BIOS).
+- **FirmwareReleaseDate** Represents the date the current firmware was released.
+- **FirmwareType** Represents the firmware type. The various types can be unknown, BIOS, UEFI.
+- **FirmwareVersion** Represents the version of the current firmware.
+
+
+### Census.Flighting
+
+This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up to date.
+
+The following fields are available:
+
+- **DeviceSampleRate** The telemetry sample rate assigned to the device.
+- **EnablePreviewBuilds** Used to enable Windows Insider builds on a device.
+- **FlightIds** A list of the different Windows Insider builds on this device.
+- **FlightingBranchName** The name of the Windows Insider branch currently used by the device.
+- **IsFlightsDisabled** Represents if the device is participating in the Windows Insider program.
+- **MSA_Accounts** Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device.
+- **SSRK** Retrieves the mobile targeting settings.
+
+
+### Census.Hardware
+
+This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ActiveMicCount** The number of active microphones attached to the device.
+- **ChassisType** Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36.
+- **ComputerHardwareID** Identifies a device class that is represented by a hash of different SMBIOS fields.
+- **D3DMaxFeatureLevel** Supported Direct3D version.
+- **DeviceForm** Indicates the form as per the device classification.
+- **DeviceName** The device name that is set by the user.
+- **DigitizerSupport** Is a digitizer supported?
+- **DUID** The device unique ID.
+- **Gyroscope** Indicates whether the device has a gyroscope (a mechanical component that measures and maintains orientation).
+- **InventoryId** The device ID used for compatibility testing.
+- **Magnetometer** Indicates whether the device has a magnetometer (a mechanical component that works like a compass).
+- **NFCProximity** Indicates whether the device supports NFC (a set of communication protocols that helps establish communication when applicable devices are brought close together.)
+- **OEMDigitalMarkerFileName** The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device.
+- **OEMManufacturerName** The device manufacturer name. The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date.
+- **OEMModelBaseBoard** The baseboard model used by the OEM.
+- **OEMModelBaseBoardVersion** Differentiates between developer and retail devices.
+- **OEMModelName** The device model name.
+- **OEMModelNumber** The device model number.
+- **OEMModelSKU** The device edition that is defined by the manufacturer.
+- **OEMModelSystemFamily** The system family set on the device by an OEM.
+- **OEMModelSystemVersion** The system model version set on the device by the OEM.
+- **OEMOptionalIdentifier** A Microsoft assigned value that represents a specific OEM subsidiary.
+- **OEMSerialNumber** The serial number of the device that is set by the manufacturer.
+- **PhoneManufacturer** The friendly name of the phone manufacturer.
+- **PowerPlatformRole** The OEM preferred power management profile. It's used to help to identify the basic form factor of the device.
+- **SoCName** The firmware manufacturer of the device.
+- **StudyID** Used to identify retail and non-retail device.
+- **TelemetryLevel** The telemetry level the user has opted into, such as Basic or Enhanced.
+- **TelemetryLevelLimitEnhanced** The telemetry level for Windows Analytics-based solutions.
+- **TelemetrySettingAuthority** Determines who set the telemetry level, such as GP, MDM, or the user.
+- **TPMManufacturerId** The ID of the TPM manufacturer.
+- **TPMManufacturerVersion** The version of the TPM manufacturer.
+- **TPMVersion** The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0.
+- **VoiceSupported** Does the device have a cellular radio capable of making voice calls?
+
+
+### Census.Memory
+
+This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date.
+
+The following fields are available:
+
+- **TotalPhysicalRAM** Represents the physical memory (in MB).
+- **TotalVisibleMemory** Represents the memory that is not reserved by the system.
+
+
+### Census.Network
+
+This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date.
+
+The following fields are available:
+
+- **IMEI0** Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **IMEI1** Represents the International Mobile Station Equipment Identity.
This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **MCC0** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MCC1** Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MEID** Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user.
+- **MNC0** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MNC1** Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MobileOperatorBilling** Represents the telephone company that provides services for mobile phone users.
+- **MobileOperatorCommercialized** Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US.
+- **MobileOperatorNetwork0** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone).
The two fields represent phone with dual sim coverage.
+- **MobileOperatorNetwork1** Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
+- **NetworkAdapterGUID** The GUID of the primary network adapter.
+- **NetworkCost** Represents the network cost associated with a connection.
+- **SPN0** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage.
+- **SPN1** Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage.
+
+
+### Census.PrivacySettings
+
+This event provides information about the device level privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represent the authority that set the value. The effective consent (first 8 bits) is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt.
The consent authority (last 8 bits) is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = system, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings.
+
+The following fields are available:
+
+- **Activity** Current state of the activity history setting.
+- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting.
+- **ActivityHistoryCollection** Current state of the activity history collection setting.
+- **AdvertisingId** Current state of the advertising ID setting.
+- **AppDiagnostics** Current state of the app diagnostics setting.
+- **Appointments** Current state of the calendar setting.
+- **AppointmentsSystem** Current state of the calendar setting.
+- **Bluetooth** Current state of the Bluetooth capability setting.
+- **BluetoothSync** Current state of the Bluetooth sync capability setting.
+- **BroadFileSystemAccess** Current state of the broad file system access setting.
+- **CellularData** Current state of the cellular data capability setting.
+- **Chat** Current state of the chat setting.
+- **ChatSystem** Current state of the chat setting.
+- **Contacts** Current state of the contacts setting.
+- **ContactsSystem** Current state of the Contacts setting.
+- **DocumentsLibrary** Current state of the documents library setting.
+- **Email** Current state of the email setting.
+- **EmailSystem** Current state of the email setting.
+- **FindMyDevice** Current state of the "find my device" setting.
+- **GazeInput** Current state of the gaze input setting.
+- **HumanInterfaceDevice** Current state of the human interface device setting.
+- **InkTypeImprovement** Current state of the improve inking and typing setting.
+- **Location** Current state of the location setting.
+- **LocationHistory** Current state of the location history setting.
+- **LocationHistoryCloudSync** Current state of the location history cloud sync setting.
+- **LocationHistoryOnTimeline** Current state of the location history on timeline setting.
+- **Microphone** Current state of the microphone setting.
+- **PhoneCall** Current state of the phone call setting.
+- **PhoneCallHistory** Current state of the call history setting.
+- **PhoneCallHistorySystem** Current state of the call history setting.
+- **PicturesLibrary** Current state of the pictures library setting.
+- **Radios** Current state of the radios setting.
+- **SensorsCustom** Current state of the custom sensor setting.
+- **SerialCommunication** Current state of the serial communication setting.
+- **Sms** Current state of the text messaging setting.
+- **SpeechPersonalization** Current state of the speech services setting.
+- **USB** Current state of the USB setting.
+- **UserAccountInformation** Current state of the account information setting.
+- **UserDataTasks** Current state of the tasks setting.
+- **UserDataTasksSystem** Current state of the tasks setting.
+- **UserNotificationListener** Current state of the notifications setting.
+- **VideosLibrary** Current state of the videos library setting.
+- **Webcam** Current state of the camera setting.
+- **WiFiDirect** Current state of the Wi-Fi direct setting.
+
+
+### Census.Processor
+
+Provides information on several important data points about Processor settings
+
+The following fields are available:
+
+- **KvaShadow** Microcode info of the processor.
+- **MMSettingOverride** Microcode setting of the processor.
+- **MMSettingOverrideMask** Microcode setting override of the processor.
+- **PreviousUpdateRevision** Previous microcode revision
+- **ProcessorArchitecture** Retrieves the processor architecture of the installed operating system.
+- **ProcessorClockSpeed** Clock speed of the processor in MHz.
+- **ProcessorCores** Number of logical cores in the processor.
+- **ProcessorIdentifier** Processor Identifier of a manufacturer.
+- **ProcessorManufacturer** Name of the processor manufacturer.
+- **ProcessorModel** Name of the processor model.
+- **ProcessorPhysicalCores** Number of physical cores in the processor.
+- **ProcessorUpdateRevision** Microcode revision
+- **ProcessorUpdateStatus** Enum value that represents the processor microcode load status
+- **SocketCount** Count of CPU sockets.
+- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability.
+
+
+### Census.Security
+
+This event provides information on about security settings used to help keep Windows up to date and secure.
+
+The following fields are available:
+
+- **AvailableSecurityProperties** This field helps to enumerate and report state on the relevant security properties for Device Guard.
+- **CGRunning** Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running.
+- **DGState** This field summarizes the Device Guard state.
+- **HVCIRunning** Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running.
+- **IsSawGuest** Indicates whether the device is running as a Secure Admin Workstation Guest.
+- **IsSawHost** Indicates whether the device is running as a Secure Admin Workstation Host.
+- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security.
+- **SecureBootCapable** Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting.
+- **SModeState** The Windows S mode trail state.
+- **VBSState** Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation. VBS has a tri-state that can be Disabled, Enabled, or Running.
+
+
+### Census.Speech
+
+This event is used to gather basic speech settings on the device.
+
+The following fields are available:
+
+- **AboveLockEnabled** Cortana setting that represents if Cortana can be invoked when the device is locked.
+- **GPAllowInputPersonalization** Indicates if a Group Policy setting has enabled speech functionalities.
+- **HolographicSpeechInputDisabled** Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user.
+- **HolographicSpeechInputDisabledRemote** Indicates if a remote policy has disabled speech functionalities for the HMD devices.
+- **KeyVer** Version information for the census speech event.
+- **KWSEnabled** Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS).
+- **MDMAllowInputPersonalization** Indicates if an MDM policy has enabled speech functionalities.
+- **RemotelyManaged** Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities.
+- **SpeakerIdEnabled** Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice.
+- **SpeechServicesEnabled** Windows setting that represents whether a user is opted-in for speech services on the device.
+- **SpeechServicesValueSource** Indicates the deciding factor for the effective online speech recognition privacy policy settings: remote admin, local admin, or user preference.
+
+
+### Census.Storage
+
+This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date.
+
+The following fields are available:
+
+- **PrimaryDiskTotalCapacity** Retrieves the amount of disk space on the primary disk of the device in MB.
+- **PrimaryDiskType** Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any).
+- **SystemVolumeTotalCapacity** Retrieves the size of the partition that the System volume is installed on in MB.
+
+
+### Census.Userdefault
+
+This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date.
+
+The following fields are available:
+
+- **DefaultApp** The current uer's default program selected for the following extension or protocol: .html, .htm, .jpg, .jpeg, .png, .mp3, .mp4, .mov, .pdf.
+- **DefaultBrowserProgId** The ProgramId of the current user's default browser.
+
+
+### Census.UserDisplay
+
+This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date.
+
+The following fields are available:
+
+- **InternalPrimaryDisplayLogicalDPIX** Retrieves the logical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayLogicalDPIY** Retrieves the logical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIX** Retrieves the physical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIY** Retrieves the physical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayResolutionHorizontal** Retrieves the number of pixels in the horizontal direction of the internal display.
+- **InternalPrimaryDisplayResolutionVertical** Retrieves the number of pixels in the vertical direction of the internal display.
+- **InternalPrimaryDisplaySizePhysicalH** Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches .
+- **InternalPrimaryDisplaySizePhysicalY** Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches
+- **NumberofExternalDisplays** Retrieves the number of external displays connected to the machine
+- **NumberofInternalDisplays** Retrieves the number of internal displays in a machine.
+- **VRAMDedicated** Retrieves the video RAM in MB.
+- **VRAMDedicatedSystem** Retrieves the amount of memory on the dedicated video card.
+- **VRAMSharedSystem** Retrieves the amount of RAM memory that the video card can use.
+
+
+### Census.UserNLS
+
+This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date.
+
+The following fields are available:
+
+- **DefaultAppLanguage** The current user Default App Language.
+- **DisplayLanguage** The current user preferred Windows Display Language.
+- **HomeLocation** The current user location, which is populated using GetUserGeoId() function.
+- **KeyboardInputLanguages** The Keyboard input languages installed on the device.
+- **SpeechInputLanguages** The Speech Input languages installed on the device.
+
+
+### Census.UserPrivacySettings
+
+This event provides information about the current users privacy settings and whether device-level access was granted to these capabilities. Not all settings are applicable to all devices. Each field records the consent state for the corresponding privacy setting. The consent state is encoded as a 16-bit signed integer, where the first 8 bits represents the effective consent value, and the last 8 bits represents the authority that set the value. The effective consent is one of the following values: -3 = unexpected consent value, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = undefined, 1 = allow, 2 = deny, 3 = prompt. The consent authority is one of the following values: -3 = unexpected authority, -2 = value was not requested, -1 = an error occurred while attempting to retrieve the value, 0 = user, 1 = a higher authority (a gating setting, the system-wide setting, or a group policy), 2 = advertising ID group policy, 3 = advertising ID policy for child account, 4 = privacy setting provider doesn't know the actual consent authority, 5 = consent was not configured and a default set in code was used, 6 = system default, 7 = organization policy, 8 = OneSettings.
+
+The following fields are available:
+
+- **Activity** Current state of the activity history setting.
+- **ActivityHistoryCloudSync** Current state of the activity history cloud sync setting.
+- **ActivityHistoryCollection** Current state of the activity history collection setting.
+- **AdvertisingId** Current state of the advertising ID setting.
+- **AppDiagnostics** Current state of the app diagnostics setting.
+- **Appointments** Current state of the calendar setting.
+- **AppointmentsSystem** Current state of the calendar setting.
+- **Bluetooth** Current state of the Bluetooth capability setting.
+- **BluetoothSync** Current state of the Bluetooth sync capability setting.
+- **BroadFileSystemAccess** Current state of the broad file system access setting.
+- **CellularData** Current state of the cellular data capability setting.
+- **Chat** Current state of the chat setting.
+- **ChatSystem** Current state of the chat setting.
+- **Contacts** Current state of the contacts setting.
+- **ContactsSystem** Current state of the contacts setting.
+- **DocumentsLibrary** Current state of the documents library setting.
+- **Email** Current state of the email setting.
+- **EmailSystem** Current state of the email setting.
+- **GazeInput** Current state of the gaze input setting.
+- **HumanInterfaceDevice** Current state of the human interface device setting.
+- **InkTypeImprovement** Current state of the improve inking and typing setting.
+- **InkTypePersonalization** Current state of the inking and typing personalization setting.
+- **Location** Current state of the location setting.
+- **LocationHistory** Current state of the location history setting.
+- **LocationHistoryCloudSync** Current state of the location history cloud synchronization setting.
+- **LocationHistoryOnTimeline** Current state of the location history on timeline setting.
+- **Microphone** Current state of the microphone setting.
+- **PhoneCall** Current state of the phone call setting.
+- **PhoneCallHistory** Current state of the call history setting.
+- **PhoneCallHistorySystem** Current state of the call history setting.
+- **PicturesLibrary** Current state of the pictures library setting.
+- **Radios** Current state of the radios setting.
+- **SensorsCustom** Current state of the custom sensor setting.
+- **SerialCommunication** Current state of the serial communication setting.
+- **Sms** Current state of the text messaging setting.
+- **SpeechPersonalization** Current state of the speech services setting.
+- **USB** Current state of the USB setting.
+- **UserAccountInformation** Current state of the account information setting.
+- **UserDataTasks** Current state of the tasks setting.
+- **UserDataTasksSystem** Current state of the tasks setting.
+- **UserNotificationListener** Current state of the notifications setting.
+- **VideosLibrary** Current state of the videos library setting.
+- **Webcam** Current state of the camera setting.
+- **WiFiDirect** Current state of the Wi-Fi direct setting.
+
+
+### Census.VM
+
+This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date.
+
+The following fields are available:
+
+- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within.
+- **HyperVisor** Retrieves whether the current OS is running on top of a Hypervisor.
+- **IOMMUPresent** Represents if an input/output memory management unit (IOMMU) is present.
+- **IsVDI** Is the device using Virtual Desktop Infrastructure?
+- **IsVirtualDevice** Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors.
+- **SLATSupported** Represents whether Second Level Address Translation (SLAT) is supported by the hardware.
+- **VirtualizationFirmwareEnabled** Represents whether virtualization is enabled in the firmware.
+
+
+### Census.WU
+
+This event sends data about the Windows update server and other App store policies, to help keep Windows up to date.
+
+The following fields are available:
+
+- **AppraiserGatedStatus** Indicates whether a device has been gated for upgrading.
+- **AppStoreAutoUpdate** Retrieves the Appstore settings for auto upgrade. (Enable/Disabled).
+- **AppStoreAutoUpdateMDM** Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured.
Default: [2] Not configured
+- **AppStoreAutoUpdatePolicy** Retrieves the Microsoft Store App Auto Update group policy setting
+- **DelayUpgrade** Retrieves the Windows upgrade flag for delaying upgrades.
+- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it?
+- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update?
+- **OSAssessmentForQualityUpdate** Is the device on the latest quality update?
+- **OSAssessmentForSecurityUpdate** Is the device on the latest security update?
+- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it?
+- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment.
+- **OSRollbackCount** The number of times feature updates have rolled back on the device.
+- **OSRolledBack** A flag that represents when a feature update has rolled back during setup.
+- **OSUninstalled** A flag that represents when a feature update is uninstalled on a device .
+- **OSWUAutoUpdateOptions** Retrieves the auto update settings on the device.
+- **OSWUAutoUpdateOptionsSource** The source of auto update setting that appears in the OSWUAutoUpdateOptions field. For example: Group Policy (GP), Mobile Device Management (MDM), and Default.
+- **UninstallActive** A flag that represents when a device has uninstalled a previous upgrade recently.
+- **UpdateServiceURLConfigured** Retrieves if the device is managed by Windows Server Update Services (WSUS).
+- **WUDeferUpdatePeriod** Retrieves if deferral is set for Updates.
+- **WUDeferUpgradePeriod** Retrieves if deferral is set for Upgrades.
+- **WUDODownloadMode** Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network.
+- **WUMachineId** Retrieves the Windows Update (WU) Machine Identifier.
+- **WUPauseState** Retrieves WU setting to determine if updates are paused.
+- **WUServer** Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
+
+
+### Census.Xbox
+
+This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date.
+
+The following fields are available:
+
+- **XboxConsolePreferredLanguage** Retrieves the preferred language selected by the user on Xbox console.
+- **XboxConsoleSerialNumber** Retrieves the serial number of the Xbox console.
+- **XboxLiveDeviceId** Retrieves the unique device ID of the console.
+- **XboxLiveSandboxId** Retrieves the developer sandbox ID if the device is internal to Microsoft.
+
+
+## Common data extensions
+
+### Common Data Extensions.app
+
+Describes the properties of the running application. This extension could be populated by a client app or a web app.
+
+The following fields are available:
+
+- **asId** An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session.
+- **env** The environment from which the event was logged.
+- **expId** Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event.
+- **id** Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application.
+- **locale** The locale of the app.
+- **name** The name of the app.
+- **userId** The userID as known by the application.
+- **ver** Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app.
+
+
+### Common Data Extensions.container
+
+Describes the properties of the container for events logged within a container.
+
+The following fields are available:
+
+- **epoch** An ID that's incremented for each SDK initialization.
+- **localId** The device ID as known by the client.
+- **osVer** The operating system version.
+- **seq** An ID that's incremented for each event.
+- **type** The container type. Examples: Process or VMHost
+
+
+### Common Data Extensions.cs
+
+Describes properties related to the schema of the event.
+
+The following fields are available:
+
+- **sig** A common schema signature that identifies new and modified event schemas.
+
+
+### Common Data Extensions.device
+
+Describes the device-related fields.
+
+The following fields are available:
+
+- **deviceClass** The device classification. For example, Desktop, Server, or Mobile.
+- **localId** A locally-defined unique ID for the device. This is not the human-readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId
+- **make** Device manufacturer.
+- **model** Device model.
+
+
+### Common Data Extensions.Envelope
+
+Represents an envelope that contains all of the common data extensions.
+
+The following fields are available:
+
+- **cV** Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries.
+- **data** Represents the optional unique diagnostic data for a particular event schema.
+- **ext_app** Describes the properties of the running application. This extension could be populated by either a client app or a web app. See [Common Data Extensions.app](#common-data-extensionsapp).
+- **ext_container** Describes the properties of the container for events logged within a container. See [Common Data Extensions.container](#common-data-extensionscontainer).
+- **ext_cs** Describes properties related to the schema of the event. See [Common Data Extensions.cs](#common-data-extensionscs).
+- **ext_device** Describes the device-related fields.
See [Common Data Extensions.device](#common-data-extensionsdevice).
+- **ext_os** Describes the operating system properties that would be populated by the client. See [Common Data Extensions.os](#common-data-extensionsos).
+- **ext_receipts** Describes the fields related to time as provided by the client for debugging purposes. See [Common Data Extensions.receipts](#common-data-extensionsreceipts).
+- **ext_sdk** Describes the fields related to a platform library required for a specific SDK. See [Common Data Extensions.sdk](#common-data-extensionssdk).
+- **ext_user** Describes the fields related to a user. See [Common Data Extensions.user](#common-data-extensionsuser).
+- **ext_utc** Describes the fields that might be populated by a logging library on Windows. See [Common Data Extensions.utc](#common-data-extensionsutc).
+- **ext_xbl** Describes the fields related to XBOX Live. See [Common Data Extensions.xbl](#common-data-extensionsxbl).
+- **flags** Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency.
+- **iKey** Represents an ID for applications or other logical groupings of events.
+- **name** Represents the uniquely qualified name for the event.
+- **popSample** Represents the effective sample rate for this event at the time it was generated by a client.
+- **time** Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format.
+- **ver** Represents the major and minor version of the extension.
+
+
+### Common Data Extensions.os
+
+Describes some properties of the operating system.
+
+The following fields are available:
+
+- **bootId** An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot.
+- **expId** Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema.
+- **locale** Represents the locale of the operating system.
+- **name** Represents the operating system name.
+- **ver** Represents the major and minor version of the extension.
+
+
+### Common Data Extensions.receipts
+
+Represents various time information as provided by the client and helps for debugging purposes.
+
+The following fields are available:
+
+- **originalTime** The original event time.
+- **uploadTime** The time the event was uploaded.
+
+
+### Common Data Extensions.sdk
+
+Used by platform specific libraries to record fields that are required for a specific SDK.
+
+The following fields are available:
+
+- **epoch** An ID that is incremented for each SDK initialization.
+- **installId** An ID that's created during the initialization of the SDK for the first time.
+- **libVer** The SDK version.
+- **seq** An ID that is incremented for each event.
+
+
+### Common Data Extensions.user
+
+Describes the fields related to a user.
+
+The following fields are available:
+
+- **authId** This is an ID of the user associated with this event that is deduced from a token such as a Microsoft Account ticket or an XBOX token.
+- **locale** The language and region.
+- **localId** Represents a unique user identity that is created locally and added by the client. This is not the user's account ID.
+
+
+### Common Data Extensions.utc
+
+Describes the properties that could be populated by a logging library on Windows.
+
+The following fields are available:
+
+- **aId** Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW.
+- **bSeq** Upload buffer sequence number in the format: buffer identifier:sequence number
+- **cat** Represents a bitmask of the ETW Keywords associated with the event.
+- **cpId** The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer.
+- **epoch** Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **flags** Represents the bitmap that captures various Windows specific flags.
+- **mon** Combined monitor and event sequence numbers in the format: monitor sequence : event sequence
+- **op** Represents the ETW Op Code.
+- **raId** Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW.
+- **seq** Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue. The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **stId** Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID.
+
+
+### Common Data Extensions.xbl
+
+Describes the fields that are related to XBOX Live.
+
+The following fields are available:
+
+- **claims** Any additional claims whose short claim name hasn't been added to this structure.
+- **did** XBOX device ID
+- **dty** XBOX device type
+- **dvr** The version of the operating system on the device.
+- **eid** A unique ID that represents the developer entity.
+- **exp** Expiration time
+- **ip** The IP address of the client device.
+- **nbf** Not before time
+- **pid** A comma separated list of PUIDs listed as base10 numbers.
+- **sbx** XBOX sandbox identifier
+- **sid** The service instance ID.
+- **sty** The service type.
+- **tid** The XBOX Live title ID.
+- **tvr** The XBOX Live title version.
+- **uts** A bit field, with 2 bits being assigned to each user ID listed in xid.
This field is omitted if all users are retail accounts.
+- **xid** A list of base10-encoded XBOX User IDs.
+
+
+## Common data fields
+
+### Ms.Device.DeviceInventoryChange
+
+Describes the installation state for all hardware and software components available on a particular device.
+
+The following fields are available:
+
+- **action** The change that was invoked on a device inventory object.
+- **inventoryId** Device ID used for Compatibility testing
+- **objectInstanceId** Object identity which is unique within the device scope.
+- **objectType** Indicates the object type that the event applies to.
+- **syncId** A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
+
+
+## Component-based servicing events
+
+### CbsServicingProvider.CbsLateAcquisition
+
+This event sends data to indicate if some Operating System packages could not be updated as part of an upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **Features** The list of feature packages that could not be updated.
+- **RetryID** The ID identifying the retry attempt to update the listed packages.
+
+
+## Deployment extensions
+
+### DeploymentTelemetry.Deployment_End
+
+This event indicates that a Deployment 360 API has completed.
+
+The following fields are available:
+
+- **ClientId** Client ID of the user utilizing the D360 API.
+- **ErrorCode** Error code of action.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **Mode** Phase in upgrade.
+- **RelatedCV** The correction vector (CV) of any other related events
+- **Result** End result of the action.
+
+
+### DeploymentTelemetry.Deployment_SetupBoxLaunch
+
+This event indicates that the Deployment 360 APIs have launched Setup Box.
+
+The following fields are available:
+
+- **ClientId** The client ID of the user utilizing the D360 API.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **Quiet** Whether Setup will run in quiet mode or full mode.
+- **RelatedCV** The correlation vector (CV) of any other related events.
+- **SetupMode** The current setup phase.
+
+
+### DeploymentTelemetry.Deployment_SetupBoxResult
+
+This event indicates that the Deployment 360 APIs have received a return from Setup Box.
+
+The following fields are available:
+
+- **ClientId** Client ID of the user utilizing the D360 API.
+- **ErrorCode** Error code of the action.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **Quiet** Indicates whether Setup will run in quiet mode or full mode.
+- **RelatedCV** The correlation vector (CV) of any other related events.
+- **SetupMode** The current Setup phase.
+
+
+### DeploymentTelemetry.Deployment_Start
+
+This event indicates that a Deployment 360 API has been called.
+
+The following fields are available:
+
+- **ClientId** Client ID of the user utilizing the D360 API.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **Mode** The current phase of the upgrade.
+- **RelatedCV** The correlation vector (CV) of any other related events.
+
+
+## Diagnostic data events
+
+### TelClientSynthetic.AbnormalShutdown_0
+
+This event sends data about boot IDs for which a normal clean shutdown was not observed, to help keep Windows up to date.
+
+The following fields are available:
+
+- **AbnormalShutdownBootId** BootId of the abnormal shutdown being reported by this event.
+- **AcDcStateAtLastShutdown** Identifies if the device was on battery or plugged in.
+- **BatteryLevelAtLastShutdown** The last recorded battery level.
+- **BatteryPercentageAtLastShutdown** The battery percentage at the last shutdown.
+- **CrashDumpEnabled** Are crash dumps enabled?
+- **CumulativeCrashCount** Cumulative count of operating system crashes since the BootId reset.
+- **CurrentBootId** BootId at the time the abnormal shutdown event was being reported.
+- **Firmwaredata->ResetReasonEmbeddedController** The reset reason that was supplied by the firmware.
+- **Firmwaredata->ResetReasonEmbeddedControllerAdditional** Additional data related to reset reason provided by the firmware.
+- **Firmwaredata->ResetReasonPch** The reset reason that was supplied by the hardware.
+- **Firmwaredata->ResetReasonPchAdditional** Additional data related to the reset reason supplied by the hardware.
+- **Firmwaredata->ResetReasonSupplied** Indicates whether the firmware supplied any reset reason or not.
+- **FirmwareType** ID of the FirmwareType as enumerated in DimFirmwareType.
+- **HardwareWatchdogTimerGeneratedLastReset** Indicates whether the hardware watchdog timer caused the last reset.
+- **HardwareWatchdogTimerPresent** Indicates whether hardware watchdog timer was present or not.
+- **LastBugCheckBootId** bootId of the last captured crash.
+- **LastBugCheckCode** Code that indicates the type of error.
+- **LastBugCheckContextFlags** Additional crash dump settings.
+- **LastBugCheckOriginalDumpType** The type of crash dump the system intended to save.
+- **LastBugCheckOtherSettings** Other crash dump settings.
+- **LastBugCheckParameter1** The first parameter with additional info on the type of the error.
+- **LastBugCheckProgress** Progress towards writing out the last crash dump.
+- **LastBugCheckVersion** The version of the information struct written during the crash.
+- **LastSuccessfullyShutdownBootId** BootId of the last fully successful shutdown.
+- **LongPowerButtonPressDetected** Identifies if the user was pressing and holding power button.
+- **OOBEInProgress** Identifies if OOBE is running.
+- **OSSetupInProgress** Identifies if the operating system setup is running.
+- **PowerButtonCumulativePressCount** How many times has the power button been pressed?
+- **PowerButtonCumulativeReleaseCount** How many times has the power button been released?
+- **PowerButtonErrorCount** Indicates the number of times there was an error attempting to record power button metrics.
+- **PowerButtonLastPressBootId** BootId of the last time the power button was pressed.
+- **PowerButtonLastPressTime** Date and time of the last time the power button was pressed.
+- **PowerButtonLastReleaseBootId** BootId of the last time the power button was released.
+- **PowerButtonLastReleaseTime** Date and time of the last time the power button was released.
+- **PowerButtonPressCurrentCsPhase** Represents the phase of Connected Standby exit when the power button was pressed.
+- **PowerButtonPressIsShutdownInProgress** Indicates whether a system shutdown was in progress at the last time the power button was pressed.
+- **PowerButtonPressLastPowerWatchdogStage** Progress while the monitor is being turned on.
+- **PowerButtonPressPowerWatchdogArmed** Indicates whether or not the watchdog for the monitor was active at the time of the last power button press.
+- **ShutdownDeviceType** Identifies who triggered a shutdown. Is it because of battery, thermal zones, or through a Kernel API.
+- **SleepCheckpoint** Provides the last checkpoint when there is a failure during a sleep transition.
+- **SleepCheckpointSource** Indicates whether the source is the EFI variable or bootstat file.
+- **SleepCheckpointStatus** Indicates whether the checkpoint information is valid.
+- **StaleBootStatData** Identifies if the data from bootstat is stale.
+- **TransitionInfoBootId** BootId of the captured transition info.
+- **TransitionInfoCSCount** l number of times the system transitioned from Connected Standby mode.
+- **TransitionInfoCSEntryReason** Indicates the reason the device last entered Connected Standby mode.
+- **TransitionInfoCSExitReason** Indicates the reason the device last exited Connected Standby mode.
+- **TransitionInfoCSInProgress** At the time the last marker was saved, the system was in or entering Connected Standby mode.
+- **TransitionInfoLastReferenceTimeChecksum** The checksum of TransitionInfoLastReferenceTimestamp,
+- **TransitionInfoLastReferenceTimestamp** The date and time that the marker was last saved.
+- **TransitionInfoLidState** Describes the state of the laptop lid.
+- **TransitionInfoPowerButtonTimestamp** The date and time of the last time the power button was pressed.
+- **TransitionInfoSleepInProgress** At the time the last marker was saved, the system was in or entering sleep mode.
+- **TransitionInfoSleepTranstionsToOn** Total number of times the device transitioned from sleep mode.
+- **TransitionInfoSystemRunning** At the time the last marker was saved, the device was running.
+- **TransitionInfoSystemShutdownInProgress** Indicates whether a device shutdown was in progress when the power button was pressed.
+- **TransitionInfoUserShutdownInProgress** Indicates whether a user shutdown was in progress when the power button was pressed.
+- **TransitionLatestCheckpointId** Represents a unique identifier for a checkpoint during the device state transition.
+- **TransitionLatestCheckpointSeqNumber** Represents the chronological sequence number of the checkpoint.
+- **TransitionLatestCheckpointType** Represents the type of the checkpoint, which can be the start of a phase, end of a phase, or just informational.
+- **VirtualMachineId** If the operating system is on a virtual Machine, it gives the virtual Machine ID (GUID) that can be used to correlate events on the host.
+
+
+### TelClientSynthetic.HeartBeat_5
+
+This event sends data about the health and quality of the diagnostic data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device.
+
+The following fields are available:
+
+- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host/agent channel.
+- **CensusExitCode** The last exit code of the Census task.
+- **CensusStartTime** Time of last Census run.
+- **CensusTaskEnabled** True if Census is enabled, false otherwise.
+- **CompressedBytesUploaded** Number of compressed bytes uploaded.
+- **ConsumerDroppedCount** Number of events dropped at consumer layer of telemetry client.
+- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer.
+- **CriticalDataThrottleDroppedCount** The number of critical data sampled events that were dropped because of throttling.
+- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event DB.
+- **DbCriticalDroppedCount** Total number of dropped critical events in event DB.
+- **DbDroppedCount** Number of events dropped due to DB fullness.
+- **DbDroppedFailureCount** Number of events dropped due to DB failures.
+- **DbDroppedFullCount** Number of events dropped due to DB fullness.
+- **DecodingDroppedCount** Number of events dropped due to decoding failures.
+- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated.
+- **EtwDroppedBufferCount** Number of buffers dropped in the UTC ETW session.
+- **EtwDroppedCount** Number of events dropped at ETW layer of telemetry client.
+- **EventsPersistedCount** Number of events that reached the PersistEvent stage.
+- **EventStoreLifetimeResetCounter** Number of times event DB was reset for the lifetime of UTC.
+- **EventStoreResetCounter** Number of times event DB was reset.
+- **EventStoreResetSizeSum** Total size of event DB across all resets reports in this instance.
+- **EventsUploaded** Number of events uploaded.
+- **Flags** Flags indicating device state such as network state, battery state, and opt-in state.
+- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full.
+- **HeartBeatSequenceNumber** The sequence number of this heartbeat.
+- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex.
+- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel.
+- **LastEventSizeOffender** Event name of last event which exceeded max event size.
+- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex.
+- **MaxActiveAgentConnectionCount** The maximum number of active agents during this heartbeat timeframe.
+- **MaxInUseScenarioCounter** Soft maximum number of scenarios loaded by UTC.
+- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events).
+- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer.
+- **SettingsHttpAttempts** Number of attempts to contact OneSettings service.
+- **SettingsHttpFailures** The number of failures from contacting the OneSettings service.
+- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers.
+- **TopUploaderErrors** List of top errors received from the upload endpoint.
+- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client.
+- **UploaderErrorCount** Number of errors received from the upload endpoint.
+- **VortexFailuresTimeout** The number of timeout failures received from Vortex.
+- **VortexHttpAttempts** Number of attempts to contact Vortex.
+- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex.
+- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex.
+- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400.
+- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event.
+
+
+### TelClientSynthetic.HeartBeat_Aria_5
+
+This event is the telemetry client ARIA heartbeat.
+
+The following fields are available:
+
+- **CompressedBytesUploaded** Number of compressed bytes uploaded.
+- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer.
+- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database.
+- **DbCriticalDroppedCount** Total number of dropped critical events in event database.
+- **DbDroppedCount** Number of events dropped at the database layer.
+- **DbDroppedFailureCount** Number of events dropped due to database failures.
+- **DbDroppedFullCount** Number of events dropped due to database being full.
+- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated.
+- **EventsPersistedCount** Number of events that reached the PersistEvent stage.
+- **EventStoreLifetimeResetCounter** Number of times the event store has been reset.
+- **EventStoreResetCounter** Number of times the event store has been reset during this heartbeat.
+- **EventStoreResetSizeSum** Size of event store reset in bytes.
+- **EventsUploaded** Number of events uploaded.
+- **HeartBeatSequenceNumber** The sequence number of this heartbeat.
+- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex.
+- **LastEventSizeOffender** Event name of last event which exceeded max event size.
+- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex.
+- **PreviousHeartBeatTime** The FILETIME of the previous heartbeat fire.
+- **RepeatedUploadFailureDropped** Number of events lost due to repeated upload failures for a single buffer.
+- **SettingsHttpAttempts** Number of attempts to contact OneSettings service.
+- **SettingsHttpFailures** Number of failures from contacting OneSettings service.
+- **TopUploaderErrors** List of top errors received from the upload endpoint.
+- **UploaderDroppedCount** Number of events dropped at the uploader layer of telemetry client.
+- **UploaderErrorCount** Number of errors received from the upload endpoint.
+- **VortexFailuresTimeout** Number of time out failures received from Vortex.
+- **VortexHttpAttempts** Number of attempts to contact Vortex.
+- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex.
+- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex.
+- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400.
+- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event.
+
+
+### TelClientSynthetic.HeartBeat_Seville_5
+
+This event is sent by the universal telemetry client (UTC) as a heartbeat signal for Sense.
+
+The following fields are available:
+
+- **AgentConnectionErrorsCount** Number of non-timeout errors associated with the host or agent channel.
+- **CompressedBytesUploaded** Number of compressed bytes uploaded.
+- **ConsumerDroppedCount** Number of events dropped at consumer layer of the telemetry client.
+- **CriticalDataDbDroppedCount** Number of critical data sampled events dropped at the database layer.
+- **CriticalDataThrottleDroppedCount** Number of critical data sampled events dropped due to throttling.
+- **CriticalOverflowEntersCounter** Number of times critical overflow mode was entered in event database.
+- **DailyUploadQuotaInBytes** Daily upload quota for Sense in bytes (only in in-proc mode).
+- **DbCriticalDroppedCount** Total number of dropped critical events in event database.
+- **DbDroppedCount** Number of events dropped due to database being full.
+- **DbDroppedFailureCount** Number of events dropped due to database failures.
+- **DbDroppedFullCount** Number of events dropped due to database being full.
+- **DecodingDroppedCount** Number of events dropped due to decoding failures.
+- **DiskSizeInBytes** Size of event store for Sense in bytes (only in in-proc mode).
+- **EnteringCriticalOverflowDroppedCounter** Number of events dropped due to critical overflow mode being initiated.
+- **EtwDroppedBufferCount** Number of buffers dropped in the universal telemetry client (UTC) event tracing for Windows (ETW) session.
+- **EtwDroppedCount** Number of events dropped at the event tracing for Windows (ETW) layer of telemetry client.
+- **EventsPersistedCount** Number of events that reached the PersistEvent stage.
+- **EventStoreLifetimeResetCounter** Number of times event the database was reset for the lifetime of the universal telemetry client (UTC).
+- **EventStoreResetCounter** Number of times the event database was reset.
+- **EventStoreResetSizeSum** Total size of the event database across all resets reports in this instance.
+- **EventsUploaded** Number of events uploaded.
+- **Flags** Flags indicating device state, such as network state, battery state, and opt-in state.
+- **FullTriggerBufferDroppedCount** Number of events dropped due to trigger buffer being full.
+- **HeartBeatSequenceNumber** The sequence number of this heartbeat.
+- **InvalidHttpCodeCount** Number of invalid HTTP codes received from contacting Vortex.
+- **LastAgentConnectionError** Last non-timeout error encountered in the host/agent channel.
+- **LastEventSizeOffender** Event name of last event which exceeded the maximum event size.
+- **LastInvalidHttpCode** Last invalid HTTP code received from Vortex.
+- **MaxActiveAgentConnectionCount** Maximum number of active agents during this heartbeat timeframe.
+- **NormalUploadTimerMillis** Number of milliseconds between each upload of normal events for SENSE (only in in-proc mode).
+- **PreviousHeartBeatTime** Time of last heartbeat event (allows chaining of events).
+- **RepeatedUploadFailureDropped** Number of events lost due to repeated failed uploaded attempts.
+- **SettingsHttpAttempts** Number of attempts to contact OneSettings service.
+- **SettingsHttpFailures** Number of failures from contacting the OneSettings service.
+- **ThrottledDroppedCount** Number of events dropped due to throttling of noisy providers.
+- **TopUploaderErrors** Top uploader errors, grouped by endpoint and error type.
+- **UploaderDroppedCount** Number of events dropped at the uploader layer of the telemetry client.
+- **UploaderErrorCount** Number of input for the TopUploaderErrors mode estimation.
+- **VortexFailuresTimeout** Number of time out failures received from Vortex.
+- **VortexHttpAttempts** Number of attempts to contact Vortex.
+- **VortexHttpFailures4xx** Number of 400-499 error codes received from Vortex.
+- **VortexHttpFailures5xx** Number of 500-599 error codes received from Vortex.
+- **VortexHttpResponseFailures** Number of Vortex responses that are not 2XX or 400.
+- **VortexHttpResponsesWithDroppedEvents** Number of Vortex responses containing at least 1 dropped event.
+
+
+## Direct to update events
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure
+
+This event indicatse that we have received an unexpected error in the Direct to Update (DTU) Coordinators CheckApplicability call.
+
+The following fields are available:
+
+- **CampaignID** ID of the campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Cleanup call.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run
+- **ClientID** Client ID being run
+- **CoordinatorVersion** Coordinator version of DTU
+- **CV** Correlation vector
+- **hResult** HRESULT of the failure
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCleanupSuccess
+
+This event indicates that the Coordinator Cleanup call succeeded.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run
+- **ClientID** Client ID being run
+- **CoordinatorVersion** Coordinator version of DTU
+- **CV** Correlation vector
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Commit call.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess
+
+This event indicates that the Coordinator Commit call succeeded.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Download call.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure
+
+This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Download call that will be ignored.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess
+
+This event indicates that the Coordinator Download call succeeded.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator HandleShutdown call.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinate version of DTU.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess
+
+This event indicates that the Coordinator HandleShutdown call succeeded.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Initialize call.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess
+
+This event indicates that the Coordinator Initialize call succeeded.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Coordinator Install call.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure
+
+This event indicates that we have received an error in the Direct to Update (DTU) Coordinator Install call that will be ignored.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess
+
+This event indicates that the Coordinator Install call succeeded.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack
+
+This event indicates that the Coordinator's progress callback has been called.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** Client ID being run.
+- **CoordinatorVersion** Coordinator version of DTU.
+- **CV** Correlation vector.
+- **DeployPhase** Current Deploy Phase.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess
+
+This event indicates that the Coordinator SetCommitReady call succeeded.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown
+
+This event indicates that the Coordinator WaitForRebootUi call succeeded.
+
+The following fields are available:
+
+- **CampaignID** Campaign ID being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection
+
+This event indicates that the user selected an option on the Reboot UI.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **rebootUiSelection** Selection on the Reboot UI.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess
+
+This event indicates that the Coordinator WaitForRebootUi call succeeded.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler CheckApplicabilityInternal call.
+
+The following fields are available:
+
+- **CampaignID** ID of the campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess
+
+This event indicates that the Handler CheckApplicabilityInternal call succeeded.
+
+The following fields are available:
+
+- **ApplicabilityResult** The result of the applicability check.
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess
+
+This event indicates that the Handler CheckApplicability call succeeded.
+
+The following fields are available:
+
+- **ApplicabilityResult** The result code indicating whether the update is applicable.
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **CV_new** New correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess
+
+This event indicates that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **CheckIfCoordinatorMinApplicableVersionResult** Result of CheckIfCoordinatorMinApplicableVersion function.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Commit call.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **CV_new** New correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess
+
+This event indicates that the Handler Commit call succeeded.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.run
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **CV_new** New correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure
+
+This event indicates that the Handler Download and Extract cab call failed.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **DownloadAndExtractCabFunction_failureReason** Reason why the update download and extract process failed.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess
+
+This event indicates that the Handler Download and Extract cab call succeeded.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Download call.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess
+
+This event indicates that the Handler Download call succeeded.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Initialize call.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extract.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess
+
+This event indicates that the Handler Initialize call succeeded.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **DownloadAndExtractCabFunction_hResult** HRESULT of the download and extraction.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler Install call.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **hResult** HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess
+
+This event indicates that the Coordinator Install call succeeded.
+
+The following fields are available:
+
+- **CampaignID** ID of the update campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess
+
+This event indicates that the Handler SetCommitReady call succeeded.
+
+The following fields are available:
+
+- **CampaignID** ID of the campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure
+
+This event indicates that we have received an unexpected error in the Direct to Update (DTU) Handler WaitForRebootUi call.
+
+The following fields are available:
+
+- **CampaignID** The ID of the campaigning being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+- **hResult** The HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess
+
+This event indicates that the Handler WaitForRebootUi call succeeded.
+
+The following fields are available:
+
+- **CampaignID** ID of the campaign being run.
+- **ClientID** ID of the client receiving the update.
+- **CoordinatorVersion** Coordinator version of Direct to Update.
+- **CV** Correlation vector.
+
+
+## Inventory events
+
+### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
+
+This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object.
+
+The following fields are available:
+
+- **DeviceCensus** A count of device census objects in cache.
+- **DriverPackageExtended** A count of driverpackageextended objects in cache.
+- **FileSigningInfo** A count of file signing objects in cache.
+- **InventoryApplication** A count of application objects in cache.
+- **InventoryApplicationAppV** A count of application AppV objects in cache.
+- **InventoryApplicationDriver** A count of application driver objects in cache
+- **InventoryApplicationFile** A count of application file objects in cache.
+- **InventoryApplicationFramework** A count of application framework objects in cache
+- **InventoryApplicationShortcut** A count of application shortcut objects in cache
+- **InventoryDeviceContainer** A count of device container objects in cache.
+- **InventoryDeviceInterface** A count of Plug and Play device interface objects in cache.
+- **InventoryDeviceMediaClass** A count of device media objects in cache.
+- **InventoryDevicePnp** A count of device Plug and Play objects in cache.
+- **InventoryDeviceUsbHubClass** A count of device usb objects in cache
+- **InventoryDriverBinary** A count of driver binary objects in cache.
+- **InventoryDriverPackage** A count of device objects in cache.
+- **InventoryMiscellaneousOfficeAddIn** A count of office add-in objects in cache
+- **InventoryMiscellaneousOfficeAddInUsage** A count of office add-in usage objects in cache.
+- **InventoryMiscellaneousOfficeIdentifiers** A count of office identifier objects in cache
+- **InventoryMiscellaneousOfficeIESettings** A count of office ie settings objects in cache
+- **InventoryMiscellaneousOfficeInsights** A count of office insights objects in cache
+- **InventoryMiscellaneousOfficeProducts** A count of office products objects in cache
+- **InventoryMiscellaneousOfficeSettings** A count of office settings objects in cache
+- **InventoryMiscellaneousOfficeVBA** A count of office vba objects in cache
+- **InventoryMiscellaneousOfficeVBARuleViolations** A count of office vba rule violations objects in cache
+- **InventoryMiscellaneousUUPInfo** A count of uup info objects in cache
+
+
+### Microsoft.Windows.Inventory.Core.AmiTelCacheFileInfo
+
+Diagnostic data about the inventory cache.
+
+The following fields are available:
+
+- **CacheFileSize** Size of the cache.
+- **InventoryVersion** Inventory version of the cache.
+- **TempCacheCount** Number of temp caches created.
+- **TempCacheDeletedCount** Number of temp caches deleted.
+
+
+### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
+
+This event sends inventory component versions for the Device Inventory data.
+
+The following fields are available:
+
+- **aeinv** The version of the App inventory component.
+- **devinv** The file version of the Device inventory component.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
+
+This event sends basic metadata about an application on the system to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **HiddenArp** Indicates whether a program hides itself from showing up in ARP.
+- **InstallDate** The date the application was installed (a best guess based on folder creation date heuristics).
+- **InstallDateArpLastModified** The date of the registry ARP key for a given application.
Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015 00:00:00
+- **InstallDateFromLinkFile** The estimated date of install based on the links to the files. Passed as an array.
+- **InstallDateMsi** The install date if the application was installed via Microsoft Installer (MSI). Passed as an array.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Language** The language code of the program.
+- **MsiPackageCode** A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage.
+- **MsiProductCode** A GUID that describe the MSI Product.
+- **Name** The name of the application.
+- **OSVersionAtInstallTime** The four octets from the OS version at the time of the application's install.
+- **PackageFullName** The package full name for a Store application.
+- **ProgramInstanceId** A hash of the file IDs in an app.
+- **Publisher** The Publisher of the application. Location pulled from depends on the 'Source' field.
+- **RootDirPath** The path to the root directory where the program was installed.
+- **Source** How the program was installed (for example, ARP, MSI, Appx).
+- **StoreAppType** A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp.
+- **Type** One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen.
+- **Version** The version number of the program.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd
+
+This event represents what drivers an application installs.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory component
+- **ProgramIds** The unique program identifier the driver is associated with
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
+
+The InventoryApplicationDriverStartSync event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory component.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
+
+This event provides the basic metadata about the frameworks an application may depend on.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **FileId** A hash that uniquely identifies a file.
+- **Frameworks** The list of frameworks this file depends on.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
+
+This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
+
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync
+
+This event indicates that a new set of InventoryApplicationAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
+
+This event sends basic metadata about a device container (such as a monitor or printer as opposed to a Plug and Play device) to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Categories** A comma separated list of functional categories in which the container belongs.
+- **DiscoveryMethod** The discovery method for the device container.
+- **FriendlyName** The name of the device container.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **IsActive** Is the device connected, or has it been seen in the last 14 days?
+- **IsConnected** For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link.
+- **IsMachineContainer** Is the container the root device itself?
+- **IsNetworked** Is this a networked device?
+- **IsPaired** Does the device container require pairing?
+- **Manufacturer** The manufacturer name for the device container.
+- **ModelId** A unique model ID.
+- **ModelName** The model name.
+- **ModelNumber** The model number for the device container.
+- **PrimaryCategory** The primary category for the device container.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove
+
+This event indicates that the InventoryDeviceContainer object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync
+
+This event indicates that a new set of InventoryDeviceContainerAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
+
+This event retrieves information about what sensor interfaces are available on the device.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Accelerometer3D** Indicates if an Accelerator3D sensor is found.
+- **ActivityDetection** Indicates if an Activity Detection sensor is found.
+- **AmbientLight** Indicates if an Ambient Light sensor is found.
+- **Barometer** Indicates if a Barometer sensor is found.
+- **Custom** Indicates if a Custom sensor is found.
+- **EnergyMeter** Indicates if an Energy sensor is found.
+- **FloorElevation** Indicates if a Floor Elevation sensor is found.
+- **GeomagneticOrientation** Indicates if a Geo Magnetic Orientation sensor is found.
+- **GravityVector** Indicates if a Gravity Detector sensor is found.
+- **Gyrometer3D** Indicates if a Gyrometer3D sensor is found.
+- **Humidity** Indicates if a Humidity sensor is found.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **LinearAccelerometer** Indicates if a Linear Accelerometer sensor is found.
+- **Magnetometer3D** Indicates if a Magnetometer3D sensor is found.
+- **Orientation** Indicates if an Orientation sensor is found.
+- **Pedometer** Indicates if a Pedometer sensor is found.
+- **Proximity** Indicates if a Proximity sensor is found.
+- **RelativeOrientation** Indicates if a Relative Orientation sensor is found.
+- **SimpleDeviceOrientation** Indicates if a Simple Device Orientation sensor is found.
+- **Temperature** Indicates if a Temperature sensor is found.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
+
+This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd
+
+This event sends additional metadata about a Plug and Play device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Audio_CaptureDriver** The Audio device capture driver endpoint.
+- **Audio_RenderDriver** The Audio device render driver endpoint.
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove
+
+This event indicates that the InventoryDeviceMediaClassRemove object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync
+
+This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
+
+This event represents the basic metadata about a plug and play (PNP) device and its associated driver.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **BusReportedDescription** The description of the device reported by the bux.
+- **Class** The device setup class of the driver loaded for the device.
+- **ClassGuid** The device class GUID from the driver package
+- **COMPID** The device setup class guid of the driver loaded for the device.
+- **ContainerId** The list of compat ids for the device.
+- **Description** System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer.
+- **DeviceState** The device description.
+- **DriverId** DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present
+- **DriverName** A unique identifier for the driver installed.
+- **DriverPackageStrongName** The immediate parent directory name in the Directory field of InventoryDriverPackage
+- **DriverVerDate** Name of the .sys image file (or wudfrd.sys if using user mode driver framework).
+- **DriverVerVersion** The immediate parent directory name in the Directory field of InventoryDriverPackage.
+- **Enumerator** The date of the driver loaded for the device.
+- **HWID** The version of the driver loaded for the device.
+- **Inf** The bus that enumerated the device.
+- **InstallState** The device installation state. One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
+- **InventoryVersion** List of hardware ids for the device.
+- **LowerClassFilters** Lower filter class drivers IDs installed for the device
+- **LowerFilters** Lower filter drivers IDs installed for the device
+- **Manufacturer** INF file name (the name could be renamed by OS, such as oemXX.inf)
+- **MatchingID** Device installation state.
+- **Model** The version of the inventory binary generating the events.
+- **ParentId** Lower filter class drivers IDs installed for the device.
+- **ProblemCode** Lower filter drivers IDs installed for the device.
+- **Provider** The device manufacturer.
+- **Service** The device service name
+- **STACKID** Represents the hardware ID or compatible ID that Windows uses to install a device instance.
+- **UpperClassFilters** Upper filter drivers IDs installed for the device
+- **UpperFilters** The device model.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
+
+This event indicates that the InventoryDevicePnpRemove object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync
+
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd
+
+This event sends basic metadata about the USB hubs on the device.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+- **TotalUserConnectablePorts** Total number of connectable USB ports.
+- **TotalUserConnectableTypeCPorts** Total number of connectable USB Type C ports.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync
+
+This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd
+
+This event provides the basic metadata about driver binaries running on the system.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **DriverCheckSum** The checksum of the driver file.
+- **DriverCompany** The company name that developed the driver.
+- **DriverInBox** Is the driver included with the operating system?
+- **DriverIsKernelMode** Is it a kernel mode driver?
+- **DriverName** The file name of the driver.
+- **DriverPackageStrongName** The strong name of the driver package
+- **DriverSigned** The strong name of the driver package
+- **DriverTimeStamp** The low 32 bits of the time stamp of the driver file.
+- **DriverType** A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000.
+- **DriverVersion** The version of the driver file.
+- **ImageSize** The size of the driver file.
+- **Inf** The name of the INF file.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Product** The product name that is included in the driver file.
+- **ProductVersion** The product version that is included in the driver file.
+- **Service** The name of the service that is installed for the device.
+- **WdfVersion** The Windows Driver Framework version.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove
+
+This event indicates that the InventoryDriverBinary object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync
+
+This event indicates that a new set of InventoryDriverBinaryAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd
+
+This event sends basic metadata about drive packages installed on the system to help keep Windows up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Class** The class name for the device driver.
+- **ClassGuid** The class GUID for the device driver.
+- **Date** The driver package date.
+- **Directory** The path to the driver package.
+- **DriverInBox** Is the driver included with the operating system?
+- **Inf** The INF name of the driver package.
+- **InventoryVersion** The version of the inventory file generating the events.
+- **Provider** The provider for the driver package.
+- **SubmissionId** The HLK submission ID for the driver package.
+- **Version** The version of the driver package.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove
+
+This event indicates that the InventoryDriverPackageRemove object is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync
+
+This event indicates that a new set of InventoryDriverPackageAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.General.AppHealthStaticAdd
+
+This event sends details collected for a specific application on the source device.
+
+The following fields are available:
+
+- **AhaVersion** The binary version of the App Health Analyzer tool.
+- **ApplicationErrors** The count of application errors from the event log.
+- **Bitness** The architecture type of the application (16 Bit or 32 bit or 64 bit).
+- **device_level** Various JRE/JAVA versions installed on a particular device.
+- **ExtendedProperties** Attribute used for aggregating all other attributes under this event type.
+- **Jar** Flag to determine if an app has a Java JAR file dependency.
+- **Jre** Flag to determine if an app has JRE framework dependency.
+- **Jre_version** JRE versions an app has declared framework dependency for.
+- **Name** Name of the application.
+- **NonDPIAware** Flag to determine if an app is non-DPI aware.
+- **NumBinaries** Count of all binaries (.sys,.dll,.ini) from application install location.
+- **RequiresAdmin** Flag to determine if an app requests admin privileges for execution.
+- **RequiresAdminv2** Additional flag to determine if an app requests admin privileges for execution.
+- **RequiresUIAccess** Flag to determine if an app is based on UI features for accessibility.
+- **VB6** Flag to determine if an app is based on VB6 framework.
+- **VB6v2** Additional flag to determine if an app is based on VB6 framework.
+- **Version** Version of the application.
+- **VersionCheck** Flag to determine if an app has a static dependency on OS version.
+- **VersionCheckv2** Additional flag to determine if an app has a static dependency on OS version.
+
+
+### Microsoft.Windows.Inventory.General.AppHealthStaticStartSync
+
+This event indicates the beginning of a series of AppHealthStaticAdd events.
+
+The following fields are available:
+
+- **AllowTelemetry** Indicates the presence of the 'allowtelemetry' command line argument.
+- **CommandLineArgs** Command line arguments passed when launching the App Health Analyzer executable.
+- **Enhanced** Indicates the presence of the 'enhanced' command line argument.
+- **StartTime** UTC date and time at which this event was sent.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
+
+Provides data on the installed Office Add-ins.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **AddinCLSID** The CLSID for the Office add-in.
+- **AddInId** Office add-in ID.
+- **AddinType** Office add-in Type.
+- **BinFileTimestamp** Timestamp of the Office add-in.
+- **BinFileVersion** Version of the Office add-in.
+- **Description** Office add-in description.
+- **FileId** FileId of the Office add-in.
+- **FileSize** File size of the Office add-in.
+- **FriendlyName** Friendly name for office add-in.
+- **FullPath** Unexpanded path to the office add-in.
+- **InventoryVersion** The version of the inventory binary generating the events.
+- **LoadBehavior** Uint32 that describes the load behavior.
+- **OfficeApplication** The office application for this add-in.
+- **OfficeArchitecture** Architecture of the add-in.
+- **OfficeVersion** The office version for this add-in.
+- **OutlookCrashingAddin** Boolean that indicates if crashes have been found for this add-in.
+- **ProductCompany** The name of the company associated with the Office add-in.
+- **ProductName** The product name associated with the Office add-in.
+- **ProductVersion** The version associated with the Office add-in.
+- **ProgramId** The unique program identifier of the Office add-in.
+- **Provider** Name of the provider for this add-in.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove
+
+Indicates that this particular data object represented by the objectInstanceId is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd
+
+Provides data on the Office identifiers.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+- **OAudienceData** Sub-identifier for Microsoft Office release management, identifying the pilot group for a device
+- **OAudienceId** Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device
+- **OMID** Identifier for the Office SQM Machine
+- **OPlatform** Whether the installed Microsoft Office product is 32-bit or 64-bit
+- **OTenantId** Unique GUID representing the Microsoft O365 Tenant
+- **OVersion** Installed version of Microsoft Office. For example, 16.0.8602.1000
+- **OWowMID** Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows)
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd
+
+Provides data on Office-related Internet Explorer features.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+- **OIeFeatureAddon** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature.
+- **OIeMachineLockdown** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files.
+- **OIeMimeHandling** Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2)
+- **OIeMimeSniffing** Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag
+- **OIeNoAxInstall** Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request
+- **OIeNoDownload** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2)
+- **OIeObjectCaching** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts
+- **OIePasswordDisable** Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTPS protocols. URLs using other protocols, such as FTP, still allow usernames and passwords
+- **OIeSafeBind** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control
+- **OIeSecurityBand** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted
+- **OIeUncSaveCheck** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC)
+- **OIeValidateUrl** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL
+- **OIeWebOcPopup** Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior
+- **OIeWinRestrict** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows
+- **OIeZoneElevate** Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd
+
+This event provides insight data on the installed Office products
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+- **OfficeApplication** The name of the Office application.
+- **OfficeArchitecture** The bitness of the Office application.
+- **OfficeVersion** The version of the Office application.
+- **Value** The insights collected about this entity.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove
+
+Indicates that this particular data object represented by the objectInstanceId is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync
+
+This diagnostic event indicates that a new sync is being generated for this object type.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd
+
+Describes Office Products installed.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+- **OC2rApps** A GUID the describes the Office Click-To-Run apps
+- **OC2rSkus** Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus
+- **OMsiApps** Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word
+- **OProductCodes** A GUID that describes the Office MSI products
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd
+
+This event describes various Office settings
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **BrowserFlags** Browser flags for Office-related products.
+- **ExchangeProviderFlags** Provider policies for Office Exchange.
+- **InventoryVersion** The version of the inventory binary generating the events.
+- **SharedComputerLicensing** Office shared computer licensing policies.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync
+
+Indicates a new sync is being generated for this object type.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd
+
+This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Design** Count of files with design issues found.
+- **Design_x64** Count of files with 64 bit design issues found.
+- **DuplicateVBA** Count of files with duplicate VBA code.
+- **HasVBA** Count of files with VBA code.
+- **Inaccessible** Count of files that were inaccessible for scanning.
+- **InventoryVersion** The version of the inventory binary generating the events.
+- **Issues** Count of files with issues detected.
+- **Issues_x64** Count of files with 64-bit issues detected.
+- **IssuesNone** Count of files with no issues detected.
+- **IssuesNone_x64** Count of files with no 64-bit issues detected.
+- **Locked** Count of files that were locked, preventing scanning.
+- **NoVBA** Count of files with no VBA inside.
+- **Protected** Count of files that were password protected, preventing scanning.
+- **RemLimited** Count of files that require limited remediation changes.
+- **RemLimited_x64** Count of files that require limited remediation changes for 64-bit issues.
+- **RemSignificant** Count of files that require significant remediation changes.
+- **RemSignificant_x64** Count of files that require significant remediation changes for 64-bit issues.
+- **Score** Overall compatibility score calculated for scanned content.
+- **Score_x64** Overall 64-bit compatibility score calculated for scanned content.
+- **Total** Total number of files scanned.
+- **Validation** Count of files that require additional manual validation.
+- **Validation_x64** Count of files that require additional manual validation for 64-bit issues.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove
+
+Indicates that this particular data object represented by the objectInstanceId is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd
+
+This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Count** Count of total Microsoft Office VBA rule violations
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove
+
+Indicates that this particular data object represented by the objectInstanceId is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory binary generating the events.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
+
+Provides data on Unified Update Platform (UUP) products and what version they are at.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **Identifier** UUP identifier
+- **LastActivatedVersion** Last activated version
+- **PreviousVersion** Previous version
+- **Source** UUP source
+- **Version** UUP version
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove
+
+Indicates that this particular data object represented by the objectInstanceId is no longer present.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
+### Microsoft.Windows.Inventory.Indicators.Checksum
+
+This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events.
+
+The following fields are available:
+
+- **ChecksumDictionary** A count of each operating system indicator.
+- **PCFP** Equivalent to the InventoryId field that is found in other core events.
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
+
+These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up to date.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+The following fields are available:
+
+- **IndicatorValue** The indicator value.
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
+
+This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
+
+This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent.
+
+This event includes fields from [Ms.Device.DeviceInventoryChange](#msdevicedeviceinventorychange).
+
+
+
+## Kernel events
+
+### IO
+
+This event indicates the number of bytes read from or read by the OS and written to or written by the OS upon system startup.
+
+The following fields are available:
+
+- **BytesRead** The total number of bytes read from or read by the OS upon system startup.
+- **BytesWritten** The total number of bytes written to or written by the OS upon system startup.
+
+
+### Microsoft.Windows.Kernel.BootEnvironment.OsLaunch
+
+OS information collected during Boot, used to evaluate the success of the upgrade process.
+
+The following fields are available:
+
+- **BootApplicationId** This field tells us what the OS Loader Application Identifier is.
+- **BootAttemptCount** The number of consecutive times the boot manager has attempted to boot into this operating system.
+- **BootSequence** The current Boot ID, used to correlate events related to a particular boot session.
+- **BootStatusPolicy** Identifies the applicable Boot Status Policy.
+- **BootType** Identifies the type of boot (e.g.: "Cold", "Hiber", "Resume").
+- **EventTimestamp** Seconds elapsed since an arbitrary time point. This can be used to identify the time difference in successive boot attempts being made.
+- **FirmwareResetReasonEmbeddedController** Reason for system reset provided by firmware.
+- **FirmwareResetReasonEmbeddedControllerAdditional** Additional information on system reset reason provided by firmware if needed.
+- **FirmwareResetReasonPch** Reason for system reset provided by firmware.
+- **FirmwareResetReasonPchAdditional** Additional information on system reset reason provided by firmware if needed.
+- **FirmwareResetReasonSupplied** Flag indicating that a reason for system reset was provided by firmware.
+- **IO** Amount of data written to and read from the disk by the OS Loader during boot. See [IO](#io).
+- **LastBootSucceeded** Flag indicating whether the last boot was successful.
+- **LastShutdownSucceeded** Flag indicating whether the last shutdown was successful.
+- **MaxAbove4GbFreeRange** This field describes the largest memory range available above 4Gb.
+- **MaxBelow4GbFreeRange** This field describes the largest memory range available below 4Gb.
+- **MeasuredLaunchPrepared** This field tells us if the OS launch was initiated using Measured/Secure Boot over DRTM (Dynamic Root of Trust for Measurement).
+- **MeasuredLaunchResume** This field tells us if Dynamic Root of Trust for Measurement (DRTM) was used when resuming from hibernation.
+- **MenuPolicy** Type of advanced options menu that should be shown to the user (Legacy, Standard, etc.).
+- **RecoveryEnabled** Indicates whether recovery is enabled.
+- **SecureLaunchPrepared** This field indicates if DRTM was prepared during boot.
+- **TcbLaunch** Indicates whether the Trusted Computing Base was used during the boot flow.
+- **UserInputTime** The amount of time the loader application spent waiting for user input.
+
+
+## Privacy consent logging events
+
+### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
+
+This event is used to determine whether the user successfully completed the privacy consent experience.
+
+The following fields are available:
+
+- **presentationVersion** Which display version of the privacy consent experience the user completed
+- **privacyConsentState** The current state of the privacy consent experience
+- **settingsVersion** Which setting version of the privacy consent experience the user completed
+- **userOobeExitReason** The exit reason of the privacy consent experience
+
+
+### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus
+
+Event tells us effectiveness of new privacy experience.
+
+The following fields are available:
+
+- **isAdmin** whether the person who is logging in is an admin
+- **isExistingUser** whether the account existed in a downlevel OS
+- **isLaunching** Whether or not the privacy consent experience will be launched
+- **isSilentElevation** whether the user has most restrictive UAC controls
+- **privacyConsentState** whether the user has completed privacy experience
+- **userRegionCode** The current user's region setting
+
+
+## Software update events
+
+### SoftwareUpdateClientTelemetry.CheckForUpdates
+
+Scan process event on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded).
+
+The following fields are available:
+
+- **ActivityMatchingId** Contains a unique ID identifying a single CheckForUpdates session from initialization to completion.
+- **AllowCachedResults** Indicates if the scan allowed using cached results.
+- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
+- **BiosName** The name of the device BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **BiosSKUNumber** The sku number of the device BIOS.
+- **BIOSVendor** The vendor of the BIOS.
+- **BiosVersion** The version of the BIOS.
+- **BranchReadinessLevel** The servicing branch configured on the device.
+- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **CapabilityDetectoidGuid** The GUID for a hardware applicability detectoid that could not be evaluated.
+- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location.
+- **CDNId** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **ClientVersion** The version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No data is currently reported in this field. Expected value for this field is 0.
+- **Context** Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown
+- **CurrentMobileOperator** The mobile operator the device is currently connected to.
+- **DeferralPolicySources** Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000).
+- **DeferredUpdates** Update IDs which are currently being deferred until a later time
+- **DeviceModel** What is the device model.
+- **DriverError** The error code hit during a driver scan. This is 0 if no error was encountered.
+- **DriverExclusionPolicy** Indicates if the policy for not including drivers with Windows Update is enabled.
+- **DriverSyncPassPerformed** Were drivers scanned this time?
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **ExtendedMetadataCabUrl** Hostname that is used to download an update.
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FailedUpdateGuids** The GUIDs for the updates that failed to be evaluated during the scan.
+- **FailedUpdatesCount** The number of updates that failed to be evaluated during the scan.
+- **FeatureUpdateDeferral** The deferral period configured for feature OS updates on the device (in days).
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FeatureUpdatePausePeriod** The pause duration configured for feature OS updates on the device (in days).
+- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
+- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **IPVersion** Indicates whether the download took place over IPv4 or IPv6
+- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
+- **IsWUfBFederatedScanDisabled** Indicates if Windows Update for Business federated scan is disabled on the device.
+- **MetadataIntegrityMode** The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
+- **MSIError** The last error that was encountered during a scan for updates.
+- **NetworkConnectivityDetected** Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6
+- **NumberOfApplicableUpdates** The number of updates which were ultimately deemed applicable to the system after the detection process is complete
+- **NumberOfApplicationsCategoryScanEvaluated** The number of categories (apps) for which an app update scan checked
+- **NumberOfLoop** The number of round trips the scan required
+- **NumberOfNewUpdatesFromServiceSync** The number of updates which were seen for the first time in this scan
+- **NumberOfUpdatesEvaluated** The total number of updates which were evaluated as a part of the scan
+- **NumFailedMetadataSignatures** The number of metadata signatures checks which failed for new metadata synced down.
+- **Online** Indicates if this was an online scan.
+- **PausedUpdates** A list of UpdateIds which that currently being paused.
+- **PauseFeatureUpdatesEndTime** If feature OS updates are paused on the device, this is the date and time for the end of the pause time window.
+- **PauseFeatureUpdatesStartTime** If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
+- **PauseQualityUpdatesEndTime** If quality OS updates are paused on the device, this is the date and time for the end of the pause time window.
+- **PauseQualityUpdatesStartTime** If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
+- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced.
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **QualityUpdateDeferral** The deferral period configured for quality OS updates on the device (in days).
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **QualityUpdatePausePeriod** The pause duration configured for quality OS updates on the device (in days).
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **ScanDurationInSeconds** The number of seconds a scan took
+- **ScanEnqueueTime** The number of seconds it took to initialize a scan
+- **ScanProps** This is a 32-bit integer containing Boolean properties for a given Windows Update scan. The following bits are used; all remaining bits are reserved and set to zero. Bit 0 (0x1): IsInteractive - is set to 1 if the scan is requested by a user, or 0 if the scan is requested by Automatic Updates. Bit 1 (0x2): IsSeeker - is set to 1 if the Windows Update client's Seeker functionality is enabled. Seeker functionality is enabled on certain interactive scans, and results in the scans returning certain updates that are in the initial stages of release (not yet released for full adoption via Automatic Updates).
+- **ServiceGuid** An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.).
+- **ServiceUrl** The environment URL a device is configured to scan with
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **StatusCode** Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult).
+- **SyncType** Describes the type of scan the event was
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
+- **TotalNumMetadataSignatures** The total number of metadata signatures checks done for new metadata that was synced down.
+- **WebServiceRetryMethods** Web service method requests that needed to be retried to complete operation.
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+
+
+### SoftwareUpdateClientTelemetry.Download
+
+Download process event for target update on Windows Update client. See the EventScenario field for specifics (started/failed/succeeded).
+
+The following fields are available:
+
+- **ActiveDownloadTime** Number of seconds the update was actively being downloaded.
+- **AppXBlockHashFailures** Indicates the number of blocks that failed hash validation during download of the app payload.
+- **AppXBlockHashValidationFailureCount** A count of the number of blocks that have failed validation after being downloaded.
+- **AppXDownloadScope** Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client.
+- **AppXScope** Indicates the scope of the app download. The values can be one of the following: "RequiredContentOnly" - only the content required to launch the app is being downloaded; "AutomaticContentOnly" - only the optional [automatic] content for the app (the ones that can downloaded after the app has been launched) is being downloaded; "AllContent" - all content for the app, including the optional [automatic] content, is being downloaded.
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
+- **BiosName** The name of the device BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **BiosSKUNumber** The sku number of the device BIOS.
+- **BIOSVendor** The vendor of the BIOS.
+- **BiosVersion** The version of the BIOS.
+- **BundleBytesDownloaded** Number of bytes downloaded for the specific content bundle.
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed.
+- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to download.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **BytesDownloaded** Number of bytes that were downloaded for an individual piece of content (not the entire bundle).
+- **CachedEngineVersion** For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **CbsDownloadMethod** Indicates whether the download was a full-file download or a partial/delta download.
+- **CbsMethod** The method used for downloading the update content related to the Component Based Servicing (CBS) technology.
This value can be one of the following: (1) express download method was used for download; (2) SelfContained download method was used for download indicating the update had no express content; (3) SelfContained download method was used indicating that the update has an express payload, but the server is not hosting it; (4) SelfContained download method was used indicating that range requests are not supported; (5) SelfContained download method was used indicating that the system does not support express download (dpx.dll is not present); (6) SelfContained download method was used indicating that self-contained download method was selected previously; (7) SelfContained download method was used indicating a fall back to self-contained if the number of requests made by DPX exceeds a certain threshold.
+- **CDNCountryCode** Two letter country abbreviation for the Content Distribution Network (CDN) location.
+- **CDNId** ID which defines which CDN the software distribution client downloaded the content from.
+- **ClientVersion** The version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0.
+- **ConnectTime** Indicates the cumulative sum (in seconds) of the time it took to establish the connection for all updates in an update bundle.
+- **CurrentMobileOperator** The mobile operator the device is currently connected to.
+- **DeviceModel** What is the device model.
+- **DownloadPriority** Indicates whether a download happened at background, normal, or foreground priority.
+- **DownloadProps** Indicates a bitmask for download operations indicating: (1) if an update was downloaded to a system volume (least significant bit i.e.
bit 0); (2) if the update was from a channel other than the installed channel (bit 1); (3) if the update was for a product pinned by policy (bit 2); (4) if the deployment action for the update is uninstall (bit 3).
+- **DownloadType** Differentiates the download type of SIH downloads between Metadata and Payload downloads.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed.
+- **EventType** Possible values are Child, Bundle, or Driver.
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBranch** The branch that a device is on if participating in flighting (pre-release builds).
+- **FlightBuildNumber** If this download was for a flight (pre-release build), this indicates the build number of that flight.
+- **FlightId** The specific ID of the flight (pre-release build) the device is getting.
+- **FlightRing** The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
+- **HandlerType** Indicates what kind of content is being downloaded (app, driver, windows patch, etc.).
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
+- **HostName** The hostname URL the content is downloading from.
+- **IPVersion** Indicates whether the download took place over IPv4 or IPv6.
+- **IsDependentSet** Indicates whether a driver is a part of a larger System Hardware/Firmware Update
+- **IsWUfBDualScanEnabled** Indicates if Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Indicates if Windows Update for Business is enabled on the device.
+- **NetworkCost** A flag indicating the cost of the network used for downloading the update content. The values can be: 0x0 (Unkown); 0x1 (Network cost is unrestricted); 0x2 (Network cost is fixed); 0x4 (Network cost is variable); 0x10000 (Network cost over data limit); 0x20000 (Network cost congested); 0x40000 (Network cost roaming); 0x80000 (Network cost approaching data limit).
+- **NetworkCostBitMask** Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.)
+- **NetworkRestrictionStatus** More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered."
+- **PackageFullName** The package name of the content.
+- **PhonePreviewEnabled** Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced.
+- **PostDnldTime** Time taken (in seconds) to signal download completion after the last job has completed downloading payload.
+- **ProcessName** The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **Reason** A 32-bit integer representing the reason the update is blocked from being downloaded in the background.
+- **RegulationReason** The reason that the update is regulated
+- **RegulationResult** The result code (HResult) of the last attempt to contact the regulation web service for download regulation of update content.
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one.
+- **RepeatFailCount** Indicates whether this specific piece of content has previously failed.
+- **RepeatFailFlag** Indicates whether this specific piece of content had previously failed to download.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** An ID that represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
+- **Setup360Phase** If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **SizeCalcTime** Time taken (in seconds) to calculate the total download size of the payload.
+- **StatusCode** Indicates the result of a Download event (success, cancellation, failure code HResult).
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **TargetMetadataVersion** For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
+- **ThrottlingServiceHResult** Result code (success/failure) while contacting a web service to determine whether this device should download content yet.
+- **TimeToEstablishConnection** Time (in ms) it took to establish the connection prior to beginning downloaded.
+- **TotalExpectedBytes** The total count of bytes that the download is expected to be.
+- **UpdateId** An identifier associated with the specific piece of content.
+- **UpdateID** An identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
+- **UsedDO** Whether the download used the delivery optimization service.
+- **UsedSystemVolume** Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive.
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+
+
+### SoftwareUpdateClientTelemetry.Install
+
+This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date.
+
+The following fields are available:
+
+- **BiosFamily** The family of the BIOS (Basic Input Output System).
+- **BiosName** The name of the device BIOS.
+- **BiosReleaseDate** The release date of the device BIOS.
+- **BiosSKUNumber** The sku number of the device BIOS.
+- **BIOSVendor** The vendor of the BIOS.
+- **BiosVersion** The version of the BIOS.
+- **BundleId** Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed.
+- **BundleRepeatFailFlag** Indicates whether this particular update bundle previously failed to install.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **ClientVersion** The version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. No value is currently reported in this field. Expected value for this field is 0.
+- **CSIErrorType** The stage of CBS installation where it failed.
+- **CurrentMobileOperator** The mobile operator to which the device is currently connected.
+- **DeviceModel** The device model.
+- **DriverPingBack** Contains information about the previous driver and system state.
+- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventScenario** Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **EventType** Possible values are Child, Bundle, or Driver.
+- **ExtendedErrorCode** The extended error code.
+- **ExtendedStatusCode** Secondary error code for certain scenarios where StatusCode is not specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBranch** The branch that a device is on if participating in the Windows Insider Program.
+- **FlightBuildNumber** If this installation was for a Windows Insider build, this is the build number of that build.
+- **FlightId** The specific ID of the Windows Insider build the device is getting.
+- **FlightRing** The ring that a device is on if participating in the Windows Insider Program.
+- **HandlerType** Indicates what kind of content is being installed (for example, app, driver, Windows update).
+- **HardwareId** If this install was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **HomeMobileOperator** The mobile operator that the device was originally intended to work with.
+- **InstallProps** A bitmask for future flags associated with the install operation. No value is currently reported in this field. Expected value for this field is 0.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **IsDependentSet** Indicates whether the driver is part of a larger System Hardware/Firmware update.
+- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process.
+- **IsFirmware** Indicates whether this update is a firmware update.
+- **IsSuccessFailurePostReboot** Indicates whether the update succeeded and then failed after a restart.
+- **IsWUfBDualScanEnabled** Indicates whether Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Indicates whether Windows Update for Business is enabled on the device.
+- **MergedUpdate** Indicates whether the OS update and a BSP update merged for installation.
+- **MsiAction** The stage of MSI installation where it failed.
+- **MsiProductCode** The unique identifier of the MSI installer.
+- **PackageFullName** The package name of the content being installed.
+- **PhonePreviewEnabled** Indicates whether a phone was getting preview build, prior to flighting being introduced.
+- **ProcessName** The process name of the caller who initiated API calls, in the event that CallerApplicationName was not provided.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one
+- **RepeatFailCount** Indicates whether this specific piece of content has previously failed.
+- **RepeatFailFlag** Indicates whether this specific piece of content previously failed to install.
+- **RevisionNumber** The revision number of this specific piece of content.
+- **ServiceGuid** An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
+- **Setup360Phase** If the install is for an operating system upgrade, indicates which phase of the upgrade is underway.
+- **ShippingMobileOperator** The mobile operator that a device shipped on.
+- **StatusCode** Indicates the result of an installation event (success, cancellation, failure code HResult).
+- **SystemBIOSMajorRelease** Major version of the BIOS.
+- **SystemBIOSMinorRelease** Minor version of the BIOS.
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **TransactionCode** The ID that represents a given MSI installation.
+- **UpdateId** Unique update ID.
+- **UpdateImportance** Indicates whether a piece of content was marked as Important, Recommended, or Optional.
+- **UsedSystemVolume** Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive.
+- **WUDeviceID** The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+
+
+### SoftwareUpdateClientTelemetry.Revert
+
+Revert event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded).
+
+The following fields are available:
+
+- **BundleId** Identifier associated with the specific content bundle. Should not be all zeros if the BundleId was found.
+- **BundleRepeatFailCount** Indicates whether this particular update bundle has previously failed.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **CSIErrorType** Stage of CBS installation that failed.
+- **DriverPingBack** Contains information about the previous driver and system state.
+- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers if a recovery is required.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.).
+- **EventType** Event type (Child, Bundle, Release, or Driver).
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBuildNumber** Indicates the build number of the flight.
+- **FlightId** The specific ID of the flight the device is getting.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **HardwareId** If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process.
+- **IsFirmware** Indicates whether an update was a firmware update.
+- **IsSuccessFailurePostReboot** Indicates whether an initial success was a failure after a reboot.
+- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device.
+- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one.
+- **RepeatFailCount** Indicates whether this specific piece of content has previously failed.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **UpdateId** The identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates the importance of a driver, and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended).
+- **UsedSystemVolume** Indicates whether the device's main system storage drive or an alternate storage drive was used.
+- **WUDeviceID** Unique device ID controlled by the software distribution client.
+
+
+### SoftwareUpdateClientTelemetry.TaskRun
+
+Start event for Server Initiated Healing client. See EventScenario field for specifics (for example, started/completed).
+
+The following fields are available:
+
+- **CallerApplicationName** Name of application making the Windows Update request. Used to identify context of request.
+- **ClientVersion** Version number of the software distribution client.
+- **CmdLineArgs** Command line arguments passed in by the caller.
+- **EventInstanceID** A globally unique identifier for the event instance.
+- **EventScenario** Indicates the purpose of the event (scan started, succeeded, failed, etc.).
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **WUDeviceID** Unique device ID controlled by the software distribution client.
+
+
+### SoftwareUpdateClientTelemetry.Uninstall
+
+Uninstall event for target update on Windows Update Client. See EventScenario field for specifics (for example, Started/Failed/Succeeded).
+
+The following fields are available:
+
+- **BundleId** The identifier associated with the specific content bundle. This should not be all zeros if the bundleID was found.
+- **BundleRepeatFailCount** Indicates whether this particular update bundle previously failed.
+- **BundleRevisionNumber** Identifies the revision number of the content bundle.
+- **CallerApplicationName** Name of the application making the Windows Update request. Used to identify context of request.
+- **ClientVersion** Version number of the software distribution client.
+- **CommonProps** A bitmask for future flags associated with the Windows Update client behavior. There is no value being reported in this field right now. Expected value for this field is 0.
+- **DriverPingBack** Contains information about the previous driver and system state.
+- **DriverRecoveryIds** The list of identifiers that could be used for uninstalling the drivers when a recovery is required.
+- **EventInstanceID** A globally unique identifier for event instance.
+- **EventScenario** Indicates the purpose of the event (a scan started, succeded, failed, etc.).
+- **EventType** Indicates the event type. Possible values are "Child", "Bundle", "Release" or "Driver".
+- **ExtendedStatusCode** Secondary status code for certain scenarios where StatusCode is not specific enough.
+- **FeatureUpdatePause** Indicates whether feature OS updates are paused on the device.
+- **FlightBuildNumber** Indicates the build number of the flight.
+- **FlightId** The specific ID of the flight the device is getting.
+- **HandlerType** Indicates the kind of content (app, driver, windows patch, etc.).
+- **HardwareId** If the download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **IsFinalOutcomeEvent** Indicates whether this event signals the end of the update/upgrade process.
+- **IsFirmware** Indicates whether an update was a firmware update.
+- **IsSuccessFailurePostReboot** Indicates whether an initial success was then a failure after a reboot.
+- **IsWUfBDualScanEnabled** Flag indicating whether WU-for-Business dual scan is enabled on the device.
+- **IsWUfBEnabled** Flag indicating whether WU-for-Business is enabled on the device.
+- **MergedUpdate** Indicates whether an OS update and a BSP update were merged for install.
+- **ProcessName** Process name of the caller who initiated API calls into the software distribution client.
+- **QualityUpdatePause** Indicates whether quality OS updates are paused on the device.
+- **RelatedCV** The previous correlation vector that was used by the client before swapping with a new one.
+- **RepeatFailCount** Indicates whether this specific piece of content previously failed.
+- **RevisionNumber** Identifies the revision number of this specific piece of content.
+- **ServiceGuid** Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc.).
+- **StatusCode** Result code of the event (success, cancellation, failure code HResult).
+- **TargetGroupId** For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion** For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **UpdateId** Identifier associated with the specific piece of content.
+- **UpdateImportance** Indicates the importance of a driver and why it received that importance level (0-Unknown, 1-Optional, 2-Important-DNF, 3-Important-Generic, 4-Important-Other, 5-Recommended).
+- **UsedSystemVolume** Indicates whether the device’s main system storage drive or an alternate storage drive was used.
+- **WUDeviceID** Unique device ID controlled by the software distribution client.
+
+
+### SoftwareUpdateClientTelemetry.UpdateDetected
+
+This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates.
+
+The following fields are available:
+
+- **ApplicableUpdateInfo** Metadata for the updates which were detected as applicable.
+- **CallerApplicationName** The name provided by the caller who initiated API calls into the software distribution client.
+- **IntentPFNs** Intended application-set metadata for atomic update scenarios.
+- **NumberOfApplicableUpdates** The number of updates ultimately deemed applicable to the system after the detection process is complete.
+- **RelatedCV** The previous Correlation Vector that was used before swapping with a new one.
+- **ServiceGuid** An ID that represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.).
+- **WUDeviceID** The unique device ID controlled by the software distribution client.
+
+
+## System Resource Usage Monitor events
+
+### Microsoft.Windows.Srum.Sdp.CpuUsage
+
+This event provides information on CPU usage.
+
+The following fields are available:
+
+- **UsageMax** The maximum of hourly average CPU usage.
+- **UsageMean** The mean of hourly average CPU usage.
+- **UsageMedian** The median of hourly average CPU usage.
+- **UsageTwoHourMaxMean** The mean of the maximum of every two hour of hourly average CPU usage.
+- **UsageTwoHourMedianMean** The mean of the median of every two hour of hourly average CPU usage.
+
+
+### Microsoft.Windows.Srum.Sdp.NetworkUsage
+
+This event provides information on network usage.
+
+The following fields are available:
+
+- **AdapterGuid** The unique ID of the adapter.
+- **BytesTotalMax** The maximum of the hourly average bytes total.
+- **BytesTotalMean** The mean of the hourly average bytes total.
+- **BytesTotalMedian** The median of the hourly average bytes total.
+- **BytesTotalTwoHourMaxMean** The mean of the maximum of every two hours of hourly average bytes total.
+- **BytesTotalTwoHourMedianMean** The mean of the median of every two hour of hourly average bytes total.
+- **LinkSpeed** The adapter link speed.
+
+
+## Upgrade events
+
+### FacilitatorTelemetry.DCATDownload
+
+This event indicates whether devices received additional or critical supplemental content during an OS Upgrade, to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **DownloadSize** Download size of payload.
+- **ElapsedTime** Time taken to download payload.
+- **MediaFallbackUsed** Used to determine if we used Media CompDBs to figure out package requirements for the upgrade.
+- **ResultCode** Result returned by the Facilitator DCAT call.
+- **Scenario** Dynamic update scenario (Image DU, or Setup DU).
+- **Type** Type of package that was downloaded.
+
+
+### FacilitatorTelemetry.InitializeDU
+
+This event determines whether devices received additional or critical supplemental content during an OS upgrade.
+
+The following fields are available:
+
+- **DCATUrl** The Delivery Catalog (DCAT) URL we send the request to.
+- **DownloadRequestAttributes** The attributes we send to DCAT.
+- **ResultCode** The result returned from the initiation of Facilitator with the URL/attributes.
+- **Scenario** Dynamic Update scenario (Image DU, or Setup DU).
+- **Url** The Delivery Catalog (DCAT) URL we send the request to.
+- **Version** Version of Facilitator.
+
+
+### Setup360Telemetry.Setup360DynamicUpdate
+
+This event helps determine whether the device received supplemental content during an operating system upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **FlightData** Specifies a unique identifier for each group of Windows Insider builds.
+- **InstanceId** Retrieves a unique identifier for each instance of a setup session.
+- **Operation** Facilitator's last known operation (scan, download, etc.).
+- **ReportId** ID for tying together events stream side.
+- **ResultCode** Result returned by Setup for the entire operation.
+- **Scenario** Dynamic Update scenario (Image DU, or Setup DU).
+- **ScenarioId** Identifies the update scenario.
+- **TargetBranch** Branch of the target OS.
+- **TargetBuild** Build of the target OS.
+
+
+## Windows as a Service diagnostic events
+
+### Microsoft.Windows.WaaSMedic.SummaryEvent
+
+Result of the WaaSMedic operation.
+
+The following fields are available:
+
+- **callerApplication** The name of the calling application.
+- **detectionSummary** Result of each applicable detection that was run.
+- **featureAssessmentImpact** WaaS Assessment impact for feature updates.
+- **hrEngineResult** Error code from the engine operation.
+- **isInteractiveMode** The user started a run of WaaSMedic.
+- **isManaged** Device is managed for updates.
+- **isWUConnected** Device is connected to Windows Update.
+- **noMoreActions** No more applicable diagnostics.
+- **qualityAssessmentImpact** WaaS Assessment impact for quality updates.
+- **remediationSummary** Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on.
+- **usingBackupFeatureAssessment** Relying on backup feature assessment.
+- **usingBackupQualityAssessment** Relying on backup quality assessment.
+- **usingCachedFeatureAssessment** WaaS Medic run did not get OS build age from the network on the previous run.
+- **usingCachedQualityAssessment** WaaS Medic run did not get OS revision age from the network on the previous run.
+- **versionString** Version of the WaaSMedic engine.
+- **waasMedicRunMode** Indicates whether this was a background regular run of the medic or whether it was triggered by a user launching Windows Update Troubleshooter.
+
+
+## Windows Update events
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary
+
+This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages.
+
+The following fields are available:
+
+- **activated** Whether the entire device manifest update is considered activated and in use.
+- **analysisErrorCount** How many driver packages that could not be analyzed because errors were hit during the analysis.
+- **flightId** Unique ID for each flight.
+- **missingDriverCount** How many driver packages that were delivered by the device manifest that are missing from the system.
+- **missingUpdateCount** How many updates that were part of the device manifest that are missing from the system.
+- **objectId** Unique value for each diagnostics session.
+- **publishedCount** How many drivers packages that were delivered by the device manifest that are published and available to be used on devices.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **scenarioId** Indicates the update scenario.
+- **sessionId** Unique value for each update session.
+- **summary** A summary string that contains some basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match on.
+- **summaryAppendError** A Boolean indicating if there was an error appending more information to the summary string.
+- **truncatedDeviceCount** How many devices are missing from the summary string due to there not being enough room in the string.
+- **truncatedDriverCount** How many driver packages are missing from the summary string due to there not being enough room in the string.
+- **unpublishedCount** How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices.
+- **updateId** Unique ID for each Update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit
+
+This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+
+The following fields are available:
+
+- **errorCode** The error code returned for the current session initialization.
+- **flightId** The unique identifier for each flight.
+- **objectId** The unique GUID for each diagnostics session.
+- **relatedCV** A correlation vector value generated from the latest USO scan.
+- **result** Outcome of the initialization of the session.
+- **scenarioId** Identifies the Update scenario.
+- **sessionId** The unique value for each update session.
+- **updateId** The unique identifier for each Update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest
+
+This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+
+The following fields are available:
+
+- **deletedCorruptFiles** Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted.
+- **errorCode** The error code returned for the current session initialization.
+- **flightId** The unique identifier for each flight.
+- **objectId** Unique value for each Update Agent mode.
+- **packageCountOptional** Number of optional packages requested.
+- **packageCountRequired** Number of required packages requested.
+- **packageCountTotal** Total number of packages needed.
+- **packageCountTotalCanonical** Total number of canonical packages.
+- **packageCountTotalDiff** Total number of diff packages.
+- **packageCountTotalExpress** Total number of express packages.
+- **packageSizeCanonical** Size of canonical packages in bytes.
+- **packageSizeDiff** Size of diff packages in bytes.
+- **packageSizeExpress** Size of express packages in bytes.
+- **rangeRequestState** Represents the state of the download range request.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Result of the download request phase of update.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **sessionId** Unique value for each Update Agent mode attempt.
+- **updateId** Unique ID for each update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize
+
+This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+
+The following fields are available:
+
+- **errorCode** The error code returned for the current session initialization.
+- **flightId** The unique identifier for each flight.
+- **flightMetadata** Contains the FlightId and the build being flighted.
+- **objectId** Unique value for each Update Agent mode.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Result of the initialize phase of the update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **sessionData** Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **sessionId** Unique value for each Update Agent mode attempt.
+- **updateId** Unique ID for each update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall
+
+This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+
+The following fields are available:
+
+- **errorCode** The error code returned for the current install phase.
+- **flightId** The unique identifier for each flight.
+- **objectId** The unique identifier for each diagnostics session.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **result** Outcome of the install phase of the update.
+- **scenarioId** The unique identifier for the update scenario.
+- **sessionId** The unique identifier for each update session.
+- **updateId** The unique identifier for each update.
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart
+
+This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+
+The following fields are available:
+
+- **flightId** The unique identifier for each flight.
+- **mode** The mode that is starting.
+- **objectId** The unique value for each diagnostics session.
+- **relatedCV** Correlation vector value generated from the latest USO scan.
+- **scenarioId** The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate.
+- **sessionId** Unique value for each Update Agent mode attempt.
+- **updateId** Unique identifier for each update.
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog
+
+This event indicates that the Enhanced Engaged restart "first reminder" dialog box was displayed..
+
+The following fields are available:
+
+- **DeviceLocalTime** The local time on the device sending the event.
+- **ETag** OneSettings versioning value.
+- **ExitCode** Indicates how users exited the dialog box.
+- **RebootVersion** Version of DTE.
+- **UpdateId** The ID of the update that is pending restart to finish installation.
+- **UpdateRevision** The revision of the update that is pending restart to finish installation.
+- **UserResponseString** The option that user chose in this dialog box.
+- **UtcTime** The time that the dialog box was displayed, in Coordinated Universal Time.
+
+
+### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel
+
+This event indicates that Windows Update activity was blocked due to low battery level.
+
+The following fields are available:
+
+- **batteryLevel** The current battery charge capacity.
+- **batteryLevelThreshold** The battery capacity threshold to stop update activity.
+- **updatePhase** The current state of the update process.
+- **wuDeviceid** Device ID.
+
+
+### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit
+
+This event indicates that DTU completed installation of the electronic software delivery (ESD), when Windows Update was already in Pending Commit phase of the feature update.
+
+The following fields are available:
+
+- **wuDeviceid** Device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.DTUEnabled
+
+This event indicates that Inbox DTU functionality was enabled.
+
+The following fields are available:
+
+- **wuDeviceid** Device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.DTUInitiated
+
+This event indicates that Inbox DTU functionality was intiated.
+
+The following fields are available:
+
+- **dtuErrorCode** Return code from creating the DTU Com Server.
+- **isDtuApplicable** Determination of whether DTU is applicable to the machine it is running on.
+- **wuDeviceid** Device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.FailedToAddTimeTriggerToScanTask
+
+This event indicated that USO failed to add a trigger time to a task.
+
+The following fields are available:
+
+- **errorCode** The Windows Update error code.
+- **wuDeviceid** The Windows Update device ID.
+
+
+### Microsoft.Windows.Update.Orchestrator.StickUpdate
+
+This event is sent when the update service orchestrator (USO) indicates the update cannot be superseded by a newer update.
+
+The following fields are available:
+
+- **updateId** Identifier associated with the specific piece of content.
+- **wuDeviceid** Unique device ID controlled by the software distribution client.
+
+
+### Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours
+
+This event indicates that update activity was stopped due to active hours starting.
+
+The following fields are available:
+
+- **activeHoursEnd** The end of the active hours window.
+- **activeHoursStart** The start of the active hours window.
+- **updatePhase** The current state of the update process.
+- **wuDeviceid** The device identifier.
+
+
+### Microsoft.Windows.Update.Orchestrator.TerminatedByBatteryLevel
+
+This event is sent when update activity was stopped due to a low battery level.
+
+The following fields are available:
+
+- **batteryLevel** The current battery charge capacity.
+- **batteryLevelThreshold** The battery capacity threshold to stop update activity.
+- **updatePhase** The current state of the update process.
+- **wuDeviceid** The device identifier.
+
+
+### Microsoft.Windows.Update.Orchestrator.UnstickUpdate
+
+This event is sent when the update service orchestrator (USO) indicates that the update can be superseded by a newer update.
+
+The following fields are available:
+
+- **updateId** Identifier associated with the specific piece of content.
+- **wuDeviceid** Unique device ID controlled by the software distribution client.
+ + +### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask + +This event is sent when MUSE broker schedules a task. + +The following fields are available: + +- **TaskArgument** The arguments with which the task is scheduled. +- **TaskName** Name of the task. + + + diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md index 23b6540574..dc82af4768 100644 --- a/windows/privacy/diagnostic-data-viewer-overview.md +++ b/windows/privacy/diagnostic-data-viewer-overview.md @@ -61,6 +61,8 @@ The Diagnostic Data Viewer provides you with the following features to view and - **View your diagnostic events.** In the left column, you can review your diagnostic events. These events reflect activities that occurred and were sent to Microsoft. Selecting an event opens the detailed JSON view, which provides the exact details uploaded to Microsoft. Microsoft uses this info to continually improve the Windows operating system. + + ![View your diagnostic events](images/ddv-event-view.png) - **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text. 
@@ -69,10 +71,12 @@ The Diagnostic Data Viewer provides you with the following features to view and - **Filter your diagnostic event categories.** The apps Menu button opens the detailed menu. In here, you'll find a list of diagnostic event categories, which define how the events are used by Microsoft. Selecting a check box lets you filter between the diagnostic event categories. + + ![Filter your diagnostic event categories](images/ddv-event-view-filter.png) -- **Help to make your Windows experience better.** Microsoft samples diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If you’re a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others. +- **Help to make your Windows experience better.** Microsoft only needs diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If you’re a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others. - To signify your contribution, you’ll see this icon (![Icon to review the device-level sampling](images/ddv-device-sample.png)) if your device is part of the sampling group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)). + To signify your contribution, you’ll see this icon (![Icon to review the device-level sampling](images/ddv-device-sample.png)) if your device is part of the group. 
In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)). - **Provide diagnostic event feedback.** The **Feedback** icon opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events. diff --git a/windows/privacy/images/ddv-data-viewing.png b/windows/privacy/images/ddv-data-viewing.png index 88f45acf3b..b2f72cfc85 100644 Binary files a/windows/privacy/images/ddv-data-viewing.png and b/windows/privacy/images/ddv-data-viewing.png differ diff --git a/windows/privacy/images/ddv-event-feedback.png b/windows/privacy/images/ddv-event-feedback.png new file mode 100644 index 0000000000..61c1c15e99 Binary files /dev/null and b/windows/privacy/images/ddv-event-feedback.png differ diff --git a/windows/privacy/images/ddv-event-view-basic.png b/windows/privacy/images/ddv-event-view-basic.png new file mode 100644 index 0000000000..5668e13bec Binary files /dev/null and b/windows/privacy/images/ddv-event-view-basic.png differ diff --git a/windows/privacy/images/ddv-event-view-filter.png b/windows/privacy/images/ddv-event-view-filter.png new file mode 100644 index 0000000000..addd53271d Binary files /dev/null and b/windows/privacy/images/ddv-event-view-filter.png differ diff --git a/windows/privacy/images/ddv-event-view.png b/windows/privacy/images/ddv-event-view.png new file mode 100644 index 0000000000..264add2d9c Binary files /dev/null and b/windows/privacy/images/ddv-event-view.png differ diff --git a/windows/privacy/images/ddv-export.png b/windows/privacy/images/ddv-export.png new file mode 100644 index 0000000000..25e62858db Binary files /dev/null and b/windows/privacy/images/ddv-export.png differ 
diff --git a/windows/privacy/images/ddv-settings-launch.png b/windows/privacy/images/ddv-settings-launch.png index 4d4e26c382..dc105bfde3 100644 Binary files a/windows/privacy/images/ddv-settings-launch.png and b/windows/privacy/images/ddv-settings-launch.png differ diff --git a/windows/privacy/images/ddv-settings-off.png b/windows/privacy/images/ddv-settings-off.png index 12704b5e28..9c1e292e89 100644 Binary files a/windows/privacy/images/ddv-settings-off.png and b/windows/privacy/images/ddv-settings-off.png differ diff --git a/windows/privacy/windows-diagnostic-data.md b/windows/privacy/windows-diagnostic-data.md index 1766427ef8..dd435f2d40 100644 --- a/windows/privacy/windows-diagnostic-data.md +++ b/windows/privacy/windows-diagnostic-data.md @@ -14,6 +14,7 @@ ms.date: 03/13/2018 # Windows 10, version 1709 and newer diagnostic data for the Full level Applies to: +- Windows 10, version 1809 - Windows 10, version 1803 - Windows 10, version 1709 @@ -24,17 +25,11 @@ In addition, this article provides references to equivalent definitions for the The data covered in this article is grouped into the following types: - Common data (diagnostic header information) - - Device, Connectivity, and Configuration data - - Product and Service Usage data - - Product and Service Performance data - - Software Setup and Inventory data - - Browsing History data - - Inking, Typing, and Speech Utterance data ## Common data 
@@ -44,9 +39,23 @@ Most diagnostic events contain a header of common data. In each example, the inf Header data supports the use of data associated with all diagnostic events. Therefore, Common data is used to [provide](#provide) Windows 10, and may be used to [improve](#improve), [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) Microsoft and third-party products and services, depending on the uses described in the **Data Use** statements for each data category. ### Data Description for Common data type -|Sub-type|Description and examples| -|- |- | -|Common Data|Information that is added to most diagnostic events, if relevant and available:
      • Diagnostic level -- Basic or Full, Sample level -- for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability)
      • Operating system name, version, build, and locale (8.2.3.2.2 Telemetry data)
      • Event collection time (8.2.3.2.2 Telemetry data)
      • User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic diagnostic data (8.2.5 Account data)
      • Xbox UserID (8.2.5 Account data)
      • Device ID -- This is not the user provided device name, but an ID that is unique for that device. (8.2.3.2.3 Connectivity data)
      • Device class -- Desktop, Server, or Mobile (8.2.3.2.3 Connectivity data)
      • Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time, such as the amount of time an app is running or between boots of the operating system (8.2.4 Cloud service provider data)
      • Diagnostic event name, Event ID, ETW opcode, version, schema signature, keywords, and flags (8.2.4 Cloud service provider data)
      • HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service (8.2.4 Cloud service provider data)
      • Various IDs that are used to correlate and sequence related events together (8.2.4 Cloud service provider data)
      | + +#### Common data type + +Information that is added to most diagnostic events, if relevant and available: + +- Diagnostic level -- Basic or Full, Sample level -- for sampled data, what sample level is this device opted into (8.2.3.2.4 Observed Usage of the Service Capability) +- Operating system name, version, build, and locale (8.2.3.2.2 Telemetry data) +- Event collection time (8.2.3.2.2 Telemetry data) +- User ID -- a unique identifier associated with the user's Microsoft Account (if one is used) or local account. The user's Microsoft Account identifier is not collected from devices configured to send Basic - diagnostic data (8.2.5 Account data) +- Xbox UserID (8.2.5 Account data) +- Device ID -- This is not the user provided device name, but an ID that is unique for that device. (8.2.3.2.3 Connectivity data) +- Device class -- Desktop, Server, or Mobile (8.2.3.2.3 Connectivity data) +- Environment from which the event was logged -- Application ID of app or component that logged the event, Session GUID. Used to track events over a given period of time, such as the amount of time an app is running or between boots of the operating system (8.2.4 Cloud service provider data) +- Diagnostic event name, Event ID, ETW opcode, version, schema signature, keywords, and flags (8.2.4 Cloud service provider data) +- HTTP header information, including the IP address. This IP address is the source address that’s provided by the network packet header and received by the diagnostics ingestion service (8.2.4 Cloud service provider data) +- Various IDs that are used to correlate and sequence related events together (8.2.4 Cloud service provider data) + ## Device, Connectivity, and Configuration data This type of data includes details about the device, its configuration and connectivity capabilities, and status. Device, Connectivity, and Configuration Data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.3 Connectivity data. 
@@ -59,15 +68,11 @@ This type of data includes details about the device, its configuration and conne - Device, Connectivity, and Configuration data is used to understand the unique device characteristics that can contribute to an error experienced on the device, to identify patterns, and to more quickly resolve problems that impact devices with unique hardware, capabilities, or settings. For example: - Data about the use of cellular modems and their configuration on your devices is used to troubleshoot cellular modem issues. - - Data about the use of USB hubs use and their configuration on your devices is used to troubleshoot USB hub issues. - - Data about the use of connected Bluetooth devices is used to troubleshoot compatibility issues with Bluetooth devices. - Data about device properties, such as the operating system version and available memory, is used to determine whether the device is due to, and able to, receive a Windows update. - - Data about device peripherals is used to determine whether a device has installed drivers that might be negatively impacted by a Windows update. - - Data about which devices, peripherals, and settings are most-used by customers, is used to prioritize Windows 10 improvements to determine the greatest positive impact to the most Windows 10 users. **With (optional) Tailored experiences:**
      @@ -78,13 +83,91 @@ If a user has enabled Tailored experiences on the device, [Pseudonymized](#pseud - Data about device capabilities, such as whether the device is pen-enabled, is used to recommend (Microsoft and third-party) apps that are appropriate for the device. These may be free or paid apps.   ### Data Description for Device, Connectivity, and Configuration data type -|Sub-type|Description and examples| -|- |- | -|Device properties |Information about the operating system and device hardware, such as:
      • Operating system - version name, edition
      • Installation type, subscription status, and genuine operating system status
      • Processor architecture, speed, number of cores, manufacturer, and model
      • OEM details --manufacturer, model, and serial number
      • Device identifier and Xbox serial number
      • Firmware/BIOS operating system -- type, manufacturer, model, and version
      • Memory -- total memory, video memory, speed, and how much memory is available after the device has reserved memory
      • Storage -- total capacity and disk type
      • Battery -- charge capacity and InstantOn support
      • Hardware chassis type, color, and form factor
      • Is this a virtual machine?
      | -|Device capabilities|Information about the specific device capabilities, such as:
      • Camera -- whether the device has a front facing camera, a rear facing camera, or both.
      • Touch screen -- Whether the device has a touch screen? If yes, how many hardware touch points are supported?
      • Processor capabilities -- CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2
      • Trusted Platform Module (TPM) -- whether a TPM exists and if yes, what version
      • Virtualization hardware -- whether an IOMMU exists, whether it includes SLAT support, and whether virtualization is enabled in the firmware
      • Voice -- whether voice interaction is supported and the number of active microphones
      • Number of displays, resolutions, and DPI
      • Wireless capabilities
      • OEM or platform face detection
      • OEM or platform video stabilization and quality-level set
      • Advanced Camera Capture mode (HDR versus Low Light), OEM versus platform implementation, HDR probability, and Low Light probability
      | -|Device preferences and settings |Information about the device settings and user preferences, such as:
      • User Settings -- System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security
      • User-provided device name
      • Whether device is domain-joined, or cloud-domain joined (for example, part of a company-managed network)
      • Hashed representation of the domain name
      • MDM (mobile device management) enrollment settings and status
      • BitLocker, Secure Boot, encryption settings, and status
      • Windows Update settings and status
      • Developer Unlock settings and status
      • Default app choices
      • Default browser choice
      • Default language settings for app, input, keyboard, speech, and display
      • App store update settings
      • Enterprise OrganizationID, Commercial ID
      | -|Device peripherals |Information about the device peripherals, such as:
      • Peripheral name, device model, class, manufacturer, and description
      • Peripheral device state, install state, and checksum
      • Driver name, package name, version, and manufacturer
      • HWID - A hardware vendor-defined ID to match a device to a driver [INF file](https://msdn.microsoft.com/windows/hardware/drivers/install/hardware-ids)
      • Driver state, problem code, and checksum
      • Whether driver is kernel mode, signed, and image size
      | -|Device network info |Information about the device network configuration, such as:
      • Network system capabilities
      • Local or Internet connectivity status
      • Proxy, gateway, DHCP, DNS details, and addresses
      • Whether it's a paid or free network
      • Whether the wireless driver is emulated
      • Whether it's access point mode-capable
      • Access point manufacturer, model, and MAC address
      • WDI Version
      • Name of networking driver service
      • Wi-Fi Direct details
      • Wi-Fi device hardware ID and manufacturer
      • Wi-Fi scan attempt and item counts
      • Whether MAC randomization is supported and enabled
      • Number of supported spatial streams and channel frequencies
      • Whether Manual or Auto-connect is enabled
      • Time and result of each connection attempt
      • Airplane mode status and attempts
      • Interface description provided by the manufacturer
      • Data transfer rates
      • Cipher algorithm
      • Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO)
      • Mobile operator and service provider name
      • Available SSIDs and BSSIDs
      • IP Address type -- IPv4 or IPv6
      • Signal Quality percentage and changes
      • Hotspot presence detection and success rate
      • TCP connection performance
      • Miracast device names
      • Hashed IP address
      + +**Device properties sub-type:** Information about the operating system and device hardware + +- Operating system - version name, edition +- Installation type, subscription status, and genuine operating system status +- Processor architecture, speed, number of cores, manufacturer, and model +- OEM details --manufacturer, model, and serial number +- Device identifier and Xbox serial number +- Firmware/BIOS operating system -- type, manufacturer, model, and version +- Memory -- total memory, video memory, speed, and how much memory is available after the device has reserved memory +- Storage -- total capacity and disk type +- Battery -- charge capacity and InstantOn support +- Hardware chassis type, color, and form factor +- Is this a virtual machine? + +**Device capabilities sub-type:** Information about the capabilities of the device + +- Camera -- whether the device has a front facing camera, a rear facing camera, or both. +- Touch screen -- Whether the device has a touch screen? If yes, how many hardware touch points are supported? 
+- Processor capabilities -- CompareExchange128, LahfSahf, NX, PrefetchW, and SSE2 +- Trusted Platform Module (TPM) -- whether a TPM exists and if yes, what version +- Virtualization hardware -- whether an IOMMU exists, whether it includes SLAT support, and whether virtualization is enabled in the firmware +- Voice -- whether voice interaction is supported and the number of active microphones +- Number of displays, resolutions, and DPI +- Wireless capabilities +- OEM or platform face detection +- OEM or platform video stabilization and quality-level set +- Advanced Camera Capture mode (HDR versus Low Light), OEM versus platform implementation, HDR probability, and Low Light probability + +**Device preferences and settings sub-type:** Information about the device settings and user preferences + +- User Settings -- System, Device, Network & Internet, Personalization, Cortana, Apps, Accounts, Time & Language, Gaming, Ease of Access, Privacy, Update & Security +- User-provided device name +- Whether device is domain-joined, or cloud-domain joined (for example, part of a company-managed network) +- Hashed representation of the domain name +- MDM (mobile device management) enrollment settings and status +- BitLocker, Secure Boot, encryption settings, and status +- Windows Update settings and status +- Developer Unlock settings and status +- Default app choices +- Default browser choice +- Default language settings for app, input, keyboard, speech, and display +- App store update settings +- Enterprise OrganizationID, Commercial ID + +**Device peripherals sub-type:** Information about the peripherals of the device + +- Peripheral name, device model, class, manufacturer, and description +- Peripheral device state, install state, and checksum +- Driver name, package name, version, and manufacturer +- HWID - A hardware vendor-defined ID to match a device to a driver [INF file](https://docs.microsoft.com/windows-hardware/drivers/install/hardware-ids) +- Driver state, problem 
code, and checksum +- Whether driver is kernel mode, signed, and image size + +**Device network info sub-type:** Information about the device network configuration + +- Network system capabilities +- Local or Internet connectivity status +- Proxy, gateway, DHCP, DNS details, and addresses +- Whether it's a paid or free network +- Whether the wireless driver is emulated +- Whether it's access point mode-capable +- Access point manufacturer, model, and MAC address +- WDI Version +- Name of networking driver service +- Wi-Fi Direct details +- Wi-Fi device hardware ID and manufacturer +- Wi-Fi scan attempt and item counts +- Whether MAC randomization is supported and enabled +- Number of supported spatial streams and channel frequencies +- Whether Manual or Auto-connect is enabled +- Time and result of each connection attempt +- Airplane mode status and attempts +- Interface description provided by the manufacturer +- Data transfer rates +- Cipher algorithm +- Mobile Equipment ID (IMEI) and Mobile Country Code (MCCO) +- Mobile operator and service provider name +- Available SSIDs and BSSIDs +- IP Address type -- IPv4 or IPv6 +- Signal Quality percentage and changes +- Hotspot presence detection and success rate +- TCP connection performance +- Miracast device names +- Hashed IP address ## Product and Service Usage data This type of data includes details about the usage of the device, operating system, applications and services. Product and Service Usage data is equivalent to ISO/IEC 19944:2017, 8.2.3.2.4 Observed Usage of the Service Capability. 
@@ -95,32 +178,60 @@ This type of data includes details about the usage of the device, operating syst
 [Pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
 - Data about the specific apps that are in-use when an error occurs is used to troubleshoot and repair issues with Windows features and Microsoft apps.
-
 - Data about the specific apps that are most-used by customers, is used to prioritize Windows 10 improvements to determine the greatest positive impact to the most Windows 10 users.
-
 - Data about whether devices have Suggestions turned off from the **Settings Phone** screen is to improve the Suggestions feature.
-
 - Data about whether a user canceled the authentication process in their browser is used to help troubleshoot issues with and improve the authentication process.
-
 - Data about when and what feature invoked Cortana is used to prioritize efforts for improvement and innovation in Cortana.
-
 - Data about when a context menu in the photo app is closed is used to troubleshoot and improve the photo app.
 **With (optional) Tailored experiences:**
      If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Usage data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. For example: - If data shows that a user has not used a particular feature of Windows, we may recommend that the user try that feature. - - Data about which apps are most-used on a device is used to provide recommendations for similar or complementary (Microsoft or third-party) apps. These may be free or paid apps. ### Data Description for Product and Service Usage data type -|Sub-type|Description and examples | -|- |- | -|App usage|Information about Windows and application usage, such as:
      • Operating system component and app feature usage
      • User navigation and interaction with app and Windows features. This could potentially include user input, such as name of a new alarm set, user menu choices, or user favorites
      • Time of and count of app and component launches, duration of use, session GUID, and process ID
      • App time in various states –- running in the foreground or background, sleeping, or receiving active user interaction
      • User interaction method and duration –- whether the user used a keyboard, mouse, pen, touch, speech, or game controller, and for how long
      • Cortana launch entry point and reason
      • Notification delivery requests and status
      • Apps used to edit images and videos
      • SMS, MMS, VCard, and broadcast message usage statistics on primary or secondary lines
      • Incoming and outgoing calls and voicemail usage statistics on primary or secondary lines
      • Emergency alerts are received or displayed statistics
      • Content searches within an app
      • Reading activity -- bookmarked, printed, or had the layout changed
      | -|App or product state|Information about Windows and application state, such as:
      • Start Menu and Taskbar pins
      • Online and offline status
      • App launch state –- with deep-links, such as Groove launching with an audio track to play or MMS launching to share a picture
      • Personalization impressions delivered
      • Whether the user clicked on, or hovered over, UI controls or hotspots
      • User provided feedback, such as Like, Dislike or a rating
      • Caret location or position within documents and media files -- how much has been read in a book in a single session, or how much of a song has been listened to.
      | -|Purchasing|Information about purchases made on the device, such as:
      • Product ID, edition ID and product URI
      • Offer details -- price
      • Date and time an order was requested
      • Microsoft Store client type -- web or native client
      • Purchase quantity and price
      • Payment type -- credit card type and PayPal
      | -|Login properties|Information about logins on the device, such as:
      • Login success or failure
      • Login sessions and state
      | + +**App usage sub-type:** Information about Windows and application usage + +- Operating system component and app feature usage +- User navigation and interaction with app and Windows features. This could potentially include user input, such as name of a new alarm set, user menu choices, or user favorites +- Time of and count of app and component launches, duration of use, session GUID, and process ID +- App time in various states –- running in the foreground or background, sleeping, or receiving active user interaction +- User interaction method and duration –- whether the user used a keyboard, mouse, pen, touch, speech, or game controller, and for how long +- Cortana launch entry point and reason +- Notification delivery requests and status +- Apps used to edit images and videos +- SMS, MMS, VCard, and broadcast message usage statistics on primary or secondary lines +- Incoming and outgoing calls and voicemail usage statistics on primary or secondary lines +- Emergency alerts are received or displayed statistics +- Content searches within an app +- Reading activity -- bookmarked, printed, or had the layout changed + +**App or product state sub-type:** Information about Windows and application state + +- Start Menu and Taskbar pins +- Online and offline status +- App launch state –- with deep-links, such as Groove launching with an audio track to play or MMS launching to share a picture +- Personalization impressions delivered +- Whether the user clicked on, or hovered over, UI controls or hotspots +- User provided feedback, such as Like, Dislike or a rating +- Caret location or position within documents and media files -- how much has been read in a book in a single session, or how much of a song has been listened to. 
+
+**Purchasing sub-type:** Information about purchases made on the device
+
+- Product ID, edition ID and product URI
+- Offer details -- price
+- Date and time an order was requested
+- Microsoft Store client type -- web or native client
+- Purchase quantity and price
+- Payment type -- credit card type and PayPal
+
+**Login properties sub-type:** Information about logins on the device
+
+- Login success or failure
+- Login sessions and state
 ## Product and Service Performance data
 This type of data includes details about the health of the device, operating system, apps, and drivers. Product and Service Performance data is equivalent to ISO/IEC 19944:2017 8.2.3.2.2 EUII Telemetry data.
@@ -131,35 +242,109 @@ This type of data includes details about the health of the device, operating sys
 [Pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
 - Data about the reliability of content that appears in the [Windows Spotlight](https://docs.microsoft.com/windows/configuration/windows-spotlight) (rotating lock screen images) is used for Windows Spotlight reliability investigations.
-
 - Timing data about how quickly Cortana responds to voice commands is used to improve Cortana listening peformance.
-
 - Timing data about how quickly the facial recognition feature starts up and finishes is used to improve facial recognition performance.
-
 - Data about when an Application Window fails to appear is used to investigate issues with Application Window reliability and performance.
 **With (optional) Tailored experiences:**
      If a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [personalize](#personalize), [recommend](#recommend), and [offer](#offer) Microsoft products and services to Windows 10 users. Also, if a user has enabled Tailored experiences on the device, [pseudonymized](#pseudo) Product and Service Performance data from Windows 10 is used by Microsoft to [promote](#promote) third-party Windows apps, services, hardware, and peripherals to Windows 10 users. - Data about battery performance on a device may be used to recommend settings changes that can improve battery performance. - - If data shows a device is running low on file storage, we may recommend Windows-compatible cloud storage solutions to free up space. - - If data shows the device is experiencing performance issues, we may provide recommendations for Windows apps that can help diagnose or resolve these issues. These may be free or paid apps. **Microsoft doesn't use crash and hang dump data to [personalize](#personalize), [recommend](#recommend), [offer](#offer), or [promote](#promote) any product or service.** ### Data Description for Product and Service Performance data type -|Sub-type|Description and examples | -|- |- | -|Device health and crash data|Information about the device and software health, such as:
      • Error codes and error messages, name and ID of the app, and process reporting the error
      • DLL library predicted to be the source of the error -- for example, xyz.dll
      • System generated files -- app or product logs and trace files to help diagnose a crash or hang
      • System settings, such as registry keys
      • User generated files -- files that are indicated as a potential cause for a crash or hang. For example, .doc, .ppt, .csv files
      • Details and counts of abnormal shutdowns, hangs, and crashes
      • Crash failure data -- operating system, operating system component, driver, device, and 1st and 3rd-party app data
      • Crash and hang dumps, including:
        • The recorded state of the working memory at the point of the crash
        • Memory in-use by the kernel at the point of the crash.
        • Memory in-use by the application at the point of the crash
        • All the physical memory used by Windows at the point of the crash
        • Class and function name within the module that failed.
        | -|Device performance and reliability data|Information about the device and software performance, such as:
        • User interface interaction durations -- Start menu display times, browser tab switch times, app launch and switch times, and Cortana and Search performance and reliability
        • Device on and off performance -- Device boot, shutdown, power on and off, lock and unlock times, and user authentication times (fingerprint and face recognition durations)
        • In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction
        • User input responsiveness -- onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score
        • UI and media performance and glitches versus smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
        • Disk footprint -- Free disk space, out of memory conditions, and disk score
        • Excessive resource utilization -- components impacting performance or battery life through high CPU usage during different screen and power states
        • Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
        • Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness, and environmental response times
        • Device setup -- first setup experience times (time to install updates, install apps, connect to network, and so on), time to recognize connected devices (printer and monitor), and time to set up a Microsoft Account
        • Power and Battery life -- power draw by component (Process/CPU/GPU/Display), hours of time the screen is off, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use while the screen is off, auto-brightness details, time device is plugged into AC versus battery, and battery state transitions
        • Service responsiveness -- Service URI, operation, latency, service success and error codes, and protocol
        • Diagnostic heartbeat -- regular signal used to validate the health of the diagnostics system
        | -|Movies|Information about movie consumption functionality on the device. This isn't intended to capture user viewing, listening, or habits.
        • Video Width, height, color palette, encoding (compression) type, and encryption type
        • Instructions about how to stream content for the user -- the smooth streaming manifest of content file chunks that must be pieced together to stream the content based on screen resolution and bandwidth
        • URL for a specific two-second chunk of content if there is an error
        • Full-screen viewing mode details
        | -|Music & TV|Information about music and TV consumption on the device. This isn't intended to capture user viewing, listening, or habits.
        • Service URL for song being downloaded from the music service -- collected when an error occurs to facilitate restoration of service
        • Content type (video, audio, or surround audio)
        • Local media library collection statistics -- number of purchased tracks and number of playlists
        • Region mismatch -- User's operating system region and Xbox Live region
        | -|Reading|Information about reading consumption functionality on the device. This isn't intended to capture user viewing, listening, or habits.
        • App accessing content and status and options used to open a Microsoft Store book
        • Language of the book
        • Time spent reading content
        • Content type and size details
        | -|Photos App|Information about photos usage on the device. This isn't intended to capture user viewing, listening, or habits.
        • File source data -- local, SD card, network device, and OneDrive
        • Image and video resolution, video length, file sizes types, and encoding
        • Collection view or full screen viewer use and duration of view
        | -|On-device file query |Information about local search activity on the device, such as:
        • Kind of query issued and index type (ConstraintIndex or SystemIndex)
        • Number of items requested and retrieved
        • File extension of search result with which the user interacted
        • Launched item type, file extension, index of origin, and the App ID of the opening app
        • Name of process calling the indexer and the amount of time to service the query
        • A hash of the search scope (file, Outlook, OneNote, or IE history). The state of the indices (fully optimized, partially optimized, or being built)
        | -|Entitlements |Information about entitlements on the device, such as:
        • Service subscription status and errors
        • DRM and license rights details -- Groove subscription or operating system volume license
        • Entitlement ID, lease ID, and package ID of the install package
        • Entitlement revocation
        • License type (trial, offline versus online) and duration
        • License usage session
        | + +**Device health and crash data sub-type:** Information about the device and software health + +- Error codes and error messages, name and ID of the app, and process reporting the error +- DLL library predicted to be the source of the error -- for example, xyz.dll +- System generated files -- app or product logs and trace files to help diagnose a crash or hang +- System settings, such as registry keys +- User generated files -- files that are indicated as a potential cause for a crash or hang. For example, .doc, .ppt, .csv files +- Details and counts of abnormal shutdowns, hangs, and crashes +- Crash failure data -- operating system, operating system component, driver, device, and 1st and 3rd-party app data +- Crash and hang dumps, including: + - The recorded state of the working memory at the point of the crash + - Memory in-use by the kernel at the point of the crash. + - Memory in-use by the application at the point of the crash + - All the physical memory used by Windows at the point of the crash + - Class and function name within the module that failed. 
+
+**Device performance and reliability data sub-type:** Information about the device and software performance
+
+- User interface interaction durations -- Start menu display times, browser tab switch times, app launch and switch times, and Cortana and Search performance and reliability
+- Device on and off performance -- Device boot, shutdown, power on and off, lock and unlock times, and user authentication times (fingerprint and face recognition durations)
+- In-app responsiveness -- time to set alarm, time to fully render in-app navigation menus, time to sync reading list, time to start GPS navigation, time to attach picture MMS, and time to complete a Microsoft Store transaction
+- User input responsiveness -- onscreen keyboard invocation times for different languages, time to show auto-complete words, pen or touch latencies, latency for handwriting recognition to words, Narrator screen reader responsiveness, and CPU score
+- UI and media performance and glitches versus smoothness -- video playback frame rate, audio glitches, animation glitches (stutter when bringing up Start), graphics score, time to first frame, play/pause/stop/seek responsiveness, time to render PDF, dynamic streaming of video from OneDrive performance
+- Disk footprint -- Free disk space, out of memory conditions, and disk score
+- Excessive resource utilization -- components impacting performance or battery life through high CPU usage during different screen and power states
+- Background task performance -- download times, Windows Update scan duration, Windows Defender Antivirus scan times, disk defrag times, mail fetch times, service startup and state transition times, and time to index on-device files for search results
+- Peripheral and devices -- USB device connection times, time to connect to a wireless display, printing times, network availability and connection times (time to connect to Wi-Fi, time to get an IP address from DHCP etc.), smart card authentication times, automatic brightness, and environmental response times
+- Device setup -- first setup experience times (time to install updates, install apps, connect to network, and so on), time to recognize connected devices (printer and monitor), and time to set up a Microsoft Account
+- Power and Battery life -- power draw by component (Process/CPU/GPU/Display), hours of time the screen is off, sleep state transition details, temperature and thermal throttling, battery drain in a power state (screen off or screen on), processes and components requesting power use while the screen is off, auto-brightness details, time device is plugged into AC versus battery, and battery state transitions
+- Service responsiveness -- Service URI, operation, latency, service success and error codes, and protocol
+- Diagnostic heartbeat -- regular signal used to validate the health of the diagnostics system
+
+**Movies sub-type:** Information about movie consumption functionality on the device
+
+> [!NOTE]
+> This isn't intended to capture user viewing, listening, or habits.
+
+- Video Width, height, color palette, encoding (compression) type, and encryption type
+- Instructions about how to stream content for the user -- the smooth streaming manifest of content file chunks that must be pieced together to stream the content based on screen resolution and bandwidth
+- URL for a specific two-second chunk of content if there is an error
+- Full-screen viewing mode details
+
+**Music & TV sub-type:** Information about music and TV consumption on the device
+
+> [!NOTE]
+> This isn't intended to capture user viewing, listening, or habits.
+
+- Service URL for song being downloaded from the music service -- collected when an error occurs to facilitate restoration of service
+- Content type (video, audio, or surround audio)
+- Local media library collection statistics -- number of purchased tracks and number of playlists
+- Region mismatch -- User's operating system region and Xbox Live region
+
+**Reading sub-type:** Information about reading consumption functionality on the device
+
+> [!NOTE]
+> This isn't intended to capture user viewing, listening, or habits.
+
+- App accessing content and status and options used to open a Microsoft Store book
+- Language of the book
+- Time spent reading content
+- Content type and size details
+
+**Photos app sub-type:** Information about photos usage on the device
+
+> [!NOTE]
+> This isn't intended to capture user viewing, listening, or habits.
+
+- File source data -- local, SD card, network device, and OneDrive
+- Image and video resolution, video length, file sizes types, and encoding
+- Collection view or full screen viewer use and duration of view
+
+**On-device file query sub-type:** Information about local search activity on the device
+
+- Kind of query issued and index type (ConstraintIndex or SystemIndex)
+- Number of items requested and retrieved
+- File extension of search result with which the user interacted
+- Launched item type, file extension, index of origin, and the App ID of the opening app
+- Name of process calling the indexer and the amount of time to service the query
+- A hash of the search scope (file, Outlook, OneNote, or IE history). The state of the indices (fully optimized, partially optimized, or being built)
+
+**Entitlements sub-type:** Information about entitlements on the device
+
+- Service subscription status and errors
+- DRM and license rights details -- Groove subscription or operating system volume license
+- Entitlement ID, lease ID, and package ID of the install package
+- Entitlement revocation
+- License type (trial, offline versus online) and duration
+- License usage session
 ## Software Setup and Inventory data
 This type of data includes software installation and update information on the device. Software Setup and Inventory Data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.4 Observed Usage of the Service Capability.
@@ -170,11 +355,8 @@ This type of data includes software installation and update information on the d
 [Pseudonymized](#pseudo) Software Setup and Inventory data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
 - Data about the specific drivers that are installed on a device is used to understand whether there are any hardware or driver compatibility issues which should block or delay a Windows update.
-
 - Data about when a download starts and finishes on a device is used to understand and address download problems.
-
 - Data about the specific Microsoft Store apps that are installed on a device is used to determine which app updates to provide to the device.
-
 - Data about the antimalware installed on a device is used to understand malware transmissions vectors.
 **With (optional) Tailored experiences:**
        @@ -183,10 +365,28 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud - Data about the specific apps that are installed on a device is used to provide recommendations for similar or complementary apps in the Microsoft Store. ### Data Description for Software Setup and Inventory data type -|Sub-type|Description and examples | -|- |- | -|Installed Applications and Install History|Information about apps, drivers, update packages, or operating system components installed on the device, such as:
        • App, driver, update package, or component’s Name, ID, or Package Family Name
        • Product, SKU, availability, catalog, content, and Bundle IDs
        • Operating system component, app or driver publisher, language, version and type (Win32 or UWP)
        • Install date, method, install directory, and count of install attempts
        • MSI package and product code
        • Original operating system version at install time
        • User, administrator, or mandatory installation or update
        • Installation type -- clean install, repair, restore, OEM, retail, upgrade, or update
        | -|Device update information |Information about Windows Update, such as:
        • Update Readiness analysis of device hardware, operating system components, apps, and drivers (progress, status, and results)
        • Number of applicable updates, importance, and type
        • Update download size and source -- CDN or LAN peers
        • Delay upgrade status and configuration
        • Operating system uninstall and rollback status and count
        • Windows Update server and service URL
        • Windows Update machine ID
        • Windows Insider build details
        | + +**Installed applications and install history sub-type:** Information about apps, drivers, update packages, or operating system components installed on the device + +- App, driver, update package, or component’s Name, ID, or Package Family Name +- Product, SKU, availability, catalog, content, and Bundle IDs +- Operating system component, app or driver publisher, language, version and type (Win32 or UWP) +- Install date, method, install directory, and count of install attempts +- MSI package and product code +- Original operating system version at install time +- User, administrator, or mandatory installation or update +- Installation type -- clean install, repair, restore, OEM, retail, upgrade, or update + +**Device update information sub-type:** Information about apps, drivers, update packages, or operating system components installed on the device + +- Update Readiness analysis of device hardware, operating system components, apps, and drivers (progress, status, and results) +- Number of applicable updates, importance, and type +- Update download size and source -- CDN or LAN peers +- Delay upgrade status and configuration +- Operating system uninstall and rollback status and count +- Windows Update server and service URL +- Windows Update machine ID +- Windows Insider build details ## Browsing History data This type of data includes details about web browsing in the Microsoft browsers. Browsing History data is equivalent to ISO/IEC 19944:2017 8.2.3.2.8 Client side browsing history. 
@@ -197,13 +397,9 @@ This type of data includes details about web browsing in the Microsoft browsers.
 [Pseudonymized](#pseudo) Browsing History data from Windows 10 is used by Microsoft to [provide](#provide) and [improve](#improve) Windows 10 and related Microsoft product and services. For example:
 - Data about when the **Block Content** dialog box has been shown is used for investigations of blocked content.
-
 - Data about potentially abusive or malicious domains is used to make updates to Microsoft Edge and Windows Defender SmartScreen to warn users about the domain.
-
 - Data about when the **Address** bar is used for navigation purposes is used to improve the Suggested Sites feature and to understand and address problems arising from navigation.
-
 - Data about when a Web Notes session starts is used to measure popular domains and URLs for the Web Notes feature.
-
 - Data about when a default **Home** page is changed by a user is used to measure which default **Home** pages are the most popular and how often users change the default **Home** page.
 **With (optional) Tailored experiences:**
        @@ -212,9 +408,17 @@ If a user has enabled Tailored experiences on the device, [pseudonymized](#pseud - We may recommend that a user download a compatible app from the Microsoft Store if they have browsed to the related website. For example, if a user uses the Facebook website, we may recommend the Facebook app. ### Data Description for Browsing History data type -|Sub-type|Description and examples | -|- |- | -|Microsoft browser data|Information about **Address** bar and **Search** box performance on the device, such as:
        • Text typed in **Address** bar and **Search** box
        • Text selected for an **Ask Cortana** search
        • Service response time
        • Auto-completed text, if there was an auto-complete
        • Navigation suggestions provided based on local history and favorites
        • Browser ID
        • URLs (may include search terms)
        • Page title
        | + +**Microsoft browser data sub-type:** Information about **Address** bar and **Search** box performance on the device + +- Text typed in **Address** bar and **Search** box +- Text selected for an Ask Cortana search +- Service response time +- Auto-completed text, if there was an auto-complete +- Navigation suggestions provided based on local history and favorites +- Browser ID +- URLs (may include search terms) +- Page title ## Inking Typing and Speech Utterance data This type of data gathers details about the voice, inking, and typing input features on the device. Inking, Typing and Speech Utterance data is a sub-type of ISO/IEC 19944:2017 8.2.3.2.1 End User Identifiable information. @@ -225,13 +429,9 @@ This type of data gathers details about the voice, inking, and typing input feat [Anonymized](#anon) Inking, Typing, and Speech Utterance data from Windows 10 is used by Microsoft to [improve](#improve) natural language capabilities in Microsoft products and services. For example: - Data about words marked as spelling mistakes and replaced with another word from the context menu is used to improve the spelling feature. - - Data about alternate words shown and selected by the user after right-clicking is used to improve the word recommendation feature. - - Data about auto-corrected words that were restored back to the original word by the user is used to improve the auto-correct feature. - - Data about whether Narrator detected and recognized a touch gesture is used to improve touch gesture recognition. - - Data about handwriting samples sent from the Handwriting Panel is used to help Microsoft improve handwriting recognition. **With (optional) Tailored experiences:** 
@@ -239,26 +439,69 @@ This type of data gathers details about the voice, inking, and typing input feat **Microsoft doesn't use Windows Inking, Typing, and Speech Utterance data for Tailored experiences.** ### Data Description for Inking, Typing, and Speech Utterance data type -|Sub-type|Description and examples | -|- |- | -|Voice, inking, and typing|Information about voice, inking and typing features, such as:
        • Type of pen used (highlighter, ball point, or pencil), pen color, stroke height and width, and how long it is used
        • Pen gestures (click, double click, pan, zoom, or rotate)
        • Palm Touch x,y coordinates
        • Input latency, missed pen signals, number of frames, strokes, first frame commit time, and sample rate
        • Ink strokes written, text before and after the ink insertion point, recognized text entered, input language -- processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user
        • Text input from Windows 10 Mobile on-screen keyboards, except from password fields and private sessions -- processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user
        • Text of speech recognition results -- result codes and recognized text
        • Language and model of the recognizer and the System Speech language
        • App ID using speech features
        • Whether user is known to be a child
        • Confidence and success or failure of speech recognition
        | + +**Voice, inking, and typing sub-type:** Information about voice, inking and typing features + +- Type of pen used (highlighter, ball point, or pencil), pen color, stroke height and width, and how long it is used +- Pen gestures (click, double click, pan, zoom, or rotate) +- Palm Touch x,y coordinates +- Input latency, missed pen signals, number of frames, strokes, first frame commit time, and sample rate +- Ink strokes written, text before and after the ink insertion point, recognized text entered, input language -- processed to remove identifiers, sequencing information, and other data (such as email addresses and - numeric values), which could be used to reconstruct the original content or associate the input to the user +- Text input from Windows 10 Mobile on-screen keyboards, except from password fields and private sessions -- processed to remove identifiers, sequencing information, and other data (such as email addresses and numeric values), which could be used to reconstruct the original content or associate the input to the user +- Text of speech recognition results -- result codes and recognized text +- Language and model of the recognizer and the System Speech language +- App ID using speech features +- Whether user is known to be a child +- Confidence and success or failure of speech recognition ## ISO/IEC 19944:2017-specific terminology -This table provides the ISO/IEC 19944:2017-specific definitions for use and de-identification qualifiers used in this article. -|Term |ISO/IEC 19944:2017 Reference |Microsoft usage notes | -|-|-|-| -|Provide |9.3.2 Provide |Use of a specified data category by a Microsoft product or service to protect and provide the described service, including, (i) troubleshoot and fix issues with the product or service or (ii) provide product or service updates.| -|Improve |9.3.3 Improve |Use of a specified data category to improve or increase the quality of a Microsoft product or service. 
Those improvements may be available to end users.| -|Personalize |9.3.4 Personalize |Use of the specified data categories to create a customized experience for the end user in any Microsoft product or service.| -|Recommend |9.3.4 Personalize |“Recommend” means use of the specified data categories to Personalize (9.3.4) the end user’s experience by recommending Microsoft products or services that can be accessed without the need to make a purchase or pay money.

        Use of the specified data categories give recommendations about Microsoft products or services the end user may act on where the recommendation is (i) contextually relevant to the product or service in which it appears, (ii) that can be accessed without the need to make a purchase or pay money, and (iii) Microsoft receives no compensation for the placement.| -|Offer |9.3.5 Offer upgrades or upsell |Implies the source of the data is Microsoft products and services, and the upgrades offered come from Microsoft products and services that are relevant to the context of the current capability. The target audience for the offer is Microsoft customers.

        Specifically, use of the specified data categories to make an offer or upsell new capability or capacity of a Microsoft product or service which is (i) contextually relevant to the product or service in which it appears; (ii) likely to result in additional future revenue for Microsoft from end user; and (iii) Microsoft receives no consideration for placement.| -|Promote|9.3.6 Market/advertise/promote|Use of the specified data categories to promote a product or service in or on a first-party Microsoft product or service.| +This section provides the ISO/IEC 19944:2017-specific definitions for use and de-identification qualifiers used in this article. -

        +### Provide -|Data identification qualifiers |ISO/IEC 19944:2017 Reference |Microsoft usage notes | -|-|-|-| -|Pseudonymized Data |8.3.3 Pseudonymized data|As defined| -|Anonymized Data |8.3.5 Anonymized data|As defined| -|Aggregated Data |8.3.6 Aggregated data|As defined| \ No newline at end of file +ISO/IEC 19944:2017 Reference: **9.3.2 Provide** + +Use of a specified data category by a Microsoft product or service to protect and provide the described service, including, (i) troubleshoot and fix issues with the product or service or (ii) provide product or service updates. + +### Improve + +ISO/IEC 19944:2017 Reference: **9.3.3 Improve** + +Use of a specified data category to improve or increase the quality of a Microsoft product or service. Those improvements may be available to end users. + +### Personalize + +ISO/IEC 19944:2017 Reference: **9.3.4 Personalize** + +Use of the specified data categories to create a customized experience for the end user in any Microsoft product or service. + +### Recommend + +ISO/IEC 19944:2017 Reference: **9.3.4 Personalize** + +“Recommend” means use of the specified data categories to Personalize (9.3.4) the end user’s experience by recommending Microsoft products or services that can be accessed without the need to make a purchase or pay money. + +Use of the specified data categories give recommendations about Microsoft products or services the end user may act on where the recommendation is (i) contextually relevant to the product or service in which it appears, (ii) that can be accessed without the need to make a purchase or pay money, and (iii) Microsoft receives no compensation for the placement. + +### Offer + +ISO/IEC 19944:2017 Reference: **9.3.5 Offer upgrades or upsell** + +Implies the source of the data is Microsoft products and services, and the upgrades offered come from Microsoft products and services that are relevant to the context of the current capability. 
The target audience for the offer is Microsoft customers. + +Specifically, use of the specified data categories to make an offer or upsell new capability or capacity of a Microsoft product or service which is (i) contextually relevant to the product or service in which it appears; (ii) likely to result in additional future revenue for Microsoft from end user; and (iii) Microsoft receives no consideration for placement. + +### Promote + +ISO/IEC 19944:2017 Reference: **9.3.6 Market/advertise/promote** + +Use of the specified data categories to promote a product or service in or on a first-party Microsoft product or service. + +### Data identification qualifiers + +Here are the list of data identification qualifiers and the ISO/IEC 19944:2017 reference: + +- **Pseudonymized Data** 8.3.3 Pseudonymized data. Microsoft usage notes are as defined. +- **Anonymized Data** 8.3.5 Anonymized data. Microsoft usage notes are as defined. +- **Aggregated Data** 8.3.6 Aggregated data. Microsoft usage notes are as defined. \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index 31116809dd..5bc351b6ed 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md 
@@ -8,33 +8,37 @@ ms.sitesec: library ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen -ms.localizationpriority: medium +localizationpriority: high ms.date: 03/20/2018 --- # Multifactor Unlock +**Applies to:** +- Windows 10 + **Requirements:** * Windows Hello for Business deployment (Hybrid or On-premises) -* Hybird Azure AD joined (Hybrid deployments) +* Azure AD joined device (Cloud and Hybrid deployments) +* Hybrid Azure AD joined (Hybrid deployments) * Domain Joined (on-premises deployments) * Windows 10, version 1709 * Bluetooth, Bluetooth capable phone - optional Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system. -Windows 10 offers Multifactor device unlock by extending Windows Hello with trusted signals, administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices. +Windows 10 offers Multi-factor device unlock by extending Windows Hello with trusted signals, administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices. -Which organizations can take advantage of Multifactor unlock? Those who: +Which organizations can take advantage of Multi-factor unlock? Those who: * Have expressed that PINs alone do not meet their security needs. * Want to prevent Information Workers from sharing credentials. * Want their organizations to comply with regulatory two-factor authentication policy. -* Want to retain the familiar Windows logon UX and not settle for a custom solution. +* Want to retain the familiar Windows sign-in user experience and not settle for a custom solution. -You enable multifactor unlock using Group Policy. 
The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. +You enable multi-factor unlock using Group Policy. The **Configure device unlock factors** policy setting is located under **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. ## The Basics: How it works -First unlock factor credential provider and Second unlock credential provider are repsonsible for the bulk of the configuration. Each of these components contains a globally unqiue identifier (GUID) that represents a different Windows credential provider. With the policy setting enabled, users unlock the device using at least one credenital provider from each category before Windows allows the user to proceed to their desktop. +First unlock factor credential provider and Second unlock credential provider are responsible for the bulk of the configuration. Each of these components contains a globally unique identifier (GUID) that represents a different Windows credential provider. With the policy setting enabled, users unlock the device using at least one credential provider from each category before Windows allows the user to proceed to their desktop. The policy setting has three components: * First unlock factor credential provider @@ -60,7 +64,7 @@ Supported credential providers include: The default credential providers for the **First unlock factor credential provider** include: * PIN * Fingerprint -* Facial Recongition +* Facial Recognition The default credential providers for the **Second unlock factor credential provider** include: * Trusted Signal 
@@ -76,7 +80,7 @@ For example, if you include the PIN and fingerprint credential providers in both The **Signal rules for device unlock** setting contains the rules the Trusted Signal credential provider uses to satisfy unlocking the device. ### Rule element -You represent signal rules in XML. Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value. The current supported scheam version is 1.0.
        +You represent signal rules in XML. Each signal rule has an starting and ending **rule** element that contains the **schemaVersion** attribute and value. The current supported schema version is 1.0.
        **Example** ``` @@ -89,9 +93,10 @@ Each rule element has a **signal** element. All signal elements have a **type** |Attribute|Value| |---------|-----| | type| "bluetooth" or "ipConfig" (Windows 10, version 1709)| +| type| "wifi" (Windows 10, version 1803) #### Bluetooth -You define the bluetooth signal with additional attribute in the signal elment. The bluetooth configuration does not use any other elements. You can end the signal element with short ending tag "\/>". +You define the bluetooth signal with additional attribute in the signal element. The bluetooth configuration does not use any other elements. You can end the signal element with short ending tag "\/>". |Attribute|Value|Required| |---------|-----|--------| @@ -188,13 +193,61 @@ The IPv6 DNS server represented in Internet standard hexadecimal encoding. An IP 21DA:00D3:0000:2F3B:02AA:00FF:FE28:9C5A%2 ``` ##### dnsSuffix -The fully qualified domain name of your -s internal dns suffix where any part of the fully qualified domain name in this setting exists in the computer's primary dns suffix. The **signal** element may contain one or more **dnsSuffix** elements.
        +The fully qualified domain name of your organizations internal DNS suffix where any part of the fully qualified domain name in this setting exists in the computer's primary DNS suffix. The **signal** element may contain one or more **dnsSuffix** elements.
        **Example** ``` corp.contoso.com ``` +#### Wi-Fi + +**Applies to:** +- Windows 10, version 1803 + +You define Wi-Fi signals using one or more wifi elements. Each element has a string value. Wifi elements do not have attributes or nested elements. + +#### SSID +Contains the service set identifier (SSID) of a wireless network. The SSID is the name of the wireless network. The SSID element is required.
        +``` +corpnetwifi +``` + +#### BSSID +Contains the basic service set identifier (BSSID) of a wireless access point. the BSSID is the mac address of the wireless access point. The BSSID element is optional.
        +**Example** +``` +12-ab-34-ff-e5-46 +``` + +#### Security +Contains the type of security the client uses when connecting to the wireless network. The security element is required and must contain one of the following values:
        + +|Value | Description| +|:----:|:-----------| +|Open| The wireless network is an open network that does not require any authentication or encryption.| +|WEP| The wireless network is protected using Wired Equivalent Privacy.| +|WPA-Personal| The wireless network is protected using Wi-Fi Protected Access.| +|WPA-Enterprise| The wireless network is protected using Wi-Fi Protected Access-Enterprise.| +|WPA2-Personal| The wireless network is protected using Wi-Fi Protected Access 2, which typically uses a pre-shared key.| +|WPA2-Enterprise| The wireless network is protected using Wi-Fi Protected Access 2-Enterprise.| + +**Example** +``` +WPA2-Enterprise +``` +#### TrustedRootCA +Contains the thumbprint of the trusted root certificate of the wireless network. This may be any valid trusted root certificate. The value is represented as hexadecimal string where each byte in the string is separated by a single space. This element is optional.
        +**Example** +``` +a2 91 34 aa 22 3a a2 3a 4a 78 a2 aa 75 a2 34 2a 3a 11 4a aa +``` +#### Sig_quality +Contains numeric value ranging from 0 to 100 to represent the wireless network's signal strength needed to be considered a trusted signal.
        +**Example** +``` +80 +``` + ### Sample Trusted Signal Congfigurations These examples are wrapped for readability. Once properly formatted, the entire XML contents must be a single line. @@ -240,7 +293,19 @@ This example configures the same as example 2 using compounding And elements. T
        ``` - +#### Example 4 +This example configures Wi-Fi as a trusted signal (Windows 10, version 1803) +``` + + + contoso + 12-ab-34-ff-e5-46 + WPA2-Enterprise + a2 91 34 aa 22 3a a2 3a 4a 78 a2 aa 75 a2 34 2a 3a 11 4a aa + 80 + + +``` ## Deploying Multifactor Unlock 
@@ -249,7 +314,7 @@ This example configures the same as example 2 using compounding And elements. T ### How to configure Multifactor Unlock policy settings -You need a Windows 10, version 1709 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business Group Policy settings, which includes muiltifactor unlock. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1709. +You need a Windows 10, version 1709 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business Group Policy settings, which includes multi-factor unlock. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1709. Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. 
@@ -278,7 +343,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H 11. Click **Ok** to close the **Group Policy Management Editor**. Use the **Group Policy Management Console** to deploy the newly created Group Policy object to your organization's computers. ## Troubleshooting -Mulitfactor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**. +Multi-factor unlock writes events to event log under **Application and Services Logs\Microsoft\Windows\HelloForBusiness** with the category name **Device Unlock**. ### Events diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index 4aa79711f4..69c2f928e5 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md @@ -9,15 +9,14 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 10/20/2017 +ms.date: 08/20/2018 --- # Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments **Applies to** -- Windows 10 - - ->This section only applies to Hybrid and On-premises key trust deployments. +- Windows 10, version 1702 or later +- Hybrid or On-Premises deployment +- Key trust ## How many is adequate 
@@ -29,23 +28,23 @@ Determining an adequate number of Windows Server 2016 domain controllers is impo Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following. -![dc-chart1](images/dc-chart1.png) +![dc-chart1](images/plan/dc-chart1.png) The environment changes. The first change includes DC1 upgraded to Windows Server 2016 to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following. -![dc-chart2](images/dc-chart2.png) +![dc-chart2](images/plan/dc-chart2.png) The Windows Server 2016 domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of the password authentication. Why? This behavior occurs because domain controllers 2- 10 only support password and certificate trust authentication; only a Windows Server 2016 domain controller supports authentication public key trust authentication. The Windows Server 2016 domain controller understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will be bear more of the authentication load, and easily become overloaded. What if another Windows Server 2016 domain controller is added, but without deploying Windows Hello for Business to anymore clients. -![dc-chart3](images/dc-chart3.png) +![dc-chart3](images/plan/dc-chart3.png) Upgrading another Windows Server 2016 domain controller distributes the public key trust authentication across two domain controllers--each supporting 50 percent of the load. 
But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2016 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016, but the number of WHFB clients remains the same. -![dc-chart4](images/dc-chart4.png) +![dc-chart4](images/plan/dc-chart4.png) Domain controllers 1 through 5 now share the public key trust authentication load where each domain controller handles 20 percent of the public key trust load but they each still handle 10 percent of the password and certificate trust authentication. These domain controllers still have a heavier load than domain controllers 6 through 10; however, the load is adequately distributed. Now look the scenario when half of the client computers are upgraded to Windows Hello for Business using a key-trust deployment. -![dc-chart5](images/dc-chart5.png) +![dc-chart5](images/plan/dc-chart5.png) You'll notice the distribution did not change. Each Windows Server 2016 domain controller handles 20 percent of the public key trust authentication. However, increasing the volume of authentication (by increasing the number of clients) increases the amount of work that is represented by the same 20 percent. In the previous example, 20 percent of public key trust authentication equated to a volume of 20 authentications per domain controller capable of public key trust authentication. However, with upgraded clients, that same 20 percent represents a volume 100 public key trust authentications per public key trust capable domain controller. Also, the distribution of non-public key trust authentication remained at 10 percent, but the volume of password and certificate trust authentication decreased across the older domain controllers. 
diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md index 11cf729dd4..4602d7703e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md +++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md @@ -15,7 +15,6 @@ ms.date: 07/27/2017 **Applies to** - Windows 10 -- Windows 10 Mobile When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello. diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index 38f8220dc6..aa575dd8a2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -7,15 +7,15 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: DaniHalfin +author: mikestephens-MS +ms.author: mstephen ms.localizationpriority: medium -ms.author: daniha -ms.date: 07/27/2017 +ms.date: 08/19/2018 --- # Windows Hello biometrics in the enterprise -**Applies to:** +**Applies to:** - Windows 10 Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. 
@@ -82,7 +82,6 @@ To allow facial recognition, you must have devices with integrated special infra - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) - [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [PassportforWork CSP](https://go.microsoft.com/fwlink/p/?LinkId=708219)   diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index d4cda1fcb1..570b69dde7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md 
@@ -8,17 +8,18 @@ ms.sitesec: library ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen -ms.localizationpriority: medium -ms.date: 03/26/2018 +localizationpriority: high +ms.date: 08/19/2018 --- # Prepare and Deploy Windows Server 2016 Active Directory Federation Services **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust -> This guide only applies to Windows 10, version 1703 or higher. -Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-prem certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. +Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises certificate trust deployment uses Active Directory Federation Services roles for key registration, device registration, and as a certificate registration authority. The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts. 
@@ -43,7 +44,7 @@ Sign-in the federation server with _local admin_ equivalent credentials. ## Enroll for a TLS Server Authentication Certificate -Windows Hello for Business on-prem deployments require a federation server for device registration, key registration, and authentication certificate enrollment. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-prem deployment of Windows Hello for Business does not need Internet connectivity. +Windows Hello for Business on-premises deployments require a federation server for device registration, key registration, and authentication certificate enrollment. Typically, a federation service is an edge facing role. However, the federation services and instance used with the on-premises deployment of Windows Hello for Business does not need Internet connectivity. The AD FS role needs a server authentication certificate for the federation services, but you can use a certificate issued by your enterprise (internal) certificate authority. The server authentication certificate should have the following names included in the certificate if you are requesting an individual certificate for each node in the federation farm: * Subject Name: The internal FQDN of the federation server (the name of the computer running AD FS) 
@@ -57,9 +58,9 @@ It’s recommended that you mark the private key as exportable so that the same Be sure to enroll or import the certificate into the AD FS server’s computer certificate store. Also, ensure all nodes in the farm have the proper TLS server authentication certificate. -### Internal Server Authentication Certificate Enrollment +### Internal Web Server Authentication Certificate Enrollment +Sign-in the federation server with domain administrator equivalent credentials. -Sign-in the federation server with domain admin equivalent credentials. 1. Start the Local Computer **Certificate Manager** (certlm.msc). 2. Expand the **Personal** node in the navigation pane. 3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. @@ -135,7 +136,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 1. Open **Active Directory Users and Computers**. 2. Right-click the **Users** container, Click **New**. Click **User**. 3. In the **New Object – User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**. -4. Enter and confirm a password for the **adfssvc** user. Clear the **User must change password at next logon** checkbox. +4. Enter and confirm a password for the **adfssvc** user. Clear the **User must change password at next logon** check box. 5. Click **Next** and then click **Finish**. ## Configure the Active Directory Federation Service Role 
@@ -147,11 +148,11 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva Use the following procedures to configure AD FS when your environment uses **Windows Server 2012 or later Domain Controllers**. If you are not using Windows Server 2012 or later Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2008 or 2008R2 Domain Controllers)](#windows-server-2008-or-2008R2-domain-controllers) section. -Sign-in the federation server with _Domain Admin_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm. -1. Start **Server Manager**. -2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. - ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) +Sign-in the federation server with _domain administrator_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm. +1. Start **Server Manager**. +2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. +![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**. 4. Click **Next** on the **Connect to Active Directory Domain Services** page. 5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*. 
@@ -160,35 +161,34 @@ Sign-in the federation server with _Domain Admin_ equivalent credentials. These 8. On the **Specify Service Account** page, select **Create a Group Managed Service Account**. In the **Account Name** box, type **adfssvc**. 9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. 10. On the **Review Options** page, click **Next**. -11. On the **Pre-requisite Checks** page, click **Configure**. -12. When the process completes, click **Close**. +11. On the **Pre-requisite Checks** page, click **Configure**. +12. When the process completes, click **Close**. ### Windows Server 2008 or 2008 R2 Domain Controllers Use the following procedures to configure AD FS when your environment uses **Windows Server 2008 or 2008 R2 Domain Controllers**. If you are not using Windows Server 2008 or 2008 R2 Domain Controllers, follow the procedures under the [Configure the Active Directory Federation Service Role (Windows Server 2012 or later Domain Controllers)](#windows-server-2012-or-later-domain-controllers) section. -Sign-in the federation server with _Domain Admin_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. -1. Start **Server Manager**. -2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. - ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) +Sign-in the federation server with _domain administrator_ equivalent credentials. These instructions assume you are configuring the first federation server in a federation server farm. +1. Start **Server Manager**. +2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**. +![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png) 3. 
On the **Welcome** page, click **Create the first federation server farm** and click **Next**. 4. Click **Next** on the **Connect to Active Directory Domain Services** page. 5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net. 6. Select the federation service name from the **Federation Service Name** list. 7. Type the Federation Service Display Name in the text box. This is the name users see when signing in. Click **Next**. -8. On the **Specify Service Account** page, Select **Use an existing domain user account or group Managed Service Account** and click **Select**. - * In the **Select User or Service Account** dialog box, type the name of the previously created AD FS service account (example adfssvc) and click **OK**. Type the password for the AD FS service account and click **Next**. -9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. -10. On the **Review Options** page, click **Next**. -11. On the **Pre-requisite Checks** page, click **Configure**. -12. When the process completes, click **Close**. -13. Do not restart the AD FS server. You will do this later. +8. On the **Specify Service Account** page, Select **Use an existing domain user account or group Managed Service Account** and click **Select**. In the **Select User or Service Account** dialog box, type the name of the previously created AD FS service account (example adfssvc) and click **OK**. Type the password for the AD FS service account and click **Next**. +9. On the **Specify Configuration Database** page, select **Create a database on this server using Windows Internal Database** and click **Next**. +10. On the **Review Options** page, click **Next**. +11. 
On the **Pre-requisite Checks** page, click **Configure**. +12. When the process completes, click **Close**. +13. Do not restart the AD FS server. You will do this later. ### Add the AD FS Service account to the KeyCredential Admin group and the Windows Hello for Business Users group -The KeyCredential Admins global group provides the AD FS service with the permissions needed to perform key registration. The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. +The **KeyCredential Administrators** global group provides the AD FS service with the permissions needed to perform key registration. The Windows Hello for Business group provides the AD FS service with the permissions needed to enroll a Windows Hello for Business authentication certificate on behalf of the provisioning user. Sign-in a domain controller or management workstation with _Domain Admin_ equivalent credentials. 1. Open **Active Directory Users and Computers**. @@ -205,7 +205,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva ### Configure Permissions for Key Registration -Key Registration stores the Windows Hello for Business public key in Active Directory. In on-prem deployments, the Windows Server 2016 AD FS server registers the public key with the on-premises Active Directory. +Key Registration stores the Windows Hello for Business public key in Active Directory. With on-premises deployments, the Windows Server 2016 AD FS server registers the public key with the on-premises Active Directory. The key-trust model needs Windows Server 2016 domain controllers, which configures the key registration permissions automatically; however, the certificate-trust model does not and requires you to add the permissions manually. 
@@ -217,7 +217,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv 5. The **Select User, Computer, Service Account, or Group** dialog box appears. In the **Enter the object name to select** text box, type **KeyCredential Admins**. Click **OK**. 6. In the **Applies to** list box, select **Descendant User objects**. 7. Using the scroll bar, scroll to the bottom of the page and click **Clear all**. -8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCredentialLink**. +8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCrendentialLink**. 9. Click **OK** three times to complete the task. ## Configure the Device Registration Service @@ -251,7 +251,7 @@ Before you continue with the deployment, validate your deployment progress by re ## Prepare and Deploy AD FS Registration Authority -A registration authority is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certificate authority for issuance. The certificate authority issues the certificate, returns it to the registration authority, which returns the certificate to the requesting user. The Windows Hello for Business on-prem certificate-based deployment uses the Active Directory Federation Server (AD FS) as the certificate registration authority. +A registration authority is a trusted authority that validates certificate request. Once it validates the request, it presents the request to the certificate authority for issuance. The certificate authority issues the certificate, returns it to the registration authority, which returns the certificate to the requesting user. The Windows Hello for Business on-premises certificate-based deployment uses the Active Directory Federation Server (AD FS) as the certificate registration authority. ### Configure Registration Authority template 
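Review bot: The added step 8 in the `@@ -217,7 +217,7 @@` hunk misspells the attribute as `msDS-KeyCrendentialLink`; the removed line had the correct `msDS-KeyCredentialLink`, so this edit introduces a typo into a permission-delegation step. Keep the original wording: `8. In the **Properties** section, select **Read msDS-KeyCredentialLink** and **Write msDS-KeyCredentialLink**.` An administrator looking for the misspelled name in the property list will not find it, which risks the key-registration permission being left unset or applied to a different property. Step 5 of the same hunk still tells the reader to type **KeyCredential Admins**, while an earlier hunk changes the prose to **KeyCredential Administrators**; the prose should presumably match the group name the procedure uses.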
@@ -263,22 +263,23 @@ The registration authority template you configure depends on the AD FS service c >Follow the procedures below based on the domain controllers deployed in your environment. If the domain controller is not listed below, then it is not supported for Windows Hello for Business. #### Windows 2012 or later domain controllers +Sign-in a certificate authority or management workstations with _domain administrator_ equivalent credentials. -Sign-in a certificate authority or management workstations with _Domain Admin_ equivalent credentials. 1. Open the **Certificate Authority Management** console. 2. Right-click **Certificate Templates** and click **Manage**. 3. In the **Certificate Template Console**, right click on the **Exchange Enrollment Agent (Offline request)** template details pane and click **Duplicate Template**. 4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. 5. On the **General** tab, type **WHFB Enrollment Agent** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs. -6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. - **Note:** The preceding step is very important. Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. +6. On the **Subject** tab, select the **Supply in the request** button if it is not already selected. +> [!NOTE] +> The preceding step is very important. 
Group Managed Service Accounts (GMSA) do not support the Build from this Active Directory information option and will result in the AD FS server failing to enroll the enrollment agent certificate. You must configure the certificate template with Supply in the request to ensure that AD FS servers can perform the automatic enrollment and renewal of the enrollment agent certificate. 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. -8. On the **Security** tab, click **Add**. -9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**. -10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**. -11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. -12. Close the console. +8. On the **Security** tab, click **Add**. +9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**. +10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**. +11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. 
+12. Close the console. #### Windows 2008 or 2008R2 domain controllers @@ -298,7 +299,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e During Windows Hello for Business provisioning, the Windows 10, version 1703 client requests an authentication certificate from the Active Directory Federation Service, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring. -Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials. +Sign-in a certificate authority or management workstations with _domain administrator equivalent_ credentials. 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. 3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**. @@ -318,7 +319,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq #### Mark the template as the Windows Hello Sign-in template -Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equivalent credentials. +Sign-in to an **AD FS Windows Server 2016** computer with _enterprise administrator_ equivalent credentials. 1. Open an elevated command prompt. 2. Run `certutil –dsTemplate WHFBAuthentication msPKI-Private-Key-Flag +CTPRIVATEKEY_FLAG_HELLO_LOGON_KEY` @@ -338,7 +339,7 @@ Sign-in a certificate authority or management workstations with _Enterprise Admi ### Configure the Registration Authority -Sign-in the AD FS server with Domain Admin equivalent credentials. +Sign-in the AD FS server with domain administrator equivalent credentials. 1. Open a **Windows PowerShell** prompt. 2. Type the following command 
@@ -378,7 +379,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
 2. Click **Manage** and then click **Add Roles and Features**.
 3. Click **Next** On the **Before you begin** page.
 4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**.
-5. On the **Select destination server** page, chosoe **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**.
+5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**.
 6. On the **Select server roles** page, click **Next**.
 7. Select **Network Load Balancing** on the **Select features** page.
 8. Click **Install** to start the feature installation
@@ -412,7 +413,7 @@ Sign-in a node of the federation farm with _Admin_ equivalent credentials. ## Configure DNS for Device Registration -Sign-in the domain controller or administrative workstation with Domain Admin equivalent credentials. You’ll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server. +Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials. You’ll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server. 1. Open the **DNS Management** console. 2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**. 3. In the navigation pane, select the node that has the name of your internal Active Directory domain name. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md index cad539f4e1..e8ac53a3f2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-deploy-mfa.md 
@@ -9,14 +9,15 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 03/5/2018 +ms.date: 08/19/2018 --- # Configure or Deploy Multifactor Authentication Services **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust -> This guide only applies to Windows 10, version 1703 or higher. On-premises deployments must use the On-premises Azure MFA Server using the AD FS adapter model Optionally, you can use a third-party MFA server that provides an AD FS Multifactor authentication adapter. @@ -29,7 +30,7 @@ The Azure MFA Server and User Portal servers have several prerequisites and must ### Primary MFA Server -The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writeable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers. +The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers. For this documentation, the primary MFA uses the name **mf*a*** or **mfa.corp.contoso.com**. All secondary servers use the name **mfa*n*** or **mfa*n*.corp.contoso.com**, where *n* is the number of the deployed MFA server. 
@@ -54,7 +55,7 @@ A server authentication certificate should appear in the computer’s Personal c #### Install the Web Server Role -The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile App server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role. +The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile Application server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role. To install the Web Server (IIS) role, please follow [Installing IIS 7 on Windows Server 2008 or Windows Server 2008 R2](https://docs.microsoft.com/iis/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2) or [Installing IIS 8.5 on Windows Server 2012 R2](https://docs.microsoft.com/iis/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2) depending on the host Operating System you're going to use. 
@@ -89,7 +90,7 @@ Sign in the primary MFA server with _administrator_ equivalent credentials. #### Configure the Web Service’s Security -The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. Access control to the information is gated by membership to the Phonefactor Admins security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile App servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the Phonefactor Admins security group. +The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. Access control to the information is gated by membership to the **Phonefactor Admins** security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile Application servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the **Phonefactor Admins** security group. Sign in the domain controller with _domain administrator_ equivalent credentials. @@ -160,7 +161,7 @@ A server authentication certificate should appear in the computer’s Personal c #### Install the Web Server Role -To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. However, do **not** install Security > Basic Authentication. The user portal server does not requiret this. +To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. However, do **not** install Security > Basic Authentication. The user portal server does not require this. #### Update the Server 
@@ -172,7 +173,7 @@ To do this, please follow the instructions mentioned in the previous [Configure #### Create WebServices SDK user account -The User Portal and Mobile App web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server. +The User Portal and Mobile Application web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server. 1. Open **Active Directory Users and Computers**. 2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**. 
@@ -234,12 +235,12 @@ Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. 2. Click **Company Settings**. 3. On the **General** Tab, select **Fail Authentication** from the **When internet is not accessible** list. 4. In **User defaults**, select **Phone Call** or **Text Message** - **Note:** You can use mobile app; however, the configuration is beyond the scope of this document. Read [Getting started the MFA Server Mobile App Web Service](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice) to configure and use mobile app multi-factor authentication or the Install User Portal topic in the Multi-Factor Server help. + **Note:** You can use the mobile application; however, the configuration is beyond the scope of this document. Read [Getting started the MFA Server Mobile App Web Service](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice) to configure and use mobile application multi-factor authentication or the Install User Portal topic in the Multi-Factor Server help. 5. Select **Enable Global Services** if you want to allow Multi-Factor Authentications to be made to telephone numbers in rate zones that have an associated charge. 6. Clear the **User can change phone** check box to prevent users from changing their phone during the Multi-Factor Authentication call or in the User Portal. A consistent configuration is for users to change their phone numbers in Active Directory and let those changes synchronize to the multi-factor server using the Synchronization features in Directory Integration. 7. Select **Fail Authentication** from the **When user is disabled** list. Users should provision their account through the user portal. 8. Select the appropriate language from the **Phone call language**, **Text message language**, **Mobile app language**, and **OATH token language** lists. -9. 
Under default PIN rules, Select the User can change PIN checkbox to enable users to change their PIN during multi-factor authentication and through the user portal. +9. Under default PIN rules, Select the User can change PIN check box to enable users to change their PIN during multi-factor authentication and through the user portal. 10. Configure the minimum length for the PIN. 11. Select the **Prevent weak PINs** check box to reject weak PINs. A weak PIN is any PIN that could be easily guessed by a hacker: 3 sequential digits, 3 repeating digits, or any 4 digit subset of user phone number are not allowed. If you clear this box, then there are no restrictions on PIN format. For example: User tries to reset PIN to 1235 and is rejected because it's a weak PIN. User will be prompted to enter a valid PIN. 12. Select the **Expiration days** check box if you want to expire PINs. If enabled, provide a numeric value representing the number of days the PIN is valid. 
@@ -255,9 +256,9 @@ Now that you have imported or synchronized with your Azure Multi-Factor Authenti With the Azure Multi-Factor Authentication Server there are various ways to configure your users for using multi-factor authentication. For instance, if you know the users’ phone numbers or were able to import the phone numbers into the Azure Multi-Factor Authentication Server from their company’s directory, the email will let users know that they have been configured to use Azure Multi-Factor Authentication, provide some instructions on using Azure Multi-Factor Authentication and inform the user of the phone number they will receive their authentications on. -The content of the email will vary depending on the method of authentication that has been set for the user (e.g. phone call, SMS, mobile app). For example, if the user is required to use a PIN when they authenticate, the email will tell them what their initial PIN has been set to. Users are usually required to change their PIN during their first authentication. +The content of the email will vary depending on the method of authentication that has been set for the user (e.g. phone call, SMS, mobile application). For example, if the user is required to use a PIN when they authenticate, the email will tell them what their initial PIN has been set to. Users are usually required to change their PIN during their first authentication. -If users’ phone numbers have not been configured or imported into the Azure Multi-Factor Authentication Server, or users are pre-configured to use the mobile app for authentication, you can send them an email that lets them know that they have been configured to use Azure Multi-Factor Authentication and it will direct them to complete their account enrollment through the Azure Multi-Factor Authentication User Portal. A hyperlink will be included that the user clicks on to access the User Portal. 
When the user clicks on the hyperlink, their web browser will open and take them to their company’s Azure Multi-Factor Authentication User Portal. +If users’ phone numbers have not been configured or imported into the Azure Multi-Factor Authentication Server, or users are pre-configured to use the mobile application for authentication, you can send them an email that lets them know that they have been configured to use Azure Multi-Factor Authentication and it will direct them to complete their account enrollment through the Azure Multi-Factor Authentication User Portal. A hyperlink will be included that the user clicks on to access the User Portal. When the user clicks on the hyperlink, their web browser will open and take them to their company’s Azure Multi-Factor Authentication User Portal. #### Settings @@ -304,7 +305,7 @@ Sign in the primary MFA server with _MFA administrator_ equivalent credentials. 2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon. 3. Click the **Synchronization** tab. 4. Select **Use Active Directory**. -5. Select **Include trusted domains** to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the checkbox to improve performance. +5. Select **Include trusted domains** to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the check box to improve performance. #### Synchronization 
@@ -352,7 +353,7 @@ The Web Service SDK section allows the administrator to install the Multi-Factor Remember the Web Services SDK is only need on the primary Multi-Factor to easily enable other servers access to the configuration information. The prerequisites section guided you through installing and configuring the items needed for the Web Services SDK, however the installer will validate the prerequisites and make suggest any corrective action needed. -Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to intall the MFA Web Services SDK. +Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to install the MFA Web Services SDK. ## Install Secondary MFA Servers @@ -391,7 +392,7 @@ You previously configured the User Portal settings on the primary MFA server. T Sign in the primary MFA server with _local administrator_ equivalent credentials. 1. Open Windows Explorer. -2. Browse to the C:\Progam Files\MultiFactor Authentication Server folder. +2. Browse to the C:\Program Files\MultiFactor Authentication Server folder. 3. Copy the **MultiFactorAuthenticationUserPortalSetup64.msi** file to a folder on the User Portal server. ### Configure Virtual Directory name 
@@ -410,7 +411,7 @@ Sign in the User Portal server with _local administrator_ equivalent credentials 2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. 3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. 4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. -5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“http://localhost:4898/PfWsSdk.asmx”** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made. +5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“http://localhost:4898/PfWsSdk.asmx”** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. 
Save the **web.config** file after changes have been made. ### Create a DNS entry for the User Portal web site @@ -453,7 +454,7 @@ Sign in the primary MFA server with _MFA administrator_ equivalent credentials. 3. On the Settings tab, type the URL your users use to access the User Portal. The URL should begin with https, such as `https://mfaportal.corp.contoso.com/mfa`. The Multi-Factor Authentication Server uses this information when sending emails to users. 4. Select Allow users to log in and Allow user enrollment check boxes. -5. Select Allow users to select method. Select Phone call and select Text message (you can select Mobile app later once you have deployed the Mobile app web service). Select Automatically trigger user’s default method. +5. Select Allow users to select method. Select Phone call and select Text message (you can select Mobile application later once you have deployed the Mobile application web service). Select Automatically trigger user’s default method. 6. Select Allow users to select language. 7. Select Use security questions for fallback and select 4 from the Questions to answer list. 
@@ -495,7 +496,7 @@ Sign in the primary AD FS server with _local administrator_ equivalent credentia 2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**. 3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username. 4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group. -5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “http://localhost:4898/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made. +5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “http://localhost:4898/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. 
If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made. ### Edit the AD FS Adapter Windows PowerShell cmdlet diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index e15da1d342..97f8ceee36 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -6,17 +6,18 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin ms.localizationpriority: medium -ms.author: daniha -ms.date: 07/27/2017 +author: mikestephens-MS +ms.author: mstephen +ms.date: 08/20/2018 --- # Configure Windows Hello for Business Policy settings **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust -> This guide only applies to Windows 10, version 1703 or higher. You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. 
@@ -103,7 +104,7 @@ The default configuration for Windows Hello for Business is to prefer hardware p You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. -Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. +Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. ### Use biometrics 
@@ -132,7 +133,7 @@ In the Windows 10, version 1703, the PIN complexity Group Policy settings have m Before you continue with the deployment, validate your deployment progress by reviewing the following items: * Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Widows 10 Creators Editions) * Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User) -* Confirm you configure the Use Certificate enrollment for on-prem authentication policy setting. +* Confirm you configure the Use Certificate enrollment for on-premises authentication policy setting. * Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User) * Confirm you configured the proper security settings for the Group Policy object * Removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 2fa60f6b13..9c64a37ec4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md 
@@ -6,19 +6,20 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin ms.localizationpriority: medium -ms.author: daniha -ms.date: 07/27/2017 +author: mikestephens-MS +ms.author: mstephen +ms.date: 08/19/2018 --- # Validate Active Directory prerequisites **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust -> This guide only applies to Windows 10, version 1703 or higher. -The key registration process for the On-prem deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. If you already have a Windows Server 2016 domain controller in your forest, you can skip the next step. +The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 schema. If you already have a Windows Server 2016 domain controller in your forest, you can skip the next step. Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. 
@@ -28,7 +29,7 @@ To locate the schema master role holder, open and command prompt and type: ```Netdom query fsmo | findstr -i “schema”``` -![Netdom example output](images\hello-cmd-netdom.png) +![Netdom example output](images/hello-cmd-netdom.png) The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. @@ -36,7 +37,7 @@ The command should return the name of the domain controller where you need to ad Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory. -Sign-in to the domain controller hosting the schema master operational role using Enterprise Admin equivalent credentials. +Sign-in to the domain controller hosting the schema master operational role using enterprise administrator equivalent credentials. 1. Open an elevated command prompt. 2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. @@ -48,7 +49,7 @@ Sign-in to the domain controller hosting the schema master operational role usin The Windows Server 2016 Active Directory Federation Services (AD FS) role registers the public key on the user object during provisioning. You assign write and read permission to this group to the Active Directory attribute to ensure the AD FS service can add and remove keys are part of its normal workflow. -Sign-in a domain controller or management workstation with Domain Admin equivalent credentials. +Sign-in a domain controller or management workstation with domain administrator equivalent credentials. 1. Open **Active Directory Users and Computers**. 2. Click **View** and click **Advance Features**. 
@@ -61,7 +62,7 @@ Sign-in a domain controller or management workstation with Domain Admin equivale The Windows Hello for Business Users group is used to make it easy to deploy Windows Hello for Business in phases. You assign Group Policy and Certificate template permissions to this group to simplify the deployment by simply adding the users to the group. This provides them the proper permissions to provision Windows Hello for Business and to enroll in the Windows Hello for Business authentication certificate. -Sign-in a domain controller or management workstation with Domain Admin equivalent credentials. +Sign-in a domain controller or management workstation with domain administrator equivalent credentials. 1. Open **Active Directory Users and Computers**. 2. Click **View** and click **Advanced Features**. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md index 00290c9fef..63ea357adc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md 
@@ -6,23 +6,24 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin +author: mikestephens-MS +ms.author: mstephen ms.localizationpriority: medium -ms.author: daniha -ms.date: 07/27/2017 +ms.date: 08/19/2018 --- # Validate and Deploy Multifactor Authentication Services (MFA) **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust -> This guide only applies to Windows 10, version 1703 or higher. Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. Windows Hello for Business deployments use Azure Multi-Factor Authentication (Azure MFA) services for the secondary authentication. On-Premises deployments use Azure MFA server, an on-premises implementation that do not require synchronizing Active Directory credentials to Azure Active Directory. Azure Multi-Factor Authentication is an easy to use, scalable, and reliable solution that provides a second method of authentication so your users are always protected. * **Easy to Use** - Azure Multi-Factor Authentication is simple to set up and use. The extra protection that comes with Azure Multi-Factor Authentication allows users to manage their own devices. Best of all, in many instances it can be set up with just a few simple clicks. -* **Scalable** - Azure Multi-Factor Authentication uses the power of the cloud and integrates with your on-premises AD and custom apps. This protection is even extended to your high-volume, mission-critical scenarios. +* **Scalable** - Azure Multi-Factor Authentication uses the power of the cloud and integrates with your on-premises AD and custom applications. This protection is even extended to your high-volume, mission-critical scenarios. * **Always Protected** - Azure Multi-Factor Authentication provides strong authentication using the highest industry standards. 
* **Reliable** - We guarantee 99.9% availability of Azure Multi-Factor Authentication. The service is considered unavailable when it is unable to receive or process verification requests for the two-step verification. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index 802e517e38..294064bd90 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md @@ -6,17 +6,18 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin -ms.localizationpriority: medium -ms.author: daniha -ms.date: 09/01/2017 +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 08/19/2018 --- # Validate and Configure Public Key Infrastructure **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust -> This guide only applies to Windows 10, version 1703 or higher. Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. 
@@ -60,7 +61,7 @@ Sign-in to a certificate authority or management workstations with _Domain Admin 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. 3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. 5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs. **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab. 6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. 
@@ -120,16 +121,16 @@ Sign-in to the certificate authority or management workstation with _Enterprise The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. -Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. -1. Open the **Certificate Authority** management console. -2. Expand the parent node from the navigation pane. -3. Click **Certificate Templates** in the navigation pane. -4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. -5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. -6. If you published the Domain Controller Authentication (Kerberos) certificate template, then you should unpublish the certificate templates you included in the superseded templates list. - * To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. +Sign-in to the certificate authority or management workstations with an _enterprise administrator_ equivalent credentials. -7. Close the console. +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. Click **Certificate Templates** in the navigation pane. +4. Right-click the **Certificate Templates** node. 
Click **New**, and click **Certificate Template** to issue. +5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. +6. If you published the Domain Controller Authentication (Kerberos) certificate template, then you should unpublish the certificate templates you included in the superseded templates list. + * To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. +7. Close the console. ### Configure Domain Controllers for Automatic Certificate Enrollment 
@@ -163,7 +164,7 @@ You want to confirm your domain controllers enroll the correct certificates and #### Use the Event Logs -Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the CertificateServices-Lifecycles-System event log under Application and Services/Microsoft/Windows. +Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the **CertificateServices-Lifecycles-System** event log under **Application and Services/Microsoft/Windows**. Look for an event indicating a new certificate enrollment (autoenrollment). The details of the event include the certificate template on which the certificate was issued. The name of the certificate template used to issue the certificate should match the certificate template name included in the event. The certificate thumbprint and EKUs for the certificate are also included in the event. The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template. diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md index cdda9c2ea9..0945e7436d 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md 
@@ -6,17 +6,18 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -author: DaniHalfin ms.localizationpriority: medium -ms.author: daniha -ms.date: 07/27/2017 +author: mikestephens-MS +ms.author: mstephen +ms.date: 08/19/2018 --- # On Premises Certificate Trust Deployment **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Certificate trust -> This guide only applies to Windows 10, version 1703 or higher. Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment. diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 81601d68e7..d2b2d4db85 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -9,15 +9,13 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 11/08/2017 +ms.date: 08/29/2018 --- # Windows Hello for Business Deployment Guide **Applies to** -- Windows 10 -- Windows 10 Mobile +- Windows 10, version 1703 or later -> This guide only applies to Windows 10, version 1703 or higher. Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair. 
@@ -50,10 +48,11 @@ The trust model determines how you want users to authenticate to the on-premises * The certificate trust model also supports enterprises which are not ready to deploy Windows Server 2016 Domain Controllers. Following are the various deployment guides included in this topic: -* [Hybrid Key Trust Deployment](hello-hybrid-key-trust.md) -* [Hybrid Certificate Trust Deployment](hello-hybrid-cert-trust.md) -* [On Premises Key Trust Deployment](hello-deployment-key-trust.md) -* [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md) +- [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md) +- [Hybrid Azure AD Joined Certificate Trust Deployment](hello-hybrid-cert-trust.md) +- [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md) +- [On Premises Key Trust Deployment](hello-deployment-key-trust.md) +- [On Premises Certificate Trust Deployment](hello-deployment-cert-trust.md) ## Provisioning diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md index 6a760736b9..1c7fd1f995 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md 
@@ -9,18 +9,19 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 10/23/2017 +ms.date: 08/20/2018 --- # On Premises Key Trust Deployment **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Key trust -> This guide only applies to Windows 10, version 1703 or higher. Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in an existing environment. -Below, you can find all the infromation you need to deploy Windows Hello for Business in a key trust model in your on-premises environment: +Below, you can find all the information you need to deploy Windows Hello for Business in a key trust model in your on-premises environment: 1. [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) 2. [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) 3. [Prepare and Deploy Windows Server 2016 Active Directory Federation Services](hello-key-trust-adfs.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index f98a329631..f5b102d219 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md 
@@ -10,14 +10,13 @@ ms.pagetype: security author: DaniHalfin ms.localizationpriority: medium ms.author: daniha -ms.date: 07/27/2017 +ms.date: 05/05/2018 --- # Windows Hello errors during PIN creation **Applies to** - Windows 10 -- Windows 10 Mobile When you set up Windows Hello in Windows 10, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support. diff --git a/windows/security/identity-protection/hello-for-business/hello-event-300.md b/windows/security/identity-protection/hello-for-business/hello-event-300.md index b25f03be7c..2aac336bfc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-event-300.md +++ b/windows/security/identity-protection/hello-for-business/hello-event-300.md @@ -17,7 +17,7 @@ ms.date: 07/27/2017 **Applies to** - Windows 10 -- Windows 10 Mobile + This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md new file mode 100644 index 0000000000..2a7d32efaf --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md 
@@ -0,0 +1,157 @@
+---
+title: Windows Hello for Business Frequently Asked Questions
+description: Windows Hello for Business FAQ
+keywords: identity, PIN, biometric, Hello, passport
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 08/19/2018
+---
+# Windows Hello for Business Frequently Ask Questions
+
+**Applies to**
+- Windows 10
+
+## What about virtual smart cards?
+Windows Hello for Business is the modern, two-factor credential for Windows 10. Microsoft will be deprecating virtual smart cards in the future but not date at this time. Customers using Windows 10 and virtual smart cards should move to Windows Hello for Business. Microsoft will publish the date early to ensure customers have adequate lead time to move to Windows Hello for Business. Microsoft recommends new Windows 10 deployments to use Windows Hello for Business. Virtual smart card remain supported for Windows 7 and Windows 8.
+
+## What about convenience PIN?
+Microsoft is committed to its vision of a world without passwords. We recognize the *convenience* provided by convenience PIN, but it stills uses a password for authentication. Microsoft recommends customers using Windows 10 and convenience PINs should move to Windows Hello for Business. New Windows 10 deployments should deploy Windows Hello for Business and not convenience PINs. Microsoft will be deprecating convenience PINs in the future and will publish the date early to ensure customers have adequate lead time to deploy Windows Hello for Business.
+
+## Can I deploy Windows Hello for Business using System Center Configuration Manager?
+Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager will no long be supported after November 2018.
+
+## How many users can enroll for Windows Hello for Business on a single Windows 10 computer?
+The maximum number of supported enrollments on a single Windows 10 computer is 10. That enables 10 users to each enroll their face and up to 10 fingerprints. While we support 10 enrollments, we will strongly encourage the use of Windows Hello security keys for the shared computer scenario when they become available.
+
+## How can PIN be more secure than a Password?
+When using Windows Hello for Business, the PIN is not a symmetric key where is the password is a symmetric key. With passwords, there is a server that has some representation of the password. With Windows Hello for Business, the PIN is user provided entropy used to load the private key in the TPM. The server does not have a copy of the PIN. For that matter, the Windows client does not have a copy of the current PIN either. The user must provide the entropy, the TPM protected key, and the TPM that generated that key to successfully have access to the private key.
+
+The statement "PIN is stronger than Password" is not directed at the strength of the entropy used by the PIN. It is about the difference of providing entropy vs continuing the use of a symmetric key (the password). The TPM has anti-hammering features which thwart brute-force PIN attacks (an attackers continuous attempt to try all combination of PINs). Some organizations may worry about shoulder surfing. For those organizations, rather than increased the complexity of the PIN, implement the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
+
+## Why is the Key Admins group missing, I have Windows Server 2016 domain controller(s)?
+The **Key Admins** and **Enterprise Key Admins** groups are created when you install the first Windows Server 2016 domain controller into a domain. Domain controllers running previous versions of Windows Server cannot translate the security identifier (SID) to a name.
To resolve this, transfer the PDC emulator domain role to a domain controller running Windows Server 2016.
+
+## Can I use convenience PIN with Azure AD?
+No. If you want to use PIN or biometrics with Azure Active Directory identities on Azure AD registered, Azure AD joined, or hybrid Azure AD joined devices, then you must deploy Windows Hello for Business.
+
+## Can I use an external camera when my laptop is closed or docked?
+No. Windows 10 currently only supports one Windows Hello for Business camera and does not fluidly switch to an external camera when the computer is docked with the lid closed. The product group is aware of this and is investigating this topic further.
+
+## What is the password-less strategy?
+Watch Principal Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less**
+
+[Microsoft's password-less strategy](hello-videos.md#microsofts-passwordless-strategy)
+
+## What is the user experience for Windows Hello for Business?
+The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment.
+
+[Windows Hello for Business user enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience)
+
+## What happens when my user forgets their PIN?
+If the user can sign-in with a password, they can reset their PIN by clicking the "I forgot my PIN" link in settings. Beginning with the Fall Creators Update, users can reset their PIN above the lock screen by clicking the "I forgot my PIN" link on the PIN credential provider.
+
+[Windows Hello for Business forgotten PIN user experience](hello-videos.md#windows-hello-for-business-forgotten-pin-user-experience)
+
+For on-premises deployments, devices must be well connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs.
Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network.
+
+## What URLs do I need to allow for a hybrid deployment?
+Communicating with Azure Active Directory uses the following URLs:
+- enterpriseregistration.windows.net
+- login.microsoftonline.com
+- login.windows.net
+
+If your environment uses Microsoft Intune, you need these additional URLs:
+- enrollment.manage-beta.microsoft.com
+- enrollment.manage.microsoft.com
+- portal.manage-beta.microsoft.com
+- portal.manage.microsoft.com
+
+## What is the difference between non-destructive and destructive PIN Reset?
+Windows Hello for Business has two types of PIN reset: non-destructive and destructive. Organizations running Windows 10 Enterprise and Azure Active Directory can take advantage of the Microsoft PIN Reset service. Once on-boarded to a tenant and deployed to computers, users who have forgotten their PINs can authenticate to Azure, provided a second factor of authentication, and reset their PIN without re-provisioning a new Windows Hello for Business enrollment. This is a non-destructive PIN reset because the user does not delete the current credential and obtain a new one. Read [PIN Reset](hello-features.md#pin-reset) from our [Windows Hello for Business Features](hello-features.md) page for more information.
+
+Organizations that have the on-premises deployment of Windows Hello for Business, or those not using Windows 10 Enterprise can use destructive PIN reset. with destructive PIN reset, users that have forgotten their PIN can authenticate using their password, perform a second factor of authentication to re-provision their Windows Hello for Business credential. Re-provisioning deletes the old credential and requests a new credential and certificate.
On-premises deployments need network connectivity to their domain controllers, Active Directory Federation Services, and their issuing certificate authority to perform a destructive PIN reset. Also, for hybrid deployments, destructive PIN reset is only supported with the certificate trust model and the latest updates to Active Directory Federation Services.
+
+## Which is better or more secure: Key trust or Certificate trust?
+The trust models of your deployment determine how you authenticate to Active Directory (on-premises). Both key trust and certificate trust use the same hardware backed, two-factor credential. The difference between the two trust types are:
+- Required domain controllers
+- Issuing end entity certificates
+
+The **key trust** model authenticates to Active Directory using a raw key. Windows Server 2016 domain controllers enables this authentication. Key trust authenticate does not require an enterprise issued certificate, therefore you do not need to issue certificates to your end users (domain controller certificates are still needed).
+The **certificate trust** model authenticates to Active Directory using a certificate. Because this authentication uses a certificate, domain controllers running previous versions of Windows Server can authenticate the user. Therefore, you need to issue certificates to your end users, but you do not need Windows Server 2016 domain controllers. The certificate used in certificate trust uses the TPM protected private key to request a certificate from your enterprise's issuing certificate authority.
+
+## Do I need Windows Server 2016 domain controllers?
+There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you have deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers.
Choose the deployment option that best suits your environment
+
+## What attributes are synchronized by Azure AD Connect with Windows Hello for Business?
+Review [Azure AD Connect sync: Attributes synchronized to Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized) for a list of attributes that are sync based on scenarios. The base scenarios that include Windows Hello for Business are [Windows 10](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#windows-10) scenario and the [Device writeback](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-attributes-synchronized#device-writeback) scenario. Your environment may include additional attributes.
+
+## Is Windows Hello for Business multifactor authentication?
+Windows Hello for Business is two-factor authentication based the observed authentication factors of: something you have, something you know, and something part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. Using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor".
+
+## What are the biometric requirements for Windows Hello for Business?
+Read [Windows Hello biometric requirements](https://docs.microsoft.com/en-us/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) for more information.
+
+## Can I use PIN and biometrics to unlock my device?
+Starting in Windows 10, version 1709, you can use multi-factor unlock to require the user to provide an additional factor to unlock the device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. Read more about [multifactor unlock](feature-multifactor-unlock.md).
+
+## What is the difference between Windows Hello and Windows Hello for Business?
+Windows Hello represents the biometric framework provided in Windows 10. Windows Hello enables users to use biometrics to sign into their devices by securely storing their user name and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate.
+
+## Why can I not enroll biometrics for my local built-in Administrator?
+Windows 10 does not allow the local administrator to enroll biometric gestures(face or fingerprint).
+
+## I have extended Active Directory to Azure Active Directory. Can I use the on-premises deployment model?
+No. If your organization is federated or using on-line services, such as Azure AD Connect, Office 365, or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organization who need more time before moving to the cloud and exclusively use Active Directory.
+
+## Does Windows Hello for Business prevent the use of simple PINs?
+Yes. Our simple PIN algorithm looks for and disallows any PIN that has a constant delta from one digit to the next. This prevents repeating numbers, sequential numbers and simple patterns.
+So, for example:
+* 1111 has a constant delta of 0, so it is not allowed
+* 1234 has a constant delta of 1, so it is not allowed
+* 1357 has a constant delta of 2, so it is not allowed
+* 9630 has a constant delta of -3, so it is not allowed
+* 1231 does not have a constant delta, so it is okay
+* 1593 does not have a constant delta, so it is okay
+
+This algorithm does not apply to alphanumeric PINs.
+
+## How does PIN caching work with Windows Hello for Business?
+
+Windows Hello for Business provides a PIN caching user experience using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting as long as the user is interactively signed-in. Microsoft Account sign-in keys are considered transactional keys, which means the user is always prompted when accessing the key.
+
+Beginning with Windows 10, version 1709, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations will not prompt the user for the PIN.
+
+The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process does not receive the PIN, but rather the ticket that grants them private key operations. Windows 10 does not provide any Group Policy settings to adjust this caching.
+
+## Can I disable the PIN while using Windows Hello for Business?
+No. The movement away from passwords is accomplished by gradually reducing the use of the password. In the occurrence where you cannot authenticate with biometrics, you need a fall back mechanism that is not a password. The PIN is the fall back mechanism.
Disabling or hiding the PIN credential provider disabled the use of biometrics.
+
+## How keys are protected?
+Wherever possible, Windows Hello for Business takes advantage of trusted platform module (TPM) 2.0 hardware to generate and protect keys. However, Windows Hello and Windows Hello for Business does not require a TPM. Administrators can choose to allow key operations in software
+
+Whenever possible, Microsoft strongly recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to re-authenticate to the IDP before the IDP allows him or her to re-register).
+
+## Can Windows Hello for Business work in air gapped environments?
+Yes. You can use the on-premises Windows Hello for Business deployment and combine it with a third-party MFA provider that does not require Internet connectivity to achieve an air-gapped Windows Hello for Business deployment.
+
+## Can I use third-party authentication providers with Windows Hello for Business?
+Yes, if you are federated hybrid deployment, you can use any third-party that provides an Active Directory Federation Services (AD FS) multi-factor authentication adapter. A list of third-party MFA adapters can be found [here](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods).
+
+## Does Windows Hello for Business work with third party federation servers?
+Windows Hello for Business can work with any third-party federation servers that support the protocols used during provisioning experience.
Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration)
+
+| Protocol | Description |
+| :---: | :--- |
+| [[MS-KPP]: Key Provisioning Protocol](https://msdn.microsoft.com/en-us/library/mt739755.aspx) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. |
+| [[MS-OAPX]: OAuth 2.0 Protocol Extensions](https://msdn.microsoft.com/en-us/library/dn392779.aspx)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and login hints. |
+| [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](https://msdn.microsoft.com/en-us/library/mt590278.aspx) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (The OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. |
+| [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](https://msdn.microsoft.com/en-us/library/mt766592.aspx) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the end user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider meta-data that enable the discovery of the issuer of access tokens and give additional information about provider capabilities. |
+
+## Does Windows Hello for Business work with Mac and Linux clients?
+Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords.
Interested third parties can get more information by emailing [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration) + diff --git a/windows/security/identity-protection/hello-for-business/hello-features.md b/windows/security/identity-protection/hello-for-business/hello-features.md index 5f06ce94b9..5efa0cb2b4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-features.md +++ b/windows/security/identity-protection/hello-for-business/hello-features.md @@ -9,18 +9,21 @@ ms.sitesec: library ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen -ms.localizationpriority: medium -ms.date: 3/5/2018 +localizationpriority: high +ms.date: 05/05/2018 --- # Windows Hello for Business Features +**Applies to:** +- Windows 10 + Consider these additional features you can use after your organization deploys Windows Hello for Business. -* [Conditional access](#conditional-access) -* [Dynamic lock](#dynamic-lock) -* [PIN reset](#pin-reset) -* [Privileged credentials](#privileged-credentials) - +- [Conditional access](#conditional-access) +- [Dynamic lock](#dynamic-lock) +- [PIN reset](#pin-reset) +- [Dual Enrollment](#dual-enrollment) +- [Remote Desktop with Biometrics](#remote-desktop-with-biometrics) ## Conditional access 
@@ -29,21 +32,20 @@ Consider these additional features you can use after your organization deploys W * Hybrid Windows Hello for Business deployment -In a mobile-first, cloud-first world, Azure Active Directory enables single sign-on to devices, apps, and services from anywhere. With the proliferation of devices (including BYOD), work off corporate networks, and 3rd party SaaS apps, IT professionals are faced with two opposing goals:+ +In a mobile-first, cloud-first world, Azure Active Directory enables single sign-on to devices, applications, and services from anywhere. With the proliferation of devices (including BYOD), work off corporate networks, and 3rd party SaaS applications, IT professionals are faced with two opposing goals:+ * Empower the end users to be productive wherever and whenever * Protect the corporate assets at any time -To improve productivity, Azure Active Directory provides your users with a broad range of options to access your corporate assets. With application access management, Azure Active Directory enables you to ensure that only the right people can access your applications. What if you want to have more control over how the right people are accessing your resources under certain conditions? What if you even have conditions under which you want to block access to certain apps even for the right people? For example, it might be OK for you if the right people are accessing certain apps from a trusted network; however, you might not want them to access these apps from a network you don't trust. You can address these questions using conditional access. +To improve productivity, Azure Active Directory provides your users with a broad range of options to access your corporate assets. With application access management, Azure Active Directory enables you to ensure that only the right people can access your applications. What if you want to have more control over how the right people are accessing your resources under certain conditions? 
What if you even have conditions under which you want to block access to certain applications even for the right people? For example, it might be OK for you if the right people are accessing certain applications from a trusted network; however, you might not want them to access these applications from a network you don't trust. You can address these questions using conditional access. Read [Conditional access in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal) to learn more about Conditional Access. Afterwards, read [Getting started with conditional access in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-azure-portal-get-started) to start deploying Conditional access. - ## Dynamic lock **Requirements:** * Windows 10, version 1703 -Dynamic lock enables you to configure Windows 10 devices to automatically lock when bluetooth paired device signal falls below the maximum Recieved Signal Stregnth Indicator (RSSI) value. You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Busines**. The name of the policy is **Configure dynamic lock factors**. +Dynamic lock enables you to configure Windows 10 devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**. The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value: 
@@ -78,54 +80,78 @@ RSSI measurements are relative and lower as the bluetooth signals between the tw ## PIN reset +**Applies to:** +- Windows 10, version 1709 or later + + ### Hybrid Deployments **Requirements:** -* Azure Active Directory -* Hybrid Windows Hello for Business deployment -* Modern Management - Microsoft Intune, or compatible mobile device management (MDM) -* Remote reset - Windows 10, version 1703 -* Reset above Lock - Windows 10, version 1709 +- Azure Active Directory +- Hybrid Windows Hello for Business deployment +- Azure AD registered, Azure AD joined, and Hybrid Azure AD joined +- Windows 10, version 1709 or later, **Enterprise Edition** -The Microsoft PIN reset services enables you to help users who have forgotten their PIN. Using Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables you to remotely push a PIN reset or enables users to reset their forgotten PIN above the lock screen without requiring reenrollment. +The Microsoft PIN reset services enables you to help users who have forgotten their PIN. Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment. + +>[!IMPORTANT] +> The Microsoft PIN Reset service only works with Windows 10, version 1709 or later **Enterprise Edition**. The feature does not work with the **Pro** edition.] #### Onboarding the Microsoft PIN reset service to your Intune tenant -Before you can remotely reset PINs, you must onboard the Microsoft PIN reset service to your Intune or MDM tenant, and configure devices you manage. Follow these instructions to get that set up: +Before you can remotely reset PINs, you must on-board the Microsoft PIN reset service to your Azure Active Directory tenant, and configure devices you manage. 
-#### Connect Intune with the PIN reset service +#### Connect Azure Active Directory with the PIN reset service -1. Visit [Microsoft PIN Reset Service Integration website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Intune tenant. +1. Visit [Microsoft PIN Reset Service Integration website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the tenant administrator account you use to manage your Azure Active Directory tenant. 2. After you log in, click **Accept** to give consent for the PIN reset service to access your account.
        +![PIN reset service application in Azure](images/pinreset/pin-reset-service-home-screen.png)
        +3. In the Azure portal, you can verify that the Microsoft PIN reset service is integrated from the **Enterprise applications**, **All applications** blade.
        ![PIN reset service permissions page](images/pinreset/pin-reset-service-application.png) -3. In the Azure portal, you can verify that Intune and the PIN reset service were integrated from the Enterprise applications - All applications blade as shown in the following screenshot:
        -![PIN reset service application in Azure](images/pinreset/pin-reset-service-home-screen.png) -4. Log in to [this website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent) using your Intune tenant admin credentials and, again, choose **Accept** to give consent for the service to access your account. -#### Configure Windows devices to use PIN reset +#### Configure Windows devices to use PIN reset using Group Policy +You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object. +1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory. +2. Edit the Group Policy object from step 1. +3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**. +4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC. + +#### Configure Windows devices to use PIN reset using Microsoft Intune To configure PIN reset on Windows devices you manage, use an [Intune Windows 10 custom device policy](https://docs.microsoft.com/en-us/intune/custom-settings-windows-10) to enable the feature. Configure the policy using the following Windows policy configuration service provider (CSP): -- **For devices** - **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** +##### Create a PIN Reset Device configuration profile using Microsoft Intune -*tenant ID* refers to your Azure Active Directory, Directory ID which you can obtain from the **Properties** page of Azure Active Directory. - -Set the value for this CSP to **True**. 
- -Read the [Steps to reset the passcode](https://docs.microsoft.com/en-us/intune/device-windows-pin-reset#steps-to-reset-the-passcode) section to remotely reset a PIN on an Intune managed device. +1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account. +2. You need your tenant ID to complete the following task. You can discovery your tenant ID viewing the **Properties** of your Azure Active Directory from the Azure Portal. You can also use the following command in a command Window on any Azure AD joined or hybrid Azure AD joined computer.
        +``` +dsregcmd /status | findstr -snip "tenantid" +``` +3. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. Click **Create profile**. +4. Type **Use PIN Recovery** in the **Name** field. Select **Windows 10 and later** from the **Platform** list. Select **Custom** from the **Profile type** list. +5. In the **Custom OMA-URI Settings** blade, Click **Add**. +6. In the **Add Row** blade, type **PIN Reset Settings** in the **Name** field. In the **OMA-URI** field, type **./Device/Vendor/MSFT/PassportForWork/*tenant ID*/Policies/EnablePinRecovery** where *tenant ID* is your Azure Active Directory tenant ID from step 2. +7. Select **Boolean** from the **Data type** list and select **True** from the **Value** list. +8. Click **OK** to save the row configuration. Click **OK** to close the **Custom OMA-URI Settings blade. Click **Create** to save the profile. + +##### Assign the PIN Reset Device configuration profile using Microsoft Intune +1. Sign-in to [Azure Portal](https://portal.azure.com) using a tenant administrator account. +2. Navigate to the Microsoft Intune blade. Click **Device configuration**. Click **Profiles**. From the list of device configuration profiles, click the profile that contains the PIN reset configuration. +3. In the device configuration profile, click **Assignments**. +4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups. ### On-premises Deployments ** Requirements** * Active Directory * On-premises Windows Hello for Business deployment -* Reset from settings - Windows 10, version 1703 -* Reset above Lock - Windows 10, version 1709 +* Reset from settings - Windows 10, version 1703, Professional +* Reset above Lock - Windows 10, version 1709, Professional -On-premises deployments provide users with the ability to reset forgotton PINs either through the settings page or from above the user's lock screen. 
Users must know or be provided their password for authentication, must perform a second factor of authentication, and then reprovision Windows Hello for Business. +On-premises deployments provide users with the ability to reset forgotten PINs either through the settings page or from above the user's lock screen. Users must know or be provided their password for authentication, must perform a second factor of authentication, and then re-provision Windows Hello for Business. >[!IMPORTANT] ->Users must have corporate network connectivity to domain controllers and the AD FS server to reset their PINs. +>Users must have corporate network connectivity to domain controllers and the federation service to reset their PINs. #### Reset PIN from Settings 1. Sign-in to Windows 10, version 1703 or later using an alternate credential. 
@@ -136,20 +162,108 @@ On-premises deployments provide users with the ability to reset forgotton PINs e 1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in 2. Enter your password and press enter. 3. Follow the instructions provided by the provisioning process - 4. When finished, unlock your desktop using your newly creeated PIN. + 4. When finished, unlock your desktop using your newly created PIN. >[!NOTE] -> Visit the [Frequently Asked Questions](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-identity-verification#frequently-asked-questions) section of the Windows Hello for Business page and watch the **What happens when the user forgets their PIN?** video. +> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video. -## Privileged Credentials +## Dual Enrollment **Requirements** * Hybrid and On-premises Windows Hello for Business deployments -* Domain Joined or Hybrid Azure joined devices +* Enterprise Joined or Hybrid Azure joined devices * Windows 10, version 1709 -The privileged credentials scenario enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device. +> [!NOTE] +> This feature was previously known as **Privileged Credential** but was renamed to **Dual Enrollment** to prevent any confusion with the **Privileged Access Workstation** feature. -By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. 
Using the computer Group Policy setting, Allow enumeration of emulated smart card for all users, you can configure a device to all this enumeration on selected devices. +> [!IMPORTANT] +> Dual enrollment does not replace or provide the same security as Privileged Access Workstations feature. Microsoft encourages enterprises to use the Privileged Access Workstations for their privileged credential users. Enterprises can consider Windows Hello for Business dual enrollment in situations where the Privileged Access feature cannot be used. Read [Privileged Access Workstations](https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/privileged-access-workstations) for more information. -With this setting, administrative users can sign-in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal workflow such as email, but can launch Microsoft Managment Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign-in and out, or use fast user switching when alternativing between privileged and non-privileged workloads. +Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device. + +By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices. 
+
+With this setting, administrative users can sign-in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign-in and out, or use fast user switching when alternating between privileged and non-privileged workloads.
+
+> [!IMPORTANT]
+> You must configure a Windows 10 computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation.
+
+### Configure Windows Hello for Business Dual Enroll
+In this task you will
+- Configure Active Directory to support Domain Administrator enrollment
+- Configure Dual Enrollment using Group Policy
+
+#### Configure Active Directory to support Domain Administrator enrollment
+The designed Windows for Business configuration has you give the **Key Admins** (or **KeyCredential Admins** when using domain controllers prior to Windows Server 2016) group read and write permissions to the msDS-KeyCredentialsLink attribute. You provided these permissions at root of the domain and use object inheritance to ensure the permissions apply to all users in the domain regardless of their location within the domain hierarchy.
+ +Active Directory Domain Services uses AdminSDHolder to secure privileged users and groups from unintentional modification by comparing and replacing the security on privileged users and groups to match those defined on the AdminSDHolder object on an hourly cycle. For Windows Hello for Business, your domain administrator account may receive the permissions but will they will disappear from the user object unless you give the AdminSDHolder read and write permissions to the msDS-KeyCredential attribute. + +Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_. + +1. Type the following command to add the **allow** read and write property permissions for msDS-KeyCredentialLink attribute for the **Key Admins** (or **KeyCredential Admins**) group on the AdminSDHolder object.
        +```dsacls "CN=AdminSDHolder,CN=System,**DC=domain,DC=com**" /g "**[domainName\keyAdminGroup]**":RPWP,msDS-KeyCredentialLink```
        +where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and **domainName\keyAdminGroup]** is the NetBIOS name of your domain and the name of the group you use to give access to keys based on your deployment. For example:
        +```dsacls "CN=AdminSDHolder,CN=System,DC=corp,DC=mstepdemo,DC=net /g "mstepdemo\Key Admins":RPWP,msDS-KeyCredentialLink``` +2. To trigger security descriptor propagation, open **ldp.exe**. +3. Click **Connection** and select **Connect...** Next to **Server**, type the name of the domain controller that holds the PDC role for the domain. Next to **Port**, type **389** and click **OK**. +4. Click **Connection** and select **Bind...** Click **OK** to bind as the currently signed-in user. +5. Click **Browser** and select **Modify**. Leave the **DN** text box blank. Next to **Attribute**, type **RunProtectAdminGroupsTask**. Next to **Values**, type **1**. Click **Enter** to add this to the **Entry List**. +6. Click **Run** to start the task. +7. Close LDP. + +#### Configuring Dual Enrollment using Group Policy +You configure Windows 10 to support dual enrollment using the computer configuration portion of a Group Policy object. + +1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users. +2. Edit the Group Policy object from step 1. +3. Enable the **Allow enumeration of emulated smart cards for all users** policy setting located under **Computer Configuration->Administrative Templates->Windows Components->Windows Hello for Business**. +4. Close the Group Policy Management Editor to save the Group Policy object. Close the GPMC. +5. Restart computers targeted by this Group Policy object. + +The computer is ready for dual enrollment. Sign-in as the privileged user first and enroll for Windows Hello for Business. Once completed, sign-out and sign-in as the non-privileged user and enroll for Windows Hello for Business. You can now use your privileged credential to perform privileged tasks without using your password and without needing to switch users. 
+
+## Remote Desktop with Biometrics
+
+> [!Warning]
+> Some information relates to pre-released product that may change before it is commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+**Requirements**
+- Hybrid and On-premises Windows Hello for Business deployments
+- Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices
+- Certificate trust deployments
+- Biometric enrollments
+- Windows 10, version 1809
+
+Users using earlier versions of Windows 10 could remote desktop to using Windows Hello for Business but were limited to the using their PIN as their authentication gesture. Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture. The feature is on by default, so your users can take advantage of it as soon as they upgrade to Windows 10, version 1809.
+
+> [!IMPORTANT]
+> The remote desktop with biometrics feature only works with certificate trust deployments. The feature takes advantage of the redirected smart card capabilities of the remote desktop protocol. Microsoft continues to investigate supporting this feature for key trust deployments.
+
+### How does it work
+It start with creating cryptographic keys. Windows generates and stores cryptographic keys using a software component called a key storage provider (KSP). Software-based keys are created and stored using the Microsoft Software Key Storage Provider. Smart card keys are created and stored using the Microsoft Smart Card Key Storage Provider. Keys created and protected by Windows Hello for Business are created and stored using the Microsoft Passport Key Storage Provider.
+
+A certificate on a smart card starts with creating an asymmetric key pair using the Microsoft Smart Card KSP.
Windows requests a certificate based on the key pair from your enterprises issuing certificate authority, which returns a certificate that is stored in the user's Personal certificate store. The private key remains on the smart card and the public key is stored with the certificate. Metadata on the certificate (and the key) store the key storage provider used to create the key (remember the certificate contains the public key).
+
+This same concept applies to Windows Hello for Business. Except, the keys are created using the Microsoft Passport KSP and the user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric). The certificate APIs hide this complexity. When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider. The key storage providers directs the certificate APIs on which provider they use to find the private key associated with the certificate. This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card).
+
+Windows Hello for Business emulates a smart card for application compatibility. Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN. Windows 10, version 1809 no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enabled Windows 10 to prompt the user for their biometric gesture or PIN.
+
+### Compatibility
+Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates.
You can relax knowing a Group Policy setting and a [MDM URI](https://docs.microsoft.com/en-us/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it.
+
+![WHFB Certificate GP Setting](images/rdpbio/rdpbiopolicysetting.png)
+
+> [!IMPORTANT]
+> The remote desktop with biometric feature does not work with [Dual Enrollment](#dual-enrollment) feature or scenarios where the user provides alternative credentials. Microsoft continues to investigate supporting the feature.\
+
+## Related topics
+
+- [Windows Hello for Business](hello-identity-verification.md)
+- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
+- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
+- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
+- [Windows Hello and password changes](hello-and-password-changes.md)
+- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
+- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
new file mode 100644
index 0000000000..7ae1ab1d14
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@@ -0,0 +1,91 @@
+---
+title: How Windows Hello for Business works - Authentication
+description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 08/19/2018
+---
+# Windows Hello for Business and Authentication
+
+**Applies to:**
+- Windows 10
+
+Windows Hello for Business authentication is passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources.
        +Azure Active Directory joined devices authenticate to Azure during sign-in and can optional authenticate to Active Directory. Hybrid Azure Active Directory joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.
        + +[Azure AD join authentication to Azure Active Directory](#Azure-AD-join-authentication-to-Azure-Active-Directory)
        +[Azure AD join authentication to Active Direcotry using a Key](#Azure-AD-join-authentication-to-Active-Direcotry-using-a-Key)
        +[Azure AD join authentication to Active Directory using a Certificate](#Azure-AD-join-authentication-to-Active-Directory-using-a-Certificate)
        +[Hybrid Azure AD join authentication using a Key](#Hybrid-Azure-AD-join-authentication-using-a-Key)
        +[Hybrid Azure AD join authentication using a Certificate](#Hybrid-Azure-AD-join-authentication-using-a-Certificate)
        + + +## Azure AD join authentication to Azure Active Directory +![Azure AD join authentication to Azure Active Directory](images/howitworks/auth-aadj-cloud.png) + +| Phase | Description | +| :----: | :----------- | +|A | Authentication begins when the users dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider.| +|B | The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce. The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory.| +|C | Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.| +|D | The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.| +|E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication. 
Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| + +[Return to top](#Windows-Hello-for-Business-and-Authentication) +## Azure AD join authentication to Active Directory using a Key +![Azure AD join authentication to Active Direotory using a Key](images/howitworks/auth-aadj-keytrust-kerb.png) + + +| Phase | Description | +| :----: | :----------- | +|A | Authentication to Active Directory from a Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses metadata from the Windows Hello for Business key to get a hint of the user's domain. Using the hint, the provider uses the DClocator service to locate a 2016 domain controller. After the provider locates an active 2016 domain controller, the provider uses the private key to sign the Kerberos pre-authentication data.| +|B | The Kerberos provider sends the signed pre-authentication data and its public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.
        The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed pre-authentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.| +|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not be revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.| + + +[Return to top](#Windows-Hello-for-Business-and-Authentication) +## Azure AD join authentication to Active Directory using a Certificate +![Azure AD join authentication to Active Directory using a Certificate](images/howitworks/auth-aadj-certtrust-kerb.png) + +| Phase | Description | +| :----: | :----------- | +|A | Authentication to Active Directory from a Azure AD joined device begins with the user first attempts to use a resource that needs Kerberos authentication. The Kerberos security support provider, hosted in lsass, uses information from the certificate to get a hint of the user's domain. Kerberos can use the distinguished name of the user found in the subject of the certificate, or it can use the user principal name of the user found in the subject alternate name of the certificate. 
Using the hint, the provider uses the DClocator service to locate a domain controller. After the provider locates an active domain controller, the provider use the private key to sign the Kerberos pre-authentication data.| +|B | The Kerberos provider sends the signed pre-authentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
        The domain controller determines the certificate is not self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and has not been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed pre-authentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.| +|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not be revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.| + +[Return to top](#Windows-Hello-for-Business-and-Authentication) +## Hybrid Azure AD join authentication using a Key +![Hybrid Azure AD join authentication using a Key](images/howitworks/auth-haadj-keytrust.png) + +| Phase | Description | +| :----: | :----------- | +|A | Authentication begins when the users dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. 
The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.| +|B | The Kerberos provider sends the signed pre-authentication data and the user's public key (in the form of a self-signed certificate) to the Key Distribution Center (KDC) service running on the 2016 domain controller in the form of a KERB_AS_REQ.
        The 2016 domain controller determines the certificate is a self-signed certificate. It retrieves the public key from the certificate included in the KERB_AS_REQ and searches for the public key in Active Directory. It validates the UPN for authentication request matches the UPN registered in Active Directory and validates the signed pre-authentication data using the public key from Active Directory. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.| +|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not be revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. +|D | After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.| +|E | Lsass informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| +|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.| +|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory. Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. 
After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.
        The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.
        The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.| + +[Return to top](#Windows-Hello-for-Business-and-Authentication) +## Hybrid Azure AD join authentication using a Certificate +![Hybrid Azure AD join authentication using a Certificate](images/howitworks/auth-haadj-certtrust.png) + +| Phase | Description | +| :----: | :----------- | +|A | Authentication begins when the users dismisses the lock screen, which triggers winlogon to show the Windows Hello for Business credential provider. The user provides their Windows Hello gesture (PIN or biometrics). The credential provider packages these credentials and returns them to winlogon. Winlogon passes the collected credentials to lsass. Lsass passes the collected credentials to the Kerberos security support provider. The Kerberos provider gets domain hints from the domain joined workstation to locate a domain controller for the user.| +|B | The Kerberos provider sends the signed pre-authentication data and user's certificate, which includes the public key, to the Key Distribution Center (KDC) service running on the domain controller in the form of a KERB_AS_REQ.
        The domain controller determines the certificate is not self-signed certificate. The domain controller ensures the certificate chains to trusted root certificate, is within its validity period, can be used for authentication, and has not been revoked. It retrieves the public key and UPN from the certificate included in the KERB_AS_REQ and searches for the UPN in Active Directory. It validates the signed pre-authentication data using the public key from the certificate. On success, the KDC returns a TGT to the client with its certificate in a KERB_AS_REP.| +|C | The Kerberos provider ensures it can trust the response from the domain controller. First, it ensures the KDC certificate chains to a root certificate that is trusted by the device. Next, it ensures the certificate is within its validity period and that it has not be revoked. The Kerberos provider then verifies the certificate has the KDC Authentication present and that the subject alternate name listed in the KDC's certificate matches the domain name to which the user is authenticating. +|D | After passing this criteria, Kerberos returns the TGT to lsass, where it is cached and used for subsequent service ticket requests.| +|E | Lsass informs winlogon of the success authentication. Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| +|F | While Windows loads the user's desktop, lsass passes the collected credentials to the Cloud Authentication security support provider, referred to as the Cloud AP provider. The Cloud AP provider requests a nonce from Azure Active Directory. Azure AD returns a nonce.| +|G | The Cloud AP provider signs the nonce using the user's private key and returns the signed nonce to the Azure Active Directory. Azure Active Directory validates the signed nonce using the user's securely registered public key against the nonce signature. After validating the signature, Azure AD then validates the returned signed nonce. 
After validating the nonce, Azure AD creates a PRT with session key that is encrypted to the device's transport key and returns it to the Cloud AP provider.
        The Cloud AP provider receives the encrypted PRT with session key. Using the device's private transport key, the Cloud AP provider decrypt the session key and protects the session key using the device's TPM.
        The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT.|
+
+[Return to top](#Windows-Hello-for-Business-and-Authentication)
+
+
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
new file mode 100644
index 0000000000..d2f8d995f9
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-device-registration.md
@@ -0,0 +1,87 @@
+---
+title: How Windows Hello for Business works - Device Registration
+description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 08/19/2018
+---
+# Windows Hello for Business and Device Registration
+
+**Applies to:**
+- Windows 10
+
+Device Registration is a prerequisite to Windows Hello for Business provisioning. Device registration occurs regardless of a cloud, hybrid, or on-premises deployments. For cloud and hybrid deployments, devices register with Azure Active Directory. For on-premises deployments, devices registered with the enterprise device registration service hosted by Active Directory Federation Services (AD FS).
+
+[Azure AD joined in Managed environments](#Azure-AD-joined-in-Managed-environments)
        +[Azure AD joined in Federated environments](#Azure-AD-joined-in-Federated-environments)
        +[Hybrid Azure AD joined in Managed environments](#HybridAzure-AD-joined-in-Managed-environments)
        +[Hybrid Azure AD joined in Federated environments](#Hybrid-Azure-AD-joined-in-Federated-environments)
        + + + + +## Azure AD joined in Managed environments +![Azure AD joined in Managed environments](images/howitworks/devreg-aadj-managed.png) + +| Phase | Description | +| :----: | :----------- | +|A | The most common way Azure AD joined devices register with Azure is during the out-of-box-experience (OOBE) where it loads the Azure AD join web application in the Cloud Experience Host (CXH) application. The application sends a GET request to the Azure OpenID configuration endpoint to discover authorization endpoints. Azure returns the OpenID configuration, which includes the authorization endpoints, to application as JSON document.| +|B | The application builds a sign-in request for the authorization end point and collects user credentials.| +|C | After the user provides their user name (in UPN format), the application sends a GET request to Azure to discover corresponding realm information for the user. This determines if the environment is managed or federated. Azure returns the information in a JSON object. The application determines the environment is managed (non-federated).
        The last step in this phase has the application create an authentication buffer and if in OOBE, temporarily caches it for automatic sign-in at the end of OOBE. The application POSTs the credentials to Azure Active Directory where they are validated. Azure Active Directory returns an ID token with claims.| +|D | The application looks for MDM terms of use (the mdm_tou_url claim). If present, the application retrieves the terms of use from the claim's value, present the contents to the user, and waits for the user to accept the terms of use. This step is optional and skipped if the claim is not present or if the claim value is empty.| +|E | The application sends a device registration discovery request to the Azure Device Registration Service (ADRS). Azure DRS returns a discovery data document, which returns tenant specific URIs to complete device registration.| +|F | The application creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).| +|G | The application sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client.| +|H | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. 
With device registration complete, the process continues with MDM enrollment.|
+
+[Return to top](#Windows-Hello-for-Business-and-Device-Registration)
+## Azure AD joined in Federated environments
+![Azure AD joined in Managed environments](images/howitworks/devreg-aadj-federated.png)
+
+| Phase | Description |
+| :----: | :----------- |
+|A | The most common way Azure AD joined devices register with Azure is during the out-of-box-experience (OOBE) where it loads the Azure AD join web application in the Cloud Experience Host (CXH) application. The application sends a GET request to the Azure OpenID configuration endpoint to discover authorization endpoints. Azure returns the OpenID configuration, which includes the authorization endpoints, to application as JSON document.|
+|B | The application builds a sign-in request for the authorization end point and collects user credentials.|
+|C | After the user provides their user name (in UPN format), the application sends a GET request to Azure to discover corresponding realm information for the user. This determines if the environment is managed or federated. Azure returns the information in a JSON object. The application determines the environment is managed (non-federated).
        The application redirects to the AuthURL value (on-premises STS sign-in page) in the returned JSON realm object. The application collects credentials through the STS web page.| +|D | The application POST the credential to the on-premises STS, which may require additional factors of authentication. The on-premises STS authenticates the user and returns a token. The application POSTs the token to Azure Active Directory for authentication. Azure Active Directory validates the token and returns an ID token with claims.| +|E | The application looks for MDM terms of use (the mdm_tou_url claim). If present, the application retrieves the terms of use from the claim's value, present the contents to the user, and waits for the user to accept the terms of use. This step is optional and skipped if the claim is not present or if the claim value is empty.| +|F | The application sends a device registration discovery request to the Azure Device Registration Service (ADRS). Azure DRS returns a discovery data document, which returns tenant specific URIs to complete device registration.| +|G | The application creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).| +|H | The application sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client.| +|I | Device registration completes by receiving the device ID and the device certificate from Azure DRS. 
The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the process continues with MDM enrollment.| + +[Return to top](#Windows-Hello-for-Business-and-Device-Registration) +## Hybrid Azure AD joined in Managed environments +![Hybrid Azure AD joined in Managed environments](images/howitworks/devreg-hybrid-haadj-managed.png) + +| Phase | Description | +| :----: | :----------- | +| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. The user sign-in triggers the Automatic Device Join task.| +|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines if device registration is directed to Azure Device Registration Service (ADRS) or the enterprise device registration service hosted on-premises.| +|C | For the managed environment, the task creates an initial authentication credential in the form of a self-signed certificate. The task write the certificate to the userCertificate attribute on the computer object in Active Directory using LDAP. +|D |The computer cannot authenticate to Azure DRS until a device object representing the computer that includes the certificate on the userCertificate attribute is created in Azure Active Directory. Azure AD Connect detects an attribute change. On the next synchronization cycle, Azure AD Connect sends the userCertificate, object GUID, and computer SID to Azure DRS. 
Azure DRS uses the attribute information to create a device object in Azure Active Directory.| +|E | The Automatic Device Join task triggers with each user sign-in and tries to authenticate the computer to Azure Active Directory using the corresponding private key of the public key in the userCertificate attribute. Azure Active Directory authenticates the computer and issues a ID token to the computer.| +|F | The task creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).| +|G | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. Azure DRS then updates the device object in Azure Active Directory and sends the device ID and the device certificate to the client.| +|H | Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.| + +[Return to top](#Windows-Hello-for-Business-and-Device-Registration) +## Hybrid Azure AD joined in Federated environments +![Hybrid Azure AD joined in Managed environments](images/howitworks/devreg-hybrid-haadj-federated.png) + +| Phase | Description | +| :----: | :----------- | +| A | The user signs in to a domain joined Windows 10 computers using domain credentials. This can be user name and password or smart card authentication. 
The user sign-in triggers the Automatic Device Join task.| +|B | The task queries Active Directory using the LDAP protocol for the keywords attribute on service connection point stored in the configuration partition in Active Directory (CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=corp,DC=contoso,DC=com). The value returned in the keywords attribute determines if device registration is directed to Azure Device Registration Service (ADRS) or the enterprise device registration service hosted on-premises.| +|C | For the federated environments, the computer authenticates the enterprise device registration endpoint using Windows integrated authentication. The enterprise device registration service creates and returns a token that includes claims for the object GUID, computer SID, and domain joined state. The task submits the token and claims to Azure Active Directory where it is validated. Azure Active Directory returns an ID token to the running task. +|D | The application creates TPM bound (preferred) RSA 2048 bit key-pair known as the device key (dkpub/dkpriv). The application create a certificate request using dkpub and the public key and signs the certificate request with using dkpriv. Next, the application derives second key pair from the TPM's storage root key. This is the transport key (tkpub/tkpriv).| +|E | To provide SSO for on-premises federated application, the task requests an enterprise PRT from the on-premises STS. Windows Server 2016 running the Active Directory Federation Services role validate the request and return it the running task.| +|F | The task sends a device registration request to Azure DRS that includes the ID token, certificate request, tkpub, and attestation data. Azure DRS validates the ID token, creates a device ID, and creates a certificate based on the included certificate request. 
Azure DRS then writes a device object in Azure Active Directory and sends the device ID and the device certificate to the client. Device registration completes by receiving the device ID and the device certificate from Azure DRS. The device ID is saved for future reference (viewable from dsregcmd.exe /status), and the device certificate is installed in the Personal store of the computer. With device registration complete, the task exits.|
+|G |If device write-back is enabled, on it's next synchronization cycle, Azure AD Connect requests updates from Azure Active Directory. Azure Active Directory correlates the device object with a matching synchronized computer object. Azure AD Connect receives the device object that includes the object GUID and computer SID and writes the device object to Active Directory.|
+
+[Return to top](#Windows-Hello-for-Business-and-Device-Registration)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
new file mode 100644
index 0000000000..2251f953d0
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -0,0 +1,145 @@
+---
+title: How Windows Hello for Business works - Provisioning
+description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 08/19/2018
+---
+# Windows Hello for Business Provisioning
+
+**Applies to:**
+- Windows 10
+
+Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication. Provisioning experience vary based on:
+- How the device is joined to Azure Active Directory
+- The Windows Hello for Business deployment type
+- If the environment is managed or federated
+
+[Azure AD joined provisioning in a Managed environment](#Azure-AD-joined-provisioning-in-a-Managed-environment)
        +[Azure AD joined provisioning in a Federated environment](#Azure-AD-joined-provisioning-in-a-Federated-environment)
        +[Hybrid Azure AD joined provisioning in a Key Trust deployment](#Hybrid-Azure-AD-joined-provisioning-in-a-Key-Trust-deployment)
        +[Hybrid Azure AD joined provisioning in a Certificate Trust deployment](#Hybrid-Azure-AD-joined-provisioning-in-a-Certificate-Trust-deployment)
        +[Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment](#Hybrid-Azure-AD-joined-provisioning-in-a-synchronous-Certificate-Trust-deployment)
        +[Domain joined provisioning in an On-premises Key Trust deployment](#Domain-joined-provisioning-in-an-Onpremises-Key-Trust-deployment)
        +[Domain joined provisioning in an On-premises Certificate Trust deployment](#Domain-joined-provisioning-in-an-Onpremises-Certificate-Trust-deployment)
        + + + +## Azure AD joined provisioning in a Managed environment +![Azure AD joined provisioning in a Managed environment](images/howitworks/prov-aadj-managed.png) + +| Phase | Description | +| :----: | :----------- | +| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
        Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
        Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. | +|B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).| +|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits.| + + +[Return to top](#Windows-Hello-for-Business-Provisioning) +## Azure AD joined provisioning in a Federated environment +![Azure AD joined provisioning in a Managed environment](images/howitworks/prov-aadj-federated.png) + +| Phase | Description | +| :----: | :----------- | +| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
        In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
        Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
        The on-premises STS server issues a enterprise token on successful MFA. The application sends the token to Azure Active Directory.
        Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. | +|B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).| +|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns key ID to the application which signals the end of user provisioning and the application exits.| + +[Return to top](#Windows-Hello-for-Business-Provisioning) +## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed envrionment +![Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed ennvironment](images/howitworks/prov-haadj-keytrust-managed.png) + +| Phase | Description | +| :----: | :----------- | +| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
        Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
        Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. | +|B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).| +|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application which signals the end of user provisioning and the application exits.| +|D | Azure AD Connect requests updates on its next synchronization cycle. Azure Active Directory sends the user's public key that was securely registered through provisioning. AAD Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory.| +> [!IMPORTANT] +> The newly provisionied user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory. 
+ + + + +[Return to top](#Windows-Hello-for-Business-Provisioning) +## Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment +![Hybrid Azure AD joined provisioning in a Certificate Trust deployment in a Managed environment](images/howitworks/prov-haadj-certtrust-managed.png) + +| Phase | Description | +| :----: | :----------- | +| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
        Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
        Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. | +|B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).| +|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID to the application, which represents the end of user key registration.| +|D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
        The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
        After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys.| +|E | The registration authority validates the public key in the certificate request matches a registered key for the user.
        If the public key in the certificate is not found in the list of registered public keys, certificate enrollment is deferred until Phase F completes. The application is informed of the deferment and exits to the user's desktop. The automatic certificate enrollment client triggers the Azure AD Web Account Manager plug-in to retry the certificate enrollment at 24, 85, 145, 205, 265, and 480 minutes after phase C successfully completes. The user must remain signed in for automatic certificate enrollment to trigger certificate enrollment. If the user signs out, automatic certificate enrollment is triggered approximately 30 minutes after the user's next sign in.
        After validating the public key, the registration authority signs the certificate request using its enrollment agent certificate.| +|G |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.| +|H | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning.| +|F | Azure AD Connect requests updates on its next synchronization cycle. Azure Active Directory sends the user's public key that was securely registered through provisioning. AAD Connect receives the public key and writes it to user's msDS-KeyCredentialLink attribute in Active Directory.| +> [!IMPORTANT] +> The newly provisionied user will not be able to sign in using Windows Hello for Business until Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory. + + +[Return to top](#Windows-Hello-for-Business-Provisioning) +## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environmnet +![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Managed environment](images/howitworks/prov-haadj-instant-certtrust-managed.png) + +| Phase | Description | +| :----: | :----------- | +| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
        Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services provides the second factor of authentication. If the user has performed Azure MFA within the last 10 minutes, such as when registering the device from the out-of-box-experience (OOBE), then they are not prompted for MFA because the current MFA remains valid.
        Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. | +|B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).| +|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID and a key receipt to the application, which represents the end of user key registration.| +|D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
        The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
        After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys.| +|E | The registration authority validates the public key in the certificate request matches a registered key for the user.
        If the public key in the certificate is not found in the list of registered public keys, it then validates the key receipt to confirm the key was securely registered with Azure.
        After validating the key receipt or public key, the registration authority signs the certificate request using its enrollment agent certificate.| +|F |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.| +|G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning.| +> [!IMPORTANT] +> Synchronous certificate enrollment does not depend on Azure AD Connect to syncrhonize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not show in this flow. + + +[Return to top](#Windows-Hello-for-Business-Provisioning) +## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment +![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Fedeerated environment](images/howitworks/prov-haadj-instant-certtrust-federated.png) + +| Phase | Description | +| :----: | :----------- | +| A|The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Azure Device Registration Service (ADRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
        In a federated environment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
        Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA services (or a third party MFA service) provides the second factor of authentication.
        The on-premises STS server issues a enterprise token on successful MFA. The application sends the token to Azure Active Directory.
        Azure Active Directory validates the access token request and the MFA claim associated with it, creates an ADRS access token, and returns it to the application. | +|B | After receiving a ADRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).| +|C | The application sends the ADRS token, ukpub, attestation data, and device information to ADRS for user key registration. Azure DRS validates the MFA claim remains current. On successful validation, Azure DRS locates the user's object in Azure Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. Azure Active Directory returns a key ID and a key receipt to the application, which represents the end of user key registration.| +|D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
        The application sends the key receipt and certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
        After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys.| +|E | The registration authority validates the public key in the certificate request matches a registered key for the user.
        If the public key in the certificate is not found in the list of registered public keys, it then validates the key receipt to confirm the key was securely registered with Azure.
        After validating the key receipt or public key, the registration authority signs the certificate request using its enrollment agent certificate.| +|F |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.| +|G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning.| +> [!IMPORTANT] +> Synchronous certificate enrollment does not depend on Azure AD Connect to syncrhonize the user's public key to issue the Windows Hello for Business authentication certificate. Users can sign-in using the certificate immediately after provisioning completes. Azure AD Connect continues to synchronize the public key to Active Directory, but is not show in this flow. + +[Return to top](#Windows-Hello-for-Business-Provisioning) +## Domain joined provisioning in an On-premises Key Trust deployment +![Domain joined provisioning in an On-premises Key Trust deployment](images/howitworks/prov-onprem-keytrust.png) + +| Phase | Description | +| :----: | :----------- | +|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
        In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
        Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA server (or a third party MFA service) provides the second factor of authentication.
        The on-premises STS server issues a enterprise DRS token on successful MFA.| +| B| After receiving a EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).| +|C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.| + + +[Return to top](#Windows-Hello-for-Business-Provisioning) +## Domain joined provisioning in an On-premises Certificate Trust deployment +![Domain joined provisioning in an On-premises Certificate Trust deployment](images/howitworks/prov-onprem-certtrust.png) + +| Phase | Description | +| :----: | :----------- | +|A| The provisioning application hosted in the Cloud Experience Host (CXH) starts provisioning by requesting an access token for the Enterprise Device Registration Service (EDRS). The application makes the request using the Azure Active Directory Web Account Manager plug-in.
        In an on-premises deployment, the plug-in sends the token request to the on-premises STS, such as Active Directory Federation Services. The on-premises STS authenticates the user and determines if the user should perform another factor of authentication.
        Users must provide two factors of authentication. In this phase, the user has already provided one factor of authentication, typically user name and password. Azure MFA server (or a third party MFA service) provides the second factor of authentication.
        The on-premises STS server issues a enterprise DRS token on successful MFA.| +| B| After receiving a EDRS access token, the application detects if the device has a Windows Hello biometric compatible sensor. If the application detects a biometric sensor, it gives the user the choice to enroll biometrics. After completing or skipping biometric enrollment, the application requires the user to create a PIN and the default (and fall-back gesture when used with biometrics). The user provides and confirms their PIN. Next, the application requests a Windows Hello for Business key pair from the key pre-generation pool, which includes attestation data. This is the user key (ukpub/ukpriv).| +|C | The application sends the EDRS token, ukpub, attestation data, and device information to the Enterprise DRS for user key registration. Enterprise DRS validates the MFA claim remains current. On successful validation, the Enterprise DRS locates the user's object in Active Directory, writes the key information to a multi-values attribute. The key information includes a reference to the device from which it was created. The Enterprise DRS returns a key ID to the application, which represents the end of user key registration.| +|D | The certificate request portion of provisioning begins after the application receives a successful response from key registration. The application creates a PKCS#10 certificate request. The key used in the certificate request is the same key that was securely provisioned.
        The application sends the certificate request, which includes the public key, to the certificate registration authority hosted on the Active Directory Federation Services (AD FS) farm.
        After receiving the certificate request, the certificate registration authority queries Active Directory for the msDS-KeyCredentailsLink for a list of registered public keys.| +|E | The registration authority validates the public key in the certificate request matches a registered key for the user.
        After validating the public key, the registration authority signs the certificate request using its enrollment agent certificate.|
+|F |The registration authority sends the certificate request to the enterprise issuing certificate authority. The certificate authority validates the certificate request is signed by a valid enrollment agent and, on success, issues a certificate and returns it to the registration authority that then returns the certificate to the application.|
+|G | The application receives the newly issued certificate and installs the it into the Personal store of the user. This signals the end of provisioning.|
+
+[Return to top](#Windows-Hello-for-Business-Provisioning)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
new file mode 100644
index 0000000000..7297f63ac7
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-tech-deep-dive.md
@@ -0,0 +1,44 @@
+---
+title: How Windows Hello for Business works - Techincal Deep Dive
+description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business.
+keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, key-trust, works
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 08/19/2018
+---
+# Technical Deep Dive
+
+**Applies to:**
+- Windows 10
+
+Windows Hello for Business authentication works through collection of components and infrastructure working together. You can group the infrastructure and components in three categories:
+- [Registration](#Registration)
+- [Provisioning](#Provisioning)
+- [Authentication](#Authentication)
+
+## Registration
+
+Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
+
+[How Device Registration Works](hello-how-it-works-device-registration.md)
+
+
+## Provisioning
+
+Provisioning is when the user uses one form of authentication to request a new Windows Hello for Business credential. Typically the user signs in to Windows using user name and password. The provisioning flow requires a second factor of authentication before it will create a strong, two-factor Windows Hello for Business credential.
+After successfully completing the second factor of authentication, the user is asked to enroll biometrics (if available on the device) and create PIN as a backup gesture. Windows then registers the public version of the Windows Hello for Business credential with the identity provider.
+For cloud and hybrid deployments, the identity provider is Azure Active Directory and the user registers their key with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the user registers their key with the enterprise device registration service hosted on the federation servers.
+Provision can occur automatically through the out-of-box-experience (OOBE) on Azure Active Directory joined devices, or on hybrid Azure Active Directory joined devices where the user or device is influenced by Windows Hello for Business policy settings. Users can start provisioning through **Add PIN** from Windows Settings. Watch the [Windows Hello for Business enrollment experience](hello-videos.md#windows-hello-for-business-user-enrollment-experience) from our [Videos](hello-videos.md) page.
+
+[How Windows Hello for Business provisioning works](hello-how-it-works-provisioning.md)
+
+## Authentication
+
+Authentication using Windows Hello for Business is the goal, and the first step in getting to a passwordless environment. With the device registered, and provisioning complete. Users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is avaiable on most computers and devices. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. The PIN nor the private portion of the credential are never sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
+
+[How Windows Hello for Business authentication works](hello-how-it-works-authentication.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
new file mode 100644
index 0000000000..e48b498d4e
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -0,0 +1,313 @@ +--- +title: How Windows Hello for Business works - Technology and Terms +description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 08/19/2018 +--- +# Technology and Terms + +**Applies to:** +- Windows 10 + +- [Attestation Identity Keys](#Attestation-Identity-Keys) +- [Azure AD Joined](#Azure-AD-Joined) +- [Azure AD Registered](#Azure-AD-Registered) +- [Certificate Trust](#Certificate-Trust) +- [Cloud Deployment](#Cloud-Deployment) +- [Deployment Type](#Deployment-Type) +- [Endorsement Key](#Endorsement-Key) +- [Federated Environment](#Federated-Environment) +- [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined) +- [Hybrid Deployment](#Hybrid-Deployment) +- [Join Type](#Join-Type) +- [Key Trust](#Key-Trust) +- [Managed Environment](#Managed-Environment) +- [On-premises Deployment](#Onpremises-Deployment) +- [Pass-through Authentication](#Passthrough-Authentication) +- [Password Hash Synchronization](#Password-Hash-Synchronization) +- [Primary Refresh Token](#Primary-Refresh-Token) +- [Storage Root Key](#Storage-Root-Key) +- [Trust Type](#Trust-Type) +- [Trusted Platform Module](#Trusted-Platform-Module) +
        + +## Attestation Identity Keys +Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows 10 issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service. + +> [!NOTE] +> The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK. +> The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations. + +Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft +Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10 device. + +Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. 
**To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM. + +In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement certificate. + +### Related topics +[Endorsement Key](#Endorsement-Key), [Storage Root Key](#Storage-Root-Key), [Trusted Platform Module](#Trusted-Platform-Module) + +### More information +- [Windows Client Certificate Enrollment Protocol: Glossary](https://msdn.microsoft.com/en-us/library/cc249746.aspx#gt_70efa425-6b46-462f-911d-d399404529ab) +- [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/) + + +[Return to Top](#Technology-and-Terms) +## Azure AD Joined +Azure AD Join is intended for organizations that desire to be cloud-first or cloud-only. There is no restriction on the size or type of organizations that can deploy Azure AD Join. Azure AD Join works well even in an hybrid environment and can enable access to on-premise applications and resources. +### Related topics +[Join Type](#Join-Type), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined) + +### More information + - [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction). 
+ +[Return to Top](#Technology-and-Terms) +## Azure AD Registered +The goal of Azure AD registered devices is to provide you with support for the Bring Your Own Device (BYOD) scenario. In this scenario, a user can access your organization's Azure Active Directory controlled resources using a personal device. +### Related topics +[Azure AD Joined](#Azure-AD-Joined), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined), [Join Type](#Join-Type) + +### More information +- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction) + + +[Return to Top](#Technology-and-Terms) +## Certificate Trust +The certificate trust model uses a securely issued certificate based on the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and is compatible with Windows Server 2008 R2 and later domain controllers. + +### Related topics +[Deployment Type](#Deployment-Type), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined), [Hybrid Deployment](#Hybrid-Deployment), [Key Trust](#Key-Trust), [On-premises Deployment](#Onpremises-Deployment), [Trust Type](#Trust-Type) + +### More information +- [Windows Hello for Business Planning Guide](hello-planning-guide.md) + +[Return to Top](#Technology-and-Terms) +## Cloud Deployment +The Windows Hello for Business Cloud deployment is exclusively for organizations using cloud-based identities and resources. Device management is accomplished using Intune or a modern management alternative. Cloud deployments use Azure AD joined or Azure AD registered device join types. 
+ +### Related topics +[Azure AD Joined](#Azure-AD-Joined), [Azure AD Registered](#Azure-AD-Registered), [Deployment Type](#Deployment-Type), [Join Type](#Join-Type) + +[Return to Top](#Technology-and-Terms) +## Deployment Type +Windows Hello for Business has three deployment models to accommodate the needs of different organizations. The three deployment models include: +- Cloud +- Hybrid +- On-Premises + +### Related topics +[Cloud Deployment](#Cloud-Deployment), [Hybrid Deployment](#Hybrid-Deployment), [On-premises Deployment](#Onpremises-Deployment) + +### More information +- [Windows Hello for Business Planning Guide](hello-planning-guide.md) + +[Return to Top](#Technology-and-Terms) +## Endorsement Key + +The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits). + +The endorsement key public key is generally used for sending securely sensitive parameters, such as when taking possession of the TPM that contains the defining hash of the owner password. The EK private key is used when creating secondary keys like AIKs. + +The endorsement key acts as an identity card for the TPM. + +The endorsement key is often accompanied by one or two digital certificates: + +- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service. +- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device. 
+For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10. + +### Related topics +[Attestation Identity Keys](#Attestation-Identity-Keys), [Storage Root Key](#Storage-Root-Key), [Trusted Platform Module](#Trusted-Platform-Module) + +### More information +- [Understand the TPM endorsement key](https://go.microsoft.com/fwlink/p/?LinkId=733952). +- [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/) + +[Return to Top](#Technology-and-Terms) +## Federated Environment +Primarily for large enterprise organizations with more complex authentication requirements, on-premises directory objects are synchronized with Azure Active Directory and users accounts are managed on-premises. With AD FS, users have the same password on-premises and in the cloud and they do not have to sign in again to use Office 365 or other Azure-based applications. This federated authentication model can provide additional authentication requirements, such as smart card-based authentication or a third-party multi-factor authentication and is typically required when organizations have an authentication requirement not natively supported by Azure AD. + +### Related topics +[Hybrid Deployment](#Hybrid-Deployment), [Managed Environment](#Managed-Environment), [Pass-through authentication](#Passthrough-authentication), [Password Hash Sync](#Password-Hash-Sync) + +### More information +- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn) + +[Return to Top](#Technology-and-Terms) +## Hybrid Azure AD Joined +For more than a decade, many organizations have used the domain join to their on-premises Active Directory to enable: +- IT departments to manage work-owned devices from a central location. 
+- Users to sign in to their devices with their Active Directory work or school accounts. +Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use System Center Configuration Manager (SCCM) or group policy (GP) to manage them. +If your environment has an on-premises AD footprint and you also want benefit from the capabilities provided by Azure Active Directory, you can implement hybrid Azure AD joined devices. These are devices that are both, joined to your on-premises Active Directory and your Azure Active Directory. + +### Related topics +[Azure AD Joined](#Azure-AD-Joined), [Azure AD Registered](#Azure-AD-Registered), [Hybrid Deployment](#Hybrid-Deployment) + +### More information +- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction) + +[Return to Top](#Technology-and-Terms) +## Hybrid Deployment +The Windows Hello for Business hybrid deployment is for organizations that have both on-premises and cloud resources that are accessed using a managed or federated identity that is synchronized with Azure Active Directory. Hybrid deployments support devices that are Azure AD registered, Azure AD joined, and hybrid Azure AD joined. The Hybrid deployment model supports two trust types for on-premises authentication, key trust and certificate trust. + +### Related topics +[Azure AD Joined](#Azure-AD-Joined), [Azure AD Registered](#Azure-AD-Registered), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined), + +### More information +- [Windows Hello for Business Planning Guide](hello-planning-guide.md) + +[Return to Top](#Technology-and-Terms) +## Join type +Join type is how devices are associated with Azure Active Directory. For a device to authenticate to Azure Active Directory it must be registered or joined. +Registering a device to Azure AD enables you to manage a device's identity. 
When a device is registered, Azure AD device registration provides the device with an identity that is used to authenticate the device when a user signs-in to Azure AD. You can use the identity to enable or disable a device. +When combined with a mobile device management(MDM) solution such as Microsoft Intune, the device attributes in Azure AD are updated with additional information about the device. This allows you to create conditional access rules that enforce access from devices to meet your standards for security and compliance. For more information on enrolling devices in Microsoft Intune, see Enroll devices for management in Intune . +Joining a device is an extension to registering a device. This means, it provides you with all the benefits of registering a device and in addition to this, it also changes the local state of a device. Changing the local state enables your users to sign-in to a device using an organizational work or school account instead of a personal account. + +### Related topics +[Azure AD Joined](#Azure-AD-Joined), [Azure AD Registered](#Azure-AD-Registered), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined) + +### More information +- [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction) + +[Return to Top](#Technology-and-Terms) +## Key Trust +The key trust model uses the user's Windows Hello for Business identity to authenticate to on-premises Active Directory. The certificate trust model is supported in hybrid and on-premises deployments and requires Windows Server 2016 domain controllers. 
+ +### Related topics +[Certificate Trust](#Certificate-Trust), [Deployment Type](#Deployment-Type), [Hybrid Azure AD Joined](#Hybrid-Azure-AD-Joined), [Hybrid Deployment](#Hybrid-Deployment), [On-premises Deployment](#Onpremises-Deployment), [Trust Type](#Trust-Type), [Trust Type](#Trust-Type) + +### More information +- [Windows Hello for Business Planning Guide](hello-planning-guide.md) + +[Return to Top](#Technology-and-Terms) +## Managed Environment +Managed environments are for non-federated environments where Azure Active Directory manages the authentication using technologies such as Password Hash Synchronization and Pass-through Authentication rather than a federation service such as Active Directory Federation Services. + +### Related topics +[Federated Environment](#Federated-Environment), [Pass-through authentication](#Passthrough-authentication), [Password Hash Synchronization](#Password-Hash-Synchronization) + +[Return to Top](#Technology-and-Terms) +## On-premises Deployment +The Windows Hello for Business on-premises deployment is for organizations that exclusively have on-premises resources that are accessed using Active Directory identities. On-premises deployments support domain joined devices. The on-premises deployment model supports two authentication trust types, key trust and certificate trust. + +### Related topics +[Cloud Deployment](#Cloud-Deployment), [Deployment Type](#Deployment-Type), [Hybrid Deployment](#Hybrid-Deployment) + +### More information +- [Windows Hello for Business Planning Guide](hello-planning-guide.md) + +[Return to Top](#Technology-and-Terms) +## Pass-through authentication +Provides a simple password validation for Azure AD authentication services using a software agent running on one or more on-premises servers to validate the users directly with your on-premises Active Directory. 
With pass-through authentication (PTA), you synchronize on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Allows your users to sign in to both on-premises and Office 365 resources and applications using their on-premises account and password. This configuration validates users' passwords directly against your on-premises Active Directory without sending password hashes to Office 365. Companies with a security requirement to immediately enforce on-premises user account states, password policies, and logon hours would use this authentication method. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network. + +### Related topics +[Federated Environment](#Federated-Environment), [Managed Environment](#Managed-Environment), [Password Hash Synchronization](#Password-Hash-Synchronization) + + +### More information +- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn) + +[Return to Top](#Technology-and-Terms) +## Password Hash Sync +The simplest way to enable authentication for on-premises directory objects in Azure AD. With password hash sync (PHS), you synchronize your on-premises Active Directory user account objects with Office 365 and manage your users on-premises. Hashes of user passwords are synchronized from your on-premises Active Directory to Azure AD so that the users have the same password on-premises and in the cloud. When passwords are changed or reset on-premises, the new password hashes are synchronized to Azure AD so that your users can always use the same password for cloud resources and on-premises resources. The passwords are never sent to Azure AD or stored in Azure AD in clear text. 
Some premium features of Azure AD, such as Identity Protection, require PHS regardless of which authentication method is selected. With seamless single sign-on, users are automatically signed in to Azure AD when they are on their corporate devices and connected to your corporate network.
+
+### Related topics
+[Federated Environment](#Federated-Environment), [Managed Environment](#Managed-Environment), [Pass-through authentication](#Passthrough-authentication)
+
+### More information
+- [Choosing the right authentication method for your Azure Active Directory hybrid identity solution](https://docs.microsoft.com/en-us/azure/security/azure-ad-choose-authn)
+
+[Return to Top](#Technology-and-Terms)
+## Primary Refresh Token
+SSO relies on special tokens obtained for each of the types of applications above. These are in turn used to obtain access tokens to specific applications. In the traditional Windows Integrated authentication case using Kerberos, this token is a Kerberos TGT (ticket-granting ticket). For Azure AD and AD FS applications we call this a Primary Refresh Token (PRT). This is a [JSON Web Token](http://openid.net/specs/draft-jones-json-web-token-07.html) containing claims about both the user and the device.
+
+The PRT is initially obtained during Windows Logon (user sign-in/unlock) in a similar way the Kerberos TGT is obtained. This is true for both Azure AD joined and domain joined devices. In personal devices registered with Azure AD, the PRT is initially obtained upon Add Work or School Account (in a personal device the account to unlock the device is not the work account but a consumer account e.g. hotmail.com, live.com, outlook.com, etc.).
+
+The PRT is needed for SSO. Without it, the user will be prompted for credentials when accessing applications every time. Please also note that the PRT contains information about the device.
This means that if you have any [device-based conditional access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-policy-connected-applications) policy set on an application, without the PRT, access will be denied.
+
+[Return to Top](#Technology-and-Terms)
+## Storage Root Key
+The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048 bits length). The SRK has a major role and is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK key is created when the ownership of the TPM is taken.
+
+### Related topics
+[Attestation Identity Keys](#Attestation-Identity-Keys), [Endorsement Key](#Endorsement-Key), [Trusted Platform Module](#Trusted-Platform-Module)
+
+### More information
+[TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
+
+[Return to Top](#Technology-and-Terms)
+## Trust type
+The trust type determines how a user authenticates to the Active Directory to access on-premises resources. There are two trust types, key trust and certificate trust. The hybrid and on-premises deployment models support both trust types. The trust type does not affect authentication to Azure Active Directory. Windows Hello for Business authentication to Azure Active Directory always uses the key, not a certificate (excluding smart card authentication in a federated environment).
+
+### Related topics
+[Certificate Trust](#Certificate-Trust), [Hybrid Deployment](#Hybrid-Deployment), [Key Trust](#Key-Trust), [On-premises Deployment](#Onpremises-Deployment)
+
+### More information
+- [Windows Hello for Business Planning Guide](hello-planning-guide.md)
+
+[Return to Top](#Technology-and-Terms)
+## Trusted Platform Module
+
+A Trusted Platform Module (TPM) is a hardware component that provides unique security features.
        + +Windows 10 leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation. + +A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that are not compatible with each other: +- The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard. +- The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015. + +Windows10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948). + +Windows10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows10 supports only TPM 2.0. + +TPM 2.0 provides a major revision to the capabilities over TPM 1.2: + +- Update cryptography strength to meet modern security needs + - Support for SHA-256 for PCRs + - Support for HMAC command +- Cryptographic algorithms flexibility to support government needs + - TPM 1.2 is severely restricted in terms of what algorithms it can support + - TPM 2.0 can support arbitrary algorithms with minor updates to the TCG specification documents +- Consistency across implementations + - The TPM 1.2 specification allows vendors wide latitude when choosing implementation details + - TPM 2.0 standardizes much of this behavior + +In a simplified manner, the TPM is a passive component with limited resources. 
It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device. A TPM incorporates in a single component:
+- A RSA 2048-bit key generator
+- A random number generator
+- Nonvolatile memory for storing EK, SRK, and AIK keys
+- A cryptographic engine to encrypt, decrypt, and sign
+- Volatile memory for storing the PCRs and RSA keys
+
+
+### Related topics
+[Attestation Identity Keys](#Attestation-Identity-Keys), [Endorsement Key](#Endorsement-Key), [Storage Root Key](#Storage-Root-Key)
+
+### More information
+- [TPM Library Specification](https://trustedcomputinggroup.org/resource/tpm-library-specification/)
+
+[Return to Top](#Technology-and-Terms)
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index e1e4b79c14..8f2df655ab 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -1,114 +1,32 @@ --- -title: How Windows Hello for Business works (Windows 10) +title: How Windows Hello for Business works description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business. ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: DaniHalfin -ms.localizationpriority: medium -ms.author: daniha -ms.date: 10/16/2017 +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 05/05/2018 --- # How Windows Hello for Business works **Applies to** -- Windows 10 -- Windows 10 Mobile - -Windows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process. - -## Register a new user or device - -A goal of device registration is to allow a user to open a brand-new device, securely join an organizational network to download and manage organizational data, and create a new Windows Hello gesture to secure the device. Microsoft refers to the process of setting up a device for use with Windows Hello as registration. - -> [!NOTE] ->This is separate from the organizational configuration required to use Windows Hello with Active Directory or Azure Active Directory (Azure AD); that configuration information is in [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md). Organizational configuration must be completed before users can begin to register. - - The registration process works like this: - -1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. 
For a new device, this step may be as simple as signing in with a Microsoft account. Signing in with a Microsoft account on a Windows 10 device automatically sets up Windows Hello on the device; users don’t have to do anything extra to enable it. -2. To sign in using that account, the user has to enter the existing credentials for it. The identity provider (IDP) that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends. -3. When the user has provided the proof to the IDP, the user enables PIN authentication. The PIN will be associated with this particular credential. When the user sets the PIN, it becomes usable immediately - -The PIN chosen is associated with the combination of the active account and that specific device. The PIN must comply with whatever length and complexity policy the account administrator has configured; this policy is enforced on the device side. Other registration scenarios that Windows Hello supports are: - -- A user who upgrades from the Windows 8.1 operating system will sign in by using the existing enterprise password. That triggers a second authentication factor from the IDP side (if required); after receiving and returning a proof, such as a text message or voice code, the IDP authenticates the user to the upgraded Windows 10 device, and the user can set his or her PIN. -- A user who typically uses a smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to. -- A user who typically uses a virtual smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to. 
- -When the user has completed this process, Windows Hello generates a new public–private key pair on the device. The TPM generates and protects this private key; if the device doesn’t have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the protector key. It’s associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. Each unique gesture generates a unique protector key. The protector key securely wraps the authentication key. The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys. Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM. - -At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means he or she is able to securely sign in to the device with the PIN and thus that he or she can establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using his or her PIN, and then registers the new biometric (“smile for the camera!”), after which Windows generates a unique key pair and stores it securely. Future sign-ins can then use either the PIN or the registered biometric gestures. - -## What’s a container? - -You’ll often hear the term *container* used in reference to mobile device management (MDM) solutions. Windows Hello uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. 
Windows 10 Hello uses a single container that holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account. - -The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD. - -It’s important to keep in mind that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials Windows Hello stores are protected without the creation of actual containers or folders. - -The container actually contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container. - -![Each logical container holds one or more sets of keys](images/passport-fig3-logicalcontainer.png) - -Containers can contain several types of key material: - -- An authentication key, which is always an asymmetric public–private key pair. This key pair is generated during registration. It must be unlocked each time it’s accessed, by using either the user’s PIN or a previously generated biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key. -- Virtual smart card keys are generated when a virtual smart card is generated and stored securely in the container. They’re available whenever the user’s container is unlocked. -- The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. 
A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP keys). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways: - - The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES), described more fully in [Network Device Enrollment Service Guidance](https://technet.microsoft.com/library/hh831498.aspx). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container. - - The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don’t have or need a PKI. - -## How keys are protected - -Any time key material is generated, it must be protected against attack. 
The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Work implementation takes advantage of onboard TPM hardware to generate and protect keys. However, Windows Hello and Windows Hello for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the device can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed. - -Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to reauthenticate to the IDP before the IDP allows him or her to re-register). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed. - - -## Authentication - -When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device. 
When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container. - -These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Microsoft Store to require reauthentication any time a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device. - -For example, the authentication process for Azure Active Directory works like this: - -1. The client sends an empty authentication request to the IDP. (This is merely for the handshake process.) -2. The IDP returns a challenge, known as a nonce. -3. The device signs the nonce with the appropriate private key. -4. The device returns the original nonce, the signed nonce, and the ID of the key used to sign the nonce. -5. The IDP fetches the public key that the key ID specified, uses it to verify the signature on the nonce, and verifies that the nonce the device returned matches the original. -6. 
If all the checks in step 5 succeed, the IDP returns two data items: a symmetric key, which is encrypted with the device’s public key, and a security token, which is encrypted with the symmetric key. -7. The device uses its private key to decrypt the symmetric key, and then uses that symmetric key to decrypt the token. -8. The device makes a normal authentication request for the original resource, presenting the token from the IDP as its proof of authentication. - -When the IDP validates the signature, it is verifying that the request came from the specified user and device. The private key specific to the device signs the nonce, which allows the IDP to determine the identity of the requesting user and device so that it can apply policies for content access based on user, device type, or both together. For example, an IDP could allow access to one set of resources only from mobile devices and a different set from desktop devices. - - -## The infrastructure - -Windows Hello depends on having compatible IDPs available to it. As of this writing, that means you have four deployment possibilities: - -- Use an existing Windows-based PKI centered around Active Directory Certificate Services. This option requires additional infrastructure, including a way to issue certificates to users. You can use NDES to register devices directly, or Microsoft Intune where it’s available to manage mobile device participation in Windows Hello. -- The normal discovery mechanism that clients use to find domain controllers and global catalogs relies on Domain Name System (DNS) SRV records, but those records don’t contain version data. Windows 10 computers will query DNS for SRV records to find all available Active Directory servers, and then query each server to identify those that can act as Windows Hello IDPs. 
The number of authentication requests your users generate, where your users are located, and the design of your network all drive the number of Windows Server 2016 domain controllers required. -- Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. In addition to the IDP, Windows Hello requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises System Center Configuration Manager deployment that meets the system requirements described in the Deployment requirements section of this document. - - - - - - - - - - +- Windows 10 +Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices. +Watch this quick video where Pieter Wigleven gives a simple explanation of how Windows Hello for Business works and some of its supporting features. +> [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8] +## Technical Deep Dive +Windows Hello for Business is a distributed system that uses several components to accomplish device registration, provisioning, and authentication. Use this section to gain a better understanding of each of the components and how they support Windows Hello for Business. 
+- [Technology and Terminology](hello-how-it-works-technology.md) +- [Device Registration](hello-how-it-works-device-registration.md) +- [Provisioning](hello-how-it-works-provisioning.md) +- [Authentication](hello-how-it-works-authentication.md) ## Related topics @@ -119,4 +37,4 @@ Windows Hello depends on having compatible IDPs available to it. As of this writ - [Windows Hello and password changes](hello-and-password-changes.md) - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md) - [Event ID 300 - Windows Hello successfully created](hello-event-300.md) -- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) +- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md) \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md new file mode 100644 index 0000000000..fab2f25e0b --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md 
@@ -0,0 +1,329 @@
+---
+title: Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business
+description: Azure Active Directory joined devices in a hybrid Deployment for on-premises single sign-on
+keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO,
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 08/19/2018
+---
+# Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business
+
+**Applies to**
+- Windows 10
+- Azure Active Directory joined
+- Hybrid Deployment
+- Key trust model
+
+## Prerequisites
+
+Before adding Azure Active Directory (Azure AD) joined devices to your existing hybrid deployment, you need to verify the existing deployment can support Azure AD joined devices. Unlike hybrid Azure AD joined devices, Azure AD joined devices do not have a relationship with your Active Directory domain. This factor changes the way in which users authenticate to Active Directory. Validate the following configurations to ensure they support Azure AD joined devices.
+
+- Azure Active Directory Connect synchronization
+- Device Registration
+- Certificate Revocation List (CRL) Distribution Point (CDP)
+- 2016 Domain Controllers
+- Domain Controller certificate
+
+### Azure Active Directory Connect synchronization
+Azure AD join, as well as hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure. To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you are using a key or a certificate. Ensure you have Azure AD Connect installed and functioning properly. To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect).
+
+If you upgraded your Active Directory schema to the Windows Server 2016 schema after installing Azure AD Connect, run Azure AD Connect and run **Refresh directory schema** from the list of tasks.
+![Azure AD Connect Schema Refresh](images/aadj/aadconnectschema.png)
+
+### Azure Active Directory Device Registration
+A fundamental prerequisite of all cloud and hybrid Windows Hello for Business deployments is device registration. A user cannot provision Windows Hello for Business unless the device from which they are trying to provision has registered with Azure Active Directory. For more information about device registration, read [Introduction to device management in Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/devices/overview).
+
+You can use the **dsregcmd.exe** command to determine if your device is registered to Azure Active Directory.
+![dsregcmd outpout](images/aadj/dsregcmd.png)
+
+### CRL Distribution Point (CDP)
+
+Certificates issued by a certificate authority can be revoked. When a certificate authority revokes as certificate, it writes information about the certificate into a revocation list. During certificate validation, Windows 10 consults the CRL distribution point within the certificate to get a list of revoked certificates. Validation compares the current certificate with information in the certificate revocation list to determine if the certificate remains valid.
+
+![Domain Controller Certificate with LDAP CDP](images/aadj/Certificate-CDP.png)
+
+The preceding domain controller certificate shows a CRL distribution path (CDP) using Active Directory. You can determine this because the value in the URL begins with **ldap**. Using Active Directory for domain joined devices provides a highly available CRL distribution point. However, Azure Active Directory joined devices and users on Azure Active Directory joined devices cannot read data from Active Directory, and certificate validation does not provide an opportunity to authenticate prior to reading the certificate revocation list. This becomes a circular problem as the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user cannot read Active Directory because they have not authenticated.
+
+To resolve this issue, the CRL distribution point must be a location that is accessible by Azure Active Directory joined devices that does not require authentication. The easiest solution is to publish the CRL distribution point on a web server that uses HTTP (not HTTPS).
+
+If your CRL distribution point does not list an HTTP distribution point, then you need to reconfigure the issuing certificate authority to include an HTTP CRL distribution point, preferably first in the list of distribution points.
+
+### Windows Server 2016 Domain Controllers
+If you are interested in configuring your environment to use the Windows Hello for Business key rather than a certificate, then your environment must have an adequate number of Windows Server 2016 domain controllers. Only Windows Server 2016 domain controllers are capable of authenticating user with a Windows Hello for Business key. What do we mean by adequate? We are glad you asked. Read [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
+
+If you are interested in configuring your environment to use the Windows Hello for Business certificate rather than key, then you are the right place. The same certificate configuration on the domain controllers is needed, whether you are using Windows Server 2016 domain controllers or domain controllers running earlier versions of Windows Server. You can simply ignore the Windows Server 2016 domain controller requirement.
+
+### Domain Controller Certificates
+
+Certificate authorities write CRL distribution points in certificates as they are issued. If the distribution point changes, then previously issued certificates must be reissued for the certificate authority to include the new CRL distribution point. The domain controller certificate is one the critical components of Azure AD joined devices authenticating to Active Directory
+
+#### Why does Windows need to validate the domain controller certifcate?
+
+Windows Hello for Business enforces the strict KDC validation security feature, which enforces a more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met:
+
+- The domain controller has the private key for the certificate provided.
+- The root CA that issued the domain controller's certificate is in the device's **Trusted Root Certificate Authorities**.
+- The domain controller's certificate has the **KDC Authentication** enhanced key usage.
+- The domain controller's certificate's subject alternate name has a DNS Name that matches the name of the domain.
+
+## Configuring a CRL Distribution Point for an issuing certificate authority
+
+Use this set of procedures to update your certificate authority that issues your domain controller certificates to include an http-based CRL distribution point.
+
+Steps you will perform include:
+
+- [Configure Internet Information Services to host CRL distribution point](#configure-internet-information-services-to-host-crl-distribution-point)
+- [Prepare a file share to host the certificate revocation list](#prepare-a-file-share-to-host-the-certificate-revocation-list)
+- [Configure the new CRL distribution point in the issuing certificate authority](#Configure-the-new-crl-distribution-point-in-the-issuing-certificate-authority)
+- [Publish CRL](#publish-a-new-crl)
+- [Reissue domain controller certificates](#reissue-domain-controller-certificates)
+
+
+### Configure Internet Information Services to host CRL distribution point
+
+You need to host your new certificate revocation list of a web server so Azure AD joined devices can easily validate certificates without authentication. You can host these files on web servers many ways. The following steps is just one and may be useful for those unfamiliar with adding a new CRL distribution point.
+
+> [!IMPORTANT]
+> Do not configure the IIS server hosting your CRL distribution point to use https or a server authentication certificate. Clients should access the distribution point using http.
+
+#### Installing the Web Server
+
+1. Sign-in to your server as a local administrator and start **Server Manager** if it did not start during your sign in.
+2. Click the **Local Server** node in the navigation pane. Click **Manage** and click **Add Roles and Features**.
+3. In the **Add Role and Features Wizard**, click **Server Selection**. Verify the selected server is the local server. Click **Server Roles**. Select the check box next to **Web Server (IIS)**.
+4. Click **Next** through the remaining options in the wizard, accepting the defaults, and install the Web Server role.
+
+#### Configure the Web Server
+
+1. From **Windows Administrative Tools**, Open **Internet Information Services (IIS) Manager**.
+2. Expand the navigation pane to show **Default Web Site**. Select and then right-click **Default Web site** and click **Add Virtual Directory...**.
+3. In the **Add Virtual Directory** dialog box, type **cdp** in **alias**. For physical path, type or browse for the physical file location where you will host the certificate revocation list. For this example, the path **c:\cdp** is used. Click **OK**.
+![Add Virtual Directory](images/aadj/iis-add-virtual-directory.png)
+> [!NOTE]
+> Make note of this path as you will use it later to configure share and file permissions.
+
+4. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Directory Browsing** in the content pane. Click **Enable** in the details pane.
+5. Select **CDP** under **Default Web Site** in the navigation pane. Double-click **Configuration Editor**.
+6. In the **Section** list, navigate to **system.webServer/security/requestFiltering**.
+![IIS Configuration Editor requestFiltering](images/aadj/iis-config-editor-requestFiltering.png)
+In the list of named value-pairs in the content pane, configure **allowDoubleEscapting** to **True**. Click **Apply** in the actions pane.
+![IIS Configuration Editor double escaping](images/aadj/iis-config-editor-allowDoubleEscaping.png)
+7. Close **Internet Information Services (IIS) Manager**.
+
+#### Create a DNS resource record for the CRL distribution point URL
+
+1. On your DNS server or from an administrative workstation, open **DNS Manager** from **Administrative Tools**.
+2. Expand **Forward Lookup Zones** to show the DNS zone for your domain. Right-click your domain name in the navigation pane and click **New Host (A or AAAA)...**.
+3. In the **New Host** dialog box, type **crl** in **Name**. Type the IP address of the web server you configured in **IP Address**. Click **Add Host**. Click **OK** to close the **DNS** dialog box. Click **Done**.
+![Create DNS host record](images/aadj/dns-new-host-dialog.png)
+4. Close the **DNS Manager**.
+
+### Prepare a file share to host the certificate revocation list
+
+These procedures configure NTFS and share permissions on the web server to allow the certificate authority to automatically publish the certificate revocation list.
+
+#### Configure the CDP file share
+
+1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
+2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**.
+3. Select **Share this folder**. Type **cdp$** in **Share name:**. Click **Permissions**.
+![cdp sharing](images/aadj/cdp-sharing.png)
+4. In the **Permissions for cdp$** dialog box, click **Add**.
+5. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**. In the **Object Types** dialog box, select **Computers**, and then click **OK**.
+7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the server running the certificate authority issuing the certificate revocation list, and then click **Check Names**. Click **OK**.
+8. In the **Permissions for cdp$** dialog box, select the certificate authority from the **Group or user names list**. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**.
+![CDP Share Permissions](images/aadj/cdp-share-permissions.png)
+9. In the **Advanced Sharing** dialog box, click **OK**.
+
+#### Disable Caching
+1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
+2. Right-click the **cdp** folder and click **Properties**. Click the **Sharing** tab. Click **Advanced Sharing**.
+3. Click **Caching**. Select **No files or programs from the shared folder are available offline**.
+![CDP disable caching](images/aadj/cdp-disable-caching.png)
+4. Click **OK**.
+
+#### Configure NTFS permission for the CDP folder
+
+1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
+2. Right-click the **cdp** folder and click **Properties**. Click the **Security** tab.
+3. On the **Security** tab, click Edit.
+5. In the **Permissions for cdp** dialog box, click **Add**.
+![CDP NTFS Permissions](images/aadj/cdp-ntfs-permissions.png)
+6. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**. In the **Object Types** dialog box, select **Computers**. Click **OK**.
+7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the certificate authority, and then click **Check Names**. Click **OK**.
+8. In the **Permissions for cdp** dialog box, select the name of the certificate authority from the **Group or user names** list. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**.
+9. Click **Close** in the **cdp Properties** dialog box.
+
+
+### Configure the new CRL distribution point and Publishing location in the issuing certifcate authority
+
+The web server is ready to host the CRL distribution point. Now, configure the issuing certificate authority to publish the CRL at the new location and to include the new CRL distribution point
+
+
+#### Configure the CRL distribution Point
+1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**.
+2. In the navigation pane, right-click the name of the certificate authority and click **Properties**
+3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list.
+4. On the **Extensions** tab, click **Add**. Type **http://crl.[domainname]/cdp/** in **location**. For example, *http://crl.corp.contoso.com/cdp/* or *http://crl.contoso.com/cdp/* (do not forget the trailing forward slash).
+![CDP New Location dialog box](images/aadj/cdp-extension-new-location.png)
+5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**.
+6. Type **.crl** at the end of the text in **Location**. Click **OK**.
+7. Select the CDP you just created.
+![CDP complete http](images/aadj/cdp-extension-complete-http.png)
+8. Select **Include in CRLs. Clients use this to find Delta CRL locations**.
+9. Select **Include in the CDP extension of issued certificates**.
+10. Click **Apply** save your selections. Click **No** when ask to restart the service.
+
+> [!NOTE]
+> Optionally, you can remove unused CRL distribution points and publishing locations.
+
+#### Configure the CRL publishing location
+
+1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**.
+2. In the navigation pane, right-click the name of the certificate authority and click **Properties**
+3. Click **Extensions**. On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list.
+4. On the **Extensions** tab, click **Add**. Type the computer and share name you create for your CRL distribution point in [Configure the CDP file share](#configure-the-cdp-file-share). For example, **\\\app\cdp$\** (do not forget the trailing backwards slash).
+5. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**. Select **\** from the **Variable** list and click **Insert**.
+6. Type **.crl** at the end of the text in **Location**. Click **OK**.
+7. Select the CDP you just created.
+![CDP publishing location](images/aadj/cdp-extension-complete-unc.png)
+8. Select **Publish CRLs to this location**.
+9. Select **Publish Delta CRLs to this location**.
+10. Click **Apply** save your selections. Click **Yes** when ask to restart the service. Click **OK** to close the properties dialog box.
+
+### Publish a new CRL
+
+1. On the issuing certificate authority, sign-in as a local administrator. Start the **Certificate Authority** console from **Administrative Tools**.
+2. In the navigation pane, right-click **Revoked Certificates**, hover over **All Tasks**, and click **Publish**
+![Publish a New CRL](images/aadj/publish-new-crl.png)
+3. In the **Publish CRL** dialog box, select **New CRL** and click **OK**.
+
+#### Validate CDP Publishing
+
+Validate your new CRL distribution point is working.
+
+1. Open a web browser. Navigate to **http://crl.[yourdomain].com/cdp**. You should see two files created from publishing your new CRL.
+![Validate the new CRL](images/aadj/validate-cdp-using-browser.png)
+
+### Reissue domain controller certificates
+
+With the CA properly configured with a valid HTTP-based CRL distribution point, you need to reissue certificates to domain controllers as the old certificate does not have the updated CRL distribution point.
+
+1. Sign-in a domain controller using administrative credentials.
+2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer.
+3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, select the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
+![Certificate Manager Personal store](images/aadj/certlm-personal-store.png)
+4. Right-click the selected certificate. Hover over **All Tasks** and then select **Renew Certificate with New Key...**. In the **Certificate Enrollment** wizard, click **Next**.
+![Renew with New key](images/aadj/certlm-renew-with-new-key.png)
+5. In the **Request Certificates** page of the wizard, verify the selected certificate has the correct certificate template and ensure the status is available. Click **Enroll**.
+6. After the enrollment completes, click **Finish** to close the wizard.
+7. Repeat this procedure on all your domain controllers.
+
+> [!NOTE]
+> You can configure domain controllers to automatically enroll and renew their certificates. Automatic certificate enrollment helps prevent authentication outages due to expired certificates. Refer to the [Windows Hello Deployment Guides](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-deployment-guide) to learn how to deploy automatic certificate enrollment for domain controllers.
+
+> [!IMPORTANT]
+> If you are not using automatic certificate enrollment, create a calendar reminder to alert you two months before the certificate expiration date. Send the reminder to multiple people in the organization to ensure more than one or two people know when these certificates expire.
+
+#### Validate CDP in the new certificate
+
+1. Sign-in a domain controller using administrative credentials.
+2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer.
+3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
+4. Click the **Details** tab. Scroll down the list until **CRL Distribution Points** is visible in the **Field** column of the list. Select **CRL Distribution Point**.
+5. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Click **OK**.
        +![New Certificate with updated CDP](images/aadj/dc-cert-with-new-cdp.png) + + +## Configure and Assign a Trusted Certificate Device Configuration Profile + +Your domain controllers have new certificate that include the new CRL distribution point. Next, you need your enterprise root certificate so you can deploy it to Azure AD joined devices. Deploying the enterprise root certificates to the device, ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD joined devices do not trust domain controller certificates and authentication fails. + +Steps you will perform include: +- [Export Enterprise Root certificate](#export-enterprise-root-certificate) +- [Create and Assign a Trust Certificate Device Configuration Profile](#create-and-assign-a-trust-certificate-device-configuration-profile) + +### Export Enterprise Root certificate + +1. Sign-in a domain controller using administrative credentials. +2. Open the **Run** dialog box. Type **certlm.msc** to open the **Certificate Manager** for the local computer. +3. In the navigation pane, expand **Personal**. Click **Certificates**. In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**. +4. Click the **Certification Path** tab. In the **Certifcation path** view, select the top most node and click **View Certificate**. +![Certificate Path](images/aadj/certlm-cert-path-tab.png) +5. In the new **Certificate** dialog box, click the **Details** tab. Click **Copy to File**. +![Details tab and copy to file](images/aadj/certlm-root-cert-details-tab.png) +6. In the **Certificate Export Wizard**, click **Next**. +7. On the **Export File Format** page of the wizard, click **Next**. +8. On the **File to Export** page in the wizard, type the name and location of the root certificate and click **Next**. Click **Finish** and then click **OK** to close the success dialog box. 
+![Export root certificate](images/aadj/certlm-export-root-certificate.png)
+9. Click **OK** two times to return to the **Certificate Manager** for the local computer. Close the **Certificate Manager**.
+
+### Create and Assign a Trust Certificate Device Configuration Profile
+
+A **Trusted Certificate** device configuration profile is how you deploy trusted certificates to Azure AD joined devices.
+
+1. Sign-in to the [Microsoft Azure Portal](https://portal.azure.com) and select **Microsoft Intune**.
+2. Click **Device configuration**. In the **Device Configuration** blade, click **Create profile**.
+![Intune Create Profile](images/aadj/intune-create-device-config-profile.png)
+3. In the **Create profle** blade, type **Enterprise Root Certificate** in **Name**. Provide a description. Select **Windows 10 and later** from the **Platform** list. Select **Trusted certificate** from the **Profile type** list. Click **Configure**.
+4. In the **Trusted Certificate** blade, use the folder icon to browse for the location of the enterprise root certificate file you created in step 8 of [Export Enterprise Root certificate](#export-enterprise-root-certificate). Click **OK**. Click **Create**.
+![Intune Trusted Certificate Profile](images/aadj/intune-create-trusted-certificate-profile.png)
+5. In the **Enterprise Root Certificate** blade, click **Assignmnets**. In the **Include** tab, select **All Devices** from the **Assign to** list. Click **Save**.
+![Intune Profile assignment](images/aadj/intune-device-config-enterprise-root-assignment.png)
+6. Sign out of the Microsoft Azure Portal.
+
+## Configure Windows Hello for Business Device Enrollment
+
+Sign-in a workstation with access equivalent to a _domain user_.
+
+1. Sign-in to the [Azure Portal](https://portal.azure.com/).
+2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**.
+3. Click **device enrollment**.
+4. Click **Windows enrollment**
+5. Under **Windows enrollment**, click **Windows Hello for Business**.
+![Create Intune Windows Hello for Business Policy](images/aadj/IntuneWHFBPolicy-00.png)
+6. Under **Priority**, click **Default**.
+7. Under **All users and all devices**, click **Settings**.
+8. Select **Enabled** from the **Configure Windows Hello for Business** list.
+9. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software based keys.
+10. Type the desired **Minimum PIN length** and **Maximum PIN length**.
+> [!IMPORTANT]
+> The default minimum PIN length for Windows Hello for Business on Windows 10 is 6. Microsoft Intune defaults the minimum PIN length to 4, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to 6.
+
+![Intune Windows Hello for Business policy settings](images/aadj/IntuneWHFBPolicy-01.png)
+
+11. Select the appropriate configuration for the following settings.
+ * **Lowercase letters in PIN**
+ * **Uppercase letters in PIN**
+ * **Special characters in PIN**
+ * **PIN expiration (days)**
+ * **Remember PIN history**
+> [!NOTE]
+> The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
+
+12. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**.
+13. Select **No** to **Allow phone sign-in**. This feature has been deprecated.
+14. Click **Save**
+15. Sign-out of the Azure portal.
+
+## Section Review
+> [!div class="checklist"]
+> * Configure Internet Information Services to host CRL distribution point
+> * Prepare a file share to host the certificate revocation list
+> * Configure the new CRL distribution point in the issuing certificate authority
+> * Publish CRL
+> * Reissue domain controller certificates
+> * Export Enterprise Root certificate
+> * Create and Assign a Trust Certificate Device Configuration Profile
+> * Configure Windows Hello for Business Device Enrollment
+
+If you plan on using certificates for on-premises single-sign on, perform the additional steps in [Using Certificates for On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md).
+
+
+
+
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
new file mode 100644
index 0000000000..d47f46ccc8
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -0,0 +1,689 @@
+---
+title: Using Certificates for AADJ On-premises Single-sign On single sign-on
+description: Azure Active Directory joined devices in a hybrid Deployment for on-premises single sign-on
+keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO,
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 08/19/2018
+---
+# Using Certificates for AADJ On-premises Single-sign On
+
+**Applies to**
+- Windows 10
+- Azure Active Directory joined
+- Hybrid Deployment
+- Certificate trust
+
+If you plan to use certificates for on-premises single-sign on, then follow these **additional** steps to configure the environment to enroll Windows Hello for Business certificates for Azure AD joined devices.
+
+> [!IMPORTANT]
+> Ensure you have performed the configurations in [Azure AD joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue.
+
+Steps you will perform include:
+- [Prepare Azure AD Connect](#prepare-azure-ad-connect)
+- [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account)
+- [Prepare Active Directory Certificate Services](#prepare-active-directory-certificate-authority)
+- [Install the Network Device Enrollment Services Role](#install-and-configure-the-ndes-role)
+- [Configure Network Device Enrollment Services to work with Microsoft Intune](#configure-network-device-enrollment-services-to-work-with-microsoft-intune)
+- [Download, Install and Configure the Intune Certificate Connector](#download-install-and-configure-the-intune-certificate-connector)
+- [Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile](#create-and-assign-a-simple-certificate-enrollment-protocol-scep-certificate-profile)
+
+## Requirements
+You need to install and configure additional infrastructure to provide Azure AD joined devices with on-premises single-sign on.
+
+- An existing Windows Server 2012 R2 or later Enterprise Certificate Authority
+- A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role
+
+### High Availaibilty
+The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority. Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority.
+
+The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers and use Microsoft Intune to load balance then (in round-robin fashion).
+
+The Network Device Enrollment Service (NDES) server role can issue up to three unique certificate templates.
The server role accomplishes this by mapping the purpose of the certificate request to a configured certificate template. The certificate request purpose has three options:
+
+- Signature
+- Encryption
+- Signature and Encryption
+
+If you need to deploy more than three types of certificates to the Azure AD joined device, you need additional NDES servers. Alternatively, consider consolidating certificates templates to reduce the number of certificate templates.
+
+### Network Requirements
+All communication occurs securely over port 443.
+
+## Prepare Azure AD Connect
+Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain. The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name.
+
+Most environments change the user principal name suffix to match the organization's external domain name (or vanity domain), which prevents the user principal name as a hint to locate a domain controller. Therefore, the certificate needs the user's on-premises distinguished name in the subject to properly locate a domain controller.
+
+To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute. Azure AD Connect version 1.1.819 includes the proper synchronization rules need to for these attributes.
+
+### Verify AAD Connect version
+Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_.
+
+1. Open **Syncrhonization Services** from the **Azure AD Connect** folder.
+2. In the **Syncrhonization Service Manager**, click **Help** and then click **About**.
+3.
If the version number is not **1.1.819** or later, then upgrade Azure AD Connect to the latest version.
+
+### Verify the onPremisesDistinguishedName attribute is synchronized
+The easiest way to verify the onPremisesDistingushedNamne attribute is synchronized is to use Azure AD Graph Explorer.
+
+1. Open a web browser and navigate to https://graphexplorer.azurewebsites.net/
+2. Click **Login** and provide Azure credentials
+3. In the Azure AD Graph Explorer URL, type **https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go**
+4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user.
+![Azure AD Connect On-Prem DN Attribute](images/aadjcert/aadconnectonpremdn.png)
+
+## Prepare the Network Device Enrollment Services (NDES) Service Account
+
+### Create the NDES Servers global security group
+The deployment uses the **NDES Servers** security group to assign the NDES service the proper user right assignments.
+
+Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
+
+1. Open **Active Directory Users and Computers**.
+2. Expand the domain node from the navigation pane.
+3. Right-click the **Users** container. Hover over **New** and click **Group**.
+4. Type **NDES Servers** in the **Group Name** text box.
+5. Click **OK**.
+
+### Add the NDES server to the NDES Servers global security group
+Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
+
+1. Open **Active Directory Users and Computers**.
+2. Expand the domain node from the navigation pane.
+3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group...**.
+4.
Type **NDES Servers** in **Enter the object names to select**. Click **OK**. Click **OK** on the **Active Directory Domain Services** success dialog.
+
+> [!NOTE]
+> For high-availabilty, you should have more than one NDES server to service Windows Hello for Business certificate requests. You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration.
+
+### Create the NDES Service Account
+The Network Device Enrollment Services (NDES) role runs under a service account. Typically, it is preferential to run services using a Group Managed Service Account (GMSA). While the NDES role can be configured to run using a GMSA, the Intune Certificate Connector was not designed nor tested using a GMSA and is considered an unsupported configuration. The deployment uses a normal services account.
+
+Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
+
+1. In the navigation pane, expand the node that has your domain name. Select **Users**.
+2. Right-click the **Users** container. Hover over **New** and then select **User**. Type **NDESSvc** in **Full Name** and **User logon name**. Click **Next**.
+3. Type a secure password in **Password**. Confirm the secure password in **Confirm Password**. Clear **User must change password at next logon**. Click **Next**.
+4. Click **Finish**.
+
+> [!IMPORTANT]
+> Configuring the service's account password to **Password never expires** may be more convenient, but it presents a security risk. Normal service account passwords should expire in accordance with the organizations user password expiration policy. Create a reminder to change the service account's password two weeks before it will expire. Share the reminder with others that are allowed to change the password to ensure the password is changed before it expires.
+
+### Create the NDES Service User Rights Group Policy object
+The Group Policy object ensures the NDES Service account has the proper user right assign all the NDES servers in the **NDES Servers** group. As you add new NDES servers to your environment and this group, the service account automatically receives the proper user rights through Group Policy.
+
+Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
+
+1. Start the **Group Policy Management Console** (gpmc.msc)
+2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+3. Right-click **Group Policy object** and select **New**.
+4. Type **NDES Service Rights** in the name box and click **OK**.
+5. In the content pane, right-click the **NDES Service Rights** Group Policy object and click **Edit**.
+6. In the navigation pane, expand **Policies** under **Computer Configuration**.
+7. Expand **Windows Settings > Security Settings > Local Policies**. Select **User Rights Assignments**.
+8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings**. and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice.
+9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings**. and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**.
In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice.
+10. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings**. and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** three times.
+11. Close the **Group Policy Management Editor**.
+
+### Configure security for the NDES Service User Rights Group Policy object
+The best way to deploy the **NDES Service User Rights** Group Policy object is to use security group filtering. This enables you to easily manage the computers that receive the Group Policy settings by adding them to a group.
+
+Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
+
+1. Start the **Group Policy Management Console** (gpmc.msc)
+2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+3. Double-click the **NDES Service User Rights** Group Policy object.
+4. In the **Security Filtering** section of the content pane, click **Add**. Type **NDES Servers** or the name of the security group you previously created and click **OK**.
+5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**.
+6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**.
+
+### Deploy the NDES Service User Rights Group Policy object
+The application of the **NDES Service User Rights** Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all computers. However, the security group filtering ensures only computers included in the **NDES Servers** global security group receive and apply the Group Policy object, which results in providing the **NDESSvc** service account with the proper user rights.
+
+Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
+
+1. Start the **Group Policy Management Console** (gpmc.msc)
+2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO**
+3. In the **Select GPO** dialog box, select **NDES Service User Rights** or the name of the Group Policy object you previously created and click **OK**.
+
+> [!IMPORTANT]
+> Linking the **NDES Service User Rights** Group Policy object to the domain ensures the Group Policy object is in scope for all computers. However, not all computers will have the policy settings applied to them. Only computers that are members of the **NDES Servers** global security group receive the policy settings. All others computers ignore the Group Policy object.
+
+## Prepare Active Directory Certificate Authority
+You must prepare the public key infrastructure and the issuing certificate authority to support issuing certificates using Microsoft Intune and the Network Devices Enrollment Services (NDES) server role.
In this task, you will + +- Configure the certificate authority to let Intune provide validity periods +- Create an NDES-Intune Authentication Certificate template +- Create an Azure AD joined Windows Hello for Business authentication certificate template +- Publish certificate templates + +### Configure the certificate authority to let Intune provide validity periods +When deploying certificates using Microsoft Intune, you have the option of providing the validity period in the SCEP certificate profile rather than relying on the validity period in the certificate template. If you need to issue the same certificate with different validity periods, it may be advantageous to use the SCEP profile, given the limited number of certificates a single NDES server can issue. + +> [!NOTE] +> Skip this step if you do not want to enable Microsoft Intune to specify the validity period of the certificate. Without this configuiration, the certificate request uses the validity period configured in the certificate template. + +Sign-in to the issuing certificate authority with access equivalent to _local administrator_. + +1. Open and elevated command prompt. Type the command +``` +certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE +``` +2. Restart the **Active Directory Certificate Services** service. + +### Create an NDES-Intune authentication certificate template +NDES uses a server authentication certificate to authenticate the server endpoint, which encrypts the communication between it and the connecting client. The Intune Certificate Connector uses a client authentication certificate template to authenticate to the certificate registration point. + +Sign-in to the issuing certificate authority or management workstations with _Domain Admin_ equivalent credentials. + +1. Open the **Certificate Authority** management console. +2. Right-click **Certificate Templates** and click **Manage**. +3. 
In the **Certificate Template Console**, right-click the **Computer** template in the details pane and click **Duplicate Template**.
+4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
+ **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
+5. On the **Subject** tab, select **Supply in the request**.
+6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**.
+7. On the **Security** tab, click **Add**.
+8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**.
+9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
+10. Click on the **Apply** to save changes and close the console.
+
+### Create an Azure AD joined Windows Hello for Business authentication certificate template
+During Windows Hello for Business provisioning, Windows 10 requests an authentication certificate from the Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server.
+
+Sign-in a certificate authority or management workstations with _Domain Admin equivalent_ credentials.
+
+1. Open the **Certificate Authority** management console.
+2. Right-click **Certificate Templates** and click **Manage**.
+3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**.
+4. On the **Compatibility** tab, clear the **Show resulting changes** check box.
Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
+5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
+ **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the deployment.
+6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
+7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
+8. On the **Subject** tab, select **Supply in the request**.
+9. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list. Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**.
+10. On the **Security** tab, click **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and click **OK**.
+12. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for the **Read**, **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.
+13. Close the console.
+
+### Publish certificate templates
+The certificate authority may only issue certificates for certificate templates that are published to that certificate authority.
If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
+
+> [!Important]
+> Ensure you publish the **AADJ WHFB Authentication** certificate templates to the certificate authority that Microsoft Intune uses by way of the NDES servers. The NDES configuration asks you to choose a certificate authority from which it requests certificates. You need to publish that cerificate templates to that issuing certificate authority. The **NDES-Intune Authentication** certificate is directly enrolled and can be published to any certificate authority.
+
+Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
+
+1. Open the **Certificate Authority** management console.
+2. Expand the parent node from the navigation pane.
+3. Click **Certificate Templates** in the navigation pane.
+4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue.
+5. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **AADJ WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
+6. Close the console.
+
+## Install and Configure the NDES Role
+This section includes the following topics:
+* Install the Network Device Enrollment Service Role
+* Configure the NDES service account
+* Configure the NDES role and Certificate Templates
+* Create a Web Application Proxy for the Internal NDES URL.
+* Enroll for an NDES-Intune Authentication Certificate
+* Configure the Web Server Certificate for NDES
+* Verify the configuration
+
+### Install the Network Device Enrollment Services Role
+Install the Network Device Enrollment Service role on a computer other than the issuing certificate authority.
+
+Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
+
+1. Open **Server Manager** on the NDES server.
+2. Click **Manage**. Click **Add Roles and Features**.
+3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**. Select **Role-based or feature-based installation** on the **Select installation type** page. Click **Next**. Click **Select a server from the server pool**. Select the local server from the **Server Pool** list. Click **Next**.
+![Server Manager destination server](images/aadjCert/servermanager-destination-server-ndes.png)
+4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list.
+![Server Manager AD CS Role](images/aadjCert/servermanager-adcs-role.png)
+Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**.
+![Server Manager Add Features](images/aadjcert/serverManager-adcs-add-features.png)
+5. On the **Features** page, expand **.NET Framework 3.5 Features**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Expand **.NET Framework 4.5 Features**. Expand **WCF Services**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**.
+![Server Manager Feature HTTP Activation](images/aadjcert/servermanager-adcs-http-activation.png)
+6. On the **Select role services** page, clear the **Certificate Authority** check box. Select the **Network Device Enrollment Service**. Click **Add Features** on the **Add Roles and Features Wizard** dialog box.
Click **Next**.
+![Server Manager ADCS NDES Role](images/aadjcert/servermanager-adcs-ndes-role-checked.png)
+7. Click **Next** on the **Web Server Role (IIS)** page.
+8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**.
+ * **Web Server > Security > Request Filtering**
+ * **Web Server > Application Development > ASP.NET 3.5**.
+ * **Web Server > Application Development > ASP.NET 4.5**. .
+ * **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility**
+ * **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility**
+![Server Manager Web Server Role](images/aadjcert/servermanager-adcs-webserver-role.png)
+9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**.
+> [!Important]
+> The .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \:\\Sources\SxS\
+![.NET Side by Side](images/aadjcert/dotNet35sidebyside.png)
+
+### Configure the NDES service account
+This task adds the NDES service account to the local IIS_USRS group. The task also configures the NDES service account for Kerberos authentication and delegation
+
+#### Add the NDES service account to the IIS_USRS group
+Sign-in the NDES server with access equivalent to _local administrator_.
+
+1. Start the **Local Users and Groups** management console (lusrmgr.msc).
+2. Select **Groups** from the navigation pane. Double-click the IIS_IUSRS group.
+3. In the **IIS_IUSRS Properties** dialog box, click **Add**. Type **NDESSvc** or the name of your NDES service account. Click **Check Names** to verify the name and then click **OK**. Click **OK** to close the properties dialog box.
+4.
Close the management console.
+
+#### Register a Service Principal Name on the NDES Service account
+Sign-in the NDES server with a access equivalent to _Domain Admins_.
+
+1. Open an elevated command prompt.
+2. Type the following command to register the service principal name
        +```setspn -s http/[FqdnOfNdesServer] [DomainName\\NdesServiceAccount]```
        +where **[FqdnOfNdesServer]** is the fully qualified domain name of the NDES server and **[DomainName\NdesServiceAccount]** is the domain name and NDES service account name separated by a backslash (\\). An example of the command looks like the following.
        +```setspn -s http/ndes.corp.contoso.com contoso\ndessvc```
+
+> [!NOTE]
+> If you use the same service account for multiple NDES Servers, repeat the following task for each NDES server under which the NDES service runs.
+
+![Set SPN command prompt](images/aadjcert/setspn-commandprompt.png)
+
+#### Configure the NDES Service account for delegation
+The NDES service enrolls certificates on behalf of users. Therefore, you want to limit the actions it can perform on behalf of the user. You do this through delegation.
+
+Sign-in a domain controller with a minimum access equivalent to _Domain Admins_.
+
+1. Open **Active Directory Users and Computers**
+2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab.
+![NDES Delegation Tab](images/aadjcert/ndessvcdelegationtab.png)
+3. Select **Trust this user for delegation to specified services only**.
+4. Select **Use any authentication protocol**.
+5. Click **Add**.
+6. Click **Users or Computers...** Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Avaiable services** list, select **HOST**. Click **OK**.
+![NDES Service delegation to NDES host](images/aadjcert/ndessvcdelegation-host-ndes-spn.png)
+7. Repeat steps 5 and 6 for each NDES server using this service account.8. Click **Add**.
+8. Click **Users or computers...** Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices. From the **Available services** list, select **dcom**. Hold the **CTRL** key and select **HOST**. Click **OK**.
+9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates.
+![NDES Service delegation complete](images/aadjcert/ndessvcdelegation-host-ca-spn.png)
+10. Click **OK**.
Close **Active Directory Users and Computers**.
+
+### Configure the NDES Role and Certificate Templates
+This task configures the NDES role and the certificate templates the NDES server issues.
+
+#### Configure the NDES Role
+Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
+
+> [!NOTE]
+> If you closed Server Manger from the last set of tasks, start Server Manager and click the action flag that shows a yellow exclamation point.
+
+![Server Manager Post-Install Yellow flag](images/aadjcert/servermanager-post-ndes-yellowactionflag.png)
+
+1. Click the **Configure Active Directory Certificate Services on the destination server** link.
+2. On the **Credentials** page, click **Next**.
+![NDES Installation Credentials](images/aadjcert/ndesconfig01.png)
+3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next**
+![NDES Role Services](images/aadjcert/ndesconfig02.png)
+4. On the **Service Account for NDES** page, select **Specify service account (recommended)**. Click **Select...** Type the user name and password for the NDES service account in the **Windows Security** dialog box. Click **Next**.
+![NDES Service Account for NDES](images/aadjcert/ndesconfig03b.png)
+5. On the **CA for NDES** page, select **CA name**. Click **Select...**. Select the issuing certificate authority from which the NDES server requests certificates. Click **Next**.
+![NDES CA selection](images/aadjcert/ndesconfig04.png)
+6. On the **RA Information**, click **Next**.
+7. On the **Cryptography for NDES** page, click **Next**.
+8. Review the **Confirmation** page. Click **Configure**.
+![NDES Confirmation](images/aadjcert/ndesconfig05.png)
+8. Click **Close** after the configuration completes.
+
+#### Configure Certificate Templates on NDES
+A single NDES server can request a maximum of three certificate template.
The NDES server determines which certificate to issue based on the incoming certificate request that is assigned in the Microsoft Intune SCEP certificate profile. The Microsoft Intune SCEP certificate profile has three values.
+* Digital Signature
+* Key Encipherment
+* Key Encipherment, Digital Signature
+
+Each value maps to a registry value name in the NDES server. The NDES server translate an incoming SCEP provide value into the correspond certificate template. The table belows shows the SCEP profile value to the NDES certificate template registry value name
+
+|SCEP Profile Key usage| NDES Registry Value Name|
+|:----------:|:-----------------------:|
+|Digital Signature|SignatureTemplate|
+|Key Encipherment|EncryptionTemplate|
+|Key Encipherment
        Digital Signature|GeneralPurposeTemplate|
+
+Ideally, you should match the certificate request with registry value name to keep the configuration intuitive (encryption certificates use the encryptionTemplate, signature certificates use the signature template, etc.). A result of this intuitive design is the potential exponential growth in NDES server. Imagine an organization that needs to issue nine unique signature certificates across their enterprise.
+
+ If the need arises, you can configure a signature certificate in the encryption registry value name or an encryption certificate in the signature registry value to maximize the use of your NDES infrastructure. This unintuitive design requires current and accurate documentation of the configuration to ensure the SCEP certificate profile is configured to enroll the correct certificate, regardless of the actual purpose. Each organization needs to balance ease of configuration and administration with additional NDES infrastructure and the management overhead that comes with it.
+
+Sign-in to the NDES Server with _local administrator_ equivalent credentials.
+
+1. Open an elevated command prompt.
+2. Using the table above, decide which registry value name you will use to request Windows Hello for Business authentication certificates for Azure AD joined devices.
+3. Type the following command
        +```reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v [registryValueName] /t REG_SZ /d [certificateTemplateName]```
        +where **registryValueName** is one of the three value names from the above table and where **certificateTemplateName** is the name of the certificate template you created for Windows Hello for Business Azure AD joined devices. Example:
        +```reg add HKLM\Software\Microsoft\Cryptography\MSCEP /v SignatureTemplate /t REG_SZ /d AADJWHFBAuthentication```
        +4. Type **Y** when the command asks for permission to overwrite the existing value. +5. Close the command prompt. + +> [!IMPORTANT] +> Use the **name** of the certificate template; not the **display name**. The certificate template name does not include spaces. You can view the certificate names by looking at the **General** tab of the certificate template's properties in the **Certifcates Templates** management console (certtmpl.msc). + +### Create a Web Application Proxy for the internal NDES URL. +Certificate enrollment for Azure AD joined devices occurs over the Internet. As a result, the internal NDES URLs must be accessible externally. You can do this easily and securely using Azure Active Directory Application Proxy. Azure AD Application Proxy provides single sign-on and secure remote access for web applications hosted on-premises, such as Network Device Enrollment Services. + +Ideally, you configure your Microsoft Intune SCEP certificate profile to use multiple external NDES URLs. This enables Microsoft Intune to round-robin load balance the certificate requests to identically configured NDES Servers (each NDES server can accommodate approximately 300 concurrent requests). Microsoft Intune sends these requests to Azure AD Application Proxies. + +Azure AD Application proxies are serviced by lightweight Application Proxy Connector agents. These agents are installed on your on-premises, domain joined devices and make authenticated secure outbound connection to Azure, waiting to process requests from Azure AD Application Proxies. You can create connector groups in Azure Active Directory to assign specific connectors to service specific applications. + +Connector group automatically round-robin, load balance the Azure AD Application proxy requests to the connectors within the assigned connector group. 
This ensures Windows Hello for Business certificate requests have multiple dedicated Azure AD Application Proxy connectors exclusively available to satisfy enrollment requests. Load balancing the NDES servers and connectors should ensure users enroll their Windows Hello for Business certificates in a timely manner. + +#### Download and Install the Application Proxy Connector Agent +Sign-in a workstation with access equivalent to a _domain user_. + +1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. +2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. +3. Under **MANAGE**, click **Application proxy**. +4. Click **Download connector service**. Click **Accept terms & Download**. Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain. +![Azure Application Proxy Connectors](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png) +5. Sign-in the computer that will run the connector with access equivalent to a _domain user_. +> [!IMPORTANT] +> Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy. Strategtically locate Azure AD application proxy connectors throughout your organization to ensure maximum availablity. Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers. + +6. Start **AADApplicationProxyConnectorInstaller.exe**. +7. Read the license terms and then select **I agree to the license terms and conditions**. Click **Install**. +![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-01.png) +8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**. +![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-02.png) +9. When the installation completes. 
Read the information regarding outbound proxy servers. Click **Close**. +![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-03.png) +10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments. + +#### Create a Connector Group +Sign-in a workstation with access equivalent to a _domain user_. + +1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. +2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. +3. Under **MANAGE**, click **Application proxy**. +![Azure Application Proxy Connector groups](images/aadjcert/azureconsole-applicationproxy-connectors-default.png) +4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**. +![Azure Application New Connector Group](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png) +5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests. +6. Click **Save**. + +#### Create the Azure Application Proxy +Sign-in a workstation with access equivalent to a _domain user_. + +1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. +2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. +3. Under **MANAGE**, click **Application proxy**. +4. Click **Configure an app**. +5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**. Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server. Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL. +6. 
Next to **Internal Url**, type the internal fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy. For example, https://ndes.corp.mstepdemo.net). This must match the internal DNS name of the NDES server and ensure you prefix the Url with **https**. +7. Under **Internal Url**, select **https://** from the first list. In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy. In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy. It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net). +![Azure NDES Application Proxy Configuration](images/aadjcert/azureconsole-appproxyconfig.png) +8. Select **Passthrough** from the **Pre Authentication** list. +9. Select **NDES WHFB Connectors** from the **Connector Group** list. +10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**. Under the **Translate URLLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**. +11. Click **Add**. +12. Sign-out of the Azure Portal. +> [!IMPORTANT] +> Write down the internal and external URLs. You will need this information when you enroll the NDES-Intune Authentication certificate. + + +### Enroll the NDES-Intune Authentication certificate +This task enrolls a client and server authentication certificate used by the Intune connector and the NDES server. + +Sign-in the NDES server with access equivalent to _local administrators_. + +1. Start the Local Computer **Certificate Manager** (certlm.msc). +2. Expand the **Personal** node in the navigation pane. +3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**. +4. Click **Next** on the **Before You Begin** page. +5. 
Click **Next** on the **Select Certificate Enrollment Policy** page. +6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box. +7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link + ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png) +8. Under **Subject name**, select **Common Name** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**. +9. Under **Alternative name**, select **DNS** from the **Type** list. Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**). Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished. +9. Click **Enroll** +10. Repeat these steps for all NDES Servers used to request Windows Hello for Business authentication certificates for Azure AD joined devices. + +### Configure the Web Server Role +This task configures the Web Server role on the NDES server to use the server authentication certificate. + +Sign-in the NDES server with access equivalent to _local administrator_. + +1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. +2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. +![NDES IIS Console](images/aadjcert/ndes-iis-console.png) +3. Click **Bindings...*** under **Actions**. Click **Add**. +![NDES IIS Console](images/aadjcert/ndes-iis-bindings.png) +4. Select **https** from **Type**. Confirm the value for **Port** is **443**. +5. Select the certificate you previously enrolled from the **SSL certificate** list. Select **OK**. 
+![NDES IIS Console](images/aadjcert/ndes-iis-bindings-add-443.png) +6. Select **http** from the **Site Bindings** list. Click **Remove**. +7. Click **Close** on the **Site Bindings** dialog box. +8. Close **Internet Information Services (IIS) Manager**. + +### Verify the configuration +This task confirms the TLS configuration for the NDES server. + +Sign-in the NDES server with access equivalent to _local administrator_. + +#### Disable Internet Explorer Enhanced Security Configuration +1. Open **Server Manager**. Click **Local Server** from the navigation pane. +2. Click **On** next to **IE Enhanced Security Configuration** in the **Properties** section. +3. In the **Internet Explorer Enhanced Security Configuration** dialog, under **Administrators**, select **Off**. Click **OK**. +4. Close **Server Manager**. + +#### Test the NDES web server +1. Open **Internet Explorer**. +2. In the navigation bar, type +```https://[fqdnHostName]/certsrv/mscep/mscep.dll``` +where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server. + +A web page similar to the following should appear in your web browser. If you do not see similar page, or you get a **503 Service unavailable**, ensure the NDES Service account as the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. + +![NDES IIS Console](images/aadjcert/ndes-https-website-test-01.png) + +Confirm the web site uses the server authentication certificate. +![NDES IIS Console](images/aadjcert/ndes-https-website-test-01-show-cert.png) + + +## Configure Network Device Enrollment Services to work with Microsoft Intune +You have successfully configured the Network Device Enrollment Services. You must now modify the configuration to work with the Intune Certificate Connector. In this task, you will enable the NDES server and http.sys to handle long URLs. 
+ +- Configure NDES to support long URLs + +### Configure NDES and HTTP to support long URLs +Sign-in the NDES server with access equivalent to _local administrator_. + +#### Configure the Default Web Site +1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**. +2. Expand the node that has the name of the NDES server. Expand **Sites** and select **Default Web Site**. +3. In the content pane, double-click **Request Filtering**. Click **Edit Feature Settings...** in the action pane. +![Intune NDES Request filtering](images/aadjcert/NDES-IIS-RequestFiltering.png) +4. Select **Allow unlisted file name extensions**. +5. Select **Allow unlisted verbs**. +6. Select **Allow high-bit characters**. +7. Type **30000000** in **Maximum allowed content length (Bytes)**. +8. Type **65534** in **Maximum URL length (Bytes)**. +9. Type **65534** in **Maximum query string (Bytes)**. +10. Click **OK**. Close **Internet Information Services (IIS) Manager**. + +#### Configure Parameters for HTTP.SYS +1. Open an elevated command prompt. +2. Run the following commands
        +```reg add HKLM\CurrentControlSet\Services\HTTP\Parameters /v MaxFieldLength /t REG_DWORD /d 65534```
        +```reg add HKLM\CurrentControlSet\Services\HTTP\Parameters /v MaxRequestBytes /t REG_DWORD /d 65534```
        +3. Restart the NDES server. + +## Download, Install and Configure the Intune Certificate Connector +The Intune Certificate Connector application enables Microsoft Intune to enroll certificates using your on-premises PKI for users on devices managed by Microsoft Intune. + +### Download Intune Certificate Connector +Sign-in a workstation with access equivalent to a _domain user_. + +1. Sign-in to the [Azure Portal](https://portal.azure.com/). +2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**. +![Microsoft Intune Console](images/aadjcert/microsoftintuneconsole.png) +3. Select **Device Configuration**, and then select **Certificate Authority**. +![Intune Certificate Authority](images/aadjcert/intunedeviceconfigurationcertauthority.png) +4. Click **Add**, and then click **Download the certificate connector software** under the **Steps to install connector for SCEP** section. +![Intune Download Certificate connector](images/aadjcert/intunedownloadcertconnector.png) +5. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server. +6. Sign-out of the Azure Portal. + +### Install the Intune Certificate Connector +Sign-in the NDES server with access equivalent to _domain administrator_. + +1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server. +2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server. +3. On the **Microsoft Intune** page, click **Next**. +![Intune Connector Install 01](images/aadjcert/intunecertconnectorinstall-01.png) +4. Read the **End User License Agreement**. Click **Next** to accept the agreement and to proceed with the installation. +5. 
On the **Destination Folder** page, click **Next**. +6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**. +![Intune Connector Install 03](images/aadjcert/intunecertconnectorinstall-03.png) +7. On the **Client certificate for Microsoft Intune** page, Click **Select**. Select the certificate previously enrolled for the NDES server. Click **Next**. +![Intune Connector Install 05](images/aadjcert/intunecertconnectorinstall-05.png) +> [!NOTE] +> The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate. However, the application rembers the selection and shows it in the next page. + +8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**. +9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**. +![Intune Connector Install 06](images/aadjcert/intunecertconnectorinstall-06.png) +> [!NOTE] +> You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder + +10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task. +![Intune Connector install 07](images/aadjcert/intunecertconnectorinstall-07.png) + +### Configure the Intune Certificate Connector +Sign-in the NDES server with access equivalent to _domain administrator_. + +1. The **NDES Connector** user interface should be open from the last task. +> [!NOTE] +> If the **NDES Connector** user interface is not open, you can start it from **\\NDESConnectorUI\NDESConnectorUI.exe**. + +2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect. 
Click **Apply** +![Intune Certificate Connector Configuration 01](images/aadjcert/intunecertconnectorconfig-01.png) + +3. Click **Sign-in**. Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role. +![Intune Certificate Connector Configuration 02](images/aadjcert/intunecertconnectorconfig-02.png) +> [!IMPORTANT] +> The user account must have a valid Intune licenese asssigned. If the user account does not have a valid Intune license, the sign-in fails. + +4. Optionally, you can configure the NDES Connector for certificate revocation. If you want to do this, continue to the next task. Otherwise, Click **Close**, restart the **Intune Connector Service** and the **World Wide Web Publishing Service**, and skip the next task. + + +### Configure the NDES Connector for certificate revocation (**Optional**) +Optionally (not required), you can configure the Intune connector for certificate revocation when a device is wiped, unenrolled, or when the certificate profile falls out of scope for the targeted user (users is removed, deleted, or the profile is deleted). + +#### Enabling the NDES Service account for revocation +Sign-in the certificate authority used by the NDES Connector with access equivalent to _domain administrator_. + +1. Start the **Certification Authority** management console. +2. In the navigation pane, right-click the name of the certificate authority and select **Properties**. +3. Click the **Security** tab. Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account). Click *Check Names*. Click **OK**. Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission. Click **OK**. +![Configure Intune certificate revocation 02](images/aadjcert/intuneconfigcertrevocation-02.png) +4. 
Close the **Certification Authority** + +#### Enable the NDES Connector for certificate revocation +Sign-in the NDES server with access equivalent to _domain administrator_. + +1. Open the **NDES Connector** user interface (**\\NDESConnectorUI\NDESConnectorUI.exe**). +2. Click the **Advanced** tab. Select **Specify a different account username and password**. TYpe the NDES service account username and password. Click **Apply**. Click **OK** to close the confirmation dialog box. Click **Close**. +![Intune Connector cert revocation configuration 04](images/aadjcert/intunecertconnectorconfig-04.png) +3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**. + +### Test the NDES Connector +Sign-in the NDES server with access equivalent to _domain admin_. + +1. Open a command prompt. +2. Type the following command to confirm the NDES Connector's last connection time is current.
        +```reg query hklm\software\Micosoft\MicrosoftIntune\NDESConnector\ConnectionStatus```
        +3. Close the command prompt. +4. Open **Internet Explorer**. +5. In the navigation bar, type
        +```https://[fqdnHostName]/certsrv/mscep/mscep.dll```
        +where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
        +A web page showing a 403 error (similar to the following) should appear in your web browser. If you do not see similar page, or you get a **503 Service unavailable**, ensure the NDES Service account as the proper user rights. You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source. +![NDES web site test after Intune Certificate Connector](images/aadjcert/ndes-https-website-test-after-intune-connector.png) +6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**. + +## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile + +### Create an AADJ WHFB Certificate Users Group +Sign-in a workstation with access equivalent to a _domain user_. + +1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**. +2. Select **All Services**. Type **Azure Active Directory** to filter the list of services. Under **SERVICES**, Click **Azure Active Directory**. +3. Click **Groups**. Click **New group**. +4. Select **Security** from the **Group type** list. +5. Under **Group Name**, type the name of the group. For example, **AADJ WHFB Certificate Users**. +6. Provide a **Group description**, if applicable. +7. Select **Assigned** from the **Membership type** list. +![Azure AD new group creation](images/aadjcert/azureadcreatewhfbcertgroup.png) +8. Click **Members**. Use the **Select members** pane to add members to this group. When finished click **Select**. +9. Click **Create**. + +### Create a SCEP Certificte Profile +Sign-in a workstation with access equivalent to a _domain user_. + +1. Sign-in to the [Azure Portal](https://portal.azure.com/). +2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**. +3. Select **Device Configuration**, and then click **Profiles**. +4. Select **Create Profile**. 
+![Intune Device Configuration Create Profile](images/aadjcert/intunedeviceconfigurationcreateprofile.png)
+5. Next to **Name**, type **WHFB Certificate Enrollment**.
+6. Next to **Description**, provide a description meaningful for your environment.
+7. Select **Windows 10 and later** from the **Platform** list.
+8. Select **SCEP certificate** from the **Profile** list.
+![WHFB Scep Profile Blade](images/aadjcert/intunewhfbscepprofile-00.png)
+9. The **SCEP Certificate** blade should open. Configure **Certificate validity period** to match your organization.
+> [!IMPORTANT]
+ > Remember that you need to configure your certificate authority to allow Microsoft Intune to configure certificate validity.
+
+10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
+11. Select **Custom** from the **Subject name format** list.
+12. Next to **Custom**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
+13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
+14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority.
+![WHFB SCEP certificate profile Trusted Certificate selection](images/aadjcert/intunewhfbscepprofile-01.png)
+15. Under **Extended key usage**, type **Smart Card Logon** under **Name. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
+16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
+![WHFB SCEP certificate Profile EKUs](images/aadjcert/intunewhfbscepprofile-03.png)
+17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests amongst the URLs listed in the SCEP certificate profile.
+18. Click **OK**.
+19. Click **Create**.
+
+### Assign Group to the WHFB Certificate Enrollment Certificate Profile
+Sign-in a workstation with access equivalent to a _domain user_.
+
+1. Sign-in to the [Azure Portal](https://portal.azure.com/).
+2. Select **All Services**. Type **Intune** to filter the list of services. Click **Microsoft Intune**.
+3. Select **Device Configuration**, and then click **Profiles**.
+4. Click **WHFB Certificate Enrollment**.
+![WHFB Scep Profile landing](images/aadjcert/intunewhfbscepprofile-04.png)
+5. Click **Assignments**.
+6. In the **Assignments** pane, Click **Include**. Select **Selected Groups** from the **Assign to** list. Click **Select groups to include**.
+![WHFB SCEP Profile Assignment](images/aadjcert/intunewhfbscepprofileassignment.png)
+7. Select the **AADJ WHFB Certificate Users** group. Click **Select**.
+8. Click **Save**.
+
+You have successfully completed the configuration. Add users that need to enroll a Windows Hello for Business authentication certificate to the **AADJ WHFB Certificate Users** group. This group, combined with the device enrollment Windows Hello for Business configuration prompts the user to enroll for Windows Hello for Business and enroll a certificate that can be used to authentication to on-premises resources.
+
+## Section Review
+> [!div class="checklist"]
+> * Requirements
+> * Prepare Azure AD Connect
+> * Prepare the Network Device Enrollment Services (NDES) Service Acccount
+> * Prepare Active Directory Certificate Authority
+> * Install and Configure the NDES Role
+> * Configure Network Device Enrollment Services to work with Microsoft Intune
+> * Download, Install, and Configure the Intune Certificate Connector
+> * Create and Assign a Simple Certificate Enrollment Protocol (SCEP Certificate Profile)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
new file mode 100644
index 0000000000..9145280789
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md
@@ -0,0 +1,45 @@
+---
+title: Azure AD Join Single Sign-on Deployment Guides
+description: Azure Active Directory joined devices in a hybrid Deployment for on-premises single sign-on
+keywords: identity, PIN, biometric, Hello, passport, AADJ, SSO,
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 08/19/2018
+---
+# Azure AD Join Single Sign-on Deployment Guides
+
+**Applies to**
+- Windows 10
+- Azure Active Directory joined
+- Hybrid deployment
+
+Windows Hello for Business combined with Azure Active Directory joined devices makes it easy for users to securely access cloud-based resources using a strong, two-factor credential. Some resources may remain on-premises as enterprises transition resources to the cloud and Azure AD joined devices may need to access these resources. With additional configurations to your current hybrid deployment, you can provide single sign-on to your on-premises resources for Azure Active Directory joined devices using Windows Hello for Business, using a key or a certificate.
+
+## Key vs. Certificate
+
+Enterprises can use either a key or a certificate to provide single-sign on for on-premises resources. Both types of authentication provide the same security; one is not more secure than the other.
+
+When using a key, the on-premises environment needs an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
+
+When using a certificate, the on-premises environment can use Windows Server 2008 R2 and later domain controllers, which removes the Windows Server 2016 domain controller requirement. However, single-sign on using a key requires additional infrastructure to issue a certificate when the user enrolls for Windows Hello for Business. Azure AD joined devices enroll certificates using Microsoft Intune or a compatible Mobile Device Management (MDM). Microsoft Intune and Windows Hello for Business use the Network Device Enrollment Services (NDES) role and support Microsoft Intune connector.
+
+To deploy single sign-on for Azure AD joined devices using keys, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md).
+To deploy single sign-on for Azure AD joined devices using, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) and then [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md).
+
+## Related topics
+
+- [Windows Hello for Business](hello-identity-verification.md)
+- [How Windows Hello for Business works](hello-how-it-works.md)
+- [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md)
+- [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md)
+- [Prepare people to use Windows Hello](hello-prepare-people-to-use.md)
+- [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
+- [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
+- [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
+
+
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
index 9ce7a7999e..33d6215205 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-new-install.md
@@ -9,24 +9,25 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 10/20/2017 +ms.date: 08/19/2018 --- # Windows Hello for Business Certificate Trust New Installation **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Certificate trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. -Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid certificate trust deployments of Windows Hello for Business rely on these technolgies +Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid certificate trust deployments of Windows Hello for Business rely on these technologies * [Active Directory](#active-directory) * [Public Key Infrastructure](#public-key-infrastructure) * [Azure Active Directory](#azure-active-directory) -* [Active Directory Federation Services](#active-directory-federation-services) +* [Multi-factor Authentication Services](#multi-factor-authentication-services) -New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your exsting envrionment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) section to prepare your Windows Hello for Business deployment by configuring Azure device registration. +New installations are considerably more involved than existing implementations because you are building the entire infrastructure. 
Microsoft recommends you review the new installation baseline to validate your existing environment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) section to prepare your Windows Hello for Business deployment by configuring Azure device registration. The new installation baseline begins with a basic Active Directory deployment and enterprise PKI. This document expects you have Active Directory deployed using Windows Server 2008 R2 or later domain controllers. @@ -68,7 +69,7 @@ Sign-in using _Enterprise Admin_ equivalent credentials on Windows Server 2012 o Install-AdcsCertificateAuthority ``` -## Configure a Production Public Key Infrastructure +### Configure a Production Public Key Infrastructure If you do have an existing public key infrastructure, please review [Certification Authority Guidance](https://technet.microsoft.com/library/hh831574.aspx) from Microsoft TechNet to properly design your infrastructure. Then, consult the [Test Lab Guide: Deploying an AD CS Two-Tier PKI Hierarchy](https://technet.microsoft.com/library/hh831348.aspx) for instructions on how to configure your public key infrastructure using the information from your design session. 
@@ -91,8 +92,8 @@ The next step of the deployment is to follow the [Creating an Azure AD tenant](h > * Create an Azure Active Directory Tenant. > * Purchase the appropriate Azure Active Directory subscription or licenses, if necessary. -## Multifactor Authentication Services ## -Windows Hello for Business uses multifactor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multifactor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA +## Multifactor Authentication Services +Windows Hello for Business uses multi-factor authentication during provisioning and during user initiated PIN reset scenarios, such as when a user forgets their PIN. There are two preferred multi-factor authentication configurations with hybrid deployments—Azure MFA and AD FS using Azure MFA Review the [What is Azure Multi-Factor Authentication](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication) topic to familiarize yourself its purpose and how it works. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md index 8a9bbb737d..6a8e0bd587 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md 
@@ -9,19 +9,20 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 03/26/2018 +ms.date: 08/18/2018 --- # Configure Device Registration for Hybrid Windows Hello for Business **Applies to** -- Windows 10 - ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. - -You're environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication. +- Windows 10, version 1703 or later +- Hybrid deployment +- Certificate trust + +Your environment is federated and you are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration and device write-back to enable proper device authentication. + > [!IMPORTANT] -> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. +> If your environment is not federated, review the [New Installation baseline](hello-hybrid-cert-new-install.md) section of this deployment document to learn how to federate your environment for your Windows Hello for Business deployment. Use this three phased approach for configuring device registration. 1. [Configure devices to register in Azure](#configure-azure-for-device-registration) 
@@ -37,17 +38,17 @@ Use this three phased approach for configuring device registration. > You can learn about this and more by reading [Introduction to Device Management in Azure Active Directory.](https://docs.microsoft.com/en-us/azure/active-directory/device-management-introduction) ## Configure Azure for Device Registration -Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. +Begin configuring device registration to support Hybrid Windows Hello for Business by configuring device registration capabilities in Azure AD. -To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/) +To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/) ## Configure Active Directory to support Azure device synchronization -Azure Active Directory is now configured for device registration. Next, you need to configure the on-premises Active Directory to support synchronizing hybrid Azure AD joined devices. Begin with upgrading the Active Directory Schema +Azure Active Directory is now configured for device registration. Next, you need to configure the on-premises Active Directory to support synchronizing hybrid Azure AD joined devices. Begin with upgrading the Active Directory Schema -### Upgrading Active Directory to the Windows Server 2016 Schema +### Upgrading Active Directory to the Windows Server 2016 Schema -To use Windows Hello for Business with Hybrid Azure AD joined devices, you must first upgrade your Active Directory schema to Windows Server 2016. 
+To use Windows Hello for Business with Hybrid Azure AD joined devices, you must first upgrade your Active Directory schema to Windows Server 2016. > [!IMPORTANT] > If you already have a Windows Server 2016 domain controller in your forest, you can skip **Upgrading Active Directory to the Windows Server 2016 Schema** (this section). @@ -58,17 +59,17 @@ To locate the schema master role holder, open and command prompt and type: ```Netdom query fsmo | findstr -i schema``` -![Netdom example output](images\hello-cmd-netdom.png) +![Netdom example output](images/hello-cmd-netdom.png) The command should return the name of the domain controller where you need to adprep.exe. Update the schema locally on the domain controller hosting the Schema master role. #### Updating the Schema -Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory. +Windows Hello for Business uses asymmetric keys as user credentials (rather than passwords). During enrollment, the public key is registered in an attribute on the user object in Active Directory. The schema update adds this new attribute to Active Directory. Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. -Sign-in to the domain controller hosting the schema master operational role using Enterprise Admin equivalent credentials. +Sign-in to the domain controller hosting the schema master operational role using enterprise administrator equivalent credentials. 1. Open an elevated command prompt. 2. Type ```cd /d x:\support\adprep``` where *x* is the drive letter of the DVD or mounted ISO. 
@@ -86,7 +87,7 @@ Review the [AD FS Design guide](https://docs.microsoft.com/en-us/windows-server/ Once you have your AD FS design ready, review [Deploying a Federation Server farm](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/deploying-a-federation-server-farm) to configure AD FS in your environment. > [!IMPORTANT] -> During your AD FS deployment, skip the **Configure a federation server with Device Registration Service** and the **Configure Corporate DNS for the Federation Service and DRS** procedures. +> During your AD FS deployment, skip the **Configure a federation server with Device Registration Service** and the **Configure Corporate DNS for the Federation Service and DRS** procedures. The AD FS farm used with Windows Hello for Business must be Windows Server 2016 with minimum update of [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889). If your AD FS farm is not running the AD FS role with updates from Windows Server 2016, then read [Upgrading to AD FS in Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/upgrading-to-ad-fs-in-windows-server-2016) 
@@ -95,87 +96,87 @@ Federation server proxies are computers that run AD FS software that have been c Use the [Setting of a Federation Proxy](https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/checklist--setting-up-a-federation-server-proxy) checklist to configure AD FS proxy servers in your environment. ### Deploy Azure AD Connect -Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](https://go.microsoft.com/fwlink/?LinkId=615771). +Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). -When you are ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**. 
+When you are ready to install, follow the **Configuring federation with AD FS** section of [Custom installation of Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-get-started-custom). Select the **Federation with AD FS** option on the **User sign-in** page. At the **AD FS Farm** page, select the use an existing option and click **Next**. -### Create AD objects for AD FS Device Authentication -If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration. +### Create AD objects for AD FS Device Authentication +If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration. ![Device Registration](images/hybridct/device1.png) > [!NOTE] -> The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1. +> The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below. Otherwise you can skip step 1. 1. Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**. ![Device Registration](images/hybridct/device2.png) - -2. On your AD FS primary server, ensure you are logged in as AD DS user with Enterprise Admin (EA ) privileges and open an elevated Windows PowerShell prompt. 
Then, run the following commands: - - `Import-module activedirectory` - `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "" ` + +2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt. Then, run the following commands: + + `Import-module activedirectory` + `PS C:\> Initialize-ADDeviceRegistration -ServiceAccountName "" ` 3. On the pop-up window click **Yes**. > [!NOTE] > If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$" -![Device Registration](images/hybridct/device3.png) +![Device Registration](images/hybridct/device3.png) -The above PSH creates the following objects: +The above PSH creates the following objects: -- RegisteredDevices container under the AD domain partition -- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration -- Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration +- RegisteredDevices container under the AD domain partition +- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration +- Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration -![Device Registration](images/hybridct/device4.png) +![Device Registration](images/hybridct/device4.png) 4. Once this is done, you will see a successful completion message. 
-![Device Registration](images/hybridct/device5.png) +![Device Registration](images/hybridct/device5.png) -### Create Service Connection Point (SCP) in Active Directory -If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS +### Create Service Connection Point (SCP) in Active Directory +If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS 1. Open Windows PowerShell and execute the following: - - `PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1" ` + + `PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1" ` > [!NOTE] > If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep -![Device Registration](images/hybridct/device6.png) +![Device Registration](images/hybridct/device6.png) -2. Provide your Azure AD global administrator credentials +2. Provide your Azure AD global administrator credentials `PS C:>$aadAdminCred = Get-Credential` -![Device Registration](images/hybridct/device7.png) +![Device Registration](images/hybridct/device7.png) -3. Run the following PowerShell command +3. Run the following PowerShell command - `PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred ` + `PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred ` Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory. 
+ +The above commands enable Windows 10 clients to find the correct Azure AD domain to join by creating the serviceConnectionpoint object in AD DS. -The above commands enable Windows 10 clients to find the correct Azure AD domain to join by creating the serviceConnectionpoint object in AD DS. - -### Prepare AD for Device Write Back +### Prepare AD for Device Write Back To ensure AD DS objects and containers are in the correct state for write back of devices from Azure AD, do the following. -1. Open Windows PowerShell and execute the following: +1. Open Windows PowerShell and execute the following: - `PS C:>Initialize-ADSyncDeviceWriteBack -DomainName -AdConnectorAccount [AD connector account name] ` + `PS C:>Initialize-ADSyncDeviceWriteBack -DomainName -AdConnectorAccount [AD connector account name] ` -Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory in domain\accountname format +Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory in domain\accountname format -The above command creates the following objects for device write back to AD DS, if they do not exist already, and allows access to the specified AD connector account name +The above command creates the following objects for device write back to AD DS, if they do not exist already, and allows access to the specified AD connector account name -- RegisteredDevices container in the AD domain partition -- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration +- RegisteredDevices container in the AD domain partition +- Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration -### Enable Device Write Back in Azure AD Connect -If you have not done so before, enable device write back in Azure AD Connect by 
running the wizard a second time and selecting **"Customize Synchronization Options"**, then checking the box for device write back and selecting the forest in which you have run the above cmdlets +### Enable Device Write Back in Azure AD Connect +If you have not done so before, enable device write back in Azure AD Connect by running the wizard a second time and selecting **"Customize Synchronization Options"**, then checking the box for device write back and selecting the forest in which you have run the above cmdlets ## Configure AD FS to use Azure registered devices @@ -205,7 +206,7 @@ If you are already issuing an ImmutableID claim (e.g., alternate login ID) you n * `http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID` In the following sections, you find information about: - + - The values each claim should have - How a definition would look like in AD FS @@ -220,12 +221,12 @@ The definition helps you to verify whether the values are present or if you need @RuleName = "Issue account type for domain-joined computers" c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" ] => issue( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "DJ" ); 
@@ -235,35 +236,35 @@ The definition helps you to verify whether the values are present or if you need @RuleName = "Issue object GUID for domain-joined computers" c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" ] - && + && c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" ] => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), - query = ";objectguid;{0}", + store = "Active Directory", + types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), + query = ";objectguid;{0}", param = c2.Value ); - + #### Issue objectSID of the computer account on-premises **`http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid`** - This claim must contain the **objectSid** value of the on-premises computer account. In AD FS, you can add an issuance transform rule that looks like this: @RuleName = "Issue objectSID for domain-joined computers" c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" ] - && + && c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" ] => issue(claim = c2); 
@@ -275,41 +276,41 @@ The definition helps you to verify whether the values are present or if you need @RuleName = "Issue account type with the value User when its not a computer" NOT EXISTS( [ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value == "DJ" ] ) => add( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "User" ); - + @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" c1:[ Type == "http://schemas.xmlsoap.org/claims/UPN" ] - && + && c2:[ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value == "User" ] => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace( - c1.Value, - ".+@(?.+)", + c1.Value, + ".+@(?.+)", "http://${domain}/adfs/services/trust/" ) ); - + @RuleName = "Issue issuerID for domain-joined computers" c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" ] => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = "http:///adfs/services/trust/" ); 
@@ -319,8 +320,8 @@ In the claim above, - `$` is the AD FS service URL - `` is a placeholder you need to replace with one of your verified domain names in Azure AD -For more details about verified domain names, see [Add a custom domain name to Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-add-domain). -To get a list of your verified company domains, you can use the [Get-MsolDomain](https://docs.microsoft.com/en-us/powershell/module/msonline/get-msoldomain?view=azureadps-1.0) cmdlet. +For more details about verified domain names, see [Add a custom domain name to Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-add-domain). +To get a list of your verified company domains, you can use the [Get-MsolDomain](https://docs.microsoft.com/en-us/powershell/module/msonline/get-msoldomain?view=azureadps-1.0) cmdlet. #### Issue ImmutableID for computer when one for users exist (e.g. alternate login ID is set) @@ -328,19 +329,19 @@ To get a list of your verified company domains, you can use the [Get-MsolDomain] @RuleName = "Issue ImmutableID for computers" c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && + ] + && c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" ] => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), - query = ";objectguid;{0}", + store = "Active Directory", + types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), + query = ";objectguid;{0}", param = c2.Value ); 
@@ -351,45 +352,45 @@ The following script helps you with the creation of the issuance transform rules $multipleVerifiedDomainNames = $false $immutableIDAlreadyIssuedforUsers = $false $oneOfVerifiedDomainNames = 'example.com' # Replace example.com with one of your verified domains - + $rule1 = '@RuleName = "Issue account type for domain-joined computers" c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" ] => issue( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "DJ" );' $rule2 = '@RuleName = "Issue object GUID for domain-joined computers" c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" ] - && + && c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" ] => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), - query = ";objectguid;{0}", + store = "Active Directory", + types = ("http://schemas.microsoft.com/identity/claims/onpremobjectguid"), + query = ";objectguid;{0}", param = c2.Value );' $rule3 = '@RuleName = "Issue objectSID for domain-joined computers" c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" ] - && 
+ && c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" ] => issue(claim = c2);' @@ -399,41 +400,41 @@ The following script helps you with the creation of the issuance transform rules $rule4 = '@RuleName = "Issue account type with the value User when it is not a computer" NOT EXISTS( [ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value == "DJ" ] ) => add( - Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", + Type = "http://schemas.microsoft.com/ws/2012/01/accounttype", Value = "User" ); - + @RuleName = "Capture UPN when AccountType is User and issue the IssuerID" c1:[ Type == "http://schemas.xmlsoap.org/claims/UPN" ] - && + && c2:[ - Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", + Type == "http://schemas.microsoft.com/ws/2012/01/accounttype", Value == "User" ] => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace( - c1.Value, - ".+@(?.+)", + c1.Value, + ".+@(?.+)", "http://${domain}/adfs/services/trust/" ) ); - + @RuleName = "Issue issuerID for domain-joined computers" c:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" ] => issue( - Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", + Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = "http://' + $oneOfVerifiedDomainNames + '/adfs/services/trust/" );' } 
@@ -442,32 +443,32 @@ The following script helps you with the creation of the issuance transform rules if ($immutableIDAlreadyIssuedforUsers -eq $true) { $rule5 = '@RuleName = "Issue ImmutableID for computers" c1:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", - Value =~ "-515$", + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", + Value =~ "-515$", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" - ] - && + ] + && c2:[ - Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", + Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer =~ "^(AD AUTHORITY|SELF AUTHORITY|LOCAL AUTHORITY)$" ] => issue( - store = "Active Directory", - types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), - query = ";objectguid;{0}", + store = "Active Directory", + types = ("http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), + query = ";objectguid;{0}", param = c2.Value );' } - $existingRules = (Get-ADFSRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline).IssuanceTransformRules + $existingRules = (Get-ADFSRelyingPartyTrust -Identifier urn:federation:MicrosoftOnline).IssuanceTransformRules $updatedRules = $existingRules + $rule1 + $rule2 + $rule3 + $rule4 + $rule5 - $crSet = New-ADFSClaimRuleSet -ClaimRule $updatedRules + $crSet = New-ADFSClaimRuleSet -ClaimRule $updatedRules - Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString + Set-AdfsRelyingPartyTrust -TargetIdentifier urn:federation:MicrosoftOnline -IssuanceTransformRules $crSet.ClaimRulesString -#### Remarks +#### Remarks - This script appends the rules to the existing rules. Do not run the script twice because the set of rules would be added twice. 
Make sure that no corresponding rules exist for these claims (under the corresponding conditions) before running the script again. 
@@ -475,28 +476,28 @@ The following script helps you with the creation of the issuance transform rules c:[Type == "http://schemas.xmlsoap.org/claims/UPN"] - => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?.+)", "http://${domain}/adfs/services/trust/")); + => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/issuerid", Value = regexreplace(c.Value, ".+@(?.+)", "http://${domain}/adfs/services/trust/")); - If you have already issued an **ImmutableID** claim for user accounts, set the value of **$immutableIDAlreadyIssuedforUsers** in the script to **$true**. -#### Configure Device Authentication in AD FS -Using an elevated PowerShell command window, configure AD FS policy by executing the following command +#### Configure Device Authentication in AD FS +Using an elevated PowerShell command window, configure AD FS policy by executing the following command -`PS C:>Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod All` +`PS C:>Set-AdfsGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true -DeviceAuthenticationMethod All` -#### Check your configuration +#### Check your configuration For your reference, below is a comprehensive list of the AD DS devices, containers and permissions required for device write-back and authentication to work -- object of type ms-DS-DeviceContainer at CN=RegisteredDevices,DC=<domain> - - read access to the AD FS service account +- object of type ms-DS-DeviceContainer at CN=RegisteredDevices,DC=<domain> + - read access to the AD FS service account - read/write access to the Azure AD Connect sync AD connector account - Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - Container Device Registration Service DKM under the above container -![Device Registration](images/hybridct/device8.png) - -- object of type serviceConnectionpoint at CN=<guid>, CN=Device 
Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - - read/write access to the specified AD connector account name on the new object +![Device Registration](images/hybridct/device8.png) + +- object of type serviceConnectionpoint at CN=<guid>, CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> + - read/write access to the specified AD connector account name on the new object - object of type msDS-DeviceRegistrationServiceContainer at CN=Device Registration Services,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=<domain> - object of type msDS-DeviceRegistrationService in the above container @@ -513,4 +514,4 @@ For your reference, below is a comprehensive list of the AD DS devices, containe 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. Configure Azure Device Registration (*You are here*) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) -6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) \ No newline at end of file +6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md index ffcdd3cdc3..3885bdbc50 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md 
@@ -9,16 +9,16 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 03/26/2018 +ms.date: 08/19/2018 --- # Hybrid Windows Hello for Business Prerequisites **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Certificate trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. - Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: 
@@ -32,7 +32,7 @@ The distributed systems on which these technologies were built involved several ## Directories ## Hybrid Windows Hello for Business needs two directories: on-premises Active Directory and a cloud Azure Active Directory. The minimum required domain controller, domain functional level, and forest functional level for Windows Hello for Business deployment is Windows Server 2008 R2. -A hybrid Windows Hello for Busines deployment needs an Azure Active Directory subscription. Different deployment configurations are supported by different Azure subscriptions. The hybrid-certificate trust deployment needs an Azure Active Directory premium subscription because it uses the device write-back synchronization feature. Other deployments, such as the hybrid key-trust deployment, may not require Azure Active Directory premium subscription. +A hybrid Windows Hello for Business deployment needs an Azure Active Directory subscription. Different deployment configurations are supported by different Azure subscriptions. The hybrid-certificate trust deployment needs an Azure Active Directory premium subscription because it uses the device write-back synchronization feature. Other deployments, such as the hybrid key-trust deployment, may not require Azure Active Directory premium subscription. Windows Hello for Business can be deployed in any environment with Windows Server 2008 R2 or later domain controllers. Azure device registration and Windows Hello for Business require the Windows Server 2016 Active Directory schema. @@ -103,7 +103,7 @@ Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Auth
        ## Device Registration ## -Organizations wanting to deploy hybrid certificate trust need thier domain joined devices to register to Azure Active Directory. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory. +Organizations wanting to deploy hybrid certificate trust need their domain joined devices to register to Azure Active Directory. Just as a computer has an identity in Active Directory, that same computer has an identity in the cloud. This ensures that only approved computers are used with that Azure Active Directory. Each computer registers its identity in Azure Active Directory. Hybrid certificate trust deployments need the device write back feature. Authentication to the Windows Server 2016 Active Directory Federation Services needs both the user and the computer to authenticate. Typically the users are synchronized, but not devices. This prevents AD FS from authenticating the computer and results in Windows Hello for Business certificate enrollment failures. For this reason, Windows Hello for Business deployments need device writeback, which is an Azure Active Directory premium feature. @@ -132,7 +132,7 @@ If your environment is already federated and supports Azure device registration, ## Follow the Windows Hello for Business hybrid certificate trust deployment guide 1. [Overview](hello-hybrid-cert-trust.md) -2. Prerequistes (*You are here*) +2. Prerequisites (*You are here*) 3. [New Installation Baseline](hello-hybrid-cert-new-install.md) 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md) 5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md) 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
index 97b72c76a3..30efcbd805 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
@@ -14,9 +14,9 @@ ms.date: 09/08/2017
 # Hybrid Azure AD joined Certificate Trust Deployment
 **Applies to**
-- Windows 10
-
->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
+- Windows 10, version 1703 or later
+- Hybrid deployment
+- Certificate trust
 Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid certificate trust scenario.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index effbe6b03a..124a34248b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -9,16 +9,16 @@ ms.pagetype: security, mobile
 author: mikestephens-MS
 ms.author: mstephen
 ms.localizationpriority: medium
-ms.date: 03/26/2018
+ms.date: 08/19/2018
 ---
 # Hybrid Windows Hello for Business Provisioning
 **Applies to**
-- Windows 10
+- Windows 10, version 1703 or later
+- Hybrid deployment
+- Certificate trust
->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
-
 ## Provisioning
 The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
@@ -45,7 +45,7 @@ The provisioning flow has all the information it needs to complete the Windows H
 * A fresh, successful multi-factor authentication
 * A validated PIN that meets the PIN complexity requirements
-The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. AAD Connect syncrhonizes the user's key to the on-prem Active Directory.
+The remainder of the provisioning includes Windows Hello for Business requesting an asymmetric key pair for the user, preferably from the TPM (or required if explicitly set through policy). Once the key pair is acquired, Windows communicates with Azure Active Directory to register the public key. AAD Connect synchronizes the user's key to the on-premises Active Directory.
 > [!IMPORTANT]
 > The following is the enrollment behavior prior to Windows Server 2016 update [KB4088889 (14393.2155)](https://support.microsoft.com/en-us/help/4088889).
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
index 80b5408547..4395d9c432 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
@@ -9,20 +9,21 @@ ms.pagetype: security, mobile
 ms.localizationpriority: medium
 author: mikestephens-MS
 ms.author: mstephen
-ms.date: 10/23/2017
+ms.date: 08/19/2018
 ---
 # Configuring Windows Hello for Business: Active Directory
 **Applies to**
-- Windows 10
+- Windows 10, version 1703 or later
+- Hybrid deployment
+- Certificate trust
->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
 The key synchronization process for the hybrid deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema.
 ### Creating Security Groups
-Windows Hello for Business uses several security groups to simplify the deployment and managment.
+Windows Hello for Business uses several security groups to simplify the deployment and management.
 > [!Important]
 > If your environment has one or more Windows Server 2016 domain controllers in the domain to which you are deploying Windows Hello for Business, then skip the **Create the KeyCredentials Admins Security Group**. Domains that include Windows Server 2016 domain controllers use the KeyAdmins group, which is created during the installation of the first Windows Server 2016 domain controller.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index dd6f6d5b50..25208af1bd 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -9,18 +9,17 @@ ms.pagetype: security, mobile
 ms.localizationpriority: medium
 author: mikestephens-MS
 ms.author: mstephen
-ms.date: 03/26/2018
+ms.date: 08/20/2018
 ---
 # Configure Windows Hello for Business: Active Directory Federation Services
 **Applies to**
-- Windows10
+- Windows10, version 1703 or later
+- Hybrid deployment
+- Certificate trust
 ## Federation Services
-
->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
-
-The Windows Server 2016 Active Directory Fedeartion Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
+The Windows Server 2016 Active Directory Federation Server Certificate Registration Authority (AD FS RA) enrolls for an enrollment agent certificate. Once the registration authority verifies the certificate request, it signs the certificate request using its enrollment agent certificate and sends it to the certificate authority.
 The Windows Hello for Business Authentication certificate template is configured to only issue certificates to certificate requests that have been signed with an enrollment agent certificate.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
index ce00462dc9..7464c27892 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
@@ -14,9 +14,10 @@ ms.date: 10/23/2017
 # Configure Hybrid Windows Hello for Business: Directory Synchronization
 **Applies to**
-- Windows 10
+- Windows 10, version 1703 or later
+- Hybrid deployment
+- Certificate trust
->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
 ## Directory Synchronization
@@ -77,5 +78,5 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
 2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md)
 3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
 4. [Configure Azure Device Registration](hello-hybrid-cert-trust-devreg.md)
-5. Configure Windows Hello for Business settings: Directory Syncrhonization (*You are here*)
+5. Configure Windows Hello for Business settings: Directory Synchronization (*You are here*)
 6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index 1508af5827..f14eedf3af 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -9,23 +9,24 @@ ms.pagetype: security, mobile ms.localizationpriority: medium author: mikestephens-MS ms.author: mstephen -ms.date: 11/08/2017 +ms.date: 08/19/2018 --- # Configure Hybrid Windows Hello for Business: Public Key Infrastructure **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid Deployment +- Certificate Trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. -Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certifcates to validate the name of the server to which they are connecting and to encyrpt the data that flows them and the client computer. +Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer. -All deployments use enterprise issed certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificate to registration authorites to provide defenese-in-depth security for issueing user authentication certificates. +All deployments use enterprise issued certificates for domain controllers as a root of trust. Hybrid certificate trust deployments issue users sign-in certificate that enables them to authenticate using Windows Hello for Business credentials to non-Windows Server 2016 domain controllers. Additionally, hybrid certificate trust deployments issue certificate to registration authorities to provide defense-in-depth security for issuing user authentication certificates. 
-## Certifcate Templates +## Certificate Templates -This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authtority. +This section has you configure certificate templates on your Windows Server 2012 or later issuing certificate authority. ### Domain Controller certificate template @@ -42,7 +43,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. 3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. 5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs. **Note**If you use different template names, you'll need to remember and substitute these names in different portions of the lab. 6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. 
@@ -55,7 +56,7 @@ Many domain controllers may have an existing domain controller certificate. The The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). -The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. +The auto-enrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template. Sign-in a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials. 
@@ -73,7 +74,7 @@ The certificate template is configured to supersede all the certificate template ### Enrollment Agent certificate template -Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate lifecycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. +Active Directory Federation Server used for Windows Hello for Business certificate enrollment performs its own certificate life-cycle management. Once the registration authority is configured with the proper certificate template, the AD FS server attempts to enroll the certificate on the first certificate request or when the service first starts. Approximately 60 days prior to enrollment agent certificate's expiration, the AD FS service attempts to renew the certificate until it is successful. If the certificate fails to renew, and the certificate expires, the AD FS server will request a new enrollment agent certificate. You can view the AD FS event logs to determine the status of the enrollment agent certificate. 
@@ -96,7 +97,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e 8. On the **Security** tab, click **Add**. 9. Click **Object Types**. Select the **Service Accounts** check box and click **OK**. 10. Type **adfssvc** in the **Enter the object names to select** text box and click **OK**. -11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. +11. Click the **adfssvc** from the **Group or users names** list. In the **Permissions for adfssvc** section, select the **Allow** check box for the **Enroll** permission. Excluding the **adfssvc** user, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**. 12. Close the console. #### Creating an Enrollment Agent certificate for typical Service Acconts 
@@ -128,7 +129,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin eq **Note:** If you use different template names, you'll need to remember and substitute these names in different portions of the deployment. 6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. 7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**. -8. On the **Issuance Requirements** tab, select the T**his number of authorized signatures** check box. Type **1** in the text box. +8. On the **Issuance Requirements** tab, select the **This number of authorized signatures** check box. Type **1** in the text box. * Select **Application policy** from the **Policy type required in signature**. Select **Certificate Request Agent** from in the **Application policy** list. Select the **Valid existing certificate** option. 9. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **Fully distinguished name** from the **Subject name format** list if **Fully distinguished name** is not already selected. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**. 10. On the **Request Handling** tab, select the **Renew with same key** check box. 
@@ -145,13 +146,25 @@ Sign-in to an **AD FS Windows Server 2016** computer with _Enterprise Admin_ equ >[!NOTE] >If you gave your Windows Hello for Business Authentication certificate template a different name, then replace **WHFBAuthentication** in the above command with the name of your certificate template. It's important that you use the template name rather than the template display name. You can view the template name on the **General** tab of the certificate template using the Certificate Template management console (certtmpl.msc). Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on our Windows Server 2012 or later certificate authority. -Publish Templates + +## Publish Templates ### Publish Certificate Templates to a Certificate Authority The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. -### Unpublish Superseded Certificate Templates +#### Publish Certificate Templates to the Certificate Authority + +Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials. +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. Click **Certificate Templates** in the navigation pane. +4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. +5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, **WHFB Enrollment Agent** and **WHFB Authentication** templates you created in the previous steps. 
Click **OK** to publish the selected certificate templates to the certificate authority. +6. Close the console. + + +#### Unpublish Superseded Certificate Templates The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. This includes the pre-published certificate template from the role installation and any superseded certificate templates. @@ -169,9 +182,9 @@ Sign-in to the certificate authority or management workstation with _Enterprise > [!div class="checklist"] > * Domain Controller certificate template > * Configure superseded domain controller certificate templates -> * Enrollment Agent certifcate template +> * Enrollment Agent certificate template > * Windows Hello for Business Authentication certificate template -> * Mark the certifcate template as Windows Hello for Business sign-in template +> * Mark the certificate template as Windows Hello for Business sign-in template > * Publish Certificate templates to certificate authorities > * Unpublish superseded certificate templates diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md index 933756d930..9728d0ac98 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md 
@@ -9,14 +9,15 @@ ms.pagetype: security, mobile ms.localizationpriority: medium author: mikestephens-MS ms.author: mstephen -ms.date: 11/08/2017 +ms.date: 08/19/2018 --- # Configure Hybrid Windows Hello for Business: Group Policy **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Certificate trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. ## Policy Configuration @@ -25,7 +26,7 @@ Install the Remote Server Administration Tools for Windows 10 on a computer runn Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. -Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) autoamtically request and renew the correct domain controller certifcate. +Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) automatically request and renew the correct domain controller certificate. Domain joined clients of hybrid certificate-based deployments of Windows Hello for Business needs three Group Policy settings: * Enable Windows Hello for Business 
@@ -145,7 +146,7 @@ The default configuration for Windows Hello for Business is to prefer hardware p You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business. -Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. +Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object. #### Use biometrics 
@@ -171,7 +172,7 @@ Starting with Windows 10, version 1703, the PIN complexity Group Policy settings ## Add users to the Windows Hello for Business Users group -Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Wwindows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business. +Users must receive the Windows Hello for Business group policy settings and have the proper permission to enroll for the Windows Hello for Business Authentication certificate. You can provide users with these settings and permissions by adding the group used synchronize users to the Windows Hello for Business Users group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business. ### Section Review > [!div class="checklist"] diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md index fac7f81257..f3f298b684 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md 
@@ -9,14 +9,15 @@ ms.pagetype: security, mobile ms.localizationpriority: medium author: mikestephens-MS ms.author: mstephen -ms.date: 10/23/2017 +ms.date: 08/19/2018 --- # Configure Windows Hello for Business **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Certificate trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. You're environment is federated and you are ready to configure your hybrid environment for Windows Hello for business using the certificate trust model. > [!IMPORTANT] @@ -28,7 +29,7 @@ The configuration for Windows Hello for Business is grouped in four categories. * [Active Directory Federation Services](hello-hybrid-cert-whfb-settings-adfs.md) * [Group Policy](hello-hybrid-cert-whfb-settings-policy.md) -For the most efficent deployment, configure these technologies in order beginning with the Active Directory configuration +For the most efficient deployment, configure these technologies in order beginning with the Active Directory configuration > [!div class="step-by-step"] [Configure Active Directory >](hello-hybrid-cert-whfb-settings-ad.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md index f986fd3e0e..8ec23ffcaa 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md 
@@ -9,16 +9,17 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 03/26/2018 +ms.date: 08/19/2018 --- # Windows Hello for Business Key Trust New Installation **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Key trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. -Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid key trust deployments of Windows Hello for Business rely on these technolgies +Windows Hello for Business involves configuring distributed technologies that may or may not exist in your current infrastructure. Hybrid key trust deployments of Windows Hello for Business rely on these technologies * [Active Directory](#active-directory) * [Public Key Infrastructure](#public-key-infrastructure) 
@@ -26,7 +27,7 @@ Windows Hello for Business involves configuring distributed technologies that ma * [Active Directory Federation Services](#active-directory-federation-services) -New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your exsting envrionment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) section to prepare your Windows Hello for Business deployment by configuring directory synchronization. +New installations are considerably more involved than existing implementations because you are building the entire infrastructure. Microsoft recommends you review the new installation baseline to validate your existing environment has all the needed configurations to support your hybrid certificate trust Windows Hello for Business deployment. If your environment meets these needs, you can read the [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) section to prepare your Windows Hello for Business deployment by configuring directory synchronization. The new installation baseline begins with a basic Active Directory deployment and enterprise PKI. @@ -142,8 +143,8 @@ Alternatively, you can configure Windows Server 2016 Active Directory Federation
        ## Follow the Windows Hello for Business hybrid key trust deployment guide -1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) +1. [Overview](hello-hybrid-key-trust.md) +2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) 3. New Installation Baseline (*You are here*) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md index 45f22f940d..c4ddccad00 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md @@ -9,15 +9,15 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 10/20/2017 +ms.date: 08/19/2018 --- # Configure Device Registration for Hybrid key trust Windows Hello for Business **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Key trust - ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. You are ready to configure device registration for your hybrid environment. Hybrid Windows Hello for Business deployment needs device registration to enable proper device authentication. 
@@ -34,7 +34,7 @@ Begin configuring device registration to support Hybrid Windows Hello for Busine To do this, follow the **Configure device settings** steps under [Setting up Azure AD Join in your organization](https://azure.microsoft.com/en-us/documentation/articles/active-directory-azureadjoin-setup/) -Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup) page. In the **Configuration steps** section, identify you configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a checkmark. +Next, follow the guidance on the [How to configure hybrid Azure Active Directory joined devices](https://docs.microsoft.com/en-us/azure/active-directory/device-management-hybrid-azuread-joined-devices-setup) page. In the **Configuration steps** section, identify you configuration at the top of the table (either **Windows current and password hash sync** or **Windows current and federation**) and perform only the steps identified with a check mark.

        diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md index bf7954d10e..041c3f0a23 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md 
@@ -8,29 +8,34 @@ ms.sitesec: library ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen -ms.localizationpriority: medium -ms.date: 10/20/2017 +localizationpriority: high +ms.date: 08/19/2018 --- # Configure Directory Synchronization for Hybrid key trust Windows Hello for Business **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Key trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. - -You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises. + +You are ready to configure directory synchronization for your hybrid environment. Hybrid Windows Hello for Business deployment needs both a cloud and an on-premises identity to authenticate and access resources in the cloud or on-premises. ## Deploy Azure AD Connect -Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](https://go.microsoft.com/fwlink/?LinkId=615771). +Next, you need to synchronizes the on-premises Active Directory with Azure Active Directory. 
To do this, first review the [Integrating on-prem directories with Azure Active Directory](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect) and [hardware and prerequisites](https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-prerequisites) needed and then [download the software](http://go.microsoft.com/fwlink/?LinkId=615771). -

        + +> [!NOTE] +> If you installed Azure AD Connect prior to upgrading the schema, you will need to re-run the Azure AD Connect installation and refresh the on-premises AD schema to ensure the synchronization rule for msDS-KeyCredentialLink is configured. + +

        ## Follow the Windows Hello for Business hybrid key trust deployment guide -1. [Overview](hello-hybrid-cert-trust.md) -2. [Prerequistes](hello-hybrid-cert-trust-prereqs.md) -3. [New Installation Baseline](hello-hybrid-cert-new-install.md) +1. [Overview](hello-hybrid-key-trust.md) +2. [Prerequistes](hello-hybrid-key-trust-prereqs.md) +3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. Configure Directory Synchronization (*You are here*) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) 6. [Configure Windows Hello for Business settings](hello-hybrid-key-whfb-settings.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md index 59977cb224..00a4885e90 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md 
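Review bot: The rewritten download link in the "Deploy Azure AD Connect" paragraph now reads `[download the software](http://go.microsoft.com/fwlink/?LinkId=615771)` where the removed line used `https://`, so readers fetch the Azure AD Connect installer through a cleartext redirect that can be tampered with in transit. Keep the scheme as `https://go.microsoft.com/fwlink/?LinkId=615771`. The front matter of the same hunk also replaces `ms.localizationpriority: medium` with `localizationpriority: high`, dropping the `ms.` prefix used by the other files in this commit. If the priority change is intended, `ms.localizationpriority: high` keeps the key consistent; whether the build still honours the unprefixed key is not visible here. The same key change appears in hello-hybrid-key-trust-prereqs.md and hello-hybrid-key-whfb-settings-policy.md.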
@@ -8,22 +8,22 @@ ms.sitesec: library ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen -ms.localizationpriority: medium -ms.date: 11/17/2017 +localizationpriority: high +ms.date: 08/20/2018 --- # Hybrid Key trust Windows Hello for Business Prerequisites **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Key trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. - Hybrid environments are distributed systems that enable organizations to use on-premises and Azure-based identities and resources. Windows Hello for Business uses the existing distributed system as a foundation on which organizations can provide two-factor authentication that provides a single sign-in like experience to modern resources. The distributed systems on which these technologies were built involved several pieces of on-premises and cloud infrastructure. High-level pieces of the infrastructure include: * [Directories](#directories) -* [Public Key Infrastructure](#public-key-infrastructure) +* [Public Key Infrastucture](#public-key-infastructure) * [Directory Synchronization](#directory-synchronization) * [Federation](#federation) * [MultiFactor Authetication](#multifactor-authentication) @@ -58,7 +58,7 @@ The minimum required enterprise certificate authority that can be used with Wind > [!IMPORTANT] > For Azure AD joined device to authenticate to and use on-premises resources, ensure you: -> * Install the root certificate authority certificate for your organization in the user's trusted root certificate store. +> * Install the root certificate authority certificate for your organization in the user's trusted root certifcate store. > * Publish your certificate revocation list to a location that is available to Azure AD joined devices, such as a web-based url. ### Section Review @@ -91,15 +91,15 @@ You can deploy Windows Hello for Business key trust in non-federated and federat
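Review bot: The list entry in the first hunk becomes `* [Public Key Infrastucture](#public-key-infastructure)`, and its anchor no longer matches the removed `#public-key-infrastructure`, so the in-page link presumably stops resolving (the target heading is outside the hunk). Keep `* [Public Key Infrastructure](#public-key-infrastructure)`. The later hunks of this file reintroduce misspellings that the removed lines did not have: `trusted root certifcate store` in the root CA bullet, and `**New Installation Basline**` and `**Configure Azure Directory Syncrhonization**` under Next Steps. These section names are what a reader searches for when following the deployment guide, so the removed spellings should stay.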
        ## Multifactor Authentication ## -Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their username and password as one factor, but needs a second factor of authentication. +Windows Hello for Business is a strong, two-factor credential the helps organizations reduce their dependency on passwords. The provisioning process lets a user enroll in Windows Hello for Business using their user name and password as one factor, but needs a second factor of authentication. -Hybrid Windows Hello for Business deployments can use Azure’s Multifactor Authentication service or they can use multifactor authentication provides by Windows Server 2012 R2 or later Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multifactor authentication into AD FS. +Hybrid Windows Hello for Business deployments can use Azure’s Multi-factor Authentication service or they can use multi-factor authentication provides by Windows Server 2012 R2 or later Active Directory Federation Services, which includes an adapter model that enables third parties to integrate their multi-factor authentication into AD FS. ### Section Review > [!div class="checklist"] > * Azure MFA Service > * Windows Server 2016 AD FS and Azure (optional, if federated) -> * Windows Server 2016 AD FS and third-party MFA Adapter (optional, if federated) +> * Windows Server 2016 AD FS and third party MFA Adapter (optional, if federated)
        @@ -114,9 +114,9 @@ Organizations wanting to deploy hybrid key trust need their domain joined device
        ### Next Steps ### -Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Baseline**. +Follow the Windows Hello for Business hybrid key trust deployment guide. For proof-of-concepts, labs, and new installations, choose the **New Installation Basline**. -For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Synchronization**. +For environments transitioning from on-premises to hybrid, start with **Configure Azure Directory Syncrhonization**. For federated and non-federated environments, start with **Configure Windows Hello for Business settings**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md index 397e878d3c..8fb2bf361a 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md @@ -9,14 +9,14 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 10/20/2017 +ms.date: 08/20/2018 --- # Hybrid Azure AD joined Key Trust Deployment **Applies to** -- Windows 10 - ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. +- Windows 10, version 1703 or later +- Hybrid deployment +- Key trust Windows Hello for Business replaces username and password sign-in to Windows with strong user authentication based on asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid key trust scenario. 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md index ce0710525a..fecb1059be 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md @@ -9,16 +9,16 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 10/20/2017 +ms.date: 08/20/2018 --- # Hybrid Windows Hello for Business Provisioning **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Key trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. - ## Provisioning The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md index 8b9848f45c..c2821a19f1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md 
@@ -9,21 +9,22 @@ ms.pagetype: security, mobile ms.localizationpriority: medium author: mikestephens-MS ms.author: mstephen -ms.date: 10/23/2017 +ms.date: 08/20/2018 --- # Configuring Hybrid key trust Windows Hello for Business: Active Directory **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Key trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. Configure the appropriate security groups to efficiently deploy Windows Hello for Business to users. ### Creating Security Groups -Windows Hello for Business uses a security group to simplify the deployment and managment. +Windows Hello for Business uses a security group to simplify the deployment and management. #### Create the Windows Hello for Business Users Security Group diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md index 2059a8d2ff..4679d66c11 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md @@ -9,14 +9,15 @@ ms.pagetype: security, mobile ms.localizationpriority: medium author: mikestephens-MS ms.author: mstephen -ms.date: 10/23/2017 +ms.date: 08/19/2018 --- # Configure Hybrid Windows Hello for Business: Directory Synchronization **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Key trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. ## Directory Syncrhonization 
@@ -54,5 +55,5 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva 3. [New Installation Baseline](hello-hybrid-key-new-install.md) 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) -6. Configure Windows Hello for Business settings: Directory Syncrhonization (*You are here*) +6. Configure Windows Hello for Business settings: Directory Synchronization (*You are here*) 7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md index 7fa866d652..21befdf74e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md @@ -9,15 +9,16 @@ ms.pagetype: security, mobile ms.localizationpriority: medium author: mikestephens-MS ms.author: mstephen -ms.date: 10/23/2017 +ms.date: 08/19/2018 --- # Configure Hybrid Windows Hello for Business: Public Key Infrastructure **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid Deployment +- Key trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. Windows Hello for Business deployments rely on certificates. Hybrid deployments uses publicly issued server authentication certificates to validate the name of the server to which they are connecting and to encrypt the data that flows them and the client computer. 
@@ -42,7 +43,7 @@ Sign-in a certificate authority or management workstations with _Domain Admin_ e 1. Open the **Certificate Authority** management console. 2. Right-click **Certificate Templates** and click **Manage**. 3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**. -4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list. +4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list. 5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise's needs. **Note**If you use different template names, you'll need to remember and substitute these names in different portions of the lab. 6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items. 
@@ -76,6 +77,17 @@ The certificate template is configured to supersede all the certificate template The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate. +Sign-in to the certificate authority or management workstations with an _enterprise administrator_ equivalent credentials. + +1. Open the **Certificate Authority** management console. +2. Expand the parent node from the navigation pane. +3. Click **Certificate Templates** in the navigation pane. +4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue. +5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)** template you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority. +6. If you published the **Domain Controller Authentication (Kerberos)** certificate template, then you should unpublish the certificate templates you included in the superseded templates list. + * To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation. +7. Close the console. + ### Unpublish Superseded Certificate Templates The certificate authority only issues certificates based on published certificate templates. For defense in depth security, it is a good practice to unpublish certificate templates that the certificate authority is not configured to issue. 
This includes the pre-published certificate template from the role installation and any superseded certificate templates. diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md index 4ddb7eed9d..1a0b808710 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md @@ -6,17 +6,18 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security, mobile -ms.localizationpriority: medium +localizationpriority: high author: mikestephens-MS ms.author: mstephen -ms.date: 10/23/2017 +ms.date: 08/20/2018 --- # Configure Hybrid Windows Hello for Business: Group Policy **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- Hybrid deployment +- Key trust ->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher. ## Policy Configuration @@ -36,7 +37,7 @@ Domain controllers automatically request a certificate from the *Domain Controll To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU. -#### Create a Domain Controller Automatic Certificate Enrollment Group Policy object +#### Create a Domain Controller Automatic Certifiacte Enrollment Group Policy object Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. 
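Review bot: Added step 6 of the publishing procedure tells the reader to unpublish superseded templates, which duplicates the unchanged "Unpublish Superseded Certificate Templates" section that follows it (that section continues past the hunk). Two copies of a hardening step tend to drift apart, so step 6 would be better as a pointer, for example `6. Continue with **Unpublish Superseded Certificate Templates** below.` In step 4 the bold span ends early: the menu item is `**Certificate Template to Issue**`, not `**Certificate Template** to issue`. The sign-in sentence should read `with _Enterprise Admin_ equivalent credentials`, matching the wording the neighbouring procedures use for the required privilege.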
@@ -47,7 +48,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv 5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**. 6. In the navigation pane, expand **Policies** under **Computer Configuration**. 7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. -8. In the details pane, right-click **Certificate Services Client - Auto-Enrollment** and select **Properties**. +8. In the details pane, right-click **Certificate Services Client � Auto-Enrollment** and select **Properties**. 9. Select **Enabled** from the **Configuration Model** list. 10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. 11. Select the **Update certificates that use certificate templates** check box. @@ -58,7 +59,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials. 1. Start the **Group Policy Management Console** (gpmc.msc) -2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO** +2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO�** 3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**. ### Windows Hello for Business Group Policy 
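Review bot: Step 8 of the auto-enrollment procedure and step 2 of the GPO link procedure now carry U+FFFD replacement characters as shown on this page (`**Certificate Services Client � Auto-Enrollment**`, `**Link an existing GPO�**`), which suggests a dash and an ellipsis were saved in a non-UTF-8 encoding. An administrator matching these labels against the Group Policy editor will not find them, so restore the forms the removed lines had, `**Certificate Services Client - Auto-Enrollment**` and `**Link an existing GPO**`, or re-save the file as UTF-8. The preceding hunk in this file also changes the heading to `Create a Domain Controller Automatic Certifiacte Enrollment Group Policy object`; the removed spelling `Certificate` should stay. Both procedures continue outside these hunks.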
@@ -67,7 +68,7 @@ The Windows Hello for Business Group Policy object delivers the correct Group Po #### Enable Windows Hello for Business -The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. +The Enable Windows Hello for Business Group Policy setting is the configuration needed for Windows to determine if a user should be attempt to enroll for Windows Hello for Business. A user will only attempt enrollment if this policy setting is configured to enabled. You can configure the Enable Windows Hello for Business Group Policy setting for computer or users. Deploying this policy setting to computers results in ALL users that sign-in that computer to attempt a Windows Hello for Business enrollment. Deploying this policy setting to a user results in only that user attempting a Windows Hello for Business enrollment. Additionally, you can deploy the policy setting to a group of users so only those users attempt a Windows Hello for Business enrollment. If both user and computer policy settings are deployed, the user policy setting has precedence. 
@@ -103,13 +104,13 @@ The application of the Windows Hello for Business Group Policy object uses secur
 2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO**
 3. In the **Select GPO** dialog box, select **Enable Windows Hello for Business** or the name of the Windows Hello for Business Group Policy object you previously created and click **OK**.
-Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All other users ignore the Group Policy object.
+Just to reassure, linking the **Windows Hello for Business** Group Policy object to the domain ensures the Group Policy object is in scope for all domain users. However, not all users will have the policy settings applied to them. Only users who are members of the Windows Hello for Business group receive the policy settings. All others users ignore the Group Policy object.
 ## Other Related Group Policy settings
 ### Windows Hello for Business
-There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting so they are applicable to any user that sign-in from a computer with these policy settings.
+There are other Windows Hello for Business policy settings you can configure to manage your Windows Hello for Business deployment. These policy settings are computer-based policy setting; so they are applicable to any user that sign-in from a computer with these policy settings.
 #### Use a hardware security device
@@ -117,7 +118,7 @@ The default configuration for Windows Hello for Business is to prefer hardware p
 You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business.
-Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
+Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
 #### Use biometrics
@@ -144,7 +145,7 @@ Windows 10 provides eight PIN Complexity Group Policy settings that give you gra
 ## Add users to the Windows Hello for Business Users group
-Users must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business. You can provide users with these settings and permissions by adding the users or groups to the **Windows Hello for Business Users** group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business.
+Users must receive the Windows Hello for Business group policy settings and have the proper permission to provision Windows Hello for Business . You can provide users with these settings and permissions by adding the users or groups to the **Windows Hello for Business Users** group. Users and groups who are not members of this group will not attempt to enroll for Windows Hello for Business.
 ### Section Review
 > [!div class="checklist"]
@@ -163,9 +164,9 @@ Users must receive the Windows Hello for Business group policy settings and have
 ## Follow the Windows Hello for Business hybrid key trust deployment guide
 1. [Overview](hello-hybrid-cert-trust.md)
-2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
+2. [Prerequistes](hello-hybrid-key-trust-prereqs.md)
 3. [New Installation Baseline](hello-hybrid-key-new-install.md)
 4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
 5. [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md)
 6. Configure Windows Hello for Business policy settings (*You are here*)
-7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
+7. [Sign-in and Provision](hello-hybrid-key-whfb-provision.md)
\ No newline at end of file
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
index 05697bb83f..c28c97dce0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
@@ -9,14 +9,15 @@ ms.pagetype: security, mobile
 ms.localizationpriority: medium
 author: mikestephens-MS
 ms.author: mstephen
-ms.date: 10/23/2017
+ms.date: 08/19/2018
 ---
 # Configure Hybrid Windows Hello for Business key trust settings
 **Applies to**
-- Windows 10
+- Windows 10, version 1703 or later
+- Hybrid deployment
+- Key trust
->This guide only applies to Hybrid deployments for Windows 10, version 1703 or higher.
 You are ready to configure your hybrid key trust environment for Windows Hello for Business.
@@ -29,7 +30,7 @@ The configuration for Windows Hello for Business is grouped in four categories.
 * [Public Key Infrastructure](hello-hybrid-key-whfb-settings-pki.md)
 * [Group Policy](hello-hybrid-key-whfb-settings-policy.md)
-For the most efficent deployment, configure these technologies in order beginning with the Active Directory configuration
+For the most efficient deployment, configure these technologies in order beginning with the Active Directory configuration
 > [!div class="step-by-step"]
 [Configure Active Directory >](hello-hybrid-key-whfb-settings-ad.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index 3a148d65c9..34a61661eb 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -9,8 +9,8 @@ ms.sitesec: library
 ms.pagetype: security, mobile
 author: mikestephens-MS
 ms.author: mstephen
-ms.localizationpriority: medium
-ms.date: 03/26/2018
+localizationpriority: high
+ms.date: 05/05/2018
 ---
 # Windows Hello for Business
@@ -34,7 +34,7 @@ Windows Hello addresses the following problems with passwords: * Windows 10, version 1511 or later * Microsoft Azure Account * Azure Active Directory -* Azure Multifactor authentication +* Azure Multi-factor authentication * Modern Management (Intune or supported third-party MDM), *optional* * Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory @@ -53,7 +53,7 @@ The table shows the minimum requirements for each deployment. | Azure Account | Azure Account | Azure Account | Azure Account | | Azure Active Directory | Azure Active Directory | Azure Active Directory | Azure Active Directory | | Azure AD Connect | Azure AD Connect | Azure AD Connect | Azure AD Connect | -| Azure AD Premium, optional | Azure AD Premium, needed for device writeback | Azure AD Premium, optional for automatic MDM enrollment | Azure AD Premium, optional for automatic MDM enrollment | +| Azure AD Premium, optional | Azure AD Premium, needed for device write-back | Azure AD Premium, optional for automatic MDM enrollment | Azure AD Premium, optional for automatic MDM enrollment | ### On-premises Deployments The table shows the minimum requirements for each deployment. @@ -68,85 +68,3 @@ The table shows the minimum requirements for each deployment. | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/en-us/help/4088889) | Windows Server 2016 AD FS with [KB4088889 update](https://support.microsoft.com/en-us/help/4088889) | | AD FS with Azure MFA Server, or
        AD FS with 3rd Party MFA Adapter | AD FS with Azure MFA Server, or
        AD FS with 3rd Party MFA Adapter | | Azure Account, optional for Azure MFA billing | Azure Account, optional for Azure MFA billing | - -## Frequently Asked Questions - -### Can I deploy Windows Hello for Business using System Center Configuration Manager? -Windows Hello for Business deployments using System Center Configuration Manager need to move to the hybrid deployment model that uses Active Directory Federation Services. Deployments using System Center Configuration Manager will no long be supported after November 2018. - -### What is the password-less strategy? - -Watch Senior Program Manager Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less** - -> [!VIDEO https://www.youtube.com/embed/mXJS615IGLM] - -### What is the user experience for Windows Hello for Business? -The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment. - -> [!VIDEO https://www.youtube.com/embed/FJqHPTZTpNM] - -
        - -> [!VIDEO https://www.youtube.com/embed/etXJsZb8Fso] - - - - -### What happens when my user forgets their PIN? - -If the user can sign-in with a password, they can reset their PIN by clicking the "I forgot my PIN" link in settings. Beginning with the Fall Creators Update, users can reset their PIN above the lock screen by clicking the "I forgot my PIN" link on the PIN credential provider. - -> [!VIDEO https://www.youtube.com/embed/KcVTq8lTlkI] - -For on-premises deployments, devices must be well connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can onboard their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network. - -### Do I need Windows Server 2016 domain controllers? -There are many deployment options from which to choose. Some of those options require an adequate number of Windows Server 2016 domain controllers in the site where you have deployed Windows Hello for Business. There are other deployment options that use existing Windows Server 2008 R2 or later domain controllers. Choose the deployment option that best suits your environment - -### Is Windows Hello for Business multifactor authentication? -Windows Hello for Business is two-factor authentication based the observed authentication factors of: something you have, something you know, and something part of you. Windows Hello for Business incorporates two of these factors: something you have (the user's private key protected by the device's security module) and something you know (your PIN). With the proper hardware, you can enhance the user experience by introducing biometrics. Using biometrics, you can replace the "something you know" authentication factor with the "something that is part of you" factor, with the assurances that users can fall back to the "something you know factor". - -### Can I use PIN and biometrics to unlock my device? 
-Starting in Windows 10, version 1709, you can use multifactor unlock to require the user to provide an additional factor to unlock the device. Authentication remains two-factor, but another factor is required before Windows allows the user to reach the desktop. Read more about [multifactor unlock](https://docs.microsoft.com/en-us/windows/access-protection/hello-for-business/hello-features#multifactor-unlock) in [Windows Hello for Business Features](#hello-features.md) - -### What is the difference between Windows Hello and Windows Hello for Business -Windows Hello represents the biometric framework provided in Windows 10. Windows Hello enables users to use biometrics to sign into their devices by securely storing their username and password and releasing it for authentication when the user successfully identifies themselves using biometrics. Windows Hello for Business uses asymmetric keys protected by the device's security module that requires a user gesture (PIN or biometrics) to authenticate. - -### I have extended Active Directory to Azure Active Directory. Can I use the on-prem deployment model? -No. If your organization is federated or using online services, such as Office 365 or OneDrive, then you must use a hybrid deployment model. On-premises deployments are exclusive to organization who need more time before moving to the cloud and exclusively use Active Directory. - -### Does Windows Hello for Business prevent the use of simple PINs? -Yes. Our simple PIN algorithm looks for and disallows any PIN that has a constant delta from one digit to the next. This prevents repeating numbers, sequential numbers and simple patterns. 
-So, for example: -* 1111 has a constant delta of 0, so it is not allowed -* 1234 has a constant delta of 1, so it is not allowed -* 1357 has a constant delta of 2, so it is not allowed -* 9630 has a constant delta of -3, so it is not allowed -* 1231 does not have a constant delta, so it is okay -* 1593 does not have a constant delta, so it is okay - -This algorithm does not apply to alphanumeric PINs. - -### How does PIN caching work with Windows Hello for Business? -Windows Hello for Business provides a PIN caching user experience using a ticketing system. Rather than caching a PIN, processes cache a ticket they can use to request private key operations. Azure AD and Active Directory sign-in keys are cached under lock. This means the keys remain available for use without prompting as long as the user is interactively signed-in. Microsoft Account sign-in keys are considered transactional keys, which means the user is always prompted when accessing the key. - -Beginning with Windows 10, Fall Creators Update, Windows Hello for Business used as a smart card (smart card emulation that is enabled by default) provides the same user experience of default smart card PIN caching. Each process requesting a private key operation will prompt the user for the PIN on first use. Subsequent private key operations will not prompt the user for the PIN. - -The smart card emulation feature of Windows Hello for Business verifies the PIN and then discards the PIN in exchange for a ticket. The process does not receive the PIN, but rather the ticket that grants them private key operations. Windows 10 does not provide any Group Policy settings to adjust this caching. - -### Can I disable the PIN while using Windows Hello for Business? -No. The movement away from passwords is accomplished by gradually reducing the use of the password. In the occurence where you cannot authenticate with biometrics, you need a fall back mechansim that is not a password. The PIN is the fall back mechansim. 
Disabling or hiding the PIN credential provider disabled the use of biometrics. - -### Does Windows Hello for Business work with third party federation servers? -Windows Hello for Business can work with any third-party federation servers that support the protocols used during provisioning experience. Interested third-parties can inquiry at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration) - -| Protocol | Description | -| :---: | :--- | -| [[MS-KPP]: Key Provisioning Protocol](https://msdn.microsoft.com/en-us/library/mt739755.aspx) | Specifies the Key Provisioning Protocol, which defines a mechanism for a client to register a set of cryptographic keys on a user and device pair. | -| [[MS-OAPX]: OAuth 2.0 Protocol Extensions](https://msdn.microsoft.com/en-us/library/dn392779.aspx)| Specifies the OAuth 2.0 Protocol Extensions, which are used to extend the OAuth 2.0 Authorization Framework. These extensions enable authorization features such as resource specification, request identifiers, and login hints. | -| [[MS-OAPXBC]: OAuth 2.0 Protocol Extensions for Broker Clients](https://msdn.microsoft.com/en-us/library/mt590278.aspx) | Specifies the OAuth 2.0 Protocol Extensions for Broker Clients, extensions to RFC6749 (The OAuth 2.0 Authorization Framework) that allow a broker client to obtain access tokens on behalf of calling clients. | -| [[MS-OIDCE]: OpenID Connect 1.0 Protocol Extensions](https://msdn.microsoft.com/en-us/library/mt766592.aspx) | Specifies the OpenID Connect 1.0 Protocol Extensions. These extensions define additional claims to carry information about the end user, including the user principal name, a locally unique identifier, a time for password expiration, and a URL for password change. These extensions also define additional provider metadata that enable the discovery of the issuer of access tokens and give additional information about provider capabilities. 
| - -### Does Windows Hello for Business work with Mac and Linux clients? -Windows Hello for Business is a feature of Windows 10. At this time, Microsoft is not developing clients for other platforms. However, Microsoft is open to third parties who are interested in moving these platforms away from passwords. Interested third parties can inqury at [whfbfeedback@microsoft.com](mailto:whfbfeedback@microsoft.com?subject=collaboration) - diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md index 03cf30c20c..125313997c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md 
@@ -9,16 +9,17 @@ ms.pagetype: security, mobile
 author: mikestephens-MS
 ms.author: mstephen
 ms.localizationpriority: medium
-ms.date: 03/26/2018
+ms.date: 08/19/2018
 ---
 # Prepare and Deploy Windows Server 2016 Active Directory Federation Services
 **Applies to**
-- Windows 10
+- Windows 10, version 1703 or later
+- On-premises deployment
+- Key trust
-> This guide only applies to Windows 10, version 1703 or higher.
-Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-prem key trust deployment uses Active Directory Federation Services roles for key registration and device registration.
+Windows Hello for Business works exclusively with the Active Directory Federation Service role included with Windows Server 2016 and requires an additional server update. The on-premises key trust deployment uses Active Directory Federation Services roles for key registration and device registration.
 The following guidance describes deploying a new instance of Active Directory Federation Services 2016 using the Windows Information Database as the configuration database, which is ideal for environments with no more than 30 federation servers and no more than 100 relying party trusts.
@@ -59,7 +60,7 @@ Be sure to enroll or import the certificate into the AD FS server’s computer c
 ### Internal Server Authentication Certificate Enrollment
-Sign-in the federation server with domain admin equivalent credentials.
+Sign-in the federation server with domain administrator equivalent credentials.
 1. Start the Local Computer **Certificate Manager** (certlm.msc).
 2. Expand the **Personal** node in the navigation pane.
 3. Right-click **Personal**. Select **All Tasks** and **Request New Certificate**.
@@ -134,7 +135,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
 1. Open **Active Directory Users and Computers**.
 2. Right-click the **Users** container, Click **New**. Click **User**.
 3. In the **New Object – User** window, type **adfssvc** in the **Full name** text box. Type **adfssvc** in the **User logon name** text box. Click **Next**.
-4. Enter and confirm a password for the **adfssvc** user. Clear the **User must change password at next logon** checkbox.
+4. Enter and confirm a password for the **adfssvc** user. Clear the **User must change password at next logon** check box.
 5. Click **Next** and then click **Finish**.
 ## Configure the Active Directory Federation Service Role
@@ -253,7 +254,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
 2. Click **Manage** and then click **Add Roles and Features**.
 3. Click **Next** On the **Before you begin** page.
 4. On the **Select installation type** page, select **Role-based or feature-based installation** and click **Next**.
-5. On the **Select destination server** page, chosoe **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**.
+5. On the **Select destination server** page, choose **Select a server from the server pool**. Select the federation server from the **Server Pool** list. Click **Next**.
 6. On the **Select server roles** page, click **Next**.
 7. Select **Network Load Balancing** on the **Select features** page.
 8. Click **Install** to start the feature installation
@@ -287,7 +288,7 @@ Sign-in a node of the federation farm with _Admin_ equivalent credentials.
 ## Configure DNS for Device Registration
-Sign-in the domain controller or administrative workstation with Domain Admin equivalent credentials. You’ll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server.
+Sign-in the domain controller or administrative workstation with domain administrator equivalent credentials. You’ll need the Federation service name to complete this task. You can view the federation service name by clicking **Edit Federation Service Properties** from the **Action** pan of the **AD FS** management console, or by using `(Get-AdfsProperties).Hostname.` (PowerShell) on the AD FS server.
 1. Open the **DNS Management** console.
 2. In the navigation pane, expand the domain controller name node and **Forward Lookup Zones**.
 3. In the navigation pane, select the node that has the name of your internal Active Directory domain name.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
index cd5414603f..67a8061c4d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-deploy-mfa.md
@@ -9,14 +9,15 @@ ms.pagetype: security, mobile author: mikestephens-MS ms.author: mstephen ms.localizationpriority: medium -ms.date: 10/10/2017 +ms.date: 08/19/2018 --- # Configure or Deploy Multifactor Authentication Services **Applies to** -- Windows 10 +- Windows 10, version 1703 or later +- On-premises deployment +- Key trust -> This guide only applies to Windows 10, version 1703 or higher. On-premises deployments must use the On-premises Azure MFA Server using the AD FS adapter model Optionally, you can use a third-party MFA server that provides an AD FS Multifactor authentication adapter. @@ -29,7 +30,7 @@ The Azure MFA Server and User Portal servers have several perquisites and must h ### Primary MFA Server -The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writeable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers. +The Azure MFA server uses a primary and secondary replication model for its configuration database. The primary Azure MFA server hosts the writable partition of the configuration database. All secondary Azure MFA servers hosts read-only partitions of the configuration database. All production environment should deploy a minimum of two MFA Servers. For this documentation, the primary MFA uses the name **mf*a*** or **mfa.corp.contoso.com**. All secondary servers use the name **mfa*n*** or **mfa*n*.corp.contoso.com**, where *n* is the number of the deployed MFA server. 
@@ -54,7 +55,7 @@ A server authentication certificate should appear in the computer’s Personal c
 #### Install the Web Server Role
-The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile App server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role.
+The Azure MFA server does not require the Web Server role, however, User Portal and the optional Mobile Application server communicate with the MFA server database using the MFA Web Services SDK. The MFA Web Services SDK uses the Web Server role.
 To install the Web Server (IIS) role, please follow [Installing IIS 7 on Windows Server 2008 or Windows Server 2008 R2](https://docs.microsoft.com/iis/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2) or [Installing IIS 8.5 on Windows Server 2012 R2](https://docs.microsoft.com/iis/install/installing-iis-85/installing-iis-85-on-windows-server-2012-r2) depending on the host Operating System you're going to use.
@@ -89,7 +90,7 @@ Sign in the primary MFA server with _administrator_ equivalent credentials.
 #### Configure the Web Service’s Security
-The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. Access control to the information is gated by membership to the Phonefactor Admins security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile App servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the Phonefactor Admins security group.
+The Azure MFA Server service runs in the security context of the Local System. The MFA User Portal gets its user and configuration information from the Azure MFA server using the MFA Web Services. Access control to the information is gated by membership to the Phonefactor Admins security group. You need to configure the Web Service’s security to ensure the User Portal and the Mobile Application servers can securely communicate to the Azure MFA Server. Also, all User Portal server administrators must be included in the Phonefactor Admins security group.
 Sign in the domain controller with _domain administrator_ equivalent credentials.
@@ -160,7 +161,7 @@ A server authentication certificate should appear in the computer’s Personal c
 #### Install the Web Server Role
-To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. However, do **not** install Security > Basic Authentication. The user portal server does not requiret this.
+To do this, please follow the instructions mentioned in the previous [Install the Web Server Role](#install-the-web-server-role) section. However, do **not** install Security > Basic Authentication. The user portal server does not require this.
 #### Update the Server
@@ -172,7 +173,7 @@ To do this, please follow the instructions mentioned in the previous [Configure
 #### Create WebServices SDK user account
-The User Portal and Mobile App web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server.
+The User Portal and Mobile Application web services need to communicate with the configuration database hosted on the primary MFA server. These services use a user account to communicate to authenticate to the primary MFA server. You can think of the WebServices SDK account as a service account used by other servers to access the WebServices SDK on the primary MFA server.
 1. Open **Active Directory Users and Computers**.
 2. In the navigation pane, expand the node with the organization’s Active Directory domain name. Right-click the **Users** container, select **New**, and select **User**.
@@ -234,12 +235,12 @@ Sign-in the primary MFA server with MFA _administrator_ equivalent credentials. 2. Click **Company Settings**. 3. On the **General** Tab, select **Fail Authentication** from the **When internet is not accessible** list. 4. In **User defaults**, select **Phone Call** or **Text Message** - **Note:** You can use mobile app; however, the configuration is beyond the scope of this document. Read [Getting started the MFA Server Mobile App Web Service](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice) to configure and use mobile app multi-factor authentication or the Install User Portal topic in the Multi-Factor Server help. + **Note:** You can use mobile application; however, the configuration is beyond the scope of this document. Read [Getting started the MFA Server Mobile App Web Service](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice) to configure and use mobile application multi-factor authentication or the Install User Portal topic in the Multi-Factor Server help. 5. Select **Enable Global Services** if you want to allow Multi-Factor Authentications to be made to telephone numbers in rate zones that have an associated charge. 6. Clear the **User can change phone** check box to prevent users from changing their phone during the Multi-Factor Authentication call or in the User Portal. A consistent configuration is for users to change their phone numbers in Active Directory and let those changes synchronize to the multi-factor server using the Synchronization features in Directory Integration. 7. Select **Fail Authentication** from the **When user is disabled** list. Users should provision their account through the user portal. 8. Select the appropriate language from the **Phone call language**, **Text message language**, **Mobile app language**, and **OATH token language** lists. -9. 
Under default PIN rules, Select the User can change PIN checkbox to enable users to change their PIN during multi-factor authentication and through the user portal. +9. Under default PIN rules, Select the User can change PIN check box to enable users to change their PIN during multi-factor authentication and through the user portal. 10. Configure the minimum length for the PIN. 11. Select the **Prevent weak PINs** check box to reject weak PINs. A weak PIN is any PIN that could be easily guessed by a hacker: 3 sequential digits, 3 repeating digits, or any 4 digit subset of user phone number are not allowed. If you clear this box, then there are no restrictions on PIN format. For example: User tries to reset PIN to 1235 and is rejected because it's a weak PIN. User will be prompted to enter a valid PIN. 12. Select the **Expiration days** check box if you want to expire PINs. If enabled, provide a numeric value representing the number of days the PIN is valid. 
@@ -255,9 +256,9 @@ Now that you have imported or synchronized with your Azure Multi-Factor Authenti
 With the Azure Multi-Factor Authentication Server there are various ways to configure your users for using multi-factor authentication. For instance, if you know the users’ phone numbers or were able to import the phone numbers into the Azure Multi-Factor Authentication Server from their company’s directory, the email will let users know that they have been configured to use Azure Multi-Factor Authentication, provide some instructions on using Azure Multi-Factor Authentication and inform the user of the phone number they will receive their authentications on.
-The content of the email will vary depending on the method of authentication that has been set for the user (e.g. phone call, SMS, mobile app). For example, if the user is required to use a PIN when they authenticate, the email will tell them what their initial PIN has been set to. Users are usually required to change their PIN during their first authentication.
+The content of the email will vary depending on the method of authentication that has been set for the user (e.g. phone call, SMS, mobile application). For example, if the user is required to use a PIN when they authenticate, the email will tell them what their initial PIN has been set to. Users are usually required to change their PIN during their first authentication.
-If users’ phone numbers have not been configured or imported into the Azure Multi-Factor Authentication Server, or users are pre-configured to use the mobile app for authentication, you can send them an email that lets them know that they have been configured to use Azure Multi-Factor Authentication and it will direct them to complete their account enrollment through the Azure Multi-Factor Authentication User Portal. A hyperlink will be included that the user clicks on to access the User Portal. When the user clicks on the hyperlink, their web browser will open and take them to their company’s Azure Multi-Factor Authentication User Portal.
+If users’ phone numbers have not been configured or imported into the Azure Multi-Factor Authentication Server, or users are pre-configured to use the mobile application for authentication, you can send them an email that lets them know that they have been configured to use Azure Multi-Factor Authentication and it will direct them to complete their account enrollment through the Azure Multi-Factor Authentication User Portal. A hyperlink will be included that the user clicks on to access the User Portal. When the user clicks on the hyperlink, their web browser will open and take them to their company’s Azure Multi-Factor Authentication User Portal.
 #### Settings
@@ -304,7 +305,7 @@ Sign in the primary MFA server with _MFA administrator_ equivalent credentials.
 2. From the **Multi-Factor Authentication Server** window, click the **Directory Integration** icon.
 3. Click the **Synchronization** tab.
 4. Select **Use Active Directory**.
-5. Select **Include trusted domains** to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the checkbox to improve performance.
+5. Select **Include trusted domains** to have the Multi-Factor Authentication Server attempt to connect to domains trusted by the current domain, another domain in the forest, or domains involved in a forest trust. When not importing or synchronizing users from any of the trusted domains, clear the check box to improve performance.
 #### Synchronization
@@ -352,7 +353,7 @@ The Web Service SDK section allows the administrator to install the Multi-Factor
 Remember the Web Services SDK is only need on the primary Multi-Factor to easily enable other servers access to the configuration information. The prerequisites section guided you through installing and configuring the items needed for the Web Services SDK, however the installer will validate the prerequisites and make suggest any corrective action needed.
-Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to intall the MFA Web Services SDK.
+Please follow the instructions under [Install the web service SDK](https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-server-webservice#install-the-web-service-sdk) to install the MFA Web Services SDK.
 ## Install Secondary MFA Servers
@@ -391,7 +392,7 @@ You previously configured the User Portal settings on the primary MFA server. T
 Sign in the primary MFA server with _local administrator_ equivalent credentials.
 1. Open Windows Explorer.
-2. Browse to the C:\Progam Files\MultiFactor Authentication Server folder.
+2. Browse to the C:\Program Files\MultiFactor Authentication Server folder.
 3. Copy the **MultiFactorAuthenticationUserPortalSetup64.msi** file to a folder on the User Portal server.
 ### Configure Virtual Directory name
@@ -410,7 +411,7 @@ Sign in the User Portal server with _local administrator_ equivalent credentials
 2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**.
 3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username.
 4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group.
-5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“http://localhost:4898/PfWsSdk.asmx”** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made.
+5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from **“http://localhost:4898/PfWsSdk.asmx”** to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **web.config** file after changes have been made.
 ### Create a DNS entry for the User Portal web site
@@ -453,7 +454,7 @@ Sign in the primary MFA server with _MFA administrator_ equivalent credentials.
 3. On the Settings tab, type the URL your users use to access the User Portal. The URL should begin with https, such as `https://mfaportal.corp.contoso.com/mfa`. The Multi-Factor Authentication Server uses this information when sending emails to users.
 4. Select Allow users to log in and Allow user enrollment check boxes.
-5. Select Allow users to select method. Select Phone call and select Text message (you can select Mobile app later once you have deployed the Mobile app web service). Select Automatically trigger user’s default method.
+5. Select Allow users to select method. Select Phone call and select Text message (you can select Mobile application later once you have deployed the Mobile application web service). Select Automatically trigger user’s default method.
 6. Select Allow users to select language.
 7. Select Use security questions for fallback and select 4 from the Questions to answer list.
@@ -495,7 +496,7 @@ Sign in the primary AD FS server with _local administrator_ equivalent credentia
 2. Locate the **USE_WEB_SERVICE_SDK** key and change the value from **false** to **true**.
 3. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_USERNAME** key and set the value to the username of the Web Service SDK account in the **PhoneFactor Admins** security group. Use a qualified username, like domain\username or machine\username.
 4. Locate the **WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD** key and set the value to the password of the Web Service SDK account in the **PhoneFactor Admins** security group.
-5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “http://localhost:4898/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made.
+5. Locate the **pfup_pfwssdk_PfWsSdk** setting and change the value from “http://localhost:4898/PfWsSdk.asmx” to the URL of the Web Service SDK that is running on the Azure Multi-Factor Authentication Server (e.g. https://computer1.domain.local/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx). Since SSL is used for this connection, refer to the Web Service SDK by server name, not IP address, since the SSL certificate was issued for the server name. If the server name does not resolve to an IP address from the Internet-facing server, add an entry to the hosts file on that server to map the name of the Azure Multi-Factor Authentication Server to its IP address. Save the **MultiFactorAuthenticationAdfsAdapter.config** file after changes have been made.
 ### Edit the AD FS Adapter Windows PowerShell cmdlet
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
index 69e6e36112..bbc808feae 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
@@ -9,14 +9,15 @@ ms.pagetype: security, mobile
 author: mikestephens-MS
 ms.author: mstephen
 ms.localizationpriority: medium
-ms.date: 10/10/2017
+ms.date: 08/19/2018
 ---
 # Configure Windows Hello for Business Policy settings
 **Applies to** - Windows 10
+- Windows 10, version 1703 or later
+- On-premises deployment
+- Key trust
-> This guide only applies to Windows 10, version 1703 or higher.
 You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/en-us/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
@@ -76,7 +77,7 @@ The default configuration for Windows Hello for Business is to prefer hardware p
 You can enable and deploy the **Use a hardware security device** Group Policy Setting to force Windows Hello for Business to only create hardware protected credentials. Users that sign-in from a computer incapable of creating a hardware protected credential do not enroll for Windows Hello for Business.
-Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiven during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
+Another policy setting becomes available when you enable the **Use a hardware security device** Group Policy setting that enables you to prevent Windows Hello for Business enrollment from using version 1.2 Trusted Platform Modules (TPM). Version 1.2 TPMs typically perform cryptographic operations slower than version 2.0 TPMs and are more unforgiving during anti-hammering and PIN lockout activities. Therefore, some organization may want not want slow sign-in performance and management overhead associated with version 1.2 TPMs. To prevent Windows Hello for Business from using version 1.2 TPMs, simply select the TPM 1.2 check box after you enable the Use a hardware security device Group Policy object.
 ### Use biometrics
@@ -105,7 +106,7 @@ In the Windows 10, version 1703, the PIN complexity Group Policy settings have m
 Before you continue with the deployment, validate your deployment progress by reviewing the following items:
 * Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Widows 10 Creators Editions)
 * Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User)
-* Confirm you configure the Use Certificate enrollment for on-prem authentication policy setting.
+* Confirm you configure the Use Certificate enrollment for on-premises authentication policy setting.
 * Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User)
 * Confirm you configured the proper security settings for the Group Policy object
 * Removed the allow permission for Apply Group Policy for Domain Users (Domain Users must always have the read permissions)
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
index da6751970c..9c5067319d 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
@@ -8,19 +8,21 @@ ms.sitesec: library
 ms.pagetype: security, mobile
 author: DaniHalfin
 ms.localizationpriority: medium
-ms.author: daniha
-ms.date: 10/23/2017
+author: mikestephens-MS
+ms.author: mstephen
+ms.date: 08/19/2018
 ---
 # Validate Active Directory prerequisites
 **Applies to**
-- Windows 10
+- Windows 10, version 1703 or later
+- On-premises deployment
+- Key trust
-> This guide only applies to Windows 10, version 1703 or higher.
 Key trust deployments need an adequate number of 2016 domain controllers to ensure successful user authentication with Windows Hello for Business. To learn more about domain controller planning for key trust deployments, read the [Windows Hello for Business planning guide](hello-planning-guide.md), the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) section.
-The key registration process for the On-prem deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2.
+The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory schema. The key-trust model receives the schema extension when the first Windows Server 2016 domain controller is added to the forest. The minimum required domain functional and forest functional levels for Windows Hello for Business deployment is Windows Server 2008 R2.
 ## Create the Windows Hello for Business Users Security Global Group
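Review bot: The new front matter in this hunk ends up with two `author` keys, because the unchanged `author: DaniHalfin` line stays as context and `author: mikestephens-MS` is added a few lines below it. Parsers differ on duplicate YAML keys (many keep the last one, some reject the document), so the page owner recorded for this Active Directory prerequisites topic is ambiguous. Replace the existing line rather than adding a second one, so the block carries a single `author: mikestephens-MS` next to `ms.author: mstephen`.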
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
index 8980d9d210..f657b6ca14 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
@@ -9,20 +9,21 @@ ms.pagetype: security, mobile
 author: mikestephens-MS
 ms.author: mstephen
 ms.localizationpriority: medium
-ms.date: 10/10/2017
+ms.date: 08/19/2018
 ---
 # Validate and Deploy Multifactor Authentication Services (MFA)
 **Applies to**
-- Windows 10
+- Windows 10, version 1703 or later
+- On-premises deployment
+- Key trust
-> This guide only applies to Windows 10, version 1703 or higher.
 Windows Hello for Business requires all users perform an additional factor of authentication prior to creating and registering a Windows Hello for Business credential. Windows Hello for Business deployments use Azure Multi-Factor Authentication (Azure MFA) services for the secondary authentication. On-Premises deployments use Azure MFA server, an on-premises implementation that do not require synchronizing Active Directory credentials to Azure Active Directory. Azure Multi-Factor Authentication is an easy to use, scalable, and reliable solution that provides a second method of authentication so your users are always protected.
 * **Easy to Use** - Azure Multi-Factor Authentication is simple to set up and use. The extra protection that comes with Azure Multi-Factor Authentication allows users to manage their own devices. Best of all, in many instances it can be set up with just a few simple clicks.
-* **Scalable** - Azure Multi-Factor Authentication uses the power of the cloud and integrates with your on-premises AD and custom apps. This protection is even extended to your high-volume, mission-critical scenarios.
+* **Scalable** - Azure Multi-Factor Authentication uses the power of the cloud and integrates with your on-premises AD and custom applications. This protection is even extended to your high-volume, mission-critical scenarios.
 * **Always Protected** - Azure Multi-Factor Authentication provides strong authentication using the highest industry standards.
 * **Reliable** - We guarantee 99.9% availability of Azure Multi-Factor Authentication. The service is considered unavailable when it is unable to receive or process verification requests for the two-step verification.
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
index 2d65964f36..764dacd461 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
@@ -8,15 +8,16 @@ ms.sitesec: library
 ms.pagetype: security, mobile
 author: mikestephens-MS
 ms.author: mstephen
-ms.localizationpriority: medium
-ms.date: 10/10/2017
+localizationpriority: high
+ms.date: 08/19/2018
 ---
 # Validate and Configure Public Key Infrastructure
 **Applies to**
-- Windows 10
+- Windows 10, version 1703 or later
+- On-premises deployment
+- Key trust
-> This guide only applies to Windows 10, version 1703 or higher.
 Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller.
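Review bot: The metadata key in the hello-key-trust-validate-pki.md front matter is renamed as well as re-valued: `ms.localizationpriority: medium` becomes `localizationpriority: high`, dropping the `ms.` prefix that the other files in this commit keep (hello-overview.md changes the same field to `ms.localizationpriority: high`). If the publishing build only reads the prefixed key, the new value is probably ignored, so I would write `ms.localizationpriority: high` here. The same unprefixed key is introduced in the front-matter hunk of hello-planning-guide.md.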
@@ -60,7 +61,7 @@ Sign-in to a certificate authority or management workstations with _Domain Admin
 1. Open the **Certificate Authority** management console.
 2. Right-click **Certificate Templates** and click **Manage**.
 3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**.
-4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
+4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list.
 5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs.
 **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
 6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items.
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index 499d76b162..f367ae301e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -17,7 +17,6 @@ ms.date: 10/18/2017
 **Applies to**
 - Windows 10
-- Windows 10 Mobile
 You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index e37f8cbe0f..0d044aa31e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -6,15 +6,15 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, mobile
-author: DaniHalfin
-ms.localizationpriority: medium
-ms.date: 07/27/2017
+author: mikestephens-MS
+ms.author: mstephen
+ms.localizationpriority: high
+ms.date: 05/05/2018
 ---
 # Windows Hello for Business Overview
 **Applies to**
 - Windows 10
-- Windows 10 Mobile
 In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
@@ -53,15 +53,14 @@ Windows stores biometric data that is used to implement Windows Hello securely o
 - Windows Hello for Business, which is configured by Group Policy or mobile device management (MDM) policy, uses key-based or certificate-based authentication.
-- Currently Active Directory accounts using Windows Hello are not backed by key-based or certificate-based authentication. Support for key-based or certificate-based authentication is on the roadmap for a future release.
 ## Benefits of Windows Hello
 Reports of identity theft and large-scale hacking are frequent headlines. Nobody wants to be notified that their user name and password have been exposed.
-You may wonder [how a PIN can help protect a device better than a password](hello-why-pin-is-better-than-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone. Because they're stored on the server, a server breach can reveal those stored credentials.
+You may wonder [how a PIN can help protect a device better than a password](hello-why-pin-is-better-than-password.md). Passwords are shared secrets; they are entered on a device and transmitted over the network to the server. An intercepted account name and password can be used by anyone, anywhere. Because they're stored on the server, a server breach can reveal those stored credentials.
-In Windows 10, Windows Hello replaces passwords. When the identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identity provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services.
+In Windows 10, Windows Hello replaces passwords. When the identity provider supports keys, the Windows Hello provisioning process creates a cryptographic key pair bound to the Trusted Platform Module (TPM), if a device has a TPM 2.0, or in software. Access to these keys and obtaining a signature to validate user possession of the private key is enabled only by the PIN or biometric gesture. The two-step verification that takes place during Windows Hello enrollment creates a trusted relationship between the identity provider and the user when the public portion of the public/private key pair is sent to an identity provider and associated with a user account. When a user enters the gesture on the device, the identity provider knows from the combination of Hello keys and gesture that this is a verified identity and provides an authentication token that allows Windows 10 to access resources and services.
 >[!NOTE]
 >Windows Hello as a convenience sign-in uses regular user name and password authentication, without the user entering the password.
@@ -79,8 +78,8 @@ Windows Hello helps protect user identities and user credentials. Because the us
 - Windows Hello credentials are based on certificate or asymmetrical key pair. Windows Hello credentials can be bound to the device, and the token that is obtained using the credential is also bound to the device.
 - Identity provider (such as Active Directory, Azure AD, or a Microsoft account) validates user identity and maps the Windows Hello public key to a user account during the registration step.
 - Keys can be generated in hardware (TPM 1.2 or 2.0 for enterprises, and TPM 2.0 for consumers) or software, based on the policy.
-- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (Windows Hello). The Windows Hello gesture does not roam between devices and is not shared with the server; it is stored locally on a device.
-- Private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process.
+- Authentication is the two-factor authentication with the combination of a key or certificate tied to a device and something that the person knows (a PIN) or something that the person is (biometrics). The Windows Hello gesture does not roam between devices and is not shared with the server. Biometrics templates are stored locally on a device. The PIN is never stored or shared.
+- The private key never leaves a device when using TPM. The authenticating server has a public key that is mapped to the user account during the registration process.
 - PIN entry and biometric gesture both trigger Windows 10 to use the private key to cryptographically sign data that is sent to the identity provider. The identity provider verifies the user's identity and authenticates the user.
 - Personal (Microsoft account) and corporate (Active Directory or Azure AD) accounts use a single container for keys. All keys are separated by identity providers' domains to help ensure user privacy.
 - Certificate private keys can be protected by the Windows Hello container and the Windows Hello gesture.
@@ -99,17 +98,12 @@ Windows Hello for Business can use either keys (hardware or software) or certifi
 [Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy
-[What's new in Active Directory Domain Services (AD DS) in Windows Server Technical Preview](https://go.microsoft.com/fwlink/p/?LinkId=708533)
-
 [Windows Hello face authentication](https://go.microsoft.com/fwlink/p/?LinkId=626024)
-[Biometrics hardware guidelines](https://go.microsoft.com/fwlink/p/?LinkId=626995)
-
 [Windows 10: Disrupting the Revolution of Cyber-Threats with Revolutionary Security!](https://go.microsoft.com/fwlink/p/?LinkId=533890)
 [Windows 10: The End Game for Passwords and Credential Theft?](https://go.microsoft.com/fwlink/p/?LinkId=533891)
-[Authenticating identities without passwords through Windows Hello for Business](https://go.microsoft.com/fwlink/p/?LinkId=616778)
 ## Related topics
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index e13cabd2e5..b762cb48f0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -8,8 +8,8 @@ ms.sitesec: library
 ms.pagetype: security, mobile
 author: mikestephens-MS
 ms.author: mstephen
-ms.localizationpriority: medium
-ms.date: 03/26/2018
+localizationpriority: high
+ms.date: 08/19/2018
 ---
 # Planning a Windows Hello for Business Deployment
@@ -73,7 +73,7 @@ A deployment's trust type defines how each Windows Hello for Business client aut
 The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during an in-box provisioning experience, which requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
-The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the in-box provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers. Users can authentice using their certificate to any Windows Server 2008 R2 or later domain controller.
+The certificate trust type issues authentication certificates to end users. Users authenticate using a certificate requested using a hardware-bound key created during the in-box provisioning experience. Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers. Users can authenticate using their certificate to any Windows Server 2008 R2 or later domain controller.
 #### Device registration
@@ -85,9 +85,9 @@ The in-box Windows Hello for Business provisioning experience creates a hardware #### Multifactor authentication -The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The inbox provisioning experience accepts the user’s weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential. +The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication. The in-box provisioning experience accepts the user’s weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential. -Cloud only and hybrid deployments provide many choices for multifactor authentication. On-premises deployments must use a multifactor authentication that provides an AD FS multifactor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure Multifactor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information). +Cloud only and hybrid deployments provide many choices for multi-factor authentication. On-premises deployments must use a multi-factor authentication that provides an AD FS multi-factor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. 
Organizations can use the on-premises Azure Multi-factor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information). >[!NOTE] > Azure Multi-Factor Authentication is available through: >* Microsoft Enterprise Agreement @@ -128,7 +128,7 @@ Hybrid and on-premises deployments include Active Directory as part of their inf ### Public Key Infrastructure -The Windows Hello for Business deployment depends on an enterprise public key infrastructure as a trust anchor for authentication. Domain controllers for hybrid and on-prem deployments need a certificate in order for Windows 10 devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources. +The Windows Hello for Business deployment depends on an enterprise public key infrastructure as a trust anchor for authentication. Domain controllers for hybrid and on-premises deployments need a certificate in order for Windows 10 devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources. ### Cloud 
@@ -163,7 +163,7 @@ Choose a trust type that is best suited for your organizations. Remember, the t One trust model is not more secure than the other. The major difference is based on the organization comfort with deploying Windows Server 2016 domain controllers and not enrolling users with end entity certificates (key-trust) against using existing domain controllers (Windows Server 2008R2 or later) and needing to enroll certificates for all their users (certificate trust). -Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accomodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployements includes a certificate registration authority. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. +Because the certificate trust types issues certificates, there is more configuration and infrastructure needed to accommodate user certificate enrollment, which could also be a factor to consider in your decision. Additional infrastructure needed for certificate-trust deployments includes a certificate registration authority. Hybrid Azure AD joined devices managed by Group Policy need the Windows Server 2016 AD FS role to issue certificates. Hybrid Azure AD joined devices and Azure AD joined devices managed by Intune or a compatible MDM need the Windows Server NDES server role to issue certificates. If your organization wants to use the key trust type, write **key trust** in box **1b** on your planning worksheet. Write **Windows Server 2016** in box **4d**. Write **N/A** in box **5b**. 
@@ -187,17 +187,17 @@ If box **1a** on your planning worksheet reads **on-premises**, write **AD FS** ### Directory Synchronization -Windows Hello for Business is strong user authentication, which usually means there is an identity (a user or username) and a credential (typically a key pair). Some operations require writing or reading user data to or from the directory. For example, reading the user’s phone number to perform multifactor authentication during provisioning or writing the user’s public key. +Windows Hello for Business is strong user authentication, which usually means there is an identity (a user or username) and a credential (typically a key pair). Some operations require writing or reading user data to or from the directory. For example, reading the user’s phone number to perform multi-factor authentication during provisioning or writing the user’s public key. If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **1e**. User information is written directly to Azure Active Directory and there is not another directory with which the information must be synchronized. If box **1a** on your planning worksheet reads **hybrid**, then write **Azure AD Connect** in box **1e** on your planning worksheet. -If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multifactor authentication. The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multifactor authentication while the user’s credential remain on the on-premises network. +If box **1a** on your planning worksheet reads **on-premises**, then write **Azure MFA Server**. This deployment exclusively uses Active Directory for user information with the exception of the multi-factor authentication. 
The on-premises Azure MFA server synchronizes a subset of the user information, such as phone number, to provide multi-factor authentication while the user’s credential remain on the on-premises network. ### Multifactor Authentication -The goal of Windows Hello for Business is to move user authentication away from passwords to a strong, key-based user authentication. Passwords are weak credentials and cannot be trusted by themselves as an attacker with a stolen password could be attempting to enroll in Windows Hello for Business. To keep the transition from a weak to a strong credential secure, Windows Hello for Business relies on multifactor authentication during provisioning to have some assurances that the user identity provisioning a Windows Hello for Business credential is the proper identity. +The goal of Windows Hello for Business is to move user authentication away from passwords to a strong, key-based user authentication. Passwords are weak credentials and cannot be trusted by themselves as an attacker with a stolen password could be attempting to enroll in Windows Hello for Business. To keep the transition from a weak to a strong credential secure, Windows Hello for Business relies on multi-factor authentication during provisioning to have some assurances that the user identity provisioning a Windows Hello for Business credential is the proper identity. If box **1a** on your planning worksheet reads **cloud only**, then your only option is to use the Azure MFA cloud service. Write **Azure MFA** in box **1f** on your planning worksheet. 
@@ -311,9 +311,9 @@ Windows Hello for Business does not require an Azure AD premium subscription. H If box **1a** on your planning worksheet reads **on-premises**, write **No** in box **6c** on your planning worksheet. -If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account (additional costs needed for multifactor authentication). +If box **1a** on your planning worksheet reads **hybrid** and box **1b** reads **key trust**, write **No** in box **6c** on your planning worksheet. You can deploy Windows Hello for Business using the free Azure Active Directory account (additional costs needed for multi-factor authentication). -If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device writeback—an Azure AD Premium feature. +If box **5b** on your planning worksheet reads **AD FS RA**, write **Yes** in box **6c** on your planning worksheet. Enrolling a certificate using the AD FS registration authority requires devices to authenticate to the AD FS server, which requires device write-back, an Azure AD Premium feature. Modern managed devices do not require an Azure AD premium subscription. By forgoing the subscription, your users must manually enroll devices in the modern management software, such as Intune or a supported third-party MDM. diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md index df783bb5d9..363636202f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md @@ -7,17 +7,16 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -author: DaniHalfin +author: mikestephens-MS +ms.author: mstephen ms.localizationpriority: medium -ms.author: daniha -ms.date: 07/27/2017 +ms.date: 08/19/2018 --- # Prepare people to use Windows Hello **Applies to** - Windows 10 -- Windows 10 Mobile When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello. @@ -37,7 +36,7 @@ Next, they select a way to connect. Tell the people in your enterprise which opt ![choose how you'll connect](images/connect.png) -They sign in, and are then asked to verify their identity. People have options to choose from, such as a text message, phone call, or authentication app. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length. +They sign in, and are then asked to verify their identity. People have options to choose from a text message, phone call, or the authentication application. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length. After Hello is set up, people use their PIN to unlock the device, and that will automatically log them on. diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md new file mode 100644 index 0000000000..6c6251b3f1 --- /dev/null +++ b/windows/security/identity-protection/hello-for-business/hello-videos.md 
@@ -0,0 +1,46 @@ +--- +title: Windows Hello for Business Videos +description: Windows Hello for Business Videos +keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security, mobile +author: mikestephens-MS +ms.author: mstephen +localizationpriority: high +ms.date: 08/19/2018 +--- +# Windows Hello for Business Videos + +**Applies to** +- Windows 10 + +## Overview of Windows Hello for Business and Features + +Watch Pieter Wigleven explain Windows Hello for Business, Multi-factor Unlock, and Dynamic Lock +> [!VIDEO https://www.youtube.com/embed/G-GJuDWbBE8] + +## Microsoft's passwordless strategy + +Watch Karanbir Singh's Ignite 2017 presentation **Microsoft's guide for going password-less** + +> [!VIDEO https://www.youtube.com/embed/mXJS615IGLM] + +## Windows Hello for Business user enrollment experience + +The user experience for Windows Hello for Business occurs after user sign-in, after you deploy Windows Hello for Business policy settings to your environment. + +> [!VIDEO https://www.youtube.com/embed/FJqHPTZTpNM] + +
        + +> [!VIDEO https://www.youtube.com/embed/etXJsZb8Fso] + +## Windows Hello for Business forgotten PIN user experience + +If the user can sign-in with a password, they can reset their PIN by clicking the "I forgot my PIN" link in settings. Beginning with the Fall Creators Update, users can reset their PIN above the lock screen by clicking the "I forgot my PIN" link on the PIN credential provider. + +> [!VIDEO https://www.youtube.com/embed/KcVTq8lTlkI] + +For on-premises deployments, devices must be well connected to their on-premises network (domain controllers and/or certificate authority) to reset their PINs. Hybrid customers can on-board their Azure tenant to use the Windows Hello for Business PIN reset service to reset their PINs without access to their corporate network. \ No newline at end of file diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md index d0cd963ed7..c7eae511cd 100644 --- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md +++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md @@ -17,7 +17,6 @@ ms.date: 10/23/2017 **Applies to** - Windows 10 -- Windows 10 Mobile Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password? On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works. 
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png b/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png
new file mode 100644
index 0000000000..2a5658b1a9
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/AADConnectSchema.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/Certificate-CDP.png b/windows/security/identity-protection/hello-for-business/images/aadj/Certificate-CDP.png
new file mode 100644
index 0000000000..34a1cf932a
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/Certificate-CDP.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png b/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png
new file mode 100644
index 0000000000..88aaf424f0
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-00.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png b/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png
new file mode 100644
index 0000000000..3d547d05fc
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/IntuneWHFBPolicy-01.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/cdp-disable-caching.png b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-disable-caching.png
new file mode 100644
index 0000000000..bb66d1a699
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-disable-caching.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/cdp-extension-complete-http.png b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-extension-complete-http.png
new file mode 100644
index 0000000000..2d4f57993d
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-extension-complete-http.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/cdp-extension-complete-unc.png b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-extension-complete-unc.png
new file mode 100644
index 0000000000..edeb6d971e
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-extension-complete-unc.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/cdp-extension-new-location.png b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-extension-new-location.png
new file mode 100644
index 0000000000..a56d495089
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-extension-new-location.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/cdp-ntfs-permissions.png b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-ntfs-permissions.png
new file mode 100644
index 0000000000..79a72ae29f
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-ntfs-permissions.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/cdp-share-permissions.png b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-share-permissions.png
new file mode 100644
index 0000000000..30da456ff0
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-share-permissions.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/cdp-sharing.png b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-sharing.png
new file mode 100644
index 0000000000..4efa6708c6
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/cdp-sharing.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/certlm-cert-path-tab.png b/windows/security/identity-protection/hello-for-business/images/aadj/certlm-cert-path-tab.png
new file mode 100644
index 0000000000..9f19625b42
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/certlm-cert-path-tab.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/certlm-export-root-certificate.png b/windows/security/identity-protection/hello-for-business/images/aadj/certlm-export-root-certificate.png
new file mode 100644
index 0000000000..fa835f58dc
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/certlm-export-root-certificate.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/certlm-personal-store.png b/windows/security/identity-protection/hello-for-business/images/aadj/certlm-personal-store.png
new file mode 100644
index 0000000000..daa8efae51
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/certlm-personal-store.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/certlm-renew-with-new-key.png b/windows/security/identity-protection/hello-for-business/images/aadj/certlm-renew-with-new-key.png
new file mode 100644
index 0000000000..efad4471ca
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/certlm-renew-with-new-key.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/certlm-root-cert-details-tab.png b/windows/security/identity-protection/hello-for-business/images/aadj/certlm-root-cert-details-tab.png
new file mode 100644
index 0000000000..4f34de2e73
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/certlm-root-cert-details-tab.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/dc-cert-with-new-cdp.png b/windows/security/identity-protection/hello-for-business/images/aadj/dc-cert-with-new-cdp.png
new file mode 100644
index 0000000000..174ee56fd0
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/dc-cert-with-new-cdp.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/dns-new-host-dialog.png b/windows/security/identity-protection/hello-for-business/images/aadj/dns-new-host-dialog.png
new file mode 100644
index 0000000000..4076e6ad33
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/dns-new-host-dialog.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/dsregcmd.png b/windows/security/identity-protection/hello-for-business/images/aadj/dsregcmd.png
new file mode 100644
index 0000000000..cacbcf0737
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/dsregcmd.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/iis-add-virtual-directory.png b/windows/security/identity-protection/hello-for-business/images/aadj/iis-add-virtual-directory.png
new file mode 100644
index 0000000000..b33235ec14
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/iis-add-virtual-directory.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/iis-config-editor-allowDoubleEscaping.png b/windows/security/identity-protection/hello-for-business/images/aadj/iis-config-editor-allowDoubleEscaping.png
new file mode 100644
index 0000000000..20fbffbd85
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/iis-config-editor-allowDoubleEscaping.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/iis-config-editor-requestFiltering.png b/windows/security/identity-protection/hello-for-business/images/aadj/iis-config-editor-requestFiltering.png
new file mode 100644
index 0000000000..8c057c4d29
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/iis-config-editor-requestFiltering.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png
new file mode 100644
index 0000000000..caacf8a566
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-device-config-profile.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png
new file mode 100644
index 0000000000..226f85eeb0
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/intune-create-trusted-certificate-profile.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png b/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png
new file mode 100644
index 0000000000..067c109808
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/intune-device-config-enterprise-root-assignment.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/publish-new-crl.png b/windows/security/identity-protection/hello-for-business/images/aadj/publish-new-crl.png
new file mode 100644
index 0000000000..b9176ebfc4
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/publish-new-crl.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadj/validate-cdp-using-browser.png b/windows/security/identity-protection/hello-for-business/images/aadj/validate-cdp-using-browser.png
new file mode 100644
index 0000000000..59ff4c01d2
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadj/validate-cdp-using-browser.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AADConnectOnPremDN.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/AADConnectOnPremDN.png
new file mode 100644
index 0000000000..c2a4f36704
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/AADConnectOnPremDN.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureADCreateWHFBCertGroup.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureADCreateWHFBCertGroup.png
new file mode 100644
index 0000000000..c54b8061cd
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureADCreateWHFBCertGroup.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-01.png
new file mode 100644
index 0000000000..1e8f3268a2
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-01.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-02.png
new file mode 100644
index 0000000000..23e573ba1a
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-02.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-03.png
new file mode 100644
index 0000000000..2482c97c25
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-03.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-AppProxyConfig.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-AppProxyConfig.png
new file mode 100644
index 0000000000..3a31bdd905
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-AppProxyConfig.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Default.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Default.png
new file mode 100644
index 0000000000..336da91706
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Default.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Empty.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Empty.png
new file mode 100644
index 0000000000..9a78424978
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Empty.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-NewConnectorGroup.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-NewConnectorGroup.png
new file mode 100644
index 0000000000..c620c6593c
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-NewConnectorGroup.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png
new file mode 100644
index 0000000000..f2c38239f3
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-01.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png
new file mode 100644
index 0000000000..74cea5f0b5
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-02.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png
new file mode 100644
index 0000000000..e95fd1b9ba
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorConfig-04.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png
new file mode 100644
index 0000000000..c973e43aec
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-01.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png
new file mode 100644
index 0000000000..70aaa2db9d
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-03.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png
new file mode 100644
index 0000000000..eadf1eb285
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-05.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png
new file mode 100644
index 0000000000..56cced034f
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-06.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png
new file mode 100644
index 0000000000..e4e4555942
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneCertConnectorInstall-07.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneConfigCertRevocation-02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneConfigCertRevocation-02.png
new file mode 100644
index 0000000000..1f5512c1a5
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneConfigCertRevocation-02.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png
new file mode 100644
index 0000000000..390bfecafd
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCertAuthority.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png
new file mode 100644
index 0000000000..a136973f04
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDeviceConfigurationCreateProfile.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png
new file mode 100644
index 0000000000..c78baecd49
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneDownloadCertConnector.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png
new file mode 100644
index 0000000000..96fe45bbcf
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-00.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png
new file mode 100644
index 0000000000..004d3a3f25
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-01.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png
new file mode 100644
index 0000000000..9d66d330fd
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-03.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png
new file mode 100644
index 0000000000..dea61f116e
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfile-04.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png
new file mode 100644
index 0000000000..831e12fe59
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/IntuneWHFBScepProfileAssignment.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png
new file mode 100644
index 0000000000..21f4159d80
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/MicrosoftIntuneConsole.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-Bindings-Add-443.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-Bindings-Add-443.png
new file mode 100644
index 0000000000..00b75cbcd4
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-Bindings-Add-443.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-Bindings.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-Bindings.png
new file mode 100644
index 0000000000..89335a38fe
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-Bindings.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-Console.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-Console.png
new file mode 100644
index 0000000000..d1e5d924a5
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-Console.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-RequestFiltering.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-RequestFiltering.png
new file mode 100644
index 0000000000..100c33218b
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-IIS-RequestFiltering.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-01-show-Cert.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-01-show-Cert.png
new file mode 100644
index 0000000000..0e90f4ed40
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-01-show-Cert.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-01.png
new file mode 100644
index 0000000000..475313433f
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-01.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png
new file mode 100644
index 0000000000..49c4dee983
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDES-https-website-test-after-Intune-Connector.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-CA-SPN.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-CA-SPN.png
new file mode 100644
index 0000000000..a97f9f579a
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-CA-SPN.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-NDES-SPN.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-NDES-SPN.png
new file mode 100644
index 0000000000..a66dcb1d27
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-NDES-SPN.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegationTab.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegationTab.png
new file mode 100644
index 0000000000..fe3e125013
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegationTab.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/dotNet35sideByside.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/dotNet35sideByside.png
new file mode 100644
index 0000000000..9e17a4353a
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/dotNet35sideByside.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png
new file mode 100644
index 0000000000..c7015d5153
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig01.png
new file mode 100644
index 0000000000..d71124ff6b
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig01.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig02.png
new file mode 100644
index 0000000000..f2ee619ccc
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig02.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig03b.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig03b.png
new file mode 100644
index 0000000000..ac473ff1f1
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig03b.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig04.png
new file mode 100644
index 0000000000..42f44f1450
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig04.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig05.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig05.png
new file mode 100644
index 0000000000..2aaf619b44
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig05.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png
new file mode 100644
index 0000000000..0ec08ecbc0
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig06.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-HTTP-Activation.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-HTTP-Activation.png
new file mode 100644
index 0000000000..e049986459
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-HTTP-Activation.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-NDES-Role-Checked.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-NDES-Role-Checked.png
new file mode 100644
index 0000000000..03a63b4da1
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-NDES-Role-Checked.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-Role.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-Role.png
new file mode 100644
index 0000000000..a4081da362
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-Role.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-WebServer-Role.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-WebServer-Role.png
new file mode 100644
index 0000000000..deaef2b720
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-WebServer-Role.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-add-Features.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-add-Features.png
new file mode 100644
index 0000000000..81b0b2f36a
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-add-Features.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Destination-Server-NDES.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Destination-Server-NDES.png
new file mode 100644
index 0000000000..cd64efd4f8
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Destination-Server-NDES.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Post-NDES-YellowActionFlag.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Post-NDES-YellowActionFlag.png
new file mode 100644
index 0000000000..e7016550bc
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Post-NDES-YellowActionFlag.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/setSPN-CommandPrompt.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/setSPN-CommandPrompt.png
new file mode 100644
index 0000000000..fa38ebce96
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/aadjCert/setSPN-CommandPrompt.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/dc-chart1.png b/windows/security/identity-protection/hello-for-business/images/dc-chart1.png
deleted file mode 100644
index f5c8d3f2f3..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/dc-chart1.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/dc-chart2.png b/windows/security/identity-protection/hello-for-business/images/dc-chart2.png
deleted file mode 100644
index ff99966521..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/dc-chart2.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/dc-chart3.png b/windows/security/identity-protection/hello-for-business/images/dc-chart3.png
deleted file mode 100644
index bb0f940660..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/dc-chart3.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/dc-chart4.png b/windows/security/identity-protection/hello-for-business/images/dc-chart4.png
deleted file mode 100644
index ecdab58907..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/dc-chart4.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/dc-chart5.png b/windows/security/identity-protection/hello-for-business/images/dc-chart5.png
deleted file mode 100644
index 5671c2ecf7..0000000000
Binary files a/windows/security/identity-protection/hello-for-business/images/dc-chart5.png and /dev/null differ
diff --git a/windows/security/identity-protection/hello-for-business/images/four-steps-passwordless.png b/windows/security/identity-protection/hello-for-business/images/four-steps-passwordless.png
new file mode 100644
index 0000000000..8552a3ee2f
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/four-steps-passwordless.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-certtrust-kerb.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-certtrust-kerb.png
new file mode 100644
index 0000000000..344be6aa22
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-certtrust-kerb.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloud.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloud.png
new file mode 100644
index 0000000000..751e2fbe99
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-cloud.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-keytrust-kerb.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-keytrust-kerb.png
new file mode 100644
index 0000000000..095ebc3417
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-aadj-keytrust-kerb.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-certtrust.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-certtrust.png
new file mode 100644
index 0000000000..905d36fa8f
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-certtrust.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-keytrust.png b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-keytrust.png
new file mode 100644
index 0000000000..7f82cda5ae
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/auth-haadj-keytrust.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png
new file mode 100644
index 0000000000..454fe3df0a
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-federated.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png
new file mode 100644
index 0000000000..7f9774389c
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-aadj-managed.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png
new file mode 100644
index 0000000000..df7973e2ca
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-federated.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png
new file mode 100644
index 0000000000..eb3458bf76
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/devreg-hybrid-haadj-managed.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-federated.png
new file mode 100644
index 0000000000..dd7eee063e
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-federated.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-managed.png
new file mode 100644
index 0000000000..3e67ac6b42
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-aadj-managed.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png
new file mode 100644
index 0000000000..6011b3c66e
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-certtrust-managed.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-federated.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-federated.png
new file mode 100644
index 0000000000..b7f4927730
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-federated.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png
new file mode 100644
index 0000000000..ac1752b75b
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-instant-certtrust-managed.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-keytrust-managed.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-keytrust-managed.png
new file mode 100644
index 0000000000..5bf7d96a34
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-haadj-keytrust-managed.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-certtrust.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-certtrust.png
new file mode 100644
index 0000000000..6afa492270
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-certtrust.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-keytrust.png b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-keytrust.png
new file mode 100644
index 0000000000..3e051918ce
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/howitworks/prov-onprem-keytrust.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/00-HideCredProv.png b/windows/security/identity-protection/hello-for-business/images/passwordless/00-HideCredProv.png
new file mode 100644
index 0000000000..fd9085fbd1
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/00-HideCredProv.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/00-SCRIL-dsa.png b/windows/security/identity-protection/hello-for-business/images/passwordless/00-SCRIL-dsa.png
new file mode 100644
index 0000000000..6b19520041
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/00-SCRIL-dsa.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/00-securityPolicy-2016.png b/windows/security/identity-protection/hello-for-business/images/passwordless/00-securityPolicy-2016.png
new file mode 100644
index 0000000000..1ec0fe5a29
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/00-securityPolicy-2016.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/00-securityPolicy.png b/windows/security/identity-protection/hello-for-business/images/passwordless/00-securityPolicy.png
new file mode 100644
index 0000000000..9731de1222
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/00-securityPolicy.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/00-updatedSecurityPolicyText.png b/windows/security/identity-protection/hello-for-business/images/passwordless/00-updatedSecurityPolicyText.png
new file mode 100644
index 0000000000..5935422718
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/00-updatedSecurityPolicyText.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/01-HideCredProv.png b/windows/security/identity-protection/hello-for-business/images/passwordless/01-HideCredProv.png
new file mode 100644
index 0000000000..21329d0ffa
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/01-HideCredProv.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/01-SCRIL-ADAC-2012.png b/windows/security/identity-protection/hello-for-business/images/passwordless/01-SCRIL-ADAC-2012.png
new file mode 100644
index 0000000000..9e3a5509a9
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/01-SCRIL-ADAC-2012.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/01-SCRIL-ADAC-2016.png b/windows/security/identity-protection/hello-for-business/images/passwordless/01-SCRIL-ADAC-2016.png
new file mode 100644
index 0000000000..b4e1575d05
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/01-SCRIL-ADAC-2016.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/passwordless/02-Rotate-SCRIL-2016.png b/windows/security/identity-protection/hello-for-business/images/passwordless/02-Rotate-SCRIL-2016.png
new file mode 100644
index 0000000000..9b068a70a2
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/passwordless/02-Rotate-SCRIL-2016.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/plan/dc-chart1.png b/windows/security/identity-protection/hello-for-business/images/plan/dc-chart1.png
new file mode 100644
index 0000000000..8133c22b66
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/plan/dc-chart1.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/plan/dc-chart2.png b/windows/security/identity-protection/hello-for-business/images/plan/dc-chart2.png
new file mode 100644
index 0000000000..66f3d18bf2
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/plan/dc-chart2.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/plan/dc-chart3.png b/windows/security/identity-protection/hello-for-business/images/plan/dc-chart3.png
new file mode 100644
index 0000000000..c3e127c0c2
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/plan/dc-chart3.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/plan/dc-chart4.png b/windows/security/identity-protection/hello-for-business/images/plan/dc-chart4.png
new file mode 100644
index 0000000000..4559b432aa
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/plan/dc-chart4.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/plan/dc-chart5.png b/windows/security/identity-protection/hello-for-business/images/plan/dc-chart5.png
new file mode 100644
index 0000000000..b8e2bea022
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/plan/dc-chart5.png differ
diff --git a/windows/security/identity-protection/hello-for-business/images/rdpbio/RDPBioPolicySetting.png b/windows/security/identity-protection/hello-for-business/images/rdpbio/RDPBioPolicySetting.png
new file mode 100644
index 0000000000..06a2ab8543
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/rdpbio/RDPBioPolicySetting.png differ
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
new file mode 100644
index 0000000000..0836a4dfc0
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -0,0 +1,291 @@
+---
+title: Password-less Strategy
+description: Reducing Password Usage Surface
+keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security, mobile
+author: mikestephens-MS
+ms.author: mstephen
+localizationpriority: high
+ms.date: 08/20/2018
+---
+# Password-less Strategy
+
+## Four steps to Password-less
+
+Over the past few years, Microsoft has continued their commitment to enabling a world without passwords. At Microsoft Ignite 2017, we shared our four-step approach to password-less.
+![Password-less approach](images/four-steps-passwordless.png)
+
+
+### 1. Develop a password replacement offering
+Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single-sign on to Azure Active Directory and Active Directory.
+
+Deploying Windows Hello for Business is the first step towards password-less. With Windows Hello for Business deployed, it coexists with password nicely. Users are likely to useWindows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it.
+
+### 2. Reduce user-visible password surface area
+With Windows Hello for Business and passwords coexisting in your environment, the next step towards password-less is to reduce the password surface. The environment and workflows need to stop asking for passwords. The goal of this step is to achieve a state where the user knows they have a password, but they never user it. This state helps decondition users from providing a password any time a password prompt shows on their computer. This is a how passwords are phished. Users who rarely, it at all, use their password are unlikely to provide it. Password prompts are no longer the norm.
+
+### 3. Transition into a password-less deployment
+Once the user-visible password surface has been eliminated, your organization can begin to transition those users into a password-less world. A world where:
+ - the user never types their password
+ - the user never changes their password
+ - the user does not know their password
+
+In this world, the user signs in to Windows 10 using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business.
+
+### 4. Eliminate passwords from the identity directory
+The final step of the password-less story is where passwords simply do not exist. At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly password-less environment.
+
+## Methodology
+The four steps to password-less provides a overall view of how Microsoft envisions the road to password-less. But the road to password-less is frequently traveled and derailed by many. The scope of work is vast and filled with many challenges and frustrations. Nearly everyone wants the instant gratification of password-less, but can easily become overwhelmed in any of the steps. You are not alone and Microsoft understands. While there are many ways to accomplish password-less, here is one recommendation based on several years of research, investigation, and customer conversations.
+
+### Prepare for the Journey
+The road to password-less is a journey. The duration of that journey varies from each organization. It is important for IT decision makers to understand the criteria that influences the length of the journey.
+
+The most intuitive answer is the size of the organization, and that would be correct. However, what exactly determines size. One way to break down the size of the organization is:
+- Number of departments
+- Organization or department hierarchy
+- Number and type of applications and services
+- Number of work personas
+
+- Organization's IT structure
+
+#### Number of departments
+The number of departments within an organization varies. Most organizations have a common set of departments such as executive leadership, human resources, accounting, sales, and marketing. Other organizations will have those departments and additional ones such research and development or support. Small organizations may not segment their departments this explicitly while larger ones may. Additionally, there may be sub-departments, and sub-departments of those sub-departments as well.
+
+You need to know all the departments within your organization and you need to know which departments use computers and which do not. It is fine if a department does not use computer (probably rare, but acceptable). This is one less department with which you need to concern yourself. Nevertheless, ensure this department is in your list and you have assessed it is not applicable for password-less.
+
+Your count of the departments must be thorough and accurate, as well as knowing the stakeholders for those departments that will you and your staff on the road to password-less. Realistically, many of us lose sight of our organization chart and how it grows or shrinks over time. This is why you need to inventory all of them. Also, do not forget to include external departments such as vendors or federated partners. If your organizations goes password-less, but partners continue to use passwords and then access your corporate resources, you should know about it and include them in your password-less strategy.
+
+#### Organization or department hierarchy
+Organization and department hierarchy is the management layers within the departments or the organization as a whole. How the device is used, what applications and how they are used most likely differ between each department, but also within the structure of the department. To determine the correct password-less strategy, you need to know these differences across your organization. An executive leader is likely to use their device differently than a member of middle management in the sales department. Both of those use cases are likely different than how an individual contributor in the customer service department uses their device.
+
+#### Number and type of applications and services
+The number of applications within an organization is simply astonishing and rarely is there one centralized list that is accurate. Applications and services are the most critical item in your password-less assessment. Applications and services take considerable effort to move to a different type of authentication. That is not to say changing policies and procedures is not a daunting task, but there is something to be said of updating a company's set of standard operating procedure and security policies compared to changing 100 lines (or more) of authentication code in the critical path of your internally developed CRM application.
+
+Capturing the number of applications used is easier once you have the departments, their hierarchy, and their stakeholders. In this approach, you should have an organized list of departments and the hierarchy in each. You can now associate the applications that are used by all levels within each department. You'll also want to document whether the application is internally developed or commercially available off-the-shelf (COTS). If the later, document the manufacture and the version. Also, do not forget web-based applications or services when inventorying applications.
+
+#### Number of work personas
+Work personas is where the three previous efforts converge. You know the departments, the organizational levels within each department, the numbers of applications used by each, respectively, and the type of application. From this you want to create a work persona.
+
+A work persona classifies a category of user, title or role (individual contributor, manager, middle manager, etc), within a specific department to a collection of applications used. There is a high possibility and probability that you will have many work personas. These work personas will become units of work an you will refer to them in documentation and in meetings. You need to give them a name.
+
+Give your personas easy and intuitive name like Abby Accounting, Mark Marketing, or Sue Sales. If the organization levels are common across departments then decide on a first name that represents the common levels in a department. For example, Abby could be the first name of an individual contributor in any given department, while the first name Sue could represent someone from middle management in any given department. Additionally, you can use suffixes such as (I, II, Senior, etc.) to further define departmental structure for a given persona.
+
+Ultimately, create a naming convention that does not require your stakeholders and partners to read through a long list of tables or that needs a secret decoder ring. Also, if possible, try to keep the references as names of people. After all, you are talking about a person, who is in that department, who uses that specific software.
+
+#### Organization's IT structure
+IT department structures can vary more than the organization. Some IT departments are centralized while others are decentralized. Also, the road to password-less will likely have you interacting with the client authentication team, the deployment team, the security team, the PKI team, the Active Directory team, the cloud team, and the list continues. Most of these teams will be your partner on your journey to password-less. Ensure there is a password-less stakeholder on each of these teams and that the effort is understood and funded.
+
+#### Assess your Organization
+You have a ton of information. You have created your work personas, you identified your stakeholders throughout the different IT groups. Now what?
+
+By now you can see why its a journey and not a weekend project. You need to investigate user-visible password surfaces for each of your work personas. Once you identified the password surfaces, you need to mitigate them. Resolving some password surfaces are simple-- meaning a solution already exists in the environment and its a matter of moving users to it. Resolution to some passwords surfaces may exist, but are not deployed in your environment. That resolution results in a project that must be planned, tested, and then deployed. That is likely to span multiple IT departments with multiple people, and potentially one or more distributed systems. Those types of projects take time and need dedicated cycles. This same sentiment is true with in-house software development. Even with agile development methodologies, changing the way someone authenticates to an application is critical. Without the proper planning and testing, it has the potential to severely impact productivity.
+
+How long does it take to reach password-less? The answer is "it depends". It depends on the organizational alignment of a password-less strategy. Top-down agreement that password-less is the organization's goal makes conversations much easier. Easier conversations means less time spent convincing people and more time spent moving forward toward the goal. Top-down agreement on password-less as a priority within the ranks of other on-going IT projects helps everyone understand how to prioritize existing projects. Agreeing on priorities should reduce and minimize manager and executive level escalations. After these organizational discussions, modern project management techniques are used to continue the password-less effort. The organization allocates resources based on the priority (after they agreed on the strategy). Those resources will:
+- work through the work personas
+- organize and deploy user acceptance testing
+- evaluate user acceptance testing results for user-visible password surfaces
+- work with stakeholders to create solutions that mitigate user-visible password surfaces
+- add the solution to the project backlog and prioritize against other projects
+- deploy solution
+- User acceptance testing to confirm the solution mitigates the user-visible password surface
+- Repeat as needed
+
+Your organization's journey to password-less may take some time to get there. Counting the number of work personas and the number of applications is probably a good indicator of the investment. Hopefully, your organization is growing, which means that the list of personas and the list of applications is unlikely to shrink. If the work to go password-less today is *n*, then it is likely that to go password-less tomorrow is *n x 2* or perhaps more, *n x n*. Do not let the size or duration of the project be a distraction. As you progress through each work persona, the actions and tasks will become more familiar for you and your stakeholders. Scope the project to sizable, realistic phases, pick the correct work personas, and soon you will see parts of your organization transition to password-less.
+
+### Where to start?
+What is the best guidance for kicking off the journey to password-less? You will want to show you management a proof of concept as soon as possible. Ideally, you want to show this at each step of your password-less journey. Keeping password-less top of mind and showing consistent progress keeps everyone focused.
+
+#### Work persona
+You begin with your work personas. These were part of your preparation process. They have a persona name, such as Abby Accounting II, or any other naming convention your organization defined. That work persona includes a list of all the applications that Abby uses to perform her assigned duties in the accounting department. To start, you need to pick a work persona. This is the targeted work persona you will enable to climb the password-less steps.
+
+> [!IMPORTANT]
+> Avoid using any work personas from your IT department. This is probably the worst way to start the password-less journey. IT roles are very difficult and time consuming. IT workers typically have multiple credentials, run a multitude of scripts and custom applications, and are the worst offenders of password usage. It is better to save these work personas for the middle or end of your journey.
+
+Review your collection of work personas. Early in your password-less journey, identify personas that have the fewest applications. These work personas could represent an entire department or two. These are the perfect work personas for your proof-of-concept or pilot.
+
+Most organizations host their proof of concept in a test lab or environment. To do that with password-less may be more challenging and take more time. To test in a lab, you must first duplicate the environment of the targeted persona. This could be a few days or several weeks depending on the complexity of targeted work persona.
+
+You will want to balance testing in a lab with providing results to management quickly. Continuing to show forward progress on your password-less journey is always good thing. If there are ways you can test in production with low or now risk, that may be advantageous to your time line.
+
+## The Process
+
+The journey to password-less is to take each work persona through each password-less step. In the begging, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like
+
+1. Password-less replacement offering (Step 1)
+ 1. Identify test users that represent the targeted work persona.
+ 2. Deploy Windows Hello for Business to test users.
+ 3. Validate password and Windows Hello for Business work.
+2. Reduce User-visible Password Surface (Step 2)
+ 1. Survey test user workflow for password usage.
+ 2. Identify password usage and plan, develop, and deploy password mitigations.
+ 3. Repeat until all user password usage is mitigated.
+ 4. Remove password capabilities from the Windows.
+ 5. Validate **all** workflows do not need passwords.
+3. Transition into a password-less (Step 3)
+ 1. Awareness campaign and user education.
+ 2. Including remaining users that fit the work persona.
+ 3. Validate **all** users of the work personas do not need passwords.
+ 4. Configure user accounts to disallow password authentication.
+
+After successfully moving a work persona to password-less, you can prioritize the remaining work personas, and repeat the process.
+
+### Password-less replacement offering (Step 1)
+THe first step to password-less is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory.
+
+#### Identify test users that represent the targeted work persona
+A successful transition to password-less heavily relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or to accurately validate them. You need to enlist the help of users that fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process.
+
+#### Deploy Windows Hello for Business to test users
+Next, you will want to plan your Windows Hello for Business deployment. Your test users will need an alternative way to sign-in during step 2 of the password-less journey. Use the [Windows Hello for Business Planning Guide](hello-planning-guide.md) to help learn which deployment is best for your environment. Next, use the [Windows Hello for Business deployment guides](hello-deployment-guide.md) to deploy Windows Hello for Business.
+
+With the Windows Hello for Business infrastructure in place, you can limit Windows Hello for Business enrollments to the targeted work personas. The great news is you will only need to deploy the infrastructure once. When other targeted work personas need to provision Windows Hello for Business, you can simply add them to a group. You will use the first work persona to validate your Windows Hello for Business deployment.
+
+> [!NOTE]
+> There are many different ways to connect a device to Azure. Deployments may vary based on how the device is joined to Azure Active Directory. Review your planning guide and deployment guide to ensure additional infrastructure is not needed for an additional Azure joined devices.
+
+#### Validate password and Windows Hello for Business work
+In this first step, passwords and Windows Hello for Business must coexist. You want to validate that while your targeted work personas can sign in and unlock using Windows Hello for Business, but they can also sign-in, unlock, and use passwords as needed. Reducing the user-visible password surface too soon can create frustration and confusion with your targeted user personas.
+
+### Reduce User-visible Password Surface (Step 2)
+Before you move to step 2, ensure you have:
+- selected your targeted work persona.
+- identified your test users that represented the targeted work persona.
+- deployed Windows Hello for Business to test users.
+- validated passwords and Windows Hello for Business both work for the test users.
+
+#### Survey test user workflow for password usage
+Now is the time to learn more about the targeted work persona. You have a list of applications they use, but you do not know what, why, when, and how frequently. This information is important as your further your progress through step 2.
+
+Test users create the workflows associated with the targeted work persona. Their initial goal is to do one simply task. Document password usage. This list is not a comprehensive one, but it gives you an idea of the type of information you want. The general idea is to learn about all the scenarios in which that work persona encounters a password. A good approach is:
+- What is the name of the application that asked for a password?.
+- Why do they use the application that asked for a password? (Example: is there more than one application that can do the same thing?).
+- What part of their workflow makes them use the application? Try to be as specific as possible (I use application x to issue credit card refunds for amounts over y.).
+- How frequently do you use this application in a given day? week?
+- Is the password you type into the application the same as the password you use to sign-in to Windows?
+
+Some organizations will empower their users to write this information while some may insist on having a member of the IT department shadow them. An objective viewer may notice a password prompt that the user overlooks simply because of muscle memory. As previously mentioned, this information is critical. You could miss one password prompt which could delay the transition to password-less.
+
+#### Identify password usage and plan, develop, and deploy password mitigations
+Your test users have provided you valuable information that describes the how, what, why and when they use a password. It is now time for your team to identify each of these password use cases and understand why the user must use a password.
+
+Create a master list of the scenarios. Each scenario should have a clear problem statement. Name the scenario with a one-sentence summary of the problem statement. Include in the scenario the results of your team's investigation as to why the user is prompted by a password. Include relevant, but accurate details. If its policy or procedure driven, then include the name and section of the policy that dictates why the workflow uses a password.
+
+Keep in mind your test users will not uncover all scenarios. Some scenarios you will need to force on your users because they low percentage scenarios. Remember to include scenarios like:
+- Provisioning a new brand new user without a password.
+- Users who forget the PIN or other remediation flows when the strong credential is unusable.
+
+Next, review your master list of scenarios. You can start with the workflows that are dictated by process or policy or, you can begin with workflows that need technical solutions-- whichever of the two is easier or quicker. This will certainly vary by organization.
+
+Start mitigating password usages based on the workflows of your targeted personas. Document the mitigation as a solution to your scenario. Don't worry about the implementation details for the solution. A overview of the changes needed to reduce the password usages is all you need. If there are technical changes needed either infrastructure or code changes-- the exact details will likely be included in the project documentation. However your organization tracks projects, create a new project in that system. Associate your scenario to that project and start the processes needed to get that project funded.
+
+Mitigating password usage with applications is one or the more challenging obstacle in the journey to password-less. If your organization develops the application, then you are in better shape the common-off-the-shelf software (COTS).
+
+The ideal mitigation for applications that prompt the user for a password is to enable those enable those applications to use an existing authenticated identity, such as Azure Active Directory or Active Directory. Work with the applications vendors to have them add support for Azure identities. For on-premises applications, have the application use Windows integrated authentication. The goal for your users should be a seamless single sign-on experience where each user authenticates once-- when they sign-in to Windows. Use this same strategy for applications that store their own identities in their own databases.
+
+Each scenario on your master list should now have a problem statement, an investigation as to why the password was used, and a mitigation plan on how to make the password usage go away. Armed with this data, one-by-one, close the gaps on user-visible passwords. Change policies and procedures as needed, make infrastructure changes where possible. Convert in-house applications to use federated identities or Windows integrated authentication. Work with third-party software vendors to update their software to support federated identities or Windows integrated authenticate.
+
+#### Repeat until all user password usage is mitigated
+Some or all of your mitigations are in place. You need to validate your solutions have solved their problem statements. This is where you rely on your test users. You want to keep a good portion of your first test users, but this is a good opportunity to replace a few or add a few. Survey test users workflow for password usage. If all goes well, you have closed most or all the gaps. A few are likely to remain. Evaluate your solutions and what went wrong, change your solution as needed until you reach a solution that removes your user's need to type a password. If your stuck, others might be too. Use the forums from various sources or your network of IT colleague to describe your problem and see how others are solving it. If your out of options, contact Microsoft for assistance.
+
+#### Remove password capabilities from the Windows
+You believe you have mitigates all the password usage for the targeted work persona. Now comes the true test-- configure Windows so the user cannot use a password.
+
+Windows provides two ways to prevent your users from using passwords. You can use an interactive logon security policy to only allow Windows Hello for Business sign-in and unlocks, or you can exclude the password credential provider.
+
+##### Security Policy
+You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**. The name of the policy setting depends on the version of the operating systems you use to configure Group Policy.
+![securityPolicyLocation](images/passwordless/00-securityPolicy.png)
+
+**Windows Server 2016 and earlier**
+The policy name for these operating systems is **Interactive logon: Require smart card**.
+![securityPolicyBefore2016](images/passwordless/00-securitypolicy-2016.png)
+
+**Windows 10, version 1703 or later using Remote Server Administrator Tools**
+The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**.
+![securityPolicyRSAT](images/passwordless/00-updatedsecuritypolicytext.png)
+
+When you enables this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card.
+
+#### Excluding the password credential provider
+You can use Group Policy to deploy an administrative template policy settings to the computer. This policy settings is found under **Computer Configuration > Policies > Administrative Templates > Logon**
+![HideCredProvPolicy](images/passwordless/00-hidecredprov.png)
+
+The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**.
+![HideCredProvPolicy2](images/passwordless/01-hidecredprov.png)
+
+Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs.
+
+#### Validate all workflows do not need passwords
+This is the big moment. You have identified password usage, developed solutions to mitigate password usage, and have removed or disabled password usage from Windows. In this configuration, your users will not be able to use a passwords. Users will be blocked is any of their workflows ask them for a password. Ideally, your test users should be able to complete all the work flows of the targeted work persona without any password usage. Do not forget those low percentage work flows, such as provisioning a new user or a user that forgot their PIN or cannot use their strong credential. Ensure those scenarios are validated as well.
+
+### Transition into a password-less deployment (Step 3)
+Congratulations! You are ready to transition one or more portions of your organization to a password-less deployment. You have validated the targeted work-persona is ready to go where the user no longer needs to know or use their password. You are just few steps away from declaring success.
+
+#### Awareness and user education
+In this last step, you are going to include the remaining users that fit the targeted work persona to the wonderful world of password-less. Before you do this, you want to invest in an awareness campaign.
+
+An awareness campaign is introduces the users to the new way of authenticating to their device, such as using Windows Hello for Business. The idea of the campaign is to positively promote the change to the users in advance. Explain the value and why your company is changing. The campaign should provide dates and encourage questions and feedback. This campaign can coincide user education, where you can show the users the changes and, if your environment allows, enable the users to try the experience out.
+
+#### Including remaining users that fit the work persona
+You have implemented the awareness campaign for the targeted users. These users are informed and ready to transition to password-less. Add the remaining users that match the targeted work persona to your deployment.
+
+#### Validate **all** users of the work personas do not need passwords.
+You have successfully transitioned all users for the targeted work persona to password-less. Monitor the users within the work persona to ensure they do not encounter any issues while working in a password-less environment.
+
+Track all reported issues. Set priority and severity to each reported issue and have your team triage the issues appropriately. As you triage issues, some things to consider are:
+- Is the reporting user performing a task outside the work persona?
+- Is the reported issue affecting the entire work persona, or only specific users?
+- Is the outage a result of a misconfiguration?
+- Is the outage a overlooked gap from step 2?
+
+Each organization's priority and severity will differ however most organizations consider work stoppages fairly significant. Your team should pre-define levels of priority and severity. With each of these levels, create service level agreements (SLAs) for each combination of severity and priority and hold everyone accountable to those agreements. Reactive planning enables people to spend more time on the issue and resolving it and less time on process.
+
+Resolve the issues per your service level agreements. Higher severity items may require returning some or all of the user's password surface. Clearly this is not the end goal but, do not let this slow your password-less momentum. Refer to how you reduced the user's password surface in step 2 and progress forward to a solution, deploying that solution and validating.
+
+#### Configure user accounts to disallow password authentication.
+You transitioned all the users for the targeted work persona to a password-less environment and you have successfully validated all their workflows. The last step to complete the password-less transition is to remove the user's knowledge of the password and prevent the authenticating authority from accepting passwords.
+
+You can change the user's password to random data and prevent domain controllers from allowing users to use passwords for interactive sign-ins using an account configuration on the user object.
+
+The account options on a user account includes an option -- **Smart card is required for interactive logon**, also known as (SCRIL).
+
+> [!NOTE]
+> Do not confuse the Interactive Logon security policy for SCRIL. Security policies are enforced on the client (locally). A user account configured for SCRIL is enforced at the domain controller.
+
+![SCRIL setting on AD Users and Computers](images/passwordless/00-scril-dsa.png)
+**SCRIL setting for a user on Active Directory Users and Computers.**
+
+When you configure an user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users is effectively password-less because:
+- the do not know their password.
+- their password is 128 random bits of data and is likely to include non-typable characters.
+- the user is not asked to change their password
+- domain controllers do not allow passwords for interactive authentication
+
+![SCRIL setting from ADAC on Windows Server 2012](images/passwordless/01-scril-adac-2012.png)
+**SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2012.**
+
+> [!NOTE]
+> Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account (clear the check box, save the settings, select the check box and save the settings) to generate a new random 128 bit password. However, you should consider upgrading the domain to Windows Server 2016 domain forest functional level and allow the domain controller to do this for you automatically.
+
+![SCRIL setting from ADAC on Windows Server 2016](images/passwordless/01-scril-adac-2016.png)
+**SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016.**
+
+> [!NOTE]
+> Windows Hello for Business was formerly known as Microsoft Passport.
+
+##### Automatic password change for SCRIL configured users
+Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for a SCRIL enabled users by configuring the domain to automatically change the password for SCRIL users.
+
+In this configuration, passwords for SCRIL configured users expired based on Active Directory password policy settings. When the SCRIL user authentication from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or experience any authentication outages.
+![Rotate Password 2016](images/passwordless/02-rotate-scril-2016.png)
+
+> [!NOTE]
+> Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability with while reducing the usage surface while Microsoft continues to close the gaps to remove the password completely.
+
+## The Road Ahead
+The information presented here is just the beginning. We will update this guide with improved tool and methods and scenarios, like Azure AD joined and MDM managed environments, As we continue to invest in password-less, we would love to hear from you. Your feedback is important. Send us an email at [pwdless@microsoft.com](mailto:pwdless@microsoft.com?subject=Passwordless%20Feedback).
+
diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
new file mode 100644
index 0000000000..ec19abbc74
--- /dev/null
+++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
@@ -0,0 +1,122 @@
+---
+title: How Windows Hello for Business works (Windows 10)
+description: Explains registration, authentication, key material, and infrastructure for Windows Hello for Business.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: DaniHalfin
+ms.localizationpriority: high
+ms.author: daniha
+ms.date: 10/16/2017
+---
+# How Windows Hello for Business works
+
+**Applies to**
+- Windows 10
+- Windows 10 Mobile
+
+Windows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process.
+
+## Register a new user or device
+
+A goal of device registration is to allow a user to open a brand-new device, securely join an organizational network to download and manage organizational data, and create a new Windows Hello gesture to secure the device. Microsoft refers to the process of setting up a device for use with Windows Hello as registration.
+
+> [!NOTE]
+>This is separate from the organizational configuration required to use Windows Hello with Active Directory or Azure Active Directory (Azure AD); that configuration information is in [Manage Windows Hello for Business in your organization](../hello-manage-in-organization.md). Organizational configuration must be completed before users can begin to register.
+
+ The registration process works like this:
+
+1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as signing in with a Microsoft account. Signing in with a Microsoft account on a Windows 10 device automatically sets up Windows Hello on the device; users don’t have to do anything extra to enable it.
+2. To sign in using that account, the user has to enter the existing credentials for it. The identity provider (IDP) that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends.
+3. When the user has provided the proof to the IDP, the user enables PIN authentication. The PIN will be associated with this particular credential. When the user sets the PIN, it becomes usable immediately
+
+The PIN chosen is associated with the combination of the active account and that specific device. The PIN must comply with whatever length and complexity policy the account administrator has configured; this policy is enforced on the device side. Other registration scenarios that Windows Hello supports are:
+
+- A user who upgrades from the Windows 8.1 operating system will sign in by using the existing enterprise password. That triggers a second authentication factor from the IDP side (if required); after receiving and returning a proof, such as a text message or voice code, the IDP authenticates the user to the upgraded Windows 10 device, and the user can set his or her PIN.
+- A user who typically uses a smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to.
+- A user who typically uses a virtual smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to.
+
+When the user has completed this process, Windows Hello generates a new public–private key pair on the device. The TPM generates and protects this private key; if the device doesn’t have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the protector key. It’s associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. Each unique gesture generates a unique protector key. The protector key securely wraps the authentication key. The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys. Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM.
+
+At this point, the user has a PIN gesture defined on the device and an associated protector key for that PIN gesture. That means he or she is able to securely sign in to the device with the PIN and thus that he or she can establish a trusted session with the device to add support for a biometric gesture as an alternative for the PIN. When you add a biometric gesture, it follows the same basic sequence: the user authenticates to the system by using his or her PIN, and then registers the new biometric (“smile for the camera!”), after which Windows generates a unique key pair and stores it securely. Future sign-ins can then use either the PIN or the registered biometric gestures.
+
+## What’s a container?
+
+You’ll often hear the term *container* used in reference to mobile device management (MDM) solutions. Windows Hello uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. Windows 10 Hello uses a single container that holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account.
+
+The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD.
+
+It’s important to keep in mind that there are no physical containers on disk, in the registry, or elsewhere. Containers are logical units used to group related items. The keys, certificates, and credentials Windows Hello stores are protected without the creation of actual containers or folders.
+
+The container actually contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container.
+
+![Each logical container holds one or more sets of keys](../images/passport-fig3-logicalcontainer.png)
+
+Containers can contain several types of key material:
+
+- An authentication key, which is always an asymmetric public–private key pair. This key pair is generated during registration. It must be unlocked each time it’s accessed, by using either the user’s PIN or a previously generated biometric gesture. The authentication key exists until the user resets the PIN, at which time a new key will be generated. When the new key is generated, all the key material that the old key previously protected must be decrypted and re-encrypted using the new key.
+- Virtual smart card keys are generated when a virtual smart card is generated and stored securely in the container. They’re available whenever the user’s container is unlocked.
+- The IDP key. These keys can be either symmetric or asymmetric, depending on which IDP you use. A single container may contain zero or more IDP keys, with some restrictions (for example, the enterprise container can contain zero or one IDP keys). IDP keys are stored in the container. For certificate-based Windows Hello for Work, when the container is unlocked, applications that require access to the IDP key or key pair can request access. IDP keys are used to sign or encrypt authentication requests or tokens sent from this device to the IDP. IDP keys are typically long-lived but could have a shorter lifetime than the authentication key. Microsoft accounts, Active Directory accounts, and Azure AD accounts all require the use of asymmetric key pairs. The device generates public and private keys, registers the public key with the IDP (which stores it for later verification), and securely stores the private key. For enterprises, the IDP keys can be generated in two ways:
+ - The IDP key pair can be associated with an enterprise Certificate Authority (CA) through the Windows Network Device Enrollment Service (NDES), described more fully in [Network Device Enrollment Service Guidance](https://technet.microsoft.com/library/hh831498.aspx). In this case, Windows Hello requests a new certificate with the same key as the certificate from the existing PKI. This option lets organizations that have an existing PKI continue to use it where appropriate. Given that many applications, such as popular virtual private network systems, require the use of certificates, when you deploy Windows Hello in this mode, it allows a faster transition away from user passwords while still preserving certificate-based functionality. This option also allows the enterprise to store additional certificates in the protected container.
+ - The IDP can generate the IDP key pair directly, which allows quick, lower-overhead deployment of Windows Hello in environments that don’t have or need a PKI.
+
+## How keys are protected
+
+Any time key material is generated, it must be protected against attack. The most robust way to do this is through specialized hardware. There’s a long history of using hardware security modules (HSMs) to generate, store, and process keys for security-critical applications. Smart cards are a special type of HSM, as are devices that are compliant with the Trusted Computing Group TPM standard. Wherever possible, the Windows Hello for Work implementation takes advantage of onboard TPM hardware to generate and protect keys. However, Windows Hello and Windows Hello for Work do not require an onboard TPM. Administrators can choose to allow key operations in software, in which case any user who has (or can escalate to) administrative rights on the device can use the IDP keys to sign requests. As an alternative, in some scenarios, devices that don’t have a TPM can be remotely authenticated by using a device that does have a TPM, in which case all the sensitive operations are performed with the TPM and no key material is exposed.
+
+Whenever possible, Microsoft recommends the use of TPM hardware. The TPM protects against a variety of known and potential attacks, including PIN brute-force attacks. The TPM provides an additional layer of protection after an account lockout, too. When the TPM has locked the key material, the user will have to reset the PIN (which means he or she will have to use MFA to reauthenticate to the IDP before the IDP allows him or her to re-register). Resetting the PIN means that all keys and certificates encrypted with the old key material will be removed.
+
+
+## Authentication
+
+When a user wants to access protected key material, the authentication process begins with the user entering a PIN or biometric gesture to unlock the device, a process sometimes called releasing the key. Think of it like using a physical key to unlock a door: before you can unlock the door, you need to remove the key from your pocket or purse. The user's PIN unlocks the protector key for the container on the device. When that container is unlocked, applications (and thus the user) can use whatever IDP keys reside inside the container.
+
+These keys are used to sign requests that are sent to the IDP, requesting access to specified resources. It’s important to understand that although the keys are unlocked, applications cannot use them at will. Applications can use specific APIs to request operations that require key material for particular actions (for example, decrypt an email message or sign in to a website). Access through these APIs doesn’t require explicit validation through a user gesture, and the key material isn’t exposed to the requesting application. Rather, the application asks for authentication, encryption, or decryption, and the Windows Hello layer handles the actual work and returns the results. Where appropriate, an application can request a forced authentication even on an unlocked device. Windows prompts the user to reenter the PIN or perform an authentication gesture, which adds an extra level of protection for sensitive data or actions. For example, you can configure the Microsoft Store to require reauthentication any time a user purchases an application, even though the same account and PIN or gesture were already used to unlock the device.
+
+For example, the authentication process for Azure Active Directory works like this:
+
+1. The client sends an empty authentication request to the IDP. (This is merely for the handshake process.)
+2. The IDP returns a challenge, known as a nonce.
+3. The device signs the nonce with the appropriate private key.
+4. The device returns the original nonce, the signed nonce, and the ID of the key used to sign the nonce.
+5. The IDP fetches the public key that the key ID specified, uses it to verify the signature on the nonce, and verifies that the nonce the device returned matches the original.
+6. If all the checks in step 5 succeed, the IDP returns two data items: a symmetric key, which is encrypted with the device’s public key, and a security token, which is encrypted with the symmetric key.
+7. The device uses its private key to decrypt the symmetric key, and then uses that symmetric key to decrypt the token.
+8. The device makes a normal authentication request for the original resource, presenting the token from the IDP as its proof of authentication.
+
+When the IDP validates the signature, it is verifying that the request came from the specified user and device. The private key specific to the device signs the nonce, which allows the IDP to determine the identity of the requesting user and device so that it can apply policies for content access based on user, device type, or both together. For example, an IDP could allow access to one set of resources only from mobile devices and a different set from desktop devices.
+
+
+## The infrastructure
+
+Windows Hello depends on having compatible IDPs available to it. As of this writing, that means you have four deployment possibilities:
+
+- Use an existing Windows-based PKI centered around Active Directory Certificate Services. This option requires additional infrastructure, including a way to issue certificates to users. You can use NDES to register devices directly, or Microsoft Intune where it’s available to manage mobile device participation in Windows Hello.
+- The normal discovery mechanism that clients use to find domain controllers and global catalogs relies on Domain Name System (DNS) SRV records, but those records don’t contain version data. Windows 10 computers will query DNS for SRV records to find all available Active Directory servers, and then query each server to identify those that can act as Windows Hello IDPs. The number of authentication requests your users generate, where your users are located, and the design of your network all drive the number of Windows Server 2016 domain controllers required.
+- Azure AD can act as an IDP either by itself or alongside an on-premises AD DS forest. Organizations that use Azure AD can register devices directly without having to join them to a local domain by using the capabilities the Azure AD Device Registration service provides. In addition to the IDP, Windows Hello requires an MDM system. This system can be the cloud-based Intune if you use Azure AD, or an on-premises System Center Configuration Manager deployment that meets the system requirements described in the Deployment requirements section of this document.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+## Related topics
+
+- [Windows Hello for Business](../hello-identity-verification.md)
+- [Manage Windows Hello for Business in your organization](../hello-manage-in-organization.md)
+- [Why a PIN is better than a password](../hello-why-pin-is-better-than-password.md)
+- [Prepare people to use Windows Hello](../hello-prepare-people-to-use.md)
+- [Windows Hello and password changes](../hello-and-password-changes.md)
+- [Windows Hello errors during PIN creation](../hello-errors-during-pin-creation.md)
+- [Event ID 300 - Windows Hello successfully created](../hello-event-300.md)
+- [Windows Hello biometrics in the enterprise](../hello-biometrics-in-enterprise.md)
diff --git a/windows/security/identity-protection/hello-for-business/toc.md b/windows/security/identity-protection/hello-for-business/toc.md
index ae838d1fcc..de55fa465e 100644
--- a/windows/security/identity-protection/hello-for-business/toc.md
+++ b/windows/security/identity-protection/hello-for-business/toc.md
@@ -2,6 +2,12 @@ ## [Windows Hello for Business Overview](hello-overview.md) ## [How Windows Hello for Business works](hello-how-it-works.md) +### [Technical Deep Dive](hello-how-it-works.md#technical-deep-dive) +#### [Technology and Terminology](hello-how-it-works-technology.md) +#### [Device Registration](hello-how-it-works-device-registration.md) +#### [Provisioning](hello-how-it-works-provisioning.md) +#### [Authentication](hello-how-it-works-authentication.md) + ## [Manage Windows Hello for Business in your organization](hello-manage-in-organization.md) ## [Why a PIN is better than a password](hello-why-pin-is-better-than-password.md) ## [Prepare people to use Windows Hello](hello-prepare-people-to-use.md) @@ -14,7 +20,7 @@ ## [Windows Hello for Business Deployment Guide](hello-deployment-guide.md) ### [Hybrid Azure AD Joined Key Trust Deployment](hello-hybrid-key-trust.md) -#### [Prerequistes](hello-hybrid-key-trust-prereqs.md) +#### [Prerequisites](hello-hybrid-key-trust-prereqs.md) #### [New Installation Baseline](hello-hybrid-key-new-install.md) #### [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md) #### [Configure Azure Device Registration](hello-hybrid-key-trust-devreg.md) @@ -28,6 +34,10 @@ #### [Configure Windows Hello for Business policy settings](hello-hybrid-cert-whfb-settings.md) #### [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md) +### [Azure AD Join Single Sign-on Deployment Guides](hello-hybrid-aadj-sso.md) +#### [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) +#### [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md) + ### [On Premises Key Trust Deployment](hello-deployment-key-trust.md) #### [Validate Active Directory prerequisites](hello-key-trust-validate-ad-prereq.md) #### [Validate and Configure Public Key Infrastructure](hello-key-trust-validate-pki.md) 
@@ -44,4 +54,9 @@ #### [Configure Windows Hello for Business Policy settings](hello-cert-trust-policy-settings.md) ## [Windows Hello for Business Features](hello-features.md) -### [Multifactor Unlock](feature-multifactor-unlock.md) \ No newline at end of file +### [Multifactor Unlock](feature-multifactor-unlock.md) + +## [Windows Hello for Business Frequently Asked Questions (FAQ)](hello-faq.md) +### [Windows Hello for Business Videos](hello-videos.md) + +##[Password-less Strategy](passwordless-strategy.md) \ No newline at end of file diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index b5020571a1..15f9ab184e 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -7,7 +7,7 @@ ms.mktglfcycl: operate ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 04/19/2017 +ms.date: 09/19/2018 --- # How User Account Control works @@ -156,36 +156,40 @@ To better understand each component, review the table below:

        Check UAC slider level

        -

        UAC has four levels of notification to choose from and a slider to use to select the notification level:

        +

        UAC has a slider to select from four levels of notification.

          -
        • -

          High

          -

          If the slider is set to Always notify, the system checks whether the secure desktop is enabled.

          -
        • -
        • -

          Medium

          -

          If the slider is set to Notify me only when programs try to make changes to my computer, the User Account Control: Only elevate executable files that are signed and validated policy setting is checked:

          +
        • Always notify will:

            -
          • -

            If the policy setting is enabled, the public key infrastructure (PKI) certification path validation is enforced for a given file before it is permitted to run.

            -
          • -
          • -

            If the policy setting is not enabled (default), the PKI certification path validation is not enforced before a given file is permitted to run. The User Account Control: Switch to the secure desktop when prompting for elevation Group Policy setting is checked.

            -
          • +
          • Notify you when programs try to install software or make changes to your computer.
          • +
          • Notify you when you make changes to Windows settings.
          • +
          • Freeze other tasks until you respond.
          +

          Recommended if you often install new software or visit unfamiliar websites.


        • -
        • -

          Low

          -

          If the slider is set to Notify me only when apps try to make changes to my computer (do not dim by desktop), the CreateProcess is called.

          -
        • -
        • -

          Never Notify

          -

          If the slider is set to Never notify me when, UAC prompt will never notify when an app is trying to install or trying to make any change on the computer.

          -
          Important  

          This setting is not recommended. This setting is the same as setting the User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode policy setting to Elevate without prompting.

          -
          -
           
          -
        • +
        • Notify me only when programs try to make changes to my computer will:

          +
            +
          • Notify you when programs try to install software or make changes to your computer.
          • +
          • Not notify you when you make changes to Windows settings.
          • +
          • Freeze other tasks until you respond.
          +

          Recommended if you do not often install apps or visit unfamiliar websites.


          +
        • +
        • Notify me only when programs try to make changes to my computer (do not dim my desktop) will:

          +
            +
          • Notify you when programs try to install software or make changes to your computer.
          • +
          • Not notify you when you make changes to Windows settings.
          • +
          • Not freeze other tasks until you respond.
          • +
          +

          Not recommended. Choose this only if it takes a long time to dim the desktop on your computer.


          +
        • +
        • Never notify (Disable UAC) will:

          +
            +
          • Not notify you when programs try to install software or make changes to your computer.
          • +
          • Not notify you when you make changes to Windows settings.
          • +
          • Not freeze other tasks until you respond.
          • +
          +

          Not recommended due to security concerns.

          +
        diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md index c0e5e23158..0854da77c6 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md @@ -187,7 +187,7 @@ The registry keys are found in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\Wind | Registry key | Group Policy setting | Registry setting | | - | - | - | | FilterAdministratorToken | [User Account Control: Admin Approval Mode for the built-in Administrator account](#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | 0 (Default) = Disabled
        1 = Enabled | -| EnableUIADesktopToggle | [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to prompt-for-elevation-without-using-the-secure-desktop) | 0 (Default) = Disabled
        1 = Enabled | +| EnableUIADesktopToggle | [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | 0 (Default) = Disabled
        1 = Enabled | | ConsentPromptBehaviorAdmin | [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | 0 = Elevate without prompting
        1 = Prompt for credentials on the secure desktop
        2 = Prompt for consent on the secure desktop
        3 = Prompt for credentials
        4 = Prompt for consent
        5 (Default) = Prompt for consent for non-Windows binaries
        | | ConsentPromptBehaviorUser | [User Account Control: Behavior of the elevation prompt for standard users](#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | 0 = Automatically deny elevation requests
        1 = Prompt for credentials on the secure desktop
        3 (Default) = Prompt for credentials | | EnableInstallerDetection | [User Account Control: Detect application installations and prompt for elevation](#user-account-control-detect-application-installations-and-prompt-for-elevation) | 1 = Enabled (default for home)
        0 = Disabled (default for enterprise) | diff --git a/windows/security/information-protection/TOC.md b/windows/security/information-protection/TOC.md index b9c98da745..00aaec6903 100644 --- a/windows/security/information-protection/TOC.md +++ b/windows/security/information-protection/TOC.md @@ -22,14 +22,13 @@ ### [BitLocker Group Policy settings](bitlocker\bitlocker-group-policy-settings.md) ### [BCD settings and BitLocker](bitlocker\bcd-settings-and-bitlocker.md) ### [BitLocker Recovery Guide](bitlocker\bitlocker-recovery-guide-plan.md) -### [Protect BitLocker from pre-boot attacks](bitlocker\protect-bitlocker-from-pre-boot-attacks.md) -#### [Types of attacks for volume encryption keys](bitlocker\types-of-attacks-for-volume-encryption-keys.md) -#### [BitLocker Countermeasures](bitlocker\bitlocker-countermeasures.md) -#### [Choose the Right BitLocker Countermeasure](bitlocker\choose-the-right-bitlocker-countermeasure.md) +### [BitLocker Countermeasures](bitlocker\bitlocker-countermeasures.md) ### [Protecting cluster shared volumes and storage area networks with BitLocker](bitlocker\protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md) ## [Encrypted Hard Drive](encrypted-hard-drive.md) +## [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md) + ## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md) ### [Create a Windows Information Protection (WIP) policy using Microsoft Intune](windows-information-protection\overview-create-wip-policy.md) #### [Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md) 
@@ -62,9 +61,6 @@ ### [How Windows 10 uses the TPM](tpm/how-windows-uses-the-tpm.md) ### [TPM Group Policy settings](tpm/trusted-platform-module-services-group-policy-settings.md) ### [Back up the TPM recovery information to AD DS](tpm/backup-tpm-recovery-information-to-ad-ds.md) -### [Manage TPM commands](tpm/manage-tpm-commands.md) -### [Manage TPM lockout](tpm/manage-tpm-lockout.md) -### [Change the TPM owner password](tpm/change-the-tpm-owner-password.md) ### [View status, clear, or troubleshoot the TPM](tpm/initialize-and-configure-ownership-of-the-tpm.md) ### [Understanding PCR banks on TPM 2.0 devices](tpm/switch-pcr-banks-on-tpm-2-0-devices.md) ### [TPM recommendations](tpm/tpm-recommendations.md) diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md index ea8973ef41..91d9c277db 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md +++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md 
@@ -7,137 +7,185 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 10/27/2017 +ms.date: 09/06/2018 --- + # BitLocker Countermeasures **Applies to** - Windows 10 -Windows uses technologies including TPM, Secure Boot, Trusted Boot, and Early Launch Antimalware (ELAM) to protect against attacks on the BitLocker encryption key. -BitLocker is part of a strategic approach to securing mobile data through encryption technology. Data on a lost or stolen computer is vulnerable to unauthorized access, either by running a software attack tool against it or by transferring the computer’s hard disk to a different computer. Today, BitLocker helps mitigate unauthorized data access on lost or stolen computers before the operating system is started by: +Windows uses technologies including Trusted Platform Module (TPM), Secure Boot, and Measured Boot to help protect BitLocker encryption keys against attacks. +BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology. +Data on a lost or stolen computer is vulnerable. +For example, there could be unauthorized access, either by running a software attack tool against it or by transferring the computer’s hard disk to a different computer. -- **Encrypting the hard drives on your computer.** For example, you can turn on BitLocker for your operating system drive, a fixed data drive, or a removable data drive (such as a USB flash drive). Turning on BitLocker for your operating system drive encrypts all system files on the operating system drive, including the swap files and hibernation files. -- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to help ensure that your data is accessible only if the computer’s boot components appear unaltered and the encrypted disk is located in the original computer. 
+BitLocker helps mitigate unauthorized data access on lost or stolen computers before the authorized operating system is started by: -The sections that follow provide more detailed information about the different technologies that Windows uses to protect against attacks on the BitLocker encryption key in four different boot phases: before startup, during pre-boot, during startup, and finally after startup. +- **Encrypting volumes on your computer.** For example, you can turn on BitLocker for your operating system volume, or a volume on a fixed or removable data drive (such as a USB flash drive, SD card, and so on). Turning on BitLocker for your operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed. +- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer’s BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that leverage TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability. +  +The next sections provide more details about how Windows protects against various attacks on the BitLocker encryption keys in Windows 10, Windows 8.1, and Windows 8. -### Protection before startup +For more information about how to enable the best overall security configuration for devices beginning with Windows 10 version 1803, see [Standards for a highly secure Windows 10 device](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-highly-secure). 
-Before Windows starts, you must rely on security features implemented as part of the device hardware, including TPM and Secure Boot. Fortunately, many modern computers feature TPM. +## Protection before startup -#### Trusted Platform Module +Before Windows starts, you must rely on security features implemented as part of the device hardware and firmware, including TPM and Secure Boot. Fortunately, many modern computers feature a TPM and Secure Boot. -Software alone isn’t sufficient to protect a system. After an attacker has compromised software, the software might be unable to detect the compromise. Therefore, a single successful software compromise results in an untrusted system that might never be detected. Hardware, however, is much more difficult to modify. +### Trusted Platform Module -A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer and communicates with the rest of the system through a hardware bus. Physically, TPMs are designed to be tamper-proof. If an attacker tries to physically retrieve data directly from the chip, they’ll probably destroy the chip in the process. -By binding the BitLocker encryption key with the TPM and properly configuring the device, it’s nearly impossible for an attacker to gain access to the BitLocker-encrypted data without obtaining an authorized user’s credentials. Therefore, computers with a TPM can provide a high level of protection against attacks that attempt to directly retrieve the BitLocker encryption key. -For more info about TPM, see [Trusted Platform Module](/windows/device-security/tpm/trusted-platform-module-overview). +A TPM is a microchip designed to provide basic security-related functions, primarily involving encryption keys. +On some platforms, TPM can alternatively be implemented as a part of secure firmware. 
+BitLocker binds encryption keys with the TPM to ensure that a computer has not been tampered with while the system was offline. +For more info about TPM, see [Trusted Platform Module](https://docs.microsoft.com/windows/device-security/tpm/trusted-platform-module-overview). -#### UEFI and Secure Boot +### UEFI and Secure Boot -No operating system can protect a device when the operating system is offline. For that reason, Microsoft worked closely with hardware vendors to require firmware-level protection against boot and rootkits that might compromise an encryption solution’s encryption keys. +Unified Extensible Firmware Interface (UEFI) is a programmable boot environment that initializes devices and starts the operating system’s bootloader. -The UEFI is a programmable boot environment introduced as a replacement for BIOS, which has for the most part remained unchanged for the past 30 years. Like BIOS, PCs start UEFI before any other software; it initializes devices, and UEFI then starts the operating system’s bootloader. As part of its introduction into the pre–operating system environment, UEFI serves a number of purposes, but one of the key benefits is to protect newer devices against a sophisticated type of malware called a bootkit through the use of its Secure Boot feature. +The UEFI specification defines a firmware execution authentication process called [Secure Boot](https://docs.microsoft.com/windows/security/information-protection/secure-the-windows-10-boot-process). +Secure Boot blocks untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system. -Recent implementations of UEFI (starting with version 2.3.1) can verify the digital signatures of the device’s firmware before running it. Because only the PC’s hardware manufacturer has access to the digital certificate required to create a valid firmware signature, UEFI can prevent firmware-based bootkits. Thus, UEFI is the first link in the chain of trust. 
+By default, BitLocker provides integrity protection for Secure Boot by utilizing the TPM PCR[7] measurement. +An unauthorized EFI firmware, EFI boot application, or bootloader cannot run and acquire the BitLocker key. -Secure Boot is the foundation of platform and firmware security and was created to enhance security in the pre-boot environment regardless of device architecture. Using signatures to validate the integrity of firmware images before they are allowed to execute, Secure Boot helps reduce the risk of bootloader attacks. The purpose of Secure Boot is to block untrusted firmware and bootloaders (signed or unsigned) from being able to start on the system. -With the legacy BIOS boot process, the pre–operating system environment is vulnerable to attacks by redirecting bootloader handoff to possible malicious loaders. These loaders could remain undetected to operating system and antimalware software. The diagram in Figure 1 contrasts the BIOS and UEFI startup processes. +### BitLocker and reset attacks -![the bios and uefi startup processes](images/bitlockerprebootprotection-bios-uefi-startup.jpg) +To defend against malicious reset attacks, BitLocker leverages the TCG Reset Attack Mitigation, also known as MOR bit (Memory Overwrite Request), before extracting keys into memory. -**Figure 1.** The BIOS and UEFI startup processes +>[!NOTE] +>This does not protect against physical attacks where an attacker opens the case and attacks the hardware. -With Secure Boot enabled, UEFI, in coordination with the TPM, can examine the bootloader and determine whether it’s trustworthy. To determine whether the bootloader is trustworthy, UEFI examines the bootloader’s digital signature. -Using the digital signature, UEFI verifies that the bootloader was signed using a trusted certificate. +## Security policies -If the bootloader passes these two tests, UEFI knows that the bootloader isn’t a bootkit and starts it. 
At this point, Trusted Boot takes over, and the Windows bootloader, using the same cryptographic technologies that UEFI used to verify the bootloader, then verifies that the Windows system files haven’t been changed. +The next sections cover pre-boot authentication and DMA policies that can provide additional protection for BitLocker. -Starting with Windows 8, certified devices must meet several requirements related to UEFI-based Secure Boot: +### Pre-boot authentication -- They must have Secure Boot enabled by default. -- They must trust Microsoft’s certificate (and thus any bootloader Microsoft has signed). -- They must allow the user to configure Secure Boot to trust other signed bootloaders. -- Except for Windows RT devices, they must allow the user to completely disable Secure Boot. +Pre-boot authentication with BitLocker is a policy setting that requires the use of either user input, such as a PIN, a startup key, or both to authenticate prior to making the contents of the system drive accessible. +The Group Policy setting is [Require additional authentication at startup](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#a-href-idbkmk-unlockpol1arequire-additional-authentication-at-startup) and the corresponding setting in the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) is SystemDrivesRequireStartupAuthentication. -These requirements help protect you from rootkits while allowing you to run any operating system you want. You have three options for running non-Microsoft operating systems: +BitLocker accesses and stores the encryption keys in memory only after pre-boot authentication is completed. +If Windows can’t access the encryption keys, the device can’t read or edit the files on the system drive. The only option for bypassing pre-boot authentication is entering the recovery key. 
-- **Use an operating system with a certified bootloader.** Microsoft can analyze and sign non-Microsoft bootloaders so that they can be trusted. The Linux community is using this process to enable Linux to take advantage of -Secure Boot on Windows-certified devices. - -- **Configure UEFI to trust your custom bootloader.** Your device can trust a signed, non-certified bootloader that you specify in the UEFI database, allowing you to run any operating system, including homemade operating systems. -- **Turn off Secure Boot.** You can turn off Secure Boot. This does not help protect you from bootkits, however. - -To prevent malware from abusing these options, the user has to manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings. -Any device that doesn’t require Secure Boot or a similar bootloader-verification technology, regardless of the architecture or operating system, is vulnerable to bootkits, which can be used to compromise the encryption solution. -UEFI is secure by design, but it’s critical to protect the Secure Boot configuration by using password protection. In addition, although several well-publicized attacks against UEFI have occurred, they were exploiting faulty UEFI implementations. Those attacks are ineffective when UEFI is implemented properly. - -For more information about Secure Boot, refer to [Securing the Windows 8.1 Boot Process](https://technet.microsoft.com/windows/dn168167.aspx). - -### Protection during pre-boot: Pre-boot authentication - -Pre-boot authentication with BitLocker is a process that requires the use of either a Trusted Platform Module (TPM), user input, such as a PIN, or both, depending on hardware and operating system configuration, to authenticate prior to making the contents of the system drive accessible. In the case of BitLocker, BitLocker encrypts the entire drive, including all system files. 
BitLocker accesses and stores the encryption key in memory only after a pre-boot authentication is completed using one or more of the following options: Trusted Platform Module (TPM), user provides a specific PIN, USB startup key. - -If Windows can’t access the encryption key, the device can’t read or edit the files on the system drive. Even if an attacker takes the disk out of the PC or steals the entire PC, they won’t be able to read or edit the files without the encryption key. The only option for bypassing pre-boot authentication is entering the highly complex, 48-digit recovery key. - -The BitLocker pre-boot authentication capability is not specifically designed to prevent the operating system from starting: That’s merely a side effect of how BitLocker protects data confidentiality and system integrity. Pre-boot authentication is designed to prevent the encryption key from being loaded to system memory on devices that are vulnerable to certain types of cold boot attacks. Many modern devices prevent an attacker from easily removing the memory, and Microsoft expects those devices to become even more common in the future. +Pre-boot authentication is designed to prevent the encryption keys from being loaded to system memory without the trusted user supplying another authentication factor such as a PIN or startup key. +This helps mitigate DMA and memory remanence attacks. On computers with a compatible TPM, operating system drives that are BitLocker-protected can be unlocked in four ways: -- **TPM-only.** Using TPM-only validation does not require any interaction with the user to decrypt and provide access to the drive. If the TPM validation succeeds, the user logon experience is the same as a standard logon. If the TPM is missing or changed or if the TPM detects changes to critical operating system startup files, BitLocker enters its recovery mode, and the user must enter a recovery password to regain access to the data. 
-- **TPM with startup key.** In addition to the protection that the TPM provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume cannot be accessed without the startup key. -- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume cannot be accessed without entering the PIN. -- **TPM with startup key and PIN.** In addition to the core component protection that the TPM provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it cannot be used for access to the drive, because the correct PIN is also required. +- **TPM-only.** Using TPM-only validation does not require any interaction with the user to unlock and provide access to the drive. If the TPM validation succeeds, the user sign in experience is the same as a standard logon. If the TPM is missing or changed or if BitLocker detects changes to the BIOS or UEFI code or configuration, critical operating system startup files, or the boot configuration, BitLocker enters recovery mode, and the user must enter a recovery password to regain access to the data. This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor. +- **TPM with startup key.** In addition to the protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, referred to as a startup key. Data on the encrypted volume cannot be accessed without the startup key. +- **TPM with PIN.** In addition to the protection that the TPM provides, BitLocker requires that the user enter a PIN. Data on the encrypted volume cannot be accessed without entering the PIN. 
TPMs also have [anti-hammering protection](https://docs.microsoft.com/windows/security/hardware-protection/tpm/tpm-fundamentals#anti-hammering) that is designed to prevent brute force attacks that attempt to determine the PIN. +- **TPM with startup key and PIN.** In addition to the core component protection that the TPM-only provides, part of the encryption key is stored on a USB flash drive, and a PIN is required to authenticate the user to the TPM. This configuration provides multifactor authentication so that if the USB key is lost or stolen, it cannot be used for access to the drive, because the correct PIN is also required. -For many years, Microsoft has recommended using pre-boot authentication to protect against DMA and memory remanence attacks. Today, Microsoft only recommends using pre-boot authentication on PCs where the mitigations described in this document cannot be implemented. These mitigations may be inherent to the device or may come by way of configurations that IT can provision to devices and Windows itself. +In the following Group Policy example, TPM + PIN is required to unlock an operating system drive: -Although effective, pre-boot authentication is inconvenient to users. In addition, if a user forgets their PIN or loses their startup key, they’re denied access to their data until they can contact their organization’s support team to obtain a recovery key. Today, most new PCs running Windows 10, Windows 8.1, or Windows 8 provide sufficient protection against DMA attacks without requiring pre-boot authentication. For example, most modern PCs include USB port options (which are not vulnerable to DMA attacks) but do not include FireWire or Thunderbolt ports (which are vulnerable to DMA attacks). 
+![Pre-boot authentication setting in Group Policy](images/pre-boot-authentication-group-policy.png) -BitLocker-encrypted devices with DMA ports enabled, including FireWire or Thunderbolt ports, should be configured with pre-boot authentication if they are running Windows 10, Windows 7, Windows 8, or Windows 8.1 and disabling the ports using policy or firmware configuration is not an option. Many customers find that the DMA ports on their devices are never used, and they choose to eliminate the possibility of an attack by disabling the DMA ports themselves, either at the hardware level or through Group Policy. -Many new mobile devices have the system memory soldered to the motherboard, which helps prevent the cold boot–style attack, where the system memory is frozen, removed, and then placed into another device. Those devices, and most PCs, can still be vulnerable when booting to a malicious operating system, however. +Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. +Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured. -You can mitigate the risk of booting to a malicious operating system: +On the other hand, Pre-boot authentication prompts can be inconvenient to users. +In addition, users who forget their PIN or lose their startup key are denied access to their data until they can contact their organization’s support team to obtain a recovery key. +Pre-boot authentication can also make it more difficult to update unattended desktops and remotely administered servers because a PIN needs to be entered when a computer reboots or resumes from hibernation. 
-- **Windows 10 (without Secure Boot), Windows 8.1 (without Secure Boot), Windows 8 (without UEFI-based Secure Boot), or Windows 7 (with or without a TPM).** Disable booting from external media, and require a firmware password to prevent the attacker from changing that option. -- **Windows 10, Windows 8.1, or Windows 8 (certified or with Secure Boot).** Password protect the firmware, and do not disable Secure Boot. +To address these issues, you can deploy [BitLocker Network Unlock](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock). +Network Unlock allows systems within the physical enterprise security perimeter that meet the hardware requirements and have BitLocker enabled with TPM+PIN to boot into Windows without user intervention. +It requires direct ethernet connectivity to an enterprise Windows Deployment Services (WDS) server. -### Protection During Startup +### Protecting Thunderbolt and other DMA ports -During the startup process, Windows 10 uses Trusted Boot and Early Launch Antimalware (ELAM) to examine the integrity of every component. The sections that follow describe these technologies in more detail. +There are a few different options to protect DMA ports, such as Thunderbolt™3. +Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default. +This kernel DMA protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS. -**Trusted Boot** +You can use the System Information desktop app (MSINFO32) to check if a device has kernel DMA protection enabled: -Trusted Boot takes over where UEFI-based Secure Boot leaves off—during the operating system initialization phase. The bootloader verifies the digital signature of the Windows kernel before loading it. 
The Windows kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM driver. If a file has been modified or is not properly signed with a Microsoft signature, Windows detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally. +![Kernel DMA protection](images/kernel-dma-protection.png) -Windows 10 uses Trusted Boot on any hardware platform: It requires neither UEFI nor a TPM. However, without Secure Boot, it’s possible for malware to compromise the startup process prior to Windows starting, at which point Trusted Boot protections could be bypassed or potentially disabled. +If kernel DMA protection *not* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports: -**Early Launch Antimalware** +1. Require a password for BIOS changes +2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings +3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607): -Because UEFI-based Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel or other Windows startup components, the next opportunity for malware to start is by infecting a non-Microsoft boot-related driver. Traditional antimalware apps don’t start until after the boot-related drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work. 
+ - MDM: [DataProtection/AllowDirectMemoryAccess](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy + - Group Policy: [Disable new DMA devices when this computer is locked](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#disable-new-dma-devices-when-this-computer-is-locked) (This setting is not configured by default.) -Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. ELAM checks the integrity of non-Microsoft drivers to determine whether the drivers are trustworthy. Because Windows needs to start as fast as possible, ELAM cannot be a complicated process of checking the driver files against known malware signatures. Instead, ELAM has the simple task of examining every boot driver and determining whether it is on the list of trusted drivers. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits. ELAM also allows the registered antimalware provider to scan drivers that are loaded after the boot process is complete. +For Thunderbolt v1 and v2 (DisplayPort Connector), refer to the “Thunderbolt Mitigation” section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). +For SBP-2 and 1394 (a.k.a. Firewire), refer to the “SBP-2 Mitigation” section in [KB 2516445](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d). + +## Attack countermeasures -Windows Defender in Windows 10 supports ELAM, as do Microsoft System Center 2012 Endpoint Protection and non-Microsoft antimalware apps. +This section covers countermeasures for specific types attacks. 
-To do this, ELAM loads an antimalware driver before drivers that are flagged as boot-start can be executed. This approach provides the ability for an antimalware driver to register as a trusted boot-critical driver. It is launched during the Trusted Boot process, and with that, Windows ensures that it is loaded before any other non-Microsoft software. +### Bootkits and rootkits -With this solution in place, boot drivers are initialized based on the classification that the ELAM driver returns according to an initialization policy. IT pros have the ability to change this policy through Group Policy. -ELAM classifies drivers as follows: +A physically-present attacker might attempt to install a bootkit or rootkit-like piece of software into the boot chain in an attempt to steal the BitLocker keys. +The TPM should observe this installation via PCR measurements, and the BitLocker key will not be released. +This is the default configuration. -- **Good.** The driver has been signed and has not been tampered with. -- **Bad.** The driver has been identified as malware. It is recommended that you not allow known bad drivers to be initialized. -- **Bad but required for boot.** The driver has been identified as malware, but the computer cannot successfully boot without loading this driver. -- **Unknown.** This driver has not been attested to by your malware-detection application or classified by the ELAM boot-start driver. +A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that may weaken the BitLocker security promise. +Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks. +Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification [standards for a highly secure Windows 10 device](https://docs.microsoft.com/windows-hardware/design/device-experiences/oem-highly-secure). 
-While the features listed above protect the Windows boot process from malware threats that could compromise BitLocker security, it is important to note that DMA ports may be enabled during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port related policies that have been configured. This period of time where the encryption key could be exposed to a DMA attack could be less than a minute on recent devices or longer depending on system performance. The use of pre-boot authentication with a PIN can be used to successfully mitigate against an attack. +### Brute force attacks against a PIN +Require TPM + PIN for anti-hammering protection. -### Protection After Startup: eliminate DMA availability +### DMA attacks -Windows Modern Standby–certified devices do not have DMA ports, eliminating the risk of DMA attacks. On other devices, you can disable FireWire, Thunderbolt, or other ports that support DMA. +See [Protecting Thunderbolt and other DMA ports](#protecting-thunderbolt-and-other-dma-ports) earlier in this topic. -## See also -- [Types of Attacks for Volume Encryption Keys](types-of-attacks-for-volume-encryption-keys.md) -- [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md) -- [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md) -- [BitLocker overview](bitlocker-overview.md) +### Paging file, crash dump, and Hyberfil.sys attacks +These files are secured on an encrypted volume by default when BitLocker is enabled on OS drives. +It also blocks automatic or manual attempts to move the paging file. + +### Memory remanence + +Enable Secure Boot and require a password to change BIOS settings. +For customers requiring protection against these advanced attacks, configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user. 
+ +## Attacker countermeasures + +The following sections cover mitigations for different types of attackers. + +### Attacker without much skill or with limited physical access + +Physical access may be limited by a form factor that does not expose buses and memory. +For example, there are no external DMA-capable ports, no exposed screws to open the chassis, and memory is soldered to the mainboard. +This attacker of opportunity does not use destructive methods or sophisticated forensics hardware/software. + +Mitigation: +- Pre-boot authentication set to TPM only (the default) + +### Attacker with skill and lengthy physical access + +Targeted attack with plenty of time; this attacker will open the case, will solder, and will use sophisticated hardware or software. + +Mitigation: +- Pre-boot authentication set to TPM with a PIN protector (with a sophisticated alphanumeric PIN to help the TPM anti-hammering mitigation). + + -And- + +- Disable Standby power management and shut down or hibernate the device before it leaves the control of an authorized user. This can be set using Group Policy: + + - Computer Configuration|Policies|Administrative Templates|Windows Components|File Explorer|Show hibernate in the power options menu + - Computer Configuration|Policies|Administrative Templates|System|Power Management|Sleep Settings|Allow standby states (S1-S3) when sleeping (plugged in) + - Computer Configuration|Policies|Administrative Templates|System|Power Management|Sleep Settings|Allow standby states (S1-S3) when sleeping (on battery) + +These settings are **Not configured** by default. + +For some systems, bypassing TPM-only may require opening the case, and may require soldering, but could possibly be done for a reasonable cost. Bypassing a TPM with a PIN protector would cost much more, and require brute forcing the PIN. With a sophisticated enhanced PIN, it could be nearly impossible. 
The Group Policy setting for [enhanced PIN](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#a-href-idbkmk-unlockpol2aallow-enhanced-pins-for-startup) is: + +Computer Configuration|Administrative Templates|Windows Components|BitLocker Drive Encryption|Operating System Drives|Allow enhanced PINs for startup + +This setting is **Not configured** by default. + +For secure administrative workstations, Microsoft recommends TPM with PIN protector and disable Standby power management and shut down or hibernate the device. + +## See also + +- [Blocking the SBP-2 driver and Thunderbolt controllers to reduce 1394 DMA and Thunderbolt DMA threats to BitLocker](https://support.microsoft.com/help/2516445/blocking-the-sbp-2-driver-and-thunderbolt-controllers-to-reduce-1394-d) +- [BitLocker Group Policy settings](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings) +- [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) \ No newline at end of file diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 691e7ec1de..430fd8fbe7 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 07/27/2018 +ms.date: 09/17/2018 --- # BitLocker Management for Enterprises 
@@ -21,7 +21,7 @@ Though much Windows BitLocker [documentation](bitlocker-overview.md) has been pu Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx). -Enterprises can use [Microsoft BitLocker Administration and Management (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201) or they can receive extended support until July 2024. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD). 
+Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/en-us/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201) or they can receive extended support until July 2024. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD). ## Managing devices joined to Azure Active Directory diff --git a/windows/security/information-protection/bitlocker/choose-the-right-bitlocker-countermeasure.md b/windows/security/information-protection/bitlocker/choose-the-right-bitlocker-countermeasure.md deleted file mode 100644 index c1b351b15e..0000000000 --- a/windows/security/information-protection/bitlocker/choose-the-right-bitlocker-countermeasure.md +++ /dev/null 
@@ -1,138 +0,0 @@ ---- -title: Choose the right BitLocker countermeasure (Windows 10) -description: This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks. -ms.assetid: b0b09508-7885-4030-8c61-d91458afdb14 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: brianlic-msft -ms.date: 10/27/2017 ---- - -# Choose the right BitLocker countermeasure - -**Applies to** -- Windows 10 - -This section outlines the best countermeasures you can use to protect your organization from bootkits and rootkits, brute force sign-in, Direct Memory Access (DMA) attacks, Hyberfil.sys attacks, and memory remanence attacks. -You can use BitLocker to protect your Windows 10 PCs. Whichever operating system you’re using, Microsoft and Windows-certified devices provide countermeasures to address attacks and improve your data security. In most cases, this protection can be implemented without the need for pre-boot authentication. - -Tables 1 and 2 summarize the recommended mitigations for different types of attacks against PCs running recent versions of Windows. The orange blocks indicate that the system requires additional configuration from the default settings. - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        -

        Windows 8.1
        without TPM

        -

        Windows 8.1 Certified
        (with TPM)

        -

        Bootkits and
        Rootkits

        Without TPM, boot integrity checking is not available

        Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings

        -

        Brute Force
        Sign-in

        Secure by default, and can be improved with account lockout Group Policy

        Secure by default, and can be improved with account lockout and device lockout Group Policy settings

        -

        DMA
        Attacks

        If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in

        If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in

        -

        Hyberfil.sys
        Attacks

        Secure by default; hyberfil.sys secured on encrypted volume

        Secure by default; hyberfil.sys secured on encrypted volume

        -

        Memory
        Remanence
        Attacks

        Password protect the firmware and disable booting from external media. If an attack is viable, consider pre-boot authentication

        Password protect the firmware and ensure Secure Boot is enabled. If an attack is viable, consider pre-boot authentication

        - -**Table 1.**  How to choose the best countermeasures for Windows 8.1

        - - ----- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
        -

        Windows 10
        without TPM

        -

        Windows 10 Certified
        (with TPM)

        -

        Bootkits and
        Rootkits

        Without TPM, boot integrity checking is not available

        Secure by default when UEFI-based Secure Boot is enabled and a firmware password is required to change settings

        -

        Brute Force
        Sign-in

        Secure by default, and can be improved with account lockout Group Policy

        Secure by default, and can be improved with account lockout and device lockout Group Policy settings

        -

        DMA
        Attacks

        If policy is deployed, secure by default for all lost or stolen devices because new DMA devices are granted access only when an authorized user is signed in

        Secure by default; certified devices do not expose vulnerable DMA busses.
        Can be additionally secured by deploying policy to restrict DMA devices:

        - -
        -

        Hyberfil.sys
        Attacks

        Secure by default; hyberfil.sys secured on encrypted volume

        Secure by default; hyberfil.sys secured on encrypted volume

        -

        Memory
        Remanence
        Attacks

        Password protect the firmware and disable booting from external media. If an attack is viable, consider pre-boot authentication

        Password protect the firmware and ensure Secure Boot is enabled.
        The most effective mitigation, which we advise for high-security devices, is to configure a TPM+PIN protector, disable Standby power management, and shut down or hibernate the device before it leaves the control of an authorized user.

        - -**Table 2.**  How to choose the best countermeasures for Windows 10 - -The latest Modern Standby devices, primarily tablets, are designed to be secure by default against all attacks that might compromise the BitLocker encryption key. Other Windows devices can be secure by default too. DMA port–based attacks, which represent the attack vector of choice, are not possible on Modern Standby devices because these port types are prohibited. The inclusion of DMA ports on even non-Modern Standby devices is extremely rare on recent devices, particularly on mobile ones. This could change if Thunderbolt is broadly adopted, so IT should consider this when purchasing new devices. In any case, DMA ports can be disabled entirely, which is an increasingly popular option because the use of DMA ports is infrequent in the non-developer space. To prevent DMA port usage unless an authorized user is signed in, you can set the DataProtection/AllowDirectMemoryAccess policy by using Mobile Device Management (MDM) or the Group Policy setting **Disable new DMA devices when this computer is locked** (beginning with Windows 10, version 1703). This setting is **Not configured** by default. The path to the Group Policy setting is: - -**Computer Configuration|Administrative Templates|Windows Components|BitLocker Drive Encryption** - -Memory remanence attacks can be mitigated with proper configuration; in cases where the system memory is fixed and non-removable, they are not possible using published techniques. Even in cases where system memory can be removed and loaded into another device, attackers will find the attack vector extremely unreliable, as has been shown in the DRDC Valcartier group’s analysis (see [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078)). 
- -Windows 7 PCs share the same security risks as newer devices but are far more vulnerable to DMA and memory remanence attacks, because Windows 7 devices are more likely to include DMA ports, lack support for UEFI-based Secure Boot, and rarely have fixed memory. To eliminate the need for pre-boot authentication on Windows 7 devices, disable the ability to boot to external media, password-protect the BIOS configuration, and disable the DMA ports. If you believe that your devices may be a target of a memory remanence attack, where the system memory may be removed and put into another computer to gain access to its contents, consider testing your devices to determine whether they are susceptible to this type of attack. - -In the end, many customers will find that pre-boot authentication improves security only for a shrinking subset of devices within their organization. Microsoft recommends a careful examination of the attack vectors and mitigations -outlined in this document along with an evaluation of your devices before choosing to implement pre-boot authentication, which may not enhance the security of your devices and instead will only compromise the user experience and add to support costs. - -## See also -- [Types of attacks for volume encryption keys](types-of-attacks-for-volume-encryption-keys.md) -- [BitLocker Countermeasures](bitlocker-countermeasures.md) -- [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md) -- [BitLocker overview](bitlocker-overview.md) -  -  diff --git a/windows/security/information-protection/bitlocker/images/kernel-dma-protection.png b/windows/security/information-protection/bitlocker/images/kernel-dma-protection.png new file mode 100644 index 0000000000..297809afdc Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/kernel-dma-protection.png differ 
diff --git a/windows/security/information-protection/bitlocker/images/pre-boot-authentication-group-policy.png b/windows/security/information-protection/bitlocker/images/pre-boot-authentication-group-policy.png new file mode 100644 index 0000000000..94d0720c76 Binary files /dev/null and b/windows/security/information-protection/bitlocker/images/pre-boot-authentication-group-policy.png differ diff --git a/windows/security/information-protection/bitlocker/protect-bitlocker-from-pre-boot-attacks.md b/windows/security/information-protection/bitlocker/protect-bitlocker-from-pre-boot-attacks.md deleted file mode 100644 index d67cd69a82..0000000000 --- a/windows/security/information-protection/bitlocker/protect-bitlocker-from-pre-boot-attacks.md +++ /dev/null 
@@ -1,43 +0,0 @@ ---- -title: Protect BitLocker from pre-boot attacks (Windows 10) -description: This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. -ms.assetid: 24d19988-fc79-4c45-b392-b39cba4ec86b -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: brianlic-msft -ms.date: 04/19/2017 ---- -# Protect BitLocker from pre-boot attacks - - -**Applies to** -- Windows 10 - -This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. - -BitLocker uses encryption to protect the data on your drive, but BitLocker security is only effective when the encryption key is protected. Many users have relied on pre-boot authentication to protect the operating system’s integrity, disk encryption solution (for example, encryption keys), and the PC’s data from offline attacks. With pre-boot authentication, users must provide some form of credential before unlocking encrypted volumes and starting -Windows. Typically, they authenticate themselves using a PIN or a USB flash drive as a key. - -Full-volume encryption using BitLocker Drive Encryption is vital for protecting data and system integrity on devices running the Windows 10, Windows 8.1, Windows 8, or Windows 7 operating system. It is equally important to protect the BitLocker encryption key. On Windows 7 devices, sufficiently protecting that key often required pre-boot authentication, which many users find inconvenient and complicates device management. - -Pre-boot authentication provides excellent startup security, but it inconveniences users and increases IT management costs. 
Every time the PC is unattended, the device must be set to hibernate (in other words, shut down and powered off); when the computer restarts, users must authenticate before the encrypted volumes are unlocked. This requirement increases restart times and prevents users from accessing remote PCs until they can physically access the computer to authenticate, making pre-boot authentication unacceptable in the modern IT world, where users expect their devices to turn on instantly and IT requires PCs to be constantly connected to the network. - -If users lose their USB key or forget their PIN, they can’t access their PC without a recovery key. With a properly configured infrastructure, the organization’s support will be able to provide the recovery key, but doing so increases support costs, and users might lose hours of productive work time. - -Starting with Windows 8, Secure Boot and Windows Trusted Boot startup process ensures operating system integrity, allowing Windows to start automatically while minimizing the risk of malicious startup tools and rootkits. In addition, many modern devices are fundamentally physically resistant to sophisticated attacks against the computer’s memory, and now Windows authenticates the user before making devices that may represent a threat to the device and encryption keys available for use. - -## In this topic - -The sections that follow help you understand which PCs still need pre-boot authentication and which can meet your security requirements without the inconvenience of it. - -- [Types of attacks for volume encryption keys](types-of-attacks-for-volume-encryption-keys.md) -- [BitLocker countermeasures](bitlocker-countermeasures.md) -- [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md) - -## See also - -- [BitLocker overview](bitlocker-overview.md) -  -  
diff --git a/windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md b/windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md deleted file mode 100644 index d96b30a8c5..0000000000 --- a/windows/security/information-protection/bitlocker/types-of-attacks-for-volume-encryption-keys.md +++ /dev/null 
@@ -1,129 +0,0 @@ ---- -title: Types of attacks for volume encryption keys (Windows 10) -description: There are many ways Windows helps protect your organization from attacks, including Unified Extensible Firmware Interface (UEFI) secure boot, Trusted Platform Module (TPM), Group Policy, complex passwords, and account lockouts. -ms.assetid: 405060a9-2009-44fc-9f84-66edad32c6bc -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -author: brianlic-msft -ms.date: 10/27/2017 ---- - -# Types of attacks for volume encryption keys - -**Applies to** -- Windows 10 - -There are many ways Windows helps protect your organization from attacks, including Unified Extensible Firmware Interface (UEFI) Secure Boot, Trusted Platform Module (TPM), Group Policy, complex passwords, and account lockouts. - -The next few sections describe each type of attack that could be used to compromise a volume encryption key, whether for BitLocker or a non-Microsoft encryption solution. After an attacker has compromised a volume encryption key, the attacker can read data from your system drive or even install malware while Windows is offline. Each section begins with a graphical overview of the attack’s strengths and weaknesses as well as suggested mitigations. - -### Bootkit and rootkit attacks - -Rootkits are a sophisticated and dangerous type of malware that runs in kernel mode, using the same privileges as the operating system. Because rootkits have the same or possibly even more rights than the operating system, they can completely hide themselves from Windows and even an antimalware solution. Often, rootkits are part of an entire suite of malware that can bypass local logins, record passwords, transfer private files, and capture cryptography keys. - -Different types of bootkits and rootkits load at different software levels: - -- **Kernel level.** Rootkits running at the kernel level have the highest privilege in the operating system. 
They may be able to inject malicious code or replace portions of the core operating system, including both the kernel and device drivers. -- **Application level.** These rootkits are aimed to replace application binaries with malicious code, such as a Trojan, and can even modify the behavior of existing applications. -- **Library level.** The purpose of library-level rootkits is to hook, patch, or replace system calls with malicious code that can hide the malware’s presence. -- **Hypervisor level.** Hypervisor rootkits target the boot sequence. Their primary purpose is to modify the boot sequence to load themselves as a hypervisor. -- **Firmware level.** These rootkits overwrite the PC’s BIOS firmware, giving the malware low-level access and potentially the ability to install or hide malware, even if it’s cleaned or removed from the hard disk. - -Regardless of the operating system or encryption method, rootkits have access to confidential data once installed. Application-level rootkits can read any files the user can access, bypassing volume-level encryption. Kernel-, library-, hypervisor-, and firmware-level rootkits have direct access to system files on encrypted volumes and can also retrieve an encryption key from memory. - -Windows offers substantial protection from bootkits and rootkits, but it is possible to bypass operating system security when an attacker has physical access to the device and can install the malware to the device while Windows is offline. For example, an attacker might boot a PC from a USB flash drive containing malware that starts before Windows. The malware can replace system files or the PC’s firmware or simply start Windows under its control. - -To sufficiently protect a PC from boot and rootkits, devices must use pre-boot authentication or Secure Boot, or the encryption solution must use the device’s Trusted Platform Module (TPM) as a means of monitoring the integrity of the end-to-end boot process. 
Pre-boot authentication is available for any device, regardless of the hardware, but because it is inconvenient to users, it should be used only to mitigate threats that are applicable to the device. On devices with Secure Boot enabled, you do not need to use pre-boot authentication to protect against boot and rootkit attacks. - -Although password protection of the UEFI configuration is important for protecting a device’s configuration and preventing an attacker from disabling Secure Boot, use of a TPM and its Platform Configuration Register (PCR) measurements (PCR7) to ensure that the system’s bootloader (whether a Windows or non-Microsoft encryption solution) is tamper free and the first code to start on the device is critical. An encryption solution that doesn’t use a device’s TPM to protect its components from tampering may be unable to protect itself from bootkit-level infections that could log a user’s password or acquire encryption keys. - -For this reason, when BitLocker is configured on devices that include a TPM, the TPM and its PCRs are always used to secure and confirm the integrity of the pre–operating system environment before making encrypted volumes accessible. - -Any change to the UEFI configuration invalidates the PCR7 and requires the user to enter the BitLocker recovery key. Because of this feature, it’s not critical to password-protect your UEFI configuration. But UEFI password protection is a best practice and is still required for systems not using a TPM (such as non-Microsoft alternatives). - -### Brute-force Sign-in Attacks - -Attackers can find any password if you allow them to guess enough times. The process of trying millions of different passwords until you find the right one is known as a *brute-force sign-in attack*. In theory, an attacker could obtain any password by using this method. 
- -Three opportunities for brute-force attacks exist: - -- **Against the pre-boot authenticator.** An attacker could attack the device directly by attempting to guess the user’s BitLocker PIN or an equivalent authenticator. The TPM mitigates this approach by invoking an anti-hammering lockout capability that requires the user to wait until the lockout period ends or enter the BitLocker recovery key. -- **Against the recovery key.** An attacker could attempt to guess the 48-digit BitLocker recovery key. Even without a lockout period, the key is long enough to make brute-force attacks impractical. Specifically, the BitLocker recovery key has 128 bits of entropy; thus, the average brute-force attack would succeed after 18,446,744,073,709,551,616 guesses. If an attacker could guess 1 million passwords per second, the average brute-force attack would require more than 580,000 years to be successful. -- **Against the operating system sign-in authenticator.** An attacker can attempt to guess a valid user name and password. Windows implements a delay between password guesses, slowing down brute-force attacks. In addition, all recent versions of Windows allow administrators to require complex passwords and password lockouts. Similarly, administrators can use Microsoft Exchange ActiveSync policy or Group Policy to configure Windows 8.1 and Windows 8 to automatically restart and require the user to enter the BitLocker 48-digit recovery key after a specified number of invalid password attempts. When these settings are enabled and users follow best practices for complex passwords, brute-force attacks against the operating system sign-in are impractical. - -In general, brute-force sign-in attacks are not practical against Windows when administrators enforce complex passwords and account lockouts. - -### Direct Memory Access Attacks - -Direct memory access (DMA) allows certain types of hardware devices to communicate directly with a device’s system memory. 
For example, if you use Thunderbolt to connect another device to your computer, the second device automatically has Read and Write access to the target computer’s memory. - -Unfortunately, DMA ports don’t use authentication and access control to protect the contents of the computer’s memory. Whereas Windows can often prevent system components and apps from reading and writing to protected parts of memory, a device can use DMA to read any location in memory, including the location of any encryption keys. - -DMA attacks are relatively easy to execute and require little technical skills. Anyone can download a tool from the Internet, such as those made by [Passware](http://www.lostpassword.com/), [ElcomSoft](http://elcomsoft.com/), and -others, and then use a DMA attack to read confidential data from a PC’s memory. Because encryption solutions store their encryption keys in memory, they can be accessed by a DMA attack. - -Not all port types are vulnerable to DMA attacks. USB in particular does not allow DMA, but devices that have any of the following port types are vulnerable: - -- FireWire -- Thunderbolt -- ExpressCard -- PCMCIA -- PCI -- PCI-X -- PCI Express - -To perform a DMA attack, attackers typically connect a second PC that is running a memory-scanning tool (for example, Passware, ElcomSoft) to the FireWire or Thunderbolt port of the target computer. When connected, the software -scans the system memory of the target and locates the encryption key. Once acquired, the key can be used to decrypt the drive and read or modify its contents. - -A much more efficient form of this attack exists in theory: An attacker crafts a custom FireWire or Thunderbolt device that has the DMA attack logic programmed on it. Now, the attacker simply needs to physically connect the device. If the attacker does not have physical access, they could disguise it as a free USB flash drive and distribute it to employees of a target organization. 
When connected, the attacking device could use a DMA attack to scan the PC’s memory for the encryption key. It could then transmit the key (or any data in the PC’s memory) using the PC’s Internet connection or its own wireless connection. This type of attack would require an extremely high level of sophistication, because it requires that the attacker create a custom device (devices of these types are not readily available in the marketplace at this time). - -Today, one of the most common uses for DMA ports on Windows devices is for developer debugging, a task that some developers need to perform and one that few consumers will ever perform. Because USB; DisplayPort; and other, more secure port types satisfy consumers, most new mobile PCs do not include DMA ports. Microsoft’s view is that because of the inherent security risks of DMA ports, they do not belong on mobile devices, and Microsoft has prohibited their inclusion on any Modern Standby-certified devices. Modern Standby devices offer mobile phone–like power management and instant-on capabilities; at the time of writing, they are primarily found in Windows tablets. - -DMA-based expansion slots are another avenue of attack, but these slots generally appear only on desktop PCs that are designed for expansion. Organizations can use physical security to prevent outside attacks against their desktop PCs. In addition, a DMA attack on the expansion slot would require a custom device; as a result, an attacker would most likely insert an interface with a traditional DMA port (for example, FireWire) into the slot to attack the PC. - -To mitigate a port-based DMA attack an administrator can configure policy settings to disable FireWire and other device types that have DMA. Also, many PCs allow those devices to be disabled by using firmware settings. 
Although the need for pre-boot authentication can be eliminated at the device level or through Windows configuration, the BitLocker pre-boot authentication feature is still available when needed. When used, it successfully mitigates all types of DMA port and expansion slot attacks on any type of device. - -### Hiberfil.sys Attacks - -The hiberfil.sys file is the Windows hibernation file. It contains a snapshot of system memory that is generated when a device goes into hibernation and includes the encryption key for BitLocker and other encryption technologies. Attackers have claimed that they have successfully extracted encryption keys from the hiberfil.sys file. - -Like the DMA port attack discussed in the previous section, tools are available that can scan the hiberfile.sys file and locate the encryption key, including a tool made by [Passware](http://www.lostpassword.com/). Microsoft does not consider Windows to be vulnerable to this type of attack, because Windows stores the hiberfil.sys file within the encrypted system volume. As a result, the file would be accessible only if the attacker had both physical and sign-in access to the PC. When an attacker has sign-in access to the PC, there are few reasons for the attacker to decrypt the drive, because they would already have full access to the data within it. - -In practice, the only reason an attack on hiberfil.sys would grant an attacker additional access is if an administrator had changed the default Windows configuration and stored the hiberfil.sys file on an unencrypted drive. By default, Windows 10 is designed to be secure against this type of attack. - -### Memory Remanence Attacks - -A memory remanence attack is a side-channel attack that reads the encryption key from memory after restarting a PC. Although a PC’s memory is often considered to be cleared when the PC is restarted, memory chips don’t immediately lose their memory when you disconnect power. 
Therefore, an attacker who has physical access to the PC’s memory might be able to read data directly from the memory—including the encryption key. - -When performing this type of cold boot attack, the attacker accesses the PC’s physical memory and recovers the encryption key within a few seconds or minutes of disconnecting power. This type of attack was demonstrated by researchers at [Princeton University](http://www.youtube.com/watch?v=JDaicPIgn9U). With the encryption key, the attacker would be able to decrypt the drive and access its files. - -To acquire the keys, attackers follow this process: - -1. Freeze the PC’s memory. For example, an attacker can freeze the memory to −50°C by spraying it with aerosol air duster spray. -2. Restart the PC. -3. Instead of restarting Windows, boot to another operating system. Typically, this is done by connecting a bootable flash drive or loading a bootable DVD. -4. The bootable media loads the memory remanence attack tools, which the attacker uses to scan the system memory and locate the encryption keys. -5. The attacker uses the encryption keys to access the drive’s data. - -If the attacker is unable to boot the device to another operating system (for example, if bootable flash drives have been disabled or Secure Boot is enabled), the attacker can attempt to physically remove the frozen memory from the device and attach it to a different, possibly identical device. Fortunately, this process has proven extremely unreliable, as evidenced by the Defence Research and Development Canada (DRDC) Valcartier group’s analysis (see [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078)). On an increasing portion of modern devices, this type of attack is not even possible, because memory is soldered directly to the motherboard. 
- -Although Princeton’s research proved that this type of attack was possible on devices that have removable memory, device hardware has changed since the research was published in 2008: - -- Secure Boot prevents the malicious tools that the Princeton attack depends on from running on the target device. -- Windows systems with BIOS or UEFI can be locked down with a password, and booting to a USB drive can be prevented. -- If booting to USB is required on the device, it can be limited to starting trusted operating systems by using Secure Boot. -- The discharge rates of memory are highly variable among devices, and many devices have memory that is completely immune to memory remanence attacks. -- Increased density of memory diminishes their remanence properties and reduces the likelihood that the attack can be successfully executed, even when memory is physically removed and placed in an identical system where the system’s configuration may enable booting to the malicious tools. - -Because of these factors, this type of attack is rarely possible on modern devices. Even in cases where the risk factors exist on legacy devices, attackers will find the attack unreliable. For detailed info about the practical uses for forensic memory acquisition and the factors that make a computer vulnerable or resistant to memory remanence attacks, read [An In-depth Analysis of the Cold Boot Attack](http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA545078). - -The BitLocker pre-boot authentication feature can successfully mitigate memory remanence attacks on most devices, but you can also mitigate such attacks by protecting the system UEFI or BIOS and prevent the PC from booting from external media (such as a USB flash drive or DVD). The latter option is often a better choice, because it provides sufficient protection without inconveniencing users with pre-boot authentication. 
- -## See also - -- [BitLocker countermeasures](bitlocker-countermeasures.md) -- [Choose the right BitLocker countermeasure](choose-the-right-bitlocker-countermeasure.md) -- [Protect BitLocker from pre-boot attacks](protect-bitlocker-from-pre-boot-attacks.md) -- [BitLocker overview](bitlocker-overview.md) diff --git a/windows/security/information-protection/images/device-details-tab.png b/windows/security/information-protection/images/device-details-tab.png new file mode 100644 index 0000000000..4dfe33e156 Binary files /dev/null and b/windows/security/information-protection/images/device-details-tab.png differ diff --git a/windows/security/information-protection/images/kernel-dma-protection-user-experience.png b/windows/security/information-protection/images/kernel-dma-protection-user-experience.png new file mode 100644 index 0000000000..8949c51627 Binary files /dev/null and b/windows/security/information-protection/images/kernel-dma-protection-user-experience.png differ diff --git a/windows/security/information-protection/index.md b/windows/security/information-protection/index.md index 4da67275f3..5c7a8d5795 100644 --- a/windows/security/information-protection/index.md +++ b/windows/security/information-protection/index.md @@ -6,7 +6,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 02/05/2018 +ms.date: 09/17/2018 --- # Information protection 
@@ -16,4 +16,8 @@ Learn more about how to secure documents and other data across your organization
 | Section | Description |
 |-|-|
 | [BitLocker](bitlocker/bitlocker-overview.md)| Provides information about BitLocker, which is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. |
+| [Encrypted Hard Drive](bitlocker/bitlocker-overview.md)| Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. |
+| [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md)| Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports. |
 | [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.|
+| [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)| Windows 10 supports features to help prevent rootkits and bootkits from loading during the startup process. |
+| [Trusted Platform Module](tpm/trusted-platform-module-top-node.md)| Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. |
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
new file mode 100644
index 0000000000..17127719eb
--- /dev/null
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -0,0 +1,111 @@
+---
+title: Kernel DMA Protection for Thunderbolt™ 3 (Windows 10)
+description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports.
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: aadake
+ms.date: 09/19/2018
+---
+
+# Kernel DMA Protection for Thunderbolt™ 3
+
+**Applies to**
+- Windows 10
+
+In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports.
+Drive-by DMA attacks can lead to disclosure of sensitive information residing on a PC, or even injection of malware that allows attackers to bypass the lock screen or control PCs remotely.
+
+This feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on.
+
+For Thunderbolt DMA protection on earlier Windows versions and other platforms that lack support for Kernel DMA Protection, please refer to Intel documentation.
+
+## Background
+
+PCI devices are DMA-capable, which allows them to read and write to system memory at will, without having to engage the system processor in these operations.
+The DMA capability is what makes PCI devices the highest performing devices available today.
+These devices have historically existed only inside the PC chassis, either connected as a card or soldered on the motherboard.
+Access to these devices required the user to turn off power to the system and disassemble the chassis.
+Today, this is no longer the case with Thunderbolt™.
+
+Thunderbolt™ technology has provided modern PCs with extensibility that was not available before for PCs.
+It allows users to attach new classes of external peripherals, such as graphics cards or other PCI devices, to their PCs with a hot plug experience identical to USB.
+Having PCI hot plug ports externally and easily accessible makes PCs susceptible to drive-by DMA attacks.
+
+Drive-by DMA attacks are attacks that occur while the owner of the system is not present and usually take less than 10 minutes, with simple to moderate attacking tools (affordable, off-the-shelf hardware and software) that do not require the disassembly of the PC.
+A simple example would be a PC owner leaves the PC for a quick coffee break, and within the break, and attacker steps in, plugs in a USB-like device and walks away with all the secrets on the machine, or injects a malware that allows them to have full control over the PC remotely.
+
+## How Windows protects against DMA drive-by attacks
+
+Windows leverages the system Input/Output Memory Management Unit (IOMMU) to block external devices from starting and performing DMA unless the drivers for these devices support memory isolation (such as DMA-remapping).
+Devices with compatible drivers will be automatically enumerated, started and allowed to perform DMA to their assigned memory regions.
+Devices with incompatible drivers will be blocked from starting and performing DMA until an authorized user signs into the system or unlocks the screen.
+
+## User experience
+
+![Kernel DMA protection user experience](images/kernel-dma-protection-user-experience.png)
+
+A device that is incompatible with DMA-remapping will be blocked from starting if the device was plugged in before an authorized user logs in, or while the screen is locked.
+Once the system is unlocked, the device driver will be started by the OS, and the device will continue to function normally until the system is rebooted, or the device is unplugged.
+The devices will continue to function normally if the user locks the screen or logs out of the system.
+
+## System compatibility
+
+Kernel DMA Protection requires new UEFI firmware support.
+This support is anticipated only on newly-introduced, Intel-based systems shipping with Windows 10 version 1803 (not all systems). Virtualization-based Security (VBS) is not required.
+
+To see if a system supports Kernel DMA Protection, check the System Information desktop app (MSINFO32).
+Systems released prior to Windows 10 version 1803 do not support Kernel DMA Protection, but they can leverage other DMA attack mitigations as described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md).
+
+>[!NOTE]
+>Kernel DMA Protection is not compatible with other BitLocker DMA attacks countermeasures. It is recommended to disable the BitLocker DMA attacks countermeasures if the system supports Kernel DMA Protection. Kernel DMA Protection provides higher security bar for the system over the BitLocker DMA attack countermeasures, while maintaining usability of external peripherals.
+
+## Enabling Kernel DMA protection
+
+Systems running Windows 10 version 1803 that do support Kernel DMA Protection do have this security feature enabled automatically by the OS with no user or IT admin configuration required.
+
+**To check if a device supports kernel DMA protection**
+
+1. Launch MSINFO32.exe in a command prompt, or in the Windows search bar.
+2. Check the value of **Kernel DMA Protection**.
+ ![Kernel DMA protection](bitlocker/images/kernel-dma-protection.png)
+3. If the current state of **Kernel DMA Protection** is OFF and **Virtualization Technology in Firmware** is NO:
+ - Reboot into BIOS settings
+ - Turn on Intel Virtualization Technology.
+ - Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in BitLocker Countermeasures.
+ - Reboot system into Windows 10.
+4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature.
+
+## Frequently asked questions
+
+### Do in-market systems support Kernel DMA protection for Thunderbolt™ 3?
+In market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees.
+
+### Does Kernel DMA Protection prevent drive-by DMA attacks during Boot?
+No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot.
+
+### How can I check if a certain driver supports DMA-remapping?
+DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the following Property GUID (highlighted in red in the image below) in the Details tab of a device in Device Manager. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping.
+Please check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external).
+
+![Kernel DMA protection user experience](images/device-details-tab.png)
+
+### What should I do if the drivers for my Thunderbolt™ 3 peripherals do not support DMA-remapping?
+If the peripherals do have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support this functionality. Details for driver compatibility requirements can be found here (add link to OEM documentation).
+
+### Do Microsoft drivers support DMA-remapping?
+In Windows 10 1803 and beyond, the Microsoft inbox drivers for USB XHCI (3.x) Controllers, Storage AHCI/SATA Controllers and Storage NVMe Controllers support DMA-remapping.
+
+### Do drivers for non-PCI devices need to be compatible with DMA-remapping?
+No. Devices for non-PCI peripherals, such as USB devices, do not perform DMA, thus no need for the driver to be compatible with DMA-remapping.
+
+### How can an enterprise enable the “External device enumeration” policy?
+The “External device enumeration” policy controls whether to enumerate external devices that are not compatible with DMA-remapping. Devices that are compatible with DMA-remapping are always enumerated. The policy can be enabled via Group Policy or Mobile Device Management (MDM):
+- Group Policy: Administrative Templates\System\Kernel DMA Protection\Enumeration policy for external devices incompatible with Kernel DMA Protection
+- MDM: [DmaGuard policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies)
+
+## Related topics
+
+- [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md)
+- [DmaGuard MDM policies](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-dmaguard#dmaguard-policies)
diff --git a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
index 0f5768fe1c..ad48ae604e 100644
--- a/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
+++ b/windows/security/information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
@@ -6,7 +6,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: brianlic-msft
+author: andreabichsel
+ms.author: v-anbic
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
index 7731079b80..1f879a21ea 100644
--- a/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
+++ b/windows/security/information-protection/tpm/change-the-tpm-owner-password.md
@@ -6,7 +6,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: brianlic-msft
+author: andreabichsel
+ms.author: v-anbic
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
index 44e66ef033..1ff26cb46d 100644
--- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
@@ -7,7 +7,8 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: brianlic-msft
+author: andreabichsel
+ms.author: v-anbic
 ms.date: 10/27/2017
 ---
diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
index 3b52d2e805..37d77fa8e0 100644
--- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
@@ -1,24 +1,23 @@
 ---
-title: View status, clear, or troubleshoot the TPM (Windows 10)
+title: Troubleshoot the TPM (Windows 10)
 description: This topic for the IT professional describes how to view status for, clear, or troubleshoot the Trusted Platform Module (TPM).
 ms.assetid: 1166efaf-7aa3-4420-9279-435d9c6ac6f8
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: brianlic-msft
-ms.date: 04/19/2017
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 09/11/2018
 ---
-# View status, clear, or troubleshoot the TPM
+# Troubleshoot the TPM
 **Applies to**
 - Windows 10
 - Windows Server 2016
-This topic for the IT professional describes actions you can take through the Trusted Platform Module (TPM) snap-in, **TPM.msc**:
-
-- [View the status of the TPM](#view-the-status-of-the-tpm)
+This topic provides information for the IT professional to troubleshoot the Trusted Platform Module (TPM):
 - [Troubleshoot TPM initialization](#troubleshoot-tpm-initialization)
@@ -32,15 +31,7 @@ For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](h
 ## About TPM initialization and ownership
-Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This is a change from previous operating systems, where you would initialize the TPM and create an owner password. Therefore, with Windows 10, in most cases, we recommend that you avoid configuring the TPM through **TPM.msc**. The one exception is that in certain circumstances you might use **TPM.msc** to clear the TPM. For more information, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this topic.
-
-## View the status of the TPM
-
-To view the status of the TPM, open the TPM Management console (TPM.msc). In the center pane, find the **Status** box.
-
-In most cases, the status will be **Ready**. If the status is ready but “**with reduced functionality**,” see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this topic.
-
-If the status is **Not ready**, you can try the steps in [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this topic. If this does not bring it to a **Ready** state, contact the manufacturer, and see the troubleshooting suggestions in the next section.
+Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This is a change from previous operating systems, where you would initialize the TPM and create an owner password.
 ## Troubleshoot TPM initialization
@@ -72,19 +63,13 @@ For example, toggling TPMs will cause BitLocker to enter recovery mode. We stron
 ## Clear all the keys from the TPM
-With Windows 10, in most cases, we recommend that you avoid configuring the TPM through TPM.msc. The one exception is that you can use TPM.msc to clear the TPM, for example, as a troubleshooting step, or as a final preparation before a clean installation of a new operating system. Preparing for a clean installation in this way helps ensure that the new operating system can fully deploy any TPM-based functionality that it includes, for example, attestation. However, even if the TPM is not cleared before a new operating system is installed, most TPM functionality will probably work correctly.
+You can use the Windows Defender Security Center app to clear the TPM as a troubleshooting step, or as a final preparation before a clean installation of a new operating system. Preparing for a clean installation in this way helps ensure that the new operating system can fully deploy any TPM-based functionality that it includes, such as attestation. However, even if the TPM is not cleared before a new operating system is installed, most TPM functionality will probably work correctly.
 Clearing the TPM resets it to an unowned state. After you clear the TPM, the Windows 10 operating system will automatically re-initialize it and take ownership again.
 > [!WARNING]
 > Clearing the TPM can result in data loss. For more information, see the next section, “Precautions to take before clearing the TPM.”
-There are several ways to clear the TPM:
-
-- **Clear the TPM as part of a complete reset of the computer**: You might want to remove all files from the computer and completely reset it, for example, in preparation for a clean installation. To do this, we recommend that you use the **Reset** option in **Settings**. When you perform a reset and use the **Remove everything** option, it will clear the TPM as part of the reset.
You might be prompted to press a key before the TPM can be cleared. For more information, see the “Reset this PC” section in [Recovery options in Windows 10](https://support.microsoft.com/en-us/help/12415/windows-10-recovery-options).
-
-- **Clear the TPM to fix “reduced functionality” or “Not ready” TPM status**: If you open TPM.msc and see that the TPM status is something other than **Ready**, you can try using TPM.msc to clear the TPM and fix the status. However, be sure to review the precautions in the next section.
-
 ### Precautions to take before clearing the TPM
 Clearing the TPM can result in data loss. To protect against such loss, review the following precautions:
@@ -103,15 +88,19 @@ Membership in the local Administrators group, or equivalent, is the minimum requ
 **To clear the TPM**
-1. Open the TPM MMC (tpm.msc).
+1. Open the Windows Defender Security Center app.
-2. If the **User Account Control** dialog box appears, confirm that the action it displays is what you want, and then click **Yes**.
+2. Click **Device security**.
-3. Under **Actions**, click **Clear TPM**.
+3. Click **Security processor details**.
-4. You will be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM.
+4. Click **Security processor troubleshooting**.
-5. After the PC restarts, your TPM will be automatically prepared for use by Windows 10.
+5. Click **Clear TPM**.
+
+6. You will be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM.
+
+7. After the PC restarts, your TPM will be automatically prepared for use by Windows 10.
 ## Turn on or turn off the TPM (available only with TPM 1.2 with Windows 10, version 1507 or 1511)
@@ -149,20 +138,6 @@ If you want to stop using the services that are provided by the TPM, you can use
 - If you did not save your TPM owner password or no longer know it, click **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password.
-### Change the TPM Owner Password (available only with Windows 10, version 1607 and earlier versions)
-
-If you have the [owner password](https://technet.microsoft.com/itpro/windows/keep-secure/change-the-tpm-owner-password) available, you can use TPM.msc to change the TPM Owner Password.
-
-1. Open the TPM MMC (tpm.msc).
-
-2. In the **Action** pane, click **Change the Owner Password**
-
- - If you saved your TPM owner password on a removable storage device, insert it, and then click **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, click **Browse** to locate the .tpm file that is saved on your removable storage device, click **Open**, and then click **Turn TPM Off**.
-
- - If you do not have the removable storage device with your saved TPM owner password, click **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then click **Turn TPM Off**.
-
-This capability was fully removed from TPM.msc in later versions of Windows.
-
 ## Use the TPM cmdlets
 You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](https://docs.microsoft.com/powershell/module/trustedplatformmodule/?view=win10-ps).
diff --git a/windows/security/information-protection/tpm/manage-tpm-commands.md b/windows/security/information-protection/tpm/manage-tpm-commands.md
index 0f681444d4..201fa3eafd 100644
--- a/windows/security/information-protection/tpm/manage-tpm-commands.md
+++ b/windows/security/information-protection/tpm/manage-tpm-commands.md
@@ -20,12 +20,6 @@ This topic for the IT professional describes how to manage which Trusted Platfor
 After a computer user takes ownership of the TPM, the TPM owner can limit which TPM commands can be run by creating a list of blocked TPM commands. The list can be created and applied to all computers in a domain by using Group Policy, or a list can be created for individual computers by using the TPM MMC. Because some hardware vendors might provide additional commands or the Trusted Computing Group may decide to add commands in the future, the TPM MMC also supports the ability to block new commands.
-Domain administrators can configure a list of blocked TPM commands by using Group Policy. Local administrators cannot allow TPM commands that are blocked through Group Policy. For more information about this Group Policy setting, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#configure-the-list-of-blocked-tpm-commands).
-
-Local administrators can block commands by using the TPM MMC, and commands on the default block list are also blocked unless the Group Policy settings are changed from the default settings.
-
-Two policy settings control the enforcement which allows TPM commands to run. For more information about these policy settings, see [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md#ignore-the-default-list-of-blocked-tpm-commands).
-
 The following procedures describe how to manage the TPM command lists. You must be a member of the local Administrators group.
 **To block TPM commands by using the Local Group Policy Editor**
diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
index fabb1ccc07..164658f0a0 100644
--- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
@@ -6,7 +6,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: brianlic-msft
+author: andreabichsel
+ms.author: v-anbic
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md
index 23eb4f8be3..0d44a4282a 100644
--- a/windows/security/information-protection/tpm/tpm-fundamentals.md
+++ b/windows/security/information-protection/tpm/tpm-fundamentals.md
@@ -6,7 +6,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: brianlic-msft
+author: andreabichsel
+ms.author: v-anbic
 ms.date: 08/16/2017
 ---
diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md
index 00b392f1c2..7fa22e10ce 100644
--- a/windows/security/information-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@@ -7,7 +7,8 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: brianlic-msft
+author: andreabichsel
+ms.author: v-anbic
 ms.date: 05/16/2018
 ---
@@ -103,8 +104,8 @@ The following table defines which Windows features require TPM support.
 | BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required |
 | Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. |
 | Windows Defender Application Control (Device Guard) | No | Yes | Yes | |
-| Windows Defender Exploit Guard | Yes | Yes | Yes | |
-| Windows Defender System Guard | Yes | Yes | Yes | |
+| Windows Defender Exploit Guard | No | N/A | N/A | |
+| Windows Defender System Guard | Yes | No | Yes | |
 | Credential Guard | No | Yes | Yes | Windows 10, version 1507 (End of Life as of May 2017) only supported TPM 2.0 for Credential Guard. Beginning with Windows 10, version 1511, TPM 1.2 and 2.0 are supported. |
 | Device Health Attestation| Yes | Yes | Yes | |
 | Windows Hello/Windows Hello for Business| No | Yes | Yes | Azure AD join supports both versions of TPM, but requires TPM with keyed-hash message authentication code (HMAC) and Endorsement Key (EK) certificate for key attestation support. |
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
index 94c5d6fbce..1b4e9f6f6f 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
@@ -7,7 +7,8 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
-author: brianlic-msft
+author: andreabichsel
+ms-author: v-anbic
 ms.date: 08/21/2018
 ---
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
index 41d6404f4b..0b2740ff70 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
@@ -6,15 +6,16 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-author: brianlic-msft
-ms.date: 06/29/2018
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 10/02/2018
 ---
 # TPM Group Policy settings
 **Applies to**
 - Windows 10
-- Windows Server 2016
+- Windows Server 2016 and later
 This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
@@ -22,39 +23,7 @@ The Group Policy settings for TPM services are located at:
 **Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\**
-The following Group Policy settings were introduced in Window 10.
-
-## Configure the list of blocked TPM commands
-
-This policy setting allows you to manage the Group Policy list of Trusted Platform Module (TPM) commands that are blocked by Windows.
-
-If you enable this policy setting, Windows will block the specified commands from being sent to the TPM on the computer. TPM commands are referenced by a command number. For example, command number 129 is **TPM\_OwnerReadInternalPub**, and command number 170 is **TPM\_FieldUpgrade**. To find the command number that is associated with each TPM command, at the command prompt, type **tpm.msc** to open the TPM Management Console and navigate to the **Command Management** section.
-
-If you disable or do not configure this policy setting, only those TPM commands that are specified through the default or local lists can be blocked by Windows. The default list of blocked TPM commands is preconfigured by Windows.
-
-- You can view the default list by typing **tpm.msc** at the command prompt, navigating to the **Command Management** section, and exposing the **On Default Block List** column.
-
-- The local list of blocked TPM commands is configured outside of Group Policy by running the TPM Management Console or scripting using the **Win32\_Tpm** interface.
-
-## Ignore the default list of blocked TPM commands
-
-This policy setting allows you to enforce or ignore the computer's default list of blocked Trusted Platform Module (TPM) commands.
-
-The default list of blocked TPM commands is preconfigured by Windows. You can view the default list by typing **tpm.msc** at the command prompt to open the TPM Management Console, navigating to the **Command Management** section, and exposing the **On Default Block List** column.
-
-If you enable this policy setting, the Windows operating system will ignore the computer's default list of blocked TPM commands, and it will block only those TPM commands that are specified by Group Policy or the local list.
-
-If you disable or do not configure this policy setting, Windows will block the TPM commands in the default list, in addition to the commands that are specified by Group Policy and the local list of blocked TPM commands.
-
-## Ignore the local list of blocked TPM commands
-
-This policy setting allows you to enforce or ignore the computer's local list of blocked Trusted Platform Module (TPM) commands.
-
-The local list of blocked TPM commands is configured outside of Group Policy by typing **tpm.msc** at the command prompt to open the TPM Management Console, or scripting using the **Win32\_Tpm** interface. (The default list of blocked TPM commands is preconfigured by Windows.)
-
-If you enable this policy setting, the Windows operating system will ignore the computer's local list of blocked TPM commands, and it will block only those TPM commands that are specified by Group Policy or the default list.
-
-If you disable or do not configure this policy setting, Windows will block the TPM commands in the local list, in addition to the commands that are specified in Group Policy and the default list of blocked TPM commands.
+The following Group Policy settings were introduced in Windows 10.
 ## Configure the level of TPM owner authorization information available to the operating system
@@ -115,7 +84,7 @@ For each standard user, two thresholds apply. Exceeding either threshold prevent - [Standard User Total Lockout Threshold](#standard-user-total-lockout-threshold)   This value is the maximum total number of authorization failures that all standard users can have before all standard users are not allowed to send commands that require authorization to the TPM. -An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. +An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the Windows Defender Security Center. Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. If you do not configure this policy setting, a default value of 480 minutes (8 hours) is used. 
@@ -127,7 +96,7 @@ This setting helps administrators prevent the TPM hardware from entering a locko An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored. -An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. +An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the Windows Defender Security Center. Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. If you do not configure this policy setting, a default value of 4 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure. 
@@ -139,7 +108,7 @@ This setting helps administrators prevent the TPM hardware from entering a locko An authorization failure occurs each time a standard user sends a command to the TPM and receives an error response indicating an authorization failure occurred. Authorization failures older than the duration are ignored. -An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the TPM Management Console (tpm.msc). Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. +An administrator with the TPM owner password can fully reset the TPM's hardware lockout logic by using the Windows Defender Security Center. Each time an administrator resets the TPM's hardware lockout logic, all prior standard user TPM authorization failures are ignored. This allows standard users to immediately use the TPM normally. If you do not configure this policy setting, a default value of 9 is used. A value of zero means that the operating system will not allow standard users to send commands to the TPM, which might cause an authorization failure. 
@@ -157,6 +126,17 @@ Introduced in Windows 10, version 1703, this policy setting configures the TPM t > - Disable it from group policy > - Clear the TPM on the system +# TPM Group Policy settings in the Windows Security app + +You can change what users see about TPM in the Windows Security app. The Group Policy settings for the TPM area in the Windows Security app are located at: + +**Computer Configuration\\Administrative Templates\\Windows Components\\Windows Security\\Device security** + +## Disable the Clear TPM button +If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it with this Group Policy setting. Select **Enabled** to make the **Clear TPM** button unavailable for use. + +## Hide the TPM Firmware Update recommendation +If you don't want users to see the recommendation to update TPM firmware, you can disable it with this setting. Select **Enabled** to prevent users from seeing a recommendation to update their TPM firmware when a vulnerable firmware is detected. ## Related topics diff --git a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md index 90d82100a4..f66b65f12b 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md @@ -6,8 +6,9 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: brianlic-msft -ms.date: 07/27/2017 +author: andreabichsel +ms.author: v-anbic +ms.date: 09/11/2018 --- # Trusted Platform Module 
@@ -26,9 +27,6 @@ Trusted Platform Module (TPM) technology is designed to provide hardware-based, | [TPM fundamentals](tpm-fundamentals.md) | Provides background about how a TPM can work with cryptographic keys. Also describes technologies that work with the TPM, such as TPM-based virtual smart cards. | | [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) | Describes TPM services that can be controlled centrally by using Group Policy settings. | | [Back up the TPM recovery information to AD DS](backup-tpm-recovery-information-to-ad-ds.md) | For Windows 10, version 1511 and Windows 10, version 1507 only, describes how to back up a computer’s TPM information to Active Directory Domain Services. | -| [Manage TPM commands](manage-tpm-commands.md) | Describes methods by which a local or domain administrator can block or allow specific TPM commands. | -| [Manage TPM lockout](manage-tpm-lockout.md) | Describes how TPM lockout works (to help prevent tampering or malicious attacks), and outlines ways to work with TPM lockout settings. | -| [Change the TPM owner password](change-the-tpm-owner-password.md) | In most cases, applies to Windows 10, version 1511 and Windows 10, version 1507 only. Tells how to change the TPM owner password. | -| [View status, clear, or troubleshoot the TPM](initialize-and-configure-ownership-of-the-tpm.md) | Describes actions you can take through the TPM snap-in, TPM.msc: view TPM status, troubleshoot TPM initialization, and clear keys from the TPM. Also, for TPM 1.2 and Windows 10, version 1507 or 1511, describes how to turn the TPM on or off. | +| [Troubleshoot the TPM](initialize-and-configure-ownership-of-the-tpm.md) | Describes actions you can take through the TPM snap-in, TPM.msc: view TPM status, troubleshoot TPM initialization, and clear keys from the TPM. Also, for TPM 1.2 and Windows 10, version 1507 or 1511, describes how to turn the TPM on or off. 
| | [Understanding PCR banks on TPM 2.0 devices](switch-pcr-banks-on-tpm-2-0-devices.md) | Provides background about what happens when you switch PCR banks on TPM 2.0 devices. | | [TPM recommendations](tpm-recommendations.md) | Discusses aspects of TPMs such as the difference between TPM 1.2 and 2.0, and the Windows 10 features for which a TPM is required or recommended. | diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 7adccd0ac3..06be6ec2fb 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -8,7 +8,7 @@ ms.pagetype: security author: justinha ms.author: justinha ms.localizationpriority: medium -ms.date: 08/08/2018 +ms.date: 09/19/2018 --- # Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune @@ -32,11 +32,11 @@ Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Follow these steps to add a WIP policy using Intune. **To add a WIP policy** -1. Open Microsoft Intune and click **Mobile apps**. +1. Open Microsoft Intune and click **Client apps**. - ![Open Mobile apps](images/open-mobile-apps.png) + ![Open Client apps](images/open-mobile-apps.png) -2. In **Mobile apps**, click **App protection policies**. +2. In **Client apps**, click **App protection policies**. ![App protection policies](images/app-protection-policies.png) 
diff --git a/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png b/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png index ccc701332b..57c40a85d0 100644 Binary files a/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png and b/windows/security/information-protection/windows-information-protection/images/open-mobile-apps.png differ diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md index 7e687dd04c..fdc4981748 100644 --- a/windows/security/threat-protection/TOC.md +++ b/windows/security/threat-protection/TOC.md @@ -30,7 +30,7 @@ ##### Machines list ###### [View and organize the Machines list](windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md) -###### [Manage machine group and tags](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags) +###### [Manage machine group and tags](windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md) ###### [Alerts related to this machine](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine) ###### [Machine timeline](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) ####### [Search for specific events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events) 
@@ -138,7 +138,7 @@ ####### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md) -##### [Managed service provider provider support](windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md) +##### [Managed security service provider support](windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md) #### [Microsoft threat protection](windows-defender-atp/threat-protection-integration.md) ##### [Protect users, data, and devices with conditional access](windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md) @@ -175,6 +175,10 @@ ##### [Hardware-based isolation](windows-defender-application-guard/install-wd-app-guard.md) ###### [Confguration settings](windows-defender-application-guard/configure-wd-app-guard.md) ##### [Application control](windows-defender-application-control/windows-defender-application-control.md) +##### [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) +###### [Memory integrity](windows-defender-exploit-guard/memory-integrity.md) +####### [Hardware qualifications](windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) +####### [Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md) ##### [Exploit protection](windows-defender-exploit-guard/enable-exploit-protection.md) ###### [Customize exploit protection](windows-defender-exploit-guard/customize-exploit-protection.md) ###### [Import/export configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md) 
@@ -368,6 +372,7 @@
 #### [Malware names](intelligence/malware-naming.md)
 #### [Coin miners](intelligence/coinminer-malware.md)
 #### [Exploits and exploit kits](intelligence/exploits-malware.md)
+#### [Fileless threats](intelligence/fileless-threats.md)
 #### [Macro malware](intelligence/macro-malware.md)
 #### [Phishing](intelligence/phishing.md)
 #### [Ransomware](intelligence/ransomware-malware.md)
@@ -380,6 +385,7 @@
 ### [How Microsoft identifies malware and PUA](intelligence/criteria.md)
 ### [Submit files for analysis](intelligence/submission-guide.md)
 ### [Safety Scanner download](intelligence/safety-scanner-download.md)
+### [Industry antivirus tests](intelligence/top-scoring-industry-antivirus-tests.md)
 ### [Industry collaboration programs](intelligence/cybersecurity-industry-partners.md)
 #### [Virus information alliance](intelligence/virus-information-alliance-criteria.md)
 #### [Microsoft virus initiative](intelligence/virus-initiative-criteria.md)
diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
index 5fdb1739c0..f9a028c36e 100644
--- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md
index 00ef9a3f98..80aac0ab42 100644
--- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md
+++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing.md b/windows/security/threat-protection/auditing/advanced-security-auditing.md
index 8601d26ede..95b7643f60 100644
--- a/windows/security/threat-protection/auditing/advanced-security-auditing.md
+++ b/windows/security/threat-protection/auditing/advanced-security-auditing.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
index 7e40077bc3..454c14422b 100644
--- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
+++ b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
index e84f020843..8b1f8421eb 100644
--- a/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
+++ b/windows/security/threat-protection/auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 07/25/2018
 ---
diff --git a/windows/security/threat-protection/auditing/audit-account-lockout.md b/windows/security/threat-protection/auditing/audit-account-lockout.md
index 1e4cf0bc0a..9cb1d5053c 100644
--- a/windows/security/threat-protection/auditing/audit-account-lockout.md
+++ b/windows/security/threat-protection/auditing/audit-account-lockout.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 07/16/2018
 ---
diff --git a/windows/security/threat-protection/auditing/audit-application-generated.md b/windows/security/threat-protection/auditing/audit-application-generated.md
index dc4a17983a..ad98239120 100644
--- a/windows/security/threat-protection/auditing/audit-application-generated.md
+++ b/windows/security/threat-protection/auditing/audit-application-generated.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-application-group-management.md b/windows/security/threat-protection/auditing/audit-application-group-management.md
index 54a24aeabd..5840b881a2 100644
--- a/windows/security/threat-protection/auditing/audit-application-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-application-group-management.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-audit-policy-change.md b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
index 1adb598a89..a64e4c60e4 100644
--- a/windows/security/threat-protection/auditing/audit-audit-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-audit-policy-change.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
index e09948e6a9..9c4f4f01b9 100644
--- a/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-authentication-policy-change.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
index ec84ce1cdf..d2a34b5e82 100644
--- a/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-authorization-policy-change.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
index f06923aec9..ce97191388 100644
--- a/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
+++ b/windows/security/threat-protection/auditing/audit-central-access-policy-staging.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-certification-services.md b/windows/security/threat-protection/auditing/audit-certification-services.md
index db60342744..34094b45c4 100644
--- a/windows/security/threat-protection/auditing/audit-certification-services.md
+++ b/windows/security/threat-protection/auditing/audit-certification-services.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-computer-account-management.md b/windows/security/threat-protection/auditing/audit-computer-account-management.md
index 5b3570b704..9ba95826d4 100644
--- a/windows/security/threat-protection/auditing/audit-computer-account-management.md
+++ b/windows/security/threat-protection/auditing/audit-computer-account-management.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-credential-validation.md b/windows/security/threat-protection/auditing/audit-credential-validation.md
index 9f9d0cb8f4..1053fc3b3e 100644
--- a/windows/security/threat-protection/auditing/audit-credential-validation.md
+++ b/windows/security/threat-protection/auditing/audit-credential-validation.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
index 0f25203d5d..c20e709c3f 100644
--- a/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
+++ b/windows/security/threat-protection/auditing/audit-detailed-directory-service-replication.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-detailed-file-share.md b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
index 90ea83f0c5..512ffb1d82 100644
--- a/windows/security/threat-protection/auditing/audit-detailed-file-share.md
+++ b/windows/security/threat-protection/auditing/audit-detailed-file-share.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-access.md b/windows/security/threat-protection/auditing/audit-directory-service-access.md
index 76de4e61d1..af3f219142 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-access.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-access.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-changes.md b/windows/security/threat-protection/auditing/audit-directory-service-changes.md
index d7120d4c5c..30761993c8 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-changes.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-changes.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-directory-service-replication.md b/windows/security/threat-protection/auditing/audit-directory-service-replication.md
index 3271a1b5fb..41ced142b1 100644
--- a/windows/security/threat-protection/auditing/audit-directory-service-replication.md
+++ b/windows/security/threat-protection/auditing/audit-directory-service-replication.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-distribution-group-management.md b/windows/security/threat-protection/auditing/audit-distribution-group-management.md
index 1d9c77ad06..88a2692952 100644
--- a/windows/security/threat-protection/auditing/audit-distribution-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-distribution-group-management.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-dpapi-activity.md b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
index 4b03a1f4a7..8e927d07a5 100644
--- a/windows/security/threat-protection/auditing/audit-dpapi-activity.md
+++ b/windows/security/threat-protection/auditing/audit-dpapi-activity.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-file-share.md b/windows/security/threat-protection/auditing/audit-file-share.md
index 4501f8e8f7..6664fafb8d 100644
--- a/windows/security/threat-protection/auditing/audit-file-share.md
+++ b/windows/security/threat-protection/auditing/audit-file-share.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-file-system.md b/windows/security/threat-protection/auditing/audit-file-system.md
index 3195fd4e72..133f3f2532 100644
--- a/windows/security/threat-protection/auditing/audit-file-system.md
+++ b/windows/security/threat-protection/auditing/audit-file-system.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
index 9160d63777..d196239f6b 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-connection.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
index 15e570608f..0a55d6a91f 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-packet-drop.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
index cd4c887700..82e1e1f4d3 100644
--- a/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-filtering-platform-policy-change.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-group-membership.md b/windows/security/threat-protection/auditing/audit-group-membership.md
index 2c77196a27..c503247f64 100644
--- a/windows/security/threat-protection/auditing/audit-group-membership.md
+++ b/windows/security/threat-protection/auditing/audit-group-membership.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-handle-manipulation.md b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
index b0c1442c91..032486cabe 100644
--- a/windows/security/threat-protection/auditing/audit-handle-manipulation.md
+++ b/windows/security/threat-protection/auditing/audit-handle-manipulation.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-driver.md b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
index 1907464fec..4b1c430188 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-driver.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-driver.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
index 41835f6b58..9edf8ad528 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-extended-mode.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
index af0f1a911e..d0764daf4b 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-main-mode.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
index 3931177329..7adfcddd8c 100644
--- a/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
+++ b/windows/security/threat-protection/auditing/audit-ipsec-quick-mode.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
index c27b4bdf2d..fa45372c3e 100644
--- a/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
+++ b/windows/security/threat-protection/auditing/audit-kerberos-authentication-service.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
index f8827a3cf1..555286d0f5 100644
--- a/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
+++ b/windows/security/threat-protection/auditing/audit-kerberos-service-ticket-operations.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-kernel-object.md b/windows/security/threat-protection/auditing/audit-kernel-object.md
index d61d5386f0..e8bd06b601 100644
--- a/windows/security/threat-protection/auditing/audit-kernel-object.md
+++ b/windows/security/threat-protection/auditing/audit-kernel-object.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-logoff.md b/windows/security/threat-protection/auditing/audit-logoff.md
index 347351c797..521a5e8e0f 100644
--- a/windows/security/threat-protection/auditing/audit-logoff.md
+++ b/windows/security/threat-protection/auditing/audit-logoff.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 07/16/2018
 ---
diff --git a/windows/security/threat-protection/auditing/audit-logon.md b/windows/security/threat-protection/auditing/audit-logon.md
index e57df86b17..4b4cc2f5de 100644
--- a/windows/security/threat-protection/auditing/audit-logon.md
+++ b/windows/security/threat-protection/auditing/audit-logon.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
index 8d79ebdaaa..f3bb9e035a 100644
--- a/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
+++ b/windows/security/threat-protection/auditing/audit-mpssvc-rule-level-policy-change.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-network-policy-server.md b/windows/security/threat-protection/auditing/audit-network-policy-server.md
index 4cd445c0e1..31203993ba 100644
--- a/windows/security/threat-protection/auditing/audit-network-policy-server.md
+++ b/windows/security/threat-protection/auditing/audit-network-policy-server.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
index 29a2bf062c..9f0a2a2a2f 100644
--- a/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
+++ b/windows/security/threat-protection/auditing/audit-non-sensitive-privilege-use.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
index 212599c38d..8a13f5aac2 100644
--- a/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-account-logon-events.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-other-account-management-events.md b/windows/security/threat-protection/auditing/audit-other-account-management-events.md
index 0dada7cc0f..01d32dee4a 100644
--- a/windows/security/threat-protection/auditing/audit-other-account-management-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-account-management-events.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
index d1c84998ab..06c1cec1ea 100644
--- a/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-logonlogoff-events.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-other-object-access-events.md b/windows/security/threat-protection/auditing/audit-other-object-access-events.md
index a100b7f4f4..199192018a 100644
--- a/windows/security/threat-protection/auditing/audit-other-object-access-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-object-access-events.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 05/29/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
index 3e9078765c..08d287a0cb 100644
--- a/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-policy-change-events.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
index a494cdd7b4..45be00eab8 100644
--- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-other-system-events.md b/windows/security/threat-protection/auditing/audit-other-system-events.md
index a9e385b322..e70d6e2681 100644
--- a/windows/security/threat-protection/auditing/audit-other-system-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-system-events.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-pnp-activity.md b/windows/security/threat-protection/auditing/audit-pnp-activity.md
index 08dd852a74..51f7778df1 100644
--- a/windows/security/threat-protection/auditing/audit-pnp-activity.md
+++ b/windows/security/threat-protection/auditing/audit-pnp-activity.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-process-creation.md b/windows/security/threat-protection/auditing/audit-process-creation.md
index 65d9725fb1..39e53664c4 100644
--- a/windows/security/threat-protection/auditing/audit-process-creation.md
+++ b/windows/security/threat-protection/auditing/audit-process-creation.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-process-termination.md b/windows/security/threat-protection/auditing/audit-process-termination.md
index ff6e0c7eb7..d1a88331d5 100644
--- a/windows/security/threat-protection/auditing/audit-process-termination.md
+++ b/windows/security/threat-protection/auditing/audit-process-termination.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-registry.md b/windows/security/threat-protection/auditing/audit-registry.md
index 463a01e1f6..2acf898d3b 100644
--- a/windows/security/threat-protection/auditing/audit-registry.md
+++ b/windows/security/threat-protection/auditing/audit-registry.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-removable-storage.md b/windows/security/threat-protection/auditing/audit-removable-storage.md
index d4abe3507f..d47d436aa8 100644
--- a/windows/security/threat-protection/auditing/audit-removable-storage.md
+++ b/windows/security/threat-protection/auditing/audit-removable-storage.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-rpc-events.md b/windows/security/threat-protection/auditing/audit-rpc-events.md
index a091eac795..584b5fb9ff 100644
--- a/windows/security/threat-protection/auditing/audit-rpc-events.md
+++ b/windows/security/threat-protection/auditing/audit-rpc-events.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-sam.md b/windows/security/threat-protection/auditing/audit-sam.md
index dc8b55abd1..0c36ef5e56 100644
--- a/windows/security/threat-protection/auditing/audit-sam.md
+++ b/windows/security/threat-protection/auditing/audit-sam.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-security-group-management.md b/windows/security/threat-protection/auditing/audit-security-group-management.md
index 2e14934b51..7ce77ac37a 100644
--- a/windows/security/threat-protection/auditing/audit-security-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-security-group-management.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-security-state-change.md b/windows/security/threat-protection/auditing/audit-security-state-change.md
index 29afe92c74..127b34b44a 100644
--- a/windows/security/threat-protection/auditing/audit-security-state-change.md
+++ b/windows/security/threat-protection/auditing/audit-security-state-change.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-security-system-extension.md b/windows/security/threat-protection/auditing/audit-security-system-extension.md
index 695ee99db2..778abbd8c0 100644
--- a/windows/security/threat-protection/auditing/audit-security-system-extension.md
+++ b/windows/security/threat-protection/auditing/audit-security-system-extension.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
index d0572e5d91..f9b696cb08 100644
--- a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
+++ b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md
index 318d0c7c8d..bfd47e55e9 100644
--- a/windows/security/threat-protection/auditing/audit-special-logon.md
+++ b/windows/security/threat-protection/auditing/audit-special-logon.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md
index 27548edf0f..7690f62c37 100644
--- a/windows/security/threat-protection/auditing/audit-system-integrity.md
+++ b/windows/security/threat-protection/auditing/audit-system-integrity.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-user-account-management.md b/windows/security/threat-protection/auditing/audit-user-account-management.md
index 8c7ee885fc..3315c7f053 100644
--- a/windows/security/threat-protection/auditing/audit-user-account-management.md
+++ b/windows/security/threat-protection/auditing/audit-user-account-management.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md
index dbc39068f4..988736426a 100644
--- a/windows/security/threat-protection/auditing/audit-user-device-claims.md
+++ b/windows/security/threat-protection/auditing/audit-user-device-claims.md
@@ -6,7 +6,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
index 94c4b462f1..8b87a565cb 100644
--- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md
index e1ad77ba01..5ae03bbe81 100644
--- a/windows/security/threat-protection/auditing/basic-audit-account-management.md
+++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
index c0a52a4dc4..aea8e2c6a8 100644
--- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
+++ b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
index 9f3210eae2..5ac16f81ca 100644
--- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md
index 8492b5fb62..564f09756f 100644
--- a/windows/security/threat-protection/auditing/basic-audit-object-access.md
+++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md
index 9ff920eda5..d6fa0d9840 100644
--- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md
+++ b/windows/security/threat-protection/auditing/basic-audit-policy-change.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
index 74c74bd180..12b823cf4e 100644
--- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
+++ b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
index 1282c18871..ada9f8ba66 100644
--- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
+++ b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md
index 2cc15b14cb..1c30f0f216 100644
--- a/windows/security/threat-protection/auditing/basic-audit-system-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-system-events.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
index 31ba69f0e1..87389a5d60 100644
--- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
index 6f7578b433..814491f237 100644
--- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
index 6b329771a8..71a8cdfc2c 100644
--- a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
+++ b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
@@ -6,7 +6,7 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: brianlic-msft
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-1100.md b/windows/security/threat-protection/auditing/event-1100.md
index 13ae345c28..8ae8a12264 100644
--- a/windows/security/threat-protection/auditing/event-1100.md
+++ b/windows/security/threat-protection/auditing/event-1100.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-1102.md b/windows/security/threat-protection/auditing/event-1102.md
index 61d48236a0..cb164a63ca 100644
--- a/windows/security/threat-protection/auditing/event-1102.md
+++ b/windows/security/threat-protection/auditing/event-1102.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md
index d6928796bc..8108688794 100644
--- a/windows/security/threat-protection/auditing/event-1104.md
+++ b/windows/security/threat-protection/auditing/event-1104.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md
index 3fb741e93d..25c17fe2ee 100644
--- a/windows/security/threat-protection/auditing/event-1105.md
+++ b/windows/security/threat-protection/auditing/event-1105.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-1108.md b/windows/security/threat-protection/auditing/event-1108.md
index 53a761ddd3..d726c93ad0 100644
--- a/windows/security/threat-protection/auditing/event-1108.md
+++ b/windows/security/threat-protection/auditing/event-1108.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md
index 40e4b625b8..cff87d7dea 100644
--- a/windows/security/threat-protection/auditing/event-4608.md
+++ b/windows/security/threat-protection/auditing/event-4608.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4610.md b/windows/security/threat-protection/auditing/event-4610.md
index 97ce41dd27..f06b332a6c 100644
--- a/windows/security/threat-protection/auditing/event-4610.md
+++ b/windows/security/threat-protection/auditing/event-4610.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4611.md b/windows/security/threat-protection/auditing/event-4611.md
index 97cefc2edc..c306a73ee1 100644
--- a/windows/security/threat-protection/auditing/event-4611.md
+++ b/windows/security/threat-protection/auditing/event-4611.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md
index 1d0a8fc3ac..4a380aceb6 100644
--- a/windows/security/threat-protection/auditing/event-4612.md
+++ b/windows/security/threat-protection/auditing/event-4612.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4614.md b/windows/security/threat-protection/auditing/event-4614.md
index 83b5ae6f58..1c2d522fd4 100644
--- a/windows/security/threat-protection/auditing/event-4614.md
+++ b/windows/security/threat-protection/auditing/event-4614.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md
index 37c253f26f..2f460fcef2 100644
--- a/windows/security/threat-protection/auditing/event-4615.md
+++ b/windows/security/threat-protection/auditing/event-4615.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md
index 61bcb648f9..b05a075adc 100644
--- a/windows/security/threat-protection/auditing/event-4616.md
+++ b/windows/security/threat-protection/auditing/event-4616.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4618.md b/windows/security/threat-protection/auditing/event-4618.md
index 624692202b..6f99221add 100644
--- a/windows/security/threat-protection/auditing/event-4618.md
+++ b/windows/security/threat-protection/auditing/event-4618.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4621.md b/windows/security/threat-protection/auditing/event-4621.md
index b1e1638791..1c4966789f 100644
--- a/windows/security/threat-protection/auditing/event-4621.md
+++ b/windows/security/threat-protection/auditing/event-4621.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4622.md b/windows/security/threat-protection/auditing/event-4622.md
index b8b8d972af..9e406ae1b4 100644
--- a/windows/security/threat-protection/auditing/event-4622.md
+++ b/windows/security/threat-protection/auditing/event-4622.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md
index 8ee6f8a44b..88890d35a3 100644
--- a/windows/security/threat-protection/auditing/event-4624.md
+++ b/windows/security/threat-protection/auditing/event-4624.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md
index f06d559a05..2a67c5bece 100644
--- a/windows/security/threat-protection/auditing/event-4625.md
+++ b/windows/security/threat-protection/auditing/event-4625.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md
index 804c229ae3..00bdfbedbf 100644
--- a/windows/security/threat-protection/auditing/event-4626.md
+++ b/windows/security/threat-protection/auditing/event-4626.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md
index 86c34c7909..4ce1a85b44 100644
--- a/windows/security/threat-protection/auditing/event-4627.md
+++ b/windows/security/threat-protection/auditing/event-4627.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4634.md b/windows/security/threat-protection/auditing/event-4634.md
index 9f05521e12..364cc29898 100644
--- a/windows/security/threat-protection/auditing/event-4634.md
+++ b/windows/security/threat-protection/auditing/event-4634.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 11/20/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4647.md b/windows/security/threat-protection/auditing/event-4647.md
index f3f4af3202..ada815be96 100644
--- a/windows/security/threat-protection/auditing/event-4647.md
+++ b/windows/security/threat-protection/auditing/event-4647.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md
index 1614e05097..79190f5271 100644
--- a/windows/security/threat-protection/auditing/event-4648.md
+++ b/windows/security/threat-protection/auditing/event-4648.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4649.md b/windows/security/threat-protection/auditing/event-4649.md
index 3b378b7682..9214d1fc97 100644
--- a/windows/security/threat-protection/auditing/event-4649.md
+++ b/windows/security/threat-protection/auditing/event-4649.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4656.md b/windows/security/threat-protection/auditing/event-4656.md
index b009f0d8eb..8c72de4fc2 100644
--- a/windows/security/threat-protection/auditing/event-4656.md
+++ b/windows/security/threat-protection/auditing/event-4656.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4657.md b/windows/security/threat-protection/auditing/event-4657.md
index 06375a60e0..5ce80b0284 100644
--- a/windows/security/threat-protection/auditing/event-4657.md
+++ b/windows/security/threat-protection/auditing/event-4657.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4658.md b/windows/security/threat-protection/auditing/event-4658.md
index 5ceeb9a280..2002ff7b1d 100644
--- a/windows/security/threat-protection/auditing/event-4658.md
+++ b/windows/security/threat-protection/auditing/event-4658.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4660.md b/windows/security/threat-protection/auditing/event-4660.md
index 1d464049d7..02e32d0958 100644
--- a/windows/security/threat-protection/auditing/event-4660.md
+++ b/windows/security/threat-protection/auditing/event-4660.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4661.md b/windows/security/threat-protection/auditing/event-4661.md
index fab58ae85f..e9be1c1106 100644
--- a/windows/security/threat-protection/auditing/event-4661.md
+++ b/windows/security/threat-protection/auditing/event-4661.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4662.md b/windows/security/threat-protection/auditing/event-4662.md
index 945efabaa8..f784317663 100644
--- a/windows/security/threat-protection/auditing/event-4662.md
+++ b/windows/security/threat-protection/auditing/event-4662.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4663.md b/windows/security/threat-protection/auditing/event-4663.md
index 0896af005f..f3db0e1298 100644
--- a/windows/security/threat-protection/auditing/event-4663.md
+++ b/windows/security/threat-protection/auditing/event-4663.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4664.md b/windows/security/threat-protection/auditing/event-4664.md
index 23ee991c1a..22ec52f545 100644
--- a/windows/security/threat-protection/auditing/event-4664.md
+++ b/windows/security/threat-protection/auditing/event-4664.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md
index 496c9157ff..94bb9f707f 100644
--- a/windows/security/threat-protection/auditing/event-4670.md
+++ b/windows/security/threat-protection/auditing/event-4670.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4671.md b/windows/security/threat-protection/auditing/event-4671.md
index e8f42c6afa..eb364f29f6 100644
--- a/windows/security/threat-protection/auditing/event-4671.md
+++ b/windows/security/threat-protection/auditing/event-4671.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md
index 04962bc557..9a9d51814e 100644
--- a/windows/security/threat-protection/auditing/event-4672.md
+++ b/windows/security/threat-protection/auditing/event-4672.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md
index 8749baa01b..5080043717 100644
--- a/windows/security/threat-protection/auditing/event-4673.md
+++ b/windows/security/threat-protection/auditing/event-4673.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md
index 58934e4de7..113d7caac9 100644
--- a/windows/security/threat-protection/auditing/event-4674.md
+++ b/windows/security/threat-protection/auditing/event-4674.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4675.md b/windows/security/threat-protection/auditing/event-4675.md
index f5946c9298..fa71f35477 100644
--- a/windows/security/threat-protection/auditing/event-4675.md
+++ b/windows/security/threat-protection/auditing/event-4675.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md
index eef6cadbee..3739d330a3 100644
--- a/windows/security/threat-protection/auditing/event-4688.md
+++ b/windows/security/threat-protection/auditing/event-4688.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4689.md b/windows/security/threat-protection/auditing/event-4689.md
index dceac91e41..e5ad7cdede 100644
--- a/windows/security/threat-protection/auditing/event-4689.md
+++ b/windows/security/threat-protection/auditing/event-4689.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4690.md b/windows/security/threat-protection/auditing/event-4690.md
index 88b3db7b2f..416593f25d 100644
--- a/windows/security/threat-protection/auditing/event-4690.md
+++ b/windows/security/threat-protection/auditing/event-4690.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4691.md b/windows/security/threat-protection/auditing/event-4691.md
index 2ccb4ed0a9..b081552f9c 100644
--- a/windows/security/threat-protection/auditing/event-4691.md
+++ b/windows/security/threat-protection/auditing/event-4691.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4692.md b/windows/security/threat-protection/auditing/event-4692.md
index e1eaefb348..fa60a9afe7 100644
--- a/windows/security/threat-protection/auditing/event-4692.md
+++ b/windows/security/threat-protection/auditing/event-4692.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4693.md b/windows/security/threat-protection/auditing/event-4693.md
index e9f776d0ca..422a22d16d 100644
--- a/windows/security/threat-protection/auditing/event-4693.md
+++ b/windows/security/threat-protection/auditing/event-4693.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4694.md b/windows/security/threat-protection/auditing/event-4694.md
index b8b2d4fde7..43660656d1 100644
--- a/windows/security/threat-protection/auditing/event-4694.md
+++ b/windows/security/threat-protection/auditing/event-4694.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4695.md b/windows/security/threat-protection/auditing/event-4695.md
index 5bc050e752..5b94789f6e 100644
--- a/windows/security/threat-protection/auditing/event-4695.md
+++ b/windows/security/threat-protection/auditing/event-4695.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4696.md b/windows/security/threat-protection/auditing/event-4696.md
index 94e30520f0..4297ae500c 100644
--- a/windows/security/threat-protection/auditing/event-4696.md
+++ b/windows/security/threat-protection/auditing/event-4696.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4697.md b/windows/security/threat-protection/auditing/event-4697.md
index 608cf4412e..6ec3afd6b3 100644
--- a/windows/security/threat-protection/auditing/event-4697.md
+++ b/windows/security/threat-protection/auditing/event-4697.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md
index 0ea9a8bfcb..5a9d579d52 100644
--- a/windows/security/threat-protection/auditing/event-4698.md
+++ b/windows/security/threat-protection/auditing/event-4698.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4699.md b/windows/security/threat-protection/auditing/event-4699.md
index f4deaf1e26..36bbbe2e12 100644
--- a/windows/security/threat-protection/auditing/event-4699.md
+++ b/windows/security/threat-protection/auditing/event-4699.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4700.md b/windows/security/threat-protection/auditing/event-4700.md
index b6550f63e8..5488c0fe3f 100644
--- a/windows/security/threat-protection/auditing/event-4700.md
+++ b/windows/security/threat-protection/auditing/event-4700.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4701.md b/windows/security/threat-protection/auditing/event-4701.md
index 66c0fdbe24..e68e88564e 100644
--- a/windows/security/threat-protection/auditing/event-4701.md
+++ b/windows/security/threat-protection/auditing/event-4701.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4702.md b/windows/security/threat-protection/auditing/event-4702.md
index 9b344d520b..04b87445fc 100644
--- a/windows/security/threat-protection/auditing/event-4702.md
+++ b/windows/security/threat-protection/auditing/event-4702.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md
index 3a33b7fb1a..499adb7003 100644
--- a/windows/security/threat-protection/auditing/event-4703.md
+++ b/windows/security/threat-protection/auditing/event-4703.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md
index 2f3c13af0b..9498cad12e 100644
--- a/windows/security/threat-protection/auditing/event-4704.md
+++ b/windows/security/threat-protection/auditing/event-4704.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md
index 9411db16ba..b90233b9f4 100644
--- a/windows/security/threat-protection/auditing/event-4705.md
+++ b/windows/security/threat-protection/auditing/event-4705.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4706.md b/windows/security/threat-protection/auditing/event-4706.md
index b0d1108d01..d1521c73e2 100644
--- a/windows/security/threat-protection/auditing/event-4706.md
+++ b/windows/security/threat-protection/auditing/event-4706.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4707.md b/windows/security/threat-protection/auditing/event-4707.md
index 85c6887b71..15321679ec 100644
--- a/windows/security/threat-protection/auditing/event-4707.md
+++ b/windows/security/threat-protection/auditing/event-4707.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4713.md b/windows/security/threat-protection/auditing/event-4713.md
index f8c17d0d23..2cfa10bcc4 100644
--- a/windows/security/threat-protection/auditing/event-4713.md
+++ b/windows/security/threat-protection/auditing/event-4713.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4714.md b/windows/security/threat-protection/auditing/event-4714.md
index 45e1db3e65..bd99198a79 100644
--- a/windows/security/threat-protection/auditing/event-4714.md
+++ b/windows/security/threat-protection/auditing/event-4714.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md
index 31b4ed376d..3d53dbfc66 100644
--- a/windows/security/threat-protection/auditing/event-4715.md
+++ b/windows/security/threat-protection/auditing/event-4715.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md
index 6389cea265..e250d2d76b 100644
--- a/windows/security/threat-protection/auditing/event-4716.md
+++ b/windows/security/threat-protection/auditing/event-4716.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md
index 4921434446..fbe3204478 100644
--- a/windows/security/threat-protection/auditing/event-4717.md
+++ b/windows/security/threat-protection/auditing/event-4717.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md
index db47f55f93..3886b9e04f 100644
--- a/windows/security/threat-protection/auditing/event-4718.md
+++ b/windows/security/threat-protection/auditing/event-4718.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4719.md b/windows/security/threat-protection/auditing/event-4719.md
index d67898fd2e..9b2455527b 100644
--- a/windows/security/threat-protection/auditing/event-4719.md
+++ b/windows/security/threat-protection/auditing/event-4719.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md
index c182112703..535c3ad26a 100644
--- a/windows/security/threat-protection/auditing/event-4720.md
+++ b/windows/security/threat-protection/auditing/event-4720.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4722.md b/windows/security/threat-protection/auditing/event-4722.md
index 261f9cb975..759bb70c79 100644
--- a/windows/security/threat-protection/auditing/event-4722.md
+++ b/windows/security/threat-protection/auditing/event-4722.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4723.md b/windows/security/threat-protection/auditing/event-4723.md
index d0bea5eb68..94cad5dcb5 100644
--- a/windows/security/threat-protection/auditing/event-4723.md
+++ b/windows/security/threat-protection/auditing/event-4723.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4724.md b/windows/security/threat-protection/auditing/event-4724.md
index b3913f0cbe..159cf6c977 100644
--- a/windows/security/threat-protection/auditing/event-4724.md
+++ b/windows/security/threat-protection/auditing/event-4724.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4725.md b/windows/security/threat-protection/auditing/event-4725.md
index 72a9797d2d..666b390af6 100644
--- a/windows/security/threat-protection/auditing/event-4725.md
+++ b/windows/security/threat-protection/auditing/event-4725.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4726.md b/windows/security/threat-protection/auditing/event-4726.md
index b3dfd1467b..92453fda66 100644
--- a/windows/security/threat-protection/auditing/event-4726.md
+++ b/windows/security/threat-protection/auditing/event-4726.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4731.md b/windows/security/threat-protection/auditing/event-4731.md
index 9f840372e7..5fc169586c 100644
--- a/windows/security/threat-protection/auditing/event-4731.md
+++ b/windows/security/threat-protection/auditing/event-4731.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md
index b032541291..2be7574075 100644
--- a/windows/security/threat-protection/auditing/event-4732.md
+++ b/windows/security/threat-protection/auditing/event-4732.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md
index 5803a7a96d..940ddf7318 100644
--- a/windows/security/threat-protection/auditing/event-4733.md
+++ b/windows/security/threat-protection/auditing/event-4733.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4734.md b/windows/security/threat-protection/auditing/event-4734.md
index 336f98cd2d..ca4f21d730 100644
--- a/windows/security/threat-protection/auditing/event-4734.md
+++ b/windows/security/threat-protection/auditing/event-4734.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4735.md b/windows/security/threat-protection/auditing/event-4735.md
index ea6a0f906b..23c8e66bd6 100644
--- a/windows/security/threat-protection/auditing/event-4735.md
+++ b/windows/security/threat-protection/auditing/event-4735.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md
index 6a0c6f7fec..41316ce8c9 100644
--- a/windows/security/threat-protection/auditing/event-4738.md
+++ b/windows/security/threat-protection/auditing/event-4738.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4739.md b/windows/security/threat-protection/auditing/event-4739.md
index b4ce931ca3..af0fcac973 100644
--- a/windows/security/threat-protection/auditing/event-4739.md
+++ b/windows/security/threat-protection/auditing/event-4739.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4740.md b/windows/security/threat-protection/auditing/event-4740.md
index 766edfb035..5c05b0ef4a 100644
--- a/windows/security/threat-protection/auditing/event-4740.md
+++ b/windows/security/threat-protection/auditing/event-4740.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md
index 9fcabb2b06..e699566732 100644
--- a/windows/security/threat-protection/auditing/event-4741.md
+++ b/windows/security/threat-protection/auditing/event-4741.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md
index 81c06e259a..0ab317604e 100644
--- a/windows/security/threat-protection/auditing/event-4742.md
+++ b/windows/security/threat-protection/auditing/event-4742.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4743.md b/windows/security/threat-protection/auditing/event-4743.md
index a6a08ce668..1a1b7d54b9 100644
--- a/windows/security/threat-protection/auditing/event-4743.md
+++ b/windows/security/threat-protection/auditing/event-4743.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4749.md b/windows/security/threat-protection/auditing/event-4749.md
index adf348858e..246c690505 100644
--- a/windows/security/threat-protection/auditing/event-4749.md
+++ b/windows/security/threat-protection/auditing/event-4749.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4750.md b/windows/security/threat-protection/auditing/event-4750.md
index c6f9458b13..372e067fb1 100644
--- a/windows/security/threat-protection/auditing/event-4750.md
+++ b/windows/security/threat-protection/auditing/event-4750.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md
index a54bc67494..5aad3931e8 100644
--- a/windows/security/threat-protection/auditing/event-4751.md
+++ b/windows/security/threat-protection/auditing/event-4751.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md
index 67b6917c57..faa65c3205 100644
--- a/windows/security/threat-protection/auditing/event-4752.md
+++ b/windows/security/threat-protection/auditing/event-4752.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4753.md b/windows/security/threat-protection/auditing/event-4753.md
index 6f7ea445cc..c7df1c49c3 100644
--- a/windows/security/threat-protection/auditing/event-4753.md
+++ b/windows/security/threat-protection/auditing/event-4753.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4764.md b/windows/security/threat-protection/auditing/event-4764.md
index 914faaec85..7a531f94cb 100644
--- a/windows/security/threat-protection/auditing/event-4764.md
+++ b/windows/security/threat-protection/auditing/event-4764.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4765.md b/windows/security/threat-protection/auditing/event-4765.md
index 9930e1add7..6bcb624195 100644
--- a/windows/security/threat-protection/auditing/event-4765.md
+++ b/windows/security/threat-protection/auditing/event-4765.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4766.md b/windows/security/threat-protection/auditing/event-4766.md
index 03e5f98777..2e7b864ec7 100644
--- a/windows/security/threat-protection/auditing/event-4766.md
+++ b/windows/security/threat-protection/auditing/event-4766.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4767.md b/windows/security/threat-protection/auditing/event-4767.md
index e9c94bc2b7..567d9d197e 100644
--- a/windows/security/threat-protection/auditing/event-4767.md
+++ b/windows/security/threat-protection/auditing/event-4767.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md
index dfad68c114..eee391bee2 100644
--- a/windows/security/threat-protection/auditing/event-4768.md
+++ b/windows/security/threat-protection/auditing/event-4768.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md
index ddc3fc91bd..b7187f8d10 100644
--- a/windows/security/threat-protection/auditing/event-4769.md
+++ b/windows/security/threat-protection/auditing/event-4769.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4770.md b/windows/security/threat-protection/auditing/event-4770.md
index d1fbaec511..0dc1358a3d 100644
--- a/windows/security/threat-protection/auditing/event-4770.md
+++ b/windows/security/threat-protection/auditing/event-4770.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
index 34add04027..91db8f35ee 100644
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4772.md b/windows/security/threat-protection/auditing/event-4772.md
index 3bb2aa354c..cf2e1d5c17 100644
--- a/windows/security/threat-protection/auditing/event-4772.md
+++ b/windows/security/threat-protection/auditing/event-4772.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4773.md b/windows/security/threat-protection/auditing/event-4773.md
index 8a65a7df8a..ed5f9bb1a0 100644
--- a/windows/security/threat-protection/auditing/event-4773.md
+++ b/windows/security/threat-protection/auditing/event-4773.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4774.md b/windows/security/threat-protection/auditing/event-4774.md
index 65edca2761..e88f833a6c 100644
--- a/windows/security/threat-protection/auditing/event-4774.md
+++ b/windows/security/threat-protection/auditing/event-4774.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4775.md b/windows/security/threat-protection/auditing/event-4775.md
index 473697a68f..e257e4610f 100644
--- a/windows/security/threat-protection/auditing/event-4775.md
+++ b/windows/security/threat-protection/auditing/event-4775.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md
index ef04b9a13e..e748e1caf0 100644
--- a/windows/security/threat-protection/auditing/event-4776.md
+++ b/windows/security/threat-protection/auditing/event-4776.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4777.md b/windows/security/threat-protection/auditing/event-4777.md
index ec54750c71..ee412150ee 100644
--- a/windows/security/threat-protection/auditing/event-4777.md
+++ b/windows/security/threat-protection/auditing/event-4777.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md
index caa301af26..686af7ea86 100644
--- a/windows/security/threat-protection/auditing/event-4778.md
+++ b/windows/security/threat-protection/auditing/event-4778.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md
index 48da89946f..338bb36e87 100644
--- a/windows/security/threat-protection/auditing/event-4779.md
+++ b/windows/security/threat-protection/auditing/event-4779.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4780.md b/windows/security/threat-protection/auditing/event-4780.md
index 26d14f55d5..cd95a2f2a2 100644
--- a/windows/security/threat-protection/auditing/event-4780.md
+++ b/windows/security/threat-protection/auditing/event-4780.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4781.md b/windows/security/threat-protection/auditing/event-4781.md
index be9c51ab52..acf0ea8014 100644
--- a/windows/security/threat-protection/auditing/event-4781.md
+++ b/windows/security/threat-protection/auditing/event-4781.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4782.md b/windows/security/threat-protection/auditing/event-4782.md
index 195c2cf4df..b41a078e08 100644
--- a/windows/security/threat-protection/auditing/event-4782.md
+++ b/windows/security/threat-protection/auditing/event-4782.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4793.md b/windows/security/threat-protection/auditing/event-4793.md
index b0ac045f2f..d34b62517d 100644
--- a/windows/security/threat-protection/auditing/event-4793.md
+++ b/windows/security/threat-protection/auditing/event-4793.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4794.md b/windows/security/threat-protection/auditing/event-4794.md
index cd85dc1d77..d3bcd9301c 100644
--- a/windows/security/threat-protection/auditing/event-4794.md
+++ b/windows/security/threat-protection/auditing/event-4794.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4798.md b/windows/security/threat-protection/auditing/event-4798.md
index c432cb8c08..52a95c2b18 100644
--- a/windows/security/threat-protection/auditing/event-4798.md
+++ b/windows/security/threat-protection/auditing/event-4798.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4799.md b/windows/security/threat-protection/auditing/event-4799.md
index 1f126c2840..c8171085ac 100644
--- a/windows/security/threat-protection/auditing/event-4799.md
+++ b/windows/security/threat-protection/auditing/event-4799.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4800.md b/windows/security/threat-protection/auditing/event-4800.md
index 1d4ef520e5..48a8e41773 100644
--- a/windows/security/threat-protection/auditing/event-4800.md
+++ b/windows/security/threat-protection/auditing/event-4800.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4801.md b/windows/security/threat-protection/auditing/event-4801.md
index 7681ec1773..84364654bc 100644
--- a/windows/security/threat-protection/auditing/event-4801.md
+++ b/windows/security/threat-protection/auditing/event-4801.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4802.md b/windows/security/threat-protection/auditing/event-4802.md
index f984fd6753..c57dedf1a6 100644
--- a/windows/security/threat-protection/auditing/event-4802.md
+++ b/windows/security/threat-protection/auditing/event-4802.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4803.md b/windows/security/threat-protection/auditing/event-4803.md
index f857dd4f57..0d10438bc8 100644
--- a/windows/security/threat-protection/auditing/event-4803.md
+++ b/windows/security/threat-protection/auditing/event-4803.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4816.md b/windows/security/threat-protection/auditing/event-4816.md
index 1166587fae..fee398f114 100644
--- a/windows/security/threat-protection/auditing/event-4816.md
+++ b/windows/security/threat-protection/auditing/event-4816.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md
index ce42488f86..b77a5db3be 100644
--- a/windows/security/threat-protection/auditing/event-4817.md
+++ b/windows/security/threat-protection/auditing/event-4817.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4818.md b/windows/security/threat-protection/auditing/event-4818.md
index 147dee2f2b..f2443032d5 100644
--- a/windows/security/threat-protection/auditing/event-4818.md
+++ b/windows/security/threat-protection/auditing/event-4818.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4819.md b/windows/security/threat-protection/auditing/event-4819.md
index 6b7f2516b5..7c2bc71dc5 100644
--- a/windows/security/threat-protection/auditing/event-4819.md
+++ b/windows/security/threat-protection/auditing/event-4819.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4826.md b/windows/security/threat-protection/auditing/event-4826.md
index d3a1cf34e3..17448acec2 100644
--- a/windows/security/threat-protection/auditing/event-4826.md
+++ b/windows/security/threat-protection/auditing/event-4826.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md
index a4729e4103..0417800a87 100644
--- a/windows/security/threat-protection/auditing/event-4864.md
+++ b/windows/security/threat-protection/auditing/event-4864.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4865.md b/windows/security/threat-protection/auditing/event-4865.md
index 843d1542b6..a59b9b843d 100644
--- a/windows/security/threat-protection/auditing/event-4865.md
+++ b/windows/security/threat-protection/auditing/event-4865.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4866.md b/windows/security/threat-protection/auditing/event-4866.md
index bf32d2daa5..4f5095c9dc 100644
--- a/windows/security/threat-protection/auditing/event-4866.md
+++ b/windows/security/threat-protection/auditing/event-4866.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4867.md b/windows/security/threat-protection/auditing/event-4867.md
index cc0c449a75..c323c5ec14 100644
--- a/windows/security/threat-protection/auditing/event-4867.md
+++ b/windows/security/threat-protection/auditing/event-4867.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4902.md b/windows/security/threat-protection/auditing/event-4902.md
index 9a59309492..ad1d71cdae 100644
--- a/windows/security/threat-protection/auditing/event-4902.md
+++ b/windows/security/threat-protection/auditing/event-4902.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4904.md b/windows/security/threat-protection/auditing/event-4904.md
index c529ad4a45..c4c763c993 100644
--- a/windows/security/threat-protection/auditing/event-4904.md
+++ b/windows/security/threat-protection/auditing/event-4904.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4905.md b/windows/security/threat-protection/auditing/event-4905.md
index 5cdb7f8d3c..c9f8c95d64 100644
--- a/windows/security/threat-protection/auditing/event-4905.md
+++ b/windows/security/threat-protection/auditing/event-4905.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4906.md b/windows/security/threat-protection/auditing/event-4906.md
index 7ad2014e0c..656f80f36d 100644
--- a/windows/security/threat-protection/auditing/event-4906.md
+++ b/windows/security/threat-protection/auditing/event-4906.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md
index bd687db23f..cbf73343da 100644
--- a/windows/security/threat-protection/auditing/event-4907.md
+++ b/windows/security/threat-protection/auditing/event-4907.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4908.md b/windows/security/threat-protection/auditing/event-4908.md
index 91100cee21..416ce22b6e 100644
--- a/windows/security/threat-protection/auditing/event-4908.md
+++ b/windows/security/threat-protection/auditing/event-4908.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4909.md b/windows/security/threat-protection/auditing/event-4909.md
index 02c3e26b35..a5cac875fe 100644
--- a/windows/security/threat-protection/auditing/event-4909.md
+++ b/windows/security/threat-protection/auditing/event-4909.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4910.md b/windows/security/threat-protection/auditing/event-4910.md
index fcf06907b2..caae02d594 100644
--- a/windows/security/threat-protection/auditing/event-4910.md
+++ b/windows/security/threat-protection/auditing/event-4910.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md
index a613fe1a37..a21a9b132f 100644
--- a/windows/security/threat-protection/auditing/event-4911.md
+++ b/windows/security/threat-protection/auditing/event-4911.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4912.md b/windows/security/threat-protection/auditing/event-4912.md
index 87d587596b..8a78fdde05 100644
--- a/windows/security/threat-protection/auditing/event-4912.md
+++ b/windows/security/threat-protection/auditing/event-4912.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md
index 8c3d47db80..4388e3db87 100644
--- a/windows/security/threat-protection/auditing/event-4913.md
+++ b/windows/security/threat-protection/auditing/event-4913.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4928.md b/windows/security/threat-protection/auditing/event-4928.md
index 615d55926f..0c0ff2b9bc 100644
--- a/windows/security/threat-protection/auditing/event-4928.md
+++ b/windows/security/threat-protection/auditing/event-4928.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4929.md b/windows/security/threat-protection/auditing/event-4929.md
index f1e2e9044a..efbf9fb2d0 100644
--- a/windows/security/threat-protection/auditing/event-4929.md
+++ b/windows/security/threat-protection/auditing/event-4929.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4930.md b/windows/security/threat-protection/auditing/event-4930.md
index 7063936812..782d76ece8 100644
--- a/windows/security/threat-protection/auditing/event-4930.md
+++ b/windows/security/threat-protection/auditing/event-4930.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4931.md b/windows/security/threat-protection/auditing/event-4931.md
index ef59fb97f9..4525a536b0 100644
--- a/windows/security/threat-protection/auditing/event-4931.md
+++ b/windows/security/threat-protection/auditing/event-4931.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4932.md b/windows/security/threat-protection/auditing/event-4932.md
index 40f8fe939a..5481fec3bc 100644
--- a/windows/security/threat-protection/auditing/event-4932.md
+++ b/windows/security/threat-protection/auditing/event-4932.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4933.md b/windows/security/threat-protection/auditing/event-4933.md
index f1097f928f..a4ae0f6a9a 100644
--- a/windows/security/threat-protection/auditing/event-4933.md
+++ b/windows/security/threat-protection/auditing/event-4933.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4934.md b/windows/security/threat-protection/auditing/event-4934.md
index 7df893eab6..afc657cfe7 100644
--- a/windows/security/threat-protection/auditing/event-4934.md
+++ b/windows/security/threat-protection/auditing/event-4934.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4935.md b/windows/security/threat-protection/auditing/event-4935.md
index d29e4f36f5..a666ac4295 100644
--- a/windows/security/threat-protection/auditing/event-4935.md
+++ b/windows/security/threat-protection/auditing/event-4935.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4936.md b/windows/security/threat-protection/auditing/event-4936.md
index 92b3e6caf5..2541043735 100644
--- a/windows/security/threat-protection/auditing/event-4936.md
+++ b/windows/security/threat-protection/auditing/event-4936.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4937.md b/windows/security/threat-protection/auditing/event-4937.md
index 2b02731d51..62f13d85ab 100644
--- a/windows/security/threat-protection/auditing/event-4937.md
+++ b/windows/security/threat-protection/auditing/event-4937.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4944.md b/windows/security/threat-protection/auditing/event-4944.md
index b4169b5915..5b4960bfc9 100644
--- a/windows/security/threat-protection/auditing/event-4944.md
+++ b/windows/security/threat-protection/auditing/event-4944.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4945.md b/windows/security/threat-protection/auditing/event-4945.md
index c759afa1e6..eba8ccd671 100644
--- a/windows/security/threat-protection/auditing/event-4945.md
+++ b/windows/security/threat-protection/auditing/event-4945.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4946.md b/windows/security/threat-protection/auditing/event-4946.md
index 9c67d305e2..21b7061a9b 100644
--- a/windows/security/threat-protection/auditing/event-4946.md
+++ b/windows/security/threat-protection/auditing/event-4946.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4947.md b/windows/security/threat-protection/auditing/event-4947.md
index bb9a592ca3..3c43a64cd2 100644
--- a/windows/security/threat-protection/auditing/event-4947.md
+++ b/windows/security/threat-protection/auditing/event-4947.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4948.md b/windows/security/threat-protection/auditing/event-4948.md
index 2a8a1a7a9a..6ab7f16f7f 100644
--- a/windows/security/threat-protection/auditing/event-4948.md
+++ b/windows/security/threat-protection/auditing/event-4948.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4949.md b/windows/security/threat-protection/auditing/event-4949.md
index 0454afa9ca..af8020bcfa 100644
--- a/windows/security/threat-protection/auditing/event-4949.md
+++ b/windows/security/threat-protection/auditing/event-4949.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4950.md b/windows/security/threat-protection/auditing/event-4950.md
index fd666fc369..86b013392c 100644
--- a/windows/security/threat-protection/auditing/event-4950.md
+++ b/windows/security/threat-protection/auditing/event-4950.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4951.md b/windows/security/threat-protection/auditing/event-4951.md
index a83b9f12c9..d9e05e9505 100644
--- a/windows/security/threat-protection/auditing/event-4951.md
+++ b/windows/security/threat-protection/auditing/event-4951.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4952.md b/windows/security/threat-protection/auditing/event-4952.md
index dfa3de4c4f..32dc73cc6e 100644
--- a/windows/security/threat-protection/auditing/event-4952.md
+++ b/windows/security/threat-protection/auditing/event-4952.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4953.md b/windows/security/threat-protection/auditing/event-4953.md
index d74e0ac560..0835e66b51 100644
--- a/windows/security/threat-protection/auditing/event-4953.md
+++ b/windows/security/threat-protection/auditing/event-4953.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4954.md b/windows/security/threat-protection/auditing/event-4954.md
index 91e3c4833d..743878ab0f 100644
--- a/windows/security/threat-protection/auditing/event-4954.md
+++ b/windows/security/threat-protection/auditing/event-4954.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4956.md b/windows/security/threat-protection/auditing/event-4956.md
index 2c57e4c683..dbdb573ed5 100644
--- a/windows/security/threat-protection/auditing/event-4956.md
+++ b/windows/security/threat-protection/auditing/event-4956.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4957.md b/windows/security/threat-protection/auditing/event-4957.md
index 135f54ed60..d9684e4ba7 100644
--- a/windows/security/threat-protection/auditing/event-4957.md
+++ b/windows/security/threat-protection/auditing/event-4957.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4958.md b/windows/security/threat-protection/auditing/event-4958.md
index e04a7c576b..bb6d247e38 100644
--- a/windows/security/threat-protection/auditing/event-4958.md
+++ b/windows/security/threat-protection/auditing/event-4958.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4964.md b/windows/security/threat-protection/auditing/event-4964.md
index 64d80d5bd4..505c750a6f 100644
--- a/windows/security/threat-protection/auditing/event-4964.md
+++ b/windows/security/threat-protection/auditing/event-4964.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-4985.md b/windows/security/threat-protection/auditing/event-4985.md
index b5ae0e52fc..dafaf8db67 100644
--- a/windows/security/threat-protection/auditing/event-4985.md
+++ b/windows/security/threat-protection/auditing/event-4985.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5024.md b/windows/security/threat-protection/auditing/event-5024.md
index 41b9e70214..f1183ce7ac 100644
--- a/windows/security/threat-protection/auditing/event-5024.md
+++ b/windows/security/threat-protection/auditing/event-5024.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5025.md b/windows/security/threat-protection/auditing/event-5025.md
index 1fc4d75d56..43d42d9ad6 100644
--- a/windows/security/threat-protection/auditing/event-5025.md
+++ b/windows/security/threat-protection/auditing/event-5025.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5027.md b/windows/security/threat-protection/auditing/event-5027.md
index 369785a28c..7a02f1c187 100644
--- a/windows/security/threat-protection/auditing/event-5027.md
+++ b/windows/security/threat-protection/auditing/event-5027.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5028.md b/windows/security/threat-protection/auditing/event-5028.md
index 426fabfd91..51c3c3a7aa 100644
--- a/windows/security/threat-protection/auditing/event-5028.md
+++ b/windows/security/threat-protection/auditing/event-5028.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5029.md b/windows/security/threat-protection/auditing/event-5029.md
index b406c84f14..cee2e5f678 100644
--- a/windows/security/threat-protection/auditing/event-5029.md
+++ b/windows/security/threat-protection/auditing/event-5029.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5030.md b/windows/security/threat-protection/auditing/event-5030.md
index 48a65fb8f8..4f42988a8c 100644
--- a/windows/security/threat-protection/auditing/event-5030.md
+++ b/windows/security/threat-protection/auditing/event-5030.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5031.md b/windows/security/threat-protection/auditing/event-5031.md
index 583721a9fe..e45a0beb04 100644
--- a/windows/security/threat-protection/auditing/event-5031.md
+++ b/windows/security/threat-protection/auditing/event-5031.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5032.md b/windows/security/threat-protection/auditing/event-5032.md
index d15d9f16fa..0a95f4b688 100644
--- a/windows/security/threat-protection/auditing/event-5032.md
+++ b/windows/security/threat-protection/auditing/event-5032.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5033.md b/windows/security/threat-protection/auditing/event-5033.md
index 75109ef8f3..9c05c9b919 100644
--- a/windows/security/threat-protection/auditing/event-5033.md
+++ b/windows/security/threat-protection/auditing/event-5033.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5034.md b/windows/security/threat-protection/auditing/event-5034.md
index 0ccd247148..d45008ad7a 100644
--- a/windows/security/threat-protection/auditing/event-5034.md
+++ b/windows/security/threat-protection/auditing/event-5034.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5035.md b/windows/security/threat-protection/auditing/event-5035.md
index 175e4aadec..d7897db3b0 100644
--- a/windows/security/threat-protection/auditing/event-5035.md
+++ b/windows/security/threat-protection/auditing/event-5035.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5037.md b/windows/security/threat-protection/auditing/event-5037.md
index bf4911fb3e..6f2c76bbc8 100644
--- a/windows/security/threat-protection/auditing/event-5037.md
+++ b/windows/security/threat-protection/auditing/event-5037.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5038.md b/windows/security/threat-protection/auditing/event-5038.md
index 3e6b0fb302..1f420e0916 100644
--- a/windows/security/threat-protection/auditing/event-5038.md
+++ b/windows/security/threat-protection/auditing/event-5038.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5039.md b/windows/security/threat-protection/auditing/event-5039.md
index 7b1ba2e281..b32498cbac 100644
--- a/windows/security/threat-protection/auditing/event-5039.md
+++ b/windows/security/threat-protection/auditing/event-5039.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5051.md b/windows/security/threat-protection/auditing/event-5051.md
index 73f82089f2..b979c83969 100644
--- a/windows/security/threat-protection/auditing/event-5051.md
+++ b/windows/security/threat-protection/auditing/event-5051.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md
index be7ee92421..9f120f6027 100644
--- a/windows/security/threat-protection/auditing/event-5056.md
+++ b/windows/security/threat-protection/auditing/event-5056.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5057.md b/windows/security/threat-protection/auditing/event-5057.md
index 55f1edb854..475cfcfab7 100644
--- a/windows/security/threat-protection/auditing/event-5057.md
+++ b/windows/security/threat-protection/auditing/event-5057.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5058.md b/windows/security/threat-protection/auditing/event-5058.md
index c0b2c17fe8..3b1cb19b0a 100644
--- a/windows/security/threat-protection/auditing/event-5058.md
+++ b/windows/security/threat-protection/auditing/event-5058.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5059.md b/windows/security/threat-protection/auditing/event-5059.md
index cc890b0727..8d71b94dd4 100644
--- a/windows/security/threat-protection/auditing/event-5059.md
+++ b/windows/security/threat-protection/auditing/event-5059.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md
index be31414e13..097b25ad56 100644
--- a/windows/security/threat-protection/auditing/event-5060.md
+++ b/windows/security/threat-protection/auditing/event-5060.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5061.md b/windows/security/threat-protection/auditing/event-5061.md
index cbd18c4c2a..014ea71245 100644
--- a/windows/security/threat-protection/auditing/event-5061.md
+++ b/windows/security/threat-protection/auditing/event-5061.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5062.md b/windows/security/threat-protection/auditing/event-5062.md
index 67b9d5b4e3..7a8d60d333 100644
--- a/windows/security/threat-protection/auditing/event-5062.md
+++ b/windows/security/threat-protection/auditing/event-5062.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5063.md b/windows/security/threat-protection/auditing/event-5063.md
index b5a82e84e3..ba5fcc95d5 100644
--- a/windows/security/threat-protection/auditing/event-5063.md
+++ b/windows/security/threat-protection/auditing/event-5063.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5064.md b/windows/security/threat-protection/auditing/event-5064.md
index 5ee606581a..8fb4261204 100644
--- a/windows/security/threat-protection/auditing/event-5064.md
+++ b/windows/security/threat-protection/auditing/event-5064.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md
index ee4fae206d..57817b83de 100644
--- a/windows/security/threat-protection/auditing/event-5065.md
+++ b/windows/security/threat-protection/auditing/event-5065.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5066.md b/windows/security/threat-protection/auditing/event-5066.md
index c37391a6df..d32b399dc1 100644
--- a/windows/security/threat-protection/auditing/event-5066.md
+++ b/windows/security/threat-protection/auditing/event-5066.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5067.md b/windows/security/threat-protection/auditing/event-5067.md
index 4928e743c7..5232db2d68 100644
--- a/windows/security/threat-protection/auditing/event-5067.md
+++ b/windows/security/threat-protection/auditing/event-5067.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5068.md b/windows/security/threat-protection/auditing/event-5068.md
index 45904a6ef7..54c1aa3f5f 100644
--- a/windows/security/threat-protection/auditing/event-5068.md
+++ b/windows/security/threat-protection/auditing/event-5068.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5069.md b/windows/security/threat-protection/auditing/event-5069.md
index 6f40c2d61f..59b441d6a9 100644
--- a/windows/security/threat-protection/auditing/event-5069.md
+++ b/windows/security/threat-protection/auditing/event-5069.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5070.md b/windows/security/threat-protection/auditing/event-5070.md
index dde6756a49..2da4b27923 100644
--- a/windows/security/threat-protection/auditing/event-5070.md
+++ b/windows/security/threat-protection/auditing/event-5070.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md
index ac81516d45..653e8227b1 100644
--- a/windows/security/threat-protection/auditing/event-5136.md
+++ b/windows/security/threat-protection/auditing/event-5136.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5137.md b/windows/security/threat-protection/auditing/event-5137.md
index 68e3c16bf6..1b3f5cb556 100644
--- a/windows/security/threat-protection/auditing/event-5137.md
+++ b/windows/security/threat-protection/auditing/event-5137.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5138.md b/windows/security/threat-protection/auditing/event-5138.md
index 8f8025411c..13390e20d8 100644
--- a/windows/security/threat-protection/auditing/event-5138.md
+++ b/windows/security/threat-protection/auditing/event-5138.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5139.md b/windows/security/threat-protection/auditing/event-5139.md
index b949968635..fcf72e490a 100644
--- a/windows/security/threat-protection/auditing/event-5139.md
+++ b/windows/security/threat-protection/auditing/event-5139.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md
index aa0ea5013d..216fda1e69 100644
--- a/windows/security/threat-protection/auditing/event-5140.md
+++ b/windows/security/threat-protection/auditing/event-5140.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5141.md b/windows/security/threat-protection/auditing/event-5141.md
index d1a8d52a18..4fb9ff313d 100644
--- a/windows/security/threat-protection/auditing/event-5141.md
+++ b/windows/security/threat-protection/auditing/event-5141.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5142.md b/windows/security/threat-protection/auditing/event-5142.md
index e031fd9dbd..3a6937b68b 100644
--- a/windows/security/threat-protection/auditing/event-5142.md
+++ b/windows/security/threat-protection/auditing/event-5142.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md
index 999f6f9f93..10340b7e17 100644
--- a/windows/security/threat-protection/auditing/event-5143.md
+++ b/windows/security/threat-protection/auditing/event-5143.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5144.md b/windows/security/threat-protection/auditing/event-5144.md
index 905774bf44..65f92128dd 100644
--- a/windows/security/threat-protection/auditing/event-5144.md
+++ b/windows/security/threat-protection/auditing/event-5144.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md
index ec8421bf74..4b959c56eb 100644
--- a/windows/security/threat-protection/auditing/event-5145.md
+++ b/windows/security/threat-protection/auditing/event-5145.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5148.md b/windows/security/threat-protection/auditing/event-5148.md
index c4461e26a3..602cf56f41 100644
--- a/windows/security/threat-protection/auditing/event-5148.md
+++ b/windows/security/threat-protection/auditing/event-5148.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 05/29/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5149.md b/windows/security/threat-protection/auditing/event-5149.md
index 08039b5ca0..991095fcd1 100644
--- a/windows/security/threat-protection/auditing/event-5149.md
+++ b/windows/security/threat-protection/auditing/event-5149.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 05/29/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md
index 3afbcf26df..0ddcd6478e 100644
--- a/windows/security/threat-protection/auditing/event-5150.md
+++ b/windows/security/threat-protection/auditing/event-5150.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md
index 4864a283c9..57b29c41cf 100644
--- a/windows/security/threat-protection/auditing/event-5151.md
+++ b/windows/security/threat-protection/auditing/event-5151.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md
index 154a62f07a..ec9ffa6ee6 100644
--- a/windows/security/threat-protection/auditing/event-5152.md
+++ b/windows/security/threat-protection/auditing/event-5152.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5153.md b/windows/security/threat-protection/auditing/event-5153.md
index ffd21c1282..f2bb576647 100644
--- a/windows/security/threat-protection/auditing/event-5153.md
+++ b/windows/security/threat-protection/auditing/event-5153.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md
index 9dd278c6a8..11a6a76441 100644
--- a/windows/security/threat-protection/auditing/event-5154.md
+++ b/windows/security/threat-protection/auditing/event-5154.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md
index 8662e186f2..59ddc54716 100644
--- a/windows/security/threat-protection/auditing/event-5155.md
+++ b/windows/security/threat-protection/auditing/event-5155.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md
index bfeaa865c2..982fb26822 100644
--- a/windows/security/threat-protection/auditing/event-5156.md
+++ b/windows/security/threat-protection/auditing/event-5156.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md
index 6b91edfeb0..33b919c24b 100644
--- a/windows/security/threat-protection/auditing/event-5157.md
+++ b/windows/security/threat-protection/auditing/event-5157.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md
index d3d62462e1..9e5a7fbf6d 100644
--- a/windows/security/threat-protection/auditing/event-5158.md
+++ b/windows/security/threat-protection/auditing/event-5158.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md
index 3fdf553811..74fd606119 100644
--- a/windows/security/threat-protection/auditing/event-5159.md
+++ b/windows/security/threat-protection/auditing/event-5159.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5168.md b/windows/security/threat-protection/auditing/event-5168.md
index 46f401b3a0..c8eec57f75 100644
--- a/windows/security/threat-protection/auditing/event-5168.md
+++ b/windows/security/threat-protection/auditing/event-5168.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5376.md b/windows/security/threat-protection/auditing/event-5376.md
index 40919244b6..3714d2750a 100644
--- a/windows/security/threat-protection/auditing/event-5376.md
+++ b/windows/security/threat-protection/auditing/event-5376.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5377.md b/windows/security/threat-protection/auditing/event-5377.md
index c55060acff..585ca469c6 100644
--- a/windows/security/threat-protection/auditing/event-5377.md
+++ b/windows/security/threat-protection/auditing/event-5377.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5378.md b/windows/security/threat-protection/auditing/event-5378.md
index 47e308e4b7..df9199e9fa 100644
--- a/windows/security/threat-protection/auditing/event-5378.md
+++ b/windows/security/threat-protection/auditing/event-5378.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5447.md b/windows/security/threat-protection/auditing/event-5447.md
index d946f5bf63..1e72720f03 100644
--- a/windows/security/threat-protection/auditing/event-5447.md
+++ b/windows/security/threat-protection/auditing/event-5447.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5632.md b/windows/security/threat-protection/auditing/event-5632.md
index b84d151c2d..9ab4899bf0 100644
--- a/windows/security/threat-protection/auditing/event-5632.md
+++ b/windows/security/threat-protection/auditing/event-5632.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5633.md b/windows/security/threat-protection/auditing/event-5633.md
index 7984ff5428..6fcac6b719 100644
--- a/windows/security/threat-protection/auditing/event-5633.md
+++ b/windows/security/threat-protection/auditing/event-5633.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5712.md b/windows/security/threat-protection/auditing/event-5712.md
index 0588eb54be..be757a5bb8 100644
--- a/windows/security/threat-protection/auditing/event-5712.md
+++ b/windows/security/threat-protection/auditing/event-5712.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5888.md b/windows/security/threat-protection/auditing/event-5888.md
index 28a9434761..7b9765b982 100644
--- a/windows/security/threat-protection/auditing/event-5888.md
+++ b/windows/security/threat-protection/auditing/event-5888.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5889.md b/windows/security/threat-protection/auditing/event-5889.md
index 180114aff2..258e121a80 100644
--- a/windows/security/threat-protection/auditing/event-5889.md
+++ b/windows/security/threat-protection/auditing/event-5889.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-5890.md b/windows/security/threat-protection/auditing/event-5890.md
index c9dcc8b7e8..fbc98bd144 100644
--- a/windows/security/threat-protection/auditing/event-5890.md
+++ b/windows/security/threat-protection/auditing/event-5890.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6144.md b/windows/security/threat-protection/auditing/event-6144.md
index 6001c97965..85812bc35a 100644
--- a/windows/security/threat-protection/auditing/event-6144.md
+++ b/windows/security/threat-protection/auditing/event-6144.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6145.md b/windows/security/threat-protection/auditing/event-6145.md
index 0c7df89384..de7a63be42 100644
--- a/windows/security/threat-protection/auditing/event-6145.md
+++ b/windows/security/threat-protection/auditing/event-6145.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6281.md b/windows/security/threat-protection/auditing/event-6281.md
index 91740aeefb..837d239ea6 100644
--- a/windows/security/threat-protection/auditing/event-6281.md
+++ b/windows/security/threat-protection/auditing/event-6281.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md
index 8846fca660..bdf323461d 100644
--- a/windows/security/threat-protection/auditing/event-6400.md
+++ b/windows/security/threat-protection/auditing/event-6400.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md
index eb91491cd0..c8fc24b94d 100644
--- a/windows/security/threat-protection/auditing/event-6401.md
+++ b/windows/security/threat-protection/auditing/event-6401.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md
index 4a1a25539a..49d6839bdf 100644
--- a/windows/security/threat-protection/auditing/event-6402.md
+++ b/windows/security/threat-protection/auditing/event-6402.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md
index 28eef92c52..30b311e730 100644
--- a/windows/security/threat-protection/auditing/event-6403.md
+++ b/windows/security/threat-protection/auditing/event-6403.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md
index 2a7e910540..a988484860 100644
--- a/windows/security/threat-protection/auditing/event-6404.md
+++ b/windows/security/threat-protection/auditing/event-6404.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6405.md b/windows/security/threat-protection/auditing/event-6405.md
index 7fc3ad0806..57b7d78034 100644
--- a/windows/security/threat-protection/auditing/event-6405.md
+++ b/windows/security/threat-protection/auditing/event-6405.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6406.md b/windows/security/threat-protection/auditing/event-6406.md
index 8d55408ad9..dd74c47896 100644
--- a/windows/security/threat-protection/auditing/event-6406.md
+++ b/windows/security/threat-protection/auditing/event-6406.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6407.md b/windows/security/threat-protection/auditing/event-6407.md
index ba34e7a26e..c6f8e25a6c 100644
--- a/windows/security/threat-protection/auditing/event-6407.md
+++ b/windows/security/threat-protection/auditing/event-6407.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6408.md b/windows/security/threat-protection/auditing/event-6408.md
index 1f54ca83b1..0aacfce3f1 100644
--- a/windows/security/threat-protection/auditing/event-6408.md
+++ b/windows/security/threat-protection/auditing/event-6408.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md
index b5e0e99e03..6bbe69fb2d 100644
--- a/windows/security/threat-protection/auditing/event-6409.md
+++ b/windows/security/threat-protection/auditing/event-6409.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6410.md b/windows/security/threat-protection/auditing/event-6410.md
index f1c92358f7..f58b033971 100644
--- a/windows/security/threat-protection/auditing/event-6410.md
+++ b/windows/security/threat-protection/auditing/event-6410.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6416.md b/windows/security/threat-protection/auditing/event-6416.md
index 812286011b..d9667a2625 100644
--- a/windows/security/threat-protection/auditing/event-6416.md
+++ b/windows/security/threat-protection/auditing/event-6416.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6419.md b/windows/security/threat-protection/auditing/event-6419.md
index b2f31d721b..e9582509f3 100644
--- a/windows/security/threat-protection/auditing/event-6419.md
+++ b/windows/security/threat-protection/auditing/event-6419.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6420.md b/windows/security/threat-protection/auditing/event-6420.md
index da80a07bdc..970c382ab7 100644
--- a/windows/security/threat-protection/auditing/event-6420.md
+++ b/windows/security/threat-protection/auditing/event-6420.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6421.md b/windows/security/threat-protection/auditing/event-6421.md
index 0b09ff7dee..bddd6284b5 100644
--- a/windows/security/threat-protection/auditing/event-6421.md
+++ b/windows/security/threat-protection/auditing/event-6421.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6422.md b/windows/security/threat-protection/auditing/event-6422.md
index 42d91b1f65..38990177e5 100644
--- a/windows/security/threat-protection/auditing/event-6422.md
+++ b/windows/security/threat-protection/auditing/event-6422.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6423.md b/windows/security/threat-protection/auditing/event-6423.md
index e3eb81e79d..f48d8e7d1b 100644
--- a/windows/security/threat-protection/auditing/event-6423.md
+++ b/windows/security/threat-protection/auditing/event-6423.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/auditing/event-6424.md b/windows/security/threat-protection/auditing/event-6424.md
index a4ef6c15e8..d9f0466d51 100644
--- a/windows/security/threat-protection/auditing/event-6424.md
+++ b/windows/security/threat-protection/auditing/event-6424.md
@@ -5,7 +5,7 @@ ms.pagetype: security
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-ms.localizationpriority: medium
+ms.localizationpriority: none
 author: Mir0sh
 ms.date: 04/19/2017
 ---
diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
index 72a7d46264..b56a7a46b9 100644
--- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
@@ -1,15 +1,15 @@ --- -title: Device Guard is the combination of Windows Defender Application Control and Virtualization-based security (Windows 10) +title: Device Guard is the combination of Windows Defender Application Control and virtualization-based protection of code integrity (Windows 10) description: Device Guard consists of both hardware and software system integrity hardening capabilites that can be deployed separately or in combination. keywords: virtualization, security, malware ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: medium author: mdsakibMSFT -ms.date: 08/2/2018 +ms.date: 09/07/2018 --- -# Device Guard: Windows Defender Application Control and Virtualization-based security +# Device Guard: Windows Defender Application Control and virtualization-based protection of code integrity **Applies to** - Windows 10 diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index ba15937384..be736a9d69 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md 
@@ -1,18 +1,21 @@ --- title: Threat Protection (Windows 10) description: Learn how Windows Defender ATP helps protect against threats. +keywords: threat protection, windows defender advanced threat protection, attack surface reduction, next generation protection, endpoint detection and response, automated investigation and response, secure score, advanced hunting +search.product: eADQiWindows 10XVcnh ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.localizationpriority: high author: dansimp -ms.date: 09/03/2018 +ms.localizationpriority: medium +ms.date: 09/07/2018 --- # Threat Protection -Windows Defender Advanced Threat Protection (ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Windows Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture. +Windows Defender Advanced Threat Protection (Windows Defender ATP) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Windows Defender ATP protects endpoints from cyber threats; detects advanced attacks and data breaches, automates security incidents and improves security posture. +

        Windows Defender ATP

        @@ -35,7 +38,7 @@ Windows Defender Advanced Threat Protection (ATP) is a unified platform for prev -**Attack surface reduction**
        +**[Attack surface reduction](windows-defender-atp/overview-attack-surface-reduction.md)**
        The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations. - [Hardware based isolation](windows-defender-atp/overview-hardware-based-isolation.md) @@ -48,7 +51,7 @@ The attack surface reduction set of capabilities provide the first line of defen -**Next generation protection**
        +**[Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)**
        To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats. - [Windows Defender Antivirus](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) @@ -58,8 +61,7 @@ To further reinforce the security perimeter of your network, Windows Defender AT -**Endpoint protection and response**
        - +**[Endpoint protection and response](windows-defender-atp/overview-endpoint-detection-response.md)**
        Endpoint protection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. - [Alerts](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) @@ -71,7 +73,7 @@ Endpoint protection and response capabilities are put in place to detect, invest -**Automated investigation and remediation**
        +**[Automated investigation and remediation](windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md)**
        In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. - [Automated investigation and remediation](windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md) @@ -81,8 +83,7 @@ In conjunction with being able to quickly respond to advanced attacks, Windows D -**Secure score**
        - +**[Secure score](windows-defender-atp/overview-secure-score-windows-defender-advanced-threat-protection.md)**
        Windows Defender ATP includes a secure score to help you dynamically assess the security state of your enterprise network, identify unprotected systems, and take recommended actions to improve the overall security of your organization. - [Asset inventory](windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md) - [Recommended improvement actions](windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md) @@ -91,7 +92,7 @@ Windows Defender ATP includes a secure score to help you dynamically assess the -**Advanced hunting**
        +**[Advanced hunting](windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md)**
        Create custom threat intelligence and use a powerful search and query tool to hunt for possible threats in your organization. - [Custom detection](windows-defender-atp/overview-custom-detections.md) @@ -99,7 +100,7 @@ Create custom threat intelligence and use a powerful search and query tool to hu -**Management and APIs**
        +**[Management and APIs](windows-defender-atp/management-apis.md)**
        Integrate Windows Defender Advanced Threat Protection into your existing workflows. - [Onboarding](windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md) - [API and SIEM integration](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md) @@ -109,7 +110,7 @@ Integrate Windows Defender Advanced Threat Protection into your existing workflo -**Microsoft threat protection**
        +**[Microsoft threat protection](windows-defender-atp/threat-protection-integration.md)**
        Bring the power of Microsoft threat protection to your organization. - [Conditional access](windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md) - [O365 ATP](windows-defender-atp/threat-protection-integration.md) diff --git a/windows/security/threat-protection/intelligence/TOC.md b/windows/security/threat-protection/intelligence/TOC.md index cd09366bea..db9e975f40 100644 --- a/windows/security/threat-protection/intelligence/TOC.md +++ b/windows/security/threat-protection/intelligence/TOC.md @@ -10,6 +10,8 @@ ### [Exploits and exploit kits](exploits-malware.md) +### [Fileless threats](fileless-threats.md) + ### [Macro malware](macro-malware.md) ### [Phishing](phishing.md) diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md index 5c1f9d33d8..2f6a6ce43c 100644 --- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md +++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md 
@@ -32,4 +32,4 @@ Organizations participating in the CME effort work together to help eradicate se Any organization that is involved in cybersecurity and antimalware or interested in fighting cybercrime can participate in CME campaigns by enrolling in the [Virus Information Alliance (VIA) program](virus-information-alliance-criteria.md). It ensures that everyone agrees to use the information and tools available for campaigns for their intended purpose (that is, the eradication of malware). -Please apply using our [membership application form](https://www.microsoft.com/security/portal/partnerships/apply.aspx) to get started. \ No newline at end of file +If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join CME, [VIA](./virus-information-alliance-criteria.md), or [MVI](./virus-initiative-criteria.md). \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md new file mode 100644 index 0000000000..ec5da8fb32 --- /dev/null +++ b/windows/security/threat-protection/intelligence/fileless-threats.md 
@@ -0,0 +1,96 @@
+---
+title: Fileless threats
+description: Learn about fileless threats, its categories, and how it runs
+keywords: fileless, amsi, behavior monitoring, memory scanning, boot sector protection, security, malware, Windows Defender ATP, antivirus, AV
+ms.prod: w10
+ms.mktglfcycl: secure
+ms.sitesec: library
+ms.localizationpriority: medium
+ms.author: eravena
+author: eavena
+ms.date: 09/14/2018
+---
+
+#Fileless threats
+
+What exactly is a fileless threat? The term "fileless" suggests that a threat that does not come in a file, such as a backdoor that lives only in the memory of a machine. However, there's no generally accepted definition. The terms is used broadly; it's also used to describe malware families that do rely on files in order to operate.
+
+Given that attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) for functionalities like execution, persistence, information theft, lateral movement, communication with command-and-control, etc., some parts of the attack chain may be fileless, while others may involve the filesystem in some form or another.
+
+To shed light on this loaded term, we grouped fileless threats into different categories.
+
+![Comprehensive diagram of fileless malware](images/fileless-malware.png)
+*Figure 1. Comprehensive diagram of fileless malware*
+
+We can classify fileless threats by their entry point, which indicates how fileless malware can arrive on a machine: via an exploit; through compromised hardware; or via regular execution of applications and scripts.
+
+Next, we can list the form of entry point: for example, exploits can be based on files or network data; PCI peripherals are a type of hardware vector; and scripts and executables are sub-categories of the execution vector.
+
+Finally, we can classify the host of the infection: for example, a Flash application that may contain an exploit; a simple executable; a malicious firmware from a hardware device; or an infected MBR, which could bootstrap the execution of a malware before the operating system even loads.
+
+This helps us divide and categorize the various kinds of fileless threats. Clearly, the categories are not all the same: some are more dangerous but also more difficult to implement, while others are more commonly used despite (or precisely because of) not being very advanced.
+
+From this categorization, we can glean three big types of fileless threats based on how much fingerprint they may leave on infected machines.
+
+##Type I: No file activity performed
+
+A completely fileless malware can be considered one that never requires writing a file on the disk. How would such malware infect a machine in the first place? An example scenario could be a target machine receiving malicious network packets that exploit the EternalBlue vulnerability, leading to the installation of the DoublePulsar backdoor, which ends up residing only in the kernel memory. In this case, there is no file or any data written on a file.
+
+Another scenario could involve compromised devices, where malicious code could be hiding in device firmware (such as a BIOS), a USB peripheral (like the BadUSB attack), or even in the firmware of a network card. All these examples do not require a file on the disk in order to run and can theoretically live only in memory, surviving even reboots, disk reformats, and OS reinstalls.
+
+Infections of this type can be extra difficult to detect and remediate. Antivirus products usually don’t have the capability to access firmware for inspection; even if they did, it would be extremely challenging to detect and remediate threats at this level. Because this type of fileless malware requires high levels of sophistication and often depend on particular hardware or software configuration, it’s not an attack vector that can be exploited easily and reliably. For this reason, while extremely dangerous, threats of this type tend to be very uncommon and not practical for most attacks.
+
+##Type II: Indirect file activity
+
+There are other ways that malware can achieve fileless presence on a machine without requiring significant engineering effort. Fileless malware of this type don’t directly write files on the file system, but they can end up using files indirectly. This is the case for [Poshspy backdoor](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html). Attackers installed a malicious PowerShell command within the WMI repository and configured a WMI filter to run such command periodically.
+
+It’s possible to carry out such installation via command line without requiring the presence of the backdoor to be on a file in the first place. The malware can thus be installed and theoretically run without ever touching the file system. However, the WMI repository is stored on a physical file that is a central storage area managed by the CIM Object Manager and usually contains legitimate data. Therefore, while the infection chain does technically use a physical file, for practical purposes it’s considered a fileless attack given that the WMI repository is a multi-purpose data container that cannot be simply detected and removed.
+
+##Type III: Files required to operate
+
+Some malware can have some sort of fileless persistence but not without using files in order to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. This action means that opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe.
+
+![Image of Kovter's registry key](images/kovter-reg-key.png)
+*Figure 2. Kovter’s registry key*
+
+When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an auto-run key configured to open such file when the machine starts.
+
+Despite the use of files, and despite the fact that the registry too is stored in physical files, Kovter is considered a fileless threat because the file system is of no practical use: the files with random extension contain junk data that is not usable in verifying the presence of the threat, and the files that store the registry are containers that cannot be detected and deleted if malicious content is present.
+
+##Categorizing fileless threats by infection host
+
+Having described the broad categories, we can now dig into the details and provide a breakdown of the infection hosts. This comprehensive classification covers the panorama of what is usually referred to as fileless malware. It drives our efforts to research and develop new protection features that neutralize classes of attacks and ensure malware does not get the upper hand in the arms race.
+
+###Exploits
+
+**File-based** (Type III: executable, Flash, Java, documents): An initial file may exploit the operating system, the browser, the Java engine, the Flash engine, etc. in order to execute a shellcode and deliver a payload in memory. While the payload is fileless, the initial entry vector is a file.
+
+**Network-based** (Type I): A network communication that takes advantage of a vulnerability in the target machine can achieve code execution in the context of an application or the kernel. An example is WannaCry, which exploits a previously fixed vulnerability in the SMB protocol to deliver a backdoor within the kernel memory.
+
+###Hardware
+
+**Device-based** (Type I: network card, hard disk): Devices like hard disks and network cards require chipsets and dedicated software to function. A software residing and running in the chipset of a device is called a firmware. Although a complex task, the firmware can be infected by malware, as the [Equation espionage group has been caught doing](https://www.kaspersky.com/blog/equation-hdd-malware/7623/).
+
+**CPU-based** (Type I): Modern CPUs are extremely complex and may include subsystems running firmware for management purposes. Such firmware may be vulnerable to hijacking and allow the execution of malicious code that would hence operate from within the CPU. In December 2017, two researchers reported a vulnerability that can allow attackers to execute code inside the [Management Engine (ME)](https://en.wikipedia.org/wiki/Intel_Management_Engine) present in any modern CPU from Intel. Meanwhile, the attacker group PLATINUM has been observed to have the capability to use Intel's [Active Management Technology (AMT)](https://en.wikipedia.org/wiki/Intel_Active_Management_Technology) to perform [invisible network communications](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/) bypassing the installed operating system. ME and AMT are essentially autonomous micro-computers that live inside the CPU and that operate at a very low level. Because these technologies’ purpose is to provide remote manageability, they have direct access to hardware, are independent of the operating system, and can run even if the computer is turned off. Besides being vulnerable at the firmware level, CPUs could be manufactured with backdoors inserted directly in the hardware circuitry. This attack has been [researched and proved possible](https://www.emsec.rub.de/media/crypto/veroeffentlichungen/2015/03/19/beckerStealthyExtended.pdf) in the past. Just recently it has been reported that certain models of x86 processors contain a secondary embedded RISC-like CPU core that can [effectively provide a backdoor](https://www.theregister.co.uk/2018/08/10/via_c3_x86_processor_backdoor/) through which regular applications can gain privileged execution.
+
+**USB-based** (Type I): USB devices of all kinds can be reprogrammed with a malicious firmware capable of interacting with the operating system in nefarious ways. This is the case of the [BadUSB technique](https://arstechnica.com/information-technology/2014/07/this-thumbdrive-hacks-computers-badusb-exploit-makes-devices-turn-evil/), demonstrated few years ago, which allows a reprogrammed USB stick to act as a keyboard that sends commands to machines via keystrokes, or as a network card that can redirect traffic at will.
+
+**BIOS-based** (Type I): A BIOS is a firmware running inside a chipset. It executes when a machine is powered on, initializes the hardware, and then transfers control to the boot sector. It’s a very important component that operates at a very low level and executes before the boot sector. It’s possible to reprogram the BIOS firmware with malicious code, as has happened in the past with the [Mebromi rootkit](https://www.webroot.com/blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/).
+
+**Hypervisor-based** (Type I): Modern CPUs provide hardware hypervisor support, allowing the operating system to create robust virtual machines. A virtual machine runs in a confined, simulated environment, and is in theory unaware of the emulation. A malware taking over a machine may implement a small hypervisor in order to hide itself outside of the realm of the running operating system. Malware of this kind has been theorized in the past, and eventually real hypervisor rootkits [have been observed](http://seclists.org/fulldisclosure/2017/Jun/29), although very few are known to date.
+
+###Execution and injection
+
+**File-based** (Type III: executables, DLLs, LNK files, scheduled tasks): This is the standard execution vector. A simple executable can be launched as a first-stage malware to run an additional payload in memory or inject it into other legitimate running processes.
+
+**Macro-based** (Type III: Office documents): The [VBA language](https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office) is a flexible and powerful tool designed to automate editing tasks and add dynamic functionality to documents. As such, it can be abused by attackers to carry out malicious operations like decoding, running, or injecting an executable payload, or even implementing an entire ransomware, like in [the case of qkG](https://blog.trendmicro.com/trendlabs-security-intelligence/qkg-filecoder-self-replicating-document-encrypting-ransomware/). Macros are executed within the context of an Office process (e.g., Winword.exe), and they’re implemented in a scripting language, so there is no binary executable that an antivirus can inspect. While Office apps require explicit consent from the user to execute macros from a document, attackers use social engineering techniques to trick users into allowing macros to execute.
+
+**Script-based** (Type II: file, service, registry, WMI repo, shell): The JavaScript, VBScript, and PowerShell scripting languages are available by default on Windows platforms. Scripts have the same advantages as macros: they’re textual files (not binary executables) and they run within the context of the interpreter (e.g., wscript.exe, powershell.exe, etc.), which is a clean and legitimate component. Scripts are very versatile; they can be run from a file (e.g., by double-clicking them) or, in some cases, executed directly on the command line of an interpreter. Being able to run on the command line can allow malware to encode malicious command-line scripts as auto-start services inside [autorun registry keys](https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file) as [WMI event subscriptions](https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html) from the WMI repo. Furthermore, an attacker who has gained access to an infected machine may input the script on the command prompt.
+
+**Disk-based** (Type II: Boot Record): The [Boot Record](https://en.wikipedia.org/wiki/Boot_sector) is the first sector of a disk or volume and contains executable code required to start the boot process of the operating system. Threats like [Petya](https://cloudblogs.microsoft.com/microsoftsecure/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/?source=mmpc) are capable of infecting the Boot Record by overwriting it with malicious code, so that when the machine is booted the malware immediately gains control (and in the case of Petya, with disastrous consequences). The Boot Record resides outside the file system, but it’s accessible by the operating system, and modern antivirus products have the capability to scan and restore it.
+
+##Defeating fileless malware
+
+At Microsoft, we actively monitor the security landscape to identify new threat trends and develop solutions that continuously enhance Windows security and mitigate classes of threats. We instrument durable protections that are effective against a wide range of threats. Through AntiMalware Scan Interface (AMSI), behavior monitoring, memory scanning, and boot sector protection, Windows Defender Advanced Threat Protection [(Windows Defender ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-fileless) can inspect fileless threats even with heavy obfuscation. Machine learning technologies in the cloud allow us to scale these protections against new and emerging threats.
+
+To learn more, read: [Out of sight but not invisible: Defeating fileless malware with behavior monitoring, AMSI, and next-gen AV](https://cloudblogs.microsoft.com/microsoftsecure/2018/09/27/out-of-sight-but-not-invisible-defeating-fileless-malware-with-behavior-monitoring-amsi-and-next-gen-av/)
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/images/fileless-malware.png b/windows/security/threat-protection/intelligence/images/fileless-malware.png
new file mode 100644
index 0000000000..2aa502e144
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/fileless-malware.png differ
diff --git a/windows/security/threat-protection/intelligence/images/kovter-reg-key.png b/windows/security/threat-protection/intelligence/images/kovter-reg-key.png
new file mode 100644
index 0000000000..456f0956fa
Binary files /dev/null and b/windows/security/threat-protection/intelligence/images/kovter-reg-key.png differ
diff --git a/windows/security/threat-protection/intelligence/safety-scanner-download.md b/windows/security/threat-protection/intelligence/safety-scanner-download.md
index 46d99ff069..907f9c9a3a 100644
--- a/windows/security/threat-protection/intelligence/safety-scanner-download.md
+++ b/windows/security/threat-protection/intelligence/safety-scanner-download.md
@@ -5,7 +5,7 @@ keywords: security, malware
 ms.prod: w10
 ms.mktglfcycl: secure
 ms.sitesec: library
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.author: dansimp
 author: dansimp
 ms.date: 08/01/2018
diff --git a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md index 0b05818396..e984e5abab 100644 --- a/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md +++ b/windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md @@ -1,6 +1,6 @@ --- title: Top scoring in industry antivirus tests -description: Industry antivirus tests landing page +description: Windows Defender Antivirus consistently achieves high scores in independent tests. View the latest scores and analysis. keywords: security, malware, av-comparatives, av-test, av, antivirus ms.prod: w10 ms.mktglfcycl: secure 
@@ -8,16 +8,16 @@ ms.sitesec: library ms.localizationpriority: medium ms.author: ellevin author: levinec -ms.date: 08/17/2018 +ms.date: 09/05/2018 --- # Top scoring in industry antivirus tests -[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-docs-avreports) **consistently achieves high scores** from independent tests, displaying how it is a top choice in the antivirus market. +[Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10?ocid=cx-docs-avreports) **consistently achieves high scores** in independent tests, displaying how it is a top choice in the antivirus market. We want to be transparent and have gathered top industry reports that demonstrate our enterprise antivirus capabilities. Note that these tests only provide results for antivirus and do not test for additional security protections. -In the real world, millions of devices are protected from cyberattacks every day, sometimes [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). In many cases, customers might not even know they were protected. 
That's because Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) [next generation protection](https://www.youtube.com/watch?v=Xy3MOxkX_o4) detects and stops malware at first sight by using predictive technologies, [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies. +In the real world, millions of devices are protected from cyberattacks every day, sometimes [milliseconds after a campaign starts](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign?ocid=cx-docs-avreports). Windows Defender AV is part of the [next generation](https://www.youtube.com/watch?v=Xy3MOxkX_o4) Windows Defender Advanced Threat Protection ([Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports)) security stack which addresses the latest and most sophisticated threats today. In many cases, customers might not even know they were protected. That's because Windows Defender AV detects and stops malware at first sight by using [machine learning](https://cloudblogs.microsoft.com/microsoftsecure/2018/06/07/machine-learning-vs-social-engineering?ocid=cx-docs-avreports), [artificial intelligence](https://cloudblogs.microsoft.com/microsoftsecure/2018/02/14/how-artificial-intelligence-stopped-an-emotet-outbreak?ocid=cx-docs-avreports), behavioral analysis, and other advanced technologies. 
> [!TIP] > Learn why [Windows Defender Antivirus is the most deployed in the enterprise](https://cloudblogs.microsoft.com/microsoftsecure/2018/03/22/why-windows-defender-antivirus-is-the-most-deployed-in-the-enterprise?ocid=cx-docs-avreports). 
@@ -27,24 +27,20 @@ In the real world, millions of devices are protected from cyberattacks every day ## AV-TEST: Perfect protection score of 6.0/6.0 in the latest test -**[Analysis of the latest AV-TEST results](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports)** -The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the protection category which has two scores: real world testing and the AV-TEST reference set (known as "prevalent malware"). +The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware"). -**Real-World testing** as defined by AV-TEST attempts to test protection against zero-day malware attacks, inclusive of web and email threats. +### May-June 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports) **Latest** -**Prevalent malware** as defined by AV-TEST attempts to test detection of widespread and prevalent malware discovered in the last four weeks. + Windows Defender AV achieved an overall Protection score of 6.0/6.0, detecting 100% of 5,790 malware samples. With the latest results, Windows Defender AV has achieved 100% on 10 of the 12 most recent antivirus tests (combined "Real-World" and "Prevalent malware"). -The below scores are the results of AV-TEST's evaluations on **Windows Defender Antivirus**. 
+### March-April 2018 AV-TEST Business User test: [Protection score 5.5/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2018/microsoft-windows-defender-antivirus-4.12-181574/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) -|Month (2018)|Real-World test score| Prevalent malware test score | AV-TEST report| Microsoft analysis| -|---|---|---|---|---| -|January| 100.00%| 99.92%| [Report (Jan-Feb)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2018/microsoft-windows-defender-antivirus-4.12-180674/)| [Analysis (Jan-Feb)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-docs-avreports)| -|February| 100.00% | 100.00%|[Report (Jan-Feb)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2018/microsoft-windows-defender-antivirus-4.12-180674/)| [Analysis (Jan-Feb)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-docs-avreports)| -March |98.00%| 100.00%|[Report (Mar-Apr)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2018/microsoft-windows-defender-antivirus-4.12-181574/)|[Analysis (Mar-Apr)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports)| -April|100.00%| 100.00%|[Report (Mar-Apr)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/april-2018/microsoft-windows-defender-antivirus-4.12-181574/)|[Analysis (Mar-Apr)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports)| -May|100.00%| 100.00%| [Report (May-Jun)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/) |[Analysis (May-Jun)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports) **Latest**| -June|100.00%| 100.00%| [Report 
(May-Jun)](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/june-2018/microsoft-windows-defender-antivirus-4.12-182374/)|[Analysis (May-Jun)](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2v60I?ocid=cx-docs-avreports) **Latest**| + Windows Defender AV achieved an overall Protection score of 5.5/6.0, missing 2 out of 5,680 malware samples (0.035% miss rate). + +### January-February 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/february-2018/microsoft-windows-defender-antivirus-4.12-180674/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE27O5A?ocid=cx-docs-avreports) + +Windows Defender AV achieved an overall Protection score of 6.0/6.0, with 5,105 malware samples tested. ||| |---|---| 
@@ -57,33 +53,26 @@ June|100.00%| 100.00%| [Report (May-Jun)](https://www.av-test.org/en/antivirus/b AV-Comparatives is an independent organization offering systematic testing for security software such as PC/Mac-based antivirus products and mobile security solutions. -The **Real-World Protection Test (Enterprise)** as defined by AV-Comparatives attempts to evaluate the “real-world” protection capabilities with default settings. The goal is to find out whether the security software protects the computer by either hindering the malware from changing any systems or remediating all changes if any were made. +### Real-World Protection Test July (Consumer): [Protection Rate 100%](https://www.av-comparatives.org/tests/real-world-protection-test-july-2018-factsheet/) **Latest** -The **Malware Protection Test Enterprise** as defined by AV-Comparatives attempts to assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution. It is only tested every six months. +The results are based on testing against 186 malicious URLs that have working exploits or point directly to malware. -The below scores are the results of AV-Comparatives tests on **Windows Defender Antivirus**. The scores represent the percentage of blocked malware. +### Real-World Protection Test March - June (Enterprise): [Protection Rate 98.7%](https://www.av-comparatives.org/tests/real-world-protection-test-enterprise-march-june-2018-testresult/) -|Month (2018)| Real-World test score| Malware test score (every 6 months)| -|---|---|---| -|February| 100.00%| N/A| -|March| 94.40%| 99.90%| -|April| 96.40%| N/A| -|May| 100.00%| N/A| -|June| 99.50%| N/A| -|July| 100.00%| N/A| +This test, as defined by AV-Comparatives, attempts to assess the effectiveness of each security program to protect a computer against active malware threats while online. 
-* [Real-World Protection Test (Enterprise) February - June 2018](https://www.av-comparatives.org/tests/real-world-protection-test-february-june-2018/) +### Malware Protection Test March 2018 (Enterprise): [Protection Rate 99.9%](https://www.av-comparatives.org/tests/malware-protection-test-enterprise-march-2018-testresult/) -* [Malware Protection Test Enterprise March 2018](https://www.av-comparatives.org/tests/malware-protection-test-enterprise-march-2018-testresult/) +This test, as defined by AV-Comparatives, attempts to assesses a security program’s ability to protect a system against infection by malicious files before, during or after execution. -* [Real-World Protection Test (Enterprise) July 2018](https://www.av-comparatives.org/tests/real-world-protection-test-july-2018-factsheet/) **Latest** +[Historical AV-Comparatives Microsoft tests](https://www.av-comparatives.org/vendors/microsoft/) ## To what extent are tests representative of protection in the real world? -It is important to remember that Microsoft sees a wider and broader set of threats beyond just what’s tested in the AV evaluations highlighted above. The capabilities within [Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports) also provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into AV tests. Using these tests, customer can view one aspect of their security suite but can't assess the complete protection of all the security features. +It is important to remember that Microsoft sees a wider and broader set of threats beyond what’s tested in the antivirus evaluations highlighted above. Windows Defender AV encounters ~200 million samples every month, and the typical antivirus test consists of between 100-5,000 samples. 
The vastness of the malware landscape makes it extremely difficult to evaluate the quality of protection against real world threats. -There are other technologies in nearly every endpoint security suite not represented in AV tests that address some of the latest and most sophisticated threats. For example, the capabilities such as attack surface reduction and endpoint detection & response help prevent malware from getting onto devices in the first place. +The capabilities within [Windows Defender ATP](https://www.microsoft.com/WindowsForBusiness/windows-atp?ocid=cx-docs-avreports) also provide [additional layers of protection](https://cloudblogs.microsoft.com/microsoftsecure/2017/12/11/detonating-a-bad-rabbit-windows-defender-antivirus-and-layered-machine-learning-defenses?ocid=cx-docs-avreports) that are not factored into industry tests. These technologies address some of the latest and most sophisticated threats. Isolating AV from the rest of Windows Defender ATP creates a partial picture of how our security stack operates in the real world. For example, attack surface reduction and endpoint detection & response capabilities can help prevent malware from getting onto devices in the first place. We have proven that Windows Defender ATP components [catch samples that Windows Defender AV missed](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2ouJA?ocid=cx-docs-avreports) in these industry tests, which is more representative of how effectively our security suite protects customers in the real world. -Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. 
In the meantime, customers can evaluate Windows Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Windows Defender ATP](https://www.microsoft.com/windowsforbusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports). +Using independent tests, customers can view one aspect of their security suite but can't assess the complete protection of all the security features. Microsoft is highly engaged in working with several independent testers to evolve security testing to focus on the end-to-end security stack. In the meantime, customers can evaluate Windows Defender Advanced Threat Protection in their own networks by signing up for a [90-day trial of Windows Defender ATP](https://www.microsoft.com/windowsforbusiness/windows-atp?ocid=cx-docs-avreports), or [enabling Preview features on existing tenants](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection?ocid=cx-docs-avreports). ![ATP](./images/wdatp-pillars2.png) diff --git a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md index d08b16e029..10e99ef924 100644 --- a/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md +++ b/windows/security/threat-protection/intelligence/virus-information-alliance-criteria.md 
@@ -46,6 +46,4 @@ To be eligible for VIA your organization must:
 3. Be willing to sign and adhere to the VIA membership agreement.
-If your organization wants to apply and meets this criteria, you can apply using our [membership application form](https://www.microsoft.com/security/portal/partnerships/apply.aspx).
-
-If you have any questions, you can also contact us using our [partnerships contact form](https://www.microsoft.com/security/portal/partnerships/contactus.aspx).
\ No newline at end of file
+If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join VIA, [MVI](./virus-initiative-criteria.md), or [CME](./coordinated-malware-eradication.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
index 6edc83eaba..26f3bbce30 100644
--- a/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
+++ b/windows/security/threat-protection/intelligence/virus-initiative-criteria.md
@@ -54,4 +54,4 @@ Your organization must meet the following eligibility requirements to participat
 ### Apply to MVI
-If your organization wants to apply and meets this criteria, you can apply using our [membership application form](https://www.microsoft.com/security/portal/partnerships/apply.aspx).
\ No newline at end of file
+If your organization meets these criteria and would like to apply for membership, contact us at [mvi@microsoft.com](mailto:mvi@microsoft.com). Please indicate whether you would like to join MVI, [VIA](./virus-information-alliance-criteria.md), or [CME](./coordinated-malware-eradication.md).
\ No newline at end of file
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
index eec6a03a0a..fa9637e81f 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: brianlic-msft
-ms.date: 04/19/2017
+ms.date: 09/18/2018
 ---
 # Interactive logon: Machine inactivity limit
@@ -26,7 +26,7 @@ Beginning with Windows Server 2012 and Windows 8, Windows detects user-input ina
 The automatic lock of the device is set in elapsed seconds of inactivity, which can range from zero (0) to 599,940 seconds (166.65 hours).
-If no value (blank) or zero (0) is present in the **Machine will be locked after** input field, then the policy setting is disabled and no action is taken on user-input inactivity for the session.
+If **Machine will be locked after** is set to zero (0) or has no value (blank), the policy setting is disabled and a user sign-in session is never locked after any inactivity.
 ### Best practices
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
index d8dab27bda..403f7249a8 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: medium
 author: brianlic-msft
-ms.date: 04/19/2017
+ms.date: 08/27/2018
 ---
 # Interactive logon: Number of previous logons to cache (in case domain controller is not available)
@@ -42,7 +42,7 @@ encrypting the information and keeping the cached credentials in the system's re
 ### Best practices
-It is advisable to set **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** to 0. Setting this value to 0 disables the local caching of logon information. Additional countermeasures include enforcing strong password policies and physically securing the computers. If the value is set to 0, users will be unable to log on to any computers if there is no domain controller available to authenticate them. Organizations might want to set **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** to 2 for end-user systems, especially for mobile users. Setting this value to 2 means that the user's logon information will still be in the cache even if a member of the IT department has recently logged on to their device to perform system maintenance. This way, those users will be able to log on to their devices when they are not connected to the corporate network.
+The [Windows security baselines](https://docs.microsoft.com/windows/security/threat-protection/windows-security-baselines) do not recommend configuring this setting.
 ### Location
@@ -57,7 +57,7 @@ The following table lists the actual and effective default values for this polic
 | Default Domain Policy| Not defined|
 | Default Domain Controller Policy | Not defined|
 | Stand-Alone Server Default Settings | 10 logons|
-| DC Effective Default Settings | 10 logons|
+| DC Effective Default Settings | No effect|
 | Member Server Effective Default Settings | 10 logons|
 | Client Computer Effective Default Settings| 10 logons|
  
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index 6b9f166e9f..1ad7ec6aeb 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -8,7 +8,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 ms.localizationpriority: medium
 author: justinha
-ms.date: 07/27/2017
+ms.date: 09/17/2018
 ---
 # Network access: Restrict clients allowed to make remote calls to SAM
@@ -130,7 +130,7 @@ Compare the security context attempting to remotely enumerate accounts with the
 ### Event Throttling
 A busy server can flood event logs with events related to the remote enumeration access check. To prevent this, access-denied events are logged once every 15 minutes by default. The length of this period is controlled by the following registry value.
-|Registry Path|System\CurrentControlSet\Control\Lsa\
+|Registry Path|HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\ |
 |---|---|
 Setting |RestrictRemoteSamEventThrottlingWindow|
 Data Type |DWORD|
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
index 673fc41138..59c2b970da 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md
@@ -11,7 +11,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 09/03/2018
+ms.date: 10/02/2018
 ---
@@ -55,6 +55,10 @@ Scan removable drives during full scans only | Scan > Scan removable drives | Di
 Specify the level of subfolders within an archive folder to scan | Scan > Specify the maximum depth to scan archive files | 0 | Not available
 Specify the maximum CPU load (as a percentage) during a scan. Note: This is not a hard limit but rather a guidance for the scanning engine to not exceed this maximum on average. | Scan > Specify the maximum percentage of CPU utilization during a scan | 50 | `-ScanAvgCPULoadFactor`
 Specify the maximum size (in kilobytes) of archive files that should be scanned. The default, **0**, applies no limit | Scan > Specify the maximum size of archive files to be scanned | No limit | Not available
+ Configure low CPU priority for scheduled scans | Scan > Configure low CPU priority for scheduled scans | Disabled | Not available
+
+>[!NOTE]
+>By default, quick scans run on mounted removable devices, such as USB drives.
 **Use PowerShell to configure scanning options**
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
index 728e03873e..eccace7a35 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md
@@ -96,7 +96,7 @@ For a list of Windows Defender Antivirus device restrictions in Intune, see [Dev
 If you had to change any of the settings, you should re-deploy the Group Policy Object across your network to ensure all endpoints are covered.
-### Confirm block at first sight is enabled with the Windows Defender Security Center app
+### Confirm block at first sight is enabled with the Windows Security app
 You can confirm that block at first sight is enabled in Windows Settings.
@@ -104,11 +104,11 @@ Block at first sight is automatically enabled as long as **Cloud-based protectio
 **Confirm Block at First Sight is enabled on individual clients**
-1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar.
+1. Open the Windows Security app by clicking the shield icon in the task bar.
 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Virus & threat protection settings**:
- ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png)
+ ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png)
 3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
index 4c95157a94..886f66d077 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md
@@ -53,9 +53,9 @@ To exclude files opened by a specific process, see [Configure and validate exclu
 The exclusions apply to [scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md), [on-demand scans](run-scan-windows-defender-antivirus.md), and [real-time protection](configure-real-time-protection-windows-defender-antivirus.md).
 >[!IMPORTANT]
->Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
 >
->Changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
+>Changes made in the Windows Security app **will not show** in the Group Policy lists.
 By default, local changes made to the lists (by users with administrator privileges, including changes made with PowerShell and WMI) will be merged with the lists as defined (and deployed) by Group Policy, Configuration Manager, or Intune. The Group Policy lists will take precedence in case of conflicts.
@@ -157,9 +157,9 @@ See the following for more information and allowed parameters:
-**Use the Windows Defender Security Center app to configure file name, folder, or file extension exclusions:**
+**Use the Windows Security app to configure file name, folder, or file extension exclusions:**
-See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
+See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
 ## Use wildcards in the file name and folder path or extension exclusion lists
@@ -264,12 +264,12 @@ The following table describes how the wildcards can be used and provides some ex
 ## Review the list of exclusions
-You can retrieve the items in the exclusion list with [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), PowerShell, or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+You can retrieve the items in the exclusion list with [Intune](https://docs.microsoft.com/en-us/intune/deploy-use/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune), [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), PowerShell, or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
 >[!IMPORTANT]
->Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+>Exclusion list changes made with Group Policy **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
 >
->Changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
+>Changes made in the Windows Security app **will not show** in the Group Policy lists.
 If you use PowerShell, you can retrieve the list in two ways:
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
index 013ef4ec60..f35bf7b9bc 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus.md
@@ -28,7 +28,7 @@ For example, it may be necessary to allow certain user groups (such as security
 The default setting for these policies is **Disabled**.
-If they are set to **Enabled**, users on endpoints can make changes to the associated setting with the [Windows Defender Security Center](windows-defender-security-center-antivirus.md) app, local Group Policy settings, and PowerShell cmdlets (where appropriate).
+If they are set to **Enabled**, users on endpoints can make changes to the associated setting with the [Windows Security](windows-defender-security-center-antivirus.md) app, local Group Policy settings, and PowerShell cmdlets (where appropriate).
 The following table lists each of the override policy setting and the configuration instructions for the associated feature or setting.
@@ -66,7 +66,7 @@ Scan | Configure local setting override for the scan type to use for a scheduled
 You can also configure how locally defined lists are combined or merged with globally defined lists. This setting applies to [exclusion lists](configure-exclusions-windows-defender-antivirus.md) and [specified remediation lists](configure-remediation-windows-defender-antivirus.md).
-By default, lists that have been configured in local group policy and the Windows Defender Security Center app are merged with lists that are defined by the appropriate Group Policy Object that you have deployed on your network. Where there are conflicts, the globally-defined list takes precedence.
+By default, lists that have been configured in local group policy and the Windows Security app are merged with lists that are defined by the appropriate Group Policy Object that you have deployed on your network. Where there are conflicts, the globally-defined list takes precedence.
 You can disable this setting to ensure that only globally-defined lists (such as those from any deployed GPOs) are used.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
index 69728c47d8..c7d6f246c3 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
@@ -40,7 +40,7 @@ The Windows Defender Antivirus cloud service provides fast, strong protection fo
 >[!NOTE]
 >The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud, rather it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates.
-See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) for details on enabling the service with Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Defender Security Center app.
+See [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md) for details on enabling the service with Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app.
 After you've enabled the service, you may need to configure your network or firewall to allow connections between it and your endpoints.
@@ -176,20 +176,20 @@ A similar message occurs if you are using Internet Explorer:
 ![Windows Defender Antivirus notification informing the user that malware was found](images/defender/wdav-bafs-ie.png)
-You will also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Defender Security Center app:
+You will also see a detection under **Quarantined threats** in the **Scan history** section in the Windows Security app:
-1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label:
- ![Screenshot of the Scan history label in the Windows Defender Security Center app](images/defender/wdav-history-wdsc.png)
+ ![Screenshot of the Scan history label in the Windows Security app](images/defender/wdav-history-wdsc.png)
 3. Under the **Quarantined threats** section, click the **See full history** label to see the detected fake malware:
- ![Screenshot of quarantined items in the Windows Defender Security Center app](images/defender/wdav-quarantined-history-wdsc.png)
+ ![Screenshot of quarantined items in the Windows Security app](images/defender/wdav-quarantined-history-wdsc.png)
 >[!NOTE]
->Versions of Windows 10 before version 1703 have a different user interface. See [Windows Defender Antivirus in the Windows Defender Security Center](windows-defender-security-center-antivirus.md) for more information about the differences between versions, and instructions on how to perform common tasks in the different interfaces.
+>Versions of Windows 10 before version 1703 have a different user interface.
See [Windows Defender Antivirus in the Windows Security app](windows-defender-security-center-antivirus.md) for more information about the differences between versions, and instructions on how to perform common tasks in the different interfaces.
 The Windows event log will also show [Windows Defender client event ID 2050](troubleshoot-windows-defender-antivirus.md).
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
index 6985bdef52..10132268ce 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
@@ -28,7 +28,7 @@ You can also configure how standard notifications appear on endpoints, such as n
 ## Configure the additional notifications that appear on endpoints
-You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md) and with Group Policy.
+You can configure the display of additional notifications, such as recent threat detection summaries, in the [Windows Security app](windows-defender-security-center-antivirus.md) and with Group Policy.
 > [!NOTE]
 > In Windows 10, version 1607 the feature was called **Enhanced notifications** and could be configured under **Windows Settings** > **Update & security** > **Windows Defender**. In Group Policy settings in all versions of Windows 10, it is called **Enhanced notifications**.
@@ -36,13 +36,13 @@ You can configure the display of additional notifications, such as recent threat
 > [!IMPORTANT]
 > Disabling additional notifications will not disable critical notifications, such as threat detection and remediation alerts.
-**Use the Windows Defender Security Center app to disable additional notifications:**
+**Use the Windows Security app to disable additional notifications:**
-1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**.
+1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**.
 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label:
- ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](images/defender/wdav-protection-settings-wdsc.png)
+ ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png)
 3. Scroll to the **Notifications** section and click **Change notification settings**.
@@ -73,7 +73,7 @@ Hiding notifications can be useful in situations where you can't hide the entire
 > [!NOTE]
 > Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection).
-See [Customize the Windows Defender Security Center app for your organization](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines.
+See [Customize the Windows Security app for your organization](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines.
 **Use Group Policy to hide notifications:**
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
index 57a4d03e85..e3b8813972 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md
@@ -36,9 +36,9 @@ When you add a process to the process exclusion list, Windows Defender Antivirus
 The exclusions only apply to [always-on real-time protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md). They don't apply to scheduled or on-demand scans.
-Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Defender Security Center app **will not show** in the Group Policy lists.
+Changes made with Group Policy to the exclusion lists **will show** in the lists in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions). However, changes made in the Windows Security app **will not show** in the Group Policy lists.
-You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Defender Security Center app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists.
+You can add, remove, and review the lists for exclusions in [Group Policy](#gp), [System Center Configuration Manager, Microsoft Intune, and with the Windows Security app](#man-tools), and you can [use wildcards](#wildcards) to further customize the lists.
 You can also [use PowerShell cmdlets and WMI to configure the exclusion lists](#ps), including [reviewing](#review) your lists.
@@ -123,9 +123,9 @@ See the following for more information and allowed parameters:
-**Use the Windows Defender Security Center app to exclude files that have been opened by specified processes from scans:**
+**Use the Windows Security app to exclude files that have been opened by specified processes from scans:**
-See [Add exclusions in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
+See [Add exclusions in the Windows Security app](windows-defender-security-center-antivirus.md#exclusions) for instructions.
@@ -147,7 +147,7 @@ Environment variables | The defined variable will be populated as a path when th
 ## Review the list of exclusions
-You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure), or the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+You can retrieve the items in the exclusion list with PowerShell, [System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/endpoint-antimalware-policies#exclusion-settings), [Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure), or the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
 If you use PowerShell, you can retrieve the list in two ways:
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
index 968c4850cb..e2008c7eee 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md
@@ -22,7 +22,7 @@ ms.date: 09/03/2018
 Windows Defender Antivirus on Windows Server 2016 computers automatically enrolls you in certain exclusions, as defined by your specified server role. See [the end of this topic](#list-of-automatic-exclusions) for a list of these exclusions.
-These exclusions will not appear in the standard exclusion lists shown in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md#exclusions).
+These exclusions will not appear in the standard exclusion lists shown in the [Windows Security app](windows-defender-security-center-antivirus.md#exclusions).
 You can still add or remove custom exclusions (in addition to the server role-defined automatic exclusions) as described in these exclusion-related topics:
diff --git a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
index 4487dc5453..fd8a577fc1 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
@@ -30,5 +30,5 @@ Topic | Description [Configure Windows Defender Antivirus scanning options](configure-advanced-scan-types-windows-defender-antivirus.md) | You can configure Windows Defender Antivirus to include certain types of email storage files, back-up or reparse points, and archived files (such as .zip files) in scans. You can also enable network file scanning [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md) | Configure what Windows Defender Antivirus should do when it detects a threat, and how long quarantined files should be retained in the quarantine folder [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md) | Set up recurring (scheduled) scans, including when they should run and whether they run as full or quick scans -[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app -[Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app +[Configure and run scans](run-scan-windows-defender-antivirus.md) | Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app +[Review scan results](review-scan-results-windows-defender-antivirus.md) | Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Security app diff --git a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md index 692b68e71c..32898e862b 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 10/02/2018 --- # Detect and block potentially unwanted applications @@ -49,7 +49,7 @@ The file is placed in the quarantine section so it won't run. When a PUA is detected on an endpoint, the endpoint will present a notification to the user ([unless notifications have been disabled](configure-notifications-windows-defender-antivirus.md)) in the same format as normal threat detections (prefaced with "PUA:"). -They will also appear in the usual [quarantine list in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#detection-history). +They will also appear in the usual [quarantine list in the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). ## View PUA events 
@@ -61,17 +61,17 @@ See [Troubleshoot event IDs](troubleshoot-windows-defender-antivirus.md) for det ## Configure PUA protection -You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, or PowerShell cmdlets. +You can enable PUA protection with Microsoft Intune, System Center Configuration Manager, Group Policy, or PowerShell cmdlets. You can also use the PUA audit mode to detect PUA without blocking them. The detections will be captured in the Windows event log. This feature is useful if your company is conducting an internal software security compliance check and you'd like to avoid any false positives. -**Use Intune to configure the PUA protection feature** +**Use Intune to configure PUA protection** See [Configure device restriction settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-configure) and [Windows Defender Antivirus device restriction settings for Windows 10 in Intune](https://docs.microsoft.com/en-us/intune/device-restrictions-windows-10#windows-defender-antivirus) for more details. -**Use Configuration Manager to configure the PUA protection feature:** +**Use Configuration Manager to configure PUA protection:** PUA protection is enabled by default in System Center Configuration Manager (current branch), including version 1606 and later. 
@@ -82,7 +82,21 @@ For Configuration Manager 2012, see [How to Deploy Potentially Unwanted Applicat > [!NOTE] > PUA events are reported in the Windows Event Viewer and not in System Center Configuration Manager. -**Use PowerShell cmdlets to configure the PUA protection feature:** +**Use Group Policy to configure PUA protection:** + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components > Windows Defender Antivirus**. + +4. Double-click **Configure protection for potentially unwanted applications**. + +5. Click **Enabled** to enable PUA protection. + +6. In **Options**, select **Block** to block potentially unwanted applications, or select **Audit Mode** to test how the setting will work in your environment. Click **OK**. + +**Use PowerShell cmdlets to configure PUA protection:** Use the following cmdlet: diff --git a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md index 67c5b7bdfa..f3392dab0d 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md 
@@ -23,7 +23,7 @@ ms.date: 09/03/2018 >[!NOTE] >The Windows Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional signature updates. -You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Defender Security Center app. +You can enable or disable Windows Defender Antivirus cloud-delivered protection with Microsoft Intune, System Center Configuration Manager, Group Policy, PowerShell cmdlets, or on individual clients in the Windows Security app. See [Use Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) for an overview of Windows Defender Antivirus cloud-delivered protection. 
@@ -104,16 +104,16 @@ SubmitSamplesConsent See the following for more information and allowed parameters: - [Windows Defender WMIv2 APIs](https://msdn.microsoft.com/en-us/library/dn439477(v=vs.85).aspx) -**Enable cloud-delivered protection on individual clients with the Windows Defender Security Center app** +**Enable cloud-delivered protection on individual clients with the Windows Security app** > [!NOTE] > If the **Configure local setting override for reporting Microsoft MAPS** Group Policy setting is set to **Disabled**, then the **Cloud-based protection** setting in Windows Settings will be greyed-out and unavailable. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Virus & threat protection settings** label: - ![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center app](images/defender/wdav-protection-settings-wdsc.png) + ![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) 3. Confirm that **Cloud-based Protection** and **Automatic sample submission** are switched to **On**. diff --git a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md index d35db44c87..942585308e 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md @@ -34,11 +34,11 @@ By default, Windows Defender Antivirus will enable itself on a Windows 10 device If Windows Defender Antivirus is enabled, the usual options will appear to configure it on that device: -![Windows Defender Security Center app showing Windows Defender AV options, including scan options, settings, and update options](images/vtp-wdav.png) +![Windows Security app showing Windows Defender AV options, including scan options, settings, and update options](images/vtp-wdav.png) -If another antivirus product is installed and working correctly, Windows Defender Antivirus will disable itself. The Windows Defender Security Center app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options: +If another antivirus product is installed and working correctly, Windows Defender Antivirus will disable itself. The Windows Security app will change the **Virus & threat protection** section to show status about the AV product, and provide a link to the product's configuration options: -![Windows Defender Security Center app showing ContosoAV as the installed and running antivirus provider. There is a single link to open ContosoAV settings.](images/vtp-3ps.png) +![Windows Security app showing ContosoAV as the installed and running antivirus provider. There is a single link to open ContosoAV settings.](images/vtp-3ps.png) Underneath any 3rd party AV products, a new link will appear as **Windows Defender Antivirus options**. Clicking this link will expand to show the toggle that enables limited periodic scanning. 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
index 73d8882279..eeb27d5a8f 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/prevent-end-user-interaction-windows-defender-antivirus.md
@@ -1,6 +1,6 @@
 ---
 title: Hide the Windows Defender Antivirus interface
-description: You can hide virus and threat protection tile in the Windows Defender Security Center app.
+description: You can hide virus and threat protection tile in the Windows Security app.
 keywords: ui lockdown, headless mode, hide app, hide settings, hide interface
 search.product: eADQiWindows 10XVcnh
 ms.pagetype: security
@@ -24,15 +24,15 @@ You can use Group Policy to prevent users on endpoints from seeing the Windows D ## Hide the Windows Defender Antivirus interface -In Windows 10, versions 1703, hiding the interface will hide Windows Defender Antivirus notifications and prevent the Virus & threat protection tile from appearing in the Windows Defender Security Center app. +In Windows 10, versions 1703, hiding the interface will hide Windows Defender Antivirus notifications and prevent the Virus & threat protection tile from appearing in the Windows Security app. With the setting set to **Enabled**: -![Screenshot of Windows Defender Security Center without the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-1703.png) +![Screenshot of Windows Security without the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-1703.png) With the setting set to **Disabled** or not configured: -![Scheenshot of Windows Defender Security Center showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png) +![Scheenshot of Windows Security showing the shield icon and virus and threat protection section](images/defender/wdav-headless-mode-off-1703.png) >[!NOTE] >Hiding the interface will also prevent Windows Defender Antivirus notifications from appearing on the endpoint. Windows Defender Advanced Threat Protection notifications will still appear. You can also individually [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md index 37c8231fb3..485ea3e2a7 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md @@ -22,7 +22,7 @@ ms.date: 09/03/2018 If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender Antivirus quarantines suspicious files. If you are certain these files do not present a threat, you can restore them. -1. Open **Windows Defender Security Center**. +1. Open **Windows Security**. 2. Click **Virus & threat protection** and then click **Scan history**. 3. Under **Quarantined threats**, click **See full history**. 4. Click **Restore** for any items you want to keep. (If you prefer to remove them, you can click **Remove**.) diff --git a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md index 802c92f163..a63291b836 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/review-scan-results-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Review the results of Windows Defender AV scans -description: Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Defender Security Center app +description: Review the results of scans using System Center Configuration Manager, Microsoft Intune, or the Windows Security app keywords: scan results, remediation, full scan, quick scan search.product: eADQiWindows 10XVcnh ms.pagetype: security 
@@ -34,9 +34,9 @@ After an Windows Defender Antivirus scan completes, whether it is an [on-demand] See [How to monitor Endpoint Protection status](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/monitor-endpoint-protection). -**Use the Windows Defender Security Center app to review scan results:** +**Use the Windows Security app to review scan results:** -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Scan history** label. diff --git a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md index 9a93cd3335..dd926aacc2 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/run-scan-windows-defender-antivirus.md @@ -1,6 +1,6 @@ --- title: Run and customize on-demand scans in Windows Defender AV -description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Defender Security Center app +description: Run and configure on-demand scans using PowerShell, Windows Management Instrumentation, or individually on endpoints with the Windows Security app keywords: scan, on-demand, dos, intune, instant scan search.product: eADQiWindows 10XVcnh ms.pagetype: security 
@@ -33,6 +33,8 @@ In most instances, this means a quick scan is adequate to find malware that wasn A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up, and can be ideal when running on-demand scans. +>[!NOTE] +>By default, quick scans run on mounted removable devices, such as USB drives. **Use Configuration Manager to run a scan:** @@ -59,9 +61,9 @@ See [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defen 2. Select **...More** and then select **Quick Scan** or **Full Scan**. -**Use the Windows Defender Security Center app to run a scan:** +**Use the Windows Security app to run a scan:** -See [Run a scan in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints. +See [Run a scan in the Windows Security app](windows-defender-security-center-antivirus.md#scan) for instructions on running a scan on individual endpoints. diff --git a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md index e85493f83c..bc6c620629 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md 
@@ -57,7 +57,10 @@ In most instances, this means a quick scan is adequate to find malware that wasn A full scan can be useful on endpoints that have encountered a malware threat to identify if there are any inactive components that require a more thorough clean-up. In this instance, you may want to use a full scan when running an [on-demand scan](run-scan-windows-defender-antivirus.md). -A custom scan allows you to specify the files and folders to scan, such as a USB drive. +A custom scan allows you to specify the files and folders to scan, such as a USB drive. + +>[!NOTE] +>By default, quick scans run on mounted removable devices, such as USB drives. ## Set up scheduled scans @@ -71,7 +74,7 @@ Location | Setting | Description | Default setting (if not configured) Scan | Specify the scan type to use for a scheduled scan | Quick scan Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am -Root | Randomize scheduled task times | Randomize the start time of the scan to any interval from 0 to 4 hours, or to any interval plus or minus 30 minutes for non-Windows Defebder Antivirus scans. This can be useful in VM or VDI deployments. | Enabled +Root | Randomize scheduled task times | Randomize the start time of the scan to any interval from 0 to 4 hours, or to any interval plus or minus 30 minutes for non-Windows Defender Antivirus scans. This can be useful in VM or VDI deployments. | Enabled **Use PowerShell cmdlets to schedule scans:** diff --git a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md index 7d53f93ac2..a40df9b551 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/troubleshoot-windows-defender-antivirus.md @@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 09/03/2018 +ms.date: 09/11/2018 --- # Review event logs and error codes to troubleshoot issues with Windows Defender Antivirus @@ -1417,10 +1417,10 @@ Antivirus client health report.
        Antispyware signature creation time: ?<Antispyware signature creation time>
        Last quick scan start time: ?<Last quick scan start time>
        Last quick scan end time: ?<Last quick scan end time>
        -
        Last quick scan source: <Last quick scan source> (1 = scheduled, 2 = on demand)
        +
        Last quick scan source: <Last quick scan source> (0 = scan didn't run, 1 = user initiated, 2 = system initiated)
        Last full scan start time: ?<Last full scan start time>
        Last full scan end time: ?<Last full scan end time>
        -
        Last full scan source: <Last full scan source> (1 = scheduled, 2 = on demand)
        +
        Last full scan source: <Last full scan source> (0 = scan didn't run, 1 = user initiated, 2 = system initiated)
        Product status: For internal troubleshooting diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index 2aa61cadf2..10022efbdd 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md @@ -72,11 +72,11 @@ In passive and automatic disabled mode, you can still [manage updates for Window If you uninstall the other product, and choose to use Windows Defender AV to provide protection to your endpoints, Windows Defender AV will automatically return to its normal active mode. >[!WARNING] ->You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender AV, Windows Defender ATP, or the Windows Defender Security Center app. +>You should not attempt to disable, stop, or modify any of the associated services used by Windows Defender AV, Windows Defender ATP, or the Windows Security app. > >This includes the *wscsvc*, *SecurityHealthService*, *MsSense*, *Sense*, *WinDefend*, or *MsMpEng* services and process. Manually modifying these services can cause severe instability on your endpoints and open your network to infections and attacks. > ->It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md). +>It can also cause problems when using third-party antivirus apps and how their information is displayed in the [Windows Security app](windows-defender-security-center-antivirus.md). ## Related topics 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md index c0484875ec..1ef9d7b879 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md @@ -43,7 +43,7 @@ You can configure and manage Windows Defender Antivirus with: ## What's new in Windows 10, version 1803 - The [block at first sight feature](configure-block-at-first-sight-windows-defender-antivirus.md) can now block non-portable executable files (such as JS, VBS, or macros) as well as executable files. -- The [Virus & threat protection area in the Windows Defender Security Center](windows-defender-security-center-antivirus.md) now includes a section for ransomware protection. It includes controlled folder access settings and ransomware recovery settings. +- The [Virus & threat protection area in the Windows Security app](windows-defender-security-center-antivirus.md) now includes a section for ransomware protection. It includes controlled folder access settings and ransomware recovery settings. ## What's new in Windows 10, version 1703 
@@ -51,7 +51,7 @@ You can configure and manage Windows Defender Antivirus with: New features for Windows Defender Antivirus in Windows 10, version 1703 include: - [Updates to how the block at first sight feature can be configured](configure-block-at-first-sight-windows-defender-antivirus.md) - [The ability to specify the level of cloud-protection](specify-cloud-protection-level-windows-defender-antivirus.md) -- [Windows Defender Antivirus protection in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md) +- [Windows Defender Antivirus protection in the Windows Security app](windows-defender-security-center-antivirus.md) We've expanded this documentation library to cover end-to-end deployment, management, and configuration for Windows Defender Antivirus, and we've added some new guides that can help with evaluating and deploying Windows Defender AV in certain scenarios: - [Evaluation guide for Windows Defender Antivirus](evaluate-windows-defender-antivirus.md) @@ -69,7 +69,7 @@ Functionality, configuration, and management is largely the same when using Wind ## Related topics -[Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md) +[Windows Defender AV in the Windows Security app](windows-defender-security-center-antivirus.md) [Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) [Windows Defender AV compatibility](windows-defender-antivirus-compatibility.md) [Evaluate Windows Defender AV protection](evaluate-windows-defender-antivirus.md) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md index 2c18d5b068..c86a30f578 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md @@ -44,7 +44,7 @@ This topic includes the following instructions for setting up and running Window By default, Windows Defender AV is installed and functional on Windows Server 2016. The user interface is installed by default on some SKUs, but is not required. >[!NOTE] ->You can't uninstall the Windows Defender Security Center app, but you can disable the interface with these instructions. +>You can't uninstall the Windows Security app, but you can disable the interface with these instructions. If the interface is not installed, you can add it in the **Add Roles and Features Wizard** at the **Features** step, under **Windows Defender Features** by selecting the **GUI for Windows Defender** option. diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md index 4f28c692b5..279bf6d452 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-offline.md 
@@ -24,7 +24,7 @@ Windows Defender Offline is an antimalware scanning tool that lets you boot and You can use Windows Defender Offline if you suspect a malware infection, or you want to confirm a thorough clean of the endpoint after a malware outbreak. -In Windows 10, Windows Defender Offline can be run with one click directly from the [Windows Defender Security Center app](windows-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media. +In Windows 10, Windows Defender Offline can be run with one click directly from the [Windows Security app](windows-defender-security-center-antivirus.md). In previous versions of Windows, a user had to install Windows Defender Offline to bootable media, restart the endpoint, and load the bootable media. ## Pre-requisites and requirements @@ -86,7 +86,7 @@ You can run a Windows Defender Offline scan with the following: - PowerShell - Windows Management Instrumentation (WMI) -- The Windows Defender Security Center app +- The Windows Security app @@ -116,7 +116,7 @@ See the following for more information: **Use the Windows Defender Security app to run an offline scan:** -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then the **Advanced scan** label: 
@@ -130,7 +130,7 @@ See the following for more information: ## Review scan results -Windows Defender Offline scan results will be listed in the [Scan history section of the Windows Defender Security Center app](windows-defender-security-center-antivirus.md#detection-history). +Windows Defender Offline scan results will be listed in the [Scan history section of the Windows Security app](windows-defender-security-center-antivirus.md#detection-history). ## Related topics diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md index ae068a7b88..11a9537dac 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-security-center-antivirus.md @@ -1,6 +1,6 @@ --- -title: Windows Defender Antivirus in the Windows Defender Security Center app -description: Windows Defender AV is now included in the Windows Defender Security Center app. +title: Windows Defender Antivirus in the Windows Security app +description: Windows Defender AV is now included in the Windows Security app. keywords: wdav, antivirus, firewall, security, windows search.product: eADQiWindows 10XVcnh ms.pagetype: security 
@@ -14,13 +14,13 @@ ms.author: v-anbic ms.date: 09/03/2018 --- -# Windows Defender Antivirus in the Windows Defender Security Center app +# Windows Defender Antivirus in the Windows Security app **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) -In Windows 10, version 1703 and later, the Windows Defender app is part of the Windows Defender Security Center. +In Windows 10, version 1703 and later, the Windows Defender app is part of the Windows Security. Settings that were previously part of the Windows Defender client and main Windows Settings have been combined and moved to the new app, which is installed by default as part of Windows 10, version 1703. 
@@ -28,27 +28,27 @@ Settings that were previously part of the Windows Defender client and main Windo > Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). These are disabled automatically when a third-party antivirus or firewall product is installed and kept up to date. > [!WARNING] -> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Defender Security Center may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. +> If you do disable the Windows Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. >It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. >This will significantly lower the protection of your device and could lead to malware infection. -See the [Windows Defender Security Center topic](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app. +See the [Windows Security topic](/windows/threat-protection/windows-defender-security-center/windows-defender-security-center) for more information on other Windows security features that can be monitored in the app. >[!NOTE] ->The Windows Defender Security Center app is a client interface on Windows 10, version 1703 and later. 
It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). +>The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Windows Defender Security Center web portal that is used to review and manage [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). -**Review virus and threat protection settings in the Windows Defender Security Center app:** +**Review virus and threat protection settings in the Windows Security app:** -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). -![Screenshot of the Virus & threat protection settings label in the Windows Defender Security Center](images/defender/wdav-protection-settings-wdsc.png) +![Screenshot of the Virus & threat protection settings label in the Windows Security app](images/defender/wdav-protection-settings-wdsc.png) ## Comparison of settings and functions of the old app and the new app -All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Defender Security Center app. Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app. +All of the previous functions and settings from the Windows Defender app (in versions of Windows 10 before version 1703) are now found in the new Windows Security app. 
Settings that were previously located in Windows Settings under **Update & security** > **Windows Defender** are also now in the new app. The following diagrams compare the location of settings and functions between the old and new apps: @@ -67,14 +67,14 @@ Item | Windows 10, before version 1703 | Windows 10, version 1703 and later | De ## Common tasks -This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the Windows Defender Security Center app. +This section describes how to perform some of the most common tasks when reviewing or interacting with the threat protection provided by Windows Defender Antivirus in the Windows Security app. > [!NOTE] > If these settings are configured and deployed using Group Policy, the settings described in this section will be greyed-out and unavailable for use on individual endpoints. Changes made through a Group Policy Object must first be deployed to individual endpoints before the setting will be updated in Windows Settings. The [Configure end-user interaction with Windows Defender Antivirus](configure-end-user-interaction-windows-defender-antivirus.md) topic describes how local policy override settings can be configured. -**Run a scan with the Windows Defender Security Center app** -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +**Run a scan with the Windows Security app** +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). 
@@ -83,8 +83,8 @@ This section describes how to perform some of the most common tasks when reviewi 4. Click **Run a new advanced scan** to specify different types of scans, such as a full scan. -**Review the definition update version and download the latest updates in the Windows Defender Security Center app** -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +**Review the definition update version and download the latest updates in the Windows Security app** +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). @@ -96,9 +96,9 @@ This section describes how to perform some of the most common tasks when reviewi -**Ensure Windows Defender Antivirus is enabled in the Windows Defender Security Center app** +**Ensure Windows Defender Antivirus is enabled in the Windows Security app** -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). 
@@ -108,12 +108,12 @@ This section describes how to perform some of the most common tasks when reviewi >[!NOTE] >If you switch **Real-time protection** off, it will automatically turn back on after a short delay. This is to ensure you are protected from malware and threats. ->If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Defender Security Center app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md). +>If you install another antivirus product, Windows Defender AV will automatically disable itself and will indicate this in the Windows Security app. A setting will appear that will allow you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md). -**Add exclusions for Windows Defender Antivirus in the Windows Defender Security Center app** -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +**Add exclusions for Windows Defender Antivirus in the Windows Security app** +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). @@ -135,7 +135,7 @@ This section describes how to perform some of the most common tasks when reviewi **Set ransomware protection and recovery options** -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar). 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md index 9da9555294..83fd5dc5c5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md @@ -116,7 +116,7 @@ The following table details these path variables. | Windows directory or disk | AppLocker path variable | Windows environment variable | | - | - | - | | Windows| %WINDIR%| %SystemRoot%| -| System32| %SYSTEM32%| %SystemDirectory%| +| System32 and SysWOW64| %SYSTEM32%| %SystemDirectory%| | Windows installation directory| %OSDRIVE%| %SystemDrive%| | Program Files| %PROGRAMFILES%| %ProgramFiles% and %ProgramFiles(x86)% | | Removable media (for example, a CD or DVD)| %REMOVABLE%| | diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md index bdc18e10d3..ea9ccb6b07 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md 
@@ -25,7 +25,7 @@ Your environment needs the following hardware to run Windows Defender Applicatio |Hardware|Description| |--------|-----------| -|64-bit CPU|A 64-bit computer with minimum 4 cores is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).| +|64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).| |CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

        **-AND-**

        One of the following virtualization extensions for VBS:

        VT-x (Intel)

        **-OR-**

        AMD-V| |Hardware memory|Microsoft requires a minimum of 8GB RAM| |Hard disk|5 GB free space, solid state disk (SSD) recommended| diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md index 9ff9ac7dca..de2039986d 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md +++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: justinha ms.author: justinha -ms.date: 07/09/2018 +ms.date: 09/07/2018 --- # Windows Defender Application Guard overview diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md index 4eb6f33c8d..deb8c0e185 100644 --- a/windows/security/threat-protection/windows-defender-atp/TOC.md +++ b/windows/security/threat-protection/windows-defender-atp/TOC.md @@ -28,7 +28,7 @@ #### Machines list ##### [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md) -##### [Manage machine group and tags](investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags) +##### [Manage machine group and tags](machine-tags-windows-defender-advanced-threat-protection.md) ##### [Alerts related to this machine](investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine) ##### [Machine timeline](investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline) ###### [Search for specific events](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events) 
@@ -137,7 +137,7 @@ ###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection.md) -#### [Managed service provider provider support](mssp-support-windows-defender-advanced-threat-protection.md) +#### [Managed security service provider support](mssp-support-windows-defender-advanced-threat-protection.md) ### [Microsoft threat protection](threat-protection-integration.md) 
@@ -166,13 +166,17 @@ ##### [Network firewall](../windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md) #### [Evaluate next generation protection](../windows-defender-antivirus/evaluate-windows-defender-antivirus.md) -### [Access the Windows Defender Security Center Community Center](community-windows-defender-advanced-threat-protection.md) +### [Access the Windows Security app](community-windows-defender-advanced-threat-protection.md) ## [Configure and manage capabilities](onboard.md) ### [Configure attack surface reduction](configure-attack-surface-reduction.md) #### [Hardware-based isolation](../windows-defender-application-guard/install-wd-app-guard.md) -##### Configuration settings](../windows-defender-application-guard/configure-wd-app-guard.md) +##### [Configuration settings](../windows-defender-application-guard/configure-wd-app-guard.md) #### [Application control](../windows-defender-application-control/windows-defender-application-control.md) +#### [Device control](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) +##### [Memory integrity](../windows-defender-exploit-guard/memory-integrity.md) +###### [Hardware qualifications](../windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md) +###### [Enable HVCI](../windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md) #### [Exploit protection](../windows-defender-exploit-guard/enable-exploit-protection.md) ##### [Customize exploit protection](../windows-defender-exploit-guard/customize-exploit-protection.md) ##### [Import/export configurations](../windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md) 
@@ -193,7 +197,7 @@ ##### [Enable Block at first sight](../windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md) ##### [Configure the cloud block timeout period](../windows-defender-antivirus/configure-cloud-block-timeout-period-windows-defender-antivirus.md) #### [Configure behavioral, heuristic, and real-time protection](../windows-defender-antivirus/configure-protection-features-windows-defender-antivirus.md) -##### [Detect and block Potentially Unwanted Applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) +##### [Detect and block potentially unwanted applications](../windows-defender-antivirus/detect-block-potentially-unwanted-apps-windows-defender-antivirus.md) ##### [Enable and configure always-on protection and monitoring](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) #### [Antivirus on Windows Server 2016](../windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016.md) #### [Antivirus compatibility](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md) 
@@ -216,7 +220,7 @@ ###### [Configure and validate exclusions based on file name, extension, and folder location](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md) ###### [Configure and validate exclusions for files opened by processes](../windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus.md) ###### [Configure antivirus exclusions Windows Server 2016](../windows-defender-antivirus/configure-server-exclusions-windows-defender-antivirus.md) -##### [Configure scanning antivirus options](../windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md) +##### [Configure antivirus scanning options](../windows-defender-antivirus/configure-advanced-scan-types-windows-defender-antivirus.md) ##### [Configure remediation for scans](../windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md) ##### [Configure scheduled scans](../windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md) ##### [Configure and run scans](../windows-defender-antivirus/run-scan-windows-defender-antivirus.md) 
@@ -306,11 +310,11 @@ #### [Configure Microsoft Cloud App Security integration](microsoft-cloud-app-security-config.md) -### [Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md) +### [Configure Windows Security app settings](preferences-setup-windows-defender-advanced-threat-protection.md) #### General ##### [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md) ##### [Configure alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md) -##### [Enable and create Power BI reports using Windows Defender Security center data](powerbi-reports-windows-defender-advanced-threat-protection.md) +##### [Enable and create Power BI reports using Windows Security app data](powerbi-reports-windows-defender-advanced-threat-protection.md) ##### [Enable Secure score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md) ##### [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md) @@ -335,7 +339,7 @@ ##### [Onboarding machines](onboard-configure-windows-defender-advanced-threat-protection.md) ##### [Offboarding machines](offboard-machines-windows-defender-advanced-threat-protection.md) -#### [Configure Windows Defender Security Center time zone settings](time-settings-windows-defender-advanced-threat-protection.md) +#### [Configure Windows Security app time zone settings](time-settings-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md index acaeab8a05..e8f8e79356 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +ms.date: 09/28/2018 --- # Configure advanced features in Windows Defender ATP 
@@ -22,19 +22,21 @@ ms.date: 09/03/2018 Depending on the Microsoft security products that you use, some advanced features might be available for you to integrate Windows Defender ATP with. -Turn on the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations: +Use the following advanced features to get better protected from potentially malicious files and gain better insight during security investigations: ## Automated investigation When you enable this feature, you'll be able to take advantage of the automated investigation and remediation features of the service. For more information, see [Automated investigations](automated-investigations-windows-defender-advanced-threat-protection.md). ## Auto-resolve remediated alerts -The Automated investigations capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". +For tenants created on or after Windows 10, version 1809 the automated investigations capability is configured by default to resolve alerts where the automated analysis result status is "No threats found" or "Remediated". If you don’t want to have alerts auto-resolved, you’ll need to manually turn off the feature. + +>[!TIP] +>For tenants created prior that version, you'll need to manually turn this feature on from the [Advanced features](https://securitycenter.windows.com/preferences2/integration) page. >[!NOTE] > - The result of the auto-resolve action may influence the Machine risk level calculation which is based on the active alerts found on a machine. >- If a security operations analyst manually sets the status of an alert to "In progress" or "Resolved" the auto-resolve capability will not overrite it. -If you dont want to have alerts auto-resolved, youll need to manually turn off the feature. 
## Block file This feature is only available if your organization uses Windows Defender Antivirus as the active antimalware solution and that the cloud-based protection feature is enabled. @@ -81,7 +83,10 @@ When you enable this feature, you'll be able to incorporate data from Office 365 To receive contextual machine integration in Office 365 Threat Intelligence, you'll need to enable the Windows Defender ATP settings in the Security & Compliance dashboard. For more information, see [Office 365 Threat Intelligence overview](https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512). ## Microsoft Cloud App Security -Enabling this setting forwards Windows Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. +Enabling this setting forwards Windows Defender ATP signals to Microsoft Cloud App Security to provide deeper visibility into cloud application usage. Forwarded data is stored and processed in the same location as your Cloud App Security data. + +>[!NOTE] +>This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later. ## Azure information protection Turning this setting on forwards signals to Azure Information Protection, giving data owners and administrators visibility into protected data on onboarded machines and machine risk ratings. diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md index 2b53bf10ef..3eb5787182 100644 --- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md 
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md @@ -72,7 +72,7 @@ The following tables are exposed as part of Advanced hunting: - **RegistryEvents** - Stores registry key creation, modification, rename and deletion events - **LogonEvents** - Stores login events - **ImageLoadEvents** - Stores load dll events -- **MiscEvents** - Stores several types of events, including Windows Defender blocks (Windows Defender Antivirus, Exploit Guard, Windows Defender SmartScreen, Windows Defender Application Guard, and Firewall), process injection events, access to LSASS processes, and others. +- **MiscEvents** - Stores several types of events, process injection events, access to LSASS processes, and others. These tables include data from the last 30 days. @@ -144,7 +144,7 @@ Check out the [Advanced Hunting repository](https://github.com/Microsoft/Windows ## Related topic - [Advanced hunting reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md) -- [Advanced hunting query language best practices](/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) +- [Advanced hunting query language best practices](advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md) diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-queue-endpoint-detection-response.md b/windows/security/threat-protection/windows-defender-atp/alerts-queue-endpoint-detection-response.md index a2d22d5330..cce2d0c0a3 100644 --- a/windows/security/threat-protection/windows-defender-atp/alerts-queue-endpoint-detection-response.md +++ b/windows/security/threat-protection/windows-defender-atp/alerts-queue-endpoint-detection-response.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 09/03/2018 --- 
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md index 6630431d3f..f48dd12b3e 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-attack-surface-reduction.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 07/01/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md index 4d35506749..c9a8e4b1b1 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 04/24/2018 +ms.date: 09/19/2018 --- # Onboard Windows 10 machines using Mobile Device Management tools 
@@ -55,82 +55,9 @@ For more information on using Windows Defender ATP CSP see, [WindowsAdvancedThre 7. Select **OK**, and **Create** to save your changes, which creates the profile. - - -### Onboard and monitor machines using the classic Intune console - -1. Open the Microsoft Intune configuration package .zip file (*WindowsDefenderATPOnboardingPackage.zip*) that you downloaded from the service onboarding wizard. You can also get the package from [Windows Defender Security Center](https://securitycenter.windows.com/): - - a. In the navigation pane, select **Settings** > **Onboarding**. - - b. Select Windows 10 as the operating system. - - c. In the **Deployment method** field, select **Mobile Device Management / Microsoft Intune**. - - d. Click **Download package**, and save the .zip file. - -2. Extract the contents of the .zip file to a shared, read-only location that can be accessed by the network administrators who will deploy the package. You should have a file named *WindowsDefenderATP.onboarding*. - -3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). - - a. Select **Policy** > **Configuration Policies** > **Add**. - ![Microsoft Intune Configuration Policies](images/atp-add-intune-policy.png) - - b. Under **Windows**, select **Custom Configuration (Windows 10 Desktop and Mobile and later)** > **Create and Deploy a Custom Policy** > **Create Policy**.
        - ![Microsoft Intune Configuration Policies](images/atp-intune-new-policy.png) - - c. Type a name and description for the policy.
        - - ![Microsoft Intune Create Policy](images/atp-intune-policy-name.png) - - d. Under OMA-URI settings, select **Add...**.
        - - ![Microsoft Intune add OMC-URI](images/atp-intune-add-oma.png) - - e. Type the following values then select **OK**: - - ![Microsoft Intune save policy](images/atp-intune-oma-uri-setting.png) - - - **Setting name**: Type a name for the setting. - - **Setting description**: Type a description for the setting. - - **Data type**: Select **String**. - - **OMA-URI**: *./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding* - - **Value**: Copy and paste the contents of the *WindowsDefenderATP.onboarding* file you downloaded. - - - f. Save the policy. - - ![Microsoft Intune save policy](images/atp-intune-save-policy.png) - - g. Deploy the policy. - - ![Microsoft Intune deploy policy](images/atp-intune-deploy-policy.png) - - h. Select the device group to deploy the policy to: - - ![Microsoft Intune manage deployment](images/atp-intune-manage-deployment.png) - -When the policy is deployed and is propagated, machines will be shown in the **Machines list**. - -You can use the following onboarding policies to deploy configuration settings on machines. 
These policies can be sub-categorized to: -- Onboarding -- Health Status for onboarded machines -- Configuration for onboarded machines - -> [!div class="mx-tableFixed"] -Policy | OMA-URI | Type | Value | Description -:---|:---|:---|:---|:--- -Onboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Onboarding | String | Copy content from onboarding MDM file | Onboarding -Health Status for onboarded machines: Sense Is Running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | TRUE | Windows Defender ATP service is running -Health Status for onboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 1 | Onboarded to Windows Defender ATP -Health Status for onboarded machines: Organization ID | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OrgId | String | Use OrgID from onboarding file | Onboarded to Organization ID -Configuration for onboarded machines | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/SampleSharing | Integer | 0 or 1
        Default value: 1 | Windows Defender ATP Sample sharing is enabled -Configuration for onboarded machines: diagnostic data reporting frequency | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Configuration/TelemetryReportingFrequency | Integer | 1 or 2
        1: Normal (default)

        2: Expedite | Windows Defender ATP diagnostic data reporting - > [!NOTE] > - The **Health Status for onboarded machines** policy uses read-only properties and can't be remediated. > - Configuration of diagnostic data reporting frequency is only available for machines on Windows 10, version 1703. -> - Using the Expedite mode might have an impact on the machine's battery usage and actual bandwidth used for sensor data. You should consider this when these measures are critical. >[!TIP] @@ -156,16 +83,6 @@ For security reasons, the package used to Offboard machines will expire 30 days 3. Use the Microsoft Intune custom configuration policy to deploy the following supported OMA-URI settings. For more information on Microsoft Intune policy settings see, [Windows 10 policy settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune/deploy-use/windows-10-policy-settings-in-microsoft-intune). -Offboarding - Use the offboarding policies to remove configuration settings on machines. These policies can be sub-categorized to: -- Offboarding -- Health Status for offboarded machines -- Configuration for offboarded machines - -Policy | OMA-URI | Type | Value | Description -:---|:---|:---|:---|:--- -Offboarding | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/Offboarding | String | Copy content from offboarding MDM file | Offboarding - Health Status for offboarded machines: Sense Is Running | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/SenseIsRunning | Boolean | FALSE |Windows Defender ATP service is not running -Health Status for offboarded machines: Onboarding State | ./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/HealthState/OnBoardingState | Integer | 0 | Offboarded from Windows Defender ATP > [!NOTE] > The **Health Status for offboarded machines** policy uses read-only properties and can't be remediated. 
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md index 22998f989d..82a78124e7 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-mssp-support-windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 09/03/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index d9a8498c73..4456ba11e8 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -10,15 +10,13 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 05/29/2018 +ms.date: 09/12/2018 --- # Configure machine proxy and Internet connectivity settings **Applies to:** - - - Windows Defender Advanced Threat Protection (Windows Defender ATP) 
@@ -46,18 +44,24 @@ The WinHTTP configuration setting is independent of the Windows Internet (WinINe ## Configure the proxy server manually using a registry-based static proxy Configure a registry-based static proxy to allow only Windows Defender ATP sensor to report diagnostic data and communicate with Windows Defender ATP services if a computer is not be permitted to connect to the Internet. -The static proxy is configurable through Group Policy (GP). The group policy can be found under: **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**. +The static proxy is configurable through Group Policy (GP). The group policy can be found under: +- Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure Authenticated Proxy usage for the Connected User Experience and Telemetry Service + - Set it to **Enabled** and select **Disable Authenticated Proxy usage**: + ![Image of Group Policy setting](images/atp-gpo-proxy1.png) +- **Administrative Templates > Windows Components > Data Collection and Preview Builds > Configure connected user experiences and telemetry**: + - Configure the proxy:
        + ![Image of Group Policy setting](images/atp-gpo-proxy2.png) -The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`. + The policy sets two registry values `TelemetryProxyServer` as REG_SZ and `DisableEnterpriseAuthProxy` as REG_DWORD under the registry key `HKLM\Software\Policies\Microsoft\Windows\DataCollection`. -The registry value `TelemetryProxyServer` takes the following string format: + The registry value `TelemetryProxyServer` takes the following string format: -```text -: -``` -For example: 10.0.0.6:8080 + ```text + : + ``` + For example: 10.0.0.6:8080 -The registry value `DisableEnterpriseAuthProxy` should be set to 1. + The registry value `DisableEnterpriseAuthProxy` should be set to 1. ## Configure the proxy server manually using netsh command @@ -82,7 +86,7 @@ For example: netsh winhttp set proxy 10.0.0.6:8080 ## Enable access to Windows Defender ATP service URLs in the proxy server If a proxy or firewall is blocking all traffic by default and allowing only specific domains through or HTTPS scanning (SSL inspection) is enabled, make sure that the following URLs are white-listed to permit communication with Windows Defender ATP service in port 80 and 443: ->![NOTE] +>[!NOTE] > URLs that include v20 in them are only needed if you have Windows 10, version 1803 or later machines. For example, ```us-v20.events.data.microsoft.com``` is only needed if the machine is on Windows 10, version 1803 or later. Service location | Microsoft.com DNS record @@ -124,14 +128,14 @@ Verify the proxy configuration completed successfully, that WinHTTP can discover 6. Open *WDATPConnectivityAnalyzer.txt* and verify that you have performed the proxy configuration steps to enable server discovery and access to the service URLs.

        The tool checks the connectivity of Windows Defender ATP service URLs that Windows Defender ATP client is configured to interact with. It then prints the results into the *WDATPConnectivityAnalyzer.txt* file for each URL that can potentially be used to communicate with the Windows Defender ATP services. For example: - ```text - Testing URL : https://xxx.microsoft.com/xxx - 1 - Default proxy: Succeeded (200) - 2 - Proxy auto discovery (WPAD): Succeeded (200) - 3 - Proxy disabled: Succeeded (200) - 4 - Named proxy: Doesn't exist - 5 - Command line proxy: Doesn't exist - ``` + ```text + Testing URL : https://xxx.microsoft.com/xxx + 1 - Default proxy: Succeeded (200) + 2 - Proxy auto discovery (WPAD): Succeeded (200) + 3 - Proxy disabled: Succeeded (200) + 4 - Named proxy: Doesn't exist + 5 - Command line proxy: Doesn't exist + ``` If at least one of the connectivity options returns a (200) status, then the Windows Defender ATP client can communicate with the tested URL properly using this connectivity method.

        diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md index ea9af9e5bd..d31a895006 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md @@ -8,8 +8,8 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: mjcaparas -ms.localizationpriority: high -ms.date: 09/04/2018 +ms.localizationpriority: medium +ms.date: 09/06/2018 --- # Onboard servers to the Windows Defender ATP service @@ -35,9 +35,9 @@ The service supports the onboarding of the following servers: - Windows Server, version 1803 - Windows Server 2019 -## Onboard Windows Server 2012 R2 and Windows Server 2016 +## Windows Server 2012 R2 and Windows Server 2016 -To onboard your servers to Windows Defender ATP, you’ll need to: +To onboard Windows Server 2012 R2 and Windows Server 2016 to Windows Defender ATP, you’ll need to: - For Windows Server 2012 R2: Configure and update System Center Endpoint Protection clients. - Turn on server monitoring from Windows Defender Security Center. 
@@ -100,8 +100,8 @@ Agent Resource | Ports | winatp-gw-aus.microsoft.com | 443| | winatp-gw-aue.microsoft.com |443 | -## Onboard Windows Server, version 1803 and Windows Server 2019 -You’ll be able to onboard in the same method available for Windows 10 client machines. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. +## Windows Server, version 1803 and Windows Server 2019 +To onboard Windows Server, version 1803 or Windows Server 2019, use the same method used when onboarding Windows 10 machines. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 and Windows 2019 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. 1. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). diff --git a/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md b/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md index c7df3eceaa..e9d21b6f95 100644 --- a/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md +++ b/windows/security/threat-protection/windows-defender-atp/custom-detection-rules.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 09/03/2018 --- 
diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md index b4de052320..1efa791236 100644 --- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -10,13 +10,12 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 07/05/2018 +ms.date: 09/07/2018 --- # Windows Defender ATP data storage and privacy **Applies to:** - - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md b/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md index d4962ce985..760908772b 100644 --- a/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md +++ b/windows/security/threat-protection/windows-defender-atp/evaluate-atp.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 08/10/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/get-started.md b/windows/security/threat-protection/windows-defender-atp/get-started.md index 917cbf300d..ea37ae0629 100644 --- a/windows/security/threat-protection/windows-defender-atp/get-started.md +++ b/windows/security/threat-protection/windows-defender-atp/get-started.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 09/03/2018 --- 
@@ -24,8 +24,8 @@ The attack surface reduction set of capabilities provide the first line of defen **Next generation protection**
        To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats. -**Endpoint protection and response**
        -Endpoint protection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. +**Endpoint detection and response**
        +Endpoint detection and response capabilities are put in place to detect, investigate, and respond to advanced threats that may have made it past the first two security pillars. **Auto investigation and remediation**
        In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-gpo-proxy1.png b/windows/security/threat-protection/windows-defender-atp/images/atp-gpo-proxy1.png new file mode 100644 index 0000000000..50cc3f6f67 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-gpo-proxy1.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/images/atp-gpo-proxy2.png b/windows/security/threat-protection/windows-defender-atp/images/atp-gpo-proxy2.png new file mode 100644 index 0000000000..dee5f471b1 Binary files /dev/null and b/windows/security/threat-protection/windows-defender-atp/images/atp-gpo-proxy2.png differ diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md index c88e3f9b5e..607b3d55e1 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 09/03/2018 +ms.date: 09/18/2018 --- # Investigate machines in the Windows Defender ATP Machines list @@ -60,7 +60,7 @@ You'll also see details such as logon types for each user account, the user grou For more information, see [Investigate user entities](investigate-user-windows-defender-advanced-threat-protection.md). **Machine risk**
        -The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level is determined using the number of active alerts and their severity levels. You can influence a machine's risk level by resolving associated alerts manually or automatically and also by suppressing an alert. It's also indicators of the active threats that machines could be exposed to. +The Machine risk tile shows the overall risk assessment of a machine. A machine's risk level can be determined using the number of active alerts or by a combination of multiple risks that may increase the risk assessment and their severity levels. You can influence a machine's risk level by resolving associated alerts manually or automatically and also by suppressing an alert. It's also indicators of the active threats that machines could be exposed to. **Azure Advanced Threat Protection**
        If you have enabled the Azure ATP feature and there are alerts related to the machine, you can click on the link that will take you to the Azure ATP page where more information about the alerts are provided. diff --git a/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md index eb5a096cf1..09ba1f5325 100644 --- a/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/machine-tags-windows-defender-advanced-threat-protection.md @@ -47,7 +47,7 @@ Use the following registry key entry to add a tag on a machine: - Registry key value (string): Group >[!NOTE] ->The device tag is part of the machine information report thats generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report. +>The device tag is part of the machine information report that's generated once a day. As an alternative, you may choose to restart the endpoint that would transfer a new machine information report. ## Add machine tags using the portal diff --git a/windows/security/threat-protection/windows-defender-atp/manage-edr.md b/windows/security/threat-protection/windows-defender-atp/manage-edr.md index c1bec85f06..97ff8bd046 100644 --- a/windows/security/threat-protection/windows-defender-atp/manage-edr.md +++ b/windows/security/threat-protection/windows-defender-atp/manage-edr.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 07/01/2018 --- 
diff --git a/windows/security/threat-protection/windows-defender-atp/management-apis.md b/windows/security/threat-protection/windows-defender-atp/management-apis.md index 591e15faba..2e0966140c 100644 --- a/windows/security/threat-protection/windows-defender-atp/management-apis.md +++ b/windows/security/threat-protection/windows-defender-atp/management-apis.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 09/03/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md index 75fbcf69a7..b37cd582c8 100644 --- a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md +++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-config.md @@ -9,8 +9,8 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high -ms.date: 09/03/2018 +ms.localizationpriority: medium +ms.date: 09/19/2018 --- @@ -23,6 +23,10 @@ ms.date: 09/03/2018 To benefit from Windows Defender Advanced Threat Protection (ATP) cloud app discovery signals, turn on Microsoft Cloud App Security integration. + +>[!NOTE] +>This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later. + 1. In the navigation pane, select **Preferences setup** > **Advanced features**. 2. Select **Microsoft Cloud App Security** and switch the toggle to **On**. 3. Click **Save preferences**. 
diff --git a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md index cecf0f1a7b..51dfb9bf97 100644 --- a/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md +++ b/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration.md @@ -9,8 +9,8 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high -ms.date: 09/03/2018 +ms.localizationpriority: medium +ms.date: 09/18/2018 --- # Microsoft Cloud App Security integration overview @@ -21,6 +21,9 @@ ms.date: 09/03/2018 Microsoft Cloud App Security (Cloud App Security) is a comprehensive solution that gives visibility into cloud apps and services by allowing you to control and limit access to cloud apps, while enforcing compliance requirements on data stored in the cloud. For more information, see [Cloud App Security](https://docs.microsoft.com/cloud-app-security/what-is-cloud-app-security). +>[!NOTE] +>This feature is available with an E5 license for [Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) on machines running Windows 10 version 1809 or later. + ## Windows Defender ATP and Cloud App Security integration Cloud App Security discovery relies on cloud traffic logs being forwarded to it from enterprise firewall and proxy servers. Windows Defender ATP integrates with Cloud App Security by collecting and forwarding all cloud app networking activities, providing unparalleled visibility to cloud app usage. The monitoring functionality is built into the device, providing complete coverage of network activity. 
diff --git a/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md
index f788a1dd65..0ec05caa9c 100644
--- a/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 09/03/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-atp/onboard.md b/windows/security/threat-protection/windows-defender-atp/onboard.md
index cd9030b575..39ee66db3c 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 09/03/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md
index 90b081cc1e..98d08c46d6 100644
--- a/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-atp/overview-attack-surface-reduction.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 07/01/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md b/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md
index 4ca46423a1..9b2912076d 100644
--- a/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md
+++ b/windows/security/threat-protection/windows-defender-atp/overview-custom-detections.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 09/03/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md b/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md
index a40fccae5f..31b65ba716 100644
--- a/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md
+++ b/windows/security/threat-protection/windows-defender-atp/overview-endpoint-detection-response.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 09/03/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md b/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md
index 02cf4a6b5a..9d8cdabaae 100644
--- a/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md
+++ b/windows/security/threat-protection/windows-defender-atp/overview-hardware-based-isolation.md
@@ -8,19 +8,19 @@ ms.pagetype: security author: justinha ms.localizationpriority: medium ms.author: justinha -ms.date: 08/16/2018 +ms.date: 09/07/2018 --- # Hardware-based isolation in Windows 10 **Applies to:** Windows Defender Advanced Threat Protection (Windows Defender ATP) -Hardware-based isolation helps protect system integrity in Windows 10 and is integreated with Windows Defender ATP. +Hardware-based isolation helps protect system integrity in Windows 10 and is integrated with Windows Defender ATP. | Feature | Description | |------------|-------------| -| [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md) | Isolates untrusted sites and protects your company while your employees browse the Internet. | -| [Windows Defender System Guard](how-hardware-based-containers-help-protect-windows.md) | Protects and maintains the integrity of the system | +| [Windows Defender Application Guard](../windows-defender-application-guard/wd-app-guard-overview.md) | Application Guard protects your device from advanced attacks while keeping you productive. Using a unique hardware-based isolation approach, the goal is to isolate untrusted websites and PDF documents inside a lightweight container that is separated from the operating system via the native Windows Hypervisor. If an untrusted site or PDF document turns out to be malicious, it still remains contained within Application Guard’s secure container, keeping the desktop PC protected and the attacker away from your enterprise data. | +| [Windows Defender System Guard](how-hardware-based-containers-help-protect-windows.md) | System Guard protects and maintains the integrity of the system as it starts and after it's running, and validates system integrity by using attestation. | 
diff --git a/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md
index b3d6c3cfb7..598138a8ef 100644
--- a/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/overview-hunting-windows-defender-advanced-threat-protection.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 09/12/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-atp/overview.md b/windows/security/threat-protection/windows-defender-atp/overview.md
index 813d97f8c4..b40bd3d25d 100644
--- a/windows/security/threat-protection/windows-defender-atp/overview.md
+++ b/windows/security/threat-protection/windows-defender-atp/overview.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 09/03/2018
 ---
@@ -24,7 +24,7 @@ Topic | Description
 [Attack surface reduction](overview-attack-surface-reduction.md) | Leverage the attack surface reduction capabilities to protect the perimeter of your organization.
 [Next generation protection](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | Learn about the antivirus capabilities in Windows Defender ATP so you can protect desktops, portable computers, and servers.
 [Endpoint detection and response](overview-endpoint-detection-response.md) | Understand how Windows Defender ATP continuously monitors your organization for possible attacks against systems, networks, or users in your organization and the features you can use to mitigate and remediate threats.
-[Automated investigation and investigation](automated-investigations-windows-defender-advanced-threat-protection.md) | In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
+[Automated investigation and remediation](automated-investigations-windows-defender-advanced-threat-protection.md) | In conjunction with being able to quickly respond to advanced attacks, Windows Defender ATP offers automatic investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale.
 [Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md) | Quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to better protect your organization - all in one place.
 [Advanced hunting](overview-hunting-windows-defender-advanced-threat-protection.md) | Use a powerful search and query language to create custom queries and detection rules.
[Management and APIs](management-apis.md) | Windows Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows. diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md index be77829814..3eab3eda81 100644 --- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md @@ -57,7 +57,7 @@ Windows Defender ATP integrates with Azure Security Center to provide a comprehe Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. -- [Onboard Windows Server 2019](configure-server-endpoints-windows-defender-advanced-threat-protection.md#onboard-windows-server-version-1803-and-windows-server-2019)
        +- [Onboard Windows Server 2019](configure-server-endpoints-windows-defender-advanced-threat-protection.md#windows-server-version-1803-and-windows-server-2019)
        Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. - [Onboard previous versions of Windows](onboard-downlevel-windows-defender-advanced-threat-protection.md)
        diff --git a/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md index 9f5eeb8670..ad774f962c 100644 --- a/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/run-detection-test-windows-defender-advanced-threat-protection.md @@ -10,18 +10,24 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: medium -ms.date: 11/06/2017 +ms.date: 09/07/2018 --- # Run a detection test on a newly onboarded Windows Defender ATP machine **Applies to:** +- Supported Windows 10 versions +- Windows Server 2012 R2 +- Windows Server 2016 +- Windows Server, version 1803 +- Windows Server, 2019 - Windows Defender Advanced Threat Protection (Windows Defender ATP) Run the following PowerShell script on a newly onboarded machine to verify that it is properly reporting to the Windows Defender ATP service. -1. Open an elevated command-line prompt on the machine and run the script: +1. Create a folder: 'C:\test-WDATP-test'. +2. Open an elevated command-line prompt on the machine and run the script: a. Go to **Start** and type **cmd**. @@ -29,7 +35,7 @@ Run the following PowerShell script on a newly onboarded machine to verify that ![Window Start menu pointing to Run as administrator](images/run-as-admin.png) -2. At the prompt, copy and run the following command: +3. At the prompt, copy and run the following command: ``` powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\test-WDATP-test\invoice.exe');Start-Process 'C:\test-WDATP-test\invoice.exe' 
diff --git a/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md b/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md
index a336f30021..b491a5a109 100644
--- a/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md
+++ b/windows/security/threat-protection/windows-defender-atp/threat-protection-integration.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 09/12/2018
 ---
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index e15d044a19..87d878f234 100644
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: medium
-ms.date: 04/24/2018
+ms.date: 09/07/2018
 ---
 # Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
@@ -75,7 +75,7 @@ Event ID | Error Type | Resolution steps ## Troubleshoot onboarding issues using Microsoft Intune You can use Microsoft Intune to check error codes and attempt to troubleshoot the cause of the issue. -If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment. For more information, see the [Configure automatic MDM enrollment](https://go.microsoft.com/fwlink/?linkid=829597) section. +If you have configured policies in Intune and they are not propagated on machines, you might need to configure automatic MDM enrollment. Use the following tables to understand the possible causes of issues while onboarding: @@ -253,7 +253,7 @@ If the verification fails and your environment is using a proxy to connect to th For example, in Group Policy there should be no entries such as the following values: - `````` - - `````` + - `````` - After clearing the policy, run the onboarding steps again. - You can also check the following registry key values to verify that the policy is disabled: diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md index c90bb67da7..cd9048386c 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md 
@@ -35,7 +35,9 @@ If your client secret expires or if you've misplaced the copy provided when you 3. Select your tenant. -4. Click **App registrations** > **All apps**, then select your SIEM tool application. The application name is `https://windowsdefenderatpsiemconnector`. +4. Click **App registrations**. Then in the applications list, select the application: + - For SIEM: `https://WindowsDefenderATPSiemConnector` + - For Threat intelligence API: `https://WindowsDefenderATPCustomerTiConnector` 5. Select **Keys** section, then provide a key description and specify the key validity duration. diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md index 271c270c35..12f36df3a9 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-wdatp.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 09/03/2018 --- diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md index dc5416368f..a67e865ccb 100644 --- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security ms.author: macapara author: mjcaparas -ms.localizationpriority: high +ms.localizationpriority: medium ms.date: 09/03/2018 --- 
diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md
index 126c30c6b5..ea7e9fd67b 100644
--- a/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md
+++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-security-center-atp.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
-ms.localizationpriority: high
+ms.localizationpriority: medium
 ms.date: 07/01/2018
 ---
 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
index 8e21f4933d..18134f19d0 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md
@@ -1,5 +1,5 @@
 ---
-title: Use Attack surface reduction rules to prevent malware infection
+title: Use attack surface reduction rules to prevent malware infection
 description: ASR rules can help prevent exploits from using apps and scripts to infect machines with malware
 keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention
 search.product: eADQiWindows 10XVcnh
@@ -11,22 +11,20 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 10/02/2018 --- - - -# Reduce attack surfaces with Windows Defender Exploit Guard - +# Reduce attack surfaces with attack surface reduction rules **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) -Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. -Attack surface reduction works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. -Attack surface reduction has a number of [rules](#attack-surface-reduction-rules), each of which targets specific behaviors that are typically used by malware and malicious apps to infect machines, such as: +Attack surface reduction rules work best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. + +Attack surface reduction rules each target specific behaviors that are typically used by malware and malicious apps to infect machines, such as: - Executable files and scripts used in Office apps or web mail that attempt to download or run files - Scripts that are obfuscated or otherwise suspicious 
@@ -34,11 +32,11 @@ Attack surface reduction has a number of [rules](#attack-surface-reduction-rules When a rule is triggered, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. -You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Attack surface reduction would impact your organization if it were enabled. +You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how attack surface reduction rules would impact your organization if they were enabled. ## Requirements -Attack surface reduction requires Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). +Attack surface reduction rules require Windows 10 Enterprise E5 and [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). ## Attack surface reduction rules 
@@ -58,8 +56,8 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block only Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869 -Block Adobe Reader from creating child processes (available for beta testing) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c +Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c The rules apply to the following Office apps: 
@@ -170,19 +168,19 @@ With this rule, admins can prevent unsigned or untrusted executable files from r - Executable files (such as .exe, .dll, or .scr) - Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) -### Rule: Block only Office communication applications from creating child processes (available for beta testing) +### Rule: Block only Office communication applications from creating child processes Office communication apps will not be allowed to create child processes. This includes Outlook. This is a typical malware behavior, especially for macro-based attacks that attempt to use Office apps to launch or download malicious executables. -### Rule: Block Adobe Reader from creating child processes (available for beta testing) +### Rule: Block Adobe Reader from creating child processes This rule blocks Adobe Reader from creating child processes. -## Review Attack surface reduction events in Windows Event Viewer +## Review attack surface reduction rule events in Windows Event Viewer -You can review the Windows event log to see events that are created when an Attack surface reduction rule is triggered (or audited): +You can review the Windows event log to see events that are created when an attack surface reduction rule is triggered (or audited): 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *asr-events.xml* to an easily accessible location on the machine. @@ -196,7 +194,7 @@ You can review the Windows event log to see events that are created when an Atta 4. Click **OK**. -5. This will create a custom view that filters to only show the following events related to Attack surface reduction: +5. This will create a custom view that filters to only show the following events related to attack surface reduction rules: Event ID | Description -|- 
@@ -218,7 +216,7 @@ You can review the Windows event log to see events that are created when an Atta Topic | Description ---|--- -[Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how the feature works, and what events would typically be created. -[Enable Attack surface reduction](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Attack surface reduction in your network. -[Customize Attack surface reduction](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by Attack surface reduction and customize the notification that appears on a user's machine when a rule blocks an app or file. +[Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md) | Use a tool to see a number of scenarios that demonstrate how attack surface reduction rules work, and what events would typically be created. +[Enable attack surface reduction rules](enable-attack-surface-reduction.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage attack surface reduction rules in your network. +[Customize attack surface reduction rules](customize-attack-surface-reduction.md) | Exclude specified files and folders from being evaluated by attack surface reduction rules and customize the notification that appears on a user's machine when a rule blocks an app or file. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index 5e7831035b..57927f648c 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md 
@@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 09/18/2018 --- 
@@ -21,18 +21,13 @@ ms.date: 08/08/2018 - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - - - - -You can enable attack surface reduction, eploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. +You can enable attack surface reduction rules, eploit protection, network protection, and controlled folder access in audit mode. This lets you see a record of what *would* have happened if you had enabled the feature. You might want to do this when testing how the features will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period. While the features will not block or prevent apps, scripts, or files from being modified, the Windows Event Log will record events as if the features were fully enabled. This means you can enable audit mode and then review the event log to see what impact the feature would have had were it enabled. -You can use Windows Defender Advanced Threat Protection to get greater deatils for each event, especially for investigating Attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +You can use Windows Defender Advanced Threat Protection to get greater deatils for each event, especially for investigating attack surface reduction rules. Using the Windows Defender ATP console lets you [investigate issues as part of the alert timeline and investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). 
This topic provides links that describe how to enable the audit functionality for each feature and how to view events in the Windows Event Viewer. 
@@ -45,10 +40,10 @@ You can use Group Policy, PowerShell, and configuration service providers (CSPs) Audit options | How to enable audit mode | How to view events - | - | - -Audit applies to all events | [Enable Controlled folder access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled folder access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer) -Audit applies to individual rules | [Enable Attack surface reduction rules](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules) | [Attack surface reduction events](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer) -Audit applies to all events | [Enable Network protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network protection events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) -Audit applies to individual mitigations | [Enable Exploit protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) +Audit applies to all events | [Enable controlled folder access](enable-controlled-folders-exploit-guard.md#enable-and-audit-controlled-folder-access) | [Controlled folder access events](controlled-folders-exploit-guard.md#review-controlled-folder-access-events-in-windows-event-viewer) +Audit applies to individual rules | [Enable attack surface reduction rules](enable-attack-surface-reduction.md) | [Attack surface reduction rule events](attack-surface-reduction-exploit-guard.md) +Audit applies to all events | [Enable network protection](enable-network-protection.md#enable-and-audit-network-protection) | [Network protection 
events](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) +Audit applies to individual mitigations | [Enable exploit protection](enable-exploit-protection.md#enable-and-audit-exploit-protection) | [Exploit protection events](exploit-protection-exploit-guard.md#review-exploit-protection-events-in-windows-event-viewer) You can also use the a custom PowerShell script that enables the features in audit mode automatically: @@ -69,14 +64,9 @@ You can also use the a custom PowerShell script that enables the features in aud A message should appear to indicate that audit mode was enabled. - ## Related topics - - [Protect devices from exploits](exploit-protection-exploit-guard.md) -- [Reduce attack surfaces with](attack-surface-reduction-exploit-guard.md) +- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) - [Protect your network](network-protection-exploit-guard.md) -- [Protect important folders](controlled-folders-exploit-guard.md) - - - +- [Protect important folders](controlled-folders-exploit-guard.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md b/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md index 72daf4a2bc..83348307d8 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md 
@@ -20,17 +20,13 @@ ms.date: 08/08/2018 - Windows Defender Advanced Threat Protection (Windows Defender ATP) +This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using attack surface reduction rules, network protection, exploit protection, and controlled folder access. - -- IT administrators - -This topic describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using Windows Defender Exploit Guard. - -In particular, you will be asked to collect and attach this data when using the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) if you indicate that you have encountered a problem with [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) or [Network protection](network-protection-exploit-guard.md). +In particular, you will be asked to collect and attach this data when using the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) if you indicate that you have encountered a problem with [attack surface reduction rules](attack-surface-reduction-exploit-guard.md) or [network protection](network-protection-exploit-guard.md). Before attempting this process, ensure you have met all required pre-requisites and taken any other suggested troubleshooting steps as described in these topics: -- [Troubleshoot Windows Defender Exploit Guard ASR rules](troubleshoot-asr.md) -- [Troubleshoot Windows Defender Network protection](troubleshoot-np.md) +- [Troubleshoot attack surface reduction rules](troubleshoot-asr.md) +- [Troubleshoot network protection](troubleshoot-np.md) 
@@ -63,7 +59,7 @@ Before attempting this process, ensure you have met all required pre-requisites ## Related topics -- [Troubleshoot ASR rules](troubleshoot-asr.md) -- [Troubleshoot Network protection](troubleshoot-np.md) +- [Troubleshoot attack surface reduction rules](troubleshoot-asr.md) +- [Troubleshoot network protection](troubleshoot-np.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md index a5c31c8baf..fb5b4091c5 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md 
@@ -11,21 +11,17 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 10/02/2018 --- - - # Protect important folders with controlled folder access - **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) - -Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. -Controlled folder access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. +Controlled folder access works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into controlled folder access events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). All apps (any executable file, including .exe, .scr, .dll files and others) are assessed by Windows Defender Antivirus, which then determines if the app is malicious or safe. If the app is determined to be malicious or suspicious, then it will not be allowed to make changes to any files in any protected folder. 
@@ -35,17 +31,16 @@ A notification will appear on the computer where the app attempted to make chang The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. -You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +You can use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how controlled folder access would impact your organization if it were enabled. You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. ## Requirements -Controlled folder access requires enabling [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). +Controlled folder access requires enabling [Windows Defender Antivirus real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md). +## Review controlled folder access events in Windows Event Viewer -## Review Controlled folder access events in Windows Event Viewer - -You can review the Windows event log to see events that are created when Controlled folder access blocks (or audits) an app: +You can review the Windows event log to see events that are created when controlled folder access blocks (or audits) an app: 1. 
Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine. @@ -59,19 +54,19 @@ You can review the Windows event log to see events that are created when Control 4. Click **OK**. -5. This will create a custom view that filters to only show the following events related to Controlled folder access: +5. This will create a custom view that filters to only show the following events related to controlled folder access: Event ID | Description -|- 5007 | Event when settings are changed -1124 | Audited Controlled folder access event -1123 | Blocked Controlled folder access event +1124 | Audited controlled folder access event +1123 | Blocked controlled folder access event ## In this section Topic | Description ---|--- -[Evaluate Controlled folder access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how Controlled folder access works, and what events would typically be created. -[Enable Controlled folder access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage Controlled folder access in your network -[Customize Controlled folder access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders. +[Evaluate controlled folder access](evaluate-controlled-folder-access.md) | Use a dedicated demo tool to see how controlled folder access works, and what events would typically be created. +[Enable controlled folder access](enable-controlled-folders-exploit-guard.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage controlled folder access in your network +[Customize controlled folder access](customize-controlled-folders-exploit-guard.md) | Add additional protected folders, and allow specified apps to access protected folders. 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
index fcba05fbf6..2ed1ca2fa0 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
@@ -1,5 +1,5 @@
 ---
-title: Configure how ASR works to finetune protection in your network
+title: Configure how attack surface reduction rules work to finetune protection in your network
 description: You can individually set rules in audit, block, or disabled modes, and add files and folders that should be excluded from ASR
 keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, customize, configure, exclude
 search.product: eADQiWindows 10XVcnh
@@ -11,30 +11,29 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 10/02/2018 --- -# Customize attack surface reduction +# Customize attack surface reduction rules **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. -Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. - -This topic describes how to customize Attack surface reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. +This topic describes how to customize attack surface reduction rules by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. You can use Group Policy, PowerShell, and MDM CSPs to configure these settings. ## Exclude files and folders -You can exclude files and folders from being evaluated by most Attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an Attack surface reduction rule, the file will not be blocked from running. +You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if the file or folder contains malicious behavior as determined by an attack surface reduction rule, the file will not be blocked from running. This could potentially allow unsafe files to run and infect your devices. >[!WARNING] ->Excluding files or folders can severely reduce the protection provided by Attack surface reduction rules. 
Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. +>Excluding files or folders can severely reduce the protection provided by attack surface reduction rules. Files that would have been blocked by a rule will be allowed to run, and there will be no report or event recorded. > >If you are encountering problems with rules detecting files that you believe should not be detected, you should [use audit mode first to test the rule](enable-attack-surface-reduction.md#enable-and-audit-attack-surface-reduction-rules). 
@@ -62,22 +61,20 @@ Use advanced protection against ransomware | [!include[Check mark yes](images/sv Block credential stealing from the Windows local security authority subsystem (lsass.exe) | [!include[Check mark no](images/svg/check-no.svg)] | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | [!include[Check mark yes](images/svg/check-yes.svg)] | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | [!include[Check mark yes](images/svg/check-yes.svg)] | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block only Office communication applications from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869 -Block Adobe Reader from creating child processes (available for beta testing) | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c - - -See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. +Block only Office communication applications from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Adobe Reader from creating child processes | [!include[Check mark yes](images/svg/check-yes.svg)] | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c +See the [attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. ### Use Group Policy to exclude files and folders -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. 
In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**. +3. Expand the tree to **Windows components > Windows Defender Antivirus > Windows Defender Exploit Guard > Attack surface reduction**. -6. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. +4. Double-click the **Exclude files and paths from Attack surface reduction Rules** setting and set the option to **Enabled**. Click **Show** and enter each file or folder in the **Value name** column. Enter **0** in the **Value** column for each item. ### Use PowerShell to exclude files and folderss @@ -90,7 +87,6 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add more folders to the list. - >[!IMPORTANT] >Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. 
@@ -98,17 +94,13 @@ Continue to use `Add-MpPreference -AttackSurfaceReductionOnlyExclusions` to add
 Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
-
-
 ## Customize the notification
-See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
-
-
+See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
 ## Related topics
-- [Reduce attack surfaces](attack-surface-reduction-exploit-guard.md)
-- [Enable Attack surface reduction](enable-attack-surface-reduction.md)
-- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md)
+- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
+- [Enable attack surface reduction rules](enable-attack-surface-reduction.md)
+- [Evaluate attack surface reduction rules](evaluate-attack-surface-reduction.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
index aebfd7efca..0c74046601 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md
@@ -11,22 +11,18 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: andreabichsel
 ms.author: v-anbic
-ms.date: 08/08/2018
+ms.date: 10/02/2018
 ---
-
-
 # Customize controlled folder access
-
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
+Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients.
-Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware.
-
-This topic describes how to customize the following settings of the Controlled folder access feature with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):
+This topic describes how to customize the following settings of the controlled folder access feature with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs):
 - [Add additional folders to be protected](#protect-additional-folders)
 - [Add apps that should be allowed to access protected folders](#allow-specifc-apps-to-make-changes-to-controlled-folders)
@@ -36,23 +32,22 @@ This topic describes how to customize the following settings of the Controlled f > >This may impact your organization's productivity, so you may want to consider running the feature in [audit mode](audit-windows-defender-exploit-guard.md) to fully assess the feature's impact. - ## Protect additional folders Controlled folder access applies to a number of system folders and default locations, including folders such as Documents, Pictures, Movies, and Desktop. You can add additional folders to be protected, but you cannot remove the default folders in the default list. -Adding other folders to Controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults. +Adding other folders to controlled folder access can be useful, for example, if you don't store files in the default Windows libraries or you've changed the location of the libraries away from the defaults. You can also enter network shares and mapped drives. Environment variables and wildcards are supported. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10). -You can use the Windows Defender Security Center app or Group Policy to add and remove additional protected folders. +You can use the Windows Security app or Group Policy to add and remove additional protected folders. -### Use the Windows Defender Security Center app to protect additional folders +### Use the Windows Security app to protect additional folders -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. 
Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**: @@ -62,16 +57,15 @@ You can use the Windows Defender Security Center app or Group Policy to add and ![Screenshot of the Virus and threat protection settings button](images/cfa-prot-folders.png) - ### Use Group Policy to protect additional folders -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor**, go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. -6. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder. +4. Double-click **Configured protected folders** and set the option to **Enabled**. Click **Show** and enter each folder. ### Use PowerShell to protect additional folders 
@@ -82,38 +76,32 @@ You can use the Windows Defender Security Center app or Group Policy to add and Add-MpPreference -ControlledFolderAccessProtectedFolders "" ``` - -Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Defender Security Center app. - +Continue to use `Add-MpPreference -ControlledFolderAccessProtectedFolders` to add more folders to the list. Folders added using this cmdlet will appear in the Windows Security app. ![Screenshot of a PowerShell window with the cmdlet above entered](images/cfa-allow-folder-ps.png) - >[!IMPORTANT] >Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. ### Use MDM CSPs to protect additional folders -Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. +Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders. +## Allow specific apps to make changes to controlled folders - - ## Allow specific apps to make changes to controlled folders - -You can specify if certain apps should always be considered safe and given write access to files in protected folders. Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the Controlled folder access feature. +You can specify if certain apps should always be considered safe and given write access to files in protected folders. 
Allowing apps can be useful if you're finding a particular app that you know and trust is being blocked by the controlled folder access feature. >[!IMPORTANT] ->By default, Windows adds apps that it considers friendly to the allowed list - apps added automatically by Windows are not recorded in the list shown in the Windows Defender Security Center app or by using the associated PowerShell cmdlets. +>By default, Windows adds apps that it considers friendly to the allowed list - apps added automatically by Windows are not recorded in the list shown in the Windows Security app or by using the associated PowerShell cmdlets. >You shouldn't need to add most apps. Only add apps if they are being blocked and you can verify their trustworthiness. +You can use the Windows Security app or Group Policy to add and remove apps that should be allowed to access protected folders. -You can use the Windows Defender Security Center app or Group Policy to add and remove apps that should be allowed to access protected folders. - -When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by Controlled folder access. +When you add an app, you have to specify the app's location. Only the app in that location will be permitted access to the protected folders - if the app (with the same name) is located in a different location, then it will not be added to the allow list and may be blocked by controlled folder access. ### Use the Windows Defender Security app to allow specific apps -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. 
Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**. @@ -127,13 +115,11 @@ When you add an app, you have to specify the app's location. Only the app in tha 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. - -6. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Controlled folder access**. +4. Double-click the **Configure allowed applications** setting and set the option to **Enabled**. Click **Show** and enter each app. ### Use PowerShell to allow specific apps 
@@ -149,27 +135,22 @@ When you add an app, you have to specify the app's location. Only the app in tha ```PowerShell Add-MpPreference -ControlledFolderAccessAllowedApplications "c:\apps\test.exe" ``` - -Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Defender Security Center app. - +Continue to use `Add-MpPreference -ControlledFolderAccessAllowedApplications` to add more apps to the list. Apps added using this cmdlet will appear in the Windows Security app. ![Screenshot of a PowerShell window with the above cmdlet entered](images/cfa-allow-app-ps.png) - >[!IMPORTANT] >Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list. - - ### Use MDM CSPs to allow specific apps Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersAllowedApplications](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfoldersallowedapplications) configuration service provider (CSP) to allow apps to make changes to protected folders. ## Customize the notification -See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. +See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file. 
## Related topics -- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) -- [Enable Controlled folder access](enable-controlled-folders-exploit-guard.md) -- [Evaluate attack surface reduction](evaluate-windows-defender-exploit-guard.md) \ No newline at end of file +- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) +- [Enable controlled folder access](enable-controlled-folders-exploit-guard.md) +- [Evaluate attack surface reduction rules](evaluate-windows-defender-exploit-guard.md) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index 59513ac8ec..e689b26a32 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md @@ -1,7 +1,7 @@ --- title: Enable or disable specific mitigations used by Exploit protection keywords: Exploit protection, mitigations, enable, powershell, dep, cfg, emet, aslr -description: You can enable individual mitigations using the Windows Defender Security Center app or PowerShell. You can also audit mitigations and export configurations. +description: You can enable individual mitigations using the Windows Security app or PowerShell. You can also audit mitigations and export configurations. search.product: eADQiWindows 10XVcnh ms.pagetype: security ms.prod: w10 
@@ -14,33 +14,19 @@ ms.author: v-anbic ms.date: 08/08/2018 --- -# Customize Exploit protection +# Customize exploit protection **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - - - - - - - - - - - - Exploit protection automatically applies a number of exploit mitigation techniques on both the operating system processes and on individual apps. - -You configure these settings using the Windows Defender Security Center on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell. +You configure these settings using the Windows Security app on an individual machine, and then export the configuration as an XML file that you can deploy to other machines. You can use Group Policy to distribute the XML file to multiple devices at once. You can also configure the mitigations with PowerShell. - This topic lists each of the mitigations available in Exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works. + This topic lists each of the mitigations available in exploit protection, indicates whether the mitigation can be applied system-wide or to individual apps, and provides a brief description of how the mitigation works. -It also describes how to enable or configure the mitigations using Windows Defender Security Center, PowerShell, and MDM CSPs. This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md). +It also describes how to enable or configure the mitigations using Windows Security, PowerShell, and MDM CSPs. 
This is the first step in creating a configuration that you can deploy across your network. The next step involves [generating or exporting, importing, and deploying the configuration to multiple devices](import-export-exploit-protection-emet-xml.md). >[!WARNING] >Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](evaluate-exploit-protection.md) before deploying the configuration across a production environment or the rest of your network. @@ -49,10 +35,8 @@ It also describes how to enable or configure the mitigations using Windows Defen All mitigations can be configured for individual apps. Some mitigations can also be applied at the operating system level. - You can set each of the mitigations to on, off, or to their default value. Some mitigations have additional options, these are indicated in the description in the table. - Default values are always specified in brackets at the **Use default** option for each mitigation. In the following example, the default for Data Execution Prevention is "On". ![Screenshot showing the drop down menu for DEP which shows the default for DEP as On](images/ep-default.png) 
@@ -73,7 +57,7 @@ Arbitrary code guard (ACG) | Prevents the introduction of non-image-backed execu
 Block low integrity images | Prevents the loading of images marked with Low Integrity. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
 Block remote images | Prevents loading of images from remote devices. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
 Block untrusted fonts | Prevents loading any GDI-based fonts not installed in the system fonts directory, notably fonts from the web. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
-Code integrity guard | Restricts loading of images signed by Microsoft, WQL, and higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
+Code integrity guard | Restricts loading of images signed by Microsoft, WHQL, or higher. Can optionally allow Microsoft Store signed images. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
 Disable extension points | Disables various extensibility mechanisms that allow DLL injection into all processes, such as AppInit DLLs, window hooks, and Winsock service providers. | App-level only | [!include[Check mark no](images/svg/check-no.svg)]
 Disable Win32k system calls | Prevents an app from using the Win32k system call table. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
 Do not allow child processes | Prevents an app from creating child processes. | App-level only | [!include[Check mark yes](images/svg/check-yes.svg)]
@@ -118,11 +102,9 @@ Validate stack integrity (StackPivot) | Ensures that the stack has not been redi >The result will be that DEP will be enabled for *test.exe*. DEP will not be enabled for any other app, including *miles.exe*. >CFG will be enabled for *miles.exe*. +### Configure system-level mitigations with the Windows Security app - -### Configure system-level mitigations with the Windows Defender Security Center app - -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection**. @@ -144,10 +126,9 @@ You can now [export these settings as an XML file](import-export-exploit-protect Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. +### Configure app-specific mitigations with the Windows Security app -### Configure app-specific mitigations with the Windows Defender Security Center app - -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings** at the bottom of the screen. 
@@ -160,7 +141,6 @@ Exporting the configuration as an XML file allows you to copy the configuration
 ![Screenshot showing the add file or folder button](images/wdsc-exp-prot-app-settings.png)
-
 4. After selecting the app, you'll see a list of all the mitigations that can be applied. To enable the mitigation, click the check box and then change the slider to **On**. Select any additional options. Choosing **Audit** will apply the mitigation in audit mode only. You will be notified if you need to restart the process or app, or if you need to restart Windows.
 5. Repeat this for all the apps and mitigations you want to configure. Click **Apply** when you're done setting up your configuration.
@@ -171,17 +151,15 @@ You can now [export these settings as an XML file](import-export-exploit-protect Exporting the configuration as an XML file allows you to copy the configuration from one machine onto other machines. +## PowerShell reference - ## PowerShell reference + You can use the Windows Security app to configure Exploit protection, or you can use PowerShell cmdlets. - You can use the Windows Defender Security Center app to configure Exploit protection, or you can use PowerShell cmdlets. - - The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Defender Security Center. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply. + The configuration settings that were most recently modified will always be applied - regardless of whether you use PowerShell or Windows Security. This means that if you use the app to configure a mitigation, then use PowerShell to configure the same mitigation, the app will update to show the changes you made with PowerShell. If you were to then use the app to change the mitigation again, that change would apply. >[!IMPORTANT] >Any changes that are deployed to a machine through Group Policy will override the local configuration. When setting up an initial configuration, use a machine that will not have a Group Policy configuration applied to ensure your changes aren't overridden. - You can use the PowerShell verb `Get` or `Set` with the cmdlet `ProcessMitigation`. Using `Get` will list the current configuration status of any mitigations that have been enabled on the device - add the `-Name` cmdlet and app exe to see mitigations for just that app: ```PowerShell 
@@ -195,15 +173,13 @@ Get-ProcessMitigation -Name processName.exe > >For app-level settings, `NOTSET` indicates the system-level setting for the mitigation will be applied. > ->The default setting for each system-level mitigation can be seen in the Windows Defender Security Center, as described in the [Configure system-level mitigations with the Windows Defender Security Center app section above](#configure-system-level-mitigations-with-the-windows-defender-security-center-app). +>The default setting for each system-level mitigation can be seen in the Windows Security, as described in the [Configure system-level mitigations with the Windows Security app section above](#configure-system-level-mitigations-with-the-windows-defender-security-center-app). Use `Set` to configure each mitigation in the following format: ```PowerShell Set-ProcessMitigation - - ,, ``` - - Where: - \: @@ -215,7 +191,6 @@ Where: - \: - The mitigation's cmdlet as defined in the [mitigation cmdlets table](#cmdlets-table) below, along with any suboptions (surrounded with spaces). Each mitigation is seperated with a comma. - For example, to enable the Data Execution Prevention (DEP) mitigation with ATL thunk emulation and for an executable called *testing.exe* in the folder *C:\Apps\LOB\tests*, and to prevent that executable from creating child processes, you'd use the following command: ```PowerShell 
@@ -292,12 +267,12 @@ Set-ProcessMitigation -Name processName.exe -Enable EnableExportAddressFilterPlu
 ## Customize the notification
-See the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
+See the [Windows Security](../windows-defender-security-center/windows-defender-security-center.md#customize-notifications-from-the-windows-defender-security-center) topic for more information about customizing the notification when a rule is triggered and blocks an app or file.
 ## Related topics
 - [Protect devices from exploits](exploit-protection-exploit-guard.md)
 - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
-- [Evaluate Exploit protection](evaluate-exploit-protection.md)
-- [Enable Exploit protection](enable-exploit-protection.md)
-- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+- [Evaluate exploit protection](evaluate-exploit-protection.md)
+- [Enable exploit protection](enable-exploit-protection.md)
+- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
index f37c7b6665..0ff71be595 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/emet-exploit-protection-exploit-guard.md
@@ -14,22 +14,18 @@ ms.author: v-anbic ms.date: 08/08/2018 --- - - # Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard - **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) - >[!IMPORTANT] ->If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows Defender ATP. +>If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows Defender ATP. > >You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. -This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and Exploit protection in Windows Defender ATP. +This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Windows Defender ATP. Exploit protection in Windows Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. 
@@ -40,9 +36,7 @@ After July 31, 2018, it will not be supported. For more information about the individual features and mitigations available in Windows Defender ATP, as well as how to enable, configure, and deploy them to better protect your network, see the following topics: - [Protect devices from exploits](exploit-protection-exploit-guard.md) -- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) - - +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) ## Feature comparison @@ -52,15 +46,15 @@ For more information about the individual features and mitigations available in   | Windows Defender Exploit Guard | EMET -|:-:|:-: Windows versions | [!include[Check mark yes](images/svg/check-yes.svg)]
        All versions of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.svg)]
        Windows 8.1; Windows 8; Windows 7
        Cannot be installed on Windows 10, version 1709 and later -Installation requirements | [Windows Defender Security Center in Windows 10](../windows-defender-security-center/windows-defender-security-center.md)
        (no additional installation required)
        Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device -User interface | Modern interface integrated with the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training +Installation requirements | [Windows Security in Windows 10](../windows-defender-security-center/windows-defender-security-center.md)
        (no additional installation required)
        Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device +User interface | Modern interface integrated with the [Windows Security app](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training Supportability | [!include[Check mark yes](images/svg/check-yes.svg)]
        [Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)]
        [Part of the Windows 10 support lifecycle](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.svg)]
        Ends after July 31, 2018 Updates | [!include[Check mark yes](images/svg/check-yes.svg)]
        Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.svg)]
        No planned updates or development Exploit protection | [!include[Check mark yes](images/svg/check-yes.svg)]
        All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison))
        [Can convert and import existing EMET configurations](import-export-exploit-protection-emet-xml.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
        Limited set of mitigations Attack surface reduction[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
        [Helps block known infection vectors](attack-surface-reduction-exploit-guard.md)
        [Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
        Limited ruleset configuration only for modules (no processes) Network protection[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
        [Helps block malicious network connections](network-protection-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
        Not available Controlled folder access[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
        [Helps protect important folders](controlled-folders-exploit-guard.md)
        [Configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
        Not available -Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)]
        [Use Windows Defender Security Center app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
        Requires installation and use of EMET tool +Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)]
        [Use Windows Security app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
        Requires installation and use of EMET tool Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes.svg)]
        [Use Group Policy to deploy and manage configurations](import-export-exploit-protection-emet-xml.md#manage-or-deploy-a-configuration) | [!include[Check mark yes](images/svg/check-yes.svg)]
        Available Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
        [Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
        Requires use of EMET tool (EMET_CONF) System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
        [Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
        Not available @@ -68,17 +62,13 @@ Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
        [U Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
        With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
        [Full integration with Windows Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
        Limited Windows event log monitoring Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
        [Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
        Limited to EAF, EAF+, and anti-ROP mitigations - - ([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). ([2](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [Exploit protection](exploit-protection-exploit-guard.md) do not require Windows Defender Antivirus. - - ## Mitigation comparison -The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [Exploit protection feature](exploit-protection-exploit-guard.md). +The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [exploit protection feature](exploit-protection-exploit-guard.md). The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection. @@ -109,10 +99,6 @@ Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] - - - - >[!NOTE] >The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process. 
>
@@ -122,9 +108,9 @@ Validate image dependency integrity | [!include[Check mark yes](images/svg/check
 ## Related topics
 - [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md)
-- [Evaluate Exploit protection](evaluate-exploit-protection.md)
-- [Enable Exploit protection](enable-exploit-protection.md)
-- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md)
-- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+- [Evaluate exploit protection](evaluate-exploit-protection.md)
+- [Enable exploit protection](enable-exploit-protection.md)
+- [Configure and audit exploit protection mitigations](customize-exploit-protection.md)
+- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
index 4f7e747a4b..dd2ed4fda3 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@@ -11,35 +11,18 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 10/02/2018 --- - -# Enable Attack surface reduction - +# Enable attack surface reduction rules **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. - - - - - - - - - - - - -Attack surface reduction is a feature that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. - - - -## Enable and audit Attack surface reduction rules +## Enable and audit attack surface reduction rules You can use Group Policy, PowerShell, or MDM CSPs to configure the state or mode for each rule. This can be useful if you only want to enable some rules, or you want to enable rules individually in audit mode. 
@@ -63,32 +46,28 @@ Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d3 Block credential stealing from the Windows local security authority subsystem (lsass.exe) | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 -Block only Office communication applications from creating child processes (available for beta testing) | 26190899-1602-49e8-8b27-eb1d0a1ce869 -Block Adobe Reader from creating child processes (available for beta testing) | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c +Block only Office communication applications from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 +Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) topic for details on each rule. -### Use Group Policy to enable or audit Attack surface reduction rules +### Use Group Policy to enable or audit attack surface reduction rules +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. -5. 
Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**. - -6. Double-click the **Configure Attack surface reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section: +4. Double-click the **Configure Attack surface reduction rules** setting and set the option to **Enabled**. You can then set the individual state for each rule in the options section: - Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows: - Block mode = 1 - Disabled = 0 - Audit mode = 2 -![Group policy setting showing a blank ASR rule ID and value of 1](images/asr-rules-gp.png) - - - - - ### Use PowerShell to enable or audit Attack surface reduction rules +![Group policy setting showing a blank attack surface reduction rule ID and value of 1](images/asr-rules-gp.png) + +### Use PowerShell to enable or audit attack surface reduction rules 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: @@ -97,14 +76,11 @@ See the [Attack surface reduction](attack-surface-reduction-exploit-guard.md) to Set-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions Enabled ``` - - You can enable the feature in audit mode using the following cmdlet: ```PowerShell Add-MpPreference -AttackSurfaceReductionRules_Ids -AttackSurfaceReductionRules_Actions AuditMode ``` - Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. >[!IMPORTANT> 
@@ -124,15 +100,12 @@ You can also the `Add-MpPreference` PowerShell verb to add new rules to the exis
 >You can obtain a list of rules and their current state by using `Get-MpPreference`
-### Use MDM CSPs to enable Attack surface reduction rules
+### Use MDM CSPs to enable attack surface reduction rules
 Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductionrules) configuration service provider (CSP) to individually enable and set the mode for each rule.
-
-
-
 ## Related topics
-- [Reduce attack surfaces](attack-surface-reduction-exploit-guard.md)
-- [Customize Attack surface reduction](customize-attack-surface-reduction.md)
-- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md)
+- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md)
+- [Customize attack surface reduction](customize-attack-surface-reduction.md)
+- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
index 62f8359359..1d831ea2a9 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md
@@ -11,43 +11,37 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 10/02/2018 --- - - # Enable controlled folder access - **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) +Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. -Controlled folder access helps you protect valuable data from malicious apps and threats, such as ransomware. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). - -This topic describes how to enable Controlled folder access with the Windows Defender Security Center app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). - +This topic describes how to enable Controlled folder access with the Windows Security app, Group Policy, PowerShell, and mobile device management (MDM) configuration service providers (CSPs). ## Enable and audit controlled folder access You can enable controlled folder access with the Security Center app, Group Policy, PowerShell, or MDM CSPs. You can also set the feature to audit mode. Audit mode allows you to test how the feature would work (and review events) without impacting the normal use of the machine. - >[!NOTE] ->The Controlled folder access feature will display the state in the Windows Defender Security Center app under **Virus & threat protection settings**. ->If the feature is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Defender Security Center app after a restart of the device. ->If the feature is set to **Audit mode** with any of those tools, the Windows Defender Security Center app will show the state as **Off**. 
+>The Controlled folder access feature will display the state in the Windows Security app under **Virus & threat protection settings**. +>If the feature is configured with Group Policy, PowerShell, or MDM CSPs, the state will change in the Windows Security app after a restart of the device. +>If the feature is set to **Audit mode** with any of those tools, the Windows Security app will show the state as **Off**. >See [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md) for more details on how audit mode works. >

        ->Group Policy settings that disable local administrator list merging will override Controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through Controlled folder access. These policies include: +>Group Policy settings that disable local administrator list merging will override controlled folder access settings. They also override protected folders and allowed apps set by the local administrator through controlled folder access. These policies include: >- Windows Defender Antivirus **Configure local administrator merge behavior for lists** >- System Center Endpoint Protection **Allow users to add exclusions and overrides** >For more information about disabling local list merging, see [Prevent or allow users to locally modify Windows Defender AV policy settings](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-local-policy-overrides-windows-defender-antivirus#configure-how-locally-and-globally-defined-threat-remediation-and-exclusions-lists-are-merged). -### Use the Windows Defender Security app to enable Controlled folder access +### Use the Windows Defender Security app to enable controlled folder access -1. Open the Windows Defender Security Center by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **Virus & threat protection** tile (or the shield icon on the left menu bar) and then click **Ransomware protection**. 
@@ -70,28 +64,29 @@ You can enable controlled folder access with the Security Center app, Group Poli
 ![Screenshot of group policy option with Enabled and then Enable selected in the drop down](images/cfa-gp-enable.png)
 >[!IMPORTANT]
->To fully enable the Controlled folder access feature, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
+>To fully enable controlled folder access, you must set the Group Policy option to **Enabled** and also select **Enable** in the options drop-down menu.
-### Use PowerShell to enable Controlled folder access
+### Use PowerShell to enable controlled folder access
+
+1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**.
-1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
 2. Enter the following cmdlet:
 ```PowerShell
 Set-MpPreference -EnableControlledFolderAccess Enabled
 ```
-You can enable the feauting in audit mode by specifying `AuditMode` instead of `Enabled`.
+You can enable the feature in audit mode by specifying `AuditMode` instead of `Enabled`.
 Use `Disabled` to turn the feature off.
-### Use MDM CSPs to enable Controlled folder access
+### Use MDM CSPs to enable controlled folder access
 Use the [./Vendor/MSFT/Policy/Config/Defender/GuardedFoldersList](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-guardedfolderslist) configuration service provider (CSP) to allow apps to make changes to protected folders.
## Related topics
-- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md)
-- [Customize Controlled folder access](customize-controlled-folders-exploit-guard.md)
+- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md)
+- [Customize controlled folder access](customize-controlled-folders-exploit-guard.md)
 - [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
index c9c10f4b93..91f8b6b1bb 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Turn on Exploit protection to help mitigate against attacks
+title: Turn on exploit protection to help mitigate against attacks
 keywords: exploit, mitigation, attacks, vulnerability
 description: Exploit protection in Windows 10 provides advanced configuration over the settings offered in EMET.
 search.product: eADQiWindows 10XVcnh
@@ -14,11 +14,8 @@ ms.author: v-anbic
 ms.date: 08/08/2018
 ---
-
-
 # Enable exploit protection
-
 **Applies to:**
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
@@ -45,7 +42,6 @@ See the following topics for instructions on configuring exploit protection miti
 1. [Configure the mitigations you want to enable or audit](customize-exploit-protection.md)
 2. [Export the configuration to an XML file that you can use to deploy the configuration to multiple machines](import-export-exploit-protection-emet-xml.md).
-
 ## Related topics
 - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
index 93d25b4d0b..af47213614 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
@@ -1,5 +1,5 @@
 ---
-title: Turn Network protection on
+title: Turn network protection on
 description: Enable Network protection with Group Policy, PowerShell, or MDM CSPs
 keywords: ANetwork protection, exploits, malicious website, ip, domain, domains, enable, turn on
 search.product: eADQiWindows 10XVcnh
@@ -14,59 +14,40 @@ ms.author: v-anbic ms.date: 05/30/2018 --- - -# Enable Network protection - +# Enable network protection **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) +Network protection helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +This topic describes how to enable network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM). +## Enable and audit network protection - - - - - - - - - - -Network protection is a feature that helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. - -This topic describes how to enable Network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM). - - -## Enable and audit Network protection - -You can enable Network protection in either audit or block mode with Group Policy, PowerShell, or MDM settings with CSP. +You can enable network protection in either audit or block mode with Group Policy, PowerShell, or MDM settings with CSP. For background information on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). +### Use Group Policy to enable or audit network protection -### Use Group Policy to enable or audit Network protection +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -1. 
On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. - -5. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Network protection**. - -6. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following: +4. Double-click the **Prevent users and apps from accessing dangerous websites** setting and set the option to **Enabled**. In the options section, you must specify one of the following: - **Block** - Users will not be able to access malicious IP addresses and domains - **Disable (Default)** - The Network protection feature will not work. Users will not be blocked from accessing malicious domains - **Audit Mode** - If a user visits a malicious IP address or domain, an event will be recorded in the Windows event log but the user will not be blocked from visiting the address. >[!IMPORTANT] ->To fully enable the Network protection feature, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. +>To fully enable network protection, you must set the Group Policy option to **Enabled** and also select **Block** in the options drop-down menu. - - ### Use PowerShell to enable or audit Network protection + ### Use PowerShell to enable or audit network protection 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet: 
@@ -75,7 +56,7 @@ For background information on how audit mode works, and when you might want to u Set-MpPreference -EnableNetworkProtection Enabled ``` -You can enable the feauting in audit mode using the following cmdlet: +You can enable the feature in audit mode using the following cmdlet: ``` Set-MpPreference -EnableNetworkProtection AuditMode @@ -84,14 +65,12 @@ Set-MpPreference -EnableNetworkProtection AuditMode Use `Disabled` insead of `AuditMode` or `Enabled` to turn the feature off. +### Use MDM CSPs to enable or audit network protection -### Use MDM CSPs to enable or audit Network protection - - -Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure Network protection. +Use the [./Vendor/MSFT/Policy/Config/Defender/EnableNetworkProtection](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-enablenetworkprotection) configuration service provider (CSP) to enable and configure network protection. ## Related topics - [Protect your network](network-protection-exploit-guard.md) -- [Evaluate Network protection](evaluate-network-protection.md) +- [Evaluate network protection](evaluate-network-protection.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md index cb3e681ae8..2c5e663e91 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md 
@@ -17,7 +17,7 @@ ms.date: 08/08/2018 This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. Some applications, including device drivers, may be incompatible with HVCI. -This can cause devices or software to malfunction and in rare cases may result in a Blue Screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. +This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. ## How to turn on HVCI in Windows 10 @@ -180,6 +180,7 @@ This field helps to enumerate and report state on the relevant security properti | **4.** | If present, Secure Memory Overwrite is available. | | **5.** | If present, NX protections are available. | | **6.** | If present, SMM mitigations are available. | +| **7.** | If present, Mode Based Execution Control is available. | #### InstanceIdentifier @@ -199,6 +200,7 @@ This field describes the required security properties to enable virtualization-b | **4.** | If present, Secure Memory Overwrite is needed. | | **5.** | If present, NX protections are needed. | | **6.** | If present, SMM mitigations are needed. | +| **7.** | If present, Mode Based Execution Control is needed. | #### SecurityServicesConfigured 
@@ -274,4 +276,4 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. - HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time. - Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. - - The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. \ No newline at end of file + - The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index d641593a68..b0eb1162cb 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md 
@@ -1,5 +1,5 @@ --- -title: Use a demo to see how ASR can help protect your devices +title: Use a demo to see how ASR rules can help protect your devices description: The custom demo tool lets you create sample malware infection scenarios so you can see how ASR would block and prevent attacks keywords: Attack surface reduction, hips, host intrusion prevention system, protection rules, anti-exploit, antiexploit, exploit, infection prevention, evaluate, test, demo search.product: eADQiWindows 10XVcnh @@ -11,34 +11,18 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 10/02/2018 --- - -# Evaluate Attack surface reduction rules +# Evaluate attack surface reduction rules **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) +Attack surface reduction rules help prevent actions and apps that are typically used by exploit-seeking malware to infect machines. Attack surface reduction rules are supported on Windows Server 2019 as well as Windows 10 clients. - - - - - - - - - - - - - - -Attack surface reduction is a feature that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. - -This topic helps you evaluate Attack surface reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization. +This topic helps you evaluate attack surface reduction rules. It explains how to demo ASR rules using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization. >[!NOTE] >This topic uses a customized testing tool and PowerShell cmdlets to make it easy to enable the feature and test it. 
@@ -47,10 +31,9 @@ This topic helps you evaluate Attack surface reduction. It explains how to demo >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. +## Use the demo tool to see how attack surface reduction rules work -## Use the demo tool to see how Attack surface reduction works - -Use the **ExploitGuard ASR test tool** app to see how Attack surface reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines. +Use the **ExploitGuard ASR test tool** app to see how attack surface reduction rules are applied in certain key protection and high-risk scenarios. These scenarios are typical infection vectors for malware that use exploits to spread and infect machines. The tool is part of the Windows Defender Exploit Guard evaluation package: - [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) 
@@ -95,9 +78,9 @@ Choosing the **Mode** will change how the rule functions: Mode option | Description -|- -Disabled | The rule will not fire and no event will be recorded. This is the same as if you had not enabled Attack surface reduction at all. -Block | The rule will fire and the suspicious behavior will be blocked from running. An event will be recorded in the event log. This is the same as if you had enabled Attack surface reduction. -Audit | The rule wil fire, but the suspicious behavior will **not** be blocked from running. An event will be recorded in the event log as if the rule did block the behavior. This allows you to see how Attack surface reduction will work but without impacting how you use the machine. +Disabled | The rule will not fire and no event will be recorded. This is the same as if you had not enabled attack surface reduction rules at all. +Block | The rule will fire and the suspicious behavior will be blocked from running. An event will be recorded in the event log. This is the same as if you had enabled attack surface reduction rules. +Audit | The rule wil fire, but the suspicious behavior will **not** be blocked from running. An event will be recorded in the event log as if the rule did block the behavior. This allows you to see how attack surface reduction rules will work but without impacting how you use the computer. Block mode will cause a notification to appear on the user's desktop:
@@ -111,7 +94,6 @@ The following sections describe what each rule does and what the scenarios entai ### Rule: Block executable content from email client and webmail - This rule blocks certain files from being run or launched from an email. You can specify an individual scenario, based on the category of the file type or whether the email is in Microsoft Outlook or web mail. The following table describes the category of the file type that will be blocked and the source of the email for each scenario in this rule:
@@ -145,18 +127,13 @@ The following scenarios can be individually chosen: - Extension Block - Extensions will be blocked from being used by Office apps. Typically these extensions use the Windows Scripting Host (.wsh files) to run scripts that automate certain tasks or provide user-created add-on features. - ### Rule: Block Office applications from injecting into other processes - >[!NOTE] >There is only one scenario to test for this rule. - Office apps, such as Word, Excel, or PowerPoint, will not be able to inject code into other processes. This is typically used by malware to run malicious code in an attempt to hide the activity from antivirus scanning engines. - - ### Rule: Impede JavaScript and VBScript to launch executables JavaScript and VBScript scripts can be used by malware to launch other malicious apps. This rule prevents these scripts from being allowed to launch apps, thus preventing malicious use of the scripts to spread malware and infect machines.
@@ -168,13 +145,10 @@ JavaScript and VBScript scripts can be used by malware to launch other malicious - VBScript - VBScript will not be allowed to launch executable files - - ### Rule: Block execution of potentially obfuscated scripts Malware and other threats can attempt to obfuscate or hide their malicious code in some script files. This rule prevents scripts that appear to be obfuscated from running. - - Random - A scenario will be randomly chosen from this list - AntiMalwareScanInterface
@@ -203,7 +177,6 @@ Event ID | Description 1122 | Event when rule fires in Audit-mode 1121 | Event when rule fires in Block-mode - ## Use audit mode to measure impact You can also enable the Attack surface reduction feature in audit mode. This lets you see a record of what apps would have been blocked if you had enabled the feature.
@@ -222,17 +195,14 @@ This enables all Attack surface reduction rules in audit mode. >If you want to fully audit how Attack surface reduction will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Attack surface reduction topic](attack-surface-reduction-exploit-guard.md). - - -## Customize Attack surface reduction +## Customize attack surface reduction rules During your evaluation, you may wish to configure each rule individualy or exclude certain files and processes from being evaluated by the feature. See the [Customize Exploit protection](customize-exploit-protection.md) topic for information on configuring the feature with management tools, including Group Policy and MDM CSP policies. - ## Related topics -- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) +- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) - [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) - [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
index db37592aa5..9fa8ab6d2b 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md
@@ -1,5 +1,5 @@ --- -title: See how CFA can help protect files from being changed by malicious apps +title: See how controlled folder access can help protect files from being changed by malicious apps description: Use a custom tool to see how Controlled folder access works in Windows 10. keywords: Exploit protection, windows 10, windows defender, ransomware, protect, evaluate, test, demo, try search.product: eADQiWindows 10XVcnh
@@ -11,32 +11,20 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 08/08/2018 +ms.date: 10/02/2018 --- - -# Evaluate Controlled folder access +# Evaluate controlled folder access **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - - - - - - - - - - -[Controlled folder access](controlled-folders-exploit-guard.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. +[Controlled folder access](controlled-folders-exploit-guard.md) is a feature that helps protect your documents and files from modification by suspicious or malicious apps. Controlled folder access is supported on Windows Server 2019 as well as Windows 10 clients. It is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. -This topic helps you evaluate Controlled folder access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization. +This topic helps you evaluate controlled folder access. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization. >[!NOTE] >This topic uses PowerShell cmdlets to make it easy to enable the feature and test it.
@@ -45,18 +33,16 @@ This topic helps you evaluate Controlled folder access. It explains how to demo >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -## Use the demo tool to see how Controlled folder access works +## Use the demo tool to see how controlled folder access works -Use the **ExploitGuard CFA File Creator** tool to see how Controlled folder access can prevent a suspicious app from creating files in protected folders. +Use the **ExploitGuard CFA File Creator** tool to see how controlled folder access can prevent a suspicious app from creating files in protected folders. The tool is part of the Windows Defender Exploit Guard evaluation package: - [Download the Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) -This tool can be run locally on an individual machine to see the typical behavior of Controlled folder access. The tool is considered by Windows Defender ATP to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders. - -You can enable Controlled folder access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders. - +This tool can be run locally on an individual machine to see the typical behavior of controlled folder access. The tool is considered by Windows Defender ATP to be suspicious and will be blocked from creating new files or making changes to existing files in any of your protected folders. +You can enable controlled folder access, run the tool, and see what the experience is like when a suspicious app is prevented from accessing or modifying files in protected folders. 1. Type **powershell** in the Start menu. 
@@ -79,7 +65,7 @@ You can enable Controlled folder access, run the tool, and see what the experien ![Exampke notification that says Unauthorized changes blocked: Controlled folder access blocked (file name) from making changes to the folder (folder name)](images/cfa-notif.png) -## Review Controlled folder access events in Windows Event Viewer +## Review controlled folder access events in Windows Event Viewer You can also review the Windows event log to see the events there were created when using the tool. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
@@ -96,15 +82,15 @@ You can also review the Windows event log to see the events there were created w Event ID | Description -|- 5007 | Event when settings are changed -1124 | Audited Controlled folder access event -1123 | Blocked Controlled folder access event -1127 | Blocked Controlled folder access sector write block event -1128 | Audited Controlled folder access sector write block event +1124 | Audited controlled folder access event +1123 | Blocked controlled folder access event +1127 | Blocked controlled folder access sector write block event +1128 | Audited controlled folder access sector write block event ## Use audit mode to measure impact -As with other Windows Defender EG features, you can enable the Controlled folder access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting. +You can enable the controlled folder access feature in audit mode. This lets you see a record of what *would* have happened if you had enabled the setting. You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how many suspicious file modification attempts generally occur over a certain period.
@@ -115,21 +101,18 @@ Set-MpPreference -EnableControlledFolderAccess AuditMode ``` >[!TIP] ->If you want to fully audit how Controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). -You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [Controlled folder access topic](controlled-folders-exploit-guard.md). - +>If you want to fully audit how controlled folder access will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +You can also use Group Policy, Intune, MDM, or System Center Configuration Manager to configure and deploy the setting, as described in the main [controlled folder access topic](controlled-folders-exploit-guard.md). For further details on how audit mode works, and when you might want to use it, see the [audit Windows Defender Exploit Guard topic](audit-windows-defender-exploit-guard.md). - - ## Customize protected folders and apps During your evaluation, you may wish to add to the list of protected folders, or allow certain apps to modify files. -See the main [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) topic for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP. +See [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) for configuring the feature with management tools, including Group Policy, PowerShell, and MDM CSP. 
## Related topics -- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) +- [Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) - [Evaluate Windows Defender ATP](evaluate-windows-defender-exploit-guard.md) - [Use audit mode](audit-windows-defender-exploit-guard.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
index d4d3705b4a..c84eaa37c2 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md
@@ -14,20 +14,17 @@ ms.author: v-anbic ms.date: 05/30/2018 --- - - # Evaluate exploit protection **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) - Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are included in exploit protection. -This topic helps you evaluate exploit protection. For more information about what exploit protection does and how to configure it for real-world deployment, see [Exploit protection](exploit-protection-exploit-guard.md) . +This topic helps you evaluate exploit protection. For more information about what exploit protection does and how to configure it for real-world deployment, see [Exploit protection](exploit-protection-exploit-guard.md). >[!NOTE] >This topic uses PowerShell cmdlets to make it easy to enable the feature and test it.
@@ -40,7 +37,7 @@ This topic helps you evaluate exploit protection. For more information about wha For this demo you will enable the mitigation that prevents child processes from being created. You'll use Internet Explorer as the parent app. -First, enable the mitigation using PowerShell, and then confirm that it has been applied in the Windows Defender Security Center app: +First, enable the mitigation using PowerShell, and then confirm that it has been applied in the Windows Security app: 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator**
@@ -50,13 +47,13 @@ First, enable the mitigation using PowerShell, and then confirm that it has been Set-ProcessMitigation -Name iexplore.exe -Enable DisallowChildProcessCreation ``` -1. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**. +3. Open Windows Security by clicking the shield icon in the task bar or searching the Start menu for **Defender**. -2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen. +4. Click the **App & browser control** tile (or the app icon on the left menu bar) and then **Exploit protection settings** at the bottom of the screen. -3. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**. +5. Go to the **Program settings** section, scroll down, click **iexplore.exe**, and then **Edit**. -4. Find the **Do not allow child processes** setting and make sure that **Override System settings** is enabled and the switch is set to **On**. +6. Find the **Do not allow child processes** setting and make sure that **Override System settings** is enabled and the switch is set to **On**. Now that you know the mitigation has been enabled, you can test to see if it works and what the experience would be for an end user:
@@ -78,7 +75,6 @@ Lastly, we can disable the mitigation so that Internet Explorer works properly a 5. Validate that Internet Explorer runs by running it from the run dialog box again. It should open as expected. - ## Review exploit protection events in Windows Event Viewer You can now review the events that exploit protection sent to the Windows Event Viewer to confirm what happened. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events).
@@ -99,7 +95,6 @@ You can now review the events that exploit protection sent to the Windows Event Process '\Device\HarddiskVolume1\Program Files\Internet Explorer\iexplore.exe' (PID 4692) was blocked from creating a child process 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' with command line '"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4692 CREDAT:75009 /prefetch:2'. - ## Use audit mode to measure impact You can enable exploit protection in audit mode. You can enable audit mode for individual mitigations.
@@ -112,8 +107,6 @@ See the [**PowerShell reference** section in customize exploit protection](custo For further details on how audit mode works, and when you might want to use it, see [audit Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md). - - ## Related topics - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) - [Enable exploit protection](enable-exploit-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
index dc6546e9a9..ee1e9948c7 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
@@ -1,5 +1,5 @@ --- -title: Conduct a demo to see how Network protection works +title: Conduct a demo to see how network protection works description: Quickly see how Network protection works by performing common scenarios that it protects against keywords: Network protection, exploits, malicious website, ip, domain, domains, evaluate, test, demo search.product: eADQiWindows 10XVcnh
@@ -14,30 +14,13 @@ ms.author: v-anbic ms.date: 08/09/2018 --- -# Evaluate Network protection - - +# Evaluate network protection **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - - - - - - - - - - - - -Supported in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). - -It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +Network protection helps prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. This topic helps you evaluate Network protection by enabling the feature and guiding you to a testing site.
@@ -47,7 +30,7 @@ This topic helps you evaluate Network protection by enabling the feature and gui >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -## Enable Network protection +## Enable network protection 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 2. Enter the following cmdlet:
@@ -66,10 +49,9 @@ You can also carry out the processes described in this topic in audit or disable You will get a 403 Forbidden response in the browser, and you will see a notification that the network connnection was blocked. -![Example notification that says Connection blocked: Your IT administrator caused Windows Defender Security center to block this network connection. Contact your IT help desk.](images/np-notif.png) +![Example notification that says Connection blocked: Your IT administrator caused Windows Security to block this network connection. Contact your IT help desk.](images/np-notif.png) - - ## Review Network protection events in Windows Event Viewer +## Review network protection events in Windows Event Viewer You can also review the Windows event log to see the events there were created when performing the demo. You can use the custom view below or [locate them manually](event-views-exploit-guard.md#list-of-attack-surface-reduction-events). 
@@ -81,18 +63,18 @@ You can also review the Windows event log to see the events there were created w 4. Click **OK**. -5. This will create a custom view that filters to only show the following events related to Network protection: +5. This will create a custom view that filters to only show the following events related to network protection: Event ID | Description -|- 5007 | Event when settings are changed -1125 | Event when rule fires in Audit-mode -1126 | Event when rule fires in Block-mode +1125 | Event when rule fires in audit mode +1126 | Event when rule fires in block mode ## Use audit mode to measure impact -You can also enable the Network protection feature in audit mode. This lets you see a record of what IPs and domains would have been blocked if the feature were enabled. +You can also enable the network protection feature in audit mode. This lets you see a record of which IP addresses and domains would have been blocked if the feature were enabled. You might want to do this when testing how the feature will work in your organization, to ensure it doesn't affect your line-of-business apps, and to get an idea of how often the feature will block connections during normal use. 
@@ -101,17 +83,12 @@ To enable audit mode, use the following PowerShell cmdlet: ```PowerShell Set-MpPreference -EnableNetworkProtection AuditMode ``` - - >[!TIP] ->If you want to fully audit how Network protection will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). +>If you want to fully audit how network protection will work in your organization, you'll need to use a management tool to deploy this setting to machines in your network(s). You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the setting, as described in the main [Network protection topic](network-protection-exploit-guard.md). +## Related topics - - - ## Related topics - -- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) +- [Protect your network](network-protection-exploit-guard.md) - [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md) - [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md
index e7852096d0..ee57054634 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md
@@ -14,48 +14,36 @@ ms.author: v-anbic ms.date: 05/30/2018 --- - - # Evaluate Windows Defender Exploit Guard - **Applies to:** - Windows 10, version 1709 and later - Windows Server 2016 - - - - - -Windows Defender Exploit Guard is a new collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software. +Windows Defender Exploit Guard is a collection of tools and features that help you keep your network safe from exploits. Exploits are infection vectors for malware that rely on vulnerabilities in software. Windows Defender Exploit Guard is comprised of four features. We've developed evaluation guides for each of the features so you can easily and quickly see how they work and determine if they are suitable for your organization. >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how they work. - Before you begin, you should read the main [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) topic to get an understanding of each of the features and what their prerequisites are. 
- -- [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md) -- [Evaluate Controlled folder access](evaluate-controlled-folder-access.md) -- [Evaluate Exploit protection](evaluate-exploit-protection.md) -- [Evaluate Network protection](evaluate-network-protection.md) +- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md) +- [Evaluate controlled folder access](evaluate-controlled-folder-access.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Evaluate network protection](evaluate-network-protection.md) You might also be interested in enabling the features in audit mode - which allows you to see how the features work in the real world without impacting your organization or employee's work habits: - [Use audit mode to evaluate Windows Defender Exploit Guard features](audit-windows-defender-exploit-guard.md) - - ## Related topics Topic | Description ---|--- -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) -- [Reduce attack surfaces with Windows Defender Exploit Guard](attack-surface-reduction-exploit-guard.md) -- [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md) -- [Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
index ceb60ddeb8..1bf42dc66c 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md
@@ -15,26 +15,19 @@ ms.author: v-anbic ms.date: 08/08/2018 --- - # View attack surface reduction events - **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - - - - You can review attack surface reduction events in Event Viewer. This is useful so you can monitor what rules or settings are working, and determine if any settings are too "noisy" or impacting your day to day workflow. Reviewing the events is also handy when you are evaluating the features, as you can enable audit mode for the features or settings, and then review what would have happened if they were fully enabled. This topic lists all the events, their associated feature or setting, and describes how to create custom views to filter to specific events. -You can also get detailed reporting into events and blocks as part of Windows Defender Security Center, which you gain access to if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). +You can also get detailed reporting into events and blocks as part of Windows Security, which you gain access to if you have an E5 subscription and use [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md). ## Use custom views to review attack surface reduction capabilities
@@ -42,7 +35,7 @@ You can create custom views in the Windows Event Viewer to only see events for s The easiest way to do this is to import a custom view as an XML file. You can obtain XML files for each of the features in the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w), or you can copy the XML directly from this page. -You can also manually navigate to the event area that corresponds to the Windows Defender EG feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details. +You can also manually navigate to the event area that corresponds to the feature, see the [list of attack surface reduction events](#list-of-attack-surface-reduction-events) section at the end of this topic for more details. ### Import an existing XML custom view @@ -82,11 +75,7 @@ You can also manually navigate to the event area that corresponds to the Windows 5. This will create a custom view that filters to only show the [events related to that feature](#list-of-all-windows-defender-exploit-guard-events). - - - - -### XML for Attack surface reduction events +### XML for attack surface reduction rule events ```xml @@ -97,7 +86,7 @@ You can also manually navigate to the event area that corresponds to the Windows ``` -### XML for Controlled folder access events +### XML for controlled folder access events ```xml @@ -108,7 +97,7 @@ You can also manually navigate to the event area that corresponds to the Windows ``` -### XML for Exploit protection events +### XML for exploit protection events ```xml @@ -128,7 +117,7 @@ You can also manually navigate to the event area that corresponds to the Windows ``` -### XML for Network protection events +### XML for network protection events ```xml @@ -140,8 +129,6 @@ You can also manually navigate to the event area that corresponds to the Windows ``` - - ## List of attack surface reduction events 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index 3fa5e1d678..a20efc725e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -14,10 +14,7 @@ ms.author: v-anbic ms.date: 08/09/2018 --- - - -# Protect devices from exploits with with Windows Defender Exploit Guard - +# Protect devices from exploits **Applies to:** 
@@ -30,32 +27,25 @@ It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. -Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). +Exploit protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - which gives you detailed reporting into exploit protection events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). - You [configure these settings using the Windows Defender Security Center app or PowerShell](customize-exploit-protection.md) on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once. + You [configure these settings using the Windows Security app or PowerShell](customize-exploit-protection.md) on an individual machine, and then [export the configuration as an XML file that you can deploy to other machines](import-export-exploit-protection-emet-xml.md). You can use Group Policy to distribute the XML file to multiple devices at once. When a mitigation is encountered on the machine, a notification will be displayed from the Action Center. 
You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. - You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Exploit protection would impact your organization if it were enabled. + You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how exploit protection would impact your organization if it were enabled. - Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See the [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard topic](emet-exploit-protection-exploit-guard.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to Exploit protection on Windows 10. + Many of the features in the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) have been included in Exploit protection, and you can convert and import existing EMET configuration profiles into Exploit protection. See [Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard](emet-exploit-protection-exploit-guard.md) for more information on how Exploit protection supersedes EMET and what the benefits are when considering moving to exploit protection on Windows 10. >[!IMPORTANT] - >If you are currently using EMET you should be aware that [EMET will reach end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows 10. 
You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. + >If you are currently using EMET you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows 10. You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. >[!WARNING] ->Some security mitigation technologies may have compatibility issues with some applications. You should test Exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. +>Some security mitigation technologies may have compatibility issues with some applications. You should test exploit protection in all target use scenarios by using [audit mode](audit-windows-defender-exploit-guard.md) before deploying the configuration across a production environment or the rest of your network. 
-## Requirements + ## Review exploit protection events in Windows Event Viewer -Windows 10 version | Windows Defender Advanced Threat Protection --|- -Windows 10 version 1709 or later | For full reporting, you need a license for [Windows Defender ATP](../windows-defender-atp/windows-defender-advanced-threat-protection.md) - - - ## Review Exploit protection events in Windows Event Viewer - -You can review the Windows event log to see events that are created when Exploit protection blocks (or audits) an app: +You can review the Windows event log to see events that are created when exploit protection blocks (or audits) an app: 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *ep-events.xml* to an easily accessible location on the machine. 
@@ -103,11 +93,11 @@ Win32K | 260 | Untrusted Font ## Comparison between Enhanced Mitigation Experience Toolkit and Windows Defender Exploit Guard >[!IMPORTANT] ->If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with Exploit protection in Windows Defender ATP. +>If you are currently using EMET, you should be aware that [EMET reached end of life on July 31, 2018](https://blogs.technet.microsoft.com/srd/2016/11/03/beyond-emet/). You should consider replacing EMET with exploit protection in Windows Defender ATP. > ->You can [convert an existing EMET configuration file into Exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. +>You can [convert an existing EMET configuration file into exploit protection](import-export-exploit-protection-emet-xml.md#convert-an-emet-configuration-file-to-an-exploit-protection-configuration-file) to make the migration easier and keep your existing settings. -This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and Exploit protection in Windows Defender ATP. +This topic describes the differences between the Enhance Mitigation Experience Toolkit (EMET) and exploit protection in Windows Defender ATP. Exploit protection in Windows Defender ATP is our successor to EMET and provides stronger protection, more customization, an easier user interface, and better configuration and management options. 
@@ -120,25 +110,22 @@ For more information about the individual features and mitigations available in - [Protect devices from exploits](exploit-protection-exploit-guard.md) - [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) - - - - ## Feature comparison +## Feature comparison The table in this section illustrates the differences between EMET and Windows Defender Exploit Guard.   | Windows Defender Exploit Guard | EMET -|:-:|:-: Windows versions | [!include[Check mark yes](images/svg/check-yes.svg)]
        All versions of Windows 10 starting with version 1709 | [!include[Check mark yes](images/svg/check-yes.svg)]
        Windows 8.1; Windows 8; Windows 7
        Cannot be installed on Windows 10, version 1709 and later -Installation requirements | [Windows Defender Security Center in Windows 10](../windows-defender-security-center/windows-defender-security-center.md)
        (no additional installation required)
        Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device -User interface | Modern interface integrated with the [Windows Defender Security Center](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training +Installation requirements | [Windows Security in Windows 10](../windows-defender-security-center/windows-defender-security-center.md)
        (no additional installation required)
        Windows Defender Exploit Guard is built into Windows - it doesn't require a separate tool or package for management, configuration, or deployment. | Available only as an additional download and must be installed onto a management device +User interface | Modern interface integrated with the [Windows Security app](../windows-defender-security-center/windows-defender-security-center.md) | Older, complex interface that requires considerable ramp-up training Supportability | [!include[Check mark yes](images/svg/check-yes.svg)]
        [Dedicated submission-based support channel](https://www.microsoft.com/en-us/wdsi/filesubmission)[[1](#fn1)]
        [Part of the Windows 10 support lifecycle](https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet) | [!include[Check mark no](images/svg/check-no.svg)]
        Ends after July 31, 2018 Updates | [!include[Check mark yes](images/svg/check-yes.svg)]
        Ongoing updates and development of new features, released twice yearly as part of the [Windows 10 semi-annual update channel](https://blogs.technet.microsoft.com/windowsitpro/2017/07/27/waas-simplified-and-aligned/) | [!include[Check mark no](images/svg/check-no.svg)]
        No planned updates or development Exploit protection | [!include[Check mark yes](images/svg/check-yes.svg)]
        All EMET mitigations plus new, specific mitigations ([see table](#mitigation-comparison))
        [Can convert and import existing EMET configurations](import-export-exploit-protection-emet-xml.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
        Limited set of mitigations Attack surface reduction[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
        [Helps block known infection vectors](attack-surface-reduction-exploit-guard.md)
        [Can configure individual rules](enable-attack-surface-reduction.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
        Limited ruleset configuration only for modules (no processes) Network protection[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
        [Helps block malicious network connections](network-protection-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
        Not available Controlled folder access[[2](#fn2)] | [!include[Check mark yes](images/svg/check-yes.svg)]
        [Helps protect important folders](controlled-folders-exploit-guard.md)
        [Configurable for apps and folders](customize-controlled-folders-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
        Not available -Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)]
        [Use Windows Defender Security Center app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
        Requires installation and use of EMET tool +Configuration with GUI (user interface) | [!include[Check mark yes](images/svg/check-yes.svg)]
        [Use Windows Security app to customize and manage configurations](customize-exploit-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
        Requires installation and use of EMET tool Configuration with Group Policy | [!include[Check mark yes](images/svg/check-yes.svg)]
        [Use Group Policy to deploy and manage configurations](import-export-exploit-protection-emet-xml.md#manage-or-deploy-a-configuration) | [!include[Check mark yes](images/svg/check-yes.svg)]
        Available Configuration with shell tools | [!include[Check mark yes](images/svg/check-yes.svg)]
        [Use PowerShell to customize and manage configurations](customize-exploit-protection.md#powershell-reference) | [!include[Check mark yes](images/svg/check-yes.svg)]
        Requires use of EMET tool (EMET_CONF) System Center Configuration Manager | [!include[Check mark yes](images/svg/check-yes.svg)]
        [Use Configuration Manager to customize, deploy, and manage configurations](https://docs.microsoft.com/en-us/sccm/protect/deploy-use/create-deploy-exploit-guard-policy) | [!include[Check mark no](images/svg/check-no.svg)]
        Not available @@ -146,19 +133,15 @@ Microsoft Intune | [!include[Check mark yes](images/svg/check-yes.svg)]
        [U Reporting | [!include[Check mark yes](images/svg/check-yes.svg)]
        With [Windows event logs](event-views-exploit-guard.md) and [full audit mode reporting](audit-windows-defender-exploit-guard.md)
        [Full integration with Windows Defender Advanced Threat Protection](../windows-defender-atp/security-analytics-dashboard-windows-defender-advanced-threat-protection.md) | [!include[Check mark yes](images/svg/check-yes.svg)]
        Limited Windows event log monitoring Audit mode | [!include[Check mark yes](images/svg/check-yes.svg)]
        [Full audit mode with Windows event reporting](audit-windows-defender-exploit-guard.md) | [!include[Check mark no](images/svg/check-no.svg)]
        Limited to EAF, EAF+, and anti-ROP mitigations - - ([1](#ref1)) Requires an enterprise subscription with Azure Active Directory or a [Software Assurance ID](https://www.microsoft.com/en-us/licensing/licensing-programs/software-assurance-default.aspx). -([2](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [Exploit protection](exploit-protection-exploit-guard.md) do not require Windows Defender Antivirus. - - +([2](#ref2-1)) Additional requirements may apply (such as use of Windows Defender Antivirus). See [Windows Defender Exploit Guard requirements](windows-defender-exploit-guard.md#requirements) for more details. Customizable mitigation options that are configured with [exploit protection](exploit-protection-exploit-guard.md) do not require Windows Defender Antivirus. ## Mitigation comparison -The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [Exploit protection feature](exploit-protection-exploit-guard.md). +The mitigations available in EMET are included in Windows Defender Exploit Guard, under the [exploit protection feature](exploit-protection-exploit-guard.md). -The table in this section indicates the availability and support of native mitigations between EMET and Exploit protection. +The table in this section indicates the availability and support of native mitigations between EMET and exploit protection. Mitigation | Available in Windows Defender Exploit Guard | Available in EMET -|:-:|:-: 
@@ -186,11 +169,6 @@ Validate handle usage | [!include[Check mark yes](images/svg/check-yes.svg)] | [ Validate heap integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] Validate image dependency integrity | [!include[Check mark yes](images/svg/check-yes.svg)] | [!include[Check mark no](images/svg/check-no.svg)] - - - - - >[!NOTE] >The Advanced ROP mitigations that are available in EMET are superseded by ACG in Windows 10, which other EMET advanced settings are enabled by default in Windows Defender Exploit Guard as part of enabling the anti-ROP mitigations for a process. > @@ -199,10 +177,10 @@ Validate image dependency integrity | [!include[Check mark yes](images/svg/check ## Related topics -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) -- [Evaluate Exploit protection](evaluate-exploit-protection.md) -- [Enable Exploit protection](enable-exploit-protection.md) -- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Protect devices from exploits](exploit-protection-exploit-guard.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Enable exploit protection](enable-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md index 2da48a5d94..adf0afe4dd 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md 
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md
@@ -1,5 +1,5 @@
 ---
-title: Deploy Exploit protection mitigations across your organization
+title: Deploy exploit protection mitigations across your organization
 keywords: Exploit protection, mitigations, import, export, configure, emet, convert, conversion, deploy, install
 description: Use Group Policy to deploy mitigations configuration. You can also convert an existing EMET configuration and import it as an Exploit protection configuration.
 search.product: eADQiWindows 10XVcnh
@@ -14,67 +14,41 @@ ms.author: v-anbic ms.date: 04/30/2018 --- - - -# Import, export, and deploy Exploit protection configurations - +# Import, export, and deploy exploit protection configurations **Applies to:** - - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - - - - - - - - - - - - - - - Exploit protection applies helps protect devices from malware that use exploits to spread and infect. It consists of a number of mitigations that can be applied at either the operating system level, or at the individual app level. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). -Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are now included in Exploit protection. +Many of the features that are part of the [Enhanced Mitigation Experience Toolkit (EMET)](https://technet.microsoft.com/en-us/security/jj653751) are now included in exploit protection. -You use the Windows Defender Security Center or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings. +You use the Windows Security app or PowerShell to create a set of mitigations (known as a configuration). You can then export this configuration as an XML file and share it with multiple machines on your network so they all have the same set of mitigation settings. -You can also convert and import an existing EMET configuration XML file into an Exploit protection configuration XML. +You can also convert and import an existing EMET configuration XML file into an exploit protection configuration XML. This topic describes how to create a configuration file and deploy it across your network, and how to convert an EMET configuration. 
-The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into Exploit protection and then review the settings in the Windows Defender Security Center app, as described further in this topic. - - +The [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) contains a sample configuration file (name *ProcessMitigation-Selfhost-v4.xml* that you can use to see how the XML structure looks. The sample file also contains settings that have been converted from an EMET configuration. You can open the file in a text editor (such as Notepad) or import it directly into exploit protection and then review the settings in the Windows Security app, as described further in this topic. ## Create and export a configuration file Before you export a configuration file, you need to ensure you have the correct settings. -You should first configure Exploit protection on a single, dedicated machine. See the [Customize Exploit protection](customize-exploit-protection.md) topic for descriptions about and instructions for configuring mitigations. +You should first configure exploit protection on a single, dedicated machine. See [Customize exploit protection](customize-exploit-protection.md) for descriptions about and instructions for configuring mitigations. -When you have configured Exploit protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Defender Security Center app or PowerShell. +When you have configured exploit protection to your desired state (including both system-level and app-level mitigations), you can export the file using either the Windows Security app or PowerShell. 
+### Use the Windows Security app to export a configuration file - - -### Use the Windows Defender Security Center app to export a configuration file - - -1. Open the Windows Defender Security Center app by clicking the shield icon in the task bar or searching the start menu for **Defender**. +1. Open the Windows Security app by clicking the shield icon in the task bar or searching the start menu for **Defender**. 2. Click the **App & browser control** tile (or the app icon on the left menu bar) and then click **Exploit protection settings**: - ![Highlight of the Exploit protection settings option in the Windows Defender Security Center app](images/wdsc-exp-prot.png) + ![Highlight of the Exploit protection settings option in the Windows Security app](images/wdsc-exp-prot.png) 3. At the bottom of the **Exploit protection** section, click **Export settings** and then choose the location and name of the XML file where you want the configuration to be saved. @@ -83,7 +57,6 @@ When you have configured Exploit protection to your desired state (including bot >[!NOTE] >When you export the settings, all settings for both app-level and system-level mitigations are saved. This means you don't need to export a file from both the **System settings** and **Program settings** sections - either section will export all settings. - ### Use PowerShell to export a configuration file 1. Type **powershell** in the Start menu, right click **Windows PowerShell** and click **Run as administrator** 
@@ -98,12 +71,11 @@ Change `filename` to any name or location of your choosing. > [!IMPORTANT] > When you deploy the configuration using Group Policy, all machines that will use the configuration must be able to access the configuration file. Ensure you place the file in a shared location. - ## Import a configuration file -You can import an Exploit protection configuration file that you've previously created. You can only use PowerShell to import the configuration file. +You can import an exploit protection configuration file that you've previously created. You can only use PowerShell to import the configuration file. -After importing, the settings will be instantly applied and can be reviewed in the Windows Defender Security Center app. +After importing, the settings will be instantly applied and can be reviewed in the Windows Security app. ### Use PowerShell to import a configuration file 
@@ -115,16 +87,16 @@ After importing, the settings will be instantly applied and can be reviewed in t Set-ProcessMitigation -PolicyFilePath filename.xml ``` -Change `filename` to the location and name of the Exploit protection XML file. +Change `filename` to the location and name of the exploit protection XML file. >[!IMPORTANT] > ->Ensure you import a configuration file that is created specifically for Exploit protection. You cannot directly import an EMET configuration file, you must convert it first. +>Ensure you import a configuration file that is created specifically for exploit protection. You cannot directly import an EMET configuration file, you must convert it first. -## Convert an EMET configuration file to an Exploit protection configuration file +## Convert an EMET configuration file to an exploit protection configuration file -You can convert an existing EMET configuration file to the new format used by Exploit protection. You must do this if you want to import an EMET configuration into Exploit protection in Windows 10. +You can convert an existing EMET configuration file to the new format used by exploit protection. You must do this if you want to import an EMET configuration into exploit protection in Windows 10. You can only do this conversion in PowerShell. @@ -185,6 +157,6 @@ You can use Group Policy to deploy the configuration you've created to multiple - [Protect devices from exploits](exploit-protection-exploit-guard.md) - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Evaluate Exploit protection](evaluate-exploit-protection.md) -- [Enable Exploit protection](enable-exploit-protection.md) -- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Enable exploit protection](enable-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md index a24d063a73..03dd9e1ec9 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md @@ -14,11 +14,8 @@ ms.author: iawilt ms.date: 08/09/2018 --- - - # Memory integrity - **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md index 65be3c2ceb..934d1154de 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md @@ -1,5 +1,5 @@ --- -title: Use Network protection to help prevent connections to bad sites +title: Use network protection to help prevent connections to bad sites description: Protect your network by preventing users from accessing known malicious and suspicious network addresses keywords: Network protection, exploits, malicious website, ip, domain, domains search.product: eADQiWindows 10XVcnh @@ -14,9 +14,7 @@ ms.author: v-anbic ms.date: 08/09/2018 --- - - -# Protect your network with Windows Defender Exploit Guard +# Protect your network **Applies to:** 
@@ -26,15 +24,12 @@ Network protection helps reduce the attack surface of your devices from Internet It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). -It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). - >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the feature is working and see how it works. - Network protection works best with [Windows Defender Advanced Threat Protection](../windows-defender-atp/windows-defender-advanced-threat-protection.md), which gives you detailed reporting into Windows Defender EG events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). -When Network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. +When network protection blocks a connection, a notification will be displayed from the Action Center. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. You can also use [audit mode](audit-windows-defender-exploit-guard.md) to evaluate how Network protection would impact your organization if it were enabled. 
@@ -47,10 +42,9 @@ Windows 10 version | Windows Defender Antivirus Windows 10 version 1709 or later | [Windows Defender AV real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) and [cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) must be enabled -## Review Network protection events in Windows Event Viewer +## Review network protection events in Windows Event Viewer - -You can review the Windows event log to see events that are created when Network protection blocks (or audits) access to a malicious IP or domain: +You can review the Windows event log to see events that are created when network protection blocks (or audits) access to a malicious IP or domain: 1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *np-events.xml* to an easily accessible location on the machine. 
@@ -64,20 +58,17 @@ You can review the Windows event log to see events that are created when Network 4. Click **OK**. -5. This will create a custom view that filters to only show the following events related to Network protection: +5. This will create a custom view that filters to only show the following events related to network protection: Event ID | Description -|- 5007 | Event when settings are changed -1125 | Event when Network protection fires in Audit-mode -1126 | Event when Network protection fires in Block-mode - - - +1125 | Event when network protection fires in audit mode +1126 | Event when network protection fires in block mode ## In this section Topic | Description ---|--- -[Evaluate Network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created. -[Enable Network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage the Network protection feature in your network. +[Evaluate network protection](evaluate-network-protection.md) | Undertake a quick scenario that demonstrate how the feature works, and what events would typically be created. +[Enable network protection](enable-network-protection.md) | Use Group Policy, PowerShell, or MDM CSPs to enable and manage network protection in your network. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index 42665e23e2..158a8a98ac 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md 
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
@@ -1,5 +1,5 @@
 ---
-title: Requirements and deployment planning guidelines for irtualization-based protection of code integrity (Windows 10)
+title: Requirements and deployment planning guidelines for virtualization-based protection of code integrity (Windows 10)
 description: To help you plan a deployment of Microsoft Windows Defender Device Guard, this article describes hardware requirements for Windows Defender Device Guard, outlines deployment approaches, and describes methods for code signing and the deployment of code integrity policies.
 keywords: virtualization, security, malware
 ms.prod: w10
@@ -9,13 +9,13 @@ author: brianlic-msft ms.date: 10/20/2017 --- -# Requirements and deployment planning guidelines for virtualization-based protection of code integrity +# Baseline protections and additional qualifications for virtualization-based protection of code integrity **Applies to** - Windows Defender Advanced Threat Protection (Windows Defender ATP) -Computers must meet certain hardware, firmware, and software requirements in order to take adavantage of all of the virtualization-based security (VBS) features in Windows Defender Device Guard. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. +Computers must meet certain hardware, firmware, and software requirements in order to take adavantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md index a2e9bc9fb3..847b1fa492 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md 
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md @@ -1,5 +1,5 @@ --- -title: Troubleshoot problems with Attack surface reduction rules +title: Troubleshoot problems with attack surface reduction rules description: Check pre-requisites, use audit mode, add exclusions, or collect diagnostic data to help troubleshoot issues keywords: troubleshoot, error, fix, windows defender eg, asr, rules, hips, troubleshoot, audit, exclusion, false positive, broken, blocking search.product: eADQiWindows 10XVcnh @@ -11,26 +11,20 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/17/2018 +ms.date: 09/18/2018 --- -# Troubleshoot Attack surface reduction rules +# Troubleshoot attack surface reduction rules **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - -- IT administrators - -When you use [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) you may encounter issues, such as: +When you use [attack surface reduction rules](attack-surface-reduction-exploit-guard.md) you may encounter issues, such as: - A rule blocks a file, process, or performs some other action that it should not (false positive) - A rule does not work as described, or does not block a file or process that it should (false negative) - - There are four steps to troubleshooting these problems: 1. Confirm that you have met all pre-requisites @@ -38,11 +32,9 @@ There are four steps to troubleshooting these problems: 3. Add exclusions for the specified rule (for false positives) 3. Submit support logs - - ## Confirm pre-requisites -Attack surface reduction (ASR) will only work on devices with the following conditions: +Attack surface reduction rules will only work on devices with the following conditions: >[!div class="checklist"] > - Endpoints are running Windows 10 Enterprise E5, version 1709 (also known as the Fall Creators Update). 
@@ -50,47 +42,44 @@ Attack surface reduction (ASR) will only work on devices with the following cond > - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. > - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules). - If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode. ## Use audit mode to test the rule There are two ways that you can test if the rule is working. -You can use a pre-configured demo tool to confirm ASR is generally working on the device, or you can use audit mode, which enables the rule for reporting only. +You can use a pre-configured demo tool to confirm attack surface reduction rules are generally working on the device, or you can use audit mode, which enables rules for reporting only. -The demo tool uses pre-configured scenarios and processes, which can be useful to first see if the ASR feature as a whole is operating correctly. +The demo tool uses pre-configured scenarios and processes, which can be useful to first see if the attack surface reduction rule feature as a whole is operating correctly. If you encounter problems when running the demo tool, check that the device you are testing the tool on meets the [pre-requisites listed above](#confirm-pre-requisites). -You should follow the instructions in the section [Use the demo tool to see how ASR works](evaluate-attack-surface-reduction.md#use-the-demo-tool-to-see-how-attack-surface-reduction-works) to test the specific rule you are encountering problems with. +Follow the instructions in [Use the demo tool to see how attack surface reduction rules work](evaluate-attack-surface-reduction.md) to test the specific rule you are encountering problems with. 
>[!TIP] ->While the instructions for using the demo tool are intended for evaluating or seeing how ASR works, you can use it to test that the rule works on known scenarios that we have already extensively tested before we released the feature. +>While the instructions for using the demo tool are intended for evaluating or seeing how attack surface reduction rules work, you can use it to test that the rule works on known scenarios that we have already extensively tested before we released the feature. Audit mode allows the rule to report as if it actually blocked the file or process, but will still allow the file to run. -1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules). +1. Enable audit mode for the specific rule you want to test. Use Group Policy to set the rule to **Audit mode** (value: **2**) as described in [Enable attack surface reduction rules](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules). 2. Perform the activity that is causing an issue (for example, open or execute the file or process that should be blocked but is being allowed). -3. [Review the ASR event logs](attack-surface-reduction-exploit-guard.md#review-attack-surface-reduction-events-in-windows-event-viewer) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. - +3. [Review the attack surface reductio rule event logs](attack-surface-reduction-exploit-guard.md) to see if the rule would have blocked the file or process if the rule had been set to **Enabled**. >[!TIP] >Audit mode will stop the rule from blocking the file or process. > >If a rule is not blocking a file or process that you are expecting it should block, first check if audit mode is enabled. 
> ->Audit mode may have been enabled for testing another feature in Windows Defender Exploit Guard, or by an automated PowerShell script, and may not have been disabled after the tests were completed. +>Audit mode may have been enabled for testing another feature, or by an automated PowerShell script, and may not have been disabled after the tests were completed. +If you've tested the rule with the demo tool and with audit mode, and attack surface reduction rules are working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation: -If you've tested the rule with the demo tool and with audit mode, and ASR is working on pre-configured scenarios, but the rule is not working as expected, proceed to either of the following sections based on your situation: - -1. If the ASR rule is blocking something that it should not block (also known as a false positive), you can [first add an ASR exclusion](#add-exclusions-for-a-false-positive). -2. If the ASR rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data). +1. If the attack surface reduction rule is blocking something that it should not block (also known as a false positive), you can [first add an attack surface reduction rule exclusion](#add-exclusions-for-a-false-positive). +2. If the attack surface reduction rule is not blocking something that it should block (also known as a false negative), you can proceed immediately to the last step, [collecting diagnostic data and submitting the issue to us](#collect-diagnostic-data). ## Add exclusions for a false positive -You can add exclusions to ASR to prevent ASR rules from evaluating the excluded files or folders. +You can add exclusions to prevent attack surface reduction rules from evaluating the excluded files or folders. 
This is useful if you have enabled a rule, and it is blocking a file, process, or action that you believe it should not block. You can then collect data from an endpoint where the rule is not working correctly and send that information to us. @@ -101,12 +90,11 @@ To add an exclusion, see the [Customize Attack surface reduction](customize-atta > >This means any files or folders that are excluded will be excluded from all ASR rules. - If you have followed all previous troubleshooting steps, and you still have a problem (in particular, if you have a false positive), you should proceed to the next step to collect diagnostic information and send it to us. ## Collect diagnostic data -You can use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a problem with ASR. +You can use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a problem with attack surface reduction rules. When you fill out the submission form, you will be asked to specify whether it is a false negative or false positive. If you have an E5 subscription for Windows Defender Advanced Threat Protection, you can also [provide a link to the associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) (if there is one). 
@@ -115,14 +103,8 @@ You must also attach associated files in a .zip file (such as the file or execut Follow the link below for instructions on how to collect the .cab file: > [!div class="nextstepaction"] -> [Collect and submit diagnostic data Windows Defender Exploit Guard issues](collect-cab-files-exploit-guard-submission.md) - - - - - +> [Collect and submit diagnostic data](collect-cab-files-exploit-guard-submission.md) ## Related topics -- [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) -- [Attack surface reduction](attack-surface-reduction-exploit-guard.md) +- [Attack surface reduction rules](attack-surface-reduction-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md index 28b500c5c9..31f4604299 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md @@ -1,5 +1,5 @@ --- -title: Deploy Exploit protection mitigations across your organization +title: Deploy exploit protection mitigations across your organization keywords: Exploit protection, mitigations, troubleshoot, import, export, configure, emet, convert, conversion, deploy, install description: Remove unwanted Exploit protection mitigations. search.product: eADQiWindows 10XVcnh 
@@ -14,30 +14,15 @@ ms.author: v-anbic ms.date: 08/09/2018 --- - - -# Troubleshoot Exploit protection mitigations - +# Troubleshoot exploit protection mitigations **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) +When you create a set of exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations. - - - - - - - - - - - -When you create a set of Exploit protection mitigations (known as a configuration), you might find that the configuration export and import process does not remove all unwanted mitigations. - -You can manually remove unwanted mitigations in Windows Defender Security Center, or you can use the following process to remove all mitigations and then import a baseline configuration file instead. +You can manually remove unwanted mitigations in Windows Security, or you can use the following process to remove all mitigations and then import a baseline configuration file instead. 1. Remove all process mitigations with this PowerShell script: 
@@ -208,9 +193,9 @@ If you haven’t already, it's a good idea to download and use the [Windows Secu ## Related topics -- [Protect devices from exploits with Windows Defender Exploit Guard](exploit-protection-exploit-guard.md) +- [Protect devices from exploits](exploit-protection-exploit-guard.md) - [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md) -- [Evaluate Exploit protection](evaluate-exploit-protection.md) -- [Enable Exploit protection](enable-exploit-protection.md) -- [Configure and audit Exploit protection mitigations](customize-exploit-protection.md) -- [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md) +- [Evaluate exploit protection](evaluate-exploit-protection.md) +- [Enable exploit protection](enable-exploit-protection.md) +- [Configure and audit exploit protection mitigations](customize-exploit-protection.md) +- [Import, export, and deploy exploit protection configurations](import-export-exploit-protection-emet-xml.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md index 3019dd13f6..f2f8024158 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md @@ -14,14 +14,12 @@ ms.author: v-anbic ms.date: 08/09/2018 --- -# Troubleshoot Network protection +# Troubleshoot network protection **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - - IT administrators When you use [Network protection](network-protection-exploit-guard.md) you may encounter issues, such as: 
@@ -29,8 +27,6 @@ When you use [Network protection](network-protection-exploit-guard.md) you may e - Network protection blocks a website that is safe (false positive) - Network protection fails to block a suspicious or known malicious website (false negative) - - There are four steps to troubleshooting these problems: 1. Confirm that you have met all pre-requisites @@ -38,19 +34,16 @@ There are four steps to troubleshooting these problems: 3. Add exclusions for the specified rule (for false positives) 3. Submit support logs - - ## Confirm pre-requisites -Windows Defender Exploit Guard will only work on devices with the following conditions: +Network protection will only work on devices with the following conditions: >[!div class="checklist"] > - Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update). > - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md). > - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled. > - [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled. -> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable Network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection). - +> - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection). If these pre-requisites have all been met, proceed to the next step to test the rule in audit mode. 
@@ -58,33 +51,33 @@ If these pre-requisites have all been met, proceed to the next step to test the There are two ways that you can test if the feature is working - you can use a demo website, and you can use audit mode. -You can enable Network protection and then visit a website that we've created to demo the feature. The website will always be reported as blocked by Network protection. See the [evaluate Network protection](evaluate-network-protection.md) topic for instructions. +You can enable network protection and then visit a website that we've created to demo the feature. The website will always be reported as blocked by network protection. See [Evaluate network protection](evaluate-network-protection.md) for instructions. If you encounter problems when running the evaluation scenario, check that the device you are testing the tool on meets the [pre-requisites listed above](#confirm-pre-requisites). >[!TIP] ->While the instructions for using the demo website are intended for evaluating or seeing how Network protection works, you can use it to test that the feature is working properly and narrow down on the cause of the problem. +>While the instructions for using the demo website are intended for evaluating or seeing how network protection works, you can use it to test that the feature is working properly and narrow down on the cause of the problem. -You can also use audit mode and then attempt to visit the site or IP (IPv4) address you do or don't want to block. Audit mode lets Network protection report to the Windows event log as if it actually blocked the site or connection to an IP address, but will still allow the file to run. +You can also use audit mode and then attempt to visit the site or IP (IPv4) address you do or don't want to block. Audit mode lets network protection report to the Windows event log as if it actually blocked the site or connection to an IP address, but will still allow the file to run. -1. Enable audit mode for Network protection. 
Use Group Policy to set the rule to **Audit mode** as described in the [Enable Network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection). +1. Enable audit mode for network protection. Use Group Policy to set the rule to **Audit mode** as described in the [Enable network protection topic](enable-network-protection.md#use-group-policy-to-enable-or-audit-network-protection). 2. Perform the connection activity that is causing an issue (for example, attempt to visit the site, or connect to the IP address you do or don't want to block). -3. [Review the Network protection event logs](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. +3. [Review the network protection event logs](network-protection-exploit-guard.md#review-network-protection-events-in-windows-event-viewer) to see if the feature would have blocked the connection if it had been set to **Enabled**. >[!IMPORTANT] ->Audit mode will stop Network protection from blocking known malicious connections. +>Audit mode will stop network protection from blocking known malicious connections. > ->If Network protection is not blocking a connection that you are expecting it should block, first check if audit mode is enabled. +>If network protection is not blocking a connection that you are expecting it should block, first check if audit mode is enabled. > >Audit mode may have been enabled for testing another feature in Windows Defender Exploit Guard, or by an automated PowerShell script, and may not have been disabled after the tests were completed. -If you've tested the feature with the demo site and with audit mode, and Network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, proceed to the next section to report the site or IP address. 
+If you've tested the feature with the demo site and with audit mode, and network protection is working on pre-configured scenarios, but is not working as expected for a specific connection, proceed to the next section to report the site or IP address. ## Report a false positive or false negative -You can use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a problem with Network protection. +You can use the [Windows Defender Security Intelligence web-based submission form](https://www.microsoft.com/en-us/wdsi/filesubmission) to report a problem with network protection. When you fill out the submission form, you will be asked to specify whether it is a false negative or false positive. If you have an E5 subscription for Windows Defender Advanced Threat Protection, you can also [provide a link to the associated alert](../windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md) (if there is one). @@ -93,11 +86,6 @@ You can also attach a diagnostic .cab file to your submission if you wish (this > [!div class="nextstepaction"] > [Collect and submit diagnostic data Windows Defender Exploit Guard issues](collect-cab-files-exploit-guard-submission.md) - - - - - ## Related topics - [Windows Defender Exploit Guard](windows-defender-exploit-guard.md) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index 1613918bd9..cfea6fdd1f 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md 
@@ -14,20 +14,12 @@ ms.author: v-anbic ms.date: 08/09/2018 --- - - # Windows Defender Exploit Guard - **Applies to:** - Windows Defender Advanced Threat Protection (Windows Defender ATP) - - - - - Windows Defender Exploit Guard (Windows Defender EG) is a new set of host intrusion prevention capabilities for Windows 10, allowing you to manage and reduce the attack surface of apps used by your employees. There are four features in Windows Defender EG: 
@@ -51,9 +43,9 @@ You can also [enable audit mode](audit-windows-defender-exploit-guard.md) for th >[!TIP] >You can also visit the Windows Defender Testground website at [demo.wd.microsoft.com](https://demo.wd.microsoft.com?ocid=cx-wddocs-testground) to confirm the features are working and see how each of them work. -Windows Defender EG can be managed and reported on in the Windows Defender Security Center as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies. +Windows Defender EG can be managed and reported on in the Windows Security app as part of the Windows Defender Advanced Threat Protection suite of threat mitigation, preventing, protection, and analysis technologies. -You can use the Windows Defender Security Center to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works. +You can use the Windows Security app to obtain detailed reporting into events and blocks as part of the usual [alert investigation scenarios](../windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md). You can [sign up for a free trial of Windows Defender ATP](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=cx-docs-msa4053440) to see how it works. ## Requirements 
@@ -63,13 +55,12 @@ This section covers requirements for each feature in Windows Defender EG. |--------|---------| | ![not supported](./images/ball_empty.png) | Not supported | | ![supported](./images/ball_50.png) | Supported | -| ![supported, full reporting](./images/ball_full.png) | Recommended. Includes full, automated reporting into the Windows Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an Attack surface reduction rule that blocks executable files that meet age or prevalence criteria.| - +| ![supported, full reporting](./images/ball_full.png) | Recommended. Includes full, automated reporting into the Windows Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an attack surface reduction rule that blocks executable files that meet age or prevalence criteria.| | Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 | | ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: | | Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | -| Attack surface reduction | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, full reporting](./images/ball_full.png) | +| Attack surface reduction rules | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, full reporting](./images/ball_full.png) | | Network protection | ![not supported](./images/ball_empty.png) | ![not 
supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | | Controlled folder access | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) | @@ -78,7 +69,7 @@ The following table lists which features in Windows Defender EG require enabling | Feature | Real-time protection | |-----------------| ------------------------------------ | | Exploit protection | No requirement | -| Attack surface reduction | Must be enabled | +| Attack surface reduction rules | Must be enabled | | Network protection | Must be enabled | | Controlled folder access | Must be enabled | 
@@ -87,8 +78,8 @@ The following table lists which features in Windows Defender EG require enabling Topic | Description ---|--- [Protect devices from exploits](exploit-protection-exploit-guard.md) | Exploit protection provides you with many of the features in now-retired Enhanced Mitigations Experience Toolkit - and adds additional configuration and technologies. These features can help prevent threats from using vulnerabilities to gain access to your network and devices. You can create a template of settings that can be exported and copied to multiple machines in your network at once. -[Reduce attack surfaces](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts. +[Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction-exploit-guard.md) | Use pre-built rules to manage mitigations for key attack and infection vectors, such as Office-based malicious macro code and PowerShell, VBScript, and JavaScript scripts. [Protect your network](network-protection-exploit-guard.md) | Minimize the exposure of your devices from network and web-based infection vectors. -[Protect important folders with Controlled folder access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data. +[Protect important folders with controlled folder access](controlled-folders-exploit-guard.md) | Prevent unknown or unauthorized apps (including ransomware encryption malware) from writing to sensitive folders, such as folders containing sensitive or business-critical data. 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md index 4dad649653..94651ad2a2 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md @@ -1,5 +1,5 @@ --- -title: Account protection in the Windows Defender Security Center app +title: Account protection in the Windows Security app description: Use the Account protection section to manage security for your account and sign in to Microsoft. keywords: account protection, wdav, smartscreen, antivirus, wdsc, exploit, protection, hide search.product: eADQiWindows 10XVcnh @@ -33,7 +33,7 @@ You can also choose to hide the section from users of the machine. This can be u ## Hide the Account protection section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Defender Security Center app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. This can only be done in Group Policy. @@ -46,7 +46,7 @@ This can only be done in Group Policy. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Account protection**. +5. Expand the tree to **Windows components > Windows Security > Account protection**. 6. Open the **Hide the Account protection area** setting and set it to **Enabled**. Click **OK**. 
@@ -55,4 +55,4 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md index aa52a93e41..b3d73ce4da 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md @@ -1,5 +1,5 @@ --- -title: App & browser control in the Windows Defender Security Center app +title: App & browser control in the Windows Security app description: Use the App & browser control section to see and configure Windows Defender SmartScreen and Exploit protection settings. keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide search.product: eADQiWindows 10XVcnh @@ -44,7 +44,7 @@ You can only prevent users from modifying Exploit protection settings by using G 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > App and browser protection**. +5. Expand the tree to **Windows components > Windows Security > App and browser protection**. 6. Open the **Prevent users from modifying settings** setting and set it to **Enabled**. Click **OK**. 
@@ -52,7 +52,7 @@ You can only prevent users from modifying Exploit protection settings by using G ## Hide the App & browser control section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Defender Security Center app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. This can only be done in Group Policy. @@ -65,7 +65,7 @@ This can only be done in Group Policy. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > App and browser protection**. +5. Expand the tree to **Windows components > Windows Security > App and browser protection**. 6. Open the **Hide the App and browser protection area** setting and set it to **Enabled**. Click **OK**. @@ -74,4 +74,4 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md index b528a224eb..30cc2c355d 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md 
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md @@ -1,5 +1,5 @@ --- -title: Customize Windows Defender Security Center contact information +title: Customize Windows Security contact information description: Provide information to your employees on how to contact your IT department when a security issue occurs keywords: wdsc, security center, defender, notification, customize, contact, it department, help desk, call, help site search.product: eADQiWindows 10XVcnh @@ -14,7 +14,7 @@ ms.author: v-anbic ms.date: 04/30/2018 --- -# Customize the Windows Defender Security Center app for your organization +# Customize the Windows Security app for your organization **Applies to** @@ -28,7 +28,7 @@ ms.date: 04/30/2018 - Group Policy -You can add information about your organization in a contact card to the Windows Defender Security Center app. This can include a link to a support site, a phone number for a help desk, and an email address for email-based support. +You can add information about your organization in a contact card to the Windows Security app. This can include a link to a support site, a phone number for a help desk, and an email address for email-based support. ![](images/security-center-custom-flyout.png) @@ -56,7 +56,7 @@ This can only be done in Group Policy. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Enterprise Customization**. +5. Expand the tree to **Windows components > Windows Security > Enterprise Customization**. 6. You enable the contact card and the customized notifications by configuring two separate Group Policy settings. They will both use the same source of information (explained in Steps 7 and 8), and you can enable both or only one or the other: 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md index 67d58174c1..2e68201ba8 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md @@ -1,5 +1,5 @@ --- -title: Device & performance health in the Windows Defender Security Center app +title: Device & performance health in the Windows Security app description: Use the Device & performance health section to see the status of the machine and note any storage, update, battery, driver, or hardware configuration issues keywords: wdsc, windows update, storage, driver, device, installation, battery, health, status search.product: eADQiWindows 10XVcnh @@ -32,7 +32,7 @@ In Windows 10, version 1709 and later, the section can be hidden from users of t ## Hide the Device performance & health section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Defender Security Center app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. This can only be done in Group Policy. 
@@ -45,7 +45,7 @@ This can only be done in Group Policy. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Device performance and health**. +5. Expand the tree to **Windows components > Windows Security > Device performance and health**. 6. Open the **Hide the Device performance and health area** setting and set it to **Enabled**. Click **OK**. @@ -54,4 +54,4 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md index 64af9bb9d8..3dea1e0c3a 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md @@ -1,5 +1,5 @@ --- -title: Device security in the Windows Defender Security Center app +title: Device security in the Windows Security app description: Use the Device security section to manage security built into your device, including virtualization-based security. keywords: device security, device guard, wdav, smartscreen, antivirus, wdsc, exploit, protection, hide search.product: eADQiWindows 10XVcnh 
@@ -11,25 +11,22 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 10/02/2018 --- - # Device security **Applies to** - Windows 10, version 1803 and later - -The **Device security** section contains information and settings for built-in device security. +The **Device security** section contains information and settings for built-in device security. You can choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. - ## Hide the Device security section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Defender Security Center app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. This can only be done in Group Policy. 
@@ -40,15 +37,59 @@ This can only be done in Group Policy. 1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Device security**. +3. Expand the tree to **Windows components > Windows Security > Device security**. -6. Open the **Hide the Device security area** setting and set it to **Enabled**. Click **OK**. +4. Open the **Hide the Device security area** setting and set it to **Enabled**. Click **OK**. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). +5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) + +## Disable the Clear TPM button +If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it. + +>[!IMPORTANT] +>### Requirements +> +>You must have Windows 10, version 1809 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. + +1. 
On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components > Windows Security > Device security**. + +4. Open the **Disable the Clear TPM button** setting and set it to **Enabled**. Click **OK**. + +5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). + +## Hide the TPM Firmware Update recommendation +If you don't want users to see the recommendation to update TPM firmware, you can disable it. + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components > Windows Security > Device security**. + +4. Open the **Hide the TPM Firmware Update recommendation** setting and set it to **Enabled**. Click **OK**. + +5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). + +## Disable Memory integrity switch +If you don't want users to be able to change the Hypervisor Control Integrity (HVCI), or memory integrity, setting on their computers, you can disable the **Memory integrity** switch. + +1. On your Group Policy management computer, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. + +2. 
In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. + +3. Expand the tree to **Windows components > Windows Security > Device security**. + +4. Open the **Disable Memory integrity switch** setting and set it to **Enabled**. Click **OK**. + +5. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md index 47bf08fc3f..e691142a85 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md @@ -1,5 +1,5 @@ --- -title: Family options in the Windows Defender Security Center app +title: Family options in the Windows Security app description: Hide the Family options section in enterprise environments keywords: wdsc, family options, hide, suppress, remove, disable, uninstall, kids, parents, safety, parental, child, screen time search.product: eADQiWindows 10XVcnh 
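Review bot: In the new "Disable Memory integrity switch" section, HVCI is expanded as "Hypervisor Control Integrity", but the feature's name is hypervisor-protected code integrity. The sentence should read `If you don't want users to be able to change the hypervisor-protected code integrity (HVCI), or memory integrity, setting on their computers, you can disable the **Memory integrity** switch.` The Requirements note (Windows 10, version 1809 or later) appears only under "Disable the Clear TPM button", while the page's "Applies to" line still says version 1803 and later. If the "Hide the TPM Firmware Update recommendation" and "Disable Memory integrity switch" settings also depend on the 1809 templates, which the hunk does not show, the note should be repeated in those two sections. The text would also help administrators by stating that this setting locks the switch in the Windows Security app, and that whether memory integrity is actually enabled is presumably controlled elsewhere and should be confirmed and linked.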
@@ -24,14 +24,14 @@ ms.date: 04/30/2018 The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It is not generally intended for enterprise or business environments. -Home users can learn more at the [Help protection your family online in Windows Defender Security Center topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4013209/windows-10-protect-your-family-online-in-windows-defender) +Home users can learn more at the [Help protection your family online in Windows Security topic at support.microsoft.com](https://support.microsoft.com/en-us/help/4013209/windows-10-protect-your-family-online-in-windows-defender) In Windows 10, version 1709, the section can be hidden from users of the machine. This can be useful if you don't want employees in your organization to see or have access to this section. ## Hide the Family options section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Defender Security Center app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. This can only be done in Group Policy. @@ -44,7 +44,7 @@ This can only be done in Group Policy. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Family options**. +5. Expand the tree to **Windows components > Windows Security > Family options**. 6. Open the **Hide the Family options area** setting and set it to **Enabled**. Click **OK**. 
@@ -53,4 +53,4 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md index 4986db4e3e..1aea2d2d26 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md @@ -1,5 +1,5 @@ --- -title: Firewall and network protection in the Windows Defender Security Center app +title: Firewall and network protection in the Windows Security app description: Use the Firewall & network protection section to see the status of and make changes to firewalls and network connections for the machine. keywords: wdsc, firewall, windows defender firewall, network, connections, domain, private network, publish network, allow firewall, firewall rule, block firewall search.product: eADQiWindows 10XVcnh 
@@ -22,14 +22,14 @@ ms.date: 04/30/2018 - Windows 10, version 1703 and later -The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). +The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../windows-firewall/windows-firewall-with-advanced-security.md). In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. ## Hide the Firewall & network protection section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Defender Security Center app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. This can only be done in Group Policy. 
@@ -38,18 +38,18 @@ This can only be done in Group Policy. > >You must have Windows 10, version 1709 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the [Group Policy Management Console](https://technet.microsoft.com/library/cc731212.aspx), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the Group Policy Management Console, right-click the Group Policy Object you want to configure and click **Edit**. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Firewall and network protection**. +5. Expand the tree to **Windows components > Windows Security > Firewall and network protection**. 6. Open the **Hide the Firewall and network protection area** setting and set it to **Enabled**. Click **OK**. -7. [Deploy the updated GPO as you normally do](https://msdn.microsoft.com/en-us/library/ee663280(v=vs.85).aspx). +7. Deploy the updated GPO as you normally do. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png) +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 551ce1779b..a21f6e6715 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md 
@@ -1,6 +1,6 @@ --- -title: Hide notifications from the Windows Defender Security Center app -description: Prevent Windows Defender Security Center app notifications from appearing on user endpoints +title: Hide notifications from the Windows Security app +description: Prevent Windows Security app notifications from appearing on user endpoints keywords: defender, security center, app, notifications, av, alerts search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -14,7 +14,7 @@ ms.author: v-anbic ms.date: 04/30/2018 --- -# Hide Windows Defender Security Center app notifications +# Hide Windows Security app notifications **Applies to** @@ -28,7 +28,7 @@ ms.date: 04/30/2018 - Group Policy -The Windows Defender Security Center app is used by a number of Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others. +The Windows Security app is used by a number of Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others. In some cases, it may not be appropriate to show these notifications, for example, if you want to hide regular status updates, or if you want to hide all notifications to the employees in your organization. @@ -58,7 +58,7 @@ This can only be done in Group Policy. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Notifications**. +5. Expand the tree to **Windows components > Windows Security > Notifications**. 6. Open the **Hide non-critical notifications** setting and set it to **Enabled**. Click **OK**. 
@@ -67,7 +67,7 @@ This can only be done in Group Policy. ## Use Group Policy to hide all notifications -You can hide all notifications that are sourced from the Windows Defender Security Center app. This may be useful if you don't want users of the machines from inadvertently modifying settings, running antivirus scans, or otherwise performing security-related actions without your input. +You can hide all notifications that are sourced from the Windows Security app. This may be useful if you don't want users of the machines from inadvertently modifying settings, running antivirus scans, or otherwise performing security-related actions without your input. This can only be done in Group Policy. @@ -80,7 +80,7 @@ This can only be done in Group Policy. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Notifications**. +5. Expand the tree to **Windows components > Windows Security > Notifications**. 6. Open the **Hide all notifications** setting and set it to **Enabled**. Click **OK**. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md index 5d7d2ce96b..e8c72f679d 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md 
@@ -1,5 +1,5 @@ --- -title: Virus and threat protection in the Windows Defender Security Center app +title: Virus and threat protection in the Windows Security app description: Use the Virus & threat protection section to see and configure Windows Defender Antivirus, Controlled folder access, and 3rd-party AV products. keywords: wdav, smartscreen, antivirus, wdsc, exploit, protection, hide search.product: eADQiWindows 10XVcnh @@ -28,7 +28,7 @@ In Windows 10, version 1803, this section also contains information and settings IT administrators and IT pros can get more information and documentation about configuration from the following: -- [Windows Defender Antivirus in the Windows Defender Security Center app](../windows-defender-antivirus/windows-defender-security-center-antivirus.md) +- [Windows Defender Antivirus in the Windows Security app](../windows-defender-antivirus/windows-defender-security-center-antivirus.md) - [Windows Defender Antivirus documentation library](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) - [Protect important folders with Controlled folder access](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard) - [Defend yourself from cybercrime with new Office 365 capabilities](https://blogs.office.com/en-us/2018/04/05/defend-yourself-from-cybercrime-with-new-office-365-capabilities/) 
@@ -40,7 +40,7 @@ You can choose to hide the **Virus & threat protection** section or the **Ransom ## Hide the Virus & threat protection section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Defender Security Center app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. This can only be done in Group Policy. @@ -53,7 +53,7 @@ This can only be done in Group Policy. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Virus and threat protection**. +5. Expand the tree to **Windows components > Windows Security > Virus and threat protection**. 6. Open the **Hide the Virus and threat protection area** setting and set it to **Enabled**. Click **OK**. @@ -62,11 +62,11 @@ This can only be done in Group Policy. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png) +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) ## Hide the Ransomware protection area -You can choose to hide the **Ransomware protection** area by using Group Policy. The area will not appear on the **Virus & threat protection** section of the Windows Defender Security Center app. +You can choose to hide the **Ransomware protection** area by using Group Policy. The area will not appear on the **Virus & threat protection** section of the Windows Security app. This can only be done in Group Policy. 
@@ -79,7 +79,7 @@ This can only be done in Group Policy. 3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. -5. Expand the tree to **Windows components > Windows Defender Security Center > Virus and threat protection**. +5. Expand the tree to **Windows components > Windows Security > Virus and threat protection**. 6. Open the **Hide the Ransomware data recovery area** setting and set it to **Enabled**. Click **OK**. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md index a4423252ca..3a2be655e3 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md @@ -1,6 +1,6 @@ --- -title: Manage Windows Defender Security Center in Windows 10 in S mode -description: Windows Defender Security Center settings are different in Windows 10 in S mode +title: Manage Windows Security in Windows 10 in S mode +description: Windows Security settings are different in Windows 10 in S mode keywords: windows 10 in s mode, windows 10 s, windows 10 s mode, wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows search.product: eADQiWindows 10XVcnh ms.pagetype: security @@ -14,7 +14,7 @@ ms.author: v-anbic ms.date: 04/30/2018 --- -# Manage Windows Defender Security Center in Windows 10 in S mode +# Manage Windows Security in Windows 10 in S mode **Applies to** 
@@ -30,15 +30,15 @@ ms.date: 04/30/2018 Windows 10 in S mode is streamlined for tighter security and superior performance. With Windows 10 in S mode, users can only use apps from the Microsoft Store, ensuring Microsoft-verified security so you can minimize malware attacks. In addition, using Microsoft Edge provides a more secure browser experience, with extra protections against phishing and malicious software. -The Windows Defender Security Center interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically. +The Windows Security interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically. -![Screen shot of the Windows Defender Security Center app Virus & threat protection area in Windows 10 in S mode](images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png) +![Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode](images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png) For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](https://docs.microsoft.com/en-us/windows/deployment/windows-10-pro-in-s-mode). 
-##Managing Windows Defender Security Center settings with Intune +##Managing Windows Security settings with Intune In the enterprise, you can only manage security settings for devices running Windows 10 in S mode with Microsoft Intune or other mobile device management apps. Windows 10 in S mode prevents making changes via PowerShell scripts. -For information about using Intune to manage Windows Defender Security Center settings on your organization's devices, see [Set up Intune](https://docs.microsoft.com/en-us/intune/setup-steps) and [Endpoint protection settings for Windows 10 (and later) in Intune](https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10). +For information about using Intune to manage Windows Security settings on your organization's devices, see [Set up Intune](https://docs.microsoft.com/en-us/intune/setup-steps) and [Endpoint protection settings for Windows 10 (and later) in Intune](https://docs.microsoft.com/en-us/intune/endpoint-protection-windows-10). diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index c98c737aad..0ac415f224 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md 
@@ -1,6 +1,6 @@ --- -title: The Windows Defender Security Center app -description: The Windows Defender Security Center app brings together common Windows security features into one place +title: The Windows Security app +description: The Windows Security app brings together common Windows security features into one place keywords: wdav, smartscreen, antivirus, wdsc, firewall, device health, performance, Edge, browser, family, parental options, security, windows search.product: eADQiWindows 10XVcnh ms.pagetype: security 
@@ -11,43 +11,35 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 10/02/2018 --- -# The Windows Defender Security Center app +# The Windows Security app **Applies to** - Windows 10, version 1703 and later - - - -In Windows 10, version 1709 and later, the app also shows information from third-party antivirus and firewall apps. - -In Windows 10, version 1803, the app has two new areas, **Account protection** and **Device security**. - - -![Screen shot of the Windows Defender Security Center app showing that the device is protected and five icons for each of the features](images/security-center-home.png) - - - -In Windows 10, version 1709, we increased the scope of the app to also show information from third-party antivirus and firewall apps. - ->[!NOTE] ->The Windows Defender Security Center app is a client interface on Windows 10, version 1703 and later. It is not the Windows Defender Security Center web portal console that is used to review and manage [Windows Defender Advanced Threat Protection](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). - -This library describes the Windows Defender Security Center app, and provides information on configuring certain features, including: +This library describes the Windows Security app, and provides information on configuring certain features, including: - [Showing and customizing contact information on the app and in notifications](wdsc-customize-contact-information.md) - [Hiding notifications](wdsc-hide-notifications.md) -You can't uninstall the Windows Defender Security Center app, but you can do one of the following: +In Windows 10, version 1709 and later, the app also shows information from third-party antivirus and firewall apps. + +In Windows 10, version 1803, the app has two new areas, **Account protection** and **Device security**. 
+ +![Screen shot of the Windows Security app showing that the device is protected and five icons for each of the features](images/security-center-home.png) + +>[!NOTE] +>The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Windows Defender Security Center web portal console that is used to review and manage [Windows Defender Advanced Threat Protection](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection). + +You can't uninstall the Windows Security app, but you can do one of the following: - Disable the interface on Windows Server 2016. See [Windows Defender Antivirus on Windows Server 2016](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-on-windows-server-2016). - Hide all of the sections on client computers (see below). 
@@ -57,47 +49,43 @@ You can find more information about each section, including options for configur - [Virus & threat protection](wdsc-virus-threat-protection.md), which has information and access to antivirus ransomware protection settings and notifications, including the Controlled folder access feature of Windows Defender Exploit Guard and sign-in to Microsoft OneDrive. -- [Account protection](wdsc-account-protection.md), which has information and access to sign-in and account protection settings. +- [Account protection](wdsc-account-protection.md), which has information and access to sign-in and account protection settings. - [Firewall & network protection](wdsc-firewall-network-protection.md), which has information and access to firewall settings, including Windows Defender Firewall. - [App & browser control](wdsc-app-browser-control.md), covering Windows Defender SmartScreen settings and Exploit protection mitigations. - [Device security](wdsc-device-security.md), which provides access to built-in device security settings. -- [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues. +- [Device performance & health](wdsc-device-performance-health.md), which has information about drivers, storage space, and general Windows Update issues. - [Family options](wdsc-family-options.md), which includes access to parental controls along with tips and information for keeping kids safe online. >[!NOTE] >If you hide all sections then the app will show a restricted interface, as in the following screenshot: > ->![Windows Defender Security Center app with all sections hidden by Group Policy](images/wdsc-all-hide.png) +>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png) - - - - -## Open the Windows Defender Security Center app +## Open the Windows Security app - Click the icon in the notification area on the taskbar. 
- ![Screen shot of the icon for the Windows Defender Security Center app on the Windows task bar](images/security-center-taskbar.png) -- Search the Start menu for **Windows Defender Security Center**. + ![Screen shot of the icon for the Windows Security app on the Windows task bar](images/security-center-taskbar.png) +- Search the Start menu for **Windows Security**. - ![Screen shot of the Start menu showing the results of a search for the Windows Defender Security Center app, the first option with a large shield symbol is selected](images/security-center-start-menu.png) + ![Screen shot of the Start menu showing the results of a search for the Windows Security app, the first option with a large shield symbol is selected](images/security-center-start-menu.png) - Open an area from Windows **Settings**. - ![Screen shot of Windows Settings showing the different areas available in the Windows Defender Security Center](images/settings-windows-defender-security-center-areas.png) + ![Screen shot of Windows Settings showing the different areas available in the Windows Security](images/settings-windows-defender-security-center-areas.png) > [!NOTE] -> Settings configured with management tools, such as Group Policy, Microsoft Intune, or System Center Configuration Manager, will generally take precedence over the settings in the Windows Defender Security Center. See the topics for each of the sections for links to configuring the associated features or products. +> Settings configured with management tools, such as Group Policy, Microsoft Intune, or System Center Configuration Manager, will generally take precedence over the settings in the Windows Security. See the topics for each of the sections for links to configuring the associated features or products. 
-## How the Windows Defender Security Center app works with Windows security features +## How the Windows Security app works with Windows security features >[!IMPORTANT] ->Windows Defender AV and the Windows Defender Security Center app use similarly named services for specific purposes. +>Windows Defender AV and the Windows Security app use similarly named services for specific purposes. > ->The Windows Defender Security Center app uses the Windows Defender Security Center Service (*SecurityHealthService* or *Windows Security Health Servce*), which in turn utilizes the Security Center service ([*wscsvc*](https://technet.microsoft.com/en-us/library/bb457154.aspx#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection. +>The Windows Security app uses the Windows Security Service (*SecurityHealthService* or *Windows Security Health Servce*), which in turn utilizes the Security Center service ([*wscsvc*](https://technet.microsoft.com/en-us/library/bb457154.aspx#EDAA)) to ensure the app provides the most up-to-date information about the protection status on the endpoint, including protection offered by third-party antivirus products, Windows Defender Firewall, third-party firewalls, and other security protection. > >These services do not affect the state of Windows Defender AV. Disabling or modifying these services will not disable Windows Defender AV, and will lead to a lowered protection state on the endpoint, even if you are using a third-party antivirus product. 
> @@ -106,22 +94,22 @@ You can find more information about each section, including options for configur >Disabling the Windows Security Center service will not disable Windows Defender AV or [Windows Defender Firewall](https://docs.microsoft.com/en-us/windows/access-protection/windows-firewall/windows-firewall-with-advanced-security). > [!WARNING] -> If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Defender Security Center app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. +> If you disable the Security Center service, or configure its associated Group Policy settings to prevent it from starting or running, the Windows Security app may display stale or inaccurate information about any antivirus or firewall products you have installed on the device. > >It may also prevent Windows Defender AV from enabling itself if you have an old or outdated third-party antivirus, or if you uninstall any third-party antivirus products you may have previously installed. > >This will significantly lower the protection of your device and could lead to malware infection. -The Windows Defender Security Center app operates as a separate app or process from each of the individual features, and will display notifications through the Action Center. +The Windows Security app operates as a separate app or process from each of the individual features, and will display notifications through the Action Center. It acts as a collector or single place to see the status and perform some configuration for each of the features. -Disabling any of the individual features (through Group Policy or other management tools, such as System Center Configuration Manager) will prevent that feature from reporting its status in the Windows Defender Security Center app. 
The Windows Defender Security Center app itself will still run and show status for the other security features. +Disabling any of the individual features (through Group Policy or other management tools, such as System Center Configuration Manager) will prevent that feature from reporting its status in the Windows Security app. The Windows Security app itself will still run and show status for the other security features. > [!IMPORTANT] -> Individually disabling any of the services will not disable the other services or the Windows Defender Security Center app. +> Individually disabling any of the services will not disable the other services or the Windows Security app. -For example, [using a third-party antivirus will disable Windows Defender Antivirus](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility). However, the Windows Defender Security Center app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall. +For example, [using a third-party antivirus will disable Windows Defender Antivirus](https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility). However, the Windows Security app will still run, show its icon in the taskbar, and display information about the other features, such as Windows Defender SmartScreen and Windows Defender Firewall. diff --git a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md index 11e79cb879..f11f1ad904 100644 --- a/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md 
+++ b/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md @@ -1,6 +1,6 @@ --- title: Set up and use Windows Defender SmartScreen on individual devices (Windows 10) -description: Steps about what happens when an employee tries to run an app, how employees can report websites as safe or unsafe, and how employees can use the Windows Defender Security Center to set Windows Defender SmartScreen for individual devices. +description: Steps about what happens when an employee tries to run an app, how employees can report websites as safe or unsafe, and how employees can use the Windows Security to set Windows Defender SmartScreen for individual devices. keywords: SmartScreen Filter, Windows SmartScreen ms.prod: w10 ms.mktglfcycl: explore 
@@ -19,14 +19,14 @@ ms.date: 10/13/2017 Windows Defender SmartScreen helps to protect your employees if they try to visit sites previously reported as phishing or malware websites, or if an employee tries to download potentially malicious files. -## How employees can use Windows Defender Security Center to set up Windows Defender SmartScreen -Starting with Windows 10, version 1703 your employees can use Windows Defender Security Center to set up Windows Defender SmartScreen for an individual device; unless you've used Group Policy or Microsoft Intune to prevent it. +## How employees can use Windows Security to set up Windows Defender SmartScreen +Starting with Windows 10, version 1703 your employees can use Windows Security to set up Windows Defender SmartScreen for an individual device; unless you've used Group Policy or Microsoft Intune to prevent it. >[!NOTE] >If any of the following settings are managed through Group Policy or mobile device management (MDM) settings, it appears as unavailable to the employee. -**To use Windows Defender Security Center to set up Windows Defender SmartScreen on a device** -1. Open the Windows Defender Security Center app, and then click **App & browser control**. +**To use Windows Security to set up Windows Defender SmartScreen on a device** +1. Open the Windows Security app, and then click **App & browser control**. 2. In the **App & browser control** screen, choose from the following options: 
@@ -52,7 +52,7 @@ Starting with Windows 10, version 1703 your employees can use Windows Defender S - **Off.** Turns off SmartScreen, so an employee isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files. - ![Windows Defender Security Center, SmartScreen controls](images/windows-defender-smartscreen-control.png) + ![Windows Security, SmartScreen controls](images/windows-defender-smartscreen-control.png) ## How SmartScreen works when an employee tries to run an app Windows Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, SmartScreen can warn the employee or block the app from running entirely, depending on how you've configured the feature to run in your organization. diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md index acd9ab7b9e..efe30a1df5 100644 --- a/windows/security/threat-protection/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-baselines.md @@ -16,6 +16,7 @@ ms.date: 06/25/2018 - Windows 10 - Windows Server 2016 +- Office 2016 ## Using security baselines in your organization diff --git a/windows/whats-new/TOC.md b/windows/whats-new/TOC.md index 22e6c40651..6c8ae105ee 100644 --- a/windows/whats-new/TOC.md +++ b/windows/whats-new/TOC.md @@ -1,4 +1,5 @@ # [What's new in Windows 10](index.md) +## [What's new in Windows 10, version 1809](whats-new-windows-10-version-1809.md) ## [What's new in Windows 10, version 1803](whats-new-windows-10-version-1803.md) ## [What's new in Windows 10, version 1709](whats-new-windows-10-version-1709.md) ## [What's new in Windows 10, version 1703](whats-new-windows-10-version-1703.md) 
diff --git a/windows/whats-new/images/1_AppBrowser.png b/windows/whats-new/images/1_AppBrowser.png
new file mode 100644
index 0000000000..6e1f32e389
Binary files /dev/null and b/windows/whats-new/images/1_AppBrowser.png differ
diff --git a/windows/whats-new/images/2_InstallWDAG.png b/windows/whats-new/images/2_InstallWDAG.png
new file mode 100644
index 0000000000..e45f714a35
Binary files /dev/null and b/windows/whats-new/images/2_InstallWDAG.png differ
diff --git a/windows/whats-new/images/3_ChangeSettings.png b/windows/whats-new/images/3_ChangeSettings.png
new file mode 100644
index 0000000000..968eb0c3c0
Binary files /dev/null and b/windows/whats-new/images/3_ChangeSettings.png differ
diff --git a/windows/whats-new/images/4_ViewSettings.jpg b/windows/whats-new/images/4_ViewSettings.jpg
new file mode 100644
index 0000000000..72ee4db754
Binary files /dev/null and b/windows/whats-new/images/4_ViewSettings.jpg differ
diff --git a/windows/whats-new/images/Defender.png b/windows/whats-new/images/Defender.png
new file mode 100644
index 0000000000..a99f5992a0
Binary files /dev/null and b/windows/whats-new/images/Defender.png differ
diff --git a/windows/whats-new/images/FastSignIn.png b/windows/whats-new/images/FastSignIn.png
new file mode 100644
index 0000000000..1bd763dbea
Binary files /dev/null and b/windows/whats-new/images/FastSignIn.png differ
diff --git a/windows/whats-new/images/Multi-app_kiosk_inFrame.png b/windows/whats-new/images/Multi-app_kiosk_inFrame.png
new file mode 100644
index 0000000000..7a1928501e
Binary files /dev/null and b/windows/whats-new/images/Multi-app_kiosk_inFrame.png differ
diff --git a/windows/whats-new/images/Normal_inFrame.png b/windows/whats-new/images/Normal_inFrame.png
new file mode 100644
index 0000000000..8d0559d0ee
Binary files /dev/null and b/windows/whats-new/images/Normal_inFrame.png differ
diff --git a/windows/whats-new/images/RDPwBio2.png b/windows/whats-new/images/RDPwBio2.png
new file mode 100644
index 0000000000..6cffe649fe
Binary files /dev/null and b/windows/whats-new/images/RDPwBio2.png differ
diff --git a/windows/whats-new/images/RDPwBioTime.png b/windows/whats-new/images/RDPwBioTime.png
new file mode 100644
index 0000000000..d3007e8279
Binary files /dev/null and b/windows/whats-new/images/RDPwBioTime.png differ
diff --git a/windows/whats-new/images/SingleApp_contosoHotel_inFrame@2x.png b/windows/whats-new/images/SingleApp_contosoHotel_inFrame@2x.png
new file mode 100644
index 0000000000..f329d74d3e
Binary files /dev/null and b/windows/whats-new/images/SingleApp_contosoHotel_inFrame@2x.png differ
diff --git a/windows/whats-new/images/WebSignIn.png b/windows/whats-new/images/WebSignIn.png
new file mode 100644
index 0000000000..4afa324aec
Binary files /dev/null and b/windows/whats-new/images/WebSignIn.png differ
diff --git a/windows/whats-new/images/beaming.png b/windows/whats-new/images/beaming.png
new file mode 100644
index 0000000000..096c1d43f4
Binary files /dev/null and b/windows/whats-new/images/beaming.png differ
diff --git a/windows/whats-new/images/block-suspicious-behaviors.png b/windows/whats-new/images/block-suspicious-behaviors.png
new file mode 100644
index 0000000000..31a2cf5727
Binary files /dev/null and b/windows/whats-new/images/block-suspicious-behaviors.png differ
diff --git a/windows/whats-new/images/hyper-v.png b/windows/whats-new/images/hyper-v.png
new file mode 100644
index 0000000000..27f482a6dd
Binary files /dev/null and b/windows/whats-new/images/hyper-v.png differ
diff --git a/windows/whats-new/images/kiosk-mode.PNG b/windows/whats-new/images/kiosk-mode.PNG
new file mode 100644
index 0000000000..57c420a9c2
Binary files /dev/null and b/windows/whats-new/images/kiosk-mode.PNG differ
diff --git a/windows/whats-new/images/regeditor.png b/windows/whats-new/images/regeditor.png
new file mode 100644
index 0000000000..947718ee80
Binary files /dev/null and b/windows/whats-new/images/regeditor.png differ
diff --git a/windows/whats-new/images/virus-and-threat-protection.png b/windows/whats-new/images/virus-and-threat-protection.png
new file mode 100644
index 0000000000..8fd800dcfa
Binary files /dev/null and b/windows/whats-new/images/virus-and-threat-protection.png differ
diff --git a/windows/whats-new/images/your-phone.png b/windows/whats-new/images/your-phone.png
new file mode 100644
index 0000000000..708c6c004a
Binary files /dev/null and b/windows/whats-new/images/your-phone.png differ
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md
new file mode 100644
index 0000000000..62ee95e835
--- /dev/null
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@@ -0,0 +1,242 @@ +--- +title: What's new in Windows 10, version 1809 +description: New and updated features in Windows 10, version 1809 +keywords: ["What's new in Windows 10", "Windows 10", "Windows 10 October 2018 Update"] +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +author: dawnwood +ms.date: 10/02/2018 +ms.localizationpriority: high +--- + +# What's new in Windows 10, version 1809 for IT Pros + +>Applies To: Windows 10, version 1809, also known as Windows 10 October 2018 Update + +In this article we describe new and updated features of interest to IT Pros for Windows 10, version 1809. This update also contains all features and fixes included in previous cumulative updates to Windows 10, version 1803. + +The following 3-minute video summarizes some of the new features that are available for IT Pros in this release. + +  + + + + +> [!video https://www.youtube.com/embed/hAva4B-wsVA] + +## Your Phone app + +Android phone users, you can finally stop emailing yourself photos. With Your Phone you get instant access to your Android’s most recent photos on your PC. Drag and drop a photo from your phone onto your PC, then you can copy, edit, or ink on the photo. Try it out by opening the **Your Phone** app. You’ll receive a text with a link to download an app from Microsoft to your phone. Android 7.0+ devices with ethernet or Wi-Fi on unmetered networks are compatible with the **Your Phone** app. For PCs tied to the China region, **Your Phone** app services will be enabled in the future. + +For iPhone users, **Your Phone** app also helps you to link your phone to your PC. Surf the web on your phone, then send the webpage instantly to your computer to continue what you’re doing–-read, watch, or browse-- with all the benefits of a bigger screen. + +![your phone](images/your-phone.png "your phone") + +The desktop pin takes you directly to the **Your Phone** app for quicker access to your phone’s content. 
You can also go through the all apps list in Start, or use the Windows key and search for **Your Phone**. + +## Wireless projection experience + +One of the things we’ve heard from you is that it’s hard to know when you’re wirelessly projecting and how to disconnect your session when started from file explorer or from an app. In Windows 10, version 1809, you’ll see a control banner at the top of your screen when you’re in a session (just like you see when using remote desktop). The banner keeps you informed of the state of your connection, allows you to quickly disconnect or reconnect to the same sink, and allows you to tune the connection based on what you are doing. This tuning is done via **Settings**, which optimizes the screen-to-screen latency based on one of the three modes: + +* Game mode minimizes the screen-to-screen latency to make gaming over a wireless connection possible +* Video mode increases the screen-to-screen latency to ensure the video on the big screen plays back smoothly +* Productivity modes strikes a balance between game mode and video mode; the screen-to screen-latency is responsive enough that typing feels natural, while ensuring videos don’t glitch as often. + +![wireless projection banner](images/beaming.png "wireless projection banner") + +## Windows Autopilot self-deploying mode + +Windows Autopilot self-deploying mode enables a zero touch device provisioning experience. Simply power on the device, plug it into the Ethernet, and the device is fully configured automatically by Windows Autopilot. + +This self-deploying capability removes the current need to have an end user interact by pressing the “Next” button during the deployment process. + +You can utilize Windows Autopilot self-deploying mode to register the device to an AAD tenant, enroll in your organization’s MDM provider,and provision policies and applications, all with no user authentication or user interaction required. 
+ +To learn more about Autopilot self-deploying mode and to see step-by-step instructions to perform such a deployment, [Windows Autopilot self-deploying mode](https://docs.microsoft.com/en-us/windows/deployment/windows-autopilot/self-deploying). + +## Kiosk setup experience + +We introduced a simplified assigned access configuration experience in **Settings** that allows device administrators to easily set up a PC as a kiosk or digital sign. A wizard experience walks you through kiosk setup including creating a kiosk account that will automatically sign in when a device starts. + +To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page. +![set up a kiosk](images/kiosk-mode.png "set up a kiosk") + +Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types. + +1.__Digital / Interactive signage__ that displays a specific website full-screen and runs InPrivate mode. +2.__Public browsing__ supports multi-tab browsing and runs InPrivate mode with minimal features available. Users cannot minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity. + +![single app assigned access](images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access") + +Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types. + +**Note** the following Microsoft Edge kiosk mode types cannot be setup using the new simplified assigned access configuration wizard in Windows 10 Settings. + +1.__Public browsing__ supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows. 
+ +![multi-app assigned access](images/Multi-app_kiosk_inFrame.png "multi-app assigned access") + +2.__Normal mode__ runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store is not set up, users cannot get books. + +![normal mode](images/Normal_inFrame.png "normal mode") + +Learn more about [Microsoft Edge kiosk mode](https://docs.microsoft.com/en-us/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy). + +## Registry editor improvements + +We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word. + +![Registry editor dropdown](images/regeditor.png "Registry editor dropdown") + +## Remote Desktop with Biometrics + +Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session. + +![Enter your credentials](images/RDPwBioTime.png "Windows Hello") + +To get started, sign into your device using Windows Hello for Business. Bring up **Remote Desktop Connection** (mstsc.exe), type the name of the computer you want to connect to, and click __Connect__. + +Windows remembers that you signed using Windows Hello for Business, and automatically selects Windows Hello for Business to authenticate you to your RDP session. You can also click __More choices__ to choose alternate credentials. + +![Enter your credentials](images/RDPwBio2.png "Windows Hello personal") + +In this example, Windows uses facial recognition to authenticate the RDP session to the Windows Server 2016 Hyper-V server. You can continue to use Windows Hello for Business in the remote session, but you must use your PIN. 
+ +![Microsoft Hyper-V Server 2016](images/hyper-v.png "Microsoft Hyper-V Server 2016") + +## Security Improvements + +We’ve continued to work on the **Current threats** area in [Virus & threat protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: + +![Virus & threat protection settings](images/virus-and-threat-protection.png "Virus & threat protection settings") + +You can enable a new protection setting, **Block suspicious behaviors**, which brings [Windows Defender Exploit Guard attack surface reduction technology](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard) to all users. To enable this setting, go to the **Virus & threat protection** section and click **Manage settings**, as shown in the following screenshot: + +![Block suspicious behaviors](images/block-suspicious-behaviors.png "Block suspicious behaviors") + +With controlled folder access you can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether. + +When an app is blocked, it will appear in a recently blocked apps list, which you can get to by clicking **Manage settings** under the **Ransomware protection** heading. Click **Allow an app through Controlled folder access**. After the prompt, click the **+** button and choose **Recently blocked apps**. Select any of the apps to add them to the allowed list. You can also browse for an app from this page. 
+ +We added a new assessment for the Windows time service to the **Device performance & health** section. If we detect that your device’s time is not properly synced with our time servers and the time-syncing service is disabled, we’ll provide the option for you to turn it back on. + +We’re continuing to work on how other security apps you’ve installed show up in the **Windows Security** app. There’s a new page called **Security providers** that you can find in the **Settings** section of the app. Click **Manage providers** to see a list of all the other security providers (including antivirus, firewall, and web protection) that are running on your device. Here you can easily open the providers’ apps or get more information on how to resolve issues reported to you through **Windows Security**. + +This also means you’ll see more links to other security apps within **Windows Security**. For example, if you open the **Firewall & network protection** section, you’ll see the firewall apps that are running on your device under each firewall type, which inclueds domain, private, and public networks). + +

        HKLM\SOFTWARE\Microsoft\Security Center\Feature DisableAvCheck (DWORD) = 1 
        + +### BitLocker + +#### Silent enforcement on fixed drives + +Through a Modern Decice Management (MDM) policy, BitLocker can be enabled silently for standard Azure Active Directory (AAD) joined users. In Windows 10, version 1803 automatic BitLocker encryption was enabled for standard AAD users, but this still required modern hardware that passed the Hardware Security Test Interface (HSTI). This new functionality enables BitLocker via policy even on devices that don’t pass the HSTI. + +This is an update to the [BitLocker CSP](https://docs.microsoft.com/en-us/windows/client-management/mdm/bitlocker-csp), which was introduced in Windows 10, version 1703, and leveraged by Intune and others. + +This feature will soon be enabled on Olympia Corp as an optional feature. + +#### Delivering BitLocker policy to AutoPilot devices during OOBE + +You can choose which encryption algorithm to apply automatic BitLocker encryption to capable devices, rather than automatically having those devices encrypt themselves with the default algorithm. This allows the encryption algorithm (and other BitLocker policies that must be applied prior to encryption), to be delivered before automatic BitLocker encryption begins. + +For example, you can choose the XTS-AES 256 encryption algorithm, and have it applied to devices that would normally encrypt themselves automatically with the default XTS-AES 128 algorithm during OOBE. + +### Windows Defender Application Guard Improvements + +Windows Defender Application Guard (WDAG) introduced a new user interface inside **Windows Security** in this release. Standalone users can now install and configure their Windows Defender Application Guard settings in Windows Security without needing to change registry key settings. 
+ +Additionally, users who are managed by enterprise policies will be able to check their settings to see what their administrators have configured for their machines to better understand the behavior of Windows Defender Application Guard. This new UI improves the overall experience for users while managing and checking their Windows Defender Application Guard settings. As long as devices meet the minimum requirements, these settings will appear in Windows Security.For detailed information, click [here](https://techcommunity.microsoft.com/t5/Windows-Insider-Program/test/m-p/214102#M1709). + +To try this, +1. Go to**Windows Security** and select **App & browser control**. +![Security at a glance](images/1_AppBrowser.png "app and browser control") +2. Under **Isolated browsing**, select **Install Windows Defender Application Guard**, then install and restart the device. +![Isolated browser](images/2_InstallWDAG.png "isolated browsing") +3. Select **Change Application Guard** settings. +![change WDAG settings](images/3_ChangeSettings.png "change settings") +4. Configure or check Application Guard settings. +![view WDAG settings](images/4_ViewSettings.jpg "view settings") + +### Windows Security Center + +Windows Defender Security Center is now called **Windows Security Center**. + +You can still get to the app in all the usual ways – simply ask Cortana to open Windows Security Center(WSC) or interact with the taskbar icon. WSC lets you manage all your security needs, including **Windows Defender Antivirus** and **Windows Defender Firewall**. + +The WSC service now requires antivirus products to run as a protected process to register. Products that have not yet implemented this will not appear in the Windows Security Center user interface, and Windows Defender Antivirus will remain enabled side-by-side with these products. + +WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. 
It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**. + +![alt text](images/defender.png "Windows Security Center") + +### Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes + +You can add specific rules for a WSL process in Windows Defender Firewall, just as you would for any Windows process. Also, Windows Defender Firewall now supports notifications for WSL processes. For example, when a Linux tool wants to allow access to a port from the outside (like SSH or a web server like nginx), Windows Defender Firewall will prompt to allow access just like it would for a Windows process when the port starts accepting connections. This was first introduced in [Build 17627](https://docs.microsoft.com/en-us/windows/wsl/release-notes#build-17618-skip-ahead). + +### Microsoft Edge Group Policies + +We introduced new group policies and Modern Device Management settings to manage Microsoft Edge. The new policies include enabling and disabling full-screen mode, printing, favorites bar, and saving history; preventing certificate error overrides; configuring the Home button and startup options; setting the New Tab page and Home button URL, and managing extensions. Learn more about the [new Microsoft Edge policies](https://aka.ms/new-microsoft-edge-group-policies). + +### Windows Defender Credential Guard is supported by default on 10S devices that are AAD Joined + +Windows Defender Credential Guard is a security service in Windows 10 built to protect Active Directory (AD) domain credentials so that they can't be stolen or misused by malware on a user's machine. It is designed to protect against well-known threats such as Pass-the-Hash and credential harvesting. 
+ +Windows Defender Credential Guard has always been an optional feature, but Windows 10-S turns this functionality on by default when the machine has been Azure Active Directory joined. This provides an added level of security when connecting to domain resources not normally present on 10-S devices. Please note that Windows Defender Credential Guard is available only to S-Mode devices or Enterprise and Education Editions. + +### Windows 10 Pro S Mode requires a network connection + +A network connection is now required to set up a new device. As a result, we removed the “skip for now” option in the network setup page in Out Of Box Experience (OOBE). + +### Windows Defender ATP + +[Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) has been enhanced with many new capabilities. For more information, see the following topics: + +- [Threat analytics](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/threat-analytics)
        +Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats. + +- [Custom detection](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/overview-custom-detections)
        + With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules. + + +- [Managed security service provider (MSSP) support](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/mssp-support-windows-defender-advanced-threat-protection)
        +Windows Defender ATP adds support for this scenario by providing MSSP integration. +The integration will allow MSSPs to take the following actions: +Get access to MSSP customer's Windows Defender Security Center portal, fet email notifications, and fetch alerts through security information and event management (SIEM) tools. + +- [Integration with Azure Security Center](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#integration-with-azure-security-center)
        +Windows Defender ATP integrates with Azure Security Center to provide a comprehensive server protection solution. With this integration Azure Security Center can leverage the power of Windows Defender ATP to provide improved threat detection for Windows Servers. + +- [Integration with Microsoft Cloud App Security](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/microsoft-cloud-app-security-integration)
        +Microsoft Cloud App Security leverages Windows Defender ATP endpoint signals to allow direct visibility into cloud application usage including the use of unsupported cloud services (shadow IT) from all Windows Defender ATP monitored machines. + + +- [Onboard Windows Server 2019](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection#windows-server-version-1803-and-windows-server-2019)
        +Windows Defender ATP now adds support for Windows Server 2019. You'll be able to onboard Windows Server 2019 in the same method available for Windows 10 client machines. + +- [Onboard previous versions of Windows](https://docs.microsoft.com/windows/security/threat-protection/onboard-downlevel-windows-defender-advanced-threat-protection)
        +Onboard supported versions of Windows machines so that they can send sensor data to the Windows Defender ATP sensor + +## Faster sign-in to a Windows 10 shared pc + +Do you have shared devices deployed in your work place? **Fast sign-in** enables users to sign in to a shared Windows 10 PC in a flash! + +**To enable fast sign-in:** +1. Set up a shared or guest device with Windows 10, version 1809. +2. Set the Policy CSP, and the Authentication and EnableFastFirstSignIn policies to enable fast sign-in. +3. Sign-in to a shared PC with your account. You'll notice the difference! + +![fast sign-in](images/fastsignin.png "fast sign-in") + +## Web sign-in to Windows 10 + +Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML). + +**To try out web sign-in:** +1. Azure AD Join your Windows 10 PC. (Web sign-in is only supported on Azure AD Joined PCs). +2. Set the Policy CSP, and the Authentication and EnableWebSignIn polices to enable web sign-in. +3. On the lock screen, select web sign-in under sign-in options. +4. Click the “Sign in” button to continue. + +![Web sign-in](images/websignin.png "web sign-in") \ No newline at end of file

        Attack surface reduction